OSCP PREPARATIONS – HTB Writer

Writer is a retired Linux machine on Hack The Box. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the target machine's services.
Classic Scan

Full Port Scan

As a result of the network scan, the following ports are open: 22/tcp ssh (OpenSSH 8.2p1), 80/tcp http (Apache httpd), and 139/tcp and 445/tcp netbios-ssn (Samba smbd).
We enumerated SMB but, without credentials, could not get anything valuable out of it.

Enumeration with enum4linux revealed a couple of findings. First, there are three Samba shares, but none of them allow anonymous access, so we will need a username and password to proceed. Second, and more interesting, we identified two usernames: kyle and john.
Since SMB gave us nothing at this stage, we move on to enumerating the web server on port 80.

We checked the browser developer tools, ran Wappalyzer, and finally reviewed the page source, but found nothing valuable. Next we scan with Gobuster for hidden files and directories.

Gobuster found the directories /contact, /about, /static, /logout, /dashboard, /administrative and /server-status.

Apart from /administrative and /static, there is nothing remarkable.
/administrative

/static

/administrative
This directory presents a login form. Default passwords did not work, so we try SQL injection.

This way we were able to bypass the login.

We enumerated the application through this interface but could not find a way to RCE.
We know that SQL injection can give us more than a login bypass. The first step is to determine the number of columns returned by the query; to do this we try UNION SELECT with an increasing number of columns:
' union select 1-- -
' union select 1,2-- -
We increased the column count one at a time. Up to 5 columns the application reported invalid credentials; with 6 columns the page returned "welcome 2", so the query uses 6 columns and the second column is reflected on the page:
' union select 1,2,3,4,5,6-- -

Now that we know the number of columns, let's try to read a file with LOAD_FILE():
' union select 1,LOAD_FILE('/etc/passwd'),3,4,5,6-- -

As you can see, the contents of /etc/passwd are returned. Another thing we can do here is find the source code of the website and look for a vulnerability in it.
We know the server is running Apache, so let's look at its configuration file:
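The column-count probing and the reflected "welcome 2" above come down to one defect: the login statement is assembled from the submitted string. The following is an added example, not code from the page or from the Writer application. It uses an in-memory SQLite database (so LOAD_FILE() is not available, and the /administrative login is a hypothetical reconstruction) with a six-column users table, and shows why a UNION with the wrong column count looks like a failed login, why one with six columns returns a row, and that the same input is inert once the query uses bound parameters.

```python
import sqlite3

# Constructed stand-in for the application's MySQL backend: an in-memory
# SQLite table with six columns, the number the UNION probing revealed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT,"
        " email TEXT, role TEXT, created TEXT)"
    )
    conn.execute(
        "INSERT INTO users VALUES (1, 'admin', 'S3cret!',"
        " 'admin@example.invalid', 'admin', '2021-01-01')"
    )
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical reconstruction of the /administrative login: the input is
    pasted into the statement, so quotes, UNION and -- become SQL syntax.
    Errors are swallowed, which is why a UNION with the wrong column count
    simply looks like a failed login from the outside."""
    sql = "SELECT * FROM users WHERE username = '{}' AND password = '{}'".format(
        username, password
    )
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None


def login_safe(conn, username, password):
    """Same query with bound parameters: the values travel separately from
    the statement text, so the probe string is compared as a literal name."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def welcome(row):
    """Mimics the page that echoes column 2 of the matched row ("welcome <name>");
    that echo is what turned the injection into a readable channel."""
    return None if row is None else "welcome {}".format(row[1])


if __name__ == "__main__":
    conn = make_db()
    for probe in ("' union select 1,2,3,4,5-- -", "' union select 1,2,3,4,5,6-- -"):
        print(repr(probe), "->", welcome(login_vulnerable(conn, probe, "x")),
              "| parameterized:", welcome(login_safe(conn, probe, "x")))
```

The fix is the placeholder form in login_safe(): it removes the whole class of problem rather than filtering particular characters, and the "welcome" echo of a database column is the second thing to stop, since it is what made the injected row readable.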
/etc/apache2/sites-enabled/000-default.conf

Here we see the file "/var/www/writer.htb/writer.wsgi".
Let's read the file that caught our attention:

This file points us to init.py, so we read that next.

init.py is a really long file; let's see whether it contains anything useful.
After spending a long time here, one line stands out:
os.system("mv /tmp/{} /var/www/writer.htb/writer/static/img/{}".format(image, image))
This looks like command injection through the uploaded image's filename: the name is passed straight into a system command without any sanitisation. We have to be careful with special characters so that they don't break the command, so I'll make the payload base64-safe.
Now let's create the filename on our machine.
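A hardened version of that file move, as an added example rather than the application's own code. Only the destination directory and the mv pattern come from the os.system() line above; the allow-list, the extension set and the function names are assumptions. build_move_command() reconstructs the vulnerable shape (returned, not executed), is_safe_filename() rejects anything that is not a plain image basename, and move_upload() performs the move with shutil.move() so no shell ever parses the name.

```python
import os
import re
import shutil
import tempfile

# Destination taken from the os.system() line on the page; /tmp is the
# staging directory the same line shows.
IMG_DIR = "/var/www/writer.htb/writer/static/img"

# Allow-list (an assumption, not the application's rule): a plain basename
# made of letters, digits, dot, underscore and dash, nothing a shell or a
# path would interpret.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def build_move_command(image):
    """Hypothetical reconstruction of the vulnerable pattern: the filename is
    interpolated into a shell command string. Returned, not executed, so the
    effect of metacharacters in the name can be inspected safely."""
    return "mv /tmp/{} {}/{}".format(image, IMG_DIR, image)


def is_safe_filename(image):
    """True only for a simple image basename that matches the allow-list."""
    if SAFE_NAME.fullmatch(image) is None:
        return False
    return os.path.splitext(image)[1].lower() in ALLOWED_EXT


def move_upload(image, src_dir="/tmp", dst_dir=IMG_DIR):
    """Hardened move: validate first, then move the file with shutil.move()
    so no shell is involved and no character in the name is ever syntax."""
    if not is_safe_filename(image):
        raise ValueError("rejected upload filename: %r" % (image,))
    src = os.path.join(src_dir, image)
    dst = os.path.join(dst_dir, image)
    shutil.move(src, dst)
    return dst


def run_demo():
    """Constructed round trip in a scratch directory: a clean name is moved,
    a name carrying shell metacharacters is refused before anything runs."""
    base = tempfile.mkdtemp()
    src_dir = os.path.join(base, "tmp")
    dst_dir = os.path.join(base, "img")
    os.makedirs(src_dir)
    os.makedirs(dst_dir)
    open(os.path.join(src_dir, "photo.jpg"), "w").close()
    moved = move_upload("photo.jpg", src_dir, dst_dir)
    try:
        move_upload("photo.jpg; echo injected", src_dir, dst_dir)
        rejected = False
    except ValueError:
        rejected = True
    return os.path.exists(moved), rejected


if __name__ == "__main__":
    # The vulnerable string form: the name has become two commands.
    print(build_move_command("photo.jpg; echo injected"))
    print(run_demo())
```

Validation alone is not the fix; the essential change is that move_upload() never hands the name to a shell. The allow-list is defence in depth, and it also rules out path traversal through names such as "../x.jpg".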

Having created the file, we upload it in the Stories section.
We see the users in the Stories section.

Here we added the file we created

Uploading the image file triggered the command and gave us a reverse shell on our nc listener.

This shell runs as an unprivileged user, so we move on to local enumeration for privilege escalation.
We saw that MySQL was running on the system.

Let's enumerate its configuration.

We found credentials in the mariadb.cnf file:
user = djangouser
password = DjangoSuperPassword
Let's connect using these.

We found the dev database, listed its tables, and read the auth_user table, where we saw the user kyle:
kyle:
pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A=

Let's try to crack this hash with hashcat.

Hashcat cracked the hash: the password is marcoantonio.
Let's try to log in over SSH as kyle with this password.

And we are connected.

This gives us the user flag, but we still don't have root, so we continue with local enumeration.

LinEnum.sh did not give us anything, so let's run pspy to see the processes running in the background.

Among the running processes, two files stand out:
/etc/postfix/master.cf
/etc/postfix/disclaimer
Let's look at these.

In disclaimer we find a bash script that is executed to perform some checks whenever mail is sent, so let's add a reverse shell line to it and wait for it to trigger.

This is how we got a shell as the john user.

But since we still don't have root privileges, we enumerate locally again.

LinPEAS found nothing, so let's look at the background processes with pspy.

Pspy also gave nothing, so we continue local enumeration.
The id command shows that john is a member of the management group, so let's look for files belonging to this group:

/etc/apt/apt.conf.d
Let's see whether this can be used for privilege escalation.

We found how this directory can be manipulated and applied it on the target machine.

We then received a shell on the port we were listening on with nc.

This is how we got root.
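Both escalations above, the Postfix disclaimer script and the /etc/apt/apt.conf.d directory writable by the management group, share one root cause: a file that root or a service account executes can be modified by a lower-privileged group. The following is an added example, not from the page, of the permission audit a defender would run over such hook locations: it flags every entry that is group-writable, world-writable or not owned by the trusted uid. The directory list, the trusted_uid parameter and the function names are assumptions; run_demo() builds a constructed scratch directory so the check can be exercised without touching the real system.

```python
import os
import stat
import tempfile

# The two locations the walkthrough abused: a script Postfix executes for
# every mail, and apt's hook configuration directory.
WATCHED = ["/etc/postfix", "/etc/apt/apt.conf.d"]


def writable_by_others(path, trusted_uid=0):
    """Reasons a file could be modified by an account other than the trusted
    owner: not owned by that uid, group-writable, or world-writable."""
    st = os.lstat(path)
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append("owned by uid %d" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable (gid %d)" % st.st_gid)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit(dirs, trusted_uid=0):
    """Walk each directory and map every entry a non-trusted account could
    change to its list of reasons. Missing directories are skipped."""
    findings = {}
    for base in dirs:
        if not os.path.isdir(base):
            continue
        for root, subdirs, files in os.walk(base):
            for name in subdirs + files:
                path = os.path.join(root, name)
                reasons = writable_by_others(path, trusted_uid)
                if reasons:
                    findings[path] = reasons
    return findings


def run_demo():
    """Constructed scratch directory standing in for apt.conf.d: one hook
    file left group-writable (the condition the management group exploited
    on the page) and one locked down to 0644. Returns the flagged basenames."""
    base = tempfile.mkdtemp()
    loose = os.path.join(base, "99-hook.conf")
    tight = os.path.join(base, "10-default.conf")
    for path in (loose, tight):
        open(path, "w").close()
    os.chmod(loose, 0o664)
    os.chmod(tight, 0o644)
    # The scratch files belong to the current user, so treat that uid as trusted.
    findings = audit([base], trusted_uid=os.getuid())
    return sorted(os.path.basename(p) for p in findings)


if __name__ == "__main__":
    for path, reasons in sorted(audit(WATCHED).items()):
        print(path, ", ".join(reasons))
```

Run as root on a real host, audit(WATCHED) should print nothing; any line it prints is a file that a service will execute or parse and that someone other than root can edit. The same check applies to any directory that a privileged process reads on a schedule, which is exactly what pspy surfaced in the walkthrough.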
