HTB [Squashed]


#linux#nfs#X11

RECON

port scan

PORT      STATE SERVICE  REASON  VERSION
22/tcp    open  ssh      syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC82vTuN1hMqiqUfN+Lwih4g8rSJjaMjDQdhfdT8vEQ67urtQIyPszlNtkCDn6MNcBfibD/7Zz4r8lr1iNe/Afk6LJqTt3OWewzS2a1TpCrEbvoileYAl/Feya5PfbZ8mv77+MWEA+kT0pAw1xW9bpkhYCGkJQm9OYdcsEEg1i+kQ/ng3+GaFrGJjxqYaW1LXyXN1f7j9xG2f27rKEZoRO/9HOH9Y+5ru184QQXjW/ir+lEJ7xTwQA5U1GOW1m/AgpHIfI5j9aDfT/r4QMe+au+2yPotnOGBBJBz3ef+fQzj/Cq7OGRR96ZBfJ3i00B/Waw/RI19qd7+ybNXF/gBzptEYXujySQZSu92Dwi23itxJBolE6hpQ2uYVA8VBlF0KXESt3ZJVWSAsU3oguNCXtY7krjqPe6BZRy+lrbeska1bIGPZrqLEgptpKhz14UaOcH9/vpMYFdSKr24aMXvZBDK1GJg50yihZx8I9I367z0my8E89+TnjGFY2QTzxmbmU=
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
|   256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
80/tcp    open  http     syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Built Better
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.41 (Ubuntu)
111/tcp   open  rpcbind  syn-ack 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      42834/udp6  mountd
|   100005  1,2,3      45599/tcp6  mountd
|   100005  1,2,3      50879/tcp   mountd
|   100005  1,2,3      58687/udp   mountd
|   100021  1,3,4      33135/tcp6  nlockmgr
|   100021  1,3,4      40939/tcp   nlockmgr
|   100021  1,3,4      43633/udp   nlockmgr
|   100021  1,3,4      51459/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  syn-ack 3 (RPC #100227)
40939/tcp open  nlockmgr syn-ack 1-4 (RPC #100021)
45489/tcp open  mountd   syn-ack 1-3 (RPC #100005)
50879/tcp open  mountd   syn-ack 1-3 (RPC #100005)
54255/tcp open  mountd   syn-ack 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

WebApp Enumeration

  • Nothing fancy, just a static web page with zero dynamic functionality

  • It’s a php site
  • So, let’s enumerate the nfs

NFS enumeration

  • We can mount these folders to our local
  • There’s a Passwords.kdbx file in ross user’s Documents directory
  squashed keepass2john Passwords.kdbx
! Passwords.kdbx : File version '40000' is currently not supported!
  • Unfortunately we can’t able to crack it
  • Let’s check the other mounted folder /var/www/

  • Only the uid 2017 and www-data has access to it
  • Let’s create a user in our box and give him the uid => 2017

  • We changed his uid successfully

  • Now we can able to access the contents of the html folder

INITIAL FOOTHOLD

  • Let’s try to create a file here and see it’s available in the webpage or not

  • Now time for a php rev shell

  • 1) Editing the php-rev shell and starting a ncat listener
  • 2) Copying the rev shell to the mounted /var/www/html/ folder
  • 3) Triggering the rev shell
  • 4) Got shell as alex

  • Grab the user.txt in alex’s home directory

PRIVESC

ross        1578  0.0  0.1   6892  3384 ?        S    03:16   0:00  |   _ /bin/bash /usr/share/keepassxc/scripts/ross/keepassxc-start
ross        1593  0.1  4.9 777124 101232 ?       SLl  03:16   0:05  |       _ /usr/bin/keepassxc --pw-stdin --keyfile /usr/share/keepassxc/keyfiles/ross/keyfile.key /usr/share/keepassxc/databases/ross/Passwords.kdbx
  • We can’t access these files, so we need to switch to ross

X11

  • Now let’s enumerate the other mounted directory /home/ross

  • These files are new to me, so I’ve reffered 0xdf’s writeup & Bookhacktricks
  • Here we can see we need the uid => 1001 to access these files, so let’s do the thing that we did for the 2017 uid

  • Now we can able to access these files
  • I’m going to copy these files to my local, coz mounted folders are slow

  • This is MIT-MAGIC-COOKIE-1 which means,

MIT-magic-cookie-1: Generating 128bit of key (“cookie”), storing it in ~/.Xauthority (or where XAUTHORITY envvar points to). The client sends it to server plain! the splain! the server checks whether it has a copy of this “cookie” and if so, the connection is permitted. the key is generated by DMX.

  • So we can use this file to authenticate

  • The display is connected in :0
  • But we don’t have access, so let’s copy this file to alex’s home directory

  • I’m setting XAUTHORITY=/home/alex/.Xauthority, so it checks this file and we will be authenticated

  • Now we can do multiple things, Interestingly we can take screenshots
  • That’s explained here
xwd -root -screen -silent -display :0 > screenshot.xwd

  • 1) Sucessfully took the screenshot
  • 2) But we don’t have convert
  • 3) So let’s start a python server
  • 4) And wget it to our local

  • Converted it to png format
  • We can see the root user’s password there

  • creds => root:cah$mei7rai9A
  • It worked and we’re root!!

References


Hack The Box

It would be appreciated if you give me a respect+ on HTB