HTB Response - Linux (Insane)

Phishing the admin and other users through the web app to gain access and privilege escalation inside a Docker container, then elevating to FTP access for the user flag. Privilege escalation with lateral movement to obtain an RSA key, then root via Meterpreter.

From HTB: Response is an Insane Linux machine that simulates an Internet facing server of a company, which provides automated scanning services to their customers.
An SSRF vulnerability in the public website allows a potential attacker to query websites on the internal network. One of those internal websites is a chat application, which uses the socket.io library. Using some advanced SSRF techniques the attacker can access the internal chat application and retrieve the source code. The source code of the internal chat application reveals that the authentication is performed through an LDAP server.
The attacker can change the LDAP server used by the application to one that he controls, thus performing an authentication bypass. Now, the attacker is logged in as the admin user on the internal chat application. The employee bob is willing to share sensitive information with the admin user, including the credentials for an internal FTP server.
The employee also asks admin to send him a link, which he will open in his browser. This allows the attacker to craft and host a malicious JavaScript payload, which queries the internal FTP server with the provided credentials by leveraging Cross-Protocol Request Forgery. Since the FTP server uses active mode by default, data can be exfiltrated from the server to the attacker's local machine.
This data includes credentials for the user bob, which now can be used to access the box via SSH. Once on the box the attacker can inspect the automated scanning engine of the company, which is basically a bash script using nmap. This script retrieves the IP address of the servers supposed to be scanned as well as the email address of the corresponding customer via LDAP.
The scan result is converted to a PDF file, which is sent to the customer's email address. One of the nmap NSE scripts used (ssl-cert) is slightly modified, introducing a directory traversal vulnerability. This vulnerability can be used to read arbitrary files by creating a malicious TLS certificate with a directory traversal payload in the State or Province Name field, running an HTTPS server using this certificate, and adding an LDAP entry for this server so that it is scanned and the payload gets triggered.
To receive the results of the scanning process an email address must be placed on the LDAP info for this server while setting up both a DNS and an SMTP server locally to resolve the DNS requests. With this setup, an attacker can leverage this vulnerability to acquire the SSH private key of the user scryh. The user scryh has access to a recent incident report as well as to all the related files.
The report describes an attack where the attacker was able to trick the server admin into executing a meterpreter binary. The files attached to the report are a core dump of the running process as well as the related network capture. The attacker is able to combine all the clues to decrypt the meterpreter traffic and retrieve a zip archive.
The archive contains the authorized_keys file of the root user as well as a screenshot, which shows the last few lines of the root private SSH key. By extracting the RSA values N and e from the authorized_keys file and the q value from the partial private key, the attacker can re-create the private key of root and use it to login as root through SSH.
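The final step of the description above turns on a piece of arithmetic worth seeing concretely: the public key in authorized_keys gives N and e, and a single leaked prime factor q is enough to rebuild the whole private key. The following Python is an added example (not part of the original post or of the HTB box) that parses the OpenSSH "ssh-rsa" line format, recovers p and d from (N, e, q), and checks the rebuilt key against the public one. The primes DEMO_P and DEMO_Q and the comment string are constructed demo values, not the box's key material; the point for a defender is that a partial private-key leak (a screenshot of the PEM tail, which carries q and the CRT parameters) must be treated as a full compromise and the key rotated.

```python
import base64
import struct
from math import gcd
from typing import Tuple

# Constructed demo key material: two Mersenne primes (2^61-1 and 2^89-1).
# Real RSA keys use ~1024-bit primes; the arithmetic below is identical.
DEMO_P = (1 << 61) - 1
DEMO_Q = (1 << 89) - 1
DEMO_E = 65537


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_authorized_keys_line(e: int, n: int, comment: str = "root@demo") -> str:
    """Build an OpenSSH 'ssh-rsa' line (the format found in authorized_keys) from (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_authorized_keys_line(line: str) -> Tuple[int, int]:
    """Return (e, n) from an 'ssh-rsa' authorized_keys line; rejects other key types and truncated blobs."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    parts, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated blob")
        parts.append(blob[off:off + length])
        off += length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big")


def rebuild_private_key(n: int, e: int, q: int) -> Tuple[int, int]:
    """Given the public (n, e) and one leaked prime q, return (p, d): the other factor
    and the full private exponent. One factor is all that separates public from private."""
    if q <= 1 or n % q != 0:
        raise ValueError("q is not a factor of n")
    p = n // q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return p, d


def key_pair_is_consistent(n: int, e: int, d: int, probe: int = 0xC0FFEE) -> bool:
    """Sanity check: a value raised to d must come back through e (probe must be < n)."""
    return pow(pow(probe, d, n), e, n) == probe % n


if __name__ == "__main__":
    line = make_authorized_keys_line(DEMO_E, DEMO_P * DEMO_Q)
    e, n = parse_authorized_keys_line(line)
    p, d = rebuild_private_key(n, e, DEMO_Q)
    print("recovered p matches:", p == DEMO_P, "| key consistent:", key_pair_is_consistent(n, e, d))
```

The parser only walks length-prefixed fields, so it never trusts the base64 payload's declared lengths beyond the buffer; the rebuild function refuses a q that does not divide N rather than returning garbage. Run the file directly to see both checks print True.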
- Network Enumeration and Port Discovery
. . .[SOON]. . .
This post was created as a learning template and is not going to be finished in the near future.
And that's it. Hope you guys enjoy the box. Happy hacking!