toatoat
Posts: 24 Threads: 0 Joined: N/A

(June 10, 2022, 09:08 AM) josn0w Wrote:
> (May 27, 2022, 06:21 PM) Exa Wrote:
> > (May 27, 2022, 11:34 AM) pacholingoso Wrote:
> > > (May 25, 2022, 06:38 PM) Exa Wrote:
> > > > I found a username and password in the ZIP file. This can be used to log in to the chat application.
> > > > I also found that the login request contains this authserver parameter, which can be modified to log in as any user.
> > > > Next I found that I can send a link like http://10.10.xxx.xxx/ to a certain user and he will then connect to my web server. Does anyone know the next step from here?
> > > How do you interact with the chat app? It needs JS enabled and is not accessible from outside the machine; you can get to the page only through the vuln with the digest stuff. I am at the zip point but cannot find anything interesting apart from the gu***:gu*** creds.
> > I wrote a Python script with a port listener on port 80. It accepts GET and POST requests. For any such request, it retrieves the corresponding digest and then sends the request to proxy.response.htb. Now I direct Firefox to the Python port and I can normally use the chat application.
> I also created a Python script to redirect the traffic to the proxy, but I am having issues with the WebSocket Upgrade. I can see three requests being made, but the last one fails with: unknown Session ID...
> Also: it seems like the POST request is always returning OK, even when putting trash in...

There are two types of request, GET and POST, so you have to separate the two cases. The Session ID is not just a GET parameter; it is used for the session param you send to proxy.response.htb (the digest must match). guest/guest bypasses the query to the remote LDAP server (index.js -> if username == guest and password == guest return true). If you modify the query, you can use admin as the username and redirect the request to your own LDAP server.

r4vshe1l
Posts: 36 Threads: 0 Joined: N/A

Any progress on root?
In the scryh home folder there is a `scan` script which is scanning the docker instance at 172.8.0.3 for the SSL cert and the heartbleed vuln and sending an email report to the same docker instance IP.
[code]
PORT    STATE SERVICE    VERSION
25/tcp  open  smtp-proxy Python SMTP Proxy 0.3
|_smtp-commands: testserver, 8BITMIME, HELP,
53/tcp  open  domain     ISC BIND 9.16.25
| dns-nsid:
|_  bind.version: 9.16.25
443/tcp open  ssl/http   SimpleHTTPServer 0.6 (Python 3.10.2)
|_http-server-header: SimpleHTTP/0.6 Python/3.10.2
|_http-title: Test Server
| ssl-cert: Subject: commonName=response-test.htb/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Zion/countryName=DE
| Not valid before: 2022-03-03T13:04:32
|_Not valid after:  2025-10-30T13:04:32
Service Info: Host: testserver
[/code]
I've got the admin password from LDAP, which isn't good for any user on the box except admin.
[code]
Nmap scan report for 172.18.0.5
Host is up (0.00014s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE VERSION
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl?
[/code]
At 172.8.0.3 there is a simple test app which leads to nowhere.
[code]
<!DOCTYPE html>
<html>
<head><title>Test Server</title></head>
<body>
Empty test server.
</body>
</html>
[/code]
None of the exploits work. Any nudge on root? Are the simple test app and the heartbleed scans a rabbit hole?

toatoat
Posts: 24 Threads: 0 Joined: N/A

(June 26, 2022, 05:26 AM) r4vshe1l Wrote:
> Any progress on root?
> [...]
> None of the exploits work. Any nudge on root? Are the simple test app and the heartbleed scans a rabbit hole?

Root is in two parts (scryh -> root). There is a scan.sh script in scryh's home. The script itself sends a mail through an SMTP server with the report of the nmap scan. The name of the game for the scryh part is data exfiltration. I think you should look closely at the scripts nmap used on the box.

r4vshe1l
Posts: 36 Threads: 0 Joined: N/A

(June 27, 2022, 07:23 AM) toatoat Wrote:
> (June 26, 2022, 05:26 AM) r4vshe1l Wrote:
> > Any progress on root?
> > [...]
> > None of the exploits work. Any nudge on root? Are the simple test app and the heartbleed scans a rabbit hole?
> Root is in two parts (scryh -> root). [...] The name of the game for the scryh part is data exfiltration. I think you should look closely at the scripts nmap used on the box.

Thanks for your reply, but I still don't get it. At least for now. Here is what I tried already. I dumped all creds from LDAP and none of them appears to be crackable, except for the last one, which is only a test of my sanity and not from the box. Tried every dictionary I have, still nothing.
{SSHA}6FUzE0mx39p42Su+3rO54In0FYJ3xX/L
{SSHA}5K0/4Z1X2iJGxQIf9mfqN8CKaReSU3MX
{SSHA}FVpXat9AvtkvXYMKer7Oztj8nryGxp8e
{SSHA}rj5qElfD1JK7PCKSLZzxIldkREeFW2Dv:tony
At this point I have the passwords of the admin and bob users and they're not good for those hashes.
So, I attempted to repurpose a Python script which is sending emails to the customer. Tried to inject several payloads in the msg field to check for funny things like phoning home or getting myself a reverse shell... nothing works. The .nse scripts seem to be fine, nothing catches my eye. This scan script queries LDAP, stores the report in XML, converts it to PDF and sends an email to the customer. Still lurking around how to exfil scryh's creds...
One thing that is baffling me is that the 172.18.0.1, 172.17.0.1, 172.19.0.1 containers feel like the same. I can ssh into them, but the environment does not change.

toatoat
Posts: 24 Threads: 0 Joined: N/A
June 28, 2022 at 10:55 AM

(June 28, 2022, 01:21 AM) r4vshe1l Wrote:
> (June 27, 2022, 07:23 AM) toatoat Wrote:
> > (June 26, 2022, 05:26 AM) r4vshe1l Wrote:
> > > Any progress on root?
> > > [...]
> > [...]
> Thanks for your reply, but I still don't get it. [...] One thing that is baffling me is that the 172.18.0.1, 172.17.0.1, 172.19.0.1 containers feel like the same. I can ssh into them, but the environment does not change.

Hashes are irrelevant here. The NSE scripts aren't fine at all (try to diff them with your own nmap scripts: diff <serverscript.nse> <originalnmap.nse>). scan.sh runs as scryh; that implies it can read an interesting file within its home. You can't exploit the script per se since the regex works well, but you have the admin password of the whole LDAP. That implies you can change ALL of the items within it. I strongly advise recreating ALL of the servers required (https, dns, smtp) since you need them to exfiltrate data.

fironeDerbert
Posts: 132 Threads: 0 Joined: N/A
June 28, 2022 at 12:57 PM

(May 28, 2022, 05:29 AM) Exa Wrote:
> (May 27, 2022, 09:16 PM) vitalykht Wrote:
> > (May 27, 2022, 06:21 PM) Exa Wrote:
> > > (May 27, 2022, 11:34 AM) pacholingoso Wrote:
> > > > (May 25, 2022, 06:38 PM) Exa Wrote:
> > > > > I found a username and password in the ZIP file. This can be used to log in to the chat application.
> > > > > [...]
> > > > [...]
> > > [...]
> > Do you have an application in your browser? I wrote the code to interact with that, lol. As a result I was authorized under username admin. I got strange access creds for FTP, but I cannot connect to it.
> To be authorized as admin, I intercepted the login request with Burp and changed the authserver to my own IP. For the incoming connection on port 389 I set up an LDAP server to approve that authentication attempt.

Hi, how did you set up the LDAP server?

toatoat
Posts: 24 Threads: 0 Joined: N/A

(June 28, 2022, 12:57 PM) fironeDerbert Wrote:
> (May 28, 2022, 05:29 AM) Exa Wrote:
> > (May 27, 2022, 09:16 PM) vitalykht Wrote:
> > > (May 27, 2022, 06:21 PM) Exa Wrote:
> > > > (May 27, 2022, 11:34 AM) pacholingoso Wrote:
> > > > > How do you interact with the chat app? It needs JS enabled and is not accessible from outside the machine; you can get to the page only through the vuln with the digest stuff. I am at the zip point but cannot find anything interesting apart from the gu***:gu*** creds.
> > > > [...]
> > > [...]
> > To be authorized as admin, I intercepted the login request with Burp and changed the authserver to my own IP. For the incoming connection on port 389 I set up an LDAP server to approve that authentication attempt.
> Hi, how did you set up the LDAP server?

You can use glauth (https://github.com/glauth/glauth); it's very straightforward when using the sample config. You gotta change `nameformat=cn` to `nameformat=uid` to make it work, though.

r4vshe1l
Posts: 36 Threads: 0 Joined: N/A
June 29, 2022 at 11:39 AM

(June 28, 2022, 10:55 AM) toatoat Wrote:
> (June 28, 2022, 01:21 AM) r4vshe1l Wrote:
> > (June 27, 2022, 07:23 AM) toatoat Wrote:
> > > (June 26, 2022, 05:26 AM) r4vshe1l Wrote:
> > > > Any progress on root?
> > > > [...]
> > > [...]
> > [...]
> Hashes are irrelevant here. [...] I strongly advise recreating ALL of the servers required (https, dns, smtp) since you need them to exfiltrate data.

Thanks for your help and very precise answers. I will get back to this box slightly later; for now I'm busy with other stuff as well. I think I'm slowly getting into what you mean, and you absolutely deserve more Rep than many of these "Rep spammers" around.
This active machine is the only one on which I'm still working. Thanks again for your help.

toatoat
Posts: 24 Threads: 0 Joined: N/A

(June 29, 2022, 11:39 AM) r4vshe1l Wrote:
> (June 28, 2022, 10:55 AM) toatoat Wrote:
> > (June 28, 2022, 01:21 AM) r4vshe1l Wrote:
> > > (June 27, 2022, 07:23 AM) toatoat Wrote:
> > > > (June 26, 2022, 05:26 AM) r4vshe1l Wrote:
> > > > > Any progress on root?
> > > > > [...]
> > > > [...]
> > > [...]
> > [...]
> Thanks for your help and very precise answers. [...] This active machine is the only one on which I'm still working. Thanks again for your help.

Thanks for the kind words!! Happy to help.

Posts: 17 Threads: 0 Joined: N/A

(May 27, 2022, 06:21 PM) Exa Wrote:
> (May 27, 2022, 11:34 AM) pacholingoso Wrote:
> > (May 25, 2022, 06:38 PM) Exa Wrote:
> > > I found a username and password in the ZIP file. This can be used to log in to the chat application.
> > > [...]
> > [...]
> I wrote a Python script with a port listener on port 80. It accepts GET and POST requests. For any such request, it retrieves the corresponding digest and then sends the request to proxy.response.htb. Now I direct Firefox to the Python port and I can normally use the chat application.

@Exa Can you describe your method in a bit more detail? So far I am doing this manually in Firefox dev tools, and all I get back from the proxy is a base64 encoded body that says I don't have JavaScript enabled.
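The login weakness the thread keeps circling back to (Exa's authserver parameter in the login request, and toatoat's note that index.js short-circuits guest/guest without ever asking the directory) comes down to two defects in one handler: the client picks which LDAP server the application binds against, and one credential pair never reaches that server at all. The snippet below is an added illustration written for this page, not the box's index.js or any project's code. It puts that pattern next to a hardened version. The server names, users, passwords and the `ldapBind` stand-in are constructed so it runs offline; the empty-password guard in the hardened handler is a general LDAP point (an empty password turns a simple bind into an anonymous bind on many servers), not something the thread mentions.

```javascript
// Added example, not the application's real index.js. Every server name,
// user and password here is constructed for illustration.

// Directories the example can "bind" against. Each entry maps usernames to
// the password that directory accepts. A null entry models a directory under
// someone else's control that approves every bind request it receives.
const DIRECTORIES = {
  "ldap://ldap.internal.example:389": { admin: "S3cure-adm1n", bob: "bobs-pass" },
  "ldap://rogue.example:389": null, // approves anything
};

// Stand-in for an LDAP simple bind (a real app would use an LDAP client
// library). Returns true when the directory at `server` accepts the pair.
function ldapBind(server, username, password) {
  if (!Object.prototype.hasOwnProperty.call(DIRECTORIES, server)) return false; // unknown host
  const users = DIRECTORIES[server];
  if (users === null) return true; // rogue directory: accepts every bind
  return Object.prototype.hasOwnProperty.call(users, username) && users[username] === password;
}

// The pattern described in the thread: the request body names the LDAP
// server, and guest/guest is accepted without consulting any directory.
function vulnerableLogin(body) {
  const { username, password, authserver } = body;
  if (username === "guest" && password === "guest") return true;
  return ldapBind(authserver, username, password);
}

// Hardened handler: the directory is fixed in server configuration, the
// request cannot choose it, and no credential pair skips the bind.
const AUTHSERVER = "ldap://ldap.internal.example:389"; // constructed value
function hardenedLogin(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") return false;
  // An empty password would make a simple bind anonymous on many servers,
  // which the directory reports as success. Reject it before binding.
  if (username.length === 0 || password.length === 0) return false;
  if (Object.prototype.hasOwnProperty.call(body, "authserver")) {
    // A client trying to steer the bind is worth logging for detection,
    // not silently dropping.
    console.warn(`login: ignored client-supplied authserver for ${JSON.stringify(username)}`);
  }
  return ldapBind(AUTHSERVER, username, password);
}

// Usage: the same steered request against both handlers.
const steered = { username: "admin", password: "anything", authserver: "ldap://rogue.example:389" };
console.log("vulnerable, steered bind:", vulnerableLogin(steered)); // true
console.log("hardened,   steered bind:", hardenedLogin(steered));   // false
console.log("hardened,   real creds  :", hardenedLogin({ username: "admin", password: "S3cure-adm1n" })); // true
```

The warning in `hardenedLogin` is the detection hook: a login request carrying a server selector the application never defined is the kind of field worth alerting on in the application log, independent of whether the bind succeeds.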