DITULIS OLEH : Rizky Aditiyan
Port Scan: Nmap
We begin our reconnaissance by running a port scan with Nmap, checking default scripts and testing
for vulnerabilities
We see from the output above that ports 22 and 443 are open, meaning we’ve got ssh and https.
Enumeration: Source Code, File Python, Pastebin
Let’s check web of craft and it source code. We have sub domain for craft. That is https://api.craft.htb/api/ and https://gogs.craft.htb/.
Let’s edit file /etc/hosts first for domain and sub domain of craft.
We see at API Craft. The page gives us some information about the API’s endpoints and how to interact with them
On the gogs.craft site, We get several python files, including test.py and brew.py.
In the test.py file, we get the credentials of "dinesh" which is if we tested in the Login API, the authentication is successfull.
In the brew.py file there is a function that is vulnerable to exploits, namely eval function, where this function will run to pass malicious code to your site in order to exploit the current user's session in some way (e.g. a user following a malicious link)
However, here we will use a script from pastebin which has combined test.py and brew.py. this script will authenticate as dinesh and give reverse shell to the local machine.
Run the script and catch reverse shell connection use using ncat on the local machine
On the target machine there is a dbtest.py file that we can edit and use to query into the gogs.craft application database.
Edit the dbtest.py file as follows and run the script below.
From the results of the database query, there are several credentials. So, we use the credentials of "Gilfoyle"
In the Gilfoyle repository, there is a .SSH folder which we can use to log in on the machine as a user.
User
Change the permision of id_rsa user to 600 then try running ssh
Previledge Escalation
Next, let's check that there is a service running on the server, which is vault service. This service is used to do SSH with the OTP method.
In the "Gilfoyle" folder on gogs.craft there is also secrets.py, that file stores the configuration of the vault server.
Try to generate the OTP code for root. Make sure the OTP key storage path matches the vault server, that is ssh / roles / root_otp
If we successfully generate an OTP, then we try to run the service vault
the service will automatically run SSH and load the OTP key that was generated