Kotarak — HTB walkthrough

All about loop of directory busting.

Nmap Service and OS detection Scan

Also I ran fullport scan whose results goes as follows

Nmap service scan on port 60000

PORT 60000 Kotarak Web Hosting Scan

when we write http://google.com, the URL changes to /url.php?path=http://google.com

We see whatever URL we give , it displays it’s contents here.

Can we access contents on ??? No not working

On ???? No still auth required

On path= ???? Nop

On file:///etc/passwd ??? Says Try harder

This means there could be SSRF = Server Side Request Forgery, which means if we send a request server can process it based on internal data and reflect back output. This request can be reading internal files which we don’t have privilege to, but server is befooled to do so.

Let’s try more

Sent file:/// Again says try harder

Why are we sending, we know port 8080 is open and here we have SSRF. Let’s enumerate through all ports. For this capture request on burp and send it to intruder

1) Capture request file:/// let say

2) Send to intruder and add payload criteria on PORT number by adding $$ as shown

3) In payload options set

This will take 1–65535 as port numbers and will try getting response from all one by one

4) Run the attack

We get Length at port 888 is greater than other ports’ length
We get files and folders on port 888
Clicking on backup we see

To see contents of each we will use same trick

Going through each we see

we see when we click on backup it directly goes to doc=backup, but sending file:///

We can notice changes in URL. What about sending file:///, so that instead of sending back doc=backup from server , it sends it from localhost server

Capture on burp and fuzz

On front page we get nothing, but on seeing source code we see

username & password FOUND

Woah… We get tomcat manager Username Password.. Going to 8080 port

Now we will deploy a war file to get reverse shell

Using msfvenom to create payload

Open link on new tab

On netcat

We cannot get user.txt. We can notice we are Kotarak-dmz. So we need to be user of internal network not DMZ. On enumerating tomcat home directory I found

Transfer both to your machine

On victim machine one by one
On attacker machine one by one

Now that we have got ntds.dit and ntds.bin we can use secretsdump.py to get hashes

We see Administrator and Atanas Hash

Administrator : e64fe0f24ba2489c05e64354d74ebd11 : f16tomcat!

Atanas : 2b576acbe6bcfda7294d6bd18041b8fe : Password123!

Since there is no Administrator account, we can use both passwords for Atanas one by one to test. Doing SSH using both — doesn’t work. But Switching user works.

No Sudo Rights

But we have access to /root


We also see a file named app.log, which tries to download a file named archive.tar.gz as root via a cronjob. This makes use of wget. Now here it shows version of wget it is 1.6.

Also we see, it is connecting to

Okh also we see here is Wget V1.6 revealed. Let’s check exploits. https://www.exploit-db.com/exploits/40064

Going as per the exploit POC. We first create a .wgetrc file

Then we change /etc/shadow to /root/root.txt. Why ??? Because we need /root/root.txt and are less interested in /etc/shadow, some modifications are required right.

changing file we need to se contents of.
Installing lib pyftpdlib to host FTP server

Now copy the exploit and make following changes in Script

On Attacker machine

Get the script on victim machine, and make it executable, then run it.

We see we get socket error. This is because , we need permissions to use ports lesser than 1000, because they are privileged ports. So we use authbind

Authbind : authbind allows a program which does not or should not run as root to bind to low-numbered ports in a controlled way. You must invoke the program using authbind.

From <https://www.google.com/search?client=firefox-b-d&q=authbind+command>

On FTP Server on our machine we see

On victim machine we see

Our script completed with root flag on output.

ROOTED!!!! Not literally though ;)



OSCP | CEH | Cyber Security Enthusiast.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store