Kotarak — HTB walkthrough
All about a loop of directory busting.
ENUMERATION
Nmap Service and OS detection Scan
I also ran a full-port scan, whose results are as follows:
PORT 60000 Kotarak Web Hosting Scan
We see that whatever URL we give it, it displays that URL's contents here.
Can we access the contents of http://10.10.10.55:8009/? No, not working.
On http://10.10.10.55:8080/manager/html? No, auth is still required.
On path=http://10.10.10.55:8080../../../../../../../etc/passwd%00? Nope.
On file:///etc/passwd? It says "Try harder".
This means there could be SSRF (Server Side Request Forgery): the server takes a URL from us, fetches it itself using its own network position and privileges, and reflects the response back to us. Such a request can read internal resources we have no direct access to, because the server is fooled into fetching them on our behalf.
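The "Try harder" responses show the fetcher filters some inputs but not the whole class. As an added example, not the box's or the author's code, here is the server-side check a defender would put in front of such a fetch feature; the scheme and port allow-lists and the injectable resolver are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: the feature only needs to fetch public web ports

def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # treat ::ffff:127.0.0.1 as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def _as_ip_literal(host: str):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def check_fetch_url(url: str, resolver=socket.gethostbyname_ex):
    """Return (allowed, reason) for a user-supplied URL before the server fetches it.
    resolver is injectable so the check can be unit-tested offline."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # blocks file://, gopher://, dict://, ...
        return False, f"scheme not allowed: {scheme or '(none)'}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:                         # e.g. '8080..' left over from a traversal attempt
        return False, "invalid port"
    if port not in ALLOWED_PORTS:              # blocks 8009, 8080, 888 and other internal ports
        return False, f"port not allowed: {port}"
    literal = _as_ip_literal(host)
    if literal is not None:
        addrs = [str(literal)]
    else:
        try:
            addrs = resolver(host)[2]
        except (socket.gaierror, OSError):
            return False, "hostname does not resolve"
    for addr in addrs:                          # every resolved address must be public
        if not is_public_ip(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

The fetch itself must then connect to the address that was checked and must not follow redirects, otherwise a second lookup or a 302 can still land on loopback.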
Let’s try more
Sent file:///127.0.0.1:8080/. Again it says "Try harder".
Why are we sending 127.0.0.1:8080? We know port 8080 is open, and here we have SSRF, so let's enumerate all the ports. For this, capture the request in Burp and send it to Intruder.
1) Capture a request, say file:///127.0.0.1:80
2) Send it to Intruder and mark the port number as the payload position by adding $$ as shown
3) In the payload options set
This will use 1–65535 as the port numbers and try to get a response from each one by one.
4) Run the attack
To see the contents of each, we use the same trick.
Going through each, we see
We notice the URLs change. What about sending file:///127.0.0.1:888?doc=backup, so that instead of the server fetching doc=backup from the outside, it fetches it from its own localhost?
Capture in Burp and fuzz.
On the front page we get nothing, but looking at the source code we see
Whoa... we get the Tomcat manager username and password. Going to port 8080.
PORT 8080 Apache Tomcat
Now we will deploy a WAR file to get a reverse shell.
Open link on new tab
On netcat
We cannot get user.txt. We notice the hostname is kotarak-dmz, so we need to become a user of the internal network, not the DMZ. On enumerating the Tomcat home directory I found
Transfer both to your machine
Now that we have ntds.dit and ntds.bin, we can use secretsdump.py to get the hashes.
We see the Administrator and Atanas hashes:
Administrator : e64fe0f24ba2489c05e64354d74ebd11 : f16tomcat!
Atanas : 2b576acbe6bcfda7294d6bd18041b8fe : Password123!
Since there is no Administrator account on this box, we test both passwords against Atanas one by one. SSH with either of them does not work, but switching user (su) does.
PRIVILEGE ESCALATION
But we do have access to /root.
We also see a file named app.log, which shows a cronjob running as root that tries to download a file named archive.tar.gz using wget. The log also reveals the wget version: 1.6.
We also see that it is connecting to 10.0.3.133.
Okay, so Wget v1.6 is revealed here. Let's check for exploits: https://www.exploit-db.com/exploits/40064
Following the exploit PoC, we first create a .wgetrc file.
Then we change /etc/shadow to /root/root.txt. Why? Because we need /root/root.txt and are less interested in /etc/shadow, so some modifications are required.
Now copy the exploit and make the following changes in the script.
On Attacker machine
Get the script onto the victim machine, make it executable, then run it.
We see we get a socket error. This is because we need permissions to bind to ports lower than 1000, as they are privileged ports. So we use authbind.
Authbind: authbind allows a program which does not or should not run as root to bind to low-numbered ports in a controlled way. You must invoke the program using authbind.
From <https://www.google.com/search?client=firefox-b-d&q=authbind+command>
On the FTP server on our machine we see
On the victim machine we see
Our script completed with the root flag in its output.
ROOTED!!!! Not literally though ;)