{"id":573,"date":"2021-01-05T13:42:37","date_gmt":"2021-01-05T13:42:37","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=573"},"modified":"2021-01-05T13:42:42","modified_gmt":"2021-01-05T13:42:42","slug":"ghoul-hackthebox-walkthrough-part-2","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/ghoul-hackthebox-walkthrough-part-2\/","title":{"rendered":"Ghoul hackthebox walkthrough – Part 2"},"content":{"rendered":"\n

Hey fellas! This is the follow-up post to pwn the ghould from hackthebox. You can find the part 1 of the walkthrough here<\/a><\/span>.<\/p>\n\n\n\n

Lets quickly jump into grabbing the root.txt<\/p>\n\n\n\n

After logging in as kaneki there were a few files present.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Notes.txt has something interesting!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The content of other files were<\/p>\n\n\n\n

root@Aogiri:\/home\/Eto# cat alert.txt \nHey Noro be sure to keep checking the humans for IP logs and chase those little shits down!\n\nroot@Aogiri:\/home\/kaneki# cat notes\nI've set up file server into the server's network ,Eto if you need to transfer files to the server can use my pc.\nDM me for the access.\n\nroot@Aogiri:\/home\/noro# cat to-do.txt \nNeed to update backups.<\/pre>\n\n\n\n
note.txt talking about the vulnerability in gogs and there is some file server present that means a different system. Also, there are some test accounts present. <\/p>\n\n\n\n
Lets find any active machine. <\/p>\n\n\n\n
Next task was to find all the other active mahines. That can be done by compiling the nmap binary, but why not try writing a bash script to do the same?!<\/p>\n\n\n\n
Below is the script to find the online machines using bash and ping<\/p>\n\n\n\n
#!\/bin\/bash\n\nfor i in $(seq 2 255); do\n        ping -c 1 -W 1 172.20.0.$i 1>\/dev\/null 2>&1\n        if [[ $? -eq 0 ]]; then\n                echo \"172.20.0.$i - Online\"\n        fi\ndone\n<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So the script found 2 ips online : 172.20.0.10 and 172.20.0.150<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Listing the contents of authorized keys bought to my notice that kaneki_pub is a user on the machine with hostname kaneki-p (whose ip is 172.20.0.150). So let’s try sshing!!!<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
It asks for passphrase. Remeber when the website leaked secret.php. It contained our passphare being : ILoveTouka <3 and voila we got in. Same pass is used again and again!<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
to-do.txt tells us that a user named AogiriTest is present.<\/p>\n\n\n\n
Ifconfig is giving us 2 network interfaces eth0 and eth1. Aogiri’s ip is 172.20.0.10 and kaneki-pc’s ip is 172.20.0.150 hence they are on the same network.<\/p>\n\n\n\n
Now in ifconfig of kaneki-pc,  we can clearly see completely different network present that has the subnet mask of 172.18.0.0\/24. Now lets create a script to scan for port on eth1 interface. We can use the previously built script to find out the active machines.<\/p>\n\n\n\n
172.18.0.2 came out to be as an active machine. So lets scan for its ports.<\/p>\n\n\n\n
#!\/bin\/bash\n\necho 1 > \/dev\/tcp\/172.18.0.2\/$1 1>\/dev\/null 2>&1\nif [[ $? -eq 0 ]]; then\n        echo \"172.18.0.2:$1 - online\"\nfi\n<\/pre>\n\n\n\n
And we get 22 and 3000 as online. I just made a guess with 3000 as its the default port for gogs and earlier we got some hints around txt files.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
In order to access the gogs, ssh port-forwarding has to be done.<\/p>\n\n\n\n
Reason? Gogs is running inside a docker which has no gui. So in order to view the gui and run gogs on the browser, the port X of the local machine has to be mapped to the port 3000 of the docker. And thats called as ssh port forwarding.<\/p>\n\n\n\n
Tunneling<\/h1>\n\n\n\n
press enter and then ~C to enter the ssh mode<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
You can find more about ssh konami codes here\u2192 https:\/\/www.sans.org\/blog\/using-the-ssh-konami-code-ssh-control-sequences\/<\/a><\/p>\n\n\n\n
We will be doing a local port forward. So we r listening on our box and then we will be directing this to 172.20.0.150 (where we had our kaneki_pub) on port 22<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"https:\/\/s3-us-west-2.amazonaws.com\/secure.notion-static.com\/f7bce5a7-8f03-4797-b0ed-3e8b7ee8225b\/Untitled.png\"\/<\/figure>\n\n\n\n
root@kali:~\/Desktop\/hackthebox\/ghoul# ssh -p 5001 -i kaneki kaneki_pub@localhost\nload pubkey \"kaneki\": invalid format\nEnter passphrase for key 'kaneki': \nLast login: Sun Nov 29 09:05:38 2020 from 172.20.0.10\nkaneki_pub@kaneki-pc:~$\n\nkaneki_pub@kaneki-pc:~$ \nkaneki_pub@kaneki-pc:~$ \nssh> -L 3000:172.18.0.2:3000\n<\/pre>\n\n\n\n
After sshing from the local machine as kaneki_pub, port 3000 of kaneki-pc has to be mapped with port 3000 of the local machine. So when i run http:\/\/localhost:3000<\/a> on local machine, it is actually getting executed on kaneki-pc. I hope everything makes sense!!!<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Now we have a tunnel that is listening on our port 3000 and will go to 172.18.0.2:3000<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
And we get gogs landing page, asking for username and password. But notice that version of gogs.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Now a bit of previous information is required. to-do.txt revelas a username AogiriTest of which the password can be found in tomcat configuration files.<\/p>\n\n\n\n
password found in the tomcat (test@aogiri123)<\/p>\n\n\n\n
Once logged into the gogs, create a repository.<\/p>\n\n\n\n
root@kali:~\/Desktop\/hackthebox\/ghoul# go run cookiegen.go \n0eff81040102ff82000110011000005aff82000306737472696e670c070005756e616d6506737472696e670c060004726f6f7406737472696e670c0a00085f6f6c645f75696406737472696e670c0300013106737472696e670c05000375696405696e74363404020002\n<\/pre>\n\n\n\n
it created a go serialized object<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
upload this file on the newly created git repo.<\/p>\n\n\n\n
The vulnerable version allows us to perform a directory traversal.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Viewing the page source gives us the information about directory.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So now, we need to do a directory traversal. If the file exsts, i_like_gogits will execute the data file<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
And voila! We are now signed in as kaneki.<\/p>\n\n\n\n
Now the git hooks can be modified to get the reverse shell based on triggers of file upload.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Open a nc listener on local machine and upload a file on git gogs. Make a commit.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
And we get a shell with git user.<\/p>\n\n\n\n
Now run enumeration script (linenum.sh<\/a>). I found gosu binary was present. And you guessed it right, it can be used to escalate privileges.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
A few more steps revelas the actual password for user- kaneki on git gogs<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I downloaded the 7z file on local machine for analysis. git reflog got me something interesting.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
# git diff e29ad43<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So there were multiple passwords written in here. But the one that works is kaneki: 7^Grc%C\\7xEQ?tb4<\/p>\n\n\n\n
I quickly did su<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Oh man! Its not over yet!!!<\/p>\n\n\n\n
I again did some more enumeration and found out that ssh-agent is running on the box. <\/p>\n\n\n\n
Root is periodically logging in and hence his session can be captured and we will be able to finally login as root on the box that is hosting all the docker machines.<\/p>\n\n\n\n
What is ssh-agent??<\/h2>\n\n\n\n
You can relate that to single-sign on. So you just give the credentails once and the agent will take care of signing in to the rest of the services. The agent keeps track of the user’s identity keys and the passphrase and then uses those keys to login to other servers. SSH ForwardAgent is yes means the agent is active.<\/p>\n\n\n\n
Getting the root<\/h1>\n\n\n\n