HackTheBox - Mentor

tags: hackthebox linux medium

Author: kavigihan

Initial Enumeration

nmap

# Nmap 7.92 scan initiated Sun Dec 11 00:48:33 2022 as: nmap -vvv -sC -sV -oN nmap/mentor mentor.htb
Nmap scan report for mentor.htb (10.129.107.185)
Host is up, received echo-reply ttl 63 (0.16s latency).
Scanned at 2022-12-11 00:48:34 IST for 14s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c7:3b:fc:3c:f9:ce:ee:8b:48:18:d5:d1:af:8e:c2:bb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO6yWCATcj2UeU/SgSa+wK2fP5ixsrHb6pgufdO378n+BLNiDB6ljwm3U3PPdbdQqGZo1K7Tfsz+ejZj1nV80RY=
| 256 44:40:08:4c:0e:cb:d4:f1:8e:7e:ed:a8:5c:68:a4:f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjv9f3Jbxj42smHEXcChFPMNh1bqlAFHLi4Nr7w9fdv
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://mentorquotes.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 11 00:48:48 2022 -- 1 IP address (1 host up) scanned in 14.89 seconds

In the nmap scan we see

Web

Visiting the page shows us

Enumerating the site for directories we find nothing,

but doing a vhost enumeration we find a new subdomain, api.mentorquotes.htb.

Enumerating the api subdomain we find a Swagger doc page.

We also find an email:

james@mentorquotes.htb

I was able to create a user using the signup API.

Login

Getting Quotes

Looking at the token we see it is a JWT.

Trying to register with James's email we are able to register. Since the token doesn't carry any admin check, maybe the check is on the email?

But that too leads nowhere; maybe it is on the username?

And we get admin access to the API.

Checking the /admin route we see two functionalities.
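The authorisation flaw the writeup describes is that the API decides who is admin from a mutable, non-unique attribute (the username carried in the JWT) and registration lets a second account take the same username. The following is an added illustration, not code from the box or the author: a constructed toy user store and HS256-style token (the signing key, store layout and function names are all stand-ins) showing the vulnerable check next to a fix that authorises on the immutable user id against a server-side role table and rejects duplicate identities at registration.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass, field

SECRET = b"stand-in-signing-key"  # constructed; not the box's key

def b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

@dataclass
class UserStore:
    users: list = field(default_factory=list)
    admin_ids: set = field(default_factory=lambda: {1})  # role lives server-side

    def register_vulnerable(self, email, username):
        # No uniqueness check: a second "james" row is accepted, as in the dumped table
        uid = len(self.users) + 1
        self.users.append({"id": uid, "email": email, "username": username})
        return uid

    def register_fixed(self, email, username):
        # Reject reuse of identity fields instead of trusting the client later
        if any(u["username"] == username or u["email"] == email for u in self.users):
            raise ValueError("username or email already registered")
        return self.register_vulnerable(email, username)

def issue_token(claims: dict) -> str:
    # Minimal header.payload.signature token standing in for the API's JWT
    body = b64(b'{"alg":"HS256"}') + b"." + b64(json.dumps(claims).encode())
    return (body + b"." + b64(hmac.new(SECRET, body, hashlib.sha256).digest())).decode()

def verify(token: str) -> dict:
    head, payload, sig = token.split(".")
    body = f"{head}.{payload}".encode()
    expected = b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig.encode()):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def is_admin_vulnerable(token: str) -> bool:
    # Flaw: the username claim is the authorisation key
    return verify(token)["username"] == "james"

def is_admin_fixed(store: UserStore, token: str) -> bool:
    # Fix: authorise on the user id against the server-side role table
    return verify(token)["id"] in store.admin_ids

def demo():
    store = UserStore()
    store.register_vulnerable("james@mentorquotes.htb", "james")         # real admin, id 1
    uid = store.register_vulnerable("second@example.invalid", "james")  # duplicate username
    tok = issue_token({"id": uid, "username": "james"})
    return is_admin_vulnerable(tok), is_admin_fixed(store, tok)       # (True, False)
```

The same duplicate-username row that `register_vulnerable` accepts is exactly what `register_fixed` turns away, and the detection side follows from it: more than one row per username or email in the users table is the signal to alert on.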

Checking the backup route,

using a backtick (`) we are able to get a shell.

Escalation

Updating the user model to include the password field.

Now on querying the /users API we get the passwords too.

[
{
"id": 1,
"email": "james@mentorquotes.htb",
"username": "james",
"password": "7ccdcd8c05b59add9c198d492b36a503"
},
{
"id": 2,
"email": "svc@mentorquotes.htb",
"username": "service_acc",
"password": "53f22d0dfa10dce7e29cd31f4f953fd8"
},
{
"id": 4,
"email": "f3v3r@f3v3r.in",
"username": "f3v3r",
"password": "949e204bf64777f4df24b1ae88c964c7"
},
{
"id": 5,
"email": "james@mentorquotes.htb",
"username": "tesst",
"password": "176c8bbfe04d83668bc6656b71bed22c"
},
{
"id": 6,
"email": "james@mentorquotes.htb",
"username": "tesst'",
"password": "176c8bbfe04d83668bc6656b71bed22c"
},
{
"id": 7,
"email": "f3v3r@something.som",
"username": "james",
"password": "949e204bf64777f4df24b1ae88c964c7"
}
]

Trying to crack the passwords, we are able to crack the password for the svc user,

and we get a shell as svc.

Privilege Escalation

Running LinPEAS we find a script that we own,

which is calling the james API.

kj23sadkj123as0-d213
Trying the creds from login.sh to su to james doesn't work.

After going through config files,

I find another password in the /etc/snmp config:

SuperSecurePassword123__

Toward Root

Checking sudo -l,

we see we can run /bin/sh as root.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/mentor/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stated otherwise.