nmap zipping.htb
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-10 14:46 CEST
Nmap scan report for zipping.htb (10.10.11.229)
Host is up (0.053s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 2.95 seconds
nmap --script=http-enum zipping.htb
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-10 14:48 CEST
Nmap scan report for zipping.htb (10.10.11.229)
Host is up (0.078s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-enum:
|_  /shop/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 12.13 seconds
Website Analysis
If you click the "Work with us" button, you are redirected to a page containing an upload form.
The form asks for a .zip file containing a PDF.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:103:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:104:110:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
But we cannot read /etc/shadow.
However, we can read /var/www/html/shop/index.php, which reveals that /var/www/html/shop also contains a file called functions.php, and we can read that file with the same method.
This gives us the database credentials. Port 3306 is closed, though, so the database itself is of no direct use.
functions.php
<?php
function pdo_connect_mysql() {
    // Update the details below with your MySQL details
    $DATABASE_HOST = 'localhost';
    $DATABASE_USER = 'root';
    $DATABASE_PASS = 'MySQL_P@ssw0rd!';
    $DATABASE_NAME = 'zipping';
    try {
        return new PDO('mysql:host=' . $DATABASE_HOST . ';dbname=' . $DATABASE_NAME . ';charset=utf8', $DATABASE_USER, $DATABASE_PASS);
    } catch (PDOException $exception) {
        // The excerpt above stops at the try block; this handler is assumed, not taken from the file.
        exit('Failed to connect to database!');
    }
}
Inspecting other files, we find that cart.php filters the product_id parameter with preg_match.
cart.php
<?php
// If the user clicked the add to cart button on the product page we can check for the form data
if (isset($_POST['product_id'], $_POST['quantity'])) {
    // Set the post variables so we easily identify them, also make sure they are integer
    $product_id = $_POST['product_id'];
    $quantity = $_POST['quantity'];
    // Filtering user input for letters or special characters
    // Note: no /s or /D modifier, so "." does not match a newline and "$" also matches before a trailing newline
    if (preg_match("/^.*[A-Za-z!#$%^&*()\-_=+{}\[\]\\|;:'\",.<>\/?]|[^0-9]$/", $product_id, $match) ||
    // ... the rest of the condition and the block body are not shown in this excerpt
Reverse shell
The preg_match filter can be bypassed by placing %0A (a newline) before the value.
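As an added PHP example (not code from this write-up or from the Zipping box), the cart.php regex is shown beside an allow-list check and a bound query; the helper names, table and column are assumed:

```php
<?php
// Added example, not code from the write-up or the Zipping box: the cart.php
// deny-list regex next to an allow-list replacement and a bound query.

// The regex exactly as cart.php uses it; the check REJECTS when it matches.
// Without the /s modifier "." stops at a newline, and without /D "$" also
// matches just before a trailing newline, so both anchors are weaker than
// they look.
const VULNERABLE_RE = '/^.*[A-Za-z!#$%^&*()\-_=+{}\[\]\\|;:\'",.<>\/?]|[^0-9]$/';

function rejected_by_denylist(string $product_id): bool
{
    return preg_match(VULNERABLE_RE, $product_id) === 1;
}

// Hypothetical hardened check: allow-list exactly one positive integer,
// anchored with \A and \z (true start and end of the string), and return
// a typed value instead of the raw string.
function parse_product_id(string $product_id): ?int
{
    if (preg_match('/\A[1-9][0-9]*\z/', $product_id) !== 1) {
        return null;
    }
    return (int) $product_id;
}

// Hypothetical query helper: even a validated id is bound, never
// concatenated into the SQL text. Table and column names are assumed.
function fetch_product(PDO $pdo, int $product_id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM products WHERE id = :id');
    $stmt->bindValue(':id', $product_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs: a normal id, a value with a letter in it, and
// the same letter hidden behind a leading newline and a trailing digit.
$samples = ["42", "4x2", "\n4x2"];
foreach ($samples as $s) {
    printf("%-10s deny-list rejects: %-3s allow-list id: %s\n",
        json_encode($s),
        rejected_by_denylist($s) ? 'yes' : 'no',
        var_export(parse_product_id($s), true));
}
```

The third sample passes the deny-list unchanged because `^.*` cannot cross the leading newline and the final character is a digit, while the allow-list returns null for it.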
Using the strings command we can inspect the printable strings in the file /usr/bin/stock.
strings /usr/bin/stock
...
S******r
...
As we can see, this reveals the password required to run the program.
Debugging
Running strace /usr/bin/stock lets us debug the program and shows that it tries to load a file that does not exist, /home/rektsu/.config/libcounter.so.
So we create that file and then run stock again.