3. Skyfall

3.1. Machine Info


3.2. Recon

3.2.1. port

  • nmap

    • 22, ssh

    • 80, http nginx

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA)
|_  256 74:48:33:07:b7:88:9d:32:0e:3b:ec:16:aa:b4:c8:fe (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Skyfall - Introducing Sky Storage!
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT      STATE         SERVICE
53/udp    closed        domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    closed        tftp
123/udp   closed        ntp
135/udp   closed        msrpc
137/udp   closed        netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   closed        netbios-ssn
161/udp   closed        snmp
162/udp   open|filtered snmptrap
445/udp   closed        microsoft-ds
500/udp   closed        isakmp
514/udp   open|filtered syslog
520/udp   closed        route
631/udp   closed        ipp
1434/udp  closed        ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
49152/udp open|filtered unknown

3.2.2. subdomain

domain names:

  • skyfall.htb

  • demo.skyfall.htb

└─╼$ gobuster vhost -u http://skyfall.htb --append-domain -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://skyfall.htb
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: demo.skyfall.htb Status: 302 [Size: 218] [--> http://demo.skyfall.htb/login]
Progress: 114441 / 114442 (100.00%)
===============================================================
Finished
===============================================================
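Defender-side example added here (not part of the original write-up): the vhost enumeration above sends 114k requests from one client, each with a different Host header, and the tool's default User-Agent is gobuster/3.6. The script runs that detection over a few constructed nginx log lines; it assumes a custom log_format that records $host, because the stock combined format does not.

```python
import re
from collections import defaultdict

# Constructed sample lines, not captured from the box. Assumed nginx log_format:
#   log_format vhost '$remote_addr $host "$request" $status "$http_user_agent"';
# (the stock "combined" format omits $host, so the Host header is invisible there)
SAMPLE_LOG = """\
10.10.14.5 www.skyfall.htb "GET / HTTP/1.1" 404 "gobuster/3.6"
10.10.14.5 mail.skyfall.htb "GET / HTTP/1.1" 404 "gobuster/3.6"
10.10.14.5 ftp.skyfall.htb "GET / HTTP/1.1" 404 "gobuster/3.6"
10.10.14.5 demo.skyfall.htb "GET / HTTP/1.1" 302 "gobuster/3.6"
10.10.14.5 dev.skyfall.htb "GET / HTTP/1.1" 404 "gobuster/3.6"
10.10.14.5 test.skyfall.htb "GET / HTTP/1.1" 404 "gobuster/3.6"
192.168.1.20 skyfall.htb "GET / HTTP/1.1" 200 "Mozilla/5.0"
192.168.1.20 demo.skyfall.htb "GET /login HTTP/1.1" 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\d{3}) "([^"]*)"$')
# Tools that advertise themselves by default; gobuster/3.6 is the one seen above.
SCANNER_UA = re.compile(r"gobuster|ffuf|wfuzz|dirb", re.I)


def parse(line):
    """Split one log line into fields; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, host, request, status, ua = m.groups()
    return {"ip": ip, "host": host, "request": request,
            "status": int(status), "ua": ua}


def detect_vhost_bruteforce(log_text, min_hosts=5):
    """Flag clients that cycled through >= min_hosts distinct Host headers or
    that identify as an enumeration tool. 'hits' lists the Host values that got
    a non-404 answer: those are the vhosts the scanner actually discovered."""
    per_ip = defaultdict(lambda: {"hosts": set(), "scanner_ua": False, "hits": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["hosts"].add(rec["host"])
        entry["scanner_ua"] |= bool(SCANNER_UA.search(rec["ua"]))
        if rec["status"] != 404:
            entry["hits"].add(rec["host"])
    return {ip: {"distinct_hosts": len(e["hosts"]), "scanner_ua": e["scanner_ua"],
                 "hits": sorted(e["hits"])}
            for ip, e in per_ip.items()
            if len(e["hosts"]) >= min_hosts or e["scanner_ua"]}
```

Lowering min_hosts trades false positives for catching tools that spoof a browser User-Agent; the scanner-UA match alone is only a convenience signal.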

3.2.3. web

  1. skyfall.htb: a website introducing a storage service

└─╼$ whatweb http://10.10.11.254/
http://10.10.11.254/ [200 OK] Bootstrap, Country[RESERVED][ZZ], Email[askyy@skyfall.htb,btanner@skyfall.htb,contact@skyfall.com,jbond@skyfall.htb], Frame, HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.254], Lightbox, Script, Title[Skyfall - Introducing Sky Storage!], nginx[1.18.0]

  2. demo.skyfall.htb: guest credentials guest:guest, framework Flask, cloud storage MinIO

    1. Files: upload from a local file

    2. Beta: restricted

    3. URL Fetch: upload from a URL

    4. MinIO Metrics: 403 Forbidden

3.3. Foothold


Notice: the full version of write-up is here.

3.4. Exploit Chain

  1. Port scan: 22 and 80, with the domain skyfall.htb

  2. Subdomain recon: demo.skyfall.htb, a cloud storage site with functions such as file upload

  3. MinIO /metrics 403 bypass -> MinIO endpoint

  4. Discover three versions of askyy's home directory: v1 holds an SSH private key, v2 holds the Vault config

  5. Use Vault to authenticate and obtain askyy's OTP

  6. vault-unseal sudo usage: create an askyy debug.log and run it with sudo to read the log info

  7. Find the master token

  8. Use Vault with this token to obtain the root OTP -> root shell