Inception – HacktheBox
LEARNED
Using a proxy with nikto
Gobuster can not search recursively
Searchsploit can search output of nmap
START
What ports are open on this machine
    [root:~/Desktop/inception]# nmap -p- 10.10.10.67 -T5
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-12 09:54 BST
    Nmap scan report for 10.10.10.67
    Host is up, received echo-reply ttl 63 (0.034s latency).
    Not shown: 65533 filtered ports
    Reason: 65533 no-responses
    Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
    PORT     STATE SERVICE    REASON
    80/tcp   open  http       syn-ack ttl 62
    3128/tcp open  squid-http syn-ack ttl 62
    Nmap done: 1 IP address (1 host up) scanned in 56.14 seconds
A more comprehensive scan is needed, focusing on those ports
    [root:~/Desktop/inception]# nmap -p80,3128 -sC -sV -oA detailed.portscan -T4 10.10.10.67
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-12 09:57 BST
    Nmap scan report for 10.10.10.67
    Host is up, received echo-reply ttl 63 (0.034s latency).
    PORT     STATE SERVICE    REASON         VERSION
    80/tcp   open  http       syn-ack ttl 62 Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Inception
    3128/tcp open  http-proxy syn-ack ttl 62 Squid http proxy 3.5.12
    |_http-server-header: squid/3.5.12
    |_http-title: ERROR: The requested URL could not be retrieved
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 42.07 seconds
OK, it didn’t really reveal anything extra, other than that the http-proxy can not be retrieved.
GoBuster time.
    [root:~/Desktop/inception]# gobuster -u 10.10.10.67 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -t 100 -r -f
    Gobuster v1.2 OJ Reeves (@TheColonial)
    =====================================================
    [+] Mode : dir
    [+] Url/Domain : http://10.10.10.67/
    [+] Threads : 100
    [+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-1.0.txt
    [+] Status codes : 302,307,200,204,301
    [+] Add Slash : true
    [+] Follow Redir : true
    =====================================================
    /images/ (Status: 200)
    /assets/ (Status: 200)
    =====================================================
Note the -t 100 sets the threads to 100, which is not recommended on the free Hack The Box as it may impact the server. I’m on the VIP, which means fewer users are on it, so the -t 100 won’t affect it as much. I added the -f to follow any redirects; I did this as the website could send us to the proxy site. Unfortunately I can not see how to make the search recursive, meaning search the contents of each folder it finds. I did a GoBuster search using http://10.10.10.67:3128 but nothing came back.
After several attempts, with nikto against 10.10.10.67 coming back with nothing and against 10.10.10.67:3128 coming back with ALL the vulnerabilities, I managed to get the command correct.
    [root:~/Desktop/inception]# nikto -h 10.10.10.67 -useproxy http://10.10.10.67:3128
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP: 10.10.10.67
    + Target Hostname: 10.10.10.67
    + Target Port: 80
    + Proxy: 10.10.10.67:3128
    + Start Time: 2018-04-12 10:40:47 (GMT1)
    ---------------------------------------------------------------------------
    + Server: squid/3.5.12
    + Retrieved via header: 1.1 Inception (squid/3.5.12)
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + Uncommon header 'x-squid-error' found, with contents: ERR_ACCESS_DENIED 0
    + Uncommon header 'x-cache-lookup' found, with contents: NONE from Inception:3128
    + Uncommon header 'x-cache' found, with contents: MISS from Inception
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + All CGI directories 'found', use '-C none' to test none
    + 26152 requests: 0 error(s) and 7 item(s) reported on remote host
    + End Time: 2018-04-12 10:56:28 (GMT1) (941 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
But it didn’t give me anything useful (that I could tell). More web enumeration needed.
    [root:~]# gobuster -u http://10.10.10.67 -w /usr/share/wordlists/dirb/big.txt -s '200,204,301,302,307,403,500' -e
    Gobuster v1.2 OJ Reeves (@TheColonial)
    =====================================================
    [+] Mode : dir
    [+] Url/Domain : http://10.10.10.67/
    [+] Threads : 10
    [+] Wordlist : /usr/share/wordlists/dirb/big.txt
    [+] Status codes : 204,301,302,307,403,500,200
    [+] Expanded : true
    =====================================================
    http://10.10.10.67/.htpasswd (Status: 403)
    http://10.10.10.67/.htaccess (Status: 403)
    http://10.10.10.67/assets (Status: 301)
    http://10.10.10.67/dompdf (Status: 301)
    http://10.10.10.67/images (Status: 301)
    http://10.10.10.67/server-status (Status: 403)
    =====================================================
I could not see anything useful on those sites.
Need to figure out what type of service is running on 3128
    [root:~/Desktop/inception]# amap 10.10.10.67 3128
    amap v5.4 (www.thc.org/thc-amap) started at 2018-04-12 15:30:53 - APPLICATION MAPPING mode
    Protocol on 10.10.10.67:3128/tcp matches http
    Protocol on 10.10.10.67:3128/tcp matches http-apache-2
    Protocol on 10.10.10.67:3128/tcp matches http-proxy
    Unidentified ports: none.
    amap v5.4 finished at 2018-04-12 15:30:59
As expected a http proxy – we knew this already from previous scans.
During my attempts at enumeration I found a useful thing searchsploit does: it can search your nmap outputs. Make sure you output as .xml (I normally do -oA, which outputs all formats, including xml).
    [root:~/Desktop/inception]# searchsploit --nmap detailed.portscan.xml
    [i] SearchSploit's XML mode (without verbose enabled). To enable: searchsploit -v --xml...
    [i] Reading: 'detailed.portscan.xml'
    [i] /usr/bin/searchsploit -t apache httpd 2 4 18
    [i] /usr/bin/searchsploit -t squid http proxy 3 5 12
But no additional info was forthcoming.
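How the two search terms in that output can be derived from the nmap XML, as an added example (not searchsploit's own code and not part of the original post). The XML is a constructed sample modelled on the scan above, with a constructed filtered port 8080 added to show the skip, and the normalisation in the hypothetical search_terms helper is an assumption inferred from the two terms shown.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed nmap -oX output modelled on the scan in this post.
# Port 8080 is not from the real scan; it is added to show a non-open port being skipped.
SAMPLE_XML = """<nmaprun scanner="nmap" version="7.70">
  <host>
    <address addr="10.10.10.67" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18"/>
      </port>
      <port protocol="tcp" portid="3128">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" product="Squid http proxy" version="3.5.12"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
        <service name="http-alt"/>
      </port>
    </ports>
  </host>
</nmaprun>"""

def service_inventory(xml_text):
    """Return (address, port, product, version) for each open port nmap fingerprinted."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports carry no usable version data
            if svc is None or not svc.get("product"):
                continue  # -sV found no product, so there is nothing to look up
            rows.append((addr, int(port.get("portid")),
                         svc.get("product"), svc.get("version", "")))
    return rows

def search_terms(product, version):
    """Assumed normalisation: lower-case, split on anything that is not a letter or digit."""
    return " ".join(re.findall(r"[a-z0-9]+", f"{product} {version}".lower()))

if __name__ == "__main__":
    for addr, port, product, version in service_inventory(SAMPLE_XML):
        print(f"{addr}:{port}  {product} {version}  ->  {search_terms(product, version)}")
```

The same inventory is what you would diff against a patch baseline: product and version per open port, with unfingerprinted and filtered ports left out.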
The source of the web page is interesting, but I can’t seem to get Burp to change the user agent to IE8; not even sure if that will reveal anything.
    html>html>
    <head>
    <title>Inception</title>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
    <!--[if lte IE 8]>http://assets/js/ie/html5shiv.js<![endif]-->
    <link rel="stylesheet" href="assets/css/main.css" />
    <!--[if lte IE 8]><link rel="stylesheet" href="assets/css/ie8.css" /><![endif]-->
    <!--[if lte IE 9]><link rel="stylesheet" href="assets/css/ie9.css" /><![endif]-->
    </head>
    <body>
    <!-- Header -->
    <header id="header">
    <h1>Inception</h1>
    <p>Dreams feel real while your in them right? <br /> Its only when you wake up when you realize they were actually strange. </p>
    </header>
    <!-- Signup Form -->
    <form id="signup-form" method="post" action="#">
    <input type="email" name="email" id="email" placeholder="Email Address" />
    <input type="submit" value="Sign Up" />
    </form>
    <!-- Footer -->
    <footer id="footer">
    <ul class="icons">
    <li><a href="#" class="icon fa-twitter"><span class="label">Twitter</span></a></li>
    <li><a href="#" class="icon fa-instagram"><span class="label">Instagram</span></a></li>
    <li><a href="#" class="icon fa-github"><span class="label">GitHub</span></a></li>
    <li><a href="#" class="icon fa-envelope-o"><span class="label">Email</span></a></li>
    </ul>
    <ul class="copyright">
    <li>© Inception, Inc.</li><li>Credits: Dominic Cobb</a></li>
    </ul>
    </footer>
    <!-- Scripts -->
    <!--[if lte IE 8]>http://assets/js/ie/respond.min.js<![endif]-->
    http://assets/js/main.js
At the bottom of the main page’s source (you have to scroll through blank space) you see the following, and I use searchsploit on it:
<!-- Todo: test dompdf on php 7.x -->
And the box went live! This is how far I got after about 5 hours of working at it. Probably more than 5 hours, but that’s all I want to admit to.
I’ll post up the walkthrough later, once I finally get this box under my belt.