Dyplesher was my very first Insane Hack The Box machine. Finding an initial foothold drove me nuts, while root wasn't much harder than on a medium/hard box.
Enum
Enumeration was the part where I spent most of the time; I was looking in the wrong places and ignoring the right ones.
Nmap results
In the Nmap results below, we can see SSH, HTTP, RabbitMQ, EPMD, Memcached and minecraft-server services running, plus an unknown service on port 3000.
Knowing there was a .git directory on test.dyplesher.htb, I proceeded to dump everything I could with gogitdumper. This tool downloads all the git objects and recreates the repository on our local machine.
Now that we have memcached credentials, it is time to enumerate and find something useful. As the server is using SASL auth, we cannot use netcat or telnet, so I installed the memcached tools and checked the status of the server.
Once logged in, we could see there were two repositories: memcached, with the same contents we had already downloaded from the other web service, and a gitlab repository.
So far, there were 4 repositories. After reviewing them we observed that only 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce had anything useful for us.
Looking over the contents of this repository, I found a DB file with user credentials.
At first I tried to upload a jar plugin created by msfvenom; it failed because the name was too long while loading, and also because the plugin requires a specific structure for the tool consuming it.
To trigger the RCE, first we need to upload the plugin package and then enable it in the GUI. In the plugin list the name appeared as a long hash, but using the plugin name (xnaaro in my case) executed it properly.
Looking at the contents, we were able to find some auth strings.
```
$ tcpick -C -yP -r data2.pcap | grep subscribers
...subscribers.direct..............2.....sub.subscribers...............<.(...subscribers..........<.............application/json.........{"name":"Mafalda Wuckert I","email":"cheaney@witting.com","address":"84889 Mayert Coves Apt. 784\nEast Tabithahaven, CO 07102","password":"B9YXOT2VmiDh","subscribed":true}
.........<.(...subscribers..........<.............application/json.........{"name":"Berenice Hill","email":"weimann.janet@langosh.org","address":"237 Frank Trail Suite 931\nDareside, SD 21507","password":"B9YXOT2VmiDh","subscribed":true}
.........<.(...subscribers..........<.............application/json.........{"name":"Dr. Hailie Gleichner","email":"kihn.beth@yahoo.com","address":"47786 Koelpin Hills\nNew Abigailshire, NC 91337","password":"B9YXOT2VmiDh","subscribed":true}
.........<.(...subscribers..........<.............application/json.........{"name":"Francis Glover","email":"klemke@oconnell.info","address":"872 Wilton Land\nLauraview, PA 54556","password":"B9YXOT2VmiDh","subscribed":true}
.........<.(...subscribers..........<.............application/json.........{"name":"Ryann Quigley","email":"osvaldo.oconner@gmail.com","address":"925 Ritchie Harbor\nWest Esperanza, FL 50235-9309","password":"B9YXOT2VmiDh","subscribed":true}
.........<.(...subscribers..........<.............application/json.........{"name":"Peyton Reynolds","email":"harber.mossie@cruickshank.com","address":"644 Bauch Spur\nNew Mustafa, OH 10892","password":"B9YXOT2VmiDh","subscribed":true}
.........<.(...subscribers..........<.............application/json.........{"name":"Prof. Catalina Kessler IV","email":"umorar@heathcote.com","address":"8527 Scottie Neck\nPort Charlie, WV 87089","password":"B9YXOT2VmiDh","subscribed":true}
.........<.(...subscribers..........<.............application/json.........{"name":"Dr. Roselyn Ebert","email":"gracie.klocko@kilback.com","address":"9225 Zulauf Plaza Suite 751\nEast Obiemouth, PA 90425-1897","password":"B9YXOT2VmiDh","subscribed":true}
.........<.(...subscribers..........<.............application/json.........{"name":"Edgar Osinski","email":"tressa.mills@hotmail.com","address":"92938 Toy Lock Suite 064\nNew Rossie, MT 63835","password":"B9YXOT2VmiDh","subscribed":true}
.........<.(...subscribers..........<.............application/json.........{"name":"Gennaro Romaguera","email":"denesik.salvador@yahoo.com","address":"39874 Serena Extensions Apt. 100\nEmanuelborough, MD 38535-4626","password":"B9YXOT2VmiDh","subscribed":true}
.........<.(...subscribers..........<.............application/json.........{"name":"Gennaro Romaguera","email":"denesik.salvador@yahoo.com","address":"39874 Serena Extensions Apt. 100\nEmanuelborough, MD 38535-4626","password":"B9YXOT2VmiDh","subscribed":true}
.........<.(...subscribers..........<.........q...application/json........q{"name":"MinatoTW","email":"MinatoTW@dyplesher.htb","address":"India","password":"bixxxxxxFov","subscribed":true}
.........<.(...subscribers..........<.........l...application/json........l{"name":"yuntao","email":"yuntao@dyplesher.htb","address":"Italy","password":"waxxxxxxob","subscribed":true}
.........<.(...subscribers..........<.........p...application/json........p{"name":"felamos","email":"felamos@dyplesher.htb","address":"India","password":"tixxxxxxxxxg","subscribed":true}.
```
The credentials worked for the felamos and yuntao users.
```
$ ssh felamos@10.10.10.190
felamos@10.10.10.190's password:
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-46-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 05 Jun 2020 02:39:08 PM UTC

  System load:  0.0                Processes:              254
  Usage of /:   6.9% of 97.93GB    Users logged in:        1
  Memory usage: 33%                IP address for ens33:   10.10.10.190
  Swap usage:   0%                 IP address for docker0: 172.17.0.1

57 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings

Last login: Thu Apr 23 17:33:41 2020 from 192.168.0.103
felamos@dyplesher:~$ id
uid=1000(felamos) gid=1000(felamos) groups=1000(felamos)
felamos@dyplesher:~$ cat user.txt
a2ff93xxxxxxxxxxxxxxxxxxx
```
Cuberite
Once inside felamos's $HOME directory, we can see a file with some information on what to focus on and how to do it.
It refers to some service that reads from the RabbitMQ queues and opens a URL.
```
felamos@dyplesher:~$ cat yuntao/send.sh
#!/bin/bash
echo 'Hey yuntao, Please publish all cuberite plugins created by players on plugin_data "Exchange" and "Queue". Just send url to download plugins and our new code will review it and working plugins will be added to the server.' > /dev/pts/{}
```
Checking the running processes, we can observe an interesting one executing something called Cuberite.
I investigated a bit what the service was doing and what language it uses, and found out that the plugins are written in the Lua programming language: https://book.cuberite.org/#0.1
At first I tried to read the queues, but auth was required. Looking at the previously captured .pcap file, I was able to see another credential for AMQP.
```
......capabilitiesF.....publisher_confirmst..exchange_exchange_bindingst.basic.nackt..consumer_cancel_notifyt..connection.blockedt..consumer_prioritiest..authentication_failure_closet..per_consumer_qost..direct_reply_tot..cluster_nameS....rabbit@dypleshercopyrightS....Copyright (C) 2007-2018 Pivotal Software, Inc..informationS...5Licensed under the MPL. See http://www.rabbitmq.com/.platformS....Erlang/OTP 22.0.7.productS....RabbitMQ.versionS....3.7.8....PLAIN AMQPLAIN....en_US.......=........productS....AMQPLib.platformS....PHP.versionS....2.11.1.informationS....copyrightS.....capabilitiesF.....authentication_failure_closet..publisher_confirmst..consumer_cancel_notifyt..exchange_exchange_bindingst.ExxxxxxxxxxxOp.en_US.ion.blockedt..AMQPLAIN...,.LOGINS....yuntao.PASSWORDS...
```
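As an added example (not code from the original writeup), the two kinds of cleartext secrets this capture exposed, JSON message bodies carrying a password field and the AMQPLAIN login table in the client's connection.start-ok, can be pulled out of a raw AMQP stream with a short audit script; the sample stream, the password value and the amqplain_table helper that builds it are constructed here, only the yuntao login name comes from the page. Being able to read logins this easily from a capture is the reason RabbitMQ traffic should run over TLS.

```python
import json
import re
import struct

def amqplain_table(login, password):
    """Encode an AMQPLAIN response: a longstr holding a table of long strings."""
    body = b""
    for key, val in (("LOGIN", login), ("PASSWORD", password)):
        k, v = key.encode(), val.encode()
        body += bytes([len(k)]) + k + b"S" + struct.pack(">I", len(v)) + v
    return struct.pack(">I", len(body)) + body

# Constructed sample stream (not the real capture): one JSON message body, the
# server's mechanism list, then a connection.start-ok AMQPLAIN response.
SAMPLE_STREAM = (
    b'\x00subscribers\x00application/json\x00{"name":"Example User",'
    b'"email":"user@example.test","password":"s3cr3t","subscribed":true}\x00'
    b"\x0ePLAIN AMQPLAIN\x00en_US\x00\x08AMQPLAIN"
    + amqplain_table("yuntao", "example-pw")  # placeholder password
)

def find_amqplain_logins(stream):
    """Decode every AMQPLAIN response table in the stream into a dict."""
    found = []
    # Anchor on the shortstr length byte 0x08 so the server's space-separated
    # mechanism list ("PLAIN AMQPLAIN") is not mistaken for a login.
    for m in re.finditer(rb"\x08AMQPLAIN", stream):
        (tlen,) = struct.unpack(">I", stream[m.end():m.end() + 4])
        table, i, entry = stream[m.end() + 4:m.end() + 4 + tlen], 0, {}
        while i < len(table):
            klen = table[i]
            key = table[i + 1:i + 1 + klen].decode()
            i += 1 + klen
            if table[i:i + 1] != b"S":  # AMQPLAIN only carries long strings
                break
            (vlen,) = struct.unpack(">I", table[i + 1:i + 5])
            entry[key] = table[i + 5:i + 5 + vlen].decode()
            i += 5 + vlen
        found.append(entry)
    return found

def find_json_passwords(stream):
    """Return (email, password) for every flat JSON object with a password field."""
    hits = []
    for m in re.finditer(rb"\{[^{}]*\}", stream):
        try:
            obj = json.loads(m.group())
        except ValueError:  # braces that are not JSON (binary noise) are skipped
            continue
        if "password" in obj:
            hits.append((obj.get("email"), obj["password"]))
    return hits
```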
This box took me 25 hours of work, most of it in the enumeration part; once you know the behaviour of the services, it is easily accomplished after some research and reading the development guides.