Mentor

Introduction

Mentor is a medium-level box; however, most of the services exploited were somewhat new to me, so it wasn't really a walk in the park.

Enumeration

Nmap shows two open ports, and the web server redirects to http://mentorquotes.htb. The page only contains some quotes: no links, no robots.txt and no sub-directories.

I decided to scan UDP ports with nmap and found that SNMP (port 161) is open.

So, SNMP is running, but I need the community string. I googled tools for this task and found one on GitHub called SNMP Brute.

Now we know the SNMP version as well as the community strings (internal and public).

Using snmpwalk with the command snmpwalk -v2c -c internal mentorquotes.htb, I was able to find the string below, which looks like a password... partly instinct, and partly because it appears next to a login file.

At this point we have what seems to be a password but no headway... Yes, I saw the name james above and tried both together in an SSH attempt, but no luck.

Time to scan for subdomains...

As seen above, there is an "api" subdomain returning 404. While the page itself is not available, that doesn't mean the subdomain won't have sub-directories.

Using dirb, I found some sub-directories, but only "/docs" returns 200 OK.

On the /docs page, which uses Swagger UI, there are some endpoints with JSON parameters allowing us to create an account, log in, get all users, etc.

After playing around with the page, creating users and logging in as a newly created user, I noticed that when you log in you get that user's login token, also called an authentication token, which is a JWT.

We can see the username james on the above page; it also appeared in the data we got from the SNMP enumeration.

Let's try to log in as james then... and as you can see, we were able to successfully log in with the password and get james's token.

User

With the right authentication token, I was also able to see all users on the app.

Now let's try to access the sub-directories that returned status code 307 before we had login access.

As seen below, the admin page returned two other pages, /check and /backup.

The backup page doesn't allow the GET method, as seen below. Once changed to POST, we got another output.

The backup page requires body and path JSON entries, so let's supply the required input.

We get "done!" after supplying the input. Now, trying to exploit this...

Apparently, there is a code injection vulnerability, and this is demonstrated below using curl and tcpdump.
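To make clear what kind of bug the backup endpoint has, here is an added example (not the MentorQuotes application's own code) of a handler that splices the JSON path value into a shell command, next to a hardened version that confines the path and never invokes a shell; BACKUP_ROOT, ARCHIVE and the exact request shape {"body": ..., "path": ...} are assumptions based on the parameters named above.

```python
"""Constructed example: a backup handler with the command-injection pattern,
beside a hardened version. Not the MentorQuotes app's code; BACKUP_ROOT and
ARCHIVE are assumed values."""
import subprocess
from pathlib import Path

BACKUP_ROOT = Path("/srv/app")            # assumed: only this tree may be archived
ARCHIVE = Path("/tmp/backup.tar.gz")      # assumed: where the archive is written
SHELL_METACHARS = set(";|&`$(){}<>\n")    # characters a shell would interpret


def backup_command_unsafe(path: str) -> str:
    """Vulnerable pattern: user input becomes part of a shell command line,
    so a path such as 'www; id' makes the shell run a second command."""
    return f"tar -czf {ARCHIVE} {path}"


def backup_command_safe(path: str) -> list:
    """Hardened pattern: reject shell metacharacters, confine the path to
    BACKUP_ROOT and return an argv list, so no shell ever parses the input."""
    if any(ch in SHELL_METACHARS for ch in path):
        raise ValueError("shell metacharacters in path")
    root = BACKUP_ROOT.resolve()
    target = (root / path).resolve()  # '..' and absolute paths are normalised here
    if target != root and root not in target.parents:
        raise ValueError("path escapes backup root")
    return ["tar", "-czf", str(ARCHIVE), str(target)]


def handle_backup_request(body: dict, dry_run: bool = True) -> dict:
    """Handle {"body": ..., "path": ...} the way the hardened endpoint should:
    validate first, log rejections, and only then run tar in argv form.
    dry_run=True skips the tar call so the example runs offline."""
    path = body.get("path")
    if not isinstance(path, str) or not path:
        return {"status": "rejected", "reason": "missing path"}
    try:
        argv = backup_command_safe(path)
    except ValueError as err:
        # A rejection here is the detection signal worth alerting on.
        print(f"ALERT backup request rejected: {err}: {path!r}")
        return {"status": "rejected", "reason": str(err)}
    if not dry_run:
        subprocess.run(argv, check=True)  # argv list: metacharacters are data, not syntax
    return {"status": "done", "argv": argv}
```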

Next, I try to get a reverse shell using a shell payload.

We got a reverse shell and access to the SVC account...

...and user flag

Privilege Escalation

In the app directory there are some files, the most interesting one being db.py, which contains the PostgreSQL DB URL.

To access the PostgreSQL DB I have to forward the port using chisel...

Now to access the DB...

I dumped the password hashes and was able to crack the one for svc.

Using the cracked password to SSH into the svc account to get a stable shell...

As svc I can't run any command with sudo... I decided to download linpeas.sh to the device to see what vulnerabilities it finds.

With linpeas.sh, I noticed the presence of a file called snmpd.conf...

As guessed, the file did contain a password.

I used the found password to log in as james... and checked what commands james can run as root. As seen below, james can run /bin/sh, which made us root instantly.