In this post, I would like to share a walkthrough of the Sink machine.

This machine is rated Insane difficulty.

Information Gathering on Sink Machine

Once the VPN connection is up, we can start gathering information on the machine by running the command nmap -sC -sV <IP Address>

The nmap result can be seen above, and two open ports caught my attention:

  • 3000 – Gitea
  • 5000 – Devops

The screenshot above shows the login page on port 5000.

The screenshot above shows the login page on port 3000.

On port 3000 we only get a login page; there is no way to register our own credentials there.

Gaining Access to Sink Machine

Looking back at the sink.htb:5000 web interface, I notice that we can register ourselves.

After doing some research on the internet, I found a website that can help with the exploit over here.

We need to swap the admin's cookie with our own cookie.

  • Reminder: Cwo= is a base64-encoded string; decode it with the Ctrl+Shift+B shortcut.

There are credentials saved under each ID:

Note1:
    Chef Login : http://chef.sink.htb
    Username : chefadm
    Password : /6'fEGC&zEx{4]zz
Note2:
    Dev Node URL : http://code.sink.htb
    Username : root
    Password : FaH@3L>Z3})zzfQ3
Note3:
    Nagios URL : https://nagios.sink.htb
    Username : nagios_adm
    Password : g8<H6GK\{*L.fB3C

One of the passwords above can be reused as login credentials for sink.htb:3000.

We managed to log in to the Gitea dashboard.

Having found that a user named root exists, let's look at root's repositories.

We have a bunch of files stored over here, and one of them can be useful to us. There are 9 commits on the repo, in which we found a file called "Adding EC2 Key Management Structure".

Maintaining Access

What a surprise! An SSH key has been saved within that file. Let's copy the entire key and paste it into a new id_rsa file on the attacker's machine.

Let's SSH into the machine as Marcus using that key.

In the /home/ directory, I notice three users.

To read the user flag, we go to the /home/Marcus directory and run the command "cat user.txt".

Escalate to Root Privileges Access on the Machine

Let's see which ports are in use on the machine itself. Looking at the result, I notice that 4566 is listening, and I'm curious about it.

Let's set up port forwarding as shown above.

We found some interesting files on Marcus' git profile.

Playing with AWS configuration on Sink Machine

We managed to get the access key and secret for the AWS configuration.

Investigating the secretsmanager configuration, we find an encoded string that we cannot read.

Let's get the password value by running the command below:

aws --endpoint-url="http://127.0.0.1:4566/" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-HRbzR"

We can switch user from Marcus to David.

Inside the /home/david/ directory, there's a folder Projects/Prod_Deployment that might store something useful.

There's a file named servers.enc; let's open it by running the command "cat servers.enc".

Oh no! It's hard to read because the file is encrypted.

Let's list the keys by running aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys, then use the key to decrypt the file, which comes back as a base64-encoded string.

We can decode it using CyberChef and get the username and password.

The credentials that we gained are shown below:

User: admin
Password: _uezduQ!EY5AHfe2
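To show what the two AWS CLI calls in this walkthrough (secretsmanager get-secret-value and kms decrypt) actually return and how the credential material is unpacked from their JSON, here is an added Python example that is not part of the original post. It parses constructed samples of both responses; the secret ARN is the one quoted above, while the KMS key id and all credential values are made up.

```python
import base64
import json

# Constructed sample of `aws secretsmanager get-secret-value` output. The ARN is
# the one from the walkthrough; the credential values are made up.
SAMPLE_SECRET_RESPONSE = json.dumps({
    "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-HRbzR",
    "Name": "Jira Support",
    "SecretString": json.dumps({"username": "example_user", "password": "example_pass"}),
    "VersionStages": ["AWSCURRENT"],
})

# Constructed sample of `aws kms decrypt` output. The CLI returns the decrypted
# bytes base64-encoded in the Plaintext field; the key id is a placeholder.
SAMPLE_KMS_RESPONSE = json.dumps({
    "KeyId": "arn:aws:kms:us-east-1:1234567890:key/PLACEHOLDER-KEY-ID",
    "Plaintext": base64.b64encode(b"User: admin\nPassword: example_pass\n").decode(),
    "EncryptionAlgorithm": "SYMMETRIC_DEFAULT",
})


def parse_secret_value(response_json: str) -> dict:
    """Return the secret's fields. SecretString is often a JSON object
    (username/password pairs) but may be plain text; SecretBinary is base64."""
    resp = json.loads(response_json)
    if "SecretString" in resp:
        raw = resp["SecretString"]
        try:
            parsed = json.loads(raw)
            if isinstance(parsed, dict):
                return parsed
        except json.JSONDecodeError:
            pass  # not JSON: treat the whole string as the secret value
        return {"value": raw}
    if "SecretBinary" in resp:
        return {"value": base64.b64decode(resp["SecretBinary"]).decode("utf-8", "replace")}
    raise ValueError("response has neither SecretString nor SecretBinary")


def parse_kms_plaintext(response_json: str) -> dict:
    """Base64-decode Plaintext from a kms decrypt response and pull out the
    `Key: value` lines, such as the User/Password pair in servers.enc."""
    plaintext = base64.b64decode(json.loads(response_json)["Plaintext"]).decode()
    fields = {}
    for line in plaintext.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields
```

In practice you would feed these functions the output of the aws commands shown in this post (for example via --output json) instead of the constructed samples.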

Let's switch to root with those credentials, and it works like a charm!

To read the root flag, we go to the /root/ directory, where the root flag is normally stored.

-THE END-

Happy Learning Guys!
