search

Skyfall

Link machine : https://app.hackthebox.com/machines/586

Pwned : https://www.hackthebox.com/achievement/machine/1410710/586arrow-up-right

My note about Skyfall machine.

Enumeration :

There is 1 subdomain from this subdomain, this subdomain can be obtained from the view source on port 80

Add skyfall.htb and demo.skyfall.htb to /etc/hosts and view the web page :

have a login page on the subdomain, log in with the credentials displayed on it ( guest/guest)

On this website there are some options like Fetch URL, Download,Upload file, I tried webshell upload and reverse shell on this one but it doesn't seem to work.

There is another notable function called Minio Metrics, but when I click on it to view it, I get error 403 Forbidden .

A bit of research tells me there is a security vulnerability in the minio service, which also contains several CVEs, and one of these I'm looking into is CVE-2023-28432 (CVSS 7.5).

WhiteHat also have a blog about this : https://whitehat.vn/threads/canh-bao-lo-hong-nghiem-trong-cao-trong-minio.17181/arrow-up-right

Okay, the problem is that the website when accessed returns a 403 forbidden error, so if we can ignore this then it will provide some useful information.

Continue researching 403 bypass on hacktricks book and there are more resources that can help.

Open Burpsuite first then tried to bypass :

\t ( decode to hex is 09 ) is the way to pass this error on this website.

View this and got the new subdomain :

Follow the CVE - POC had found , try exploit with that :

LogoGitHub - acheiii/CVE-2023-28432: CVE-2023-28432 POCGitHubchevron-right

Exploit successfully

Got MINIO_ROOT_PASSWORD and MINIO_ROOT_USER this is important credentials.

Now have this credentials we can gain access with MinIO client :

LogoMinIO AIStor DocumentationAIStor Object Store Documentationchevron-right

Enumerations :

Download all this file backup, got ssh key on v1 but can't connect, on v2/.bashrc get Vault TOKEN and Vault ADDRESS -> Gain User Access ( assky).

Install vault : https://developer.hashicorp.com/vault/install#Linuxarrow-up-right

Use vault to connect from all these credentials:

vault read sys/internal/ui/resultant-acl --format=json -> get ssh role

Password is the OTP generate -> this randomly each time connect

hashtag
Privilege escalation -> Gain Root Access

Run vault-unseal with -d option will give the the log and write that to debug.log , create a debug.log file can help we get the data from this :

Get Master Token -> Use this and follow the User Login Step done before which may help to login as root.

vault list ssh/roles -> list role to connect ssh -> use admin role to connect.

Pwned.

PreviousMonitoredNextWifineticTwo

Last updated