Introduction

I tried PwnBox from Hack The Box yesterday and it was awesome to have a working Parrot Linux environment in the browser window. With that being said, being unable to copy and paste to/from my primary OS and being unable to use hotkeys left me frustrated.

For these reasons this guide will not be as informative as my past guides. I will be returning to my VM tonight, while keeping some of the UI elements from PwnBox.

I began by running AutoRecon:


The scan came back with a ton of false positives and holes. I decided to use WFUZZ to get away from the noise.

WFUZZ grabbing .txt files after failing to find any PHP files; todo was the important find.

Todo showed me two important points: the user of the CMS, and the fact that a CMS was in play at all.

I reviewed my AutoRecon results and found Bludit running. Googling led me to the brute-force mitigation bypass exploit: https://rastating.github.io/bludit-brute-force-mitigation-bypass/

I don't have the original code (I closed PwnBox before saving), but it was relatively straightforward. For the wordlist I used CeWL, which I feel only works for CTF-style engagements.
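The bypass linked above works because Bludit's login throttle identified the client by the X-Forwarded-For header whenever one was present, so each attempt could present a fresh address and start a fresh counter. As an added illustration (not the post's code and not Bludit's own), the Python toy below shows a per-client attempt counter that trusts that header beside one keyed on the socket peer address; the addresses and limits are constructed.

```python
MAX_ATTEMPTS = 10     # block after this many failed logins (constructed value)
BLOCK_SECONDS = 300   # how long the block lasts (constructed value)


class LoginLimiter:
    """Counts failed logins per client key and blocks once the limit is hit."""

    def __init__(self, trust_forwarded_for: bool):
        self.trust_forwarded_for = trust_forwarded_for
        self.failures = {}  # key -> (failure count, time of first failure)

    def client_key(self, remote_addr, headers):
        # Weak variant: a client-supplied header overrides the socket peer
        # address, so every request can claim a new "IP" and a new counter.
        if self.trust_forwarded_for and "X-Forwarded-For" in headers:
            return headers["X-Forwarded-For"].split(",")[0].strip()
        # Hardened variant: key on the address the TCP connection came from.
        return remote_addr

    def is_blocked(self, remote_addr, headers, now):
        key = self.client_key(remote_addr, headers)
        count, first = self.failures.get(key, (0, now))
        if now - first > BLOCK_SECONDS:      # window expired, forget the key
            self.failures.pop(key, None)
            return False
        return count >= MAX_ATTEMPTS

    def record_failure(self, remote_addr, headers, now):
        key = self.client_key(remote_addr, headers)
        count, first = self.failures.get(key, (0, now))
        self.failures[key] = (count + 1, first)


def simulate(trust_forwarded_for, attempts=25):
    """Replay failed logins from one real address, each carrying a different
    (constructed) X-Forwarded-For value, and return how many were let through."""
    limiter = LoginLimiter(trust_forwarded_for)
    allowed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"10.0.{i // 256}.{i % 256}"}
        if not limiter.is_blocked("203.0.113.7", headers, now=float(i)):
            allowed += 1
            limiter.record_failure("203.0.113.7", headers, now=float(i))
    return allowed


if __name__ == "__main__":
    print("trusting header:", simulate(True))    # every attempt gets through
    print("peer address:   ", simulate(False))   # stops at MAX_ATTEMPTS
```

The weak limiter never blocks the replay, while the hardened one stops it after MAX_ATTEMPTS failures from the same peer address.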

Upon logging in, I checked for a way to upload a shell and came up dry. Looking around, I found Bludit has two methods of approach:

    1. Metasploit (the route I took because I was being lazy): https://www.rapid7.com/db/modules/exploit/linux/http/bludit_upload_images_exec
    2. The manual approach from Exploit-DB (which I would recommend): https://www.exploit-db.com/exploits/48701

I would recommend going the Exploit-DB route if you have time, as the OSCP only allows the use of Metasploit once. Upon getting a shell via Metasploit, I navigated to the bl-content (temp, I think) folder and uploaded a PHP reverse shell.

Next I checked the users on the machine.

I then navigated over to the WWW directory. When I see a CMS of any kind, I always check configs, databases, etc. for additional creds. I found Hugo's hashed creds and used md5Decrypt to recover his password.

After switching to Hugo I ran sudo -l. This seems to always work on HTB and never work in the OSCP training. Running this command showed me I could run bash as root (but why?).

I looked up the bash version and used https://www.exploit-db.com/exploits/47502 to escalate.

Capping the root flag.

Rooted

Published On: October 17th, 2020 / Categories: HTB, Technology