Hack the Box – Hard Boxes

It should be noted that no usernames, hashes or passwords will be included within this guide. As this box was an incident response type box, providing some of the steps would provide unattended access without the work. During these parts, I will highlight my faults and mindset and provide additional hints for those looking into the comments.

Introduction

Compromised from HTB is an incident response type box in which a Linux environment and eCommerce solution, LiteCart have been exploited. Utilizing some investigation, knowledge of code reading for both .PHP/.PY and a bit of luck I was able to root this box. I begin every scan using AutoRecon:

Copy
Website showing LiteCart is running.

Website showing LiteCart is running.

After finishing the scans I noticed Port 80 was open. Visiting the website I was able to see an eCommerce solution LiteCart running. Looking through AutoRecon results I was able to see a /backup/ folder existed. If you are not using AutoRecon I would always recommend running Dirbuster and Nikto in any web server situation:

Copy

The Backup Folder

The backup folder had a single file a.tar.gz inside. I downloaded the file and extracted it. Inside I found a full backup of the LiteCart website. The first thing I tend to check is the file modification date.

Copy

Looking through the files I notice that this website has been previously compromised and this is more of an incident style box. I first grab database credentials as the website states its using MySQL alongside PHP. Next, looking through the files I notice comments. What is weird though is you would expect these particular comments to be un-commented or removed? I also notice that on one of the comments when a username and password are submitted they are sent to a log file. Why would someone want that to happen?

After navigating to the log file I am able to get the credentials for the admin user. I log in to LiteCart via /admin/ and see that it is running LiteCart 2.1.2. I Google LiteCart 2.1.2 Exploit and find an exploit on Exploit DB.

Copy
HTB Forums Hints!

HTB Forums Hints!

Running the script and navigating to the directory comes up with a blank page. sparkla from HTB hint gave me my next foothold to keep going. I changed the exploit script to include phpinfo();.

Copy

This gave me an extremely ugly output in my console but navigating to the URL gave a clean output of the phpinfo(). Removing print r.content from the script will stop the output. Viewing the phpinfo() will show that a lot of functions have been disabled restricting a traditional shell.

disabled_functions within phpinfo()

disabled_functions within phpinfo()

The Restricted Shell

A bunch of options are available to bypass disable_functions restrictions within PHP. Due to this, I went over to an infamous repo, carlospolop in search of his phpwebshelllimited. For those who are unaware he is also the creator of PEASS, one of the best privilege escalation script suites available.

I saved the file as disabledfunctions.php and proceeded to alter 45267.py to import the file.

Copy

I also changed the request/print areas to make sure the response completed and OCD…

Copy

Navigating to the displayed URL you should be presented with a shell (a bad one but still a shell) to continue lateral movement.

The shell in all its glory.

The shell in all its glory.

MySQL

Running the command cat etc/passwd will show you that MySQL has a profile. We also already have (from good enumeration earlier) the MySQL password from the backup file. This next step took me a while but I recommend reading through this. Running below I could see that exec_cmd was running which would allow me to run commands as MySQL.

Copy
exec_cmd function available.

exec_cmd function available.

Next I created an SSH key on my parrot machine. I did this because of a comment in the HTB forums by Sys7em.

key” “gen“erally you say…

Using the hint alongside the article here I was able to create the key and deploy it to the box.

Copy
Logged into the box as mysql@compromised

Logged into the box as [email protected]

Escalation/Ghidra

Using the etc/passwd data from earlier as well as navigating to the how directory shows me I am looking for the sysadmin user next. I tried to download linPEAS to the machine before I realized I couldn’t form a connection. Next steps were manual search methods.

Copy
Why is that password so much stronger?

Why is that password so much stronger?

Immediately I noticed a password I had been using was changed on a line of data that came up. I tried the password and successfully logged into sysadmin. After logging into sysadmin I began searching for priv-esc. I was stumped for a while on this part and don’t want to give too much away. The one that I can say is as this is an ‘incident response‘ style box you should look for how the person before you has been doing .things. How have they .named files? How have they covered there tracks?

After finding the needed file I copied it to my local machine with scp.

Copy

This part took me an extremely long time as I have never done any type of file investigation before. People on the HTB forum pointed me to Ghidra. This will require JDK which you can get here. Once installed I copied the file from my Parrot OS over to my Windows machine. With the assistance of a friend and a PM on the HTB forum, I was able to find a backdoor function.

Backdoor function. I hated my life at this point.
Backdoor function. I hated my life at this point.

Backdoor function. I hated my life at this point.

If you trace this function and convert both backdoor strings you will have the password for root.

HTB Compromised rooted

HTB Compromised rooted

Rooted

Published On: January 23rd, 2021 / Categories: HTB, Technology / Tags: , , , , , , , /

Leave A Comment