Introduction

As with every box, I ran AutoRecon to do my introductory scans.

During the initial port scan I noticed port 80 was open. It led me to a website with some pictures listed (even though the picture makes you suspect otherwise).

Pretty sure Please Login is the biggest clue this box gave.

I clicked login. At the login page, you will need to bypass the login screen. You can use Burp, or be lazy and follow this Exploit DB paper. I added ' as I was unable to put spaces in the login prompt.

I uploaded a file imhere.png

I then checked my GoBuster log from AutoRecon, which showed /images/ as a directory. I tried /images/upload and then /images/uploads, with success. Next, after a lot of trial and error:

Exiftool and an article on Null Byte pointed me in the right direction. Copy the command above and make sure to change HTBIP to your IP. Next, set up a reverse shell listener on the port specified. Navigate to the URL and it will spawn the shell. In my case it was http://10.10.10.185/images/uploads/inception.php.png.

The following should be noted:

  • I had to upload the image again if I lost the session.
  • .PHP.PNG is required. I could not get the above (or any other one-liner) to work without .PHP in front of the .PNG.
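From the defender's side, the upload filter below is an added example (not code from this writeup or from the box) that rejects the two things this upload form let through: a double extension such as inception.php.png, and a PHP open tag hidden inside an otherwise valid PNG, as exiftool can write into a comment field. The check_upload function and the sample byte strings are constructed for this example; the filter also enforces an extension allowlist and a magic-byte check, which goes a little beyond the double-extension case above.

```python
import re
from pathlib import PurePosixPath

# Constructed policy: image uploads only, one extension, header must match.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Catches "<?php" and the short echo tag "<?=" anywhere in the body,
# including inside EXIF/PNG text chunks that exiftool writes.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename: str, data: bytes):
    """Return (accepted, reason) for a candidate upload."""
    suffixes = PurePosixPath(filename).suffixes
    if len(suffixes) != 1:
        # "inception.php.png" -> ['.php', '.png']: rejected outright.
        return False, "exactly one file extension is required"
    ext = suffixes[0].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext} is not an allowed image type"
    if not data.startswith(MAGIC[ext]):
        return False, "file header does not match the claimed extension"
    if PHP_TAG.search(data):
        return False, "PHP open tag found inside image data"
    return True, "ok"


# Constructed samples: a PNG signature plus filler, and the same signature
# followed by a comment-style chunk carrying a harmless PHP tag.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TAINTED_PNG = b"\x89PNG\r\n\x1a\n" + b"tEXtComment\x00<?php echo 'marker'; ?>"
FAKE_PNG = b"GIF89a" + b"\x00" * 16  # a GIF body uploaded under a .png name

if __name__ == "__main__":
    for name, body in [("imhere.png", CLEAN_PNG),
                       ("inception.php.png", CLEAN_PNG),
                       ("imhere.png", TAINTED_PNG),
                       ("imhere.png", FAKE_PNG)]:
        print(name, check_upload(name, body))
```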

After getting a low-priv shell I used the following command to get a more usable, interactive shell:

I then went looking for database/config files for the website to use for escalation:

Inside db.php5 I found the next piece of the puzzle.

With the database credentials found I dumped the database looking for a user or additional configuration information.

Found the creds for theseus in the mysqldump

I tried to switch to the admin user without success. Finally I found:

The next step was to get some persistence and do some escalation. I created an SSH key,

and used the echo command to copy the public key into theseus's profile,

followed by the permissions fix.

I then logged in as theseus.

I spun up an HTTP server (check my BUFF writeup if you don't know this part). I uploaded LinPEAS. I would also upload pspy64 here (spoilers).

LinPEAS showing me that sysinfo is definitely my target.

Running pspy64 followed by sysinfo to see the commands being run.

Privilege Escalation

Again this part took me a long time, but the best approach I can give is to create the file you're going to be escalating with (in my case lshw, as it was the first one called) locally, then use wget to pull it down to the box.

On Parrot: create a file called lshw with the contents below,

then create a listener using the port specified above (mine was 4444).

On the victim: pull the file down, fix its permissions, and so on.

Connection coming in after running sysinfo.

Rooted

Published On: August 17th, 2020 / Categories: HTB, Technology