🔎🦶Enumeration/Foothold
Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports found into NMAP.
I pulled the Python file directly to my machine and executed it, making sure to have a nc listener running on Port 9001.
Once on the box I grabbed LinPEAS and ran a full scan. The following information came back as interesting –
I used the SUID privesc to elevate my session to root (cause when in Rome and also not knowing it would be used for root)
Next I noticed the config PHP files from the LinPEAS scan so I navigated to /var/www/html/include (Cacti configuration) and verified this was what LinPEAS had pulled.
Confirming it was the configuration for Cacti’s database, I locally connected to the MySQL database. I pulled the user_auth table, which I remember from the last box as it contains the users for the Cacti application. More information regarding it can be found HERE. I grabbed both the hashes and put them into john using the rockyou password list built into seclists.
I got a hit on the Marcus hash which I then used on SSH –
Once on the box I enumerated around until I remembered notes from when I was doing HTB – Busqueda yesterday and found Exploit-Notes – Docker.
🔝Escalation to Root
Using the steps earlier I used chsh to elevate my session to root on the initial docker and then ran the following:
Next as the Marcus user I used findmnt to find all mountable file systems which includes docker containers:
I then searched the containers until I found the elevated /bin/bash which can be executed for root.
Rooted.
I’m a fan of TheCyberGeek’s approach to building boxes on the HTB platform and really enjoyed this box.
https://www.hackthebox.com/achievement/machine/245261/539