Hack the Box – Writer


🔎🦶Enumeration/Foothold

Writer is a Medium box from HTB created by TheCyberGeek. It features a website with a SQL login bypass and an img_url parameter that can be abused to execute code. Once on the box, a Postfix disclaimer script and an apt configuration we can write to take us the rest of the way to root.

Before I begin each machine I kick off a full-port nmap scan. This profile should normally not be run with -T5, since the aggressive timing can make you miss ports or get inaccurate results:


Reviewing the results I can see ports 22, 80 and 445 open. Starting with SMB, I use enum4linux to enumerate the host and then connect to the share directly. I have no rights to the folders, but I do find some accounts/users:


Next I navigate to the website on port 80. I've recently been trying to use ffuf more in my day-to-day work, but I've included the equivalent Feroxbuster command as well:

Story Bank website sitting on Port 80.



Running the directory scans shows an administrative directory. Navigating to it shows a login page. I enter admin/password in the fields and capture the request in Burp Suite, changing the parameter values to markers I can easily identify. I then copy the request into a file, req.txt, and use ffuf to fuzz the username/password fields with SQL injection and login bypass payloads.

I get a hit:

Story Bank Dashboard after the SQL Login Bypass.

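As an added illustration of why the username field was fuzzable (this is not code from the post or from the Story Bank site), here is a login query built by string formatting beside its parameterised fix, with a small bypass wordlist of the kind fed to ffuf's FUZZ keyword. The users table, its columns, the password hashing and the use of an in-memory SQLite database are assumptions made for the example.

```python
# Added illustration of the SQL login bypass, not the Story Bank application's
# code. The users table, column names and hashing scheme are assumptions;
# SQLite stands in for whatever database the real site used.
import hashlib
import sqlite3


def build_db():
    """Constructed sample data: an in-memory SQLite database with one admin user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct horse battery staple").hexdigest()),
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query by string formatting, so the username is injectable even
    though the password is hashed before it reaches the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = "SELECT username FROM users WHERE username = '%s' AND password = '%s'" % (username, pw_hash)
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        # A malformed payload raises here; the real app would turn this into an error page.
        return None
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterised query: the driver sends the values separately from the SQL text."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


# A small bypass wordlist of the kind supplied to ffuf for the username field.
BYPASS_PAYLOADS = [
    "admin' -- ",          # comments out the password check
    "admin' OR '1'='1",    # AND binds tighter than OR, so the admin row matches
    "' OR 1=1 -- ",        # no username at all; the first row comes back
    "admin'#",             # MySQL-style comment; a syntax error on SQLite
]


def fuzz_login(login, conn, payloads, password="wrong"):
    """Replay each payload in the username field and return the ones that log in."""
    return [p for p in payloads if login(conn, p, password) is not None]
```

The point worth keeping from this: hashing the password before it reaches the query does nothing for the username field, and a payload that works against one database (the MySQL `#` comment) may simply error on another, which is why a fuzz run needs a wordlist with several comment and tautology styles rather than one payload.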

After logging into the environment I am presented with a dashboard. I can see an area to edit stories. After some trial and error I realise that if I intercept the request in Burp Suite I can also use the image URL to execute the code added to the end of the image:

⚠ Attack Machine


I click Edit Story, then Browse, and upload the exploit.jpg created in the step above, browsing to HERE to verify it landed. Next I upload a second image, intercept the request in Burp Suite and change the img_url parameter to:

Using the Edit Story to upload a malicious jpg on HTB Writer.


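The post does not show the server-side code, so as an added example (not the Story Bank application's code) here is the bug class that turns an image-handling parameter into code execution: the name the server saved the upload under is interpolated into a shell command. The move-on-upload logic, the temporary directories and the marker file are assumptions constructed for the demonstration; the hardened version sits beside it.

```python
# Added illustration of the bug class behind "an image parameter lets you run
# commands": the saved filename reaching a shell. Not the Story Bank
# application's code; the move-on-upload logic and the paths are assumptions.
import os
import re
import shutil
import tempfile

# Only plain image names: no path separators, shell metacharacters or spaces.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(?:jpe?g|png)$")


def vulnerable_store(upload_dir, filename, dest_dir):
    """The user-supplied filename is interpolated into a shell command string.
    A name such as 'exploit.jpg;touch pwned' terminates the mv and runs touch."""
    return os.system("mv {} {}".format(os.path.join(upload_dir, filename), dest_dir))


def hardened_store(upload_dir, filename, dest_dir):
    """Allow-list the name, then move the file with shutil so no shell is involved."""
    if not SAFE_NAME.match(filename):
        raise ValueError("rejected filename: %r" % filename)
    return shutil.move(os.path.join(upload_dir, filename), os.path.join(dest_dir, filename))


def _workspace():
    """Constructed upload and static directories inside a fresh temp dir."""
    tmp = tempfile.mkdtemp()
    upload_dir = os.path.join(tmp, "upload")
    dest_dir = os.path.join(tmp, "static")
    os.makedirs(upload_dir)
    os.makedirs(dest_dir)
    return tmp, upload_dir, dest_dir


def injected_command_ran(store):
    """Upload a file whose name carries an injected command and report whether
    the command executed, i.e. whether the marker file 'pwned' appeared.
    A filename cannot contain '/', so the marker is created relative to the
    working directory, which is set to the temp dir for the duration."""
    tmp, upload_dir, dest_dir = _workspace()
    cwd = os.getcwd()
    os.chdir(tmp)
    try:
        payload = "exploit.jpg;touch pwned"
        with open(os.path.join(upload_dir, payload), "wb") as f:
            f.write(b"\xff\xd8\xff")        # constructed JPEG magic bytes
        try:
            store(upload_dir, payload, dest_dir)
        except ValueError:
            pass                             # the hardened version refused the name
        return os.path.exists(os.path.join(tmp, "pwned"))
    finally:
        os.chdir(cwd)
        shutil.rmtree(tmp)


def clean_upload_works(store):
    """A benign upload must still be moved into place by both versions."""
    tmp, upload_dir, dest_dir = _workspace()
    try:
        with open(os.path.join(upload_dir, "photo.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff")
        store(upload_dir, "photo.jpg", dest_dir)
        return os.path.isfile(os.path.join(dest_dir, "photo.jpg"))
    finally:
        shutil.rmtree(tmp)
```

The vulnerable version prints an `mv: missing destination` complaint to stderr and then runs the injected command anyway; that noise is exactly the kind of thing that shows up in a web server's error log when this class of bug is being exploited. The fix is two parts, and both matter: an allow-list on the name, and no shell between the application and the filesystem.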

A few seconds later the shell pops. I load LinPEAS onto the box and notice:


/etc/postfix/disclaimer running every 5 minutes. I've previously come across a similar privesc involving this disclaimer script. Reviewing it, I add a reverse shell:

⚠ Attack Machine


I then create a basic sendmail script based on HERE and transfer both files to the server:


I pull them both onto the server into a folder called crx. Once pulled, I copy the modified disclaimer into place and run the sendmail script, keeping in mind that the task above runs frequently:

🎯 Victim Machine


On my attack machine I start a listener for the reverse shell after transferring the files:

⚠ Attack Machine

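An added example of the kind of basic sendmail script the step above refers to; it is not the author's script. The sender and recipient addresses, the SMTP host and port, and the subject line are assumptions. Delivering a message through the local Postfix is what makes it run the disclaimer script on that message.

```python
# Added example of a minimal sendmail script, not the author's. The addresses,
# host/port and subject are assumptions; the recipient is the local user the
# disclaimer step lands as.
import smtplib
from email.message import EmailMessage


def build_message(sender, recipient, subject="test", body="trigger disclaimer"):
    """Build a minimal RFC 5322 message addressed to a local user."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_message(msg, host="127.0.0.1", port=25, timeout=10):
    """Hand the message to the local MTA. Returns the dict of refused
    recipients that smtplib reports; an empty dict means Postfix accepted it."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Assumed local addresses for the demonstration.
    refused = send_message(build_message("test@localhost", "john@localhost"))
    print("refused recipients:", refused)
```

The return value is worth checking: an empty dict means the MTA queued the message, so if no shell arrives the problem is in the disclaimer script or the listener rather than in delivery. The timeout keeps the script from hanging if nothing is listening on port 25.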

Once I have the shell, I grab John's SSH key and log back into the box over SSH:

🎯 Victim Machine


🔝Escalation to Root

⚠ Attack Machine


I run LinPEAS again and notice apt running as root. I can also see that I can write to the file:

GTFOBins confirms my hunch. I echo a one-liner bash reverse shell into the file and wait for the shell.

🎯 Victim Machine


⚠ Attack Machine


Rooted

Published On: August 13th, 2021 / Categories: HTB, Technology
