Hack The Box

From Luniwiki

Walkthroughs of retired challenges on HTB

Hack The Box is an online platform allowing you to test and advance your skills in cyber security. Use it responsibly and don't hack your fellow members...


  • Haystack (Fri Nov 1 05:14:35 EDT 2019)
    • Image Hidden text
    • ELK queries (Elastic search)
    • Kibana LFI
    • Logstash command execution (ELK)

  • Lame (Tue Nov 5 21:28:26 EST 2019)
    • Samba exploit

  • Legacy (Wed Nov 6 02:31:31 EST 2019)
    • Exploit MS08-067 (remote code execution) Windows XP
    • Exploit MS17-010 (Eternal romance) User escalation Windows XP

  • Devel (Fri Nov 8 04:18:51 EST 2019)
    • Open IIS FTP push cmd.aspx
    • Reverse shell from IIS Web
    • Exploit MS11-046 privilege escalation

  • Beep (Fri Nov 15 09:13:04 EST 2019)
    • Elastix LFI vulnerability
    • Elastix remote code execution
    • Sudo nmap

  • Optimum (Fri Nov 15 14:50:50 EST 2019)
    • Rejetto HTTP File Server vulnerability
    • MS16-098 Privilege escalation

  • Arctic (Fri Nov 15 22:55:59 EST 2019)
    • Adobe Coldfusion LFI
    • Adobe Coldfusion scheduled task
    • MS10-059 Privilege escalation

  • Grandpa (Sat Nov 16 23:19:37 EST 2019)
    • CVE-2017-7269 (Metasploit)
    • MS14-058 privilege escalation

  • Granny (Sun Nov 17 23:22:59 EST 2019)
    • CVE-2017-7269 (Metasploit)
    • MS14-058 privilege escalation

  • Bank (Sun Nov 17 23:52:44 EST 2019)
    • Web enumeration
    • Injection of php file
    • /etc/passwd writable add new user with password
    • SUID executable that provides shell

  • Blocky (Mon Nov 18 14:22:07 EST 2019)
    • Wordpress enumeration for username
    • Web enumeration
    • Decompilation of java files -> password
    • Reuse of user and password in ssh
    • sudo access

  • Blue (Tue Nov 19 08:57:27 EST 2019)
    • nmap discover vulnerability to MS17-010 (Eternal blue)
    • Metasploit direct access as NT authority

  • Mirai (Tue Nov 19 14:03:50 EST 2019)
    • Web enumeration
    • Default raspberry password by ssh
    • sudo full access
    • Root flag hidden in deleted partition

  • Shocker (Wed Nov 20 08:51:23 EST 2019)
    • Web enumeration -> CGI script
    • Shellshock vulnerable machine
    • sudo on perl -> reverse shell

  • Sense (Wed Nov 20 10:20:52 EST 2019)
    • Web enumeration -> user name & password for pfsense application
    • Pfsense authenticated vulnerability -> reverse shell as root

  • Bashed (Mon Nov 25 13:14:47 EST 2019)
    • Web enumeration -> php shell
    • sudo to user scriptmanager (Lateral movement)
    • root crontab run python scripts -> root reverse shell

  • Nibbles (Mon Nov 25 23:11:36 EST 2019)
    • Web enumeration -> user
    • Password guess
    • Nibbleblog vulnerability allows upload of php files
    • root sudo to script file -> reverse shell
    • Linux Kernel vulnerability (RationalLove)

  • Valentine (Wed Nov 27 14:00:41 EST 2019)
    • nmap detect vulnerable to heartbleed
    • web enumeration discloses ssh key
    • Heartbleed discloses passphrase of ssh key
    • tmux session opened -> privileges escalation
    • Dirtycow 2 Linux kernel vulnerability (allow to write files with root privilege)

  • Sunday (Wed Nov 27 20:48:39 EST 2019)
    • Finger enumeration
    • Brute force against ssh (or guess)
    • root sudo on script
    • hashcat on shadow file backup
    • root sudo with wget
    • Overwrite of script with wget and gain access
    • Alternative overwrite sudoers file

  • Bounty (Sat Nov 30 09:48:54 EST 2019)
    • Custom aspx page allows upload config files
    • Remote command execution with config files in IIS
    • Reverse shell by powershell Downloadstring
    • Metasploit local privilege escalation suggester in multiple ways (machine not patched)

  • Jerry (Tue Dec 3 18:00:47 EST 2019)
    • Tomcat manager accessible with default password
    • Deploy malicious war to gain reverse shell -> NT authority

  • Active (Tue Dec 3 18:45:38 EST 2019)
    • Active directory enumeration
    • Group policy service password disclosure
    • Kerberoasting to gain Administrator password
    • psexec shell from impacket

  • Access (Tue Jan 21 17:08:17 EST 2020)
    • FTP enumeration
    • Access file with credentials
    • Password for encrypted pst file -> password for local user
    • runas with saved credentials
    • Crack of saved credentials with mimikatz

  • Frolic (Sat Jan 25 21:27:10 EST 2020)
    • Web Enumeration
    • PHP application vulnerability (PlaySMS)
    • Linux Kernel vulnerability
    • Local Buffer Overflow

  • Curling (Tue Jan 27 19:21:03 EST 2020)
    • Web Enumeration
    • Joomla! reverse shell
    • Curl on crontab abuse

  • Irked (Tue Jan 28 14:56:06 EST 2020)
    • IRC Unreal backdoor
    • Steganography
    • SUID custom file abuse

  • Teacher (Tue Jan 28 20:31:31 EST 2020)
    • Password clue
    • Brute force web password with burp
    • Moodle vulnerability (Evil teacher)
    • Mysql access with user root, find md5 password
    • Crack of md5 password with hashcat
    • Cron job abuse to modify /etc/passwd

  • Help (Wed Jan 29 19:34:01 EST 2020)
    • PHP application vulnerability (Helpdeskz)
    • Linux Kernel vulnerability

  • FriendZone (Thu Jan 30 19:25:10 EST 2020)
    • DNS Enumeration
    • Multiple web enumeration
    • Samba enumeration
    • PHP LFI
    • Abuse of writable python library and cron job run as root

  • Netmon (Sat Feb 1 10:35:23 EST 2020)
    • Anonymous ftp access
    • PRTG vulnerability allows to create admin user
    • Access with psexec from impacket

  • LaCasaDePapel (Sat Feb 1 12:00:18 EST 2020)
    • vsftp backdoor -> psysh shell
    • CA key -> Create http client certificate
    • Web application abuse -> ssh key file
    • Cronjob restart node.js application, abuse of ini file owner root but on user folder -> Gain privilege reverse shell

  • Bastion (Sat Feb 1 18:00:47 EST 2020)
    • Guest network share with workstation Windows backup
    • Mount vhd file -> dump SAM computer
    • Crack SAM -> user domain credentials
    • ssh over windows activated
    • Administrative domain credentials stored in mRemoteNG config file

  • SwagShop (Sat Feb 1 20:48:41 EST 2020)
    • Magento vulnerability to create magento admin user
    • Magento vulnerability allows remote execution
    • Abuse of sudo vi to gain a root shell

  • Writeup (Sun Feb 2 00:24:44 EST 2020)
    • CMS Made Simple SQL injection vulnerability -> User and password --> ssh session
    • Path abuse to rewrite command uname to gain root reverse shell when normal user log into the system

  • Safe (Sat Nov 2 21:42:40 EDT 2019)
    • app in port 1337 -> buffer overflow
    • ROP bof abuse -> gain user shell
    • crack of keepass file -> root

  • Heist (Thu Feb 27 08:44:06 EST 2020)
    • Crack Cisco-IOS encrypted passwords 5 and 7
    • crackmapexec to find valid AD credentials (hazard)
    • RID cycling to find additional users
    • crackmapexec to find valid AD credentials (Chase)
    • Evil-WinRM access with user in group BUILTIN\Remote Management Users (Chase)
    • Procdump of firefox process -> find Administrator credentials
    • Administrator Shell access with psexec or Evil-WinRM

  • Networked (Sat Mar 7 17:46:14 EST 2020)
    • PHP source code found in folder backup
    • Apache misconfiguration allows to interpret PHP in any file with .php in the name. -> Upload of an Image with reverse shell concatenated.
    • Abuse non sanitized file name in PHP script on a crontab to gain user shell
    • Sudo access to a script to modify CentOS network scripts
    • Abuse of network scripting shell to gain root

  • Popcorn (Sun Mar 8 22:43:00 EDT 2020)
    • Register Torrent application
    • Upload php file abusing file type detection tampering HTTP request -> Reverse shell
    • Old Ubuntu version and old kernel -> At least 4 ways to pwn the machine.
      • CVE-2010-0832 pam_motd module vulnerability
      • Full Nelson CVE-2010-4258 CVE-2010-3850 CVE-2010-3849
      • RDS Protocol CVE-2010-3904
      • Dirty Cow CVE-2016-5195

  • Bastard (Tue Mar 10 10:02:46 EDT 2020)
    • Drupal Service module vulnerability allows to upload php file
    • Upload of php script to upload files and execute commands
    • Upload nc.exe -> reverse shell
    • Upload MS10-059 exploit -> Gain NT authority

  • Tenten (Tue Mar 10 16:12:14 EDT 2020)
    • WPScan -> provide user and vulnerabilities
    • Job Manager filename disclosure
    • Image with private key hidden by steganography
    • Crack passphrase private key with John
    • Abuse sudo allowed command without password to gain root shell

  • Postman (Sat Nov 2 14:19:03 EDT 2019)
    • Write authorized_keys files with redis abuse
    • Crack passphrase from ssh private key
    • Reuse of user password obtain user flag
    • Reuse of credential for access to Webmin
    • Remote execution Webmin update vulnerability obtain root reverse shell

  • Cronos (Wed Mar 18 20:56:29 EDT 2020)
    • DNS enumeration -> hosts names
    • Bypass the authentication by SQL injection
    • Alternative: bypass the authentication by tampering with the server response
    • Form with command execution abused to execute reverse shell
    • Cronjob execute php file
    • update of file -> root reverse shell

  • October (Wed Mar 18 15:13:33 EDT 2020)
    • October CMS guess admin password
    • October CMS allows upload of php5 files -> reverse shell and User flag
    • SUID program ovrflw
    • Exploit of buffer overflow by brute forcing the ASLR

  • Forest (Fri Apr 3 23:14:53 EDT 2020)
    • AD User enumeration
    • User svc-alfresco has "Do not require Kerberos preauthentication" -> ASREPRoast -> crack password
    • Bloodhound graph -> Path to Domain Admins
    • svc-alfresco in group Account operator -> Create user into group Exchange Windows Permissions
    • Provide user WriteDacl DCSync privilege
    • Dump NTLM hashes -> psexec with administrator hash

  • Lazy (Mon Apr 27 06:40:44 EDT 2020)
    • Registered user on web
    • Tamper auth cookie raises -> Invalid Padding error
    • padbuster to find cookie structure
    • padbuster to encrypt admin auth cookie
    • Download of ssh key
    • Path abuse on setuid program to gain shell

  • Traverxec (Thu Apr 30 10:45:08 EDT 2020)
    • Nostromo web server remote code execution -> Reverse shell
    • Crack htpasswd file
    • Public_www user folder accessible -> backup file with ssh key
    • Crack ssh key
    • A script calls sudo journalctl without password
    • spawn a root shell from the less invoked by journalctl

  • Sneaky (Fri May 1 06:37:00 EDT 2020)
    • Login page vulnerable to SQL injection -> Ssh key and user
    • Snmp enumeration -> IPv6 address
    • SSH via IPv6 address
    • Found Setuid program vulnerable to buffer overflow attack
    • Buffer overflow by calling system function
    • Alternative buffer overflow by injecting system shell code in stack
    • Alternative buffer overflow by injecting an /etc/passwd line in stack

  • Openadmin (Mon May 4 15:38:55 EDT 2020)
    • Opennetadmin running on server
    • Opennetadmin RCE -> shell with www-data user
    • Database config file disclose Jimmy password
    • Internal server runs as user Joanna, and Jimmy can modify source code.
    • Add php file to open reverse shell as Joanna -> User flag
    • Abuse of sudo command of nano from user Joanna -> Root Flag

  • Haircut (Mon May 4 21:40:03 EDT 2020)
    • PHP page download web page with curl -> curl abuse to write our PHP reverse shell on server
    • Call reverse shell -> User flag
    • screen 4.5.0 is setuid and allows to change owner of file to root
    • Compilation of rootshell and shared library
    • Call of shared library creating file /etc/ld.so.preload as root with screen
    • Call screen to load the shared library as root (screen is setuid) and change rights on our rootshell
    • Call rootshell

  • Europa (Thu May 7 14:35:33 EDT 2020)
    • Admin portal with php login page
    • SQL injection allows access application
    • Tools page with PHP perl compatible regular expression allows remote code execution adding modifier e -> Open reverse shell
    • Cronjob execute script writable by www-data -> root reverse shell

  • Nineveh (Thu May 7 21:04:29 EDT 2020)
    • Dictionary brute force on custom php page
    • Find ssh key appended to image file
    • Dictionary brute force on phpliteadmin
    • Upload of embedded php script in SQLite database with phpliteadmin
    • LFI abuse in custom php application -> execution of php script embedded in SQLite database -> reverse shell
    • Port knocking daemon -> knock with port sequence to unlock ssh port
    • periodic execution of chkrootkit detected
    • Creation of file /tmp/update executed by chkrootkit as root -> root reverse shell

  • Apocalyst (Tue May 12 07:04:52 EDT 2020)
    • Wpscan enumerate wordpress user
    • tool cewl used to generate a word list with the web content
    • Web enumeration with generated word list -> find image with steganography -> extract list.txt
    • Brute force wordpress with hydra the user name and the word list
    • Add php reverse shell to index.php template -> reverse shell as www-data -> User flag
    • Find password of user falaraki in hidden file.
    • /etc/passwd writable -> change uid of user falaraki to 0 -> root access
    • Alternative /etc/passwd writable -> Add new line for a root user -> root access
    • Alternative user falaraki in lxd group -> create container with root disk mapped -> access to host file as root

  • Solidstate (Wed May 13 20:07:47 EDT 2020)
    • James remote administration tool default password -> Change users passwords
    • With user password -> Read mails -> User and password -> access to restricted shell
    • Bypass restricted shell
      • Changing pseudo terminal to bash
      • James Remote command execution (alternative)
    • Writable python file owned by root executed by crontab each 3 minutes
      • Privileges escalation python file by writing a new line in /etc/passwd -> Access by new user
      • Privileges escalation python file by launching a root reverse shell
      • Privileges escalation python file by changing rights and setuid to /bin/dash or /bin/bash -> Effective user is root

  • Node (Fri May 15 18:09:22 EDT 2020)
    • Node js application on port 3000
    • Hydra over login page find 2 passwords for normal users.
    • API users shows 1 admin user and password hashes
    • Hashcat brute force the admin user password.
    • Admin portal download a backup file encoded in base 64 -> encrypted zip file
    • Brute force zip file with john -> zip file password
    • Zip file contains the source code -> Database credentials to the database for user mark
    • Reuse of credentials with ssh
    • Background node js task run with user tom
    • Insert into MongoDB database a document to be executed by background task -> reverse shell as tom -> User flag
    • Tom is in group admin and gid (1002) is unusually high for an admin group -> handmade admin group
    • Found setuid program backup as root and group admin
    • decompilation and analysis of backup program -> program does folder backup passed as argument but discards some bad characters -> possible buffer overflow in a display function
    • Buffer overflow allows external program execution -> root access
    • Alternatively, \n character is not controlled, we can abuse the program to execute new lines of command passed on the third argument -> execute /bin/bash -> root access.

  • Enterprise (Thu May 21 17:03:27 EDT 2020)
    • Port scan discover 3 web servers 80 443 and 8080 and a custom application on port 32812
    • dirsearch port 443 found zip file -> wordpress plugin vulnerable to sql injection
    • Sqlmap -> find wordpress users and hash, joomla users and hash and list of passwords
    • hashcat wp user -> access console -> reverse shell with template -> but reverse shell inside docker instance
    • hashcat joomla user -> access console -> reverse shell with template -> but reverse shell inside docker instance
      • folder shared with host and host web server (port 443) /files -> create php reverse shell
    • Call reverse shell -> host access
    • find program running on port 32812 with user root
    • ASLR is disabled locally and prg vulnerable to buffer overflow -> remote exploit to run a root shell

  • Jeeves (Tue May 26 15:07:14 EDT 2020)
    • Dirsearch find jenkins on port 50000
    • Jenkins executes reverse shell Groovy script.
    • Keepass file in Document folder
    • Setup samba to transfer keepass file
    • John crack keepass file -> NTLM hash
    • Impacket psexec with NTLM hash access as administrator
    • root flag hidden in alternate data stream (ADS)

  • Inception (Wed May 27 14:28:07 EDT 2020)
    • dompdf 0.6 running on web server -> Vulnerability allows read files from target
    • Apache config contains WebDAV config -> upload files to web server
    • Upload reverse shell doesn't work, but webshell works
    • Recon -> IP address doesn't correspond with target -> possibly a container
    • WordPress config file shows a database password
    • SSH through proxy (direct or with proxychains) -> use find password -> ssh access to container -> user flag
    • Port scan of host from container discovers ssh, ftp and tftp
    • Ftp as anonymous helps to recon host
    • SSH doesn't allow root access by password
    • Crontab runs apt update every 5 minutes
    • Add APT Update Pre-Invoke command in /etc/apt/apt.conf.d folder allows to insert new line in /etc/passwd with new user in group sudo
    • After crontab ran access by ssh with our new user -> sudo -i access as root

  • Nest (Tue Dec 22 16:22:23 EDT 2020)
    • Windows shares enumeration as anonymous -> file with TempUser credentials
    • Windows shares enumeration as TempUser
      • find hidden share folder with encrypted user credentials
      • VB source code with encryption/decryption
    • Write VB function to decrypt user credentials with dotnet -> User flag
    • find .Net executable
    • Debug password in alternate data stream
      • Use custom service with debug password via telnet to find administrator encrypted password
    • Disassemble .Net executable -> find encryption parameters
    • VB function to decrypt administrator password
    • psexec to pwn the machine -> root flag

  • Sauna (Mon Dec 28 09:06:09 EST 2020)
    • Web enumeration hint Kerberos roasting and possible user names
    • Get kerberos token from user fsmith with Don't require pre authentication set -> Crack to obtain password
      • crackmapexec rid-brute provides list of AD users
      • Shell access via evil-winrm and user fsmith -> User flag
    • WinPEAS collects Autologon credentials for user svc_loanmgr
    • Bloodhound graph detects that user svc_loanmgr has DC sync privilege
    • Dump of secrets with impacket tool secretsdump.py
    • Access with psexec.py from impacket passing administrator's hash -> root flag

  • Traceback (Tue Dec 29 16:13:54 EST 2020)
    • Web message backdoor was left -> enumeration for webshell php -> found a webshell
    • Web shell access with default credentials (admin/admin)
    • upload reverse shell -> access webadmin -> upload keys to access by ssh
    • sudo without password as sysadmin from webadmin for LUA tool -> pivot to sysadmin access -> upload ssh keys -> user flag
    • pspy finds a cron job that overwrites /etc/update-motd.d/ files
    • /etc/update-motd.d/ writable by sysadmin -> add script to add keys to root user
    • Log as sysadmin to apply script after log as root with keys -> root flag

  • Remote (Wed Dec 30 16:47:35 EST 2020)
    • Web Enum -> find CMS umbraco
    • NFS enum -> find database backup of Umbraco
    • Umbraco database -> admin user with hash in SHA1
    • Hashcat cracks the admin password
    • Umbraco version 7.12.4 -> exploit by RCE
    • RCE provides reverse powershell -> User flag
    • winPEAS enumeration -> Service Teamviewer 7 is running
    • Teamviewer stores system password in registry with Teamviewer keys -> decipher password -> administrator password
    • evil-winrm or psexec to login in the box -> root flag

  • ServMon (Sat Jan 2 09:10:27 EST 2021)
    • FTP enum -> users Nadine and Nathan enumerated, passwords file in Nathan Desktop
    • Web enumeration -> Software NVMS 1000 -> LFI vulnerability -> Get password file from Nathan desktop
    • Try users and password -> Nadine's smb credentials found.
    • ssh with Nadine credentials -> user flag
    • Tunnel to forward access to NSClient++ from localhost
    • Password in clear in config file -> access web console
    • Send script and nc.exe to the target by ssh, and raise listener
    • Create new external command that calls our script, save config, reload daemon -> Gain reverse shell as NT Authority
    • Change administrator's password, ssh as administrator, allow RDP access, allow firewall for Remote desktop
    • Remote desktop on the server -> root flag

  • Admirer (Sun Jan 3 09:00:48 EST 2021)
    • Web enumeration in folder mentioned in robots.txt -> credentials.txt file
    • ftp login with found credentials -> get Web source code and database dump.
    • In source code, found script folder, db_admin.php script not found in production.
    • Web enumeration of script folder -> find adminer.php script.
    • Vulnerability of adminer.php <4.6.3 reads local file if connected to external DB.
    • Create local DB and table -> connect adminer.php to our database -> exfiltration of file /var/www/html/index.php -> find DB credentials of user waldo
    • Reuse of DB credentials for ssh by user waldo -> User flag
    • Waldo user has sudo rights over admin_task.sh script
    • On backup database option of script admin_task.py call python script
    • Create copy of module shutil.py and change make_archive function to add ssh key to root user.
    • Abuse of variable PYTHONPATH to execute our version of make_archive during call of admin_task option 6
    • ssh as root -> Root flag

  • Blunder (Mon Jan 4 14:27:46 EST 2021)
    • Web enumeration provides username in todo.txt file
    • Web enumeration finds CMS Bludit admin page
    • Brute force authentication with words from web page -> fergus admin credentials of CMS bludit
    • With upload file vulnerability upload php reverse shell as image and .htaccess file to interpret image as php -> reverse shell
    • Found SHA1 hash of user hugo in bludit config file -> Crack password -> su as hugo -> user flag
    • Sudo with bypass user control vulnerability installed -> run bash as root -> root flag

  • Tabby (Thu Jan 7 18:22:46 EST 2021)
    • Web enumeration finds news.php with LFI
    • Exfiltration of tomcat-user.xml -> Access management tomcat with manager-scripts role
    • Deploy reverse shell war on tomcat -> shell access to server
    • Find encrypted backup in web server -> Download file
    • Crack zip password -> Reuse credentials to pivot as ash user
    • ssh as ash user -> ash user is member of lxd group
    • Create escalation privilege image container
    • Run privileged container with host file system mounted -> Access as root -> add ssh public key to root user in the host
    • ssh as root -> root flag

  • Buff (Fri Jan 8 14:18:58 EST 2021)
    • Web enumeration, contact page discloses software name: Gym Management Software 1.0
    • Gym management has a Unauthenticated remote code execution vulnerability -> Gain reverse shell -> User flag
    • Download netcat on the target
    • Found CloudMe 1.11.2 executable in Download folder
    • CloudMe service is running and has buffer overflow vulnerability
    • Create a batch to call nc toward attacker machine
    • Create payload with msfvenom to generate the payload
    • Redirection of attacker local port 8888 toward localport 8888 of target machine
    • Run exploit -> reverse shell opened as administrator -> root flag

  • Omni (Tue Jan 12 07:53:44 EST 2021)
    • Port 29820 corresponds to Windows IoT Sirep protocol -> Accessible by SirepRAT tool -> upload file nc.exe
    • With SirepRAT launch command nc to gain reverse shell
    • User and root flags are powershell encrypted.
    • System user can dump SAM database
    • Create network share to copy SAM database files
    • Dump hashes from SAM database -> hashcat finds app user password
    • From web console logged as app user launch nc.exe to obtain reverse shell as user app
    • Decrypt flag with user app
    • Decrypt administrator credentials saved with user app encryption
    • From web console logged as administrator launch nc.exe to obtain reverse shell as administrator
    • Decrypt flag with user administrator

  • FluxCapacitor (Wed Jan 13 10:16:45 EST 2021)
    • Dirsearch finds sync page
    • sync page responds 403 from browser, 200 from curl -> user agent filtering
    • wfuzz to find parameter name -> opt provides 403 when value is filtered by WAF (bash)
    • wfuzz to find allowed characters -> @' allows code execution
    • Upload python reverse shell script evading the WAF -> obtain reverse shell with user nobody -> user flag
    • sudo right from user nobody without password for a script -> call bash as base64 parameter -> root shell -> root flag

  • Chatterbox (Thu Jan 14 12:00:36 EST 2021)
    • Port scan identifies Achat chat application
    • Achat V0.150 has a buffer overflow that allows Remote code execution
    • Test locally first -> exploit the buffer overflow to gain reverse shell -> User flag
    • winPEAS enumeration -> find user credentials (alfred)
    • Chisel to access local firewall port 445 -> crackmapexec -> test user credentials and administrator -> found administrator credentials
    • From user alfred invoke reverse powershell shell with administrator credential -> root flag
    • Alternative user alfred owns file root.txt, alfred can modify rights with icacls and obtain root.txt flag, but with this way the box is not really owned

  • Aragog (Sun Jan 17 10:03:21 EST 2021)
    • FTP access anonymous download test.txt file that contain an xml with a subnet.
    • Web enum discovers hosts.php file
    • Try to wfuzz the page with parameters -> no success
    • Post test.txt file to hosts.php and response is changed.
    • hosts.php parses XML -> XML external entity injection allows local files disclosure
    • XXE discloses florian ssh key -> ssh access -> User flag
    • Local enumeration discloses WordPress and Mysql database
    • wp-config-php provides database access -> administrator hash -> hashcat doesn't find password in rockyou.txt
    • Add REQUEST dump to file in wp-login.php
    • Script wp-login.py simulates login access to WP -> Intercept Administrator password -> reuse password for root user -> root flag

  • Bart (Tue Jan 19 09:02:41 EST 2021)
    • Web site forum.bart.htb provides staff names.
    • bart.htm returns an image instead 404 -> enumeration with wfuzz instead of dirsearch -> find monitor.bart.htb site
    • monitor.bart.htb
      • Forgot button allows to determine system users (daniel and harvey)
      • Custom Script to brute force password to take under consideration csrf token
      • Enumeration of application finds other site internal01.bart.htb
    • internal-01.bart.htb -> simple_chat web application
      • Register form not available but register.php file available -> Post new user registration
      • Custom Log button writes user, user agent and timestamp to a file -> tampering with parameters allows writing a php file with code execution
      • From php file with code execution -> upload netcat executable and call reverse shell
    • winPEAS enumeration finds administrator autologin password
    • chisel to port forward and avoid firewall -> administrator shell with evil-winrm -> access flags
    • Alternative call nishang powershell reverse shell with administrator credential -> access flags

  • Stratosphere (Thu Jan 21 04:32:58 EST 2021)
    • Web enumeration -> Application tomcat with struts framework.
    • Vulnerability CVE-2017-5683 -> remote code execution vulnerability
    • Firewall avoids open a remote shell
    • Tomcat manager seems installed but doesn't provide gui access to the tomcat console
    • Database credentials found and port 3306 listening -> query database -> found user richard credentials
    • Reuse of credentials in system -> access by ssh as richard -> user flag
    • User richard has sudo rights (ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py
    • script test.py seems an hashcrack challenge but after resolution of challenge script /root/success.py not found
    • In python2.7 the basic function input can be abused to execute code
    • Execution of __import__('os').system('/bin/bash') in input prompt -> shell as root -> root flag

  • Celestial (Sat Jan 23 04:40:05 EST 2021)
    • Root page of web server on port 3000 responds with the text 404 and Hey Dummy 2 + 2 is 22, when reloaded and the server cookie is transmitted.
    • Cookie is encoded in base64 and has Json values.
    • Playing with encoded cookie content changes results in web page and when the type is incorrect crashes the page with eval error -> the cookie content is evaluated.
    • The exploit CVE-2017-5941 explains how the unserialize function can be abused for execution with untrusted values.
    • To test, we first try to launch a ping from the target -> the ping is received, we have remote code execution
    • Try to encode in base64 commands to gain reverse shell (to avoid problems with characters during serialization), but base64 commands cannot be piped.
    • Remote execution of curl to download script file piped to bash -> reverse shell -> user flag
    • output.txt file with root rights is updated each 5 minutes
    • source file script found aside of user flag and writable by user sun
    • Change content on script to open reverse shell -> reverse shell as root -> root flag

  • Silo (Sun Jan 24 10:46:07 EST 2021)
    • Default IIS web page
    • Oracle enumeration with odat -> Default sid XE and default credentials (scott/tiger) found -> Access database via sqlplus
    • Upload file with PL/SQL to IIS webroot folder -> Upload aspx web shell to IIS
    • Upload nc.exe via web shell -> Launch reverse shell via web shell -> user flag
    • Find text file with drop box URL and associated password, but encoding doesn't allow to read text file correctly
    • Transfer file locally with smb server -> transcode ISO-8859 to UTF-8 -> dropbox password readable.
    • Zip file from dropbox is a Microsoft crash dump file
    • Forensic tool volatility find SAM hashes -> evil-winrm with pass the administrator hash -> root flag
    • Alternative -> volatility dumps LSA (Local service authority) password -> Password corresponds to administrator -> evil-winrm as administrator -> root flag

  • Poison (Thu Jan 28 16:06:27 EST 2021)
    • Index page shows php form with parameter file to page browse.php
    • browse.php reads files passed as parameter file
    • execution of listfiles.php discloses file pwdbackup.txt
    • Pwdbackup.txt has a password encoded recursively in base 64
    • Intended way to access password file
      • Search for apache logs location
      • Log file readable with browse.php
      • Log file access with browse.php but poisoning the user agent with php code with a call to system
      • Read log file with browse.php and custom parameter cmd to execute commands
      • Raise listener and execute call back command with nc using browse.php and nc command as parameters -> reverse shell as user www -> found pwdbackup.txt
    • browse.php reads /etc/passwd -> username found
    • ssh with user and password -> user flag
    • In user folder zip file encrypted with user password, provides file named secret with binary information
    • VNC server listening in local port 5901
    • ssh with port forwarding to access local port 5901
    • vncviewer with secret file allows access with xterm as root -> root flag