Dog (Easy)

Description

  • Difficulty -> Easy

  • OS -> Linux

  • State -> Retired

  • Tags -> Pending

Write-up

  • I started doing an initial port scan using Nmap

nmap -p- -Pn --min-rate 2500 -oN scan.txt 10.129.16.169

  • Then I did an exhaustive scan to learn more about the services running on the open ports

nmap -p22,80 -sVC -oN serv_scan.txt 10.129.16.169

  • I found an HTTP service on port 80, so I tried accessing the content in the browser. I found a website, a blog about dogs, with some entries


  • Exploring the site, I reached the About tab, where I found information about the CMS being used by the page and an email address with a custom domain. Apart from that, I didn't get any other relevant information


  • So, I tried fuzzing the page to search for hidden directories or routes. Using the Gobuster tool and a wordlist from SecLists, I found the /.git route, which corresponds to an exposed git repository and could give us information about the project and its source code


  • To help me explore the project, I used the Git-Dumper tool to fetch the files and reconstruct the repository locally. Once done, I started to check the files and reached the settings.php file, where I found credentials for a database

git clone https://github.com/arthaud/git-dumper
cd git-dumper
pip install -r requirements.txt
python ~/Tools/git-dumper/git_dumper.py http://10.129.16.169/.git/ ./repo

  • I tried using them to log in to the website, but it didn't work. So, I kept searching the files for a valid username, and by filtering for the dog.htb domain we had found before, I fortunately found two email addresses. Trying again with the tiffany user, I gained access to an administration panel


  • I looked through the options to find any possible exploitation path, but didn't find anything relevant. So, I decided to search for known vulnerabilities for that version of the platform, and found an RCE exploit in ExploitDB. Reading the exploit, I found out that it leverages the function for installing modules, so I checked to confirm that option was present, and we fortunately found the upload point that would let us leverage the vulnerability


  • Then, I ran the exploit pointing at our target, which generated a compressed module that we could upload to the site. But first, I checked the generated contents to ensure it had the correct payload, and noticed that we had to modify the shell.php file for it to give us a remote shell, as it was spawning cmd, which wouldn't work on a Linux host

python exploit.py

  • So I edited it using a proper payload for the Linux host and compressed the files again in a format that could be uploaded as a module. Then, I went to the upload point to submit the module, which worked without problems

nano ./shell/shell.php
tar -cf shell.tar ./shell/shell.php ./shell/shell.info

  • With that done, I set up a Netcat listener to receive the shell and went to the /modules route, confirming the files were there. Then, I selected the shell.php file to trigger the script, and noticed the listener had caught the shell. After that, I sanitized the terminal to work more comfortably
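  • From the defender's side, the chain above leaves three web-visible traces: successful reads under /.git/, a POST to the module installer, and a request for a .php file under /modules/. The following Python detector is an added example, not part of this write-up or of Backdrop; the Apache log lines are constructed and the installer path admin/installer/manual is an assumption.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines modelling this write-up's chain: reads of
# the exposed .git, a POST to the (assumed) Backdrop module-installer path, then
# a request for the dropped PHP file. The 403 line is a blocked probe, not a hit.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Mar/2025:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "gobuster/3.6"
10.10.14.5 - - [01/Mar/2025:10:00:02 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "python-requests/2.31"
10.10.14.5 - - [01/Mar/2025:10:05:30 +0000] "POST /?q=admin/installer/manual HTTP/1.1" 303 0 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Mar/2025:10:06:00 +0000] "GET /modules/shell/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Mar/2025:10:07:00 +0000] "GET /.git/HEAD HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Mar/2025:10:07:05 +0000] "GET /index.php?q=node/3 HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(rec):
    """Return the rule name a parsed request matches, or None."""
    path = rec["path"].split("?", 1)[0]
    # Stage 1: a 200 on anything under /.git/ means the repository is readable.
    if path.startswith("/.git/") and rec["status"] == "200":
        return "exposed-git-read"
    # Stage 2: a POST to the module installer is an upload attempt.
    if rec["method"] == "POST" and "admin/installer" in rec["path"]:
        return "module-installer-post"
    # Stage 3: module code is never meant to be requested directly as a .php URL.
    if path.startswith("/modules/") and path.endswith(".php"):
        return "php-under-modules"
    return None

def detect(log_text):
    """Parse log lines and return [(rule, ip, path)] for every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (rule := classify(m.groupdict())):
            hits.append((rule, m["ip"], m["path"]))
    return hits

def chained_sources(hits):
    """IPs that triggered all three stages, i.e. a completed web-shell drop."""
    seen = defaultdict(set)
    for rule, ip, _ in hits:
        seen[ip].add(rule)
    return sorted(ip for ip, rules in seen.items() if len(rules) == 3)
```

Feed real access-log text to detect() in place of SAMPLE_LOG; a 403 on /.git/ (as in the second-to-last sample line) is what a correctly configured web server should return.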


  • With that, I was able to go to the /home folder to check for existing users, where I found two. I then tried to log in as the johncusack user with the same password we had found during the previous enumeration, which worked, confirming a lack of credential segregation. With the new access, I went to that user's home folder, where there was a user.txt file, and reading its content, I obtained the user flag


  • With that, I got the user flag

Answer: b63a7c1c6e4ba520e4a5d92cfde1b16c


  • I tried looking for a way to escalate privileges. First, I checked the user's privileged execution permissions with sudo -l and saw that I was able to execute the /user/local/bin/bee binary. So, I checked the options this binary had, finding that we have to specify the route to a Backdrop project, one option that searches a file locally, and, most relevant of all, an option that lets us execute arbitrary PHP code


  • So first, I searched the whole system for a Backdrop project, finding one at the /backdrop_tool/bee/tests route. With that, I tried running the binary with this folder specified and attempting to run a system command, but it didn't work properly


  • It seemed this was not the actual root folder that was needed. Recalling that the web page used Backdrop, I thought we might have to specify the root folder of the website project instead, which was at the /var/www/html route. So I tried with that one and executed a command to get a new shell, which this time worked properly and gave us a shell as the root user


  • Finally, I navigated to the /root folder where I found a root.txt file, and reading its content, I obtained the root flag


  • With that, I got the root flag and pwned the machine

Answer: ea5d6ec20ff7c40598a7e1f95579455c
