We are continuing with our review of Hack the Box (HTB) machines. HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.
Note: Writeups of only retired HTB machines are allowed. The machine in this article, named Bashed, is retired.
Let’s start with this machine.
1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
2. The “Bashed” machine IP is 10.10.10.68.
3. We will adopt the same methodology of performing penetration testing as we have used before. Let’s start with enumeration in order to learn more about the machine.
4. As usual, let’s start with the Nmap scan to gather more information about the services running on this machine. [CLICK IMAGES TO ENLARGE]
<<nmap -sC -sV -oA Bashed 10.10.10.68>>
5. As we can see, only port 80 is up, so we need to start the enumeration on that.
6. Let’s use gobuster to start the enumeration of the common directories.
<<gobuster -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20>>
7. Above, we can see that there are lot of enticing directories on this box, but the ones that catch our attention are dev and upload.
8. Browsing the dev directory, we can see that we have some .php files.
9. Clicking phpbash.php gives us an interactive Web shell, as we can see below.
10. We can easily browse to get the user.txt, as shown below.
11. Since we want a proper shell, we need to find another way to get into this box. Since there are php files hosted on this server, let’s see if we can upload our reverse shell to the box.
12. First, let’s customize the shipped-in php reverse shell with our machine IP and the port on which we want to listen the connection.
13. On the same directory, let’s raise a Python Web server.
<<python -m SImpleHTTPServer>>
14. Since we have a Web shell, we can try to get this reverse shell via wget. But it looks like we don’t have the permission to create a new file.
15. The next step for us is to find the directory in which we can write.
16. Remember the uploads directory? We can browse there and check if we can download the shell.php.
17. As we can see below, we can download the shell there.
18. Below, we can see that the request to fetch shell.php was indeed made.
19. As defined in the shell above, we require port 1234 to listen to, so let’s spin up that port.
<<nc -nlvp 1234>>
20. Browsing the directory http:/10.10.10.68/uploads/shell.php will execute our script and give us back the reverse shell as shown below.
21. Again, we browse to fetch the user.txt.
22. First, let’s get a more interactive shell using the command below.
<<python -c “import pty;pty.spawn(‘/bin/bash’);”>>
23. Now we need to escalate our privileges on this box, so let’s start the enumeration again.
24. The first thing to always check for is what users can sudo as. Here we can see that the current user, arrexel, can run commands as scriptmanager.
25. The above finding means that we can change to the scriptmanager user as well.
<<sudo -u scriptmanager /bin/bash>>
26. After browsing into the / directory, it looks like all the files are owned by root, whereas only one file is owned by scriptmanager.
27. Enumerating this directory gives us a Python script and txt file. test.py is owned by scriptmanager and test.txt is owned by root.
28. Looking into the contents of test.py reveals that the script indeed is writing to test.txt, which is owned by root.
29. Another thing we notice is that the test.txt update time was changing every minute. This means that the file test.py is run on a cron by root, which results on root.txt.
30. Now we can create a test.py file on our box like below. It can be grabbed from Pentest Monkey. Make sure to reset the IP address and port.
31. Now let’s grab this file to our victim server, as shown below.
32. And spin up a listener in our attacking machine like so:
<<nc -nlvp 4422>>
33. Within a minute, we see that we got a call back with the root shell.
34. We browsed to get the root.txt file.
This was a simple and straightforward machine which relied on enumeration only.
We will continue this series with further interesting HTB machines.