Aragog Walkthrough

h4krG33k
6 min read, Feb 7, 2022

This is my first writeup on an HTB box. I tried to keep things as simple and lucid as possible so that it is beginner friendly. Hope you guys enjoy 😃

Aragog

Details:
Difficulty: Medium
Machine State: Retired

Let’s begin.

First we start with enumeration. We do our usual nmap scan. I perform an aggressive scan (-A) and store the output to a file:
nmap 10.10.10.78 -A -oN nmapA

nmap scan results (-A)

I checked the remaining ports with nmap 10.10.10.78 -p- --min-rate=1000 -v, but I didn’t find anything interesting. Let’s move on.

We find 3 ports of interest: 21[ftp], 22[ssh] & 80[http]. Let’s check them out!
Let’s begin with FTP and test whether anonymous login is enabled.

Type ftp 10.10.10.78 into the CLI and then Anonymous when prompted for a user. Yay! Anonymous login works! Now we list the contents with ls -a

We use get test.txt to download the file to our system. If you receive a permission denied error, you are probably downloading it into a directory that requires root privileges. The workaround for this is to run ftp with sudo: sudo ftp 10.10.10.78

Now that we have got the file let’s see what’s in it.

Well, when I first saw this I couldn’t make head or tail of it. It resembles XML, but I had no idea where to use it, so I kept checking other ports and services. This snippet will be extremely useful, as we will see later.

Since we don’t know any valid credentials for SSH, let’s skip it for now and move on to what the site on port 80 (http) has to offer.

Going to http://10.10.10.78/, we find the default Apache server page. Since we don’t have any leads on where to go next, we shall do a directory enumeration now. There are many tools you can use: dirbuster, gobuster, feroxbuster, etc. My favourite is feroxbuster, as it looks cool and, unlike gobuster, recursively scans through directories. Let’s commence the directory enumeration:
sudo feroxbuster -u http://10.10.10.78/ -w /home/kali/tools/Seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -x php -o directories

Feroxbuster results

It appears no directories were found. We could do a deeper search with another wordlist, but before that let’s check out the page we did find: hosts.php
Let’s see what we have here:

Hmm, looks sort of empty 😔

However, let’s capture the request using Burp and see what we can do with it. After fiddling with the request in Burp Suite for a while, I found something. Bingo! It turns out that this page accepts POST requests as well as GET requests!
Now, if you remember test.txt from FTP, which resembled XML, maybe we can use that! I blindly pasted the data into the request body and changed the request method from GET to POST, and it turns out we get back something interesting.

Request sent via burp

Let’s take a look at what the server returns:

The contents of the subnet_mask tag are being reflected back in the response, so it is possible for us to perform an XXE attack! Let’s have a look at the XXE payload:
[Note: you can omit the ELEMENT declaration; it’s not necessary in this case]

XXE payload with burp request

The response:

Received credentials

Now from here we can see that there are two accounts under the /home directory of interest to us: cliff & florian. User accounts often have SSH keys stored in them, so let’s try to retrieve them. I use the following path: ./home/cliff/.ssh/id_rsa, but the server doesn’t return anything. The path might be wrong, or there may not be any SSH keys to begin with. I however try the same with florian and it works! [Path: ./home/florian/.ssh/id_rsa]
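From the defender’s side, the whole chain above hinges on hosts.php handing the posted XML to a parser that resolves external entities. The example below is added here and is not code from the writeup or from the box; it shows how such an endpoint should parse the document (reject any DOCTYPE before parsing, and use a parser that never resolves external entities) and a cheap pre-parse signal that a request is carrying an external entity declaration. The sample request bodies are constructed to mimic the shape the writeup describes (a subnet_mask element); the root element name details, the field values and the file path in the entity are assumptions.

```python
"""Added example (not from the writeup): hardened parsing for a hosts.php-style
endpoint, plus a logging signal for XXE-shaped requests.

Sample bodies are constructed: the <details> root and the values are assumed.
"""
import re
import xml.etree.ElementTree as ET

# This endpoint never needs a DTD, and external entities can only be declared
# inside one, so any DOCTYPE is grounds for rejection.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def looks_like_xxe(body: bytes) -> bool:
    """Pre-parse signal for logging/alerting: a DTD that declares an external
    (SYSTEM/PUBLIC) entity in a request that should never carry one."""
    return bool(_DOCTYPE_RE.search(body)) and bool(_EXTERNAL_ENTITY_RE.search(body))


def parse_hosts_request(body: bytes) -> dict:
    """Parse the posted document and return the fields the page reflects.

    Hardening:
      * refuse any document with a DOCTYPE before it reaches the parser, so
        entity declarations (internal or external) are never processed;
      * use ElementTree, which does not resolve external entities even if the
        DOCTYPE check were bypassed (an unknown entity is a ParseError).
    Raises ValueError on rejected or malformed input instead of reflecting
    parser errors or entity contents back to the client.
    """
    if _DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE/entity declarations are not accepted")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    fields = {}
    for name in ("subnet_mask", "test"):
        node = root.find(name)
        fields[name] = (node.text or "").strip() if node is not None else None
    return fields


# Constructed sample: a benign request in the shape the writeup describes.
BENIGN_BODY = b"""<?xml version="1.0"?>
<details>
  <subnet_mask>255.255.255.192</subnet_mask>
  <test></test>
</details>"""

# Constructed sample: the same document carrying an external entity expanded
# inside <subnet_mask>, the pattern the writeup exploits.  The entity points
# at a placeholder path and is never resolved by the hardened parser.
XXE_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE details [
  <!ENTITY xxe SYSTEM "file:///PLACEHOLDER/path">
]>
<details>
  <subnet_mask>&xxe;</subnet_mask>
  <test></test>
</details>"""

if __name__ == "__main__":
    for body in (BENIGN_BODY, XXE_BODY):
        try:
            verdict = f"accepted {parse_hosts_request(body)}"
        except ValueError as exc:
            verdict = f"rejected ({exc})"
        print(f"xxe-signal={looks_like_xxe(body)} -> {verdict}")
```

The same rule applies to whatever parser sits behind the real hosts.php: never enable entity substitution for client-supplied XML, and fail closed rather than echoing the parsed value (here subnet_mask) back into the response, since that reflection is what turned the entity expansion into a file read.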

Florian ssh key

Cool, now let’s copy the private key and save it to a file. Then let’s correct the format by replacing the spaces with newlines.
[Tip: use tr ' ' '\n' < id_rsa > id_rsa.fixed (write to a new file; redirecting back into the file you are reading would truncate it). This will do most of the work, but you will still need to make some small adjustments, which you will understand when you look into the file]

We need to restrict the permissions of the file. Make sure it is readable only by you, since ssh refuses to use a key that other users can read. Use either of the commands: chmod 400 id_rsa or chmod 600 id_rsa. Then let’s connect to our target via ssh.

The CLI will ask whether to save the host fingerprint; you need to type yes. It doesn’t show in my case, since I have already done it before.

We can find the user flag here:

ssh login + User flag

Yay! We have completed the first half of our challenge!

Now all we need to do is to escalate our privilege on this system and get root.
This is the part where I got stuck for a long time. I tried the conventional methods: sudo -l; find / -perm -04000 -type f 2>/dev/null; getcap -r / 2>/dev/null; cat /etc/crontab.
Unfortunately, I couldn’t find any leads. Maybe there are other ways of rooting, but I’m not that good at priv esc either (I’m learning too 🤓).

Let’s go to the /var/www/html folder. Here, along with the pages index.php and hosts.php, you will find another directory: dev_wiki. Let’s try to view the page in the browser.

However, the page redirects to http://aragog/dev_wiki/, and we get an error saying that the browser has trouble finding the page :(

However, there is an easy fix for this!! We just need to add the hostname to the /etc/hosts file on our attacking machine: echo '10.10.10.78 aragog' | sudo tee -a /etc/hosts

Now, load the site again. It works! However, there isn’t much we can do here. Let’s keep looking around.
After wandering around for a while, I found that we can actually tamper with the login PHP files. We can replace the contents of the wp-login.php file with a malicious payload:

This will capture any credentials typed into the wp-login.php page and save them under /tmp/creds.txt. After a while we open this file and print out its contents:
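The root step above works because a file in the web root could be rewritten without anyone noticing. The detection a defender would want here is a file-integrity baseline of the web root. The example below is added here and is not code from the writeup or from the box: it hashes every file under a directory, stores the baseline, and reports files that were added, removed or modified since. The demo builds a constructed web root in a temporary folder (using the file names the writeup mentions) and then rewrites the login page; /var/www/html is only the default path.

```python
"""Added example (not from the writeup): SHA-256 file-integrity baseline for a
web root, to detect a rewritten page such as wp-login.php.

The demo() directory layout is constructed in a temp folder.
"""
import hashlib
import json
import tempfile
from pathlib import Path

WEB_ROOT = "/var/www/html"  # path named in the writeup; only a default here


def hash_tree(root: str) -> dict:
    """Map each regular file under root (as a relative path) to its SHA-256."""
    digests = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def save_baseline(root: str, baseline_file: str) -> int:
    """Write the baseline as JSON and return the number of files recorded."""
    digests = hash_tree(root)
    Path(baseline_file).write_text(json.dumps(digests, indent=2, sort_keys=True))
    return len(digests)


def check_against_baseline(root: str, baseline_file: str) -> dict:
    """Return {'added': [...], 'removed': [...], 'modified': [...]} relative to the baseline."""
    old = json.loads(Path(baseline_file).read_text())
    new = hash_tree(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then tamper with it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    wiki = Path(root, "dev_wiki")
    wiki.mkdir()
    Path(root, "index.php").write_text("<?php /* constructed index page */ ?>\n")
    Path(root, "hosts.php").write_text("<?php /* constructed hosts page */ ?>\n")
    (wiki / "wp-login.php").write_text("<?php /* constructed original login page */ ?>\n")

    # Keep the baseline outside the tree it describes.
    baseline_file = Path(tempfile.mkdtemp(prefix="baseline-"), "webroot.json")
    save_baseline(root, str(baseline_file))

    # Simulate the tampering: the login page is rewritten and a new file appears.
    (wiki / "wp-login.php").write_text("<?php /* constructed rewritten login page */ ?>\n")
    (wiki / "new.php").write_text("<?php /* constructed new file */ ?>\n")
    return check_against_baseline(root, str(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only useful if the attacker cannot rewrite it too, so store it off the host (or at least outside the web server’s writable paths) and run the check on a schedule; a modified entry for a login page is a high-confidence alert on its own.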

Captured credentials

We have successfully captured the password! Let’s hope this password also works for the root account. Type in su root . When prompted for password, paste/type in the password we just found.

Bingo! It works and we are now logged in as root. Let’s quickly get the root flag!

We have got both flags and completed this box successfully. Cheers!! ✨🥂

If you guys enjoyed this writeup and if it helped you, please do clap for this article and also follow for such awesome content. More coming!
