FriendZone is an "Easy" difficulty Machine on hackthebox.eu
First Step: Nmap Scan of the Machine
nmap -n -v -Pn -p- -A --reason -oN fz.txt 10.10.10.123
Ubuntu, with only SSH and HTTP open.
Primary areas of opportunity: SSH/22, HTTP/80
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
10.10.10.140 swagshop.htb
This is the primary page for port 80. It's a site to buy hackthebox gear; 3 items are available for sale.
I played around a bit. I had never seen Magento before, so I registered an account.
I played around the dashboard, thinking maybe I could escalate my privileges somehow.
I moved on to finding subdirectories. I used wfuzz:
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404,302 -t 50 http://10.10.10.140/index.php/FUZZ
It actually hit quite a few, so there were plenty of places to look.
In the end the only one that mattered was the admin console found at http://10.10.10.140/index.php/admin. This put an end to my privilege escalation thoughts: it uses an entirely different dashboard, so escalating from the customer account is not likely.
However, I found a vulnerability in Magento eCommerce - Remote Code Execution. I made the following changes to the exploit script:
- Changed the target to the IP of the Server
- Changed the target_url to be the proper subdirectory (has to include index.php)
- Changed the username and password it would create
- Updated the username and password in the printout at the end of the script
So head to the page to check it out
I spent a long time fishing around in here. Eventually I found Filesystem under System.
This was great! I was able to see the web server's entire file structure.
Time for a PHP reverse shell.
This script is consistently one of the best for PHP reverse shells:
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
I updated the IP and port in the reverse shell script, uploaded it to overwrite the /errors/processor.php file, and saved it.
Now we set the Kali box to listen on port 9595:
nc -v -n -l -p 9595
Not surprisingly I didn't have permissions to the /root/root.txt file.
Turns out the way to get to this file was staring me in the face. I tried to drop into root immediately, but didn't recognize the importance of the output it was giving me.
Basically, www-data (the user we're technically logged in with) has sudo permission for vi only, restricted to files under /var/www/html/.
I opened vi and specified a file in the /var/www/html/ folder so that I met the criteria.
I ran the command from inside root.txt and got the following output.
Anyone who has ever tried to run 'top' or 'htop' on a Linux server inside SecureCRT and seen how it struggles to render the output properly may have quickly recognized (as I luckily did) that this was a display error in the terminal software, not a problem with the command.
Obviously it worked, since it's telling us to use the flag to get to the real store. I opened LXTerminal directly from Kali, went through the same steps, and found the flag.
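The escalation above rests on a sudo rule that limits www-data to vi on one path but says nothing about what vi can do once it is running, since editors like vi can spawn a child shell regardless of which file they were told to open. As an added defensive example (not part of the original writeup), the following Python script audits sudoers content for rules that hand a service account such an editor as root; the sample sudoers text, the account list and the editor list are constructed assumptions, and the parser is deliberately simplified (no aliases or line continuations).

```python
"""Audit sudoers for service accounts granted a shell-escaping editor as root."""
import os
import re

# Editors/pagers that can launch a child shell from inside the program, so a
# path restriction on the file argument does not limit what they can do.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "nano", "less", "more", "man"}
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# Constructed sudoers content modelled on the writeup (not the real box's file).
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*
haris    ALL=(ALL) /usr/bin/systemctl restart apache2
"""

# user host=(runas) [NOPASSWD:] commands   (simplified: no aliases/continuations)
RULE_RE = re.compile(r"^(\S+)\s+(\S+)=(?:\((.*?)\))?\s*(NOPASSWD:)?\s*(.+)$")

def runs_as_root(runas):
    """True when the Runas_Spec allows root: ALL, root, or absent (sudo default)."""
    if runas is None:
        return True
    return runas.split(":")[0].strip() in ("ALL", "root")

def audit_sudoers(text):
    """Return findings for rules giving a service account a shell-escaping editor as root."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(("Defaults", "%")):
            continue                                  # defaults and group rules skipped
        m = RULE_RE.match(line)
        if not m:
            continue
        user, _host, runas, nopasswd, cmds = m.groups()
        if user not in SERVICE_ACCOUNTS or not runs_as_root(runas):
            continue
        for cmd in cmds.split(","):                   # a rule may list several commands
            binary = os.path.basename(cmd.strip().split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({"user": user, "binary": binary,
                                 "nopasswd": nopasswd is not None, "rule": line})
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        pw = "no password" if f["nopasswd"] else "password required"
        print(f"[!] {f['user']} may run {f['binary']} as root ({pw}): {f['rule']}")
```

Replacing such a rule with sudoedit, which edits a copy of the file as the calling user, removes the root shell while keeping the intended editing capability.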
Dead Ends and Rabbit Holes
- Enumeration
- I was trying to fuzz it via http://swagshop.htb/index.php/, which got me a lot more hits, but every one of them got me nowhere.
- I also spent forever trying to find a file that was readable under one of the subdirs they left open for us.
- I should have checked for exploits earlier
- Injection Attacks in the Customer Dashboard
- I was trying to find anywhere that I could force injection of some kind.
- The admin page didn't show up in Gobuster every couple of runs, including my first 2 runs. It seems like it can crash on its own; if I had to guess, folks might have been brute forcing it.
- SSH
- Once I found out the local username was 'haris' I tried to use hydra to brute force my way in.
- This happened to me on Luke too, so it wasn't nearly as much time wasted.