Curling

Machine Level: Easy
OS: Linux

Scanning

I ran an aggressive Nmap scan (-A) to find open ports and services.

ajread@aj-ubuntu:~/hackthebox$ nmap -A [TARGET IP] -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-17 15:55 EST
Nmap scan report for [TARGET IP] 
Host is up (0.012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.10 seconds

Enumeration

In the source of the website, I noticed a reference to secret.txt at the bottom.

I navigated to secret.txt and found what appeared to be a password for some user. Judging from the site itself, the best guess was the user "Floris". The password was Base64 encoded, so I decoded it before use. I then needed to find the admin page to log in.

Initial Access

I looked around and noticed that I could edit the site's index.php. There, I decided to edit the jsstrings.php file instead, replacing its contents with the PHP reverse shell from PentestMonkey. With that set, I started a listener on my local machine.

I then ran the jstrings.php file by navigating to it in the browser.

I was able to catch the reverse shell and I was dropped in as www-data.

In the home directory of the user floris, I found a file named password_backup.

I looked at the file and, based on its magic numbers, it appeared to be a bzip2 (.bz2) archive. I needed to grab the file and convert it to its proper binary form, because it was currently stored as ASCII text.

I copied the file over and kept only the ASCII output.

However, I had issues decompressing that data, so I copied the entire hexdump from the target machine to my local machine and used xxd -r to reverse the hexdump into a new file.

Then, I decompressed with bzip2.

It looked like the newly decompressed data was in gzip format.

I decompressed the file with gzip and found that it was another bzip2 archive.

I copied it to a new file and decompressed again.

The new file appeared to be a POSIX tar archive.

I copied the file to a new name and then used tar to extract the contents, which appeared to be a password file.
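The chain above (hexdump to bzip2 to gzip to bzip2 to tar) can be unwrapped automatically by dispatching on magic bytes instead of guessing at each step. The following is an added example written for this page, not code from the original write-up: it generalises the sequence shown above into a loop that identifies each layer (bzip2, gzip, POSIX tar) from its magic bytes and peels it until a tar archive or unrecognised data is reached, after first reversing an xxd-style dump the way xxd -r does. The hexdump input and the nested archive it decodes are constructed inside the block with a placeholder password; the function names and the member name password.txt are assumptions.

```python
import bz2
import gzip
import io
import tarfile
from typing import Dict, List, Tuple

# Magic bytes for the three layer types met in the password_backup chain.
BZIP2_MAGIC = b"BZh"
GZIP_MAGIC = b"\x1f\x8b"
TAR_MAGIC = b"ustar"       # POSIX/pax and GNU tar both place "ustar" here
TAR_MAGIC_OFFSET = 257


def identify(data: bytes) -> str:
    """Classify a blob by its magic bytes, as the `file` utility would."""
    if data.startswith(BZIP2_MAGIC):
        return "bzip2"
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    return "unknown"


def xxd_dump(blob: bytes) -> str:
    """Render bytes in xxd's default layout: offset, 16 bytes as hex pairs, ASCII column."""
    lines = []
    for off in range(0, len(blob), 16):
        chunk = blob[off:off + 16]
        hex_part = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hex_part:<39}  {ascii_part}")
    return "\n".join(lines)


def reverse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from an xxd-style dump, as `xxd -r` does.

    The hex field ends at the first double space; everything after it is the
    ASCII column and must be ignored, since it can contain hex-looking text
    such as the "BZh9" magic itself.
    """
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hex_field = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


def unwrap(data: bytes, max_layers: int = 10) -> Tuple[List[str], Dict[str, bytes]]:
    """Peel compression layers until a tar archive or unknown data is reached.

    Returns the layer types in the order they were met and, when the innermost
    blob is a tar archive, a mapping of member name -> file content.
    """
    layers: List[str] = []
    for _ in range(max_layers):
        kind = identify(data)
        layers.append(kind)
        if kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        else:
            break
    members: Dict[str, bytes] = {}
    if identify(data) == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    members[member.name] = tar.extractfile(member).read()
    return layers, members


def build_sample() -> str:
    """Constructed input: a hexdump of bz2(gz(bz2(tar))) holding a placeholder password.

    The layer order mirrors the write-up; the content is made up for this example.
    """
    payload = b"<PLACEHOLDER PASSWORD>\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        info = tarfile.TarInfo(name="password.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
    return xxd_dump(blob)


if __name__ == "__main__":
    found_layers, found_members = unwrap(reverse_hexdump(build_sample()))
    print("layers:", " -> ".join(found_layers))
    for name, content in found_members.items():
        print(f"{name}: {content!r}")
```

On a real hexdump file, replace build_sample() with the file's text; the loop stops on its own when it meets something it cannot identify, so an unexpected layer shows up as "unknown" at the end of the layer list rather than as a confusing decompression error.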

I used the contents to ssh into the machine as user floris.

And I was able to read the contents of the user flag.

Privilege Escalation

I remembered seeing the admin-area folder within the user directory where I found the user flag and the compressed password file. I listed the cron jobs to see if there was anything interesting.

I used the official write-up to help me with this portion. I downloaded pspy, copied it over using SCP, and used it to find the cron jobs running on the machine. After running the tool, I found that every minute a curl command against the admin area was run by root.

It appeared that the job ran a shell script which invoked curl, using the input file as curl's config file and writing the output to the report file. Therefore, if I could change the config file, I could have curl call my machine and execute code. Using the write-up from HTB, I created a local crontab and cron entry to call back to my machine.
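The weakness here is a root cron job that reads a file a non-root user controls. As an added check written for this page (not code from the write-up or from the HTB materials), the script below audits a crontab in /etc/crontab layout: for each root job it collects every absolute path in the command and in any script the job runs, and flags paths owned by a non-root user or carrying group/world write bits. curl's -K/--config argument is called out by name, because that file dictates what curl does rather than merely where its output lands. The crontab text, the script contents, the path names (/home/floris/admin-area/report.sh, input, report) and the ownership data are all constructed for the example; on a live host, meta_from_disk can populate the metadata from real files instead.

```python
import os
import shlex
import stat
from typing import Dict, List, NamedTuple, Tuple


class FileMeta(NamedTuple):
    """The two facts the check needs about a file: owner uid and permission bits."""
    uid: int
    mode: int


def meta_from_disk(path: str) -> FileMeta:
    """Read FileMeta for a real path (for use on a live host; the sample below is constructed)."""
    st = os.stat(path)
    return FileMeta(uid=st.st_uid, mode=stat.S_IMODE(st.st_mode))


def writable_by_non_root(meta: FileMeta) -> bool:
    """True if someone other than root could modify the file.

    Simplification: a non-root owner always counts, as does any group or
    world write bit; group membership is not resolved.
    """
    return meta.uid != 0 or bool(meta.mode & (stat.S_IWGRP | stat.S_IWOTH))


def referenced_paths(command: str) -> List[Tuple[str, str]]:
    """Return (path, role) pairs for absolute paths in a shell command line.

    curl's -K/--config argument gets its own role so the report can say the
    file controls curl's behaviour. (The joined form -K/path is not handled.)
    """
    argv = shlex.split(command, comments=True)
    found: List[Tuple[str, str]] = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-K", "--config") and i + 1 < len(argv):
            found.append((argv[i + 1], "curl config file"))
            i += 2
            continue
        if tok.startswith("/"):
            found.append((tok, "path"))
        i += 1
    return found


def audit(crontab: str, scripts: Dict[str, str], fs: Dict[str, FileMeta]) -> List[str]:
    """Flag root cron jobs whose command, scripts or referenced files are writable by non-root.

    `crontab` uses /etc/crontab layout (five time fields, user, command);
    `scripts` maps script paths to their text so the check can descend into them;
    `fs` maps every path of interest to its FileMeta.
    """
    findings: List[str] = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue
        command = fields[6]
        queue = referenced_paths(command)
        seen = set()
        while queue:
            path, role = queue.pop(0)
            if path in seen:
                continue
            seen.add(path)
            meta = fs.get(path)
            if meta is not None and writable_by_non_root(meta):
                findings.append(
                    f"{role} {path} (owner uid {meta.uid}, mode {meta.mode:04o}) "
                    f"is writable by a non-root user but used by root job: {command}"
                )
            # Descend into any script the job runs so its own file references are checked too.
            for script_line in scripts.get(path, "").splitlines():
                queue.extend(referenced_paths(script_line))
    return findings


# Constructed sample (not the box's real files): every minute root runs a
# root-owned script that hands a user-owned file to curl as its config file.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
*/1 * * * * root /home/floris/admin-area/report.sh
0 3 * * * root /usr/bin/apt-get update
"""
SAMPLE_SCRIPTS = {
    "/home/floris/admin-area/report.sh": (
        "#!/bin/sh\n"
        "curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report\n"
    ),
}
SAMPLE_FS = {
    "/home/floris/admin-area/report.sh": FileMeta(uid=0, mode=0o755),
    "/home/floris/admin-area/input": FileMeta(uid=1000, mode=0o644),
    "/home/floris/admin-area/report": FileMeta(uid=1000, mode=0o644),
    "/usr/bin/apt-get": FileMeta(uid=0, mode=0o755),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CRONTAB, SAMPLE_SCRIPTS, SAMPLE_FS):
        print(finding)
```

The fix the check points at is the usual one: anything a privileged job reads should be owned by root and not writable by anyone else, or the job should run as the user who owns its inputs.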

I started up an http server on my local machine.

I changed the input file on floris' machine.

I saw the GET request from the remote machine.

And shortly after, I was dropped into a shell as root.

I was able to read the root flag!
