Write-up for the machine Carrier from Hack The Box.
This box is really fun since it allows you to try something yourself that you
otherwise only hear about in the news. BGP hijacking is required to get the
root flag. You start by checking out the admin interface of an ISP called
Lyghtspeed Networks. Fuzzing the web server, you find some documentation on
error codes which suggests you could log in with default admin credentials.
However, the password is the serial number of the device. Some UDP port scans
later you realize there is SNMP running and it spits out this number. Once
inside the admin interface you read some support tickets. One of them is about
an important FTP server in a specific network attached to a neighboring AS.
Also, there is a feature to check router status which turns out to be
vulnerable to command injection. This vulnerability turns into a shell on the
router. This was all easy, but now the fun begins. You must carefully manipulate
the route advertisements to direct the traffic to this mysterious FTP server
over the compromised router. Dumping the traffic reveals the FTP password. The
root flag is now only one FTP download away. All in all a really interesting
challenge and a great way to learn more about how the Internet actually works.
Port scans

A fast masscan scan returns only two open ports:

$ masscan -e tun0 -p 1-65535 --rate 2000 10.10.10.105
...
Discovered open port 80/tcp on 10.10.10.105
Discovered open port 22/tcp on 10.10.10.105

With nmap we can see we are in front of an Ubuntu Linux box with OpenSSH and Apache web servers running. Version 2.4.18 of Apache suggests the box is likely Ubuntu Xenial:

$ nmap -sV -sC -p 22,80 10.
Write-up for the machine Access from Hack The Box.
This one is a pretty easy box. The main challenges are processing
proprietary Windows files (MS Access DBs, MS Outlook PST files, Windows
shortcuts) on a Kali box and understanding stored Windows credentials.
To get started, enumerate to find open FTP and Telnet ports as
well as a web server. Ignore port 80 and log into FTP anonymously to find a
Microsoft Access database with a username and password inside. Use it to get a
shell via the Microsoft Telnet service available on port 23. To escalate
privileges, you can now use "runas" with saved admin credentials. On one of
the users' desktops there is a shortcut which is a hint to this solution.
However, it is also easily discovered by enumeration. Although not necessary to
get the flag, I demonstrate at the end of this post how to get the plaintext
admin password using impacket.
Port scans

A quick port scan with masscan reveals a bunch of open ports:

$ masscan -e tun0 -p 1-65535 --rate 2000 10.10.10.98
...
Discovered open port 21/tcp on 10.10.10.98
Discovered open port 80/tcp on 10.10.10.98
Discovered open port 23/tcp on 10.10.10.98

nmap provides more details on these ports. They run the expected services on a Windows box:

$ nmap -sV -sC -p 21,23,80 10.10.10.98
...
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|_  SYST: Windows_NT
23/tcp open  telnet?
Write-up for the machine Active from Hack The Box.
The machine is a very interesting exercise for those who do not work with
Active Directory domain controllers every day but want to dive deeper into
their inner workings. Basically, you find one such domain controller with
plenty of open ports. After a short distraction in the form of a web server with no
content, you find that you get unauthenticated access to an SMB share with some
group policy files in it. Inside, you find an encrypted password. It is easy to
decrypt though, since the key is public information. With these credentials, you
get not only the first flag but also access to the AD itself. Searching for
service principal names reveals that the Administrator account is
kerberoastable. With impacket and john, it is easy to crack the password of
this account. Now the root flag is only one execution of psexec away.
Enumeration

Port scan

We start as usual with a quick masscan to get open ports as fast as possible. It returns lots of results:

$ masscan -e tun0 -p 1-65535 --rate 2000 10.10.10.100
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-09-13 20:54:40 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 53/tcp on 10.10.10.100
Discovered open port 9389/tcp on 10.
Write-up for the machine Dropzone from Hack The Box.
This is a very interesting box since you have to get in only by writing files
to arbitrary locations. An initial TCP port scan returns no open ports at
all; only after scanning UDP do you find an open TFTP daemon on port 69. After
playing with it a little, you find out the box is an old Windows XP machine and
you can read and write anywhere. The flag is hidden, so you need a shell to
explore the system. Remembering the old Stuxnet exploits, you can find a way in
by exploiting Windows WMI with a malicious MOF file uploaded to a special
folder. The last step to get both flags is to read the ADS of the hidden file,
which only works after uploading the streams.exe tool from Sysinternals.
Enumeration

Port scan

As usual, start with a quick port scan to identify open ports for inspection:

$ masscan -e tun0 -p 1-65535 --rate 2000 10.10.10.90
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-10-08 20:55:02 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]

Not a single open port was identified. Instead of debugging masscan, checking the VPN connection, trying out all sorts of firewall evasion techniques, or going crazy otherwise, remember that port scans do TCP by default but can do UDP as well:
Write-up for the machine DevOops from Hack The Box.
The box is Python-focused and illustrates nicely the various kinds of mistakes
you can make when using Python libraries carelessly. XML parsing is vulnerable
to XXE, giving access to source code. The source reveals that pickle is used to
parse user input, which turns into RCE as an unprivileged user. From there,
searching the history of a git repository left on the box exposes a deleted
private key, which can be used to SSH in as root. There is an unintended
shortcut since the SSH key of the unprivileged user is accessible via XXE,
but I ignore this way in for this write-up.
Enumeration

Port scan

Start with a fast standard port scan and you find only two open ports:

$ masscan -e tun0 -p 1-65535 --rate 2000 10.10.10.91
...
Discovered open port 22/tcp on 10.10.10.91
Discovered open port 5000/tcp on 10.10.10.91

A targeted nmap scan confirms SSH on port 22 and identifies port 5000 as a Python web server, running gunicorn:

$ nmap -sV -sC -p 22,5000 10.10.10.91 .
Write-up for the machine Sunday from Hack The Box. The box is
pretty straightforward but still cool to do. You start with enumerating finger,
finding some usernames. If you did thorough port scans and did not miss SSH on
a non-standard port, one of these names allows you to brute-force your way into the box.
Cracking a password hash from a shadow-file backup you find gets you to the
other user, from which you can escalate to root after realizing you can sudo wget.
After quite a while, this is another write-up for a Hack The Box machine. This time for "Sunday", a relatively easy machine based on Solaris. I had never worked with this OS before, so I was keen to see what I would find.

Enumeration

Port scan

To start, we quickly scan the ports of the box. An initial scan with a high rate using masscan takes only a few seconds and reveals a few open ports:
Write-up for the machine SolidState from Hack The Box. It requires thorough port scanning to find an esoteric telnet admin interface of the Apache James email server. With default root credentials, you become James admin and break into people's email inboxes. Inside, you find SSH credentials, bypass a restricted shell and finally find an insecure cron job to escalate to root.
This is my second write-up for a machine from Hack The Box. It is again a rather easy one but still lots of fun, with plenty of opportunities to do some old-school telnet work on email servers. It starts with port scanning and illustrates the importance of also scanning less popular ports. After finding the email server with default credentials, you must use your administrator power to get code execution. Once on the box, all you have to do is find an insecure cron job and you are root.
Write-up for the Hack The Box machine called Calamity. It involves basic enumeration, finding a way into a hidden admin panel of the web server, injecting PHP code after getting past the login, evading an intrusion detection system, recovering an SSH password hidden inside audio files and finally using LXC/LXD to exploit a user administration mistake to get root.
Hack The Box is a new company offering lab servers you can test penetration testing techniques on. It is quite educational and a lot of fun. They have multiple machines and all follow a similar pattern: you start with an IP address, have to find a way to get code execution on the machine (usually as an unprivileged user) and have to escalate from there to root. This post is about one of the machines, called Calamity.