Hack The Box Scavenger Writeup – 10.10.10.155

Hello, welcome to the Hack The Box Scavenger writeup. Like my previous HackTheBox Windows walkthroughs, I will try to be as detailed as possible, with explanations where needed. The machine is highly vulnerable to a recent Exim vulnerability (the EHLO string exploit) discovered by QAX-A-Team.

NMAP PORT SCAN

As with other machines, I added the machine IP 10.10.10.155 to /etc/hosts as scavenger.htb and started off with the nmap port scan. The nmap scan shows the following ports are open:

nmap full result:

Nmap also shows a number of services running: Exim smtpd version 4.89 and a possible MX, ib01.supersechosting.htb.

ENUMERATION

Let us first look at the webserver on port 80.

So, there is nothing. I noticed the domain www.supersechosting.htb in my nmap scan, so I added this domain to my /etc/hosts against the IP of the machine and browsed the website. Here is the result:

There is nothing here as well, but what caught my attention is the website’s list of private DNS & WHOIS servers. The list says the DNS server is dns.supersechosting.htb and the WHOIS server is at whois.supersechosting.htb. I added both to my /etc/hosts for enumeration. After reading the nmap results again, I noticed the WHOIS server is running on MariaDB 10.1.37. Let’s

Using SQLi against the MariaDB-backed WHOIS server, I found 4 potential vHosts:

I used dig AXFR (a DNS zone transfer request) in a loop against the above vHosts to enumerate further, and I actually found a handful of bounty:

I again updated my /etc/hosts with the new vhosts I found. Then I browsed each one manually. On the host sec03.rentahacker.htb I found a note: “Owned by 31173 HAXXOR team!!!”.

Now I know there is something hidden in the domain sec03.rentahacker.htb, so my next step was to use GoBuster against the domain.

GoBuster would have taken a lot of time because I used the wrong wordlist, so after getting enough status 200 results I paused the scan. I used the command “gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://sec03.rentahacker.htb -x php” to scan for the php extension.

The /shell.php file seemed interesting. So the next step was to use WFuzz with this command:

wfuzz found a parameter named “hidden”; I could execute commands through the hidden parameter successfully.

Command:

A HTB forum user suggested a WebShell to me, which was supposed to work for getting a reverse shell. I had to modify it a bit to make it work.

Using my script I got the shell and found the credential for the user “ib01c03”.

I initially thought the password was for SSHing into sec03.rentahacker.htb, but it didn’t work; then I tried with different hosts and none worked. Lastly, I tried the password for FTP and I logged in immediately.

Sad face again: there is not much info to go further. After painstaking enumeration for more than 45 minutes, I decided to ditch the FTP and get back to the shell I got earlier. I think FTP is one of the many rabbit holes in this box.

Before heading back to the shell, I decided to get some hints from the forum. One of the users told me there are “mails” in the “ib01c03” mail directory which may help me go further, and that I can only see them by “reading more”. I fired up my terminal and the shell.

I needed to find the users with a mailbox and its location first. I used the ls -l /var/spool/mail/ command to list the mailboxes. I know that the mail spool is always a part of the user’s home directory; however, sometimes it can also be shared or located outside it.

Using the list command I found 2 mailboxes, one for the user “ib01c03” and another for “support”. I will enumerate them one by one to see if I can find credentials or something like an SSH key to log in to the box.

The support mailbox seemed empty, so I listed the messages of my user ib01c03. He has 1 message, which actually contained a credential for the FTP of another user called “ib01ftp”.

The content of the message is actually a reply from support to an SOS message with the subject “Re: Please help! Site Defaced!”. The actual message reads:

I now have the credentials for FTP at ftp.supersechosting.htb, so let us connect to the FTP and see what it has in the basket for me.

GETTING USER.TXT

I successfully connected to the FTP using the above credentials. The FTP root directory has a folder called “incidents” which contains two subdirectories, ib01c01 and ib01c03. I assumed these were user directories. The directory ib01c01 contains some files, while ib01c03 is blank.

I started to analyze the files. The first file “ib01c01.access.log” :

The second file: “ib01c01_incident.pcap” :

The log file and the note.txt file didn’t contain much information, so let’s concentrate on analyzing the packet capture file. The POST requests in a PCap file normally give a lot of information. After a while, I found the credentials of Admin in the packet capture. Password: GetYouAH4t!
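The way a responder pulls cleartext credentials out of an incident capture like the one above can be automated; this is an added example, not the author’s tooling, and it parses a constructed pcap (Ethernet/IPv4/TCP, not the real ib01c01_incident.pcap) with the standard library only, so it runs offline:

```python
import struct

# Constructed sample traffic (not the real ib01c01_incident.pcap): one GET and one
# cleartext login POST, the pattern an incident responder looks for in such a capture.
SAMPLE_PAYLOADS = [
    b"GET /index.php HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"POST /admin/login.php HTTP/1.1\r\nHost: www.example.test\r\n"
    b"Content-Length: 22\r\n\r\nuser=admin&pass=s3cret",
]

def build_pcap(payloads):
    """Wrap each payload in Ethernet/IPv4/TCP headers inside a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, payload in enumerate(payloads):
        eth = b"\x00" * 12 + b"\x08\x00"                            # EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes([10, 10, 14, 1]), bytes([10, 10, 10, 155]))
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = eth + ip + tcp + payload
        out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def extract_http_posts(pcap_bytes):
    """Walk a classic pcap and return (dst_port, request_line, body) for every HTTP POST."""
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap")
    off, posts = 24, []
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":          # too short or not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                                              # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]                               # skip IHL*4 header bytes
        payload = tcp[(tcp[12] >> 4) * 4:]                          # skip data-offset*4 bytes
        if payload.startswith(b"POST "):
            head, _, body = payload.partition(b"\r\n\r\n")
            posts.append((struct.unpack_from("!H", tcp, 2)[0],
                          head.split(b"\r\n")[0].decode(errors="replace"),
                          body.decode(errors="replace")))
    return posts
```

Real captures carry TCP segments that split a request across packets; this single-segment parser is enough to show where the POST body sits, and a full reassembly pass would be the next step.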

The credential didn’t work for SSH, but it worked for FTP. We earlier found passwords for the users ib01c03 and ib01ftp, so the only user left without a password is ib01c01. I used this password for the user ib01c01 and found user.txt on the FTP.

Privilege Escalation: GETTING ROOT.TXT

The HTB Forum is actually a goldmine; you will get a lot of useful hints. The thread below helped me get root without pain.

I started to analyze the PCap file again, as the forum said this file is the key to root. After a while, I found that the PCap had also captured a transfer of a file called root.c.

After doing recon for a little while, I found the C source code for the root.c file I mentioned above.

As per this article (https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485), when a process writes a magic string to the special device, the LKM gives root credentials to that process. The magic string is “g0tR0ot”, and as per the C source the two devices are already in use –

In the next step, I used the stat command to gather some information about the devices ttyR0 and ttyR.

Now I’m back at the forum with questions in my mind, and I got the exact answer I was looking for: the magic string “g0tR0ot” will only work for the user “ib01c03”, so I will not get root privileges with it.

HIDDEN DIRECTORY

The FTP has hidden directories; this information was gathered from the forum. When I ran ls -al, the list command showed them all. After going all the way down, I found a file called “root.ko”, a vulnerable rootkit which holds the last key to root.

Ref:

https://github.com/leixiangwu/CSE509-Rootkit/blob/master/README.md

https://oscarlab.github.io/project_files/protego-slides.pdf

Without wasting a moment, I downloaded the file. After analyzing it for a while, I knew that I was looking at an ELF file. ELF files mostly contain useful information in their header. Let us look into it (Ref: https://greek0.net/elf.html).

The header info:

The Head Command

The head command in Linux prints the first lines of the given file. So here is the output:
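Triage of an unknown kernel module found on a compromised host, as described in the ELF header section and the head output above, can be done without a compiler or any external tool; this is an added example (not the author’s commands and not the real root.ko): it decodes the ELF64 header to confirm the file is an x86-64 relocatable object, the form every .ko takes, and then lists the printable strings embedded in it, which is what revealed the hard-coded token on this box. The module image is constructed inline for testing.

```python
import struct

ELF64_HEADER_FMT = "HHIQQQIHHHHHH"   # e_type .. e_shstrndx, following the 16-byte e_ident

def parse_elf64_header(data):
    """Decode the 64-byte ELF64 header; raises ValueError for non-ELF or 32-bit input."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2:                       # EI_CLASS: 1 = ELF32, 2 = ELF64
        raise ValueError("only ELF64 is handled here")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type, e_machine, _ver, e_entry, _phoff, e_shoff, _flags, _ehsize,
     _phentsize, _phnum, _shentsize, e_shnum, e_shstrndx) = struct.unpack_from(
        endian + ELF64_HEADER_FMT, data, 16)
    types = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
    machines = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
    return {
        "type": types.get(e_type, hex(e_type)),          # a kernel module is always REL
        "machine": machines.get(e_machine, hex(e_machine)),
        "entry": e_entry,                                 # 0 for a relocatable object
        "section_header_offset": e_shoff,
        "section_count": e_shnum,
        "section_name_table_index": e_shstrndx,
    }

def printable_strings(data, min_len=6):
    """Return runs of printable ASCII at least min_len long, like strings(1) does."""
    out, run = [], bytearray()
    for b in data + b"\x00":               # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    return out

def constructed_module_image():
    """Build a fake x86-64 relocatable image (constructed, not the real root.ko)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, v1
    header = ident + struct.pack("<" + ELF64_HEADER_FMT,
                                 1, 0x3E, 1, 0, 0, 4096, 0, 64, 0, 0, 64, 20, 19)
    return header + b"\x00" * 32 + b"magic=CONSTRUCTED_TOKEN\x00"
```

On a real module, follow the header with the section table (e_shoff, e_shnum) to pull .modinfo and .rodata specifically rather than scanning the whole file.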

I now have the credential that is supposed to work in the shell to get root. The credential is: g3tPr1v

Root.txt

That’s it, thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
