HackTheBox ForwardSlash Writeup – 10.10.10.183

Welcome back my friends, I’m back with another HackTheBox writeup. ForwardSlash (10.10.10.183) is a Linux box by InfoSecJack & chivato, categorized as Hard and worth 40 points.

Important NOTE: I received a couple of messages (literally abusive ones) for not including the important part where I skip the decryption and how I got the password. I left this part out intentionally, keeping in mind the people who abuse me.

Also, as I keep mentioning in my recent articles, I will do this in all my new articles, so it will be hard to take free flags by reading my write-ups. If you root the machine you don’t need to know the steps I skipped; you already know what I did.

What I noticed is that HTB did a good job by introducing dynamic flags; however, it didn’t stop people from sharing the administrator or root hash which unlocks articles.

Thank you,

Navin.

Let us start.

As usual, the machine’s IP 10.10.10.183 goes into the hosts file as forwardslash.htb.

NMAP SCAN

The machine seems tightly locked down, as I can see only two ports open: SSH on 22 and an HTTP web server on port 80.

Upon visiting the default web page we see what appears to be a defaced page. So this is the second similarly themed machine after Traceback.

WFUZZ FUZZING

As usual, I started with WFUZZ to find subdomains using the wfuzz common wordlist. I couldn’t find anything at first; however, the 302 redirect of one of the subdomains caught my attention. All payloads returned status code 302 with 0,0,0 for lines, words and characters, but the payload “backup” returned 6 words and 32 characters.

HackTheBox ForwardSlash Writeup – 10.10.10.183 – WFUZZ Fuzzing

Trying My Luck With GoBuster

As WFUZZ disclosed the subdomain backup.forwardslash.htb, I wanted to see if there was anything further to find. I used GoBuster to enumerate directories, and after running it for a few minutes I found a handful of information.

Visiting http://backup.forwardslash.htb/ I received a “Server not found” error, but after adding the entry backup.forwardslash.htb to the hosts file and browsing again, I could see a new “Login” page and a link to “Sign up” – http://backup.forwardslash.htb/register.php

HackTheBox Forwardslash Login page

http://backup.forwardslash.htb/register.php

I registered and logged in to the portal successfully. The new page is a dashboard with a few links:

  • Reset Your Password
  • Sign Out of Your Account
  • Change Your Username
  • Change Your Profile Picture
  • Quick Message
  • Hall Of Fame

I started to enumerate the pages one by one, testing the options. The “Change Your Profile Picture” page comes with a disabled input field and submit button, but I found this can be easily bypassed using Firefox’s “Inspect Element” option. I removed the “disabled” attribute and was able to submit a new profile picture. However, I didn’t see any change, and my picture didn’t appear anywhere.

Not convinced by this behaviour, I knew there was something going on behind the scenes, so I decided to run Burp and see for myself.

I captured the post request and sent it to repeater.

The repeater returned the regular reply from the web server.

Finding LFI – A Local File Inclusion vulnerability

I had in fact found the LFI (Local File Inclusion) without realizing it was the thing in this box. Since the Burp repeater didn’t provide anything helpful, I added an LFI payload to see if it worked, and to my surprise it did. This confirmed the machine is vulnerable to LFI and directory traversal, and from this point onwards I concentrated on LFI.

Continuing my directory traversal attack on the machine, I was able to request a lot of configuration files.


Obtain Database Credentials Using LFI

I managed to obtain the temp_db database credentials using LFI and a little enumeration. The DB config file is at /var/www/backup.forwardslash.htb/config.php; requesting it from Burp returned the contents of the config file:

HackTheBox Forwardslash – Obtaining Database Credentials

As GoBuster revealed /api.php (Status: 200) and /dev (Status: 301), I tried to read them using LFI, but I was denied with the warning “Permission Denied; not that way 😉”. That means there is another way to read those files.

After reading a couple of articles and PoCs I understood that I could read the files using the php://filter wrapper (php://filter/convert.base64-encode/resource=...). I found the technique in PayloadsAllTheThings.

Updating my LFI payload and sending it again from Burp: boom, I have api.php in Base64.
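From the defender’s side, the traversal and php://filter requests described above leave a recognisable trail in the web server’s access log. The following Python script is an added example, not part of the original write-up: it parses constructed combined-format log lines (the endpoint name and its url parameter are assumptions) and, after URL-decoding, flags traversal sequences, the base64 filter used to dump PHP source, and other PHP stream wrappers.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not from the write-up). The endpoint name and
# its "url" parameter are assumptions; the payload shapes are the ones described in
# the text: a plain traversal, a URL-encoded traversal and a php://filter read.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "POST /profilepicture.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "POST /profilepicture.php?url=../../../../etc/passwd HTTP/1.1" 200 1804 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:15 +0000] "POST /profilepicture.php?url=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:22 +0000] "POST /profilepicture.php?url=php://filter/convert.base64-encode/resource=api.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:30 +0000] "GET /hof.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # ../ or ..\ once the URL has been decoded
FILTER_RE = re.compile(r'php://filter/.*convert\.base64[-_]encode', re.I)  # source disclosure
WRAPPER_RE = re.compile(r'\b(?:php|data|expect|phar|zip|glob)://', re.I)  # other stream wrappers

def normalise(target: str) -> str:
    """Decode twice so %2e%2e%2f and double-encoded variants read like plain text."""
    return unquote(unquote(target))

def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None when the request looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalise(m.group("target"))
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append("path_traversal")
    if FILTER_RE.search(target):
        reasons.append("php_filter_source_read")
    elif WRAPPER_RE.search(target):
        reasons.append("php_wrapper")
    if not reasons:
        return None
    # status and size let the analyst tell a blocked attempt from a successful read
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "size": m.group("size"), "target": target, "reasons": reasons}

def scan_log(text: str) -> List[dict]:
    """Run classify() over every line and keep only the findings."""
    return [hit for hit in (classify(line) for line in text.splitlines()) if hit]
```

Running scan_log(SAMPLE_LOG) returns three findings: two traversal attempts (one of them URL-encoded) and one php://filter source read, each with the decoded target and the response status and size.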

After decoding:

Reading the http://backup.forwardslash.htb/dev/ directory

After decoding:

Within the decoded code, I found FTP credentials for the user Chiv. However, FTP is useless since no FTP port is open. But the same credentials let me into the box over SSH.

if (@ftp_login($conn_id, "chiv", 'N0bodyL1kesBack/'))

SSH Using FTP Credential

Once I was in I got a bit lost; however, I got my pace back after a nudge from fellow HTB user Cyberafro.

Getting User.txt

I started to enumerate Chiv’s home directory and moved forward by finding another user, Pain, on the box. I found user.txt on Pain’s desktop but I wasn’t able to read it, as my current user Chiv has no permission to read it.

I found a note in Backup folder that says:

Chiv, this is the backup of the old config, the one with the password we need to actually keep safe. Please DO NOT TOUCH.
-Pain

So the note means it is a backup of the old config files, probably from before the exploit. There is a passwd.bak file that probably contains the password of the user I was looking for, possibly Pain. I was not able to read it as Chiv, a low-privilege user, but I found a way to get the backup file and read it.

The credentials I recovered as: pain:db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704

Next, I switched user to Pain with su using the recovered credential and got user.txt.

Privilege Escalation From The User Pain to Root

sudo -l

Pain’s home directory has a folder ~/encryptorinator that contains a ciphertext file and a Python script to decrypt it.

After a long battle with my script, fixing it and failing, I finally got the password:

cB!6%sdH8Lj^@Y*$C2cf

As I saw after running sudo -l, the user Pain can mount images as root without the root password.

In the mounted image file I found an RSA private key.

I copied the RSA private key to my local Kali machine’s .ssh directory, updated id_rsa.pub and id_rsa, and set the required permissions:

chmod 600 id_rsa

Then I SSH’d into the box using ssh -i id_rsa root@forwardslash.htb and obtained root.txt.

That’s all folks. Thank you for reading. I appreciate any feedback or comments.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

cyruslab
3 months ago

Hi Navin, a good write-up. I was hoping I could find an alternate method without decrypting the image itself; nevertheless, thank you for your share. This is the most difficult machine which I have attempted so far. I just joined HTB and started to teach myself pentesting techniques. I started with retired machines; after doing a few, like 5 machines, I gave myself enough courage to attempt the active machines. I did ServMon, Remote and Magic; when I attempted ForwardSlash I was brainfucked… this is due to lack of knowledge on a lot of things, I panicked…
