Whitelist

Sunday, July 28, 2019

Lazy

LAZY

- Layout for this exercise:

1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Lazy from the Hack The Box pentesting platform:

https://www.hackthebox.eu/

2 - ENUMERATION

- Lazy's IP is 10.10.10.18:

- Scanning with Nmap:

- Dirbusting:

- Going to /classes/auth.php we discover a potential user called admin:

- Connecting to the web server we confirm the existence of user admin because when trying to register admin the answer is that the user already exists:

3 - EXPLOITATION

3.1 - Intercepting with Burp

- Registering a new user with credentials whitelist:12345

- Let's intercept the login of user whitelist:12345 with Burp:

- Clicking Forward the authentication cookie is displayed:

- Sending to Repeater, removing the caracter % and finally clicking Go the Response is Invalid padding:

3.2 - Oracle padding attack

- The Invalid padding response leads to think on a possible padding oracle attack.

- A padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext.

- For further explanation:

https://en.wikipedia.org/wiki/Padding_oracle_attack

- padbuster is an automated script for performing this type of attacks:

https://github.com/GDSSecurity/PadBuster

https://tools.kali.org/web-applications/padbuster

- Providing ID# equals to 2:

- Launching again padbuster but entering user=admin as option:

- Finally we get the authentication cookie for user admin:

- Replacing the original authentication cookie and clicking Forward:

- Clicking Forward again finally the admin authentication is successful:

- There is a message about an SSH key, and just clicking My Key we get an RSA Private Key:

- The URL shows that the SSH key belongs to user with name mitsos:

- Storing locally the SSH key:

- Using that key the SSH connection fails, due to bad permissions:

- Changing permissions so that owner can read and write:

- Now connection with SSH is successful and we get a remote shell:

4 - CAPTURING THE 1st FLAG

- Finding the 1st flag is easy:

- Reading user.txt:

5 - PRIVILEGE ESCALATION

- The file backup is owned by user root and has got SUID and SGID bits set:

- When running backup the file /etc/shadow is displayed:

- Also /etc/passwd is available:

- So it seems that using John The Ripper could be a good solution, however we will follow an alternative Privilege Escalation path.

- Applying command strings over backup we learn that the command cat /etc/shadow is executed every time file backup is run:

- The path to the command cat is not fully specified (/bin/cat), what means that it is vulnerable to the attack of modifying the PATH system variable to the local or working directory.

- Redefining the command cat so that it spawns a shell (with root privileges because backup is run as root), giving execution privileges, and finally setting the path to the working directory (/tmp in this case):

- Now running again backup we get a remote root shell:

6 - CAPTURING THE 2nd FLAG

- Reading root.txt (look that the full path /bin/cat is now specified):

Monday, July 22, 2019

Bank

BANK

- Layout for this exercise:

1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Bank, what is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/

2 - ENUMERATION

- Bank's IP is 10.10.10.29:

- Scanning with Nmap:

- Connecting to the web browser the result is the Apache default page:

- Traying to bind Bank's IP with domain bank.htb (usual format for Hack The Box machines) and adding a new line to file /etc/hosts:

- Now the browser connection is quite different and indeed more promising:

- Applying DirBuster:

- Aside from other folders and files we find the folder balance-transfer, what holds a record of a lot of customers' balance transfers:

- The extension .acc refers to financial account information for Graphic Accounts, a program for creating an maintaining personal budgets, what may include data for bank accounts.

- Reading the first file we find encrypted credentials about a user:

- Something strikes the attention: while most of the .acc files have a size of around 580 Megabytes, however there is one file with around half the size:

- Reading that file we find cleartext credentials for the user Chris Christopoulos:

3 - EXPLOITATION

- First thing we try is SSH with credentials chris:!##HTBB4nkP4ssw0rd!##, though we are not successful:

- However, we can login to the web application using credentials chris@bank.htb:!##HTBB4nkP4ssw0rd!##

- Going to the Support tab there is the upload application Choose File:

- Creating the exploit myshell.htb with Msfvenom:

- Clicking Choose File and uploading myshell.htb:

- Also, filling Title and Message fields with any text:

- Submitting, a ticket is successfully created:

- Setting a Meterpreter handler listening session:

- Now, clicking the ticket:

- The exploitation is successful:

- Getting a shell and improving it:

- Also, it may be useful a bash shell:

4 - CAPTURING THE 1st FLAG

- The user flag is at user.txt:

5 - PRIVILEGE ESCALATION

- Looking for SUID files:

- Let's use two ways to achieve a root shell, focusing on files /var/htb/bin/emergency and /etc/passwd

5.1 - /var/htb/bin/emergency

- The file emergency has got the SUID bit so it can be run as root: