HackTheBox Guard Writeup

Enjoy reading my HTB Guard Writeup

Information Gathering

Let's begin with an nmap scan to find open ports and services:

sudo nmap -p- -sV -sC -O -v 10.10.10.50

The only service that seems to be running is OpenSSH 7.6p1 on port 22.

In the Markup room (writeup coming soon on GH) we got a private RSA key from a user called "Daniel", which might be a valid key for this machine.

Using ssh [email protected] -i daniel_priv_key we are able to login as Daniel on the HTB Guard machine via SSH.


Breaking out and obtaining the user flag

Using ls we instantly see that the user flag is in our home directory. Unfortunately, commands like cat do not display the content and I am not able to open vi or vim because we are in a restricted shell.

With python3 -m http.server 9999 we are able to start a local Python web server and download the flag to our local machine with: wget 10.10.10.50:9999/user.txt. Alternatively, the flag can be downloaded using scp: scp -i daniel_priv_key [email protected]:user.txt /home/user/Desktop/.

If you want to break out of the restricted shell instead there are several ways:

  1. Use: python3 -c "import pty;pty.spawn('/bin/bash');"
  2. Use: man echo (it doesn't matter if you use echo or something else, just open a man page) and type !bash

Privilege escalation

In the directory /var/backups we have a file called shadow which we are allowed to read.

Inside the file there are two password hashes (for daniel and for root). Both hashes start with $6$, which means they are hashed using SHA512-Crypt.

I stored both hashes in a text file and used hashcat to crack them:

hashcat -a 0 -m 1800 daniel_hash /Lists/rockyou.txt
hashcat -a 0 -m 1800 root_hash /Lists/rockyou.txt

Using the rockyou wordlist I was only able to crack the password for root: $6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:password#1

Connect to the HackTheBox Guard machine as root using ssh: ssh [email protected] and the password we just cracked.

Finally you can read the root flag using: cat root.txt.
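
The root compromise above depended on a copy of shadow under /var/backups that an unprivileged user could read. As an added example (not part of the original writeup), this is an audit a defender could run over backup directories to find such copies; the function names are hypothetical and the sample entries are constructed.

```python
import os
import re
import stat
import tempfile

# crypt(3) scheme ids found in the password field of a shadow entry
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
SHADOW_LINE = re.compile(r"^([^:\s]+):\$([0-9a-z]+)\$[^:]+:")


def find_exposed_shadow_copies(root):
    """Return (path, mode, {account: scheme}) for world-readable files under
    root that contain shadow-style password hash entries."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                    continue
                with open(path, "r", errors="replace") as fh:
                    lines = fh.readlines(65536)  # the first 64 KiB is enough
            except OSError:
                continue
            accounts = {m.group(1): SCHEMES.get(m.group(2), "unknown")
                        for m in map(SHADOW_LINE.match, lines) if m}
            if accounts:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), accounts))
    return findings


def demo():
    """Run the audit over a constructed tree: one loose copy, one tight copy."""
    entries = ("root:$6$EXAMPLESALT$constructedNotARealHash:18000:0:99999:7:::\n"
               "daniel:$6$EXAMPLESALT$constructedNotARealHash:18000:0:99999:7:::\n"
               "sshd:*:18000:0:99999:7:::\n")  # locked account, no hash to report
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("shadow", 0o644), ("shadow.bak", 0o600)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(entries)
            os.chmod(path, mode)
        return [(os.path.basename(p), mode, accts)
                for p, mode, accts in find_exposed_shadow_copies(root)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any path the audit reports should be restricted to root (or removed), and every account listed in it should have its password rotated, since the hashes must be treated as disclosed.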

