HackTheBox Guard Writeup
Enjoy reading my HTB Guard Writeup
Information Gathering
Let's begin with an nmap scan in order to find open ports and services:
sudo nmap -p- -sV -sC -O -v 10.10.10.50
The only service that seems to be running is OpenSSH 7.6p1 on port 22.
In the Markup room (Writeup coming soon on GH) we got a private RSA key from a user called "Daniel", which might be a valid key for this machine.
Using ssh [email protected] -i daniel_priv_key
we are able to log in as Daniel on the HTB Guard machine via SSH.
Breaking out and obtaining the user flag
Using ls we instantly see that the user flag is in our home directory.
Unfortunately, commands like cat
do not display the content and I am not able to open vi or vim because we are in a restricted shell.
With python3 -m http.server 9999
we are able to start a local Python web server and download the flag to our local machine with: wget 10.10.10.50:9999/user.txt
Alternatively, the flag can be downloaded using scp: scp -i daniel_priv_key [email protected]:user.txt /home/user/Desktop/
If you want to break out of the restricted shell instead, there are several ways:
- Use:
python3 -c "import pty;pty.spawn('/bin/bash');"
- Use:
man echo
(it doesn't matter whether you use echo or something else, just open a man page) and type !bash
Privilege escalation
In the directory /var/backups
we have a file called shadow
which we are allowed to read.
Inside the file we have two password hashes (for daniel and for root).
Both hashes start with $6$
which means they are hashed using SHA512-Crypt.
I stored both the hashes in a text file and used hashcat for cracking them:
hashcat -a 0 -m 1800 daniel_hash /Lists/rockyou.txt
hashcat -a 0 -m 1800 root_hash /Lists/rockyou.txt
Using the rockyou wordlist I was only able to crack the password for root:
$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:password#1
Connect to the HackTheBox Guard machine as root using ssh:
ssh [email protected]
and the password we just cracked.
Finally you can read the root flag using: cat root.txt
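The escalation above works because a copy of the shadow file is readable by an unprivileged user. As an added example (not part of the original writeup), the following script audits a directory for such files; the function names, the constructed sample files and the choice to test the world-readable permission bit are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): find world-readable files
# that contain shadow-format password hashes, e.g. a stray backup copy.

# name:hash:... where hash begins with a crypt(3) scheme tag such as
# $6$ (SHA512-Crypt), $5$ (SHA256-Crypt), $1$ (MD5-Crypt), $y$ (yescrypt), $2b$ (bcrypt).
SHADOW_RE='^[^:]+:\$(1|2[abxy]?|5|6|y)\$[^:]+:'

# find_exposed_shadow DIR
# Prints "<path> <hash entry count>" for each regular file under DIR whose
# "other" read bit is set and that holds at least one hash entry.
find_exposed_shadow() {
    local dir=$1 f n
    find "$dir" -type f -perm -004 2>/dev/null | sort | while IFS= read -r f; do
        # grep -c exits 1 on zero matches but still prints 0, hence "|| true".
        n=$(grep -Ec -- "$SHADOW_RE" "$f" 2>/dev/null || true)
        if [ "${n:-0}" -gt 0 ]; then
            printf '%s %s\n' "$f" "$n"
        fi
    done
    return 0
}

# build_constructed_sample DIR
# Creates constructed test files; the hash strings are placeholders, not real hashes.
build_constructed_sample() {
    local dir=$1
    printf '%s\n' \
        'root:$6$CONSTRUCTED$placeholderhashA:18000:0:99999:7:::' \
        'daemon:*:18000:0:99999:7:::' \
        'daniel:$6$CONSTRUCTED$placeholderhashB:18000:0:99999:7:::' > "$dir/shadow"
    cp "$dir/shadow" "$dir/shadow.locked"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' > "$dir/passwd.bak"
    chmod 644 "$dir/shadow" "$dir/passwd.bak"   # readable by every local user
    chmod 600 "$dir/shadow.locked"              # owner only: not reported
}

# Run against a directory given on the command line, e.g. /var/backups.
if [ -n "${1:-}" ]; then
    find_exposed_shadow "$1"
fi
```

Any path the script reports should be removed or restricted to root, and the accounts whose hashes it held should get new passwords.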