Hello everyone. Here we walk through the solution of the Passage machine from the Hack The Box platform. Below is a description of the machine itself and its parameters, including the IP address.
Progress:
- First we need to get a user: more precisely, log in to the server as an existing user and thereby gain access to some of its services.
- First we connect to the lab VPN with OpenVPN; in my case the command is
$ sudo openvpn <your creds>.ovpn
- The machine's IP address is 10.10.10.206; browsing to it shows an ordinary news site.
- I do the usual initial reconnaissance (directory enumeration with dirsearch and a port scan with nmap); the results are meagre, but at least something:
- SSH on port 22 is open
- HTTP on port 80, where the site is hosted
- dirsearch found nothing
- I start looking for anything interesting on the site and notice it runs CuteNews, a flat-file news CMS. On a whim I append CuteNews to the site's path, and voila: we get this service's login and registration page.
- At first I spent a lot of time brute-forcing the login and password, but in the end I decided to simply register. In the personal settings I see a file upload, which is very often a serious vulnerability... and since the site runs PHP, the idea is that PHP code can be uploaded here...
- So I wrote a one-line PHP script that runs a shell command taken from the request:
- Next I upload this PHP file through the upload form, locate it under uploads, and then pass it a command for the shell.
- OK, with that I could run whoami and ls, so logically I can get a reverse shell. We get access to the server in 2 steps:
[Screenshots: Step 1, Step 2]
As a result we get the reverse shell and are now on the server side. Congratulations, but this is only the beginning.
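As an added, defender-side example (not from the original write-up and not CuteNews code): a small Python audit that walks an uploads directory and flags files a PHP-enabled web server might execute, whether through a PHP extension hidden in a double extension or PHP code inside an innocuously named file. The uploads path and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Extensions a PHP-enabled server may hand to an interpreter (assumption:
# mod_php / php-fpm with the usual handler mappings) plus common CGI ones.
EXEC_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".cgi", ".pl"}
PHP_TAG = re.compile(rb"<\?php|<\?=|<\?\s")

def classify(path):
    """Return the reasons this upload is dangerous (empty list if it looks safe)."""
    reasons = []
    name = os.path.basename(path).lower()
    # Check every dotted part, not just the last: with AddHandler-style configs
    # Apache treats "photo.php.png" as PHP, so a double extension is not safe.
    if any("." + part in EXEC_EXTS for part in name.split(".")[1:]):
        reasons.append("executable extension")
    with open(path, "rb") as fh:
        head = fh.read(4096)  # an open tag near the start is enough to flag
    if PHP_TAG.search(head):
        reasons.append("contains PHP open tag")
    if name == ".htaccess":
        reasons.append("override file can remap handlers")
    return reasons

def audit_uploads(root):
    """Walk an uploads tree and map each flagged file (relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            reasons = classify(path)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def build_sample_tree():
    """Construct a throwaway uploads directory holding benign and suspicious files."""
    root = tempfile.mkdtemp(prefix="cutenews_uploads_")  # constructed sample data
    samples = {
        "avatar.png": b"\x89PNG\r\n\x1a\n",            # benign image
        "photo.php.png": b"\x89PNG\r\n\x1a\n",         # double extension
        "notes.txt": b"<?php echo 'hello'; ?>",        # PHP body behind a harmless name
        "cover.jpg": b"\xff\xd8\xff\xe0JFIF",           # benign image
    }
    for fname, data in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(data)
    return root
```

Run `audit_uploads(build_sample_tree())` to see the two suspicious files flagged; point `audit_uploads` at a real uploads directory to use it as a periodic check.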
- So we are on the server, but as www-data we are still nobody. That will change soon; for now the routine work begins: browsing directories and looking for anything interesting...
After 2.5 hours, I came across the www directory:
After going through some files, I came to the b0.php file.
Looking at the structure of the encoded string, I immediately recognised base64, so I used an online decoder...
Inside is a password hash (it even says so right there); I google a hash-lookup site and get this result...
Login: paul
Password: atlanta1
- All that remains is to log in as this user.
We are in the system!
Progress:
- I start browsing paul's home directory and very quickly find the .ssh directory by listing hidden files and directories...
Lo and behold, this folder contains an id_rsa key that lets me connect as another user, nadav.
Now I'm logged in as another user; let's see what we find here...
- After several hours of searching directories for information, I finally decided to look at the running processes with the ps auwx command.
Next I search for interesting processes running as root and find a strange one,
usb-creator-helper. I google it and find the first article that comes up on privilege escalation via usb-creator; link:
- After reading the articles, I understood the general principle of the vulnerability and was able to exploit it using the ready-made example from the article...
From there it was simply a matter of using root's id_rsa to connect as root over SSH. A couple of steps and we are in the system as root.
Here is our flag, comrades!