
In this article, you will learn how to use specialised tools to conduct reconnaissance and identify system vulnerabilities. You will learn how an LFI attack is used to read confidential files, how recovered SSH credentials are put to use, and how a VeraCrypt encrypted volume is examined. This material shows how to take a comprehensive approach to security testing and analyse vulnerabilities in web applications and servers effectively.
We continue publishing solutions for retired machines from the HackTheBox platform. The host contains important data, and access to it is possible only through a private network of specialists with in-depth knowledge of information security.
This machine has an IP address of 10.10.10.183, which we add to /etc/hosts.
10.10.10.183 forwardslash.htb
First, a scan of open ports is performed. To speed up the process, masscan is used, as a full nmap scan can take a long time. All TCP and UDP ports are analyzed through the tun0 interface at a rate of 500 packets per second.
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.183 --rate=500
Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.
nmap -A forwardslash.htb -p22,80
The server has an SSH service and a web server running. Let’s go to the web server and see what they have to offer us.
gobuster dir -t 128 -u http://forwardslash.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,xml,txt
And we find note.txt. Let’s read it.
It is reported that a group has hacked the site and that a backup exists. Let’s search for subdomains, hiding every response whose length is 0 characters (the --hh 0 filter).
wfuzz -H 'HOST:FUZZ.forwardslash.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u forwardslash.htb --hh 0
We find the backup subdomain. Add it to the /etc/hosts file.
10.10.10.183 backup.forwardslash.htb
Let’s go through the directories for this domain as well.
gobuster dir -t 128 -u http://backup.forwardslash.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,xml,txt
And we go to this address.
We are greeted by an authorization form.
There is also the option to register. Let’s register and then log in.
By following the links, we find forms for changing the name and password, and a form for setting a profile picture. Let’s focus on that one.
They report that this feature has been disabled due to a hack. The input field is not available, most likely disabled in HTML.
The disabled attribute is removed from both elements. A web server is started on the local machine, and a link to the test.txt file it serves is entered in the field.
Since the input is not filtered, let’s try an LFI vector. For convenience, this is done in Burp Suite.
And there is LFI!
Let’s check the apache configurations.
But if you try to read a PHP file, it will not be returned as text: it will be executed instead.
However, we can use PHP stream filters such as base64. The PHP file is first base64-encoded and only then output to the page, so it is never executed.
php://filter/convert.base64-encode/resource=../../../../var/www/backup.forwardslash.htb/index.php
Select the desired fragment and press Ctrl+Shift+B.
The resulting code is decoded. This way, all files found during the scan are read. The password for connecting to the database is found in the config.php file.
Let’s take a look at /dev/index.php. And there we find the authentication data for user Chiv.
This user exists on the system, as /etc/passwd shows. Let’s try these credentials for an SSH connection.
We use the LinPEAS script to collect information about the system. And we find a note in the backups.
Thus, the backups contain an old config with a password. It belongs to pain.
So the backup program has the SUID bit set. That is, we can execute the program as the pain user.
We can create a backup, but only of one file whose name is generated randomly.
We can create a symbolic link to the backup config, giving it the name the backup program announces. But we have to do it within a few seconds, so let’s make a script. First, we get the file name.
Now let’s add link creation and repeated backup.
Let’s run it from the user’s home directory and get the file.
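The trick above works because the privileged backup program follows a symlink planted in the short window between announcing the file name and reading it. As an added example (not the machine's backup program, whose source the write-up does not show), here is a hypothetical backup routine hardened against that: it opens the source with O_NOFOLLOW and checks the opened object, not the name, before reading.

```python
import os
import stat
import tempfile

def open_backup_source(path, expected_uid):
    # O_NOFOLLOW makes open() fail with ELOOP when the last path component
    # is a symlink, so a link planted in the race window is never followed.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    st = os.fstat(fd)  # inspect the object we actually opened, not the name
    if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
        os.close(fd)
        raise PermissionError(f"refusing to back up {path}")
    return fd

def read_backup_source(path, expected_uid):
    fd = open_backup_source(path, expected_uid)
    with os.fdopen(fd, 'rb') as f:
        return f.read()

def demo():
    # Constructed scenario: a regular file owned by the caller is accepted;
    # a symlink with the expected name pointing elsewhere is rejected.
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, 'config.php.bak')
        with open(secret, 'wb') as f:
            f.write(b'db_password=placeholder')
        good = os.path.join(d, 'real.txt')
        with open(good, 'wb') as f:
            f.write(b'hello')
        link = os.path.join(d, 'planted.txt')
        os.symlink(secret, link)
        results = {'regular': read_backup_source(good, os.getuid())}
        try:
            read_backup_source(link, os.getuid())
            results['symlink'] = 'followed'
        except OSError:  # ELOOP raised by O_NOFOLLOW
            results['symlink'] = 'refused'
        return results

if __name__ == '__main__':
    print(demo())
```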
Let’s change the user by entering this password.
Let’s take a look at the settings for executing commands without a password.
So we have an encrypted volume. To decrypt and mount it, we need the password.
We have the ciphertext and the program.
For decryption we use the following code.
def decrypt(key, msg):
    # Undo the cipher: key characters are applied in reverse order, and the
    # bytes are processed from the end so each step sees the same neighbour
    # value the forward cipher used.
    key = list(key)
    msg = list(msg)
    for char_key in reversed(key):
        for i in reversed(range(len(msg))):
            if i == 0:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[-1]))
            else:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[i-1]))
            while tmp < 0:
                tmp += 256
            msg[i] = chr(tmp)
    return ''.join(msg)

ciphertext = open('ciphertext', 'r').read().rstrip()
# Brute force: try every key made of one byte repeated 1..len-1 times and
# stop at the first decryption that contains an English crib.
for i in range(1, len(ciphertext)):
    for j in range(256):
        key = chr(j) * i
        text = decrypt(key, ciphertext)
        if ' the ' in text or ' to ' in text:
            print(key)
            print(text)
            exit()
And we successfully decrypt the message.
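The forward direction of this cipher is not shown in the write-up. As an added example (not from the original page), here it is next to the inverse, together with the crib-based key search the write-up relies on; the plaintext and key are constructed sample values, and the search assumes, as the write-up does, that the key is one byte repeated.

```python
def encrypt(key, msg):
    # One pass per key character: each byte is shifted by the key byte plus
    # its left neighbour (already shifted; the last byte for position 0), mod 256.
    msg = list(msg)
    for char_key in key:
        for i in range(len(msg)):
            prev = msg[-1] if i == 0 else msg[i - 1]
            msg[i] = chr((ord(msg[i]) + ord(char_key) + ord(prev)) % 256)
    return ''.join(msg)

def decrypt(key, msg):
    # Exact inverse: reverse key order, bytes from the end backwards, so each
    # step sees the same neighbour value encrypt() used.
    msg = list(msg)
    for char_key in reversed(key):
        for i in reversed(range(len(msg))):
            prev = msg[-1] if i == 0 else msg[i - 1]
            msg[i] = chr((ord(msg[i]) - ord(char_key) - ord(prev)) % 256)
    return ''.join(msg)

def recover_key(ciphertext, cribs=(' the ', ' to ')):
    # Keyspace is only 256 * (len - 1) candidates, so a crib is enough to
    # pick out the right key. Returns None if no candidate matches.
    for length in range(1, len(ciphertext)):
        for byte in range(256):
            key = chr(byte) * length
            if any(crib in decrypt(key, ciphertext) for crib in cribs):
                return key
    return None

# Constructed sample values (not the machine's ciphertext or key).
SAMPLE_PLAINTEXT = 'meet me at the old mill'
SAMPLE_KEY = chr(7) * 3
SAMPLE_CIPHERTEXT = encrypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == '__main__':
    print(repr(recover_key(SAMPLE_CIPHERTEXT)))
```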
Let’s see what we have along the indicated path.
Let’s decrypt the volume.
And mount it.
The SSH key is located there.
We connect and pick up the flag.
We ran a port scan, found hidden directories and subdomains, exploited the LFI vulnerability to read sensitive files, found credentials and gained access via SSH. We then explored the system with LinPEAS, used the SUID bit to execute a program as another user, decrypted the volume and gained access to the SSH key to retrieve the flag.