Hawk is a medium-rated box on HackTheBox. Let’s see how we go.
As usual, let’s first start with a simple nmap scan.
We can immediately see that we have anonymously available FTP, a web server on port 80 and an H2 database running on port 8082.
Let’s see what we have available on the openly available H2 Server.
We find a hidden file on the FTP server.
After downloading the file and looking at the encoded text, it looks like base64. Decoding the base64 gives us gibberish, so it must be a binary file.
We see that it’s a file encrypted using openssl and a salted password.
To decrypt this we need to first know which algorithm was used to encrypt it.
Following this tutorial: https://myexperiments.io/finding-cipher-algorithm-encrypted-file.html, I assumed that my file might also have been encrypted using the same algorithms; if it wasn’t, I was going to try other popular encryption algorithms.
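One way to triage such a file before guessing at algorithms, as an added example that is not part of the original writeup: the sketch below decodes the base64 text, checks for the `Salted__` header that `openssl enc` writes, extracts the 8-byte salt, and uses the ciphertext length to narrow the possible block sizes. The function names and the sample inputs are constructed for illustration.

```python
import base64

MAGIC = b"Salted__"  # header `openssl enc` writes before the 8-byte salt


def candidate_block_sizes(n):
    """Block sizes (bytes) a padded block-mode ciphertext of n bytes allows."""
    if n == 0:
        return []
    return [size for size in (8, 16) if n % size == 0]


def parse_openssl_salted(text):
    """Decode base64 text; return salt and ciphertext facts, or None."""
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < len(MAGIC) + 8 or not raw.startswith(MAGIC):
        return None
    salt, body = raw[8:16], raw[16:]
    sizes = candidate_block_sizes(len(body))
    if 16 in sizes:
        hint = "64- or 128-bit block cipher (e.g. 3DES, Blowfish, AES) in a padded mode"
    elif 8 in sizes:
        hint = "64-bit block cipher only (e.g. DES, 3DES, Blowfish)"
    else:
        hint = "stream cipher or stream mode (CTR/CFB/OFB); length gives no block hint"
    return {"salt": salt.hex(), "ciphertext_len": len(body),
            "block_sizes": sizes, "hint": hint}


def make_sample(body_len):
    """Constructed sample: magic + fixed salt + zero bytes, base64 in 64-col lines."""
    b64 = base64.b64encode(MAGIC + bytes(range(8)) + bytes(body_len)).decode()
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


if __name__ == "__main__":
    for n in (32, 24, 21):
        print(n, parse_openssl_salted(make_sample(n)))
    print(parse_openssl_salted("aGVsbG8gd29ybGQ="))  # plain base64, no header -> None
```

Because the header is fixed, base64 text produced by `openssl enc -a` with a salt always starts with `U2FsdGVkX1`, which makes such files easy to spot before decoding.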
Now, let’s brute-force the password using bruteforce-salted-openssl (openly available on GitHub).
The image might be hard to read, but I found the password ‘friends’.
Finally, decrypting the encrypted file using openssl, I get the plaintext.
It says to use the password ‘PencilKeyboardScanner123’ in the portal. Okay, we need more context on where to use this password and where this ‘portal’ is.
Moving forward and looking at the open port 80 that we found in our nmap scan, I find a Drupal website. So this must be the portal the text file was talking about. Let’s try the simple username admin and the given password.
This seems to work! Nice. Now I can do many things to try and get a reverse shell.
Let’s first navigate to Modules and enable PHP filtering so that we can run custom PHP code.
Good, now let’s run the reverse shell PHP code by adding basic content.
The reverse shell php code was taken from: https://github.com/pentestmonkey/php-reverse-shell
Let’s preview the code and see if we get a revshell back.
Yes! We got a reverse shell back!
Good going. Now, when we look at the running processes, we can see that the H2 DB that was running on port 8082 is actually running as root. Maybe we can use this to escalate our privileges to root.
I notice this exploit: https://www.exploit-db.com/exploits/45506
Looking back at the version, the version matches too! Let’s try and see if this exploit works and gives us root.
Yep, it works of course! Talk about being lucky haha.
Hawk has also been rooted!