HackTheBox — Shrek Write-Up

Emily Bagwell
4 min read · Jun 11, 2023

I love the theme of the box, but the box itself was quite CTF-y. Enjoyed learning some crypto skills, but root was definitely a challenge.

Enumeration

Our autorecon scan shows FTP, SSH and HTTP are open.

┌──(kali㉿kali)-[~/HTB/shrek]
└─$ sudo env "PATH=$PATH" autorecon shrek.htb --dirbuster.wordlist /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[*] Scanning target shrek.htb
[*] [shrek.htb/all-tcp-ports] Discovered open port tcp/21 on shrek.htb
[*] [shrek.htb/all-tcp-ports] Discovered open port tcp/22 on shrek.htb
[*] [shrek.htb/all-tcp-ports] Discovered open port tcp/80 on shrek.htb
[*] [shrek.htb/tcp/80/http/known-security] [tcp/80/http/known-security] There did not appear to be a .well-known/security.txt file in the webroot (/).
[*] [shrek.htb/tcp/80/http/curl-robots] [tcp/80/http/curl-robots] There did not appear to be a robots.txt file in the webroot (/).
[*] Finished scanning target shrek.htb in 2 hours, 34 minutes, 48 seconds
[*] Finished scanning all targets in 2 hours, 34 minutes, 49 seconds!
[*] Don't forget to check out more commands to run manually in the _manual_commands.txt file in each target's scans directory!

Trying FTP, there’s no anonymous access and no weak credentials, so we’ll assume we need to find credentials for it.

For HTTP, the website looks as follows:

Our Feroxbuster scan shows a file called /secret_ultimate.php:

Viewing the source code reveals another directory called /secret_area_51:

The directory contains an MP3 of Smash Mouth’s All Star.

Viewing the file in Audacity shows a weird bit at the end after the song has finished:

We can change from Waveform to Spectrogram and the FTP credentials appear (once zoomed in):

donkey:d0nk3y1337!

FTP Enumeration

Signing into FTP gives us a series of text files and a “key” file containing an SSH private key requiring a password.

We download all the files (prompt off, mget *), so we can enumerate further.

Most of the files contain random junk:

However, some analysis on the files shows two with 3 words:

Both contain a bit of base64 in the middle. Decoding those snippets gives us what looks like some ciphertext and a key of “PrinceCharming”.

Through trial and error (or in this case, other people’s walkthroughs), we can work out that the algorithm is ECC, and we can decrypt the ciphertext with the seccure Python library.

┌──(kali㉿kali)-[~/HTB/shrek]
└─$ python3
Python 3.10.9 (main, Dec 7 2022, 13:47:07) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import seccure
>>> cipher=b'\x01\xd3\xe1\xf2\x17T \xd0\x8a\xd6\xe2\xbd\x9e\x9e~P(\xf7\xe9\xa5\xc1KT\x9aI\xdd\\!\x95t\xe1\xd6p\xaa"u2\xc2\x85F\x1e\xbc\x00\xb9\x17\x97\xb8\x0b\xc5y\xec<K-gp9\xa0\xcb\xac\x9et\x89z\x13\x15\x94Dn\xeb\x95\x19[\x80\xf1\xa8,\x82G`\xee\xe8C\xc1\x15\xa1~T\x07\xcc{\xbd\xda\xf0\x9e\x1bh\'QU\xe7\x163\xd4F\xcc\xc5\x99w'
>>> password = b'PrinceCharming'
>>> seccure.decrypt(cipher,password)
b'The password for the ssh file is: shr3k1sb3st! and you have to ssh in as: sec\n'
>>>

We can now ssh in with the key file from FTP as the user sec and the passphrase shr3k1sb3st!

Privilege Escalation

I found this privilege escalation technique a little bit tricky to get my head around in parts. The exploit relates to a cron job, running as root, that chowns a file, and to the exploitation of wildcards (see https://www.exploit-db.com/papers/33930).

Enumeration of the file system shows /usr/sec is owned by user sec, rather than root. A file thoughts.txt is in the directory but is owned by root. So we can write to the directory but not the thoughts.txt file.

Writing a file to the directory and waiting a few minutes shows the new file changes ownership to nobody:nobody. This is clear when running pspy:

If we can create a file called “--reference=thoughts.txt” and a binary with the SUID bit set, we can run the binary as root, as the cron job will mean the binary becomes owned by root (it’s now using thoughts.txt as a reference for ownership).

Running the binary in this case writes the root flag to /usr/writeup.flag.txt (although we can just as easily obtain a reverse shell through the same method).
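From the defender's side, the weakness is a root job expanding a bare * in a directory another user can write to. The script below is an added example, not part of the original box or write-up: it audits a directory for file names that would be parsed as options and shows that the same files expanded as ./* no longer are. The function names and the temporary sample directory are constructed for illustration, and the exact cron command is an assumption, as the write-up does not show it.

```shell
#!/bin/sh
# Added example (not from the write-up): audit a directory for file names
# that a privileged job's unquoted "*" would hand to a command as options.

# Print each entry in directory $1 whose name begins with "-".
find_option_like_names() {
    for path in "$1"/-*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        printf '%s\n' "${path##*/}"
    done
}

# Count the arguments a command would treat as options when glob pattern $2
# is expanded inside directory $1 (compare '*' with './*').
count_option_args() {
    (
        cd "$1" || exit 1
        n=0
        # $2 is deliberately unquoted so the shell performs the expansion.
        for arg in $2; do
            case $arg in -*) n=$((n + 1)) ;; esac
        done
        printf '%s\n' "$n"
    )
}

# Constructed sample: a temp directory laid out like the one described above.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/thoughts.txt"
    : > "$d/notes.txt"
    : > "$d/--reference=thoughts.txt"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "option-like names:        $(find_option_like_names "$sample")"
echo "options seen with '*':    $(count_option_args "$sample" '*')"
echo "options seen with './*':  $(count_option_args "$sample" './*')"
rm -rf "$sample"
```

In the job itself, writing the glob as ./* or placing -- before the file arguments stops the file name from being read as an option; keeping the directory owned by root removes the write access the technique depends on.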
