Ellingson, a Linux box created by HackTheBox user [Ic3M4n](https://www.hackthebox.eu/profile/30224), was an overall medium to hard difficulty box. The initial foothold was an exposed Werkzeug debugger, which gave a low-privilege user; the user flag came from cracking a password recovered from `shadow.bak`. Root on this box was a binary exploitation to get a shell as root, which was hard for me but was really fun.
```
# Nmap 7.70 scan initiated Sun May 19 00:30:53 2019 as: nmap -sC -sV -oN nmap/ellignson 10.10.10.139
Nmap scan report for 10.10.10.139
Host is up (0.14s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-title: Ellingson Mineral Corp
|_Requested resource was http://10.10.10.139/index
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 19 00:31:19 2019 -- 1 IP address (1 host up) scanned in 26.19 seconds
```
Web (Port 80)
Playing around on port 80 we see there is some kind of fail2ban setup. Looking around more we find that http://10.10.10.139/articles/A crashes the app and exposes the Werkzeug debugger. This reminds me of the Patreon hack in 2015. The debugger console lets us execute Python, so we can list and read files, and we find the user hal in /etc/passwd. I tried grabbing the id_rsa from /home/hal/.ssh/id_rsa but that is encrypted. I tried cracking it but had no luck. So I tried doing the opposite and writing my public key to /home/hal/.ssh/authorized_keys.
```python
f = open("/home/hal/.ssh/authorized_keys", "a")
f.write("<my public key>")
f.close()
```
Low Privilege Shell
With the above steps we were able to ssh into the box as hal, but there is still no user.txt. After enumerating a little we see that hal is in the group adm. Let's see which files that group can read:
```shell
$ find / -group adm 2> /dev/null
```
We find the file /var/backups/shadow.bak. It took us some time, but we were able to crack it with hashcat and rockyou.txt and recover a few passwords, such as theplaugeiamgod$08.
With the above passwords we try to ssh as the user margo, and we were able to get a shell as margo with the password iamgod$08 and read user.txt.
Enumerating, we find that /usr/bin/garbage has the SUID bit set and is not a standard Ubuntu SUID binary. This is a hint from the movie Hackers (1995), which this box is based on: the garbage file was a worm that The Plague inserted to defraud Ellingson, and a young hacker named Joey tried to download this file as evidence of his capabilities. So we try to execute this file; it asks for a password, and when we enter a huge password it crashes the program, so it is subject to a buffer overflow. Next we check whether ASLR (Address Space Layout Randomization) is enabled on this box:
```shell
$ cat /proc/sys/kernel/randomize_va_space
2
```
ASLR is enabled on the machine (a value of 2 means full randomization, including the heap). We loaded garbage in gdb-peda and the program crashed; looking at RSP we can tell where our input starts to overwrite the saved return pointer.
Using pattern offset (gdb-peda's `pattern_offset`) we find that the offset is 136 characters.
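The crash on a long password points to an unbounded read into a fixed stack buffer. As an added example, not the source of garbage or anything from the box, here is the bounded prompt the developer should have written, with a self-check on constructed input; the 128-byte buffer size is an assumption inferred from the 136-byte offset, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Assumed size: the writeup sees the overwrite begin at 136 bytes, which is
   consistent with a 128-byte stack buffer plus the saved frame pointer; the
   real layout of garbage is not shown. */
#define PW_BUF 128

/* The defect the crash implies is a strcpy/gets-style copy with no length
   check, so input longer than the buffer overwrites the stack frame. This
   copy writes at most PW_BUF bytes, always NUL-terminates, and rejects
   over-long input instead of silently truncating it. */
static int copy_password_bounded(char dst[PW_BUF], const char *src) {
    size_t n = 0;
    while (n < PW_BUF && src[n] != '\0') n++;
    if (n >= PW_BUF) { dst[0] = '\0'; return -1; }     /* too long: reject */
    memcpy(dst, src, n + 1);
    return 0;
}
/* Bounded prompt: fgets cannot write past its buffer; a line that did not
   fit is drained and rejected. Returns 0 on success, -1 on EOF or reject. */
static int read_password_line(FILE *in, char dst[PW_BUF]) {
    char line[PW_BUF + 2];                         /* room for '\n' and '\0' */
    if (fgets(line, sizeof line, in) == NULL) return -1;
    size_t n = strcspn(line, "\n");
    if (line[n] != '\n' && n == sizeof line - 1) {   /* no newline: too long */
        int c;
        while ((c = getc(in)) != EOF && c != '\n') { }
        return -1;
    }
    line[n] = '\0';
    return copy_password_bounded(dst, line);
}

/* Self-check on constructed input: a 7-byte password, a 299-byte one like the
   crashing input, and a short last line without a newline. Returns 1 if ok. */
int bounded_prompt_self_check(void) {
    char big[300], buf[PW_BUF];
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';
    if (copy_password_bounded(buf, "hunter2") != 0 || strcmp(buf, "hunter2")) return 0;
    if (copy_password_bounded(buf, big) != -1 || buf[0] != '\0') return 0;
    FILE *f = tmpfile();
    if (f == NULL) return 0;
    fputs("secret\n", f); fputs(big, f); fputs("\nok", f); rewind(f);
    int ok = read_password_line(f, buf) == 0 && strcmp(buf, "secret") == 0
          && read_password_line(f, buf) == -1
          && read_password_line(f, buf) == 0 && strcmp(buf, "ok") == 0
          && read_password_line(f, buf) == -1;                        /* EOF */
    fclose(f);
    return ok;
}
```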
We need to get some of the addresses now. Looking into