HackTheBox WriteUp

• FowardSlash Jul 4, 2020— ForwardSlash is a hard Linux box that has vulnerable web application. The vulnerability is about LFI and it can be found on website. Through LFI, it is possible to read files and we can get user credential eventually. After get first user shell, the setuid binary 'backup' can be found. With a simple script, we can abuse `backup` binary and it will lead us to second user shell. From the second user shell, if we check the sudo privilege of user, second user can mount specific image file but it requires passphrase to make it happen. This passphrase can be obtained after decrypt ciphertext with simple brute-force script. After mount successfully, id_rsa key for root can be collected from mounted directory.
• Monteverde Jun 13, 2020— Monteverde is a medium Windows box that running an Azure Active Directory service. This machine starts with simple brute-force for initial user credential. Then obtained credential 'SABatchJobs:SABatchJobs' can be used for SMB enumeration. From SMB share, we can check the file which contains the credential of user 'mhope'. After get a shell with evil-winrm, we can check that user 'mhope' is in the group 'Azure Admins'. By abusing this privilege, the administrator credential can be extracted from database with simple script. Then we can get the administrator shell.
• Nest Jun 7, 2020— Nest is an easy Windows box that requires enumeration skills and basic knowledge on dotnet programming language. By enumerating on SMB share, user credential and flag can be obtained easily. After get user, the HQK Reporting service debug mode password, which is hidden in the alternate data stream, can be obtained. Then it is able to execute debug mode and the encrypted password of user Administrator can be obtained from HQK service. To decrypt the password, it is required to decompile `hqkLdap.exe` to check how it is encrypted. After decrypt password, the system shell can be spawned eventually with Administrator credential.
• Resolute May 31, 2020— Resolute is a medium Windows box which is running Active Directory service. Initial shell can be obtained easily without any difficulty. By enumerating on SMB service, user lists and default password 'Welcome123!' can be extracted. Then with just simple brute-force, we can get valid user 'melanie' who still did not change password. After get first shell with `melanie` and with just basic enumeration, we can check another credential of user 'ryan' who is in the group DnsAdmins. As user ryan is in the DnsAdmins group, he can manage DNS server and make it executes some malicious command with DLL injection. As a result we are able to get system privilege shell eventually.
• OpenAdmin May 3, 2020— OpenAdmin is an easy linux box that runs a software OpenNetAdmin which is vulnerable to RCE and initial shell can be obtained easily by just abusing this service with an exploit. Then user credential can be extracted from the database config file and it can be re-used to connect with SSH. After get first user shell, we can find another website which is running on port 52846 and encrypted SSH key can be obtained from this site. The SSH key is crackable and we can SSH to user who can run nano as root with sudo. From the nano page, we can spawn a root shell eventually.
• Control Apr 26, 2020— Control is a hard Windows box with a SQL injection vulnerability in the search product function that allows attacker to extract the credentials and create malicious file on the server. With created malicious file and credential, attacker can get an initial shell and escalate to user. For privilege escalation to root, the user have full control on all the services and abusing this vulnerability attacker can modify service and get a shell as system.
• Mango Apr 19, 2020— Mango is a Linux Machine that has NoSQL Injection vulnerability on web application. NoSQL Injection vulnerability can be found on MongoDB and by abusing this vulnerability the attacker can extract important information such as credentials. Then the misconfigured permission binary file, jjs, can be found on the server and attacker can execute arbitrary command with this binary to get a root shell or to change permission of important files.
• Traverxec Apr 12, 2020— Traverxec is a easy Linux box that can be exploited by abusing web server nostromo 1.9.6 (RCE) and misconfiguration of permission on files and sudo.
• Postman Apr 11, 2020— Postman is a Linux box which has 2 vulnerable service, Redis and Webmin, and by abusing both services attacker can eventually get root shell and take control.
• Active Apr 11, 2020— Active is easy Windows machine and it is all about misconfiguration of SMB share and AD(Active Directory) attack. For the initial shell, the user credential can be found from Groups.xml in SMB share and once we get the initial user credential, the admin credential can be collected easily.
• Shocker Apr 11, 2020— Shocker is a easy linux box that has `shellshock` vulnerability. By abusing this vulnerability we can get a initial shell and misconfiguration of sudo privilege will eventually lead attacker to root.
• Previous_WriteUp Apr 10, 2020— This is my first post after start my blog. This blog will be used for WriteUp (HTB, CTF) and my projects. I already have some WriteUp for retired HTB machines on my github. You can find them from this post.