HealthyByte: Bridge That Gap

Hack The Box Edition: Curling

Hack The Box: Curling

Exploiting a vulnerable Linux machine, known as Curling, at target IP 10.10.10.150.

Strategy:

Compromise the vulnerable machine in order to gain root-level privileged access.

Tactics:

  • Perform a network scan. Used nmap to discover the target IP 10.10.10.150, scanned it for vulnerable ports with Nikto, and enumerated accessible directories with dirb. The nmap scan revealed an SSH service on port 22 and an Apache server on port 80 with a Joomla installation running on it. The target hosts the Cewl Curling website. Viewed the page source and found a secrets.txt and a username “Floris”. The secrets.txt file contained base64-encoded text. Decoding it gave me the password “Curling2018!”, which I used for user “floris”.

  • To confirm the password for user “Floris”, I used Burp Suite to intercept a login request and ran an Intruder cluster bomb attack with a username payload and a password payload. For this I needed a wordlist, so I used cewl to build one from all the words on the Cewl Curling blog. This got me access as user “Floris” and into the control panel.

  • I first tried to upload a reverse PHP shell, but for some reason that was unsuccessful. So I got access to the media directory and used a PHP upload script to upload a reverse TCP shell script, which worked. The website used the Protostar theme, so I linked the script to that theme's directory. After successfully uploading the script, I got a reverse shell using netcat.

  • At this point I was logged in as “www-data” in the shell. Looking around inside the machine, I found that user “floris” has a password_backup file. The contents of the file are a hex dump. I copied the content and used CyberChef to decode it. After decoding I got a password.txt file with a password for “floris”, and I then logged into the machine over SSH as floris. I read the user.txt file and went through the admin-area directory, which contains an input file and a report file.

  • The report contained the source of the website's main page. To perform privilege escalation, I copied the reverse shell script to the Apache web server and started it on the web machine. The vulnerable machine ran a cron job which kept refreshing the page. This basically gave me a reverse shell, and I got the root.txt file.
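A defender's view of the Intruder step above, as an added example that is not part of the original write-up: the script scans Apache access-log lines for bursts of POSTs to the Joomla administrator login from a single IP, which is what a cluster bomb run looks like from the server side. The combined log format, the threshold, and the sample addresses and timestamps are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" access-log line (assumed format; constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
LOGIN_PATH = "/administrator/index.php"  # Joomla administrator login endpoint

def parse_line(line):
    """Return (ip, datetime, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def detect_login_bursts(lines, threshold=10, window_seconds=60):
    """Flag source IPs that POST to the Joomla admin login more than `threshold` times
    inside any sliding window of `window_seconds`. Assumes lines are in chronological
    order (as Apache writes them). Returns {ip: peak_count_in_window}."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path.split("?", 1)[0] != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old attempts
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: one ordinary admin login, then a rapid burst of 12 POSTs in 22 s.
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Mar/2019:14:00:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"',
] + [
    f'10.10.14.9 - - [10/Mar/2019:14:02:{i:02d} +0000] "POST /administrator/index.php HTTP/1.1" 200 9871 "-" "Mozilla/5.0"'
    for i in range(0, 24, 2)
] + [
    '10.10.14.9 - - [10/Mar/2019:14:02:30 +0000] "GET /index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(detect_login_bursts(SAMPLE_LOG))   # {'10.10.14.9': 12}
```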

Final Thoughts: This is a great HTB machine. I did some reverse engineering, struggled a bit with escalating privileges and uploading a PHP script, but overall had fun with this one. I would rate it as a medium-difficulty CTF challenge.