Hackthebox - Tenet

Summary

Tenet was a medium difficulty Linux box by HackTheBox user egotisticalSW.
Initial enumeration of the box reveals a sator file and a backup file, which show us a deserialization attack vector that we can use to write a file and get a reverse shell.
After getting onto the box we find a DB password; trying it against the user gives us a shell as user neil. Checking sudo -l, we see we can run enableSSH.sh without a password.
Checking the script, we see we can grab the root SSH key, as the script copies it to a tmp file (race condition) and then deletes it.

Hackthebox - ScriptKiddie

Summary

ScriptKiddie is a HackTheBox Easy Linux machine created by HackTheBox user 0xdf. The initial stage was creating a malicious APK and using that to get a shell. After getting a reverse shell as a user of the box, privilege escalation was just running sudo msfconsole and then bash to get root.

Hackthebox - Delivery

Summary

Delivery is a Linux box created by HackTheBox user ippsec. The box doesn't contain any exploitation and is about enumerating the box properly. Initial enumeration shows that Mattermost is running and that we need an @delivery.htb email to register. Alongside that, a HelpDesk is running, and creating a ticket gives us an email address for that ticket. We can combine both to register a user and use that to get into Mattermost. Checking Mattermost, we get multiple hints for root as well as credentials to get user. After SSHing into the box we can use the hint and find the root password hash for Mattermost in the MySQL DB. From the hint we know we can crack the password using PleaseSubscribe! along with a rule and get a root shell.

Hackthebox - Ready

Summary

Ready, a Linux box created by user bertolis, was a medium difficulty box.
The initial foothold was finding a GitLab instance running an old version, 11.4.7, which had SSRF and CRLF issues; combining them with Redis and the GitLab workers, we can get RCE.
After we get a shell we find a backup in /opt which contains a gitlab.rb file; reading that file without comments, we find an SMTP password.
Trying to see if it was used somewhere else, we can escalate to root.
But as we are still in the GitLab Docker container, we have to escape the container.
In the same backup folder we find a docker-compose file which shows that the container is running with the privileged flag. Googling around, we find a way to escape the container.

Hackthebox - Monitors

Summary

Monitors was a Hard difficulty Linux box created by TheCyberGeek. The initial foothold on the box was finding a vulnerable WordPress plugin with an LFI, which we can use to read file descriptors and read the Apache logs. From the logs we get a new subdomain (Host) on the box for Cacti. Also using the LFI, we can read wp-configs.php, which contains credentials. Using credential spraying, we find that these are the admin credentials for Cacti. Checking the version for exploits, we find that this version of Cacti is vulnerable to an SQLi which can be converted to RCE, and using that we get a shell on the box as www-data. Enumerating the box, we find a service from crontab; following that, we find credentials for the user of the box. Enumerating the box as user marcus, we see a notes.txt in his home directory. Following that hint, we find a weird local-only service running. Port forwarding that service, we discover that it is Apache OFBiz. Trying an msf module for it gives us a root shell in a Docker container. Enumerating that, we see we have the CAP_SYS_MODULE capability, and following the HackTricks Docker escape we can get a root shell on the box.
