HackTheBox -- Usage -- Easy Machine
Initial scan
An initial nmap scan only showed SSH and port 80 open, the latter running a web server. The web server redirected to usage.htb, so I added that to my /etc/hosts file.
Navigating to the site showed a blog that I could register for and log into. A quick vhost fuzz showed that admin.usage.htb also existed, so I added that to my /etc/hosts file as well.
Doing some general exploration of the website showed there were CSRF tokens being passed along with every request. There was also a hidden _token input in every form on the page. Looking into abusing the CSRF handling led to nothing. Repeating the requests with Burp did not always work, as the tokens seemed to expire after a little while, so I had to do it fairly quickly.
Doing some more exploration of all the fields showed the forgot password field was vulnerable to SQL injection! It was a boolean-based injection that worked manually, but this was my first time using sqlmap so I had a lot of trouble with it.
I kept using 10 threads with sqlmap thinking this would make it go faster, and although it did return results they were all gibberish. After a while I noticed that that was the issue, and removing the --threads 10 finally showed the correct results from the database. Another mistake I made was trying to use the --strings flag multiple times. I'm still not sure why the injection wasn't detected, but I suspect it must have been because of the redirect. The final command was this:
There was an admin_users table that I dumped, and it had a hash that I cracked with john.
Getting RCE from admin dashboard
These login credentials got me into the admin dashboard! It was a Laravel admin dashboard that displayed the versions of all the packages on the main page.
A quick search of all the packages showed a file upload vulnerability, where we could upload a PHP file instead of an image for the avatar and then execute the code inside it.
The PoC was quite confusing, but I managed to get it working in the end by just following the steps quickly, and uploading the PentestMonkey PHP reverse shell gave me access to the machine!
Horizontal movement
I was logged in as the user dash, so I immediately got the user flag. Then in /etc/passwd I saw that there was one other user apart from root, called xander. I spent some time trying to escalate directly to root, and then figured out with a hint that I had to get into the other user account first. Again I completely ignored the files in my home directory for some reason, and it turned out that there was a password in the .monitrc file that could be reused to switch to xander.
Privesc to root
From xander pretty much the first thing I did was run sudo -l, and saw there was an interesting binary called /usr/bin/usage_management that we could run with no password. I tried to cat the file and found out it was a compiled binary. Running it showed three options: one to back up the project, one to back up the SQLite database, and one to reset the admin password.
The option that first attracted me was resetting the admin password, which reported that it ran successfully. Running strings on the binary showed no apparent password, and trying default passwords to switch into root didn't work.
Then I looked into the first option, to back up the project. It was backing up the entire contents of the /var/www/html folder into a zip at /var/backups/project.zip. I could unzip it into a folder in /tmp and see the files, but there was nothing interesting in there because I already had access to those files. For a while I tried to change the folder that was getting backed up, but to no avail. In the end I realised that if I could get it to back up a protected folder, that could get me root access!
I created a soft link inside /var/www/html to /etc, in the hope of getting the /etc/shadow file and cracking a password. I did manage to get the hash, but I could not figure out how to crack it. Then I realised I could simply back up the /root folder and that would give me root.txt with the flag! This worked, and I completed the machine, but I was left a little dissatisfied because I hadn't actually gained root access; I could only read root-owned files.
It turns out the solution to that was really simple: by backing up the whole /root folder I also had access to /root/.ssh/id_rsa, and I could just use that to SSH in as root from my own machine.
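To show why the symlink trick works and what the backup routine should have done instead, here is an added example that is not part of the original writeup or of the box itself. The real usage_management binary is closed-source, so the Python below is a constructed stand-in: a naive zip writer that follows symlinks inside the backed-up tree next to a hardened one that skips symlinks and anything resolving outside the tree, run against temporary directories standing in for /var/www/html and /root.

```python
import os
import tempfile
import zipfile


def _names(zip_path):
    with zipfile.ZipFile(zip_path) as zf:
        return sorted(zf.namelist())


def backup_following_symlinks(src_dir, zip_path):
    """Naive backup: walks the tree and archives whatever each path resolves
    to, so a symlink planted inside src_dir pulls in files from outside it."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        for root, _dirs, files in os.walk(src_dir, followlinks=True):
            for name in files:
                path = os.path.join(root, name)
                zf.write(path, os.path.relpath(path, src_dir))
    return _names(zip_path)


def backup_hardened(src_dir, zip_path):
    """Hardened backup: never descends into symlinked directories, skips
    symlinked files, and refuses any path whose real location is outside
    the directory being backed up."""
    base = os.path.realpath(src_dir)
    with zipfile.ZipFile(zip_path, "w") as zf:
        for root, dirs, files in os.walk(src_dir, followlinks=False):
            # prune symlinked directories in place so os.walk skips them
            dirs[:] = [d for d in dirs if not os.path.islink(os.path.join(root, d))]
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path):
                    continue
                if os.path.commonpath([base, os.path.realpath(path)]) != base:
                    continue
                zf.write(path, os.path.relpath(path, src_dir))
    return _names(zip_path)


def demo():
    """Constructed layout: 'html' plays /var/www/html, 'root' plays /root."""
    tmp = tempfile.mkdtemp()
    web, secret = os.path.join(tmp, "html"), os.path.join(tmp, "root")
    os.makedirs(web)
    os.makedirs(secret)
    with open(os.path.join(web, "index.php"), "w") as f:
        f.write("<?php ?>")
    with open(os.path.join(secret, "root.txt"), "w") as f:
        f.write("constructed-flag")
    os.symlink(secret, os.path.join(web, "r"))                          # dir link
    os.symlink(os.path.join(secret, "root.txt"), os.path.join(web, "leak.txt"))  # file link
    naive = backup_following_symlinks(web, os.path.join(tmp, "naive.zip"))
    safe = backup_hardened(web, os.path.join(tmp, "safe.zip"))
    return naive, safe
```

The naive archive contains both the linked directory's contents and the linked file, while the hardened one contains only index.php.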
Pwned!
What have I learnt
- Initial enumeration was good, I remembered to test everything in every field (XSS, SQL injection, etc.)
- I need to learn how to use sqlmap correctly. Don't use multiple threads if it is a time based attack, it will mess up your results
- On HTB, if there is another non-root user after my foothold then I most probably need to find a way to switch into that user before getting to root
- Look at all the goddamn files everywhere. The password to xander was right in front of me in my own home directory. It was even highlighted green when doing ls
- If I have access to root's files then I also have access to its private SSH key, so I can just use that to SSH in as root