- Difficulty: Easy
- Target: HackTheBox [Code]
- Type: Comprehensive Penetration
GetShell#
First, obtain the IP, scan the ports, and find that 22
and 5000
are open. It turns out that 5000
is an HTTP service, and upon accessing it, I discovered that Python code can be executed directly, although some dangerous functions are filtered.
I directly used getattr
to bypass and spawn a shell, first starting nc
to listen.
Then, running the following code will allow for a reverse shell.
After obtaining the shell, I found an SQLite database named database.db
. It contained two users, and I found the MD5 hashed username and password. Comparing with /etc/passwd
, I discovered that the user martin
exists, so I could crack the password and attempt to brute-force SSH.
Using HashCat to crack the password.
Successfully cracked the password and logged into SSH. At this point, GetShell was successful.
Privilege Escalation#
Actually, my approach to privilege escalation had some issues; I was only able to access all files under /root
, including the flag file, but I did not truly escalate to root. I will note this down.
First, I used ssh -l
to check the executable privileged commands and found a /usr/bin/backy.sh
.
Upon inspecting its contents, I found that it performs a series of filtering processes on the input $json_file
, then hands it over to the binary program backy
.
I found the source code for backy on GitHub. Analyzing the source code, I discovered that it actually calls the rsync
and tar
commands to back up folders, and rsync
accepts directories_to_sync
from the JSON file as the source path for synchronization.
The /usr/bin/backy.sh
only controls the directories_to_archive
parameter processed by tar
, so I could construct an attack chain like this: first, synchronize the /root
folder to the user directory using rsync
. The synchronized folder can only be accessed by the root user, so I could then use backy
to tar the synchronized folder, and finally download and extract it to see its contents.
First, modify the task.json
file.
Then execute sudo backy.sh task.json
, at which point the contents of /root
will be synchronized to /home/martin/root
, and then modify the task.json
file.
Execute sudo backy.sh task.json
, and you will find the compressed file in /home/martin/backup
, extracting it will yield the root flag.
However, there is a very obvious problem with this approach: rsync
does not synchronize hidden folders like .ssh
, so I cannot escalate to root. Later, I saw other people's WriteUp and found that it was necessary to bypass ../
using double writing, such as ..././
. In any case, the challenge was still very interesting.