PIT HackTheBox Walkthrough

Pit is a CTF linux box with difficulty rated as medium on Hack The Box platform. Lets deep dive into breaking down this machine.

Pentesting Methodologies

Network Scanning

·         Nmap

Enuemration

·         Abusing HTTP services

·         SNMP Enumeration

·         Banner Grabbing

Exploitation

·         Unrestricted file upload

·         Post Enumeration

Privilege Escalation

·         Abusing Writable Script

 

Network Scanning

So let proceed with an nmap version scan and script scan. 

nmap -sV -sC 10.129.95.189

From the output below we can find that 3 ports are opened:

·         22 running ssh

·         80 running http

·         9090 running http

We also find two additional information that is, a test page running on nginx port 80 and a domain certificate dms-pit.htb.

 

Enumeration

So, let’s start enumeration the web port 80 and 9090. When access the IP through port 80 via a browser, we are landing on the page below:

Whereas when we access the ip through port 9090 via a browser, we are landing on a different page as shown below.

Since we don’t know the username and password, this is not very helpful for the moment. So let’s continue to enumerate. During the nmap scan, we also found another domain name, dms-pit.htb. let’s add this entry in our host file, /etc/hosts.

 

Once the dns entry has been added into the host file, lets access the dns name in a browser to see what additional information we can have.

No luck. We go an error code 403 coming up. Maybe we will have more luck with an nmap udp scan. So lts give it a try.

nmap –sU 10.129.95.189

The result show that snmp port 161 is open on the target machine. SNMP is a protocol that is used to manage and monitor interconnected network devices. Let’s enumerate this protocol and see if we can get some valuable information.

nmap -sU -p161 -sV 10.129.95.189

we can see that the snmp version being used here is version 1 and the community string used here is the default one, that is, public.

Let’s enumerate deeper using the information found above.

snmpwalk -v2c -c public 10.129.95.189 .

 

Two entries have strike our attention namely: /var/www/html/seeddmsSix/seeddms* and /usr/bin/monitor* . Maybe we can find more information at these location.

 

Other useful information found are some usernames, michelle, root and system uptime. These can be used later.

Now that we have collect a few information, let’s try to use those information. Let’s access the path that we found in the /html folder.

http://dms-pit.htb/seeddmsSix/seeddms

we are automatically redirected to the login page below.

Let’s try to login with some default username and password. The first one we try was michelle and michelle.

 

We have been able to login in with the username michelle and password michelle where we have enumerated version for SeedDMS.

 

 

 

Exploitation

In the document information section, we can find valuable information like the name and version of the application. The application name is SeedDMS and it has just been upgrade to version 5.1.15. So let check if this application has some vulnerabilities which we can exploit.

Using searchsploit, we found that this application is vulnerable to remote code execution. Let’s mirror the exploit locally.

searchsploit seeddms

searchsploit –m 47022

cat 47022.txt

Once exploit has been mirrored, we edit the file to have to check how this works. When reviewing the code, we conclude that RCE can be obtained by executing this PHP backdoor while uploading it the documents.  

So, lets browse to add document, in our case we will upload a simple PHP webshell, in our case its 1.php.

 

Upload the 1.php and click on Add Document.

Once uploaded, we get a document id 35

Now let’s use curl with parameter cmd-pwd to know which working directory the id 35 is located.

curl http://dms-pit.htb/seeddms51x/data/1048576/35/1.php?cmd=pwd

 As you can see, it is located in /var/www/html/seeddms51x/data/1048576/35 .

Let’s continue to dig futher to see what additional information we can have in the other directories. Inside the conf folder, there is a file called setting.xml, so lets cat this file to see which configuration does it contain. Maybe we can find some resourceful details.

curl http://dms-pit.htb/seeddms51x/data/1048576/35/1.php?cmd=ls+/var/www/html/seeddms51x

curl http://dms-pit.htb/seeddms51x/data/1048576/35/1.php?cmd=ls++/var/www/html/seeddms51x/conf

curl http://dms-pit.htb/seeddms51x/data/1048576/35/1.php?cmd=cat+/var/www/html/seeddms51x/conf/setting.xml

 

Indeed. Inside the setting file, we have the database connection setting, where we can clearly see some credentials details for establishing connection.

And since the centos page is accessible on port 9090, lets try to login with username michelle and password found in the setting file. Great. We have been able to login successfully.

While browsing the tabs on the left-hand side, we can see a terminal tab at the bottom. Clicking on that brings us to a terminal. And here while listing the files, we can find a user.txt file. At this stage, we have a user level access.

ls

cat user.txt

Now it’s time to perform a privilege escalation and to have root access. From post enumeration results we find earlier, it seems that the scripts run files check*sh which is found under /usr/local/monitoring.

 

Privilege Escalation

We will simply create a private key with ssh-keygen, then try transfer private key inside target machine to get root access shell

We try to upload our id_rsa.pub file into compromised machine by editing checkshell.sh file to inject our private key inside /root/.ssh directory as authorized keys.

Now let’s run the snmpwalk command which shall execute the script located in /usr/bin/monitor

snmpwalk –v 1 -c public 10.129.95.189 1.3.6.1.4.1.8072.1.3.2

Once script executed, lets login as root via ssh using the private key.

ssh –i id_rsa root@192.168.25.189

cat root.txt

Finally, we have root access and capture the flags.