hackthebox forwardslash walkthrough

forwardslash.htb

Let's start with masscan.

Only two ports are open. Now let's try nmap.

It gives the same result. However, we should take note of the following line from the above result:

|_http-title: Did not follow redirect to http://forwardslash.htb

Append the following line to your /etc/hosts file:

10.10.10.183 forwardslash.htb

As we all know, port 22 is SSH, and there is not much to pentest there unless the SSH version itself is vulnerable. I give priority to port 80, as it gives more ground for pentesting.

Browsing the site shows us the defaced page.

It looks like someone already hacked the website. The main thing to note here is that the hacker is a fan of Sharon, which of course is not helping. Secondly, the hacker mentions something about FTP and XML. If an FTP port were open we could try logging in as anonymous, but no FTP port is open, and so far we have not seen a place where we could exploit XML, so let's move on.

The next obvious thing to do is to try to find hidden files. If you browse http://forwardslash.htb/index.php you will see the same page. This indicates that the web server is serving PHP files, and there is a chance of other PHP files too. But we should also be aware that the web server can still serve other file types such as txt, xml, html, etc.

At first, I just tried a simple gobuster run with the medium wordlist. There was no result.

There were a few results, which were not fruitful. I then tried with the PHP extension.

Again, no good result. This is good practice, as I was not stressing the server here. Lastly, the following command gave me some hints.

Checking note.txt:

http://10.10.10.183/note.txt

Pain, we were hacked by some skids that call themselves the “Backslash Gang”… I know… That name…
Anyway I am just leaving this note here to say that we still have that backup site so we should be fine.

– chiv

Hmm, backup huh? Remember we were first redirected to forwardslash.htb? Let's try some subdomains. Browse backup.forwardslash.htb.

It again redirects us to /login.php, which is fine. A login page. I tried username and password combinations like admin:admin, admin:password, etc., as a pentester should, with no result. I then noticed a “Sign up now” link at the bottom and registered as a new user, then successfully logged in as that user.

I saw a few options after logging in

….a few functions, let's say. One is “Change Your Profile Picture”, which was interesting for the following reason:

The page was disabled after the hack, and a possible Linux user, Pain, put up the message about it.

I will come back to this later. Since we now have backup.forwardslash.htb, I thought there could be other hidden files and used gobuster again.

New files were discovered that were not directly linked from the main page of the backup site, like api.php, config.php and the folder /dev. I tried to browse /dev but it was forbidden.

Browsing config.php gave nothing, as everything must be inside PHP tags. However, the api.php source shows something:

So, there might be some other possibilities.

Back to the backup page. ……One function that was interesting to me was “Change your profile picture”, as it was accepting a URL……or was it? No, the function was disabled. I temporarily removed the “disabled” attribute using “inspect element”, put in php://filter (I directly wanted to read the file) and sent the request to Burp Suite.

Here, I tried to read the /config.php file, as it might contain some juicy information.


php://filter/convert.base64-encode/resource=config.php

Response:

Then I decoded the output using base64 -d.

Got the password of www-data. I didn't stop here and read all the other files. Another possibly interesting file could be dev/index.php, as it was not allowing us to see the page.

Here, you will find the credentials for user chiv:

if (@ftp_login($conn_id, "chiv", 'N0bodyL1kesBack/')) {
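The php://filter read above works because the profile-picture field hands a user-supplied string to a PHP file function that honours stream wrappers. As an added example (not the box's code), here is the input check such a field needs, written in Python with constructed sample submissions that include the payload used above:

```python
from urllib.parse import urlsplit

# Added example, not code from the box. A "profile picture URL" field that is
# passed to include()/file_get_contents() must never see a PHP stream wrapper
# such as php://filter or file://; only http(s) with a real host gets through.
ALLOWED_SCHEMES = {"http", "https"}

def check_picture_url(user_value):
    """Return (accepted, reason) for one submitted value."""
    value = user_value.strip()            # leading whitespace must not hide the scheme
    parts = urlsplit(value)               # urlsplit lower-cases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r is not allowed" % (parts.scheme or "<none>")
    if not parts.hostname:
        return False, "no host in URL"
    return True, "ok"

# Constructed sample submissions; the first is the payload used in the walkthrough.
SAMPLES = [
    "php://filter/convert.base64-encode/resource=config.php",
    "PHP://filter/resource=/dev/index.php",   # upper-case scheme, same wrapper
    "  file:///etc/passwd",                   # leading whitespace
    "/images/default.png",                    # relative path, no scheme
    "http:///nohost",                         # scheme allowed but no host
    "https://example.com/avatar.png",
]

def triage(samples):
    """Map each submission to its verdict; useful as a regression test for the filter."""
    return {s: check_picture_url(s) for s in samples}

if __name__ == "__main__":
    for value, (ok, why) in triage(SAMPLES).items():
        print("ACCEPT" if ok else "REJECT", repr(value), "-", why)
```

Even with the wrapper check in place, fetching arbitrary remote URLs server-side still exposes the host to SSRF, so a file upload with server-side image validation is the safer design.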

Now we can log in as chiv over SSH.

So, looking around the house and finding who else is in it, I find another user called Pain, as I guessed before. Checking the files/folders inside /home/pain, I see a note.txt file:

chiv@forwardslash:/home/pain$ cat note.txt
Pain, even though they got into our server, I made sure to encrypt any important files and then did some crypto magic on the key… I gave you the key in person the other day, so unless these hackers are some crypto experts we should be good to go.
– chiv

Here, Chiv gave Pain the KEY in person, so there is no way we could know it. Chiv mentions crypto and important files….. Looking further into the directory we find what chiv really means: a Python script which encrypts and decrypts a message with a known KEY.

So we will need the KEY to decrypt the ciphertext, huh?

I thought maybe Pain had hidden the KEY somewhere in a file, so I enumerated more.

The first two outputs look interesting.

Both files are owned by the pain user, and we can run /usr/bin/backup as pain. Sweet.

Running the binary:

Not so sweet. It says “Does Not Exist or not accessible”, hmm……..current time, md5sum….backup……At the top we can read “only works if backup is taken in same second”.

Checking the files inside /var/backups, I see a note.txt file:

chiv@forwardslash:/var/backups$ cat note.txt
Chiv, this is the backup of the old config, the one with the password we need to actually keep safe. Please DO NOT TOUCH.
-Pain

It says the config file contains the password. Maybe that of user Pain.

So let's create a simple script and try to take a backup of the /var/backups/config.php.bak file.

Here is what I had written:

The output:

Note the password of Pain:

define('DB_PASSWORD', 'db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704');

It may look like some kind of hash, but it is not. It is a password, most probably a secure one.

Now we can SSH in as user Pain.

Checking if Pain is in sudoers:

Yes! We can run a command as the root user. But what is cryptsetup??? Guessing, some kind of encryption? Heard about LUKS?

We can encrypt a device, mount it and umount it in the mnt directory of the current folder.

Checking the id of the Pain user:

We have something new here, i.e. backupoperator.

Hmm, an image. Good one or bad??

It is a LUKS-encrypted file, which will need a password for any operation. After some research online I can say that we can read the image file content, but as said before we will need a password.

So I am again guessing here. We have an encrypted message which I think contains the password for the LUKS volume.

To be honest, I do not know how to decrypt the ciphertext. I reached out to some bright guys on HackTheBox and they said we do not even need the actual KEY; we just need a similar KEY with the same characters. If it was encrypted with Foobar then we can view a partially decrypted message using Fo1111. Sounds weird? Well, at least to me. I will wait for the almighty IppSec video walkthrough for this.

Anyway, I somehow got the password after decrypting the message partially. (Only I know how I did it; let's keep it a secret.)
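The "similar KEY with the same characters" trick above, and the encrypt/decrypt script found in Pain's home directory earlier, both come down to one property of repeating-key ciphers. This added example is not the script from the box; it assumes a Vigenère-style repeating-key shift cipher over printable ASCII (which is what the behaviour described implies) and shows that a guess key correct in some slots decrypts exactly the positions that use those slots, which is why such a cipher is no substitute for real encryption:

```python
# Added example, not the box's own encrypter script. It assumes a repeating-key
# (Vigenere-style) shift cipher over the 95 printable ASCII characters and shows
# why a partly correct key yields a partly correct plaintext.
ALPHABET = [chr(c) for c in range(32, 127)]
IDX = {ch: i for i, ch in enumerate(ALPHABET)}
N = len(ALPHABET)

def _shift(text, key, direction):
    # position i uses key slot i % len(key); nothing else links the positions
    out = []
    for i, ch in enumerate(text):
        k = IDX[key[i % len(key)]]
        out.append(ALPHABET[(IDX[ch] + direction * k) % N])
    return "".join(out)

def encrypt(plaintext, key):
    return _shift(plaintext, key, +1)

def decrypt(ciphertext, key):
    return _shift(ciphertext, key, -1)

def correct_positions(ciphertext, true_key, guess_key):
    """Indices where decrypt(ciphertext, guess_key) matches the real plaintext.
    With true key 'Foobar' and guess 'Fo1111', that is every index i with i % 6 < 2."""
    real = decrypt(ciphertext, true_key)
    guess = decrypt(ciphertext, guess_key)
    return [i for i, (a, b) in enumerate(zip(real, guess)) if a == b]

def partial_plaintext(ciphertext, guess_key, trusted_slots):
    """Show only the positions whose key slot is trusted; mask the rest with '?'.
    An analyst reads the visible fragments and refines the guess one slot at a time."""
    guess = decrypt(ciphertext, guess_key)
    return "".join(ch if i % len(guess_key) in trusted_slots else "?"
                   for i, ch in enumerate(guess))

if __name__ == "__main__":
    # constructed message and key; nothing here comes from the box
    msg = "Pain, the LUKS passphrase is in the usual place."
    ct = encrypt(msg, "Foobar")
    print(partial_plaintext(ct, "Fo1111", {0, 1}))   # two of every six characters readable
```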

Then, with the sudo command that we saw before, I ran the following command.

Enter the password and a file called backup will be created inside /dev/mapper. We strictly need the name backup, as we only have sudo permission to mount this.

Now mount it and read what is inside.

Now save it as a file called key, change the permissions and SSH in as root.

Cheers!!
