We are on our eighth box in this series and are building quite a good list of tools. This box is a great example of locking down ports, but common mistakes don’t let us in again.
First, let’s run a port scanner and see what comes back: masscan $IP -p 0–65535 -e tun0 — rate 1000 -v — open-only -oL “Guard.masscan”. This only returns one port, ssh! That’s going to be a tough one to get through if its updated. I’ll flip over and do the other protocol: UDP. I ran a quick scan again: masscan $IP -pU:0–65535 -e tun0 — rate 1000 -v — open-only -oL “Guard.masscan_udp” and end up with nothing! In a real world I’d jump over to IPv6 and scan those ports…but in HackTheBox we don’t get that option. So port 22 it is. We investigate further to dig into port 22 using our friend nmap.
There isn’t much else as far as built-in scripts for nmap for port 22, and those don’t get us very far. So, let’s check that version for vulnerabilities. Let’s run searchsploit and see what we got. If you haven’t updated the database in a while, searchsploit -u can ensure you got the latest from exploitdb.
So there is some enumeration we can do if we have some users we want, or we could just brute-force a list of commons. But wait, we have a list of credentials we have been keeping as we have gone through these boxes so let’s try those first before we try random stuff. Let’s grab that last exploit and see what we get. As you can see below, it may be python, but it is still the old python2. After we install the dependency, we can give this a shot.
Now that it is setup, it asks for a target IP and a username. Well, I have a list, so let’s put this in a loop. We can run this: for i in $(cat usernames); do python 45939.py $IP $i; done and see what we get. This says everything in my list is valid…something is wrong with this tool. That wasn’t productive, but there was a tool we used before on a previous box for enumeration. Let’s try crackmapexec ssh $IP -u usernames -p passes and see what we get. Well, that tool worked, but found nothing for us. Rats. Anything else? Well, we did find an RSA key on a box, have we tried that? Before we try blind brute-forcing, we’ll check all our options. So ensure you have the right permissions on the private key, then BAM…it let us in.
So credential reuse let us on again…what a trend for these boxes, but very common in real-world usages. So we are on and I see it is an Ubuntu box. I’ll just grab that other tool, linpeas.sh and have it check all the common suspects.
So after getting logged in, when I attempted to change directories, it tells me I’m in a restricted shell. Can we download the file? Yeah, but can’t run it. I used updog here to host the file, like how we used http.server with python before. So how can we get around this? One technique is to have rbash be activated when a shell is started, which is in a profile document. Let’s try to bypass that by not using a profile.
And that worked. Now we are in a bash shell and we can run linpeas.sh in memory without even writing it to disk. Perfect. It appears that daniel is part of a picasso group and the sudo group.
Well, to run sudo, we’ll need a password and we used a private key to get on the box so we don’t have a password. We can try sudo -l in case it doesn’t need a password, but it does so that won’t work. But linpeas did find a file in the backups directory that we can read and has a hash in it.
A simple way to get the small file off is to just use your clipboard. Uses no network transactions and difficult for the blue team to find during investigations. So let’s do it:
Now just paste what you copied in this: echo “<your clipboard>” | base64 -d > shadow and vioala. Or, if you are using updog, you can actually upload back to the server from the client with:
Okay, that was easy. Now let’s allow john the ripper do the rest. Since john is able to recognize hashes and ignore stuff that isn’t, it finds two hashes in the file (root and daniel) and attempts to crack it. You can either pass it a wordlist you know or let john use its default ones. And bam, we got a winner:
So now we just need to do “su root”, provide the password, and done.
We got a few more tricks for our toolbox, on to the last box!