HackTheBox - Base Writeup

Box author | TRXTRX

Enumeration

  • Top 1000 ports scan
nmap -sC -sV -oN nmap/initial 10.10.10.48
  • the result

/posts/htb/base/1000.png
nmap scan result

  • All ports scan
nmap -sC -sV -p- -oN nmap/all__ports 10.10.10.48
  • the result

/posts/htb/base/all_port.png
nmap scan allports

Open Ports

  • Both Nmap scans agree: the only open ports are SSH and HTTP, so the web application is where the enumeration continues.

Gobuster

gobuster dir -u http://10.10.10.48 -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -x php,html -o Rgobuster
  • Note that -x takes a comma-separated list of extensions; written as php.html it would only look for files ending in a single .php.html extension.
  • We found a couple of hidden directories.

  • the result

    • http://10.10.10.48/login/
    • http://10.10.10.48/static/
    • http://10.10.10.48/_uploaded/
  • Let's take a look at the /login/ directory.

/posts/htb/base/index.png
directory listing

  • config.php sounds promising, but requesting it only makes the server execute it; the browser never sees the source, so we can't read it from here.
  • However, login.php.swp, a Vim swap file left behind in the directory listing, can be downloaded as-is, because the server does not treat .swp as PHP.
  • Let's download it and take a peek.

login.php.swp

  • Let's run strings on it to pull the readable text out of the binary swap format.
  • the result

/posts/htb/base/swp.png
login.php.swp file

  • It is the source of login.php, the code behind the login form.
  • Mostly plain if-else logic, but one detail stands out: the credentials are compared with strcmp().

Strcmp bypass

/posts/htb/base/strcmp.png
php strcmp

Description
Returns < 0 if string1 is less than string2; > 0 if string1 is greater than string2, and 0 if they are equal.

The catch is what happens when string2 is not a string at all. PHP turns a form field named username[] into an array, and on PHP 7 strcmp() given an array emits a warning and returns NULL instead of an integer. The login code tests the result loosely (== 0 rather than === 0), and NULL == 0 is true, so both the username and the password comparison "succeed" without us knowing either value.

Foothold/Gaining Access

Devtools

  • Let's navigate to the login page http://10.10.10.48/login/login.php. Now that we know how the check works, let's try the strcmp bypass.
  • First, put anything in the username and password fields and submit the form.
  • Then open the Devtools, go to the Network tab and find the POST request to login.php.
  • Right-click it and choose Edit and Resend.
  • It should look like this.

/posts/htb/base/dev-1.png
devtools

  • Then edit the Request Body to the following; the [] suffix makes PHP parse each field as an array instead of a string:
  • username[]=''&password[]=''
  • Click Send. The response should now redirect to upload.php, which appears in the request list.

/posts/htb/base/dev-2.png
modify login request
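As an added example (not the login.php recovered from the swap file), here is the vulnerable comparison pattern beside a hardened version, run against the exact request body used above and against an ordinary wrong guess. The credential values are placeholders, not the box's:

```php
<?php
// Added example: not the login.php recovered from the swap file.
// Shows why `username[]=''&password[]=''` defeats a loose strcmp() check on PHP 7.x,
// and one way to write the check so that it does not.
// The credentials below are placeholders, not the box's.

const REAL_USERNAME = 'admin';
const REAL_PASSWORD = 'placeholder-password';

// Vulnerable: the pattern strcmp($known, $_POST['field']) == 0.
// On PHP 7 strcmp() given an array emits a warning and returns NULL, and
// NULL == 0 is true under loose comparison, so both checks pass. PHP 8
// throws a TypeError instead, which this function treats as a failed login.
function vulnerableLogin(array $post): bool
{
    // empty() is false for a one-element array, so the array body gets through here.
    if (empty($post['username']) || empty($post['password'])) {
        return false;
    }
    try {
        $userOk = @strcmp(REAL_USERNAME, $post['username']) == 0;
        $passOk = @strcmp(REAL_PASSWORD, $post['password']) == 0;
    } catch (TypeError $e) {
        return false;
    }
    return $userOk && $passOk;
}

// Hardened: accept only non-empty strings, compare the username with a strict
// constant-time check, and verify the password against a stored hash rather
// than a plaintext value kept in config.php.
function hardenedLogin(array $post, string $passwordHash): bool
{
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return false;
    }
    return hash_equals(REAL_USERNAME, $user) && password_verify($pass, $passwordHash);
}

// What PHP builds from the two request bodies: the [] suffix turns a field into an array.
parse_str("username[]=''&password[]=''", $arrayBody);
parse_str('username=admin&password=wrong-guess', $guessBody);

$storedHash = password_hash(REAL_PASSWORD, PASSWORD_DEFAULT);

foreach (['vulnerableLogin' => null, 'hardenedLogin' => $storedHash] as $check => $hash) {
    foreach (['array body' => $arrayBody, 'wrong guess' => $guessBody] as $label => $body) {
        $ok = $hash === null ? $check($body) : $check($body, $hash);
        printf("%-16s %-12s -> %s\n", $check, $label, $ok ? 'logged in' : 'rejected');
    }
}
```

On PHP 7.x the vulnerable check logs the array body in while rejecting the wrong guess, which is exactly the behaviour the Edit and Resend step relies on. On PHP 8 strcmp() refuses the array with a TypeError, so the bypass is specific to the older runtime (an unhandled TypeError there would be a 500, not a login). The hardened check rejects the array body at the is_string() test and the wrong guess at password_verify(), and no longer needs a plaintext password in config.php at all.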

Upload

  • Now double-click upload.php and you should be greeted by this page.

/posts/htb/base/upload.png
upload page

  • That means we have bypassed the login.
  • So let's upload a PHP reverse shell.
  • The upload succeeds. Remember the gobuster scan from earlier: it found a directory called _uploaded, and the file keeps its name there.
  • Start a listener, then request the file at the URL below. If the server executes PHP from that directory, the reverse shell connects back.

http://10.10.10.48/_uploaded/<filename>

/posts/htb/base/shell.png
shell as www-data

  • we’ve got the shell
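As an added example, not the box's upload.php (whose source we never saw), here is the kind of check that would have stopped the step above: the extension comes from an allow list, the content is sniffed rather than trusted, and the stored name is random, so a file called shell.php never lands under its own name in a directory the server executes. The sample files are constructed in a temp directory and the directory layout is assumed:

```php
<?php
// Added example: not the box's upload.php. Shows the checks an upload handler
// needs so that an uploaded web shell cannot be reached and executed the way
// /_uploaded/<filename> was on this box. Sample files are constructed below;
// the fileinfo extension (enabled by default) is assumed.

const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

// Return a safe storage name for $tmpPath (a file already on disk), or null to reject.
// The client-supplied name only selects an allowed extension; the stored name is
// random, and the caller must write it outside the document root (or into a
// directory where PHP execution is disabled), never into a served, executed path.
function safeUploadName(string $clientName, string $tmpPath): ?string
{
    // Only the final extension counts, lower-cased: "shell.php", "shell.PhP" and
    // "shell.phtml" all fail here; "shell.php.png" passes this step and fails the next.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // Sniff the bytes; the Content-Type header is chosen by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Nothing from the client reaches the path: random name, fixed extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: a minimal 1x1 PNG (signature + IHDR chunk) and a PHP one-liner.
$png   = tempnam(sys_get_temp_dir(), 'up');
$shell = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n"
    . "\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90\x77\x53\xde");
file_put_contents($shell, "<?php system(\$_GET['cmd']); ?>");

$cases = [
    ['cat.png',       $png],    // benign image
    ['shell.php',     $shell],  // web shell under its own name
    ['shell.php.png', $shell],  // double extension
    ['shell.png',     $shell],  // shell disguised by extension alone
    ['shell.PhP',     $shell],  // case trick on the extension
];
foreach ($cases as [$name, $path]) {
    $stored = safeUploadName($name, $path);
    printf("%-16s -> %s\n", $name, $stored ?? 'rejected');
}
unlink($png);
unlink($shell);
```

Run it with php from the command line; only cat.png comes back with a storage name. The second half of the fix is where that name is written: this box served and executed whatever sat in /_uploaded/, so even a correctly validated file should go to a directory the web server does not execute PHP from.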

config.php

  • We're in. Remember config.php, which we found earlier but couldn't read through the browser.
  • Now we can read it straight from the filesystem. Change into
  • /var/www/html/login/ and cat config.php.

/posts/htb/base/pass.png
password in config.php

John

  • So we've found a password in config.php.
  • Maybe the same password is reused by a local user on this system.
  • Let's see which users exist: cat /etc/passwd

/posts/htb/base/john.png
check user in /etc/passwd

  • We find one regular user, john.
  • Let's su to john with the password from config.php.

/posts/htb/base/john-cena.png
change user to john

  • Great. Now, I’m John

User Flag

/posts/htb/base/user.png
user flag

Privilege Escalation

  • OK, we have john's password, so we can check his sudo rights.
  • Run sudo -l.
  • the result

/posts/htb/base/find.png
check sudo permission

  • sudo -l shows that john may run /usr/bin/find as root. find's -exec action runs an arbitrary command for every match, so a find that runs as root can spawn a root shell.
  • Let's become root with this command; -quit makes find stop after the first match, so only one shell is spawned instead of one per file.
  • Source
sudo /usr/bin/find . -exec /bin/bash \; -quit

/posts/htb/base/haha.png
become root

Root Flag

/posts/htb/base/root.png
root flag

Conclusion

I learned a lot from this box. Don't leave development artifacts such as editor swap files in a web root: login.php.swp handed us the source of the login check. Don't compare credentials with strcmp() and a loose == 0; check that the input is a string and use a strict comparison. If your site accepts uploads, validate what is uploaded and never store it where the web server will execute it, or an uploaded PHP file becomes a reverse shell. Don't reuse passwords: the one in config.php was also john's login. And be careful with sudo rights: letting a user run find as root is the same as giving them root.

I had fun doing this machine and I hope you do too. Bye ;)