HackTheBox - Guard Writeup

Box author | TRXTRX

Enumeration

  • Top 1000 ports scan
nmap -sC -sV -oN nmap/initial 10.10.10.50
  • the result

[image: nmap initial scan (/posts/htb/guard/1000.png)]

  • scan all ports
nmap -sC -sV -p- -oN nmap/all_ports 10.10.10.50
  • the result

[image: nmap all-ports scan (/posts/htb/guard/all_ports.png)]

Open Ports

  • Both nmap scans show that only the SSH port is open.

Foothold/Gaining Access

SSH

  • Let’s try to SSH into the machine using the private key we got from the previous box, Markup.

[image: ssh as daniel (/posts/htb/guard/ssh.png)]

  • It works

rBash

  • Well, I’m logged in as daniel and I’ve already found the user flag.
  • However, it’s odd: when I try to read the content of the file,
  • there is no output at all.

[image: daniel user in rbash (/posts/htb/guard/rbash.png)]

User Flag

  • I’m gonna try to bypass it using ed
  • The result:

[image: bypass rbash using ed (/posts/htb/guard/user.png)]

  • Finally, I can read the user.txt file.
  • That means we successfully bypassed rBash.

Privilege Escalation

Backup

  • Now, let’s start enumerating inside this box.

  • These are some of the commands I ran for manual enumeration.

  • Source

  • I try looking for backup files with the .bak extension

find / -iname '*.bak' -exec ls -l {} \; 2>/dev/null

[image: found backup files (/posts/htb/guard/bak.png)]

  • We’ve found a couple of backup files, but I can’t read them.
  • Let’s try another approach.

locate backup

[image: found /var/backups/shadow (/posts/htb/guard/not_bak.png)]

  • Well, I’ve found this.
  • Let’s try to read the /var/backups/shadow file
  • The result:

[image: get the root hash (/posts/htb/guard/hash.png)]

  • Nice. We’ve got hashes. Let’s try to crack them.
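The root cause here is a credential backup under /var/backups that a low-privileged user can read. As an added example (not part of the original writeup), the script below audits a directory tree for backup copies of credential files that are group- or world-readable, then restricts them to owner-only. It assumes GNU find/stat (Linux); the directory is a parameter so the constructed sample tree runs anywhere, and on a real host you would point it at /var/backups.

```shell
#!/bin/sh
# Added example, not from the original writeup. Audits a directory tree for
# backup copies of credential files readable by users other than the owner,
# which is exactly the weakness this box relies on (readable /var/backups/shadow).
# Assumes GNU find/stat. DIR is a parameter; on a real host use /var/backups.

# find_readable_backups DIR
# Lists files under DIR whose name suggests a credential backup (contains
# "shadow" or ends in .bak) and that carry a read bit for group (040) or
# other (004). Output lines are "<octal mode> <path>", sorted.
find_readable_backups() {
    find "$1" -type f \( -iname '*shadow*' -o -iname '*.bak' \) \
        \( -perm -040 -o -perm -004 \) \
        -exec stat -c '%a %n' {} \; 2>/dev/null | sort
}

# count_readable_backups DIR: number of offending files, handy for alerting.
count_readable_backups() {
    find_readable_backups "$1" | wc -l | tr -d ' '
}

# harden_backups DIR: restrict every offending file to owner-only (0600).
harden_backups() {
    find "$1" -type f \( -iname '*shadow*' -o -iname '*.bak' \) \
        \( -perm -040 -o -perm -004 \) -exec chmod 600 {} \; 2>/dev/null
}

# make_sample_tree BASE: constructed imitation of /var/backups after a careless
# backup job. The hash field is a placeholder, not a real credential.
make_sample_tree() {
    mkdir -p "$1/var/backups"
    printf 'root:$6$placeholder$nothash:18000:0:99999:7:::\n' > "$1/var/backups/shadow"
    chmod 644 "$1/var/backups/shadow"        # world-readable: the finding
    printf 'shadow:x:42:\n' > "$1/var/backups/group.bak"
    chmod 640 "$1/var/backups/group.bak"     # group-readable: also flagged
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/var/backups/passwd.bak"
    chmod 600 "$1/var/backups/passwd.bak"    # owner-only: not flagged
}

# Stand-alone run: build the sample, report, fix, report again.
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "Before hardening:"; find_readable_backups "$tmp"
    harden_backups "$tmp"
    echo "After hardening: $(count_readable_backups "$tmp") readable backups"
    rm -rf "$tmp"
fi
```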

HashCat

Description

Hashcat is a password recovery tool.
Examples of hashcat-supported hashing algorithms are LM hashes, MD4, MD5, SHA-family, and Unix Crypt formats as well as algorithms used in MySQL and Cisco PIX.

  • Now, I’m gonna copy and paste the root hash into a file called root
  • Here is the link to the hashcat example hashes
  • I’m gonna run this command, using rockyou.txt as the wordlist (mode 1800 is sha512crypt, the $6$ format found in the shadow backup)

hashcat -m 1800 root /opt/rockyou.txt

[image: crack root password (/posts/htb/guard/hcat.png)]

Note: I’ve already run it, which is why I’m using --show at the end.

Root

  • Let’s switch to the root user with the su command
  • When it prompts for the password, just enter the password we cracked earlier

[image: change user to root (/posts/htb/guard/root.png)]

Root Flag

  • Let’s get the final flag
  • Nice

[image: root flag (/posts/htb/guard/root-flag.png)]

Conclusion

I’ve learned a lot today: what rBash is and how to bypass it. The most important lesson is how you store your data and backups. If you don’t store them properly or don’t configure their permissions carefully, this kind of thing can happen. Once again, don’t reuse the same password.

I had a fun time doing this machine and I hope you guys do too. Bye ;)