HackTheBox | Editorial

In this walkthrough, I demonstrate how I obtained complete ownership of Editorial on HackTheBox.

Initial Foothold Hint

  • There are only two ports open on the target — HTTP and SSH. You likely know that SSH is almost never the first way in, so you're going to need to lean on your web app skills.
  • When you land on the web page, click around. You should find a form on one of the pages. One of the fields of the form should particularly stand out to you.
    • What kinds of vulnerabilities might be present on the target that accepts input of this specific variety?
    • If you're having difficulty...
      • You may notice the server responds in two distinct ways depending on what you've asked for
      • Don't limit yourself just to files. Could there be an alternate web server that you can read from?

Privilege Escalation Hint

  • You need to pivot to one of the other system users before you can become root
    • To do this, you really only need a solid post-exploit enumeration methodology — enumerating usernames, internal ports, interesting files and directories, cron jobs, processes, etc.
    • You should be able to find an interesting directory owned by your current user. You could use a specific tool or default binaries on the operating system to grep through the directory and find some information for your next move.
  • Once you pivot to the next user, again, simple post-exploit methodology should lead you to a specific privilege this user has
    • Look carefully at the specific privileged program path. You should find a specific CVE regarding the contents of a specific file (Google keywords from the file contents).

Nmap Results

# Nmap 7.94SVN scan initiated Tue Jun 18 11:01:56 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.105.5
Nmap scan report for 10.129.105.5
Host is up (0.017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
|_  256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 18 11:02:12 2024 -- 1 IP address (1 host up) scanned in 16.16 seconds

Note the redirect to http://editorial.htb in the tcp/80 output. Let's go ahead and get that added to our /etc/hosts file.

echo -e '10.129.105.5\teditorial.htb' | sudo tee -a /etc/hosts

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.

0xBEN