Initial Foothold Hint
- You likely know that SSH is never the first way in, so focus on the web app skills here
- Having worked on the Blazorized box gave me a really great starting point for this target, as I gained some familiarity with analyzing WebAssembly applications
- If you're having difficulty finding a way in, consider the following:
  - ✅ You've probably tested the resume file upload
  - ✅ You've probably found the login form on tcp/3000
  - ❔ Have you done a thorough analysis of the underlying tech stack on tcp/80 and tcp/3000? Hint: Look at the Server headers and see if you can find the CVE
- If you've found the CVE, you should be able to enumerate more information from the target, download some source files, and analyze them further in a debugger
- Once you have access to the main admin panel, there are a couple of bugs you can exploit, though only one of them will lead to code execution
- Remember that the server is running WebAssembly — Blazor specifically — and executes compiled code
- Play around with different input fields and see if you can spot the error that might tell you where to place your file to get code execution
Privilege Escalation Hint
- Thoroughly enumerate your permissions on the system. It should be clear that you have access to run a particular program on the box
- Figure out how you can use this program to monitor activity on the target and output this to a log file
- What kind of file is the log file? Is the program you need to read this file installed on the box?
- There's a specific column in the table that will reveal more about the system activity, but you need to format it in such a way that you can parse the data and filter out unprintable characters.
Nmap Results
# Nmap 7.94SVN scan initiated Tue Aug 20 10:50:56 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.177.163
Nmap scan report for 10.129.177.163
Host is up (0.089s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80:c9:47:d5:89:f8:50:83:02:5e:fe:53:30:ac:2d:0e (ECDSA)
|_ 256 d4:22:cf:fe:b1:00:cb:eb:6d:dc:b2:b4:64:6b:9d:89 (ED25519)
80/tcp open http Skipper Proxy
|_http-title: Did not follow redirect to http://lantern.htb/
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Content-Length: 207
| Content-Type: text/html; charset=utf-8
| Date: Tue, 20 Aug 2024 14:51:41 GMT
| Server: Skipper Proxy
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Length: 225
| Content-Type: text/html; charset=utf-8
| Date: Tue, 20 Aug 2024 14:51:36 GMT
| Location: http://lantern.htb/
| Server: Skipper Proxy
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://lantern.htb/">http://lantern.htb/</a>. If not, click the link.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS, HEAD
| Content-Length: 0
| Content-Type: text/html; charset=utf-8
| Date: Tue, 20 Aug 2024 14:51:36 GMT
|_ Server: Skipper Proxy
|_http-server-header: Skipper Proxy
3000/tcp open ppp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 500 Internal Server Error
| Connection: close
| Content-Type: text/plain; charset=utf-8
| Date: Tue, 20 Aug 2024 14:51:40 GMT
| Server: Kestrel
| System.UriFormatException: Invalid URI: The hostname could not be parsed.
| System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions)
| System.Uri..ctor(String uriString, UriKind uriKind)
| Microsoft.AspNetCore.Components.NavigationManager.set_BaseUri(String value)
| Microsoft.AspNetCore.Components.NavigationManager.Initialize(String baseUri, String uri)
| Microsoft.AspNetCore.Components.Server.Circuits.RemoteNavigationManager.Initialize(String baseUri, String uri)
| Microsoft.AspNetCore.Mvc.ViewFeatures.StaticComponentRenderer.<InitializeStandardComponentServicesAsync>g__InitializeCore|5_0(HttpContext httpContext)
| Microsoft.AspNetCore.Mvc.ViewFeatures.StaticC
| HTTPOptions:
| HTTP/1.1 200 OK
| Content-Length: 0
| Connection: close
| Date: Tue, 20 Aug 2024 14:51:45 GMT
| Server: Kestrel
| Help:
| HTTP/1.1 400 Bad Request
| Content-Length: 0
| Connection: close
| Date: Tue, 20 Aug 2024 14:51:40 GMT
| Server: Kestrel
| RTSPRequest:
| HTTP/1.1 505 HTTP Version Not Supported
| Content-Length: 0
| Connection: close
| Date: Tue, 20 Aug 2024 14:51:46 GMT
| Server: Kestrel
| SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Length: 0
| Connection: close
| Date: Tue, 20 Aug 2024 14:52:01 GMT
|_ Server: Kestrel
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug 20 10:53:11 2024 -- 1 IP address (1 host up) scanned in 134.64 seconds
💡 Don't miss an opportunity to find some breadcrumbs in the nmap output. We can see the HTTP redirect to http://lantern.htb in the tcp/80 output, so let's go ahead and get that added to the /etc/hosts file.
echo -e '10.129.177.163\t\tlantern.htb' | sudo tee -a /etc/hosts
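The breadcrumb hunt described above, as an added example that is not part of the original write-up: it pulls the per-port Server headers and the redirect hostname out of the nmap -oN report, and adds the hosts entry only if it is missing (a repeated echo | tee -a appends a duplicate line on every run). The function names are hypothetical and the sample lines are constructed, abridged from the scan output above.

```bash
#!/usr/bin/env bash
# Added example: mine an `nmap -oN` report for Server headers and redirect hosts.

# Constructed sample: lines abridged from the scan output shown above.
sample_scan() {
cat <<'EOF'
Nmap scan report for 10.129.177.163
80/tcp open http Skipper Proxy
|_http-title: Did not follow redirect to http://lantern.htb/
| Location: http://lantern.htb/
| Server: Skipper Proxy
3000/tcp open ppp?
| Server: Kestrel
|_ Server: Kestrel
EOF
}

# First scanned address; handles both "for IP" and "for name (IP)".
target_ip() {
  awk '/^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip); print ip; exit }' "$@"
}

# "port<TAB>server" once per distinct pair, from fingerprint-strings lines.
server_headers() {
  awk '
    /^[0-9]+\/tcp/ { split($1, p, "/"); port = p[1]; next }
    /^[|]_? +Server: / {
      sub(/^[|]_? +Server: /, "")
      if (!seen[port SUBSEP $0]++) printf "%s\t%s\n", port, $0
    }' "$@"
}

# Unique hostnames the services redirect to (Location header or http-title).
redirect_hosts() {
  sed -n -E 's#^[|]_?.*(Location:|redirect to) https?://([^/: ]+).*#\2#p' "$@" | sort -u
}

# usage: add_host IP HOST HOSTS_FILE  (HOSTS_FILE is a parameter so this can
# be tried on a scratch file; it appends only if HOST is not already mapped)
add_host() {
  awk -v h="$2" '!/^[ \t]*#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
    END { exit !found }' "$3" 2>/dev/null && return 0
  printf '%s\t%s\n' "$1" "$2" >> "$3"
}

# With a report path as argument, print what was found.
if [ "$#" -gt 0 ]; then
  target_ip "$1"; server_headers "$1"; redirect_hosts "$1"
fi
```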
⛔
This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.