HackTheBox | Resource

In this walkthrough, I demonstrate how I obtained complete ownership of Resource on HackTheBox.

Initial Foothold Hint

  • Your initial nmap scan reveals an HTTP server and two SSH servers. You likely know that SSH is almost never the first way in, so focus on your web skills here.
  • Do a thorough job of examining the web app: create an account, log in, and test different input points.
    • You'll see several potential attack paths; finding where to attack is just a process of elimination
    • The web server is running on Apache and PHP
      • What are common PHP wrappers? What kind of error do you get when you try them in different input points? What function name is returning the error about certain wrappers?
      • Do some googling about certain PHP wrapper names, along with the file type the web server accepts, and the function that appears to be in use here

Privilege Escalation Hint

  • Once you get a reverse shell, hunt around for information in the environment
    • It's always a good idea to look at files for the app you landed a shell on, and to look for easy wins with the information you already possess
    • There is a lot of information that you can enumerate in your reverse shell that will reveal details about the environment and how you can use this to your advantage with privilege escalation
  • Lateral to User 1 (Environment 1)
    • There is a particular folder that should grab your attention. If you enumerated well enough to this point, you should understand the purpose of the files in this folder and how they relate to another service on the box
  • Lateral to User 2 (Environment 1)
    • There should be a file that catches your attention. If you've enumerated well enough up to this point, you should know what the purpose of this file is with regard to granting user access to another service on the box
  • Lateral to User 3 (Environment 2)
    • You may feel quite stuck here, as you enumerate the environment post-exploit
    • Try not to get flustered and focus on who else has access to the box
    • You really need to understand the authentication mechanism of the service you logged in on
  • Lateral to User 4 (Environment 2)
    • There should be a file that catches your attention that User 4 has privileged access to. Read the source carefully and understand the workflow.
    • This exploit really requires a keen eye and careful source review
    • This is the last and final step to becoming root
ℹ️
For more hints and assistance, come chat with me and the rest of your peers in the HackTheBox Discord server. Or, you can reach out to me at my other social links in the site footer or site menu.

Owned Resource from Hack The Box!
I have just owned machine Resource from Hack The Box

Nmap Results

# Nmap 7.94SVN scan initiated Wed Aug  7 17:42:59 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.246.210
Nmap scan report for 10.129.246.210
Host is up (0.088s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 d5:4f:62:39:7b:d2:22:f0:a8:8a:d9:90:35:60:56:88 (ECDSA)
|_  256 fb:67:b0:60:52:f2:12:7e:6c:13:fb:75:f2:bb:1a:ca (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://itrc.ssg.htb/
2222/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 f2:a6:83:b9:90:6b:6c:54:32:22:ec:af:17:04:bd:16 (ECDSA)
|_  256 0c:c3:9c:10:f5:7f:d3:e4:a8:28:6a:51:ad:1a:e1:bf (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug  7 17:43:42 2024 -- 1 IP address (1 host up) scanned in 43.35 seconds
💡
Don't miss the opportunity to find any useful information or breadcrumbs in the nmap output. We can see the HTTP redirect to http://itrc.ssg.htb on tcp/80, so add that to your /etc/hosts.
echo -e '10.129.246.210\t\titrc.ssg.htb' | sudo tee -a /etc/hosts
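
The same step can be scripted when a scan reports several redirects. This is an added example, not part of the original walkthrough; the function names redirect_hosts, add_hosts and sample_scan are hypothetical, and the sample input is an excerpt of the scan output above.

```shell
#!/usr/bin/env bash
# Added example: derive /etc/hosts entries from http-title redirects in nmap -oN output.
# The redirect target is chosen by the scanned server, so validate it before
# writing anything to a root-owned file.

# Excerpt of the scan output shown above, embedded so the script runs offline.
sample_scan() {
  cat <<'EOF'
Nmap scan report for 10.129.246.210
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://itrc.ssg.htb/
EOF
}

# redirect_hosts: nmap normal output on stdin -> "IP<TAB>hostname" lines on stdout.
redirect_hosts() {
  awk '
    /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip) }
    $0 ~ "Did not follow redirect to https?://" {
      name = $NF
      sub("^https?://", "", name)   # drop the scheme
      sub("[/:].*$", "", name)      # drop port and path
      # accept only plain IP and hostname characters
      if (ip ~ /^[0-9A-Fa-f:.]+$/ && name ~ /^[A-Za-z0-9.-]+$/ && !seen[ip, name]++)
        printf "%s\t%s\n", ip, name
    }'
}

# add_hosts FILE: append entries from stdin to FILE, skipping names already mapped.
add_hosts() {
  hosts_file=$1
  while IFS="$(printf '\t')" read -r ip name; do
    if awk -v n="$name" '!/^[ \t]*#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                         END { exit !found }' "$hosts_file"; then
      continue   # already present, keep the file unchanged
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$hosts_file"
  done
}

# Print the entry derived from the sample; pipe into add_hosts to apply it.
sample_scan | redirect_hosts
```

Running add_hosts against a copy of the hosts file first shows exactly what would be appended before anything is written with sudo.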

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.

0xBEN