Initial Foothold Hint
- Your initial nmap scan reveals an HTTP server and two SSH servers. You likely know that SSH is almost never the first way in, so focus on your web skills here.
- Do a thorough job of examining the web app: create an account, log in, and test the different input points.
- You'll see several potential attack paths; it's a process of elimination to find where to attack.
- The web server is running on Apache and PHP.
- What are common PHP wrappers? What kind of error do you get when you try them in different input points? What function name is returning the error about certain wrappers?
- Do some googling about certain PHP wrapper names, along with the file type the web server accepts, and the function that appears to be in use here.
Privilege Escalation Hint
- Once you get a reverse shell, hunt around for information in the environment.
- It's always a good idea to look at the files for the app you landed a shell on, and to look for easy wins with the information you already possess.
- There is a lot of information you can enumerate from your reverse shell that will reveal details about the environment and how to use them to your advantage for privilege escalation.
- Lateral to User 1 (Environment 1)
  - There is a particular folder that should grab your attention. If you've enumerated well enough to this point, you should understand the purpose of the files in this folder and how they relate to another service on the box.
- Lateral to User 2 (Environment 1)
  - There should be a file that catches your attention. If you've enumerated well enough up to this point, you should know the purpose of this file with regard to granting user access to another service on the box.
- Lateral to User 3 (Environment 2)
  - You may feel quite stuck here as you enumerate the environment post-exploit.
  - Try not to get flustered, and focus on who else has access to the box.
  - You really need to understand the authentication mechanism of the service you logged in on.
- Lateral to User 4 (Environment 2)
  - There should be a file that catches your attention that User 4 has privileged access to. Read the source carefully and understand the workflow.
  - This exploit really requires a keen eye and careful source review.
  - This is the final step to becoming root.
ℹ️ For more hints and assistance, come chat with me and the rest of your peers in the HackTheBox Discord server. Or, you can reach out to me at my other social links in the site footer or site menu.
Nmap Results

```
# Nmap 7.94SVN scan initiated Wed Aug 7 17:42:59 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.246.210
Nmap scan report for 10.129.246.210
Host is up (0.088s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
|   256 d5:4f:62:39:7b:d2:22:f0:a8:8a:d9:90:35:60:56:88 (ECDSA)
|_  256 fb:67:b0:60:52:f2:12:7e:6c:13:fb:75:f2:bb:1a:ca (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://itrc.ssg.htb/
2222/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 f2:a6:83:b9:90:6b:6c:54:32:22:ec:af:17:04:bd:16 (ECDSA)
|_  256 0c:c3:9c:10:f5:7f:d3:e4:a8:28:6a:51:ad:1a:e1:bf (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 7 17:43:42 2024 -- 1 IP address (1 host up) scanned in 43.35 seconds
```
💡 Don't miss the opportunity to find any useful information or breadcrumbs in the nmap output. We can see the HTTP redirect to http://itrc.ssg.htb on tcp/80, so add that to your /etc/hosts:

```shell
echo -e '10.129.246.210\t\titrc.ssg.htb' | sudo tee -a /etc/hosts
```
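The two steps above (spotting the redirect target in the scan output, then mapping it in the hosts file) can be scripted so that rescans don't leave duplicate entries behind. The following is an added example, not part of the original write-up: `redirect_hosts` pulls hostnames out of nmap's normal (`-oN`) output, and `add_hosts_entry` appends a line only if the name is not already mapped. The embedded sample input is a constructed excerpt shaped like the scan above; the function names and the `FILE IP` calling convention are this example's own.

```shell
#!/bin/sh
# Added example (not the original post's code): extract redirect hostnames from
# nmap -oN output and add them to a hosts file without creating duplicates.

# Constructed sample input in the shape of the scan output above.
SAMPLE_NMAP_OUTPUT='Nmap scan report for 10.129.246.210
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://itrc.ssg.htb/'

# redirect_hosts: read nmap -oN text on stdin and print one hostname per
# "Did not follow redirect to <url>" line, with scheme, port and path stripped.
redirect_hosts() {
  sed -n 's#.*Did not follow redirect to [a-zA-Z]*://\([^/:[:space:]]*\).*#\1#p' | sort -u
}

# add_hosts_entry FILE IP HOSTNAME: append "IP<TAB><TAB>HOSTNAME" unless HOSTNAME
# already appears as a name field on a non-comment line of FILE.
add_hosts_entry() {
  file="$1"; ip="$2"; name="$3"
  if grep -v '^[[:space:]]*#' "$file" 2>/dev/null | awk -v n="$name" '
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit !found }'; then
    return 0            # already mapped; leave the file untouched
  fi
  printf '%s\t\t%s\n' "$ip" "$name" >> "$file"
}

# scan_to_hosts FILE IP: run the sample scan output through both helpers.
# Point FILE at /etc/hosts (with appropriate privileges) for real use.
scan_to_hosts() {
  printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | redirect_hosts | while read -r h; do
    add_hosts_entry "$1" "$2" "$h"
  done
}
```

Running `scan_to_hosts` twice against the same file leaves exactly one `itrc.ssg.htb` line, which is the behaviour the plain `tee -a` one-liner lacks.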
⛔ This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.