HackTheBox | Sea

In this walkthrough, I demonstrate how I obtained complete ownership of Sea on HackTheBox.

Initial Foothold Hint

  • The initial nmap scan reveals that only SSH and HTTP are open on the box. You likely already know that SSH is never the first way in, so bring your best web skills for the initial foothold.
  • When you find the web form, look at all the form field names
    • One field should be particularly interesting to you
    • Before you go too crazy, just test a simple proof-of-concept (POC) with the form, see what happens
    • What kind of exploits might you expect to find when you have "someone" clicking on your links?
  • You might be wondering what web application is running this page
    • There are clever ways to enumerate it. Look at the page source and see if you can find any file names on Google or GitHub.
    • There is a CVE and public exploit for this version, but you may need to adjust your target URL, since I found a little bit of a bug in the way the exploit parses the target URL
    • Also, if you're not getting any hits on your exploit, consider that the service might prefer hostnames over IP addresses (be patient as well, as there's a little delay with the exploit)

Privilege Escalation Hint

  • As always, have a solid post-exploit enumeration methodology
    • It's always a good idea to go back and look at configuration files, logs, and databases for the service where you established your foothold
  • Lateral to User 1
    • Always look for easy wins with the information you already possess
  • Becoming Root
    • What services might be running internally?
    • Look carefully at all the interactive / input points of the service and consider what the server might be doing locally with certain inputs you provide
ℹ️ For more hints and assistance, come chat with me and the rest of your peers in the HackTheBox Discord server. Or, you can reach out to me at my other social links in the site footer or site menu.


Nmap Results

# Nmap 7.94SVN scan initiated Wed Aug 14 14:51:12 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.192.248
Nmap scan report for 10.129.192.248
Host is up (0.091s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
|   256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_  256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 14 14:51:51 2024 -- 1 IP address (1 host up) scanned in 38.24 seconds
ℹ️ No particular breadcrumbs in the nmap output that would reveal any hostnames or anything special about the app other than the web server in use.
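As an added example (not part of the original write-up), here is a small Python parser for the Nmap normal-output (-oN) format shown above. It runs over a constructed, trimmed copy of the scan embedded in the script, pulls out each open port with its version string and NSE script output, and turns the http-cookie-flags result (PHPSESSID missing the HttpOnly flag) into a structured finding that can be tracked alongside the rest of the enumeration notes.

```python
import re

# Constructed sample: a trimmed copy of the Nmap -oN report shown above,
# embedded so the parser runs offline.
SAMPLE_NMAP = """\
# Nmap 7.94SVN scan initiated Wed Aug 14 14:51:12 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.192.248
Nmap scan report for 10.129.192.248
Host is up (0.091s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
|_  256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "22/tcp open  ssh     OpenSSH 8.2p1 ..." -> port, proto, state, service, version text
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script header: "| name: value" or "|_name: value". Continuation lines are
# indented by two or more spaces after the bar, so they deliberately do not match.
SCRIPT_RE = re.compile(r"^\|_? ?([A-Za-z0-9_-]+):\s*(.*)$")
# Leading "|" or "|_" plus indentation on a continuation line
CONT_RE = re.compile(r"^\|_?\s*")


def parse_nmap_normal(text):
    """Parse Nmap -oN output into a list of port records with their NSE script output."""
    ports = []
    current = None       # port record currently being filled
    script_lines = None  # list receiving continuation lines of the current script
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},  # script name -> list of output lines
            }
            ports.append(current)
            script_lines = None
            continue
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            script_lines = current["scripts"].setdefault(name, [])
            if value:
                script_lines.append(value)
        elif script_lines is not None:
            script_lines.append(CONT_RE.sub("", line).strip())
    return ports


def open_ports(ports):
    """Summarise open ports as (port, service, version) tuples."""
    return [(p["port"], p["service"], p["version"]) for p in ports if p["state"] == "open"]


def cookie_flag_findings(ports):
    """Turn http-cookie-flags output into (port, path, cookie, problem) findings.

    The script prints a path line ("/:"), then a cookie name line ("PHPSESSID:"),
    then one line per missing attribute, e.g. "httponly flag not set".
    """
    findings = []
    for p in ports:
        path = cookie = None
        for entry in p["scripts"].get("http-cookie-flags", []):
            if entry.endswith(":"):
                name = entry[:-1]
                if name.startswith("/"):
                    path = name
                else:
                    cookie = name
            elif cookie is not None:
                findings.append((p["port"], path, cookie, entry))
    return findings


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_NMAP)
    for port, service, version in open_ports(parsed):
        print(f"{port}/tcp {service}: {version}")
    for port, path, cookie, problem in cookie_flag_findings(parsed):
        print(f"[cookie] port {port} path {path} cookie {cookie}: {problem}")
```

Point the script at a real nmap-scan.txt by replacing SAMPLE_NMAP with the file contents; the missing HttpOnly flag on the PHP session cookie is the kind of finding that matters once the hint about "someone clicking on your links" is in play, and is fixed on the server side by setting session.cookie_httponly in the PHP configuration.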

I'm going to go ahead and add an /etc/hosts entry for convenience.
echo -e '10.129.192.248\t\tsea.htb' | sudo tee -a /etc/hosts

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.

0xBEN