It starts with an image metadata service where I’ll exploit a CVE in exfiltool to get code execution. Hackthebox ctf htb-meta nmap wfuzz vhosts wfuzz feroxbuster exiftool composer cve-2021-22204 command-injection pspy mogrify cve-2020-29599 polyglot hackvent imagemagick imagemagick-scripting-language neofetch gtfobins source-code In Beyond Root, I’ll look at a later CVE in Polkit, Pwnkit, and show why Paper wasn’t vulnerable, make it vulnerable, and exploit it. To escalate from there, I’ll exploit a 2021 CVE in PolKit.
I’ll exploit a directory traversal to read outside the current directory, and find a password that can be used to access the system. Inside the chat, there’s a bot that can read files. In a draft post, I’ll find the URL to register accounts on a Rocket Chat instance. There’s a WordPress vulnerability that allows reading draft posts. Paper is a fun easy-rated box themed off characters from the TV show “The Office”.
Hackthebox ctf htb-paper nmap feroxbuster wfuzz vhost wordpress wpscan rocket-chat cve-2019-17671 directory-traversal password-reuse credentials crackmapexec linpeas cve-2021-3156 cve-2021-4034 pwnkit cve-2021-3650 I’ll dump the script out (several ways), and then use the injection to get a shell as root. The next pivot is wildcard injection in a complied shell script. The first pivot involves password reuse and understanding the pam 2FA setup isn’t enabled on one interface. From there, I’ll abuse another plugin to upload a webshell and get a shell on the box. I’ll reverse enginner that plugin to figure out what I need from the DB, and get the seed to generate the token. I’ll get usernames and password hashes, but that leaves me at a two factors prompt. Still, very slow blind SQL injection shows the value in learning to pull out only the bits you need from the DB. This injection is quite slow, and I think leads to the poor reception for this box overall. Phoenix starts off with a WordPress site using a plugin with a blind SQL injection. Hackthebox htb-phoenix ctf htb-pressed htb-static nmap wordpress wpscan wp-pie-register wp-asgaros-forum sqli injection time-based-sqli sqlmap hashcat 2fa wp-miniorange totp youtube source-code crypto cyberchef oathtool wp-download-from-files webshell upload pam sch unsch pspy proc wildcard Reversing that provides a password I can use to get a root shell. Further enumeration finds a malicious Apache module responsbile for downloading and installing a backdoored sshd binary. From there, I’ll find a kernel exploit left behind by the previous attacker, and while it no longer works, the payload shows how it modified the passwd and shadow files to add backdoored users with static passwords, and those users are still present. I’ll exploit a misconfigured PHP package to get execution on the host. Undetected follows the path of an attacker against a partially disabled website. Hackthebox htb-undetected ctf nmap feroxbuster php wfuzz vhost composer phpunit cve-2017-9841 webshell reverse-engineering ghidra awk backdoor hashcat apache-mod sshd For root, I’ll exploit the Baron Samedit vulnerability in sudo that came our in early 2021.
I’ll use a system-wide proxy on the virtualized Android device to route traffic through Burp, identifying the API endpoint and finding a command injection. Unfortunately, it was a bit tricky to get setup and working. RouterSpace was all about dynamic analysis of an Android application.
Hackthebox htb-routerspace ctf nmap ubuntu android apk feroxbuster apktool reverse-engineering android-react-native react-native genymotion burp android-burp command-injection linpeas pwnkit cve-2021-4034 polkit cve-2021-3560 cve-2021-22555 baron-samedit cve2021-3156 htb-paper
There’s two hosts to pivot between, limited PowerShell configurations, and lots of enumeration. Rather, it’s just about manuverting from user to user using shared creds and privilieges available to make the next step. Hackthebox ctf htb-acute nmap feroxbuster powershell-web-access exiftool meterpreter metasploit msfvenom defender defender-bypass-directory screenshare credentials powershell-runas powershell-configurationĪcute is a really nice Windows machine because there’s nothing super complex about the attack paths.