HTB Walkthrough - Base
Tony Harkness
- 2 minutes read - 264 words
Information Gathering
Scanned all TCP ports:
# save target IP as local variable
export ip='10.129.105.155'
#initial scan
rustscan -a $ip -- -sVC --open -oN initial
# scan results
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f6:5c:9b:38:ec:a7:5c:79:1c:1f:18:1c:52:46:f7:0b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQmgId8Z5lyLG718jzJ9KoLYQPuaKh/Z1++me8L01noJeFuv5RPeqgtoJSeWKcimm7Cw7q3HDUZEHL2LncJIad5v04ma8xgiAG+xUmiO+ntkOff06rtsEx51XRWrbuN4gcTxDCPQQyTJKnTAfleagTbtoWtPNvi82SzaaPyU88nhcn/72USczCeiVfRvawQCcAIHKqUnJzTGlSHAwd6Fj+4sq4CTw0MCrZSTG9JCQmyUVbCFJaF/AtQ0PDOQ/fVhZH8E7E+faAlJKWTYr2sIfQZmC7enT2W82zzWL/JRiQXgAzsI8B6JTJOl3gbmy3+rLY9H+1qztceYKaA8wjFT/5
| 256 65:0c:f7:db:42:03:46:07:f2:12:89:fe:11:20:2c:53 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA3Z4xQdzt1Zxsy5gdOFTrv3k9HtD0UppMhGWFIFWnHZgWAdONjTRzD/ZeiyGeDUgYWGGpQOzl74HXesdUhr+h0=
| 256 b8:65:cd:3f:34:d8:02:6a:e3:18:23:3e:77:dd:87:40 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINbQMzI8ONrv2TFdy0S8PtObPfizkmQ+217qx1pejwce
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome to Base
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Steps 2 Pwn
- Enumerated port 80 and found directories and files of interest, including a /login/login.php page and a login.php.swp Vim swap file, which contained the login page's source code.
- With the login page source code in hand, I found it was checking credentials with strcmp() under loose comparison (== 0). This allows an auth bypass by submitting the username and password as arrays (username[]=x&password[]=y): on PHP 7, strcmp() given an array emits a warning and returns NULL, and NULL == 0 is true, so both checks pass without knowing the real credentials.
- Once logged in, I uploaded a PHP reverse shell.
- With initial access as www-data, I began enumeration and found the user john. I ran linpeas and found a password in /var/www/html/login/config.php.
- This password gave us access as john; retrieved the user flag.
- Ran sudo -l and found that john can run find as sudo.
- Used GTFOBins on how to abuse sudo permissions on find, and got root.
- Retrieved the root flag.
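The strcmp() bypass described above, as an added example that is not the box's own login.php: a hypothetical check written in the vulnerable style next to a hardened one, fed the same three inputs. The credentials, field names and the shape of the bypass request are assumptions; the walkthrough does not reproduce the real source.

```php
<?php
// Added example, not the box's login.php: a check in the vulnerable style the
// walkthrough describes, the array trick that defeats it, and a hardened version.
// Run with the PHP CLI: php strcmp_bypass.php

// Hypothetical credentials standing in for whatever config.php defines.
$username = 'admin';
$password = 'hypothetical-secret';

// Vulnerable: strcmp() result loosely compared to 0.
function vulnerableLogin(array $post, string $username, string $password): bool
{
    try {
        // PHP 7: strcmp(array, string) emits a warning (silenced here with @)
        // and returns NULL; NULL == 0 is true, so the comparison passes
        // without the attacker knowing either value.
        return @strcmp($post['username'] ?? '', $username) == 0
            && @strcmp($post['password'] ?? '', $password) == 0;
    } catch (TypeError $e) {
        // PHP 8 throws a TypeError for non-string arguments instead,
        // which is why this bypass only works on older PHP.
        return false;
    }
}

// Hardened: insist on strings, then compare strictly and in constant time.
function hardenedLogin(array $post, string $username, string $password): bool
{
    $u = $post['username'] ?? null;
    $p = $post['password'] ?? null;
    if (!is_string($u) || !is_string($p)) {
        return false;
    }
    return hash_equals($username, $u) && hash_equals($password, $p);
}

// Constructed inputs. PHP builds $_POST['x'] as an array when the request body
// contains x[]=..., so $arrayBypass is what username[]=a&password[]=b yields.
$wrongGuess  = ['username' => 'admin',   'password' => 'guess'];
$arrayBypass = ['username' => ['a'],     'password' => ['b']];
$validLogin  = ['username' => $username, 'password' => $password];

$cases = ['wrongGuess' => $wrongGuess, 'arrayBypass' => $arrayBypass, 'validLogin' => $validLogin];
foreach ($cases as $name => $post) {
    printf("%-12s vulnerable=%-5s hardened=%s\n",
        $name,
        var_export(vulnerableLogin($post, $username, $password), true),
        var_export(hardenedLogin($post, $username, $password), true));
}
```

On a PHP 7 interpreter the arrayBypass row is the one to watch: the vulnerable check accepts it while the hardened check rejects it, and only the genuine credentials pass both. The is_string() guard is what closes the hole; hash_equals() additionally avoids the timing leak of a plain strcmp() and refuses non-string arguments itself. Storing the credentials in cleartext in config.php, as the walkthrough later found, is a separate weakness the comparison fix does not address.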
Improved skills
- Abusing PHP’s strcmp()
Used tools
- rustscan
- dirsearch
- burpsuite
Trophy
User.txt
f54846c258f3b4612f78a819573d158e
Root.txt
51709519ea18ab37dd6fc58096bea949