Decrypt LOL
River Machine Walkthrough on Attack The Box Platform


Quick take - The article is a detailed walkthrough of the River machine on the Attack The Box platform, aimed at junior penetration testers. It covers each stage of the engagement (scanning, exploitation, and privilege escalation) and ends with access to the target machine and retrieval of both flags.

Fast Facts

  • The River machine on the Attack The Box platform is designed for junior penetration testers and focuses on enhancing penetration testing skills through a structured walkthrough.
  • Key stages covered include Scanning, Directory Enumeration, Exploitation, Port Forwarding, and Privilege Escalation, starting with an Nmap scan to identify services on the target machine.
  • Gitea, a web interface for Git management, is the focal point: after examining the avatar upload feature (which accepts only image file extensions) and enumerating public repositories and usernames, the author gains access to an account with admin privileges.
  • The author successfully exploits the Hooks RCE vulnerability in Gitea using Metasploit, gaining access to the target machine and discovering a listening port for Webmin.
  • By logging into Webmin with Gitea credentials, the author achieves root access, retrieving both root.txt and user.txt flags, concluding the penetration testing exercise.

The River Machine Walkthrough on Attack The Box

Overview

The River machine on the Attack The Box platform is categorized as having an easy difficulty level. It is aimed primarily at junior penetration testers, security professionals, and enthusiasts. The walkthrough is designed to enhance skills in penetration testing, detailing various stages of the process, including Scanning, Directory Enumeration, Exploitation, Port Forwarding, and Privilege Escalation.

Scanning and Initial Exploration

The content begins with the scanning phase. An Nmap scan is employed to identify services running on the target machine. The results of the scan indicate the presence of SSH on port 22, a web server on port 80, and Gitea on port 3000. Gitea is a web interface for managing Git repositories and development tools, becoming a focal point for further exploration.

The author attempts to create an account on Gitea and investigates user settings for potential vulnerabilities. An upload feature in Gitea’s avatar update section is identified, but it is limited to accepting only image file extensions. To uncover more information, the author conducts web content discovery using Gobuster with a specific wordlist. During this exploration, the /explorer/repos page is accessed, revealing a list of public repositories and usernames.

Gaining Access and Exploitation

The author successfully logs in as the user “askira” by guessing the password. This account possesses admin privileges, facilitating further investigation for vulnerabilities. The walkthrough then checks the installed Gitea version, 1.12.5, for known vulnerabilities. The author uses Metasploit to exploit the Hooks RCE vulnerability present in that Gitea version, resulting in access to the target machine.
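The first two stages above are, from a defender's side, an inventory-and-patch problem: a scan shows which services a host exposes, and the version banner of one of them (Gitea 1.12.5) is enough to tell that it is exploitable. The script below is an added example, not code from the walkthrough or from Decrypt; it parses Nmap XML output (`nmap -sV -oX`) and flags open ports outside an assumed exposure allowlist and products whose version is at or below a known-exploitable release. The XML document, the `Gitea httpd` product string and the allowlist are constructed for the example, and the only version ceiling is the 1.12.5 the page reports; the actual patched release is not on the page and is left for the operator to configure.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed Nmap XML, mirroring what the walkthrough reports: SSH on 22,
# a web server on 80 and Gitea on 3000. Product strings are invented.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.38"/>
      </port>
      <port protocol="tcp" portid="3000">
        <state state="open"/>
        <service name="http" product="Gitea httpd" version="1.12.5"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str
    product: str
    version: str


def parse_nmap_xml(xml_text):
    """Return one Service per open port found in an Nmap XML report."""
    services = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            get = (lambda k: (svc.get(k) or "")) if svc is not None else (lambda k: "")
            services.append(Service(host=addr, port=int(port.get("portid")),
                                    name=get("name"), product=get("product"),
                                    version=get("version")))
    return services


def version_tuple(v):
    """Turn '1.12.5' or '7.9p1' into a comparable tuple of leading integers."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Assumed policy. ALLOWED_PORTS: what may be reachable from the scanner's
# vantage point. KNOWN_BAD: highest version known to be exploitable per
# product; 1.12.5 is the version the walkthrough shows being exploited.
ALLOWED_PORTS = {22, 80}
KNOWN_BAD = {"Gitea": (1, 12, 5)}


def audit(services, allowed_ports=ALLOWED_PORTS, known_bad=KNOWN_BAD):
    """Return human-readable findings for exposed or outdated services."""
    findings = []
    for s in services:
        if s.port not in allowed_ports:
            findings.append(f"{s.host}:{s.port} {s.product or s.name} "
                            f"exposed outside allowlist")
        for product, ceiling in known_bad.items():
            if (product.lower() in s.product.lower() and s.version
                    and version_tuple(s.version) <= ceiling):
                ceil_str = ".".join(str(x) for x in ceiling)
                findings.append(f"{s.host}:{s.port} {product} {s.version} "
                                f"is at or below known-exploitable {ceil_str}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(line)
```

Run against the constructed report it emits two findings: port 3000 is not on the allowlist, and the Gitea banner is at the exploited version. Either would have been a cheaper fix than the privilege escalation that follows in the walkthrough.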

Following this, the author checks user status and system configuration, but the sudo command returns no output. Further checks of SUID binaries and running cron jobs yield no useful clues. During this exploration, a listening port on 10000 is discovered, running a web service. The author forwards this port to their Kali Linux machine using Chisel, a TCP/UDP tunneling tool.

Privilege Escalation and Conclusion

After uploading Chisel to the target machine, the author makes it executable, then runs Chisel in server mode on Kali Linux and in client mode on the target machine. Accessing the forwarded service at https://localhost:10000/ reveals that it is Webmin. The author attempts to log in to Webmin with the same credentials used for Gitea and succeeds, revealing that the Webmin admin user is root.

This privileged access allows the author to retrieve both the root.txt and user.txt flags, marking a significant accomplishment in the penetration testing exercise. The article concludes with a note of appreciation for readers, encouraging them to apply the skills learned in this walkthrough to enhance their penetration testing capabilities.

Original Source: Read the Full Article Here