Walkthrough of Hack The Box Capture The Flag Challenge
Quick take - The article provides a comprehensive walkthrough of a Hack The Box challenge, detailing the steps taken to capture flags in a Capture The Flag competition, including various scanning techniques, the discovery of vulnerabilities in a web-based file manager, and the successful exploitation of these vulnerabilities to gain access and retrieve flags.
Fast Facts
- The article details a Hack The Box (HTB) challenge, starting with an nmap scan of port 80 and adding the domain “soccer.htb” to the /etc/hosts file for access.
- After conducting various scans (Wappalyzer, gobuster), the author discovers a web-based file manager, Tiny File Manager, and identifies an exploit for remote code execution (RCE).
- The author successfully uploads a PHP reverse shell, gaining access as the user “www-data” and later discovers the flag owner is “player.”
- A custom node.js solution is created to facilitate SQL injection via WebSocket, leading to the discovery of a password that allows SSH access to find the first flag.
- The exploration reveals potential vulnerabilities in the D-Bus service and a Polkit vulnerability for privilege escalation, highlighting ongoing learning in cybersecurity.
A Detailed Walkthrough of a Hack The Box Challenge
A detailed walkthrough of a Hack The Box (HTB) challenge has been documented, focusing on the intricate process of capturing flags within a Capture The Flag (CTF) competition. The author references a previous article on Secjuice, where ChatGPT was utilized to capture the first flag of the CTF, setting the stage for the current exploration.
Initial Scans and Discoveries
The initial phase of the challenge begins with an nmap scan, targeting port 80 as the primary access point for the challenge environment. To facilitate access, the domain “soccer.htb” is added to the /etc/hosts file. Despite the popularity of football in the author’s homeland, they express a personal disinterest in the sport, which serves as a backdrop to the technical details that follow.
Following the nmap scan, a Wappalyzer scan is conducted but reveals no significant findings. A gobuster scan is then performed to search for hidden routes, which, unfortunately, also yields no interesting results. The author proceeds to use wfuzz to explore subdomains, initially uncovering limited information. However, a more extensive dictionary search leads to the discovery of a web-based file manager called Tiny File Manager, which is written in PHP.
Exploiting Tiny File Manager
Investigating further, the author searches for exploits related to Tiny File Manager, noting that many require user credentials. They manage to find default administrator credentials, though these are likely outdated. An exploit for Tiny File Manager version 2.4.6 is identified, which permits remote code execution (RCE). The author encounters challenges with the downloaded exploit file but resolves them using the dos2unix command and other adjustments.
Additionally, a GitHub repository is located, containing an exploit for a path traversal vulnerability in Tiny File Manager. The author faces difficulties with the exploit, particularly regarding URL formatting and HTTP redirects. After several attempts, they successfully upload a PHP reverse shell, gaining access as the user running the portal instance, identified as www-data.
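The path traversal weakness mentioned above is the class of bug a file manager avoids by resolving every user-supplied path and checking that the result still lies under the upload root. The following is an added example in Python, not Tiny File Manager's code and not taken from the article; the upload root is a temporary directory created for the example, and the sample paths are constructed.

```python
"""Reject path traversal in user-supplied file names before touching the filesystem.

Added example (not Tiny File Manager's code): the check a file manager should
perform on a user-controlled relative path so that requests such as
"../../etc/passwd" or an absolute path cannot escape the upload root.
"""
import os
import tempfile

# Assumed upload root for this example: a temp directory, so the script runs
# offline without touching anything real.
UPLOAD_ROOT = tempfile.mkdtemp(prefix="tfm_example_")


def resolve_under_root(root, user_path):
    """Return the absolute path for user_path inside root, or None if it escapes.

    Resolves symlinks and '..' with realpath, then verifies the result still
    lies under root using commonpath (a plain startswith check is fooled by
    sibling directories such as /var/www-evil when root is /var/www).
    The caller is expected to have URL-decoded user_path already.
    """
    if "\0" in user_path:
        return None  # NUL bytes have no business in a file name
    root_real = os.path.realpath(root)
    try:
        # os.path.join discards root when user_path is absolute, which is why
        # the commonpath check below is the real guard, not the join.
        candidate = os.path.realpath(os.path.join(root_real, user_path))
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:
        # Different drives on Windows, or other unjoinable inputs.
        return None
    return candidate


def classify_request(user_path):
    """Label a requested path 'ok' or 'rejected', as a request log would record it."""
    return "ok" if resolve_under_root(UPLOAD_ROOT, user_path) else "rejected"


if __name__ == "__main__":
    # Constructed sample inputs, including the traversal shapes a file manager sees.
    for p in ["report.pdf", "docs/notes.txt", "../../etc/passwd",
              "/etc/shadow", "docs/../../x"]:
        print(f"{p!r:24} -> {classify_request(p)}")
```

The files need not exist for the check to work; realpath normalises the lexical path, so the guard can run before any open, write or listing call.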
Upon further investigation, the author discovers that the user who owns the flag is named “player.” To gather more information about the system, the author initiates a session of linpeas. The scan reveals open ports 3306 and 33060, indicating a running MySQL instance, although root access is not available.
SQL Injection and Privilege Escalation
During this exploration, a subdomain (soc-player.soccer.htb) is identified in the portal configuration files and is subsequently added to the /etc/hosts file. The author then registers on a new football portal, suspecting a potential SQL injection vulnerability. An attempt to utilize sqlmap reveals that backend calls are made via WebSocket, which sqlmap does not support.
In response, the author creates a custom solution in node.js to forward sqlmap’s HTTP calls over the WebSocket protocol. This innovative approach leads to a successful sqlmap scan, revealing the database name and tables, ultimately uncovering a password (PlayerOftheMatch2022). With these credentials, the author establishes an SSH connection and successfully finds the first flag.
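The injection sqlmap found sits in a WebSocket backend that builds SQL from a field of the incoming message. The following added example, written in Python rather than the author's node.js and not the portal's code, models that pattern with an in-memory SQLite table: the concatenating handler, the hardened handler that validates the type and binds a parameter, and a log-side check for ids that are not plain integers. The table name, columns, sample rows and message shape are assumptions constructed for the example.

```python
"""Vulnerable and hardened handling of a WebSocket lookup message.

Added example, not the soccer.htb portal's code. Models a WebSocket backend
that receives JSON such as {"id": "1234"} and looks the value up in SQL.
Table, columns and rows are constructed for the example.
"""
import json
import sqlite3


def make_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1234, "alice", "secret-1"), (5678, "bob", "secret-2")],
    )
    return conn


def lookup_vulnerable(conn, message):
    """Concatenates the untrusted field into the statement: the bug sqlmap finds."""
    ticket = json.loads(message)["id"]
    sql = f"SELECT id, username FROM accounts WHERE id = {ticket}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, message):
    """Validates the field's type first, then binds it as a parameter."""
    raw = json.loads(message)["id"]
    # Ids are non-negative integers; anything else is rejected before SQL exists.
    if not isinstance(raw, (int, str)) or not str(raw).isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT id, username FROM accounts WHERE id = ?", (int(raw),)
    ).fetchall()


def hardened_rejects(conn, message):
    """True if the hardened handler refuses the message."""
    try:
        lookup_hardened(conn, message)
    except ValueError:
        return True
    return False


def looks_like_sqli(message):
    """Cheap check over logged WebSocket frames: flag ids that are not plain integers.

    Malformed JSON, a non-object payload or a missing id are flagged too, since a
    legitimate client never sends those.
    """
    try:
        raw = json.loads(message).get("id")
    except (ValueError, AttributeError):
        return True
    return not str(raw).isdigit()


if __name__ == "__main__":
    db = make_db()
    benign = '{"id": "1234"}'
    tampered = '{"id": "1234 OR 1=1"}'   # constructed probe of the kind sqlmap sends
    print("vulnerable, benign :", lookup_vulnerable(db, benign))
    print("vulnerable, tampered:", lookup_vulnerable(db, tampered))  # every row leaks
    print("hardened, benign   :", lookup_hardened(db, benign))
    print("hardened, tampered :", "rejected" if hardened_rejects(db, tampered) else "accepted")
    for frame in (benign, tampered, "not json"):
        print(f"flag {frame!r}: {looks_like_sqli(frame)}")
```

The detection function is deliberately narrow: for a field whose legitimate values are integers, "is it an integer" catches every injection shape without a payload signature list, which is also why the hardened handler validates before it parameterises rather than relying on the parameter binding alone.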
A new session of linpeas is conducted to compare findings with previous scans, revealing that the current user is running a service (d-bus.dbus-daemon). Research indicates that the D-Bus service may be vulnerable to exploitation for privilege escalation. Continuing their investigation, the author identifies a Polkit vulnerability that could potentially allow for local privilege escalation.
The article concludes with the author noting their ongoing exploration of exploits and a reminder for readers to refer to the related article on AI and HTB challenges, emphasizing the continuous nature of learning and discovery within the field of cybersecurity.
Original Source: Read the Full Article Here