HackTheBox Writeup — Compromised
Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on Discord.
The IP of this box is 10.10.10.207
Port Scan
Running an Nmap full port scan on it, we get
We get 2 open ports: port 22 for SSH and port 80 for HTTP
Moving on to the web part first
Way To User
Checking out the web service, I get to see a shopping website
The website is running LiteCart. Running GoBuster against the web server:
The /backup directory is interesting, as it contains a backup file named a.tar.gz
Downloading the file to our local machine
Extracting the archive and checking its contents
Analyzing the code of login.php, there is a commented-out piece of code that writes the username and password to a text file
Fetching that file from the web server gives me a username and password
Searching for exploits for LiteCart gives me a successful hit
Using the Python exploit against the target with the credentials I got
It says the exploit uploaded the webshell and that I can access it through the given URL
But I am unable to run system commands, due to some kind of PHP security. To confirm that, I modified the Python exploit to upload a PHP file which echoes “Working!!!”, and it works
I can escape the filter using the exploit below
Modifying the exploit to include the above code and re-running it
This time the exploit was successful and I was able to run system commands, so I will use the webwrap tool, a wrapper for running shell commands through the parameter-based webshell
Enumerating the web root, there is a file, config.ini.php, which contains the MySQL connection details
Now enumerating the database, it can be seen that it has been backdoored, as there is an exec_cmd function which is used for executing system commands
Using this, I uploaded my SSH key for the mysql user
Now connecting as the mysql user through the SSH key I uploaded
Enumerating leads to a file which is readable by the current user and root but not world-readable, so it may contain some useful information
Checking the file, there are some password logs in it
Trying these password combinations with the available user on the machine through SSH, one of them works
Time for priv esc
Privilege Escalation
Since this machine is themed around backdoors and compromise, there might be rootkits present
Checking for files with the name backdoor, there is a pam_unix.so file
Analyzing the file in Ghidra, it can be seen that the password is split into two separate hex-encoded strings
Decoding the hex strings gives us the two halves of the password
Combining them gives the password:
zlke~U3Env82m2-
Using this password for root gets me a root shell
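The backdoored pam_unix.so found above is exactly the kind of tampering a package-integrity check catches. The following is an added example, not part of the original writeup: it compares the PAM modules on disk with the MD5 sums dpkg recorded at install time, assuming a Debian/Ubuntu layout (/var/lib/dpkg/info/*.md5sums, modules under a /security/pam_ path); the data in demo() is constructed.

```python
import glob
import hashlib
import re

MD5SUMS_GLOB = "/var/lib/dpkg/info/*.md5sums"  # dpkg's per-package file checksums
PAM_MARKER = "/security/pam_"                   # Debian/Ubuntu PAM module directory

def parse_md5sums(text):
    """Turn '<md5>  <path without leading />' lines into {'/path': md5}."""
    recorded = {}
    for line in text.splitlines():
        match = re.match(r"^([0-9a-f]{32})\s+(\S.*)$", line.strip())
        if match:
            recorded["/" + match.group(2)] = match.group(1)
    return recorded

def find_tampered_pam(recorded, read_file):
    """(path, recorded_md5, disk_md5_or_None) for each PAM module that differs."""
    findings = []
    for path, expected in sorted(recorded.items()):
        if PAM_MARKER not in path:
            continue
        data = read_file(path)  # bytes, or None when missing/unreadable
        actual = hashlib.md5(data).hexdigest() if data is not None else None
        if actual != expected:
            findings.append((path, expected, actual))
    return findings

def read_from_disk(path):
    try:
        return open(path, "rb").read()
    except OSError:
        return None

def demo():
    """Constructed data: intact pam_deny.so, pam_unix.so swapped for another binary."""
    deny, unix = b"\x7fELF pam_deny", b"\x7fELF pam_unix"
    manifest = (f"{hashlib.md5(deny).hexdigest()}  lib/x86_64-linux-gnu/security/pam_deny.so\n"
                f"{hashlib.md5(unix).hexdigest()}  lib/x86_64-linux-gnu/security/pam_unix.so\n")
    on_disk = {"/lib/x86_64-linux-gnu/security/pam_deny.so": deny,
               "/lib/x86_64-linux-gnu/security/pam_unix.so": b"\x7fELF backdoored"}
    return find_tampered_pam(parse_md5sums(manifest), on_disk.get)

if __name__ == "__main__":
    recorded = {}
    for manifest in glob.glob(MD5SUMS_GLOB):
        recorded.update(parse_md5sums(open(manifest).read()))
    for path, expected, actual in find_tampered_pam(recorded, read_from_disk):
        print(f"MISMATCH {path}: dpkg={expected} disk={actual}")
```

The md5sums files live on the same disk as the modules, so a thorough rootkit can rewrite them too; comparing against a freshly downloaded copy of the package (debsums on Debian/Ubuntu, rpm -V on RPM systems) is the stronger check.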