HackTheBox Writeup — Hawk

Hello Guys , I am Faisal Husaini. My username on HTB is “faisalelino” .

The IP of this box is 10.10.10.102

We do the nmap scan using the command “nmap -sC -sV 10.10.10.102

We see 4 Ports Open

From the NMAP Scan we saw that Port 21 is Open and running vsftpd 3.0.3 and also it has Anonymous login allowed , lets login through ftp

We connected successfully through Anonymous login , let’s dig up to it

We see there was a directory named “messages” , so we enter to it and then list the files and get a file named “.drupal.txt.enc”.

Let’s get the file to our host box.

We got the file successfully , now check the contents of the file

It’s base64 encoded , let’s decode it

It’s gibbrish , let’s check the file type using the “file” command

It’s an openssl encoded data with salted password and also base64 encoded as we saw , so firsr we base64 decode it and save it to a file.

We base64 decoded the file and saved it to a file named “drupal_ssl” and then check the file type.

Now we try to decrypt this Openssl file using bruteforce technique from a famous tool named “bruteforce-salted-openssl

We got the password candidate which is “friends” , now lets use this password and decrypt the openssl file and extract the contents.

We decrypted the file using the password we got from bruteforcing. Let’s check the contents of the decypted file.

We see it has a message telling a password for some portal as “PencilKeyboardScanner123

Let’s keep this for later.

As we saw that Port 80 is open and is running http service , lets fire up the IP of the box in the browser and see what it has.

Drupal login page , maybe the password we got from the openssl file is the password for admin login , let’s try

We try to login to admin account on this drupal page and see what happens.

Boom.!! We got login as Admin on this drupal page , let’s crawl through it and see how can we exploit this.

We go to the Modules section in the drupal page and enable the PHP Filter

We enabled the PHP filter and now we can “add new contents” as PHP Code

We just add a new Basic page and then post a simple php code which will execute a system command

We gave our PHP code in the body section and then Click on Save button down below of that page. We gave the system command for “whoami” in the php code

We see that we have successfully got code execution in the page as we get “www-data” in return for “whoami” command

Now we try to get a reverse shell , we take help from Pentest Monkey’s reverse shell cheatsheet

We save this and before that we set up a netcat listener on port 1234. As soon as we click on Save , we trigger the reverse shell

Bingo! We got the reverse shell , now we get a tty shell using python.

As we didn’t had python , we used /bin/bash -i to get a tty

Now we go on to get the user flag

The user flag is usually located on the home directory of the user

We got the user flag , now we move on for privelege escalation to get the root flag.

We have a low priveleged shell , so we try to be atleast “Daniel” user on this box. As this box is hosting Drupal , we know that the config files are saved under “sites/default

We see there are two files , lets check the contents of the “settings.php” file

If you scroll down while reading the contents of the “settings.php” file , you will see there is a password as “drupal4hawk” for user “drupal” , lets try to connect to this user through SSH.

We get a failed message , let’s try the same password for “Daniel” user

We successfully connected to Daniel user through SSH with the password we got from the user , but you notice we pop up a python3 interpreter instead of bash shell. If you look at the /etc/passwd file , you will notice “daniel” user has /usr/bin/python3 as user shell.

We can escape the python3 interpreter by simple python3 commands

>>>import os

>>>os.system(“/bin/bash”)

We escaped the python3 interpreter and now we are now on our normal bash shell.

If you remember from the NMAP Scan there was H2 database running on port 8082 , searching for exploits on google , we get an exploit in exploit-db website. Let’s download that exploit to our box and then upload it on the Hawk machine.

I have successfully uploaded the exploit to the victim machine , this exploit gives Remote Code Execution to root priveleges.

When we simple run this exploit using python3 , it gives us the usage of this exploit , so our final command for exploit will be

python3 exploit.py -H 127.0.0.1:8082

When we run the command , we see

Boom , we got RCE as root , now we have full priveleges as we are root. Let’s get the root flag

The root flag was in the same directory on which our root shell was spawned

This was really a cool box and learned new things from it.

  • Anonymous FTP Login which leaks an OpenSSL file containing password for Admin Login on Drupal
  • RCE on Drupal by enabling PHP Filter and posting PHP Codes
  • User Password on Drupal Config File which leads to SSH Connection to the user Daniel
  • Vulnerable H2 Database which leads to RCE as Root

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store