HackTheBox Writeup — Hawk
Hello Guys , I am Faisal Husaini. My username on HTB is “faisalelino” .
The IP of this box is 10.10.10.102
NMAP Results
We do the nmap scan using the command “nmap -sC -sV 10.10.10.102”
We see 4 Ports Open
FTP Login (Anonymous)
From the NMAP Scan we saw that Port 21 is Open and running vsftpd 3.0.3 and also it has Anonymous login allowed , lets login through ftp
We connected successfully through Anonymous login , let’s dig up to it
We see there was a directory named “messages” , so we enter to it and then list the files and get a file named “.drupal.txt.enc”.
Let’s get the file to our host box.
We got the file successfully , now check the contents of the file
It’s base64 encoded , let’s decode it
It’s gibbrish , let’s check the file type using the “file” command
It’s an openssl encoded data with salted password and also base64 encoded as we saw , so firsr we base64 decode it and save it to a file.
We base64 decoded the file and saved it to a file named “drupal_ssl” and then check the file type.
Now we try to decrypt this Openssl file using bruteforce technique from a famous tool named “bruteforce-salted-openssl”
We got the password candidate which is “friends” , now lets use this password and decrypt the openssl file and extract the contents.
We decrypted the file using the password we got from bruteforcing. Let’s check the contents of the decypted file.
We see it has a message telling a password for some portal as “PencilKeyboardScanner123”
Let’s keep this for later.
Web Service (Port 80)
As we saw that Port 80 is open and is running http service , lets fire up the IP of the box in the browser and see what it has.
Drupal login page , maybe the password we got from the openssl file is the password for admin login , let’s try
We try to login to admin account on this drupal page and see what happens.
Boom.!! We got login as Admin on this drupal page , let’s crawl through it and see how can we exploit this.
Exploting Drupal
We go to the Modules section in the drupal page and enable the PHP Filter
We enabled the PHP filter and now we can “add new contents” as PHP Code
We just add a new Basic page and then post a simple php code which will execute a system command
We gave our PHP code in the body section and then Click on Save button down below of that page. We gave the system command for “whoami” in the php code
We see that we have successfully got code execution in the page as we get “www-data” in return for “whoami” command
Now we try to get a reverse shell , we take help from Pentest Monkey’s reverse shell cheatsheet
We save this and before that we set up a netcat listener on port 1234. As soon as we click on Save , we trigger the reverse shell
Bingo! We got the reverse shell , now we get a tty shell using python.
As we didn’t had python , we used /bin/bash -i to get a tty
Now we go on to get the user flag
User Flag
The user flag is usually located on the home directory of the user
We got the user flag , now we move on for privelege escalation to get the root flag.
Privelege Escalation
We have a low priveleged shell , so we try to be atleast “Daniel” user on this box. As this box is hosting Drupal , we know that the config files are saved under “sites/default”
We see there are two files , lets check the contents of the “settings.php” file
If you scroll down while reading the contents of the “settings.php” file , you will see there is a password as “drupal4hawk” for user “drupal” , lets try to connect to this user through SSH.
We get a failed message , let’s try the same password for “Daniel” user
We successfully connected to Daniel user through SSH with the password we got from the user , but you notice we pop up a python3 interpreter instead of bash shell. If you look at the /etc/passwd file , you will notice “daniel” user has /usr/bin/python3 as user shell.
We can escape the python3 interpreter by simple python3 commands
>>>import os
>>>os.system(“/bin/bash”)
We escaped the python3 interpreter and now we are now on our normal bash shell.
If you remember from the NMAP Scan there was H2 database running on port 8082 , searching for exploits on google , we get an exploit in exploit-db website. Let’s download that exploit to our box and then upload it on the Hawk machine.
I have successfully uploaded the exploit to the victim machine , this exploit gives Remote Code Execution to root priveleges.
When we simple run this exploit using python3 , it gives us the usage of this exploit , so our final command for exploit will be
python3 exploit.py -H 127.0.0.1:8082
When we run the command , we see
Boom , we got RCE as root , now we have full priveleges as we are root. Let’s get the root flag
Root Flag
The root flag was in the same directory on which our root shell was spawned
This was really a cool box and learned new things from it.
Vulnerabilities Used To Solve This Box
- Anonymous FTP Login which leaks an OpenSSL file containing password for Admin Login on Drupal
- RCE on Drupal by enabling PHP Filter and posting PHP Codes
- User Password on Drupal Config File which leads to SSH Connection to the user Daniel
- Vulnerable H2 Database which leads to RCE as Root