HackTheBox Writeup — Hawk

NMAP Results

We run the nmap scan with the command “nmap -sC -sV 10.10.10.102”.

FTP Login (Anonymous)

From the nmap scan we saw that port 21 is open and running vsftpd 3.0.3 with anonymous login allowed, so let's log in over FTP.

Web Service (Port 80)

We saw that port 80 is open and running an HTTP service, so let's open the IP of the box in the browser and see what it has.

Exploiting Drupal

We go to the Modules section in the Drupal page and enable the PHP Filter.

User Flag

The user flag is usually located in the home directory of the user.

Privilege Escalation

We have a low-privileged shell, so we try to become at least the “Daniel” user on this box. As this box is hosting Drupal, we know that the config files are saved under “sites/default”

>>> import os

>>> os.system("/bin/bash")

python3 exploit.py -H 127.0.0.1:8082

When we run the command, we see

Root Flag

The root flag was in the same directory in which our root shell was spawned.

Vulnerabilities Used To Solve This Box

  • Anonymous FTP login, which leaks an OpenSSL file containing the password for the admin login on Drupal
  • RCE on Drupal by enabling the PHP Filter and posting PHP code
  • User password in the Drupal config file, which leads to an SSH connection as the user Daniel
  • Vulnerable H2 database, which leads to RCE as root
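
From the defender's side, two links in this chain can be caught with a simple host audit. The script below is an added example, not part of the original writeup: it checks a vsftpd.conf for anonymous login and a process listing for an H2 server owned by root. The sample config, the process listing, the /opt/h2 path and the function names are constructed for illustration.

```python
import re

# Constructed sample inputs for illustration; not captured from the box.
VSFTPD_CONF = """\
# vsftpd.conf (constructed)
listen=YES
anonymous_enable=YES
local_enable=YES
"""
PS_OUTPUT = """\
USER       PID COMMAND
root       812 /usr/bin/java -cp /opt/h2/bin/h2.jar org.h2.tools.Server
www-data   930 /usr/sbin/apache2 -k start
daniel    1204 -bash
"""

def anonymous_ftp_enabled(conf_text):
    """True if vsftpd would accept anonymous logins with this config."""
    enabled = True  # vsftpd.conf(5): anonymous_enable defaults to YES when unset
    for line in conf_text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "anonymous_enable":
            # later lines override earlier ones
            enabled = value.strip().upper() in {"YES", "TRUE", "1"}
    return enabled

def h2_as_root(ps_text):
    """PIDs of H2 processes owned by root, from `ps -eo user,pid,args` output."""
    pids = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, args = parts
        if user == "root" and re.search(r"\bh2[\w.-]*\.jar\b|org\.h2\.tools", args):
            pids.append(int(pid))
    return pids

def audit(conf_text, ps_text):
    """Collect findings with the matching remediation for each."""
    findings = []
    if anonymous_ftp_enabled(conf_text):
        findings.append("vsftpd: anonymous login allowed; set anonymous_enable=NO")
    for pid in h2_as_root(ps_text):
        findings.append(f"H2 (pid {pid}) runs as root; use an unprivileged service account")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(VSFTPD_CONF, PS_OUTPUT)))
```

A config that omits anonymous_enable entirely is still flagged, because the compiled-in default permits anonymous logins.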
