HackTheBox Writeup — Waldo

Hello Guys , I am Faisal Husaini and this is my writeup on Medium for Waldo machine which has retired. My username on HTB is “faisalelino” .

The IP for this box is 10.10.10.87, so let’s get started

NMAP Results

First we do nmap scan using the command “nmap -sC -sV -oA nmap 10.10.10.87”

Port 22 , 80 are open. Let’s move to see what the webserver is running.

HTTP Service

We see something weird page , lets check the source code.

We see a list.js file linked, lets check the code of “list.js”

If we look deeply in the js code , we see some php files , i.e , dirRead.php , fileRead.php , fileWrite.php , fileDelete.php , these might be some interesting thing to look on. Let’s fire up Burp and intercept the request of the page.

Intercepting Request Through Burp

We intercept the whole request through Burp and see what we can do for exploiting

When we click on the List122 on the webpage we got before, we intercept the request above , let’s send this to repeater as this seems vulnerable to LFI , so we will need to try multiple attempts for our attack to get succeed.

We see that when we send this request , it returns a false message , maybe someone reverted the box and this list122 does not exist anymore , so lets move on exploiting LFI

We first try the common /etc/passwd payload and see what does it return

We see that it returns a false , so lets try the traversal method by randomly adding ../../../ as web pages on linux servers are commonly on /var/www/html

It returns a false message too , let’s try adding a null byte (%00) at the end

This didnt worked , hmmmmm, there might be some filtering to ../ , lets try some filtering bypass , like trying ….//….//….//etc//passwd

Boom , we got the /etc/passwd file , let’s find out the user on this box

We see that there is a user named as “nobody” , also from our NMAP Scan we found out that Port 22 for SSH is open , so we might get a leak of SSH Authentication Key for User “nobody” from this LFI attack

SSH Authentication Keys are usually stored at “/home/<user>/.ssh/id_rsa

Remember that it is not necessary that name of the SSH Key file will be id_rsa

Getting SSH Authentication Key File

So as we came to know that SSH Key might be located at “/home/nobody/.ssh/id_rsa” , let check it

We try to get the key by putting this payload “….//….//….//home//nobody//.ssh//id_rsa”

We get a false message returned. What to do now? Remember from the source code we had dirRead.php too , and this request on our Repeater tab one is the fileRead.php , which might only show the file contents , maybe dirRead.php can show us the contents in a particular directory , let’s try it out

We can find the request for the dirRead.php by spidering the webserver

We send this to our Repeater tab and then do the LFI

Now lets go to that .ssh directory of the “nobody” user

We see that there is three files , let see what is .monitor file from the fileRead.php request

We got the SSH key , but this doesn’t seem to be in proper format as in this php files the forward slash(/) were filtered by getting added by a backslash (\) , also many more

So we will use a Linux tool called “sed” to make it a proper ssh authentication key which we can use

We have copied it into a file named “ssh” , now we use the tool sed , the command for it is as follows:-

cat ssh | sed ‘s/\\n/\n/g’ | sed ‘s/\\//g’ > id_rsa

This is save the perfect to use ssh key to a file named “id_rsa”

Now this key is perfect to use , now let’s connect to SSH

Connecting to “nobody” user through SSH

We connect through the command:

ssh nobody@10.10.10.87 -i id_rsa

We are now inside the box , cool!!! Now let’s get the user flag

User Flag

User flag is under the same location to which we spawned to

We got the user flag

Now time for Privelege Escalation

Privelege Escalation

We seem to be in a restricted bash shell here in the box when we connected to as “nobody” user

Let’s run a “ps -a” command and see what it returns

We see that the nobody user used a command “ssh -i .monitor monitor@localhost” where the .monitor is the same SSH key we got from the server before , lets first to that ssh key we have and create a .monitor file here using vi and then save it

After saving , then change the permissions of the file using “chmod 600 .monitor” and then connect to the ssh from the command above

We get connected as monitor user , lets dig into it and see what we can do more further to get root

As we see that we are still into restricted shell , we need to bypass it

We see that we have bypassed the restricted shell , we can confirm it by using any linux command

We see that now it shows bash instead of rbash , let’s continue digging

We see that we run any command like cat , python , perl , less , more etc. It gives us a command not found like in the above pic , so let’s check the PATH variable

We see this is not the normal as it is pointers towards the app-dev and the home bin directory at /home/monitor , lets change it to the default of what every linux system has

We are good to go and we can confirm it by running cat command on /etc/passwd

We now confirm that it runs and now we have a proper shell , lets now enumerate the folders in the home directory of “monitor” user

We see that the home directory contains two folders , in the bin folders it had the 4 command which we could have used from the previous PATH variable , and in the app-dev directory , we have something like logMonitor and also another folder named v0.1 , lets see what does v0.1 folder contain

We see there is another log named logMonitor-0.1 , we now see the contents of both logMonitor and logMonitor-0.1

We see that both of them contains gibbrish , let’s check MD5Sum of both of them

We can confirm that both of these logs are different

Let’s check the capabilities we have on this box using the command

getcap -r / 2>/dev/null

We get two things , one of them is the “tac” which is just an upside down of “cat” command , which has cap_dac_read_search+ei , which means we can bypass file read permission checks and directory read and execute permission checks.

In short , we can use the “tac” command to read the contents of the root user.

So let’s get the ssh key for the root user from the /root/.ssh/id_rsa

We see that we got the SSH Authentication Key for the root user , but in upside down order as that is what the “tac” command does

To get it in correct order , we just pipe the same command with tac again.

Now we have the perfect SSH Key , let’s copy this down to a file “id_rsa” on our box and then connect to the Root User through SSH

Dont forget to change the file permission of the id_rsa key to 600

Unfortunately when we tried to connect through this key , it got failed (I don’t know that is the reason)

As we know that we can read any files owned by the “root” with the “tac” , so let’s just get the root flag with is usually located at /root/root.txt

Root Flag

The root flag is usually stored at /root/root.txt file

This root flag is in correct order

Vulnerabilities Used To Solve This Box

  • LFI
  • Restricted Shell Escape
  • Linux Capabilities

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover