HackTheBox Writeup — Zetta

Hello guys, I am Faisal Husaini. My username on HTB is “kNgF”. Also join me on Discord.

The IP of this box is 10.10.10.156

Running nmap on it, we get

We get 3 open ports: port 21 running Pure-FTPd, port 22 running OpenSSH and port 80 running nginx

Moving onto the web part

Running the IP in the browser

We get a cool webpage, but nothing much interesting from the webpage until we see something in the source code

We see a JavaScript function which creates a random 32-byte string, which we can also see happening on the web page, as shown below

We see that we can use these random 32-byte strings as username and password on FTP

We connect to FTP using these creds

We got connected successfully, but we don't get anything interesting yet. Looking further in the webpages, we see they have implemented IPv6, which was not 100% completed yet

After digging a lot, we find the IPv6 address using ftp and ncat as shown below

As you can see, we got the IPv6 address in the ncat session, and now we run nmap against it

We get 4 open ports there, so we run service scans against it

We get everything the same as IPv4 except for Port 8730 which is running rsync

We run an nmap script that lists rsync modules and then see

We see backup access to several Linux-type directories, so we move on to accessing some of them

We got access denied on the /bin directory even though we saw we had backup access to it

We tried to access the /home folder even though we didn't see it on the list; as it was a Linux-based directory layout, we gave it a try

When trying to access the /etc directory, we see we have access to the files of it

We copied all the files and folders to our current directory and looked at each one of them

Analysing and reading each file, we get

We see there is a directory named home_roy, so we try to access the files and folders of the directory

Using rsync, we see that it requires a password to access the directory, so we create a simple bash script which will bruteforce the password

Credits to PolarBearer from HTB

Running the script, we get

We cracked the password for the home_roy directory, and then we get its contents the same way and save them in the same directory, as shown below

Now checking the contents of the home_roy directory

We have the user flag there. Since we are doing everything using rsync and we know the username and the home folder, we can create SSH keys and upload them via rsync

We created the SSH keys and are now ready to upload them

Our SSH key is uploaded and now we connect through SSH to the box

Looking back to the rsync config file

In the /etc directory section, we see that .git is excluded, which means that there is something interesting related to .git

Now we search the root directory for files and folders named “.git” and find “/etc/rsyslog.d/.git”

We ran the git log command and we see postgres creds; we also check that PostgreSQL is installed on the box

We run logger in the other window, where we send a single quote, and see the logs

We see some SQL errors, and now we try to get a reverse shell using this: we first create a binary which we will execute through the SQL injection

We now run the SQL query as shown below, with a netcat listener in another terminal

We can now see that we got shell as postgres
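Why the single quote sent through logger surfaces as an SQL error, and how binding the message as a parameter closes the hole: this is an added example, not code from the original writeup or from the box's configuration. The table, function names and sample messages are constructed, and SQLite stands in for PostgreSQL.

```python
import sqlite3

# Hypothetical table standing in for the database a syslog forwarder writes to.
SCHEMA = "CREATE TABLE syslog_lines (severity TEXT, msg TEXT)"

# Constructed sample log messages.
SAMPLES = ["disk check ok", "'", "user o'brien logged in", "it''s fine"]


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def store_concatenated(severity, msg):
    """Weak sink: the log text is pasted into the SQL statement itself."""
    db = new_db()
    sql = f"INSERT INTO syslog_lines VALUES ('{severity}', '{msg}')"
    try:
        db.execute(sql)
    except sqlite3.Error as exc:
        # A lone quote ends the string literal early and the parser rejects it.
        return ("sql error", str(exc))
    return ("stored", db.execute("SELECT msg FROM syslog_lines").fetchone()[0])


def store_parameterized(severity, msg):
    """Hardened sink: the log text is bound as data and never parsed as SQL."""
    db = new_db()
    db.execute("INSERT INTO syslog_lines VALUES (?, ?)", (severity, msg))
    return ("stored", db.execute("SELECT msg FROM syslog_lines").fetchone()[0])


def compare(messages):
    """Return (message, weak outcome, hardened outcome) for each message."""
    return [
        (m, store_concatenated("info", m), store_parameterized("info", m))
        for m in messages
    ]


if __name__ == "__main__":
    for msg, weak, hardened in compare(SAMPLES):
        print(repr(msg), "| weak:", weak, "| hardened:", hardened)
```

The last sample shows that a missing error is not proof of safety: the concatenating sink accepts it but stores different text than was logged.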

Looking at the psql command history, we see a password, which we try for the root user

We got root and also we get the root flag

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover
