[Hack The Box] Target 1 Meow+Paper

Foreword

I have known the HTB platform by name for a long time. There is no need to download a VM image and run it yourself: the machine is spun up online, you connect to the VPN, and you work against it directly.
This post is a first pass at getting familiar with the platform.

Meow

Download the OpenVPN file, connect from Kali, and check that the target answers to ping. Then run nmap:

nmap -sV 10.129.160.90

Port 23 is open, a telnet service. Connect directly and log in with the root account, then grab the flag.
This one is a free gift.

Paper

Next, the official machines. At first the target cannot be pinged; it turns out that Starting Point and Machines do not use the same VPN, so OpenVPN has to be reconfigured to get an IP address.
Then nmap first: ports 22, 80 and 443 are open.
Port 80 serves a web site. The response header gives away a domain name, which goes into /etc/hosts.

USER

It is a WordPress site. Scanning it with wpscan gives version 5.2.3.
A Google search shows this version has a vulnerability that allows unauthorized viewing of posts, and with it I found a hidden article. It rambles on, but the key point is one secret chat site:

# Secret Registration URL of new Employee chat system
http://chat.office.paper/register/8qozr226AhkCHZdyY

Add the domain name to hosts, then visit it: it is a registration page, so register an account.
The most interesting NPC inside is a bot. Once you see it, you know what can be done here: it can indeed read arbitrary files, /etc/passwd included, which shows the real user accounts rocketchat and dwight.


There is also a command called list, which shows the files in a directory, similar to ls. Looking at the parent directory and rummaging through it, I found a password in this file:

export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
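As an added illustration of the two bot commands above (file read and list), here is a constructed chat-bot command handler; it is not the box's bot code, which the page never shows. The vulnerable read opens any path the user types, while the hardened version pins both commands to a sandbox directory with realpath containment. The directory names, the notes file and the dummy credential file are all constructed.

```python
import os
import tempfile

# Constructed fixtures (not from the box): a sandbox standing in for the bot's
# permitted directory, and one file outside it holding a dummy credential.
SANDBOX = os.path.realpath(tempfile.mkdtemp())
OUTSIDE = os.path.join(os.path.realpath(tempfile.mkdtemp()), "secret.env")
with open(os.path.join(SANDBOX, "notes.txt"), "w") as fh:
    fh.write("weekly sales notes\n")
with open(OUTSIDE, "w") as fh:
    fh.write("export ROCKETCHAT_PASSWORD=placeholder-not-the-real-one\n")
# Constructed relative path from the sandbox to the outside file: what a
# traversal request looks like to the hardened handler.
ESCAPE = os.path.relpath(OUTSIDE, SANDBOX)


def vulnerable_read(path: str) -> str:
    """Opens whatever path the chat user typed: the behaviour seen on the box."""
    with open(path) as fh:
        return fh.read()


def safe_path(user_path: str) -> str:
    """Resolve user_path inside SANDBOX and refuse anything that escapes it;
    realpath collapses ../ sequences and symlinks before the check."""
    candidate = os.path.realpath(os.path.join(SANDBOX, user_path.lstrip("/")))
    if os.path.commonpath([SANDBOX, candidate]) != SANDBOX:
        raise PermissionError(f"path escapes sandbox: {user_path}")
    return candidate


def hardened_read(user_path: str) -> str:
    with open(safe_path(user_path)) as fh:
        return fh.read()


def hardened_list(user_path: str) -> str:
    return "\n".join(sorted(os.listdir(safe_path(user_path))))


def handle(command: str) -> str:
    """Dispatch the bot's two commands, 'file <path>' and 'list <dir>',
    through the hardened helpers and turn any refusal into a chat reply."""
    verb, _, arg = command.partition(" ")
    try:
        if verb == "file":
            return hardened_read(arg)
        if verb == "list":
            return hardened_list(arg)
        return "unknown command"
    except (PermissionError, FileNotFoundError, NotADirectoryError) as exc:
        return f"denied: {exc}"
```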

I used this to log in; the web login replied that the bot cannot log in there, so I tried whether SSH shares the same password, and it does.
That gives the first flag:
fcb715124fb8598cb1e1295c2c9c3228

ROOT

The next step is privilege escalation.
I tested it, and it seems the HTB machine has no Internet access, so I serve linpeas locally with a Python HTTP server and fetch it with wget.
Then chmod +x linpeas.sh to make it executable, and it runs successfully. It flags CVE-2021-3560.
A privilege-escalation script for it is on GitHub; the escalation succeeds and the flag is taken.

Origin blog.csdn.net/m0_51078229/article/details/123719778