Curling - HackTheBox - WriteUp

Make a new directory —> mkdir Curling

Next do a Nmap scan to look for open ports —> nmap -sVC 10.10.10.150

Seems like there are only 2 ports open, port 80 and port 22. The web service is running a content management system called Joomla!

Let's take a look at the website and see what we can find

There is not much to do on the website, however, when we take a look at the source code, at the bottom we can see that there is a secret.txt file hiding in an HTML comment

Request the file by appending its name to the URL

And we get our hands on what seems to be a base64-encoded string, let's go to CyberChef and decode it

And it seems like we have something! We do not know what yet, but it could be a potential password. Let's keep looking, maybe we can find a username somewhere around

The posts have been signed with the name of Floris, let's see if we can put together the pieces

And we are the Super User! I couldn't do much with this, so I decided to do proper enumeration, like I should have done before, running a Gobuster scan to look for directories

As you can see at the bottom, there is a directory called /administrator. Heading there we can use the Super User credential to access the control panel of the server

Clicking around we can have access to the config file of the server

Looking at the templates tab, it seems like we have the option to upload files. This could be a really good chance to try to obtain a webshell by injecting PHP code

Once it is created, use a PHP shell from Revshells and set a listener

Now we can honour the name of the machine and use the curl command to call our PHP file to trigger the shell

And we should have our shell ready on the listener

Now we need to escalate our privileges so we can get the user flag

There is a file called password_backup in the home folder

It seems to be a hex dump. Let's head again to CyberChef

By using the "Detect File Type" recipe we were able to retrieve a password.txt file. You just need to keep adding recipes before "Detect File Type" until the output is no longer recognized by the recipe. Now we can try these credentials over SSH as Floris
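
The loop described above (detect the file type, add the matching decode step, repeat until nothing is recognised), as an added Python example that is not part of the original write-up. It assumes the dump is in xxd layout; the layer order, the placeholder content and all function names are constructed for illustration.

```python
import bz2, gzip, io, lzma, tarfile

def parse_xxd(dump):
    """Rebuild bytes from xxd-style text; hex ends at the double space before ASCII."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            out += bytes.fromhex(line.split(":", 1)[1].lstrip().split("  ")[0])
    return bytes(out)

def untar(data):
    """Return the first regular file of a tar archive, read in memory only."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        member = next(m for m in tar.getmembers() if m.isfile())
        return tar.extractfile(member).read()

def identify(data):
    """Map magic bytes to (layer name, undo function); None if unrecognised."""
    if data[:2] == b"\x1f\x8b":
        return "gzip", gzip.decompress
    if data[:3] == b"BZh":
        return "bzip2", bz2.decompress
    if data[:6] == b"\xfd7zXZ\x00":
        return "xz", lzma.decompress
    if data[257:262] == b"ustar":
        return "tar", untar
    return None

def unwrap(data, max_layers=16):
    """Peel layers until nothing is recognised; the cap bounds nested archives."""
    layers = []
    while len(layers) < max_layers and (hit := identify(data)):
        layers.append(hit[0])
        data = hit[1](data)
    return data, layers

def make_sample(secret=b"constructed-placeholder\n"):
    """Constructed input: tar -> bzip2 -> gzip -> bzip2, rendered like xxd."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tar.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
    return "\n".join(
        f"{i:08x}: {blob[i:i + 16].hex(' ', -2):<39}  "
        + "".join(chr(b) if 32 <= b < 127 else "." for b in blob[i:i + 16])
        for i in range(0, len(blob), 16))
if __name__ == "__main__":
    print(unwrap(parse_xxd(make_sample())))
```

The returned layer list is the same sequence of recipes you would stack in CyberChef, outermost first.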

And we are in! Let's look at that admin-area folder we couldn't access before

And we can see a URL saved as a variable for the localhost. Let's take a look at PSPY to see if we can enumerate processes and find something useful

And seems like we have a cron task running the curl command with the -K option from the input file and sending the output to the report. Let's take a look at what the -K option does

The -K option reads the content of a file as arguments and uses them as if they were provided on the command line. Knowing this, we could set a listener on port 80 and replace the local address with our IP, then pass root.txt as the data value of a POST request that should be caught by our listener. Credit to 0xdf for this trick!

Note that we are using "@" so that curl reads the data from root.txt. Then just wait for the cron task to trigger curl

And there you go!