Create a new directory —> mkdir Hawk
Then run a Nmap scan to look for open ports —> sudo nmap -p- -Pn -sCV 10.10.10.102 -oN nmap.txt
We can see that there are a bunch of open ports, but we are missing some information. In cases like this we can use the following command to filter the output from our first scan into a plain comma-separated port list:
cat nmap.txt | grep open | grep -v '#' | cut -d"/" -f1 | sort | uniq | sed -z 's/\n/,/g;s/,$/\n/'
And you should get an output looking like this:
This way you can easily copy the ports and pass them to a second, targeted scan.
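The grep/cut pipeline above works, but it matches the word "open" anywhere on a line, so it is worth knowing what it actually extracts. The following is an added example, not part of the original writeup: a small Python parser for Nmap's normal (-oN) output that only accepts lines of the form PORT/PROTO open ... and returns the ports in the comma-separated form Nmap expects for -p. The scan output below is constructed for the example (ports taken from the writeup, generic service names), not a real capture from the box.

```python
import re

# Constructed sample of `nmap -oN` output (not a real capture of the target).
SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated as: nmap -p- -Pn -sCV 10.10.10.102 -oN nmap.txt
Nmap scan report for 10.10.10.102
Host is up (0.045s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
80/tcp   open     http
443/tcp  filtered https
8082/tcp open     http
# Nmap done: 1 IP address (1 host up) scanned
"""

# Only lines that start with "<port>/<proto>" followed by the state "open" count.
# This avoids false matches on comment lines or on version strings that merely
# contain the substring "open".
_OPEN_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+open\b", re.MULTILINE)


def open_ports(nmap_text: str, proto: str = "tcp") -> list[int]:
    """Return the sorted, de-duplicated list of open ports for one protocol."""
    ports = {
        int(m.group(1))
        for m in _OPEN_LINE.finditer(nmap_text)
        if m.group(2) == proto
    }
    return sorted(ports)


def as_nmap_arg(ports: list[int]) -> str:
    """Format a port list the way `nmap -p` expects it, e.g. '21,22,80'."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    found = open_ports(SAMPLE_NMAP_OUTPUT)
    print("open tcp ports:", as_nmap_arg(found))
```

Note that the filtered port 443 in the sample is dropped, just as the original grep-based pipeline would drop it; the state column is what decides inclusion, not the presence of a port number.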
And this time we got some extra information about the services running on each port. Also, as you may see, I discovered by a happy accident that when I ran the Nmap scan using the wrong IP address (10.10.10.109) I got more accurate information about the services in use... Don't ask me why...
Let's start heading to the web service to see how it looks
And we see a normal login page powered by Drupal version 7. Since the box is really old, there are a lot of known vulnerabilities for this version by now, as you may see if you do a quick search in Google. Normally you would look for vulnerabilities in the given service, but I know that when this box came out there were none.
I’m pretty sure you could try Metasploit here and it would work, but we are going to do it in the old intended way and try to adapt as we can to the present times.
Let's run gobuster and see if we can find anything useful.
Nothing shows up when looking for directories, so let's look for file extensions too:
gobuster dir -u http://hawk.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 150 -x .php,.html,.py,.git,.sh,.bak,.js,.txt
I found an install.php that led me to a path that could be interesting.
We are given the option to update the script from the current page
And some instructions on bypassing permissions (they point at the settings.php file). Let's keep this for possible future use.
Let's head to port 21 and check the FTP server; as we saw in the Nmap scan, we can log in anonymously.
And we found a hidden file that we can download for a proper examination.
It seems to be base64-encoded, so let's decode it using base64 -d and save the result into a file.
Now we can use the file command to identify the type of encryption used on the file.
As we can see, it is an OpenSSL-encrypted file (openssl enc with a salted password); there is a nice Python script to brute-force this.
Once you have the password, we can check whether it works on the login page.
So it did. You can see at the top right that we are logged in as admin. On the Modules tab you will find a very interesting option that allows you to execute PHP code.
This may allow us to get a reverse shell by creating a PHP page; you can do that by heading to the Content tab and creating a new article.
Now that you have your reverse shell in the article and have set the text format to PHP, you just need to start your listener on your preferred port. In this case, I used the PentestMonkey payload from Revshells.
To my surprise, we can read the user flag without having to be the user, in this case Daniel.
Now we can have a look at that settings.php file that we were referred to earlier (in the instructions for bypassing admin privileges) and see if we can find something interesting.
And we were lucky to find a password; let's see if we can use it to SSH in as Daniel.
And we do, but there is a little problem: we land in a Python shell. Let's head to HackTricks and try some of the techniques to spawn a proper shell from it.
And without too much effort we got a proper shell. Now let's start enumerating to escalate our privileges to root.
Having a quick look at the processes, we can see that H2 is running as root; it is also listening on port 8082.
We can't access it remotely, but since the service is listening locally we can reach it through SSH port forwarding:
ssh daniel@10.10.10.102 -L 8082:127.0.0.1:8082
And now we can access the service from our machine by entering the localhost URL http://127.0.0.1:8082/
Clicking around where we have permissions, we found a backup feature.
This feature will look for .db files as root and will save them into a zip file.
We could create a symbolic link to root.txt on the target machine as Daniel. First, you need to create a new directory where you are going to place the symbolic link.
And now we are going to run the backup.
Now we can transfer the zip file to our machine; it should be located in the directory we gave to the backup feature.
Now you can unzip the file and read the flag!
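The root of this escalation is a backup routine that runs as root and follows symbolic links in a directory a low-privileged user controls. The following is an added example, not H2's code and not part of the writeup: a small Python file collector that shows the naive behaviour (symlinks are treated like regular .db files) beside a hardened version that checks each candidate with os.path.islink before touching it, and reports what it refused. The directory layout it builds is constructed in a temporary directory for the demonstration; the file it "protects" is just a placeholder, not the real flag.

```python
import os
import tempfile


def collect_db_files(root: str, follow_symlinks: bool):
    """Collect *.db files under `root` for backup.

    With follow_symlinks=True this behaves like the vulnerable backup: a
    symlink named something.db is opened wherever it points, with the backup
    process's privileges. With follow_symlinks=False, symlinked entries are
    skipped and reported instead. Returns (kept, skipped) as sorted basenames.
    """
    kept, skipped = [], []
    # followlinks=False keeps os.walk itself out of symlinked directories;
    # symlinks to *files* still show up in `filenames`, so they are checked below.
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if not name.endswith(".db"):
                continue
            path = os.path.join(dirpath, name)
            # os.path.islink uses lstat, so it sees the link itself, not the target.
            if os.path.islink(path) and not follow_symlinks:
                skipped.append(name)
                continue
            # A real implementation would also open with O_NOFOLLOW and verify
            # that the owner of the entry matches the requesting user; both are
            # omitted here to keep the example short.
            kept.append(name)
    return sorted(kept), sorted(skipped)


def build_fixture() -> str:
    """Create a constructed directory tree and return the backup root.

    layout (inside a temp dir):
      outside/protected.txt   <- stands in for a file only root can read
      backup/real.db          <- a legitimate database file
      backup/link.db          <- symlink -> ../outside/protected.txt
    """
    base = tempfile.mkdtemp(prefix="symlink-demo-")
    outside = os.path.join(base, "outside")
    backup = os.path.join(base, "backup")
    os.makedirs(outside)
    os.makedirs(backup)
    with open(os.path.join(outside, "protected.txt"), "w") as fh:
        fh.write("placeholder, not a real flag\n")
    with open(os.path.join(backup, "real.db"), "w") as fh:
        fh.write("not a real database\n")
    # The attacker-controlled entry: a link whose name satisfies the ".db" filter.
    os.symlink(os.path.join("..", "outside", "protected.txt"),
               os.path.join(backup, "link.db"))
    return backup


def demo():
    """Run both collectors over the same fixture and return their results."""
    backup_root = build_fixture()
    naive_kept, naive_skipped = collect_db_files(backup_root, follow_symlinks=True)
    safe_kept, safe_skipped = collect_db_files(backup_root, follow_symlinks=False)
    return (
        {"kept": naive_kept, "skipped": naive_skipped},
        {"kept": safe_kept, "skipped": safe_skipped},
    )


if __name__ == "__main__":
    naive, hardened = demo()
    print("naive   :", naive)
    print("hardened:", hardened)
```

The naive collector happily includes link.db, which is the whole trick used above; the hardened one keeps real.db and lists link.db as skipped, so an operator can see that something tried to smuggle a link into the backup set. The other half of the fix is not to run the backup as root at all, or to drop to the requesting user's privileges before reading anything.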