14 January, 2019
HackTheBox is a free pen-testing lab where you can prove yourself as a hacker.
The machine's name is Curling. You all know the 'curl' command? Chances are that you have to use it.
First things first: if you have a target, what you want to do is nmap it.
nmap -sC -sV 10.10.10.150
Quickly you find that port 22 and port 80 are open. These are usually the SSH and HTTP ports.
nmap also tells us that a Joomla website is running on port
We then go ahead and check with our browser what kind of content the user is sharing with the world.
Well, it's about curling, the sport.
I quickly read all the published articles and see that the author likes to use some kind of curling jargon. Maybe we need that later in order to create a wordlist.
What I usually do then is to wfuzz the webserver. For that I take Kali's standard built-in wordlist for wfuzz, which is under
First I check against PHP files:
wfuzz --hf 404 -z file,/usr/share/wfuzz/wordlist/general/common.txt http://10.10.10.150/FUZZ.php
I only find configuration and index. I could enumerate more against Joomla's architecture by not using a file extension, but usually I try the txt file extension, too.
Voilà: secret.txt. There is also a string in there which looks like a password. I google which standard admin users Joomla uses, but I can't get in. Maybe I have to create a wordlist from the Joomla content and brute-force my way in. (If you look at the source code of the Joomla page, you see a hint for this file at the end of the file.)
The content of the
base64 encoded - it took me quite some time to notice this.
So I see that the author of the Joomla content writes "cewl" instead of "cool". You have to know that there is a wordlist generator named "cewl" which we can use.
We do so with
cewl -w curlingwordlist.txt -d 5 -m 2 10.10.10.150
Minimum word length is 2 and crawl depth is 5.
First, because it is easier, I try to break into SSH with
hydra -L curlingwordlist.txt -P secret.txt 10.10.10.150 -t 4 ssh -v
but with no success.
Okay, let's try to break into Joomla. I use Burp to see what data is transferred when I try to log in to Joomla. I can see where my username and password are put, and there is also a "return" parameter, which looks like a base64 encoded string (which it is) and determines where the page should return the user after a successful login.
But there is another parameter that looks like a CSRF token. This way I cannot automate brute-force attacks that easily.
I researched a bit and came across a pretty good tutorial on how to bypass such
It worked and we can log in to the admin page. I think from here on you have many possibilities. I installed a plugin which lets me upload files and uploaded a PHP shell which opens a reverse shell to my host.
Now I have RCE. I found a password_backup file inside the user's home folder; it is a hexdump. With some bash-jutsu I got the hex code into a binary, checked that, and figured out that this is a bzip2. I unpacked it, et voilà, it is another bzip2, then it was a gz, then a tar, and finally I got a cleartext password with which I could change users.
In the home folder there was another folder called admin-area, with two files in it which were recently changed; looks like a cronjob. The files belong to root, so I guess that this is my way to the root flag. My user has read and write access as well.
There is one file which states url = http://127.0.0.1 in it. And there is a second file, report, which seems to be the result of a curl run with the parameters of the first file, the input file.
I think I have to change the url so that it connects to a server I control in order to disclose sensitive information, like the contents of this juicy root flag.
What is disconcerting me is that the input file gets changed every minute by this cronjob as well.
I set up a Python server which listens on my attacker address. I changed the input file accordingly and it got a connection from my target host.
That's nice. Well, the input file has been reset, but who cares. Let's see whether we can transmit the output of some
Just for testing purposes I set the input URL with some test parameters, to see whether my Python server echoes them properly. It works.
Now I want to test whether I can get the PWD command executed. But it does not seem to work. Maybe I have to try some SQL-injection stuff, only that it wouldn't be SQL injection but bash injection.
After I tried for a while I thought that I should aim for lower-hanging fruit. I started looking for crons and started the
Did not find anything. Well, now I'll bring out the big guns: procmon.sh. It monitors all processes and writes them to stdout. Then I can see what exactly happens to the files.
And I see that the input file gets served into the -K parameter of a
I see two options:
I see you can pass a configuration file when executing curl. So I could pass more than only the url parameter. Let's see if there are other useful configurations I could exploit; I think that could be any parameter available, which means that I could pass a file (or its content) as a parameter. Let's try that.
Quickly I spotted the upload-file parameter. That should be easy: one parameter per line. Okay, tried it and it worked. Only my Python SimpleHTTPServer doesn't support PUT.
A quick google and I found ready source code for a Python 3 HTTP server with PUT support!
Now crafting a nice payload to tell the curl process to upload its root.txt to my server and I'm good to go!
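Seen from the defender's side, the weakness behind all of this is a root cron job feeding curl -K a config file that a low-privileged user can edit. As an added example (not from the write-up), a small Python audit that parses such a config, flags directives which read or send local files, and checks whether the file is writable by anyone but its owner; the parser is a simplified reimplementation of the -K syntax rather than curl's own, and the sample config and its placeholder path are constructed.

```python
import os
import re
import stat
import tempfile
# curl long options (written without dashes inside a -K file) that read or send
# local files; under a root cron job they are only as safe as the config's mode.
FILE_DIRECTIVES = {"upload-file", "data", "data-binary", "output",
                   "cookie", "cookie-jar", "cacert", "cert", "key", "config"}
# option name, then '=', ':' or whitespace before the value (simplified
# reimplementation of the -K syntax, not curl's own parser)
LINE_RE = re.compile(r"^-{0,2}([A-Za-z0-9-]+)(?:\s*[=:]\s*|\s+)?(.*)$")

def parse_curl_config(text):
    """Return (option, value) pairs; '#' lines and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line and not line.startswith("#") else None
        if m is None:
            continue
        opt, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # drop surrounding double quotes
        entries.append((opt, val))
    return entries

def risky_directives(entries):
    """Directives that touch local files, e.g. upload-file."""
    return [(o, v) for o, v in entries if o in FILE_DIRECTIVES]

def writable_by_non_owner(path):
    """True if group or others may write the file, i.e. any local user could
    rewrite the directives a root cron job feeds into curl -K."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

# Constructed sample of the cron's input file after a low-privileged user added
# an upload directive; the /root/root.txt path is a placeholder, not from the page.
SAMPLE_CONFIG = 'url = "http://127.0.0.1"\n# added line\nupload-file = /root/root.txt\n--insecure\n'

def demo():
    """Write SAMPLE_CONFIG world-writable to a temp file and audit it."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(SAMPLE_CONFIG)
        path = fh.name
    os.chmod(path, 0o666)  # the mode that makes the cron job abusable
    result = {"writable": writable_by_non_owner(path),
              "risky": risky_directives(parse_curl_config(SAMPLE_CONFIG))}
    os.remove(path)
    return result
```

Run against the real admin-area input file, a "writable": True together with any risky directive is the finding to fix: make the file root-owned and mode 0644 (or move it out of a user-writable directory) so the cron job no longer executes whatever a local user writes into it.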
Author: Marcel Michelfelder