HacktheBox Chaos Walkthrough


Chaos is a retired vulnerable machine from HackTheBox, which lets pentesters practise penetration testing online at a level matching their experience.

Difficulty: Medium

Task: To find user.txt and root.txt file

Enumeration

Nmap

As always, let's start with an nmap scan.

nmap  -sV -p- 10.10.10.120
Nmap scan report for chaos.htb (10.10.10.120)
Host is up (0.22s latency).
PORT      STATE SERVICE  VERSION
80/tcp    open  http     Apache httpd 2.4.34 ((Ubuntu))
110/tcp   open  pop3     Dovecot pop3d
143/tcp   open  imap     Dovecot imapd (Ubuntu)
993/tcp   open  ssl/imap Dovecot imapd (Ubuntu)
995/tcp   open  ssl/pop3 Dovecot pop3d
10000/tcp open  http     MiniServ 1.890 (Webmin httpd)

Webserver

The web server says direct IP access is not allowed, but we can run gobuster against it to find interesting directories.

GoBuster

Let's check the wp directory.

WordPress

Inside the wordpress folder there is a website running on WordPress, with one post that is password protected.

As we can see, this post was posted by the user human.

Guessing the password: human

Now we have some credentials, and they are for webmail. I tried these credentials on port 10000 (Webmin) but they did not work.

IMAP

Our nmap scan showed the mail ports 993 and 995. I tried logging in on all of them; port 993 worked and contained some juicy information.

Port 993 is not plain IMAP; it is IMAP over SSL/TLS, so we need a secure connection. That is why I use openssl to connect to IMAP.

openssl s_client -connect 10.10.10.120:993

Logging into imap

Command: a login "ayush" "jiujitsu"

Finding mails

Listing the mailboxes gives Drafts, Sent and INBOX.

INBOX and Sent are empty, but Drafts contains a mail.

Selecting Drafts

Command used: a select Drafts

Reading Mail

Command used: a FETCH BODY[]

Now we have a mail:

Hii, sahay
Check the enmsg.txt
You are the password XD.
Also attached the script which i used to encrypt.
Thanks,
Ayush

--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: application/octet-stream;
 name=enim_msg.txt
Content-Disposition: attachment;
 filename=enim_msg.txt;
 size=272

--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: text/x-python; charset=us-ascii;
 name=en.py
Content-Disposition: attachment;
 filename=en.py;
 size=804
--=_00b34a28b9033c43ed09c0950f4176e1--
)

The mail sender says "You are the password" and the mail is addressed to sahay, so the password is sahay.

Both attachments are base64 encoded.
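The IMAP steps above (IMAPS login, selecting Drafts, fetching the body) and the attachment decoding, as an added example that is not part of the original walkthrough. The mail server details are assumptions, and the sample mail embedded below is constructed with made-up attachment contents rather than the real files from the box.

```python
import base64
import email
import imaplib
from email import policy


def fetch_drafts(host, user, password, port=993):
    # IMAPS login, 'a select Drafts' and a FETCH of each body, as typed
    # into openssl s_client above; PEEK leaves the \Seen flag untouched.
    with imaplib.IMAP4_SSL(host, port) as imap:
        imap.login(user, password)
        imap.select("Drafts", readonly=True)
        _, data = imap.search(None, "ALL")
        messages = []
        for num in data[0].split():
            _, parts = imap.fetch(num, "(BODY.PEEK[])")
            messages.append(parts[0][1])
        return messages


def extract_attachments(raw_message):
    # {filename: decoded bytes}; get_payload(decode=True) undoes the base64
    # Content-Transfer-Encoding, replacing the manual 'base64 -d' step.
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {
        part.get_filename(): part.get_payload(decode=True)
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
    }


# Constructed sample with the same MIME layout as the draft above; the
# attachment contents are made up, not the real files from the box.
SAMPLE_MAIL = b"""Content-Type: multipart/mixed; boundary="=_00b34a28b9033c43ed09c0950f4176e1"

--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: application/octet-stream; name=enim_msg.txt
Content-Disposition: attachment; filename=enim_msg.txt

""" + base64.b64encode(b"constructed ciphertext placeholder") + b"""
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: text/x-python; charset=us-ascii; name=en.py
Content-Disposition: attachment; filename=en.py

""" + base64.b64encode(b"print('constructed stand-in for en.py')\n") + b"""
--=_00b34a28b9033c43ed09c0950f4176e1--
"""
```

Calling extract_attachments on each message returned by fetch_drafts gives the two files directly, without copying base64 out of the terminal.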

Decoding the message

First let's decode both attachments (base64 -d).

Now the second one.

The first one is not readable, but the second one is.

This is some kind of encryption script. Let's search for the code on Google to see if there is a matching decryption script.

https://github.com/bing0o/Python-Scripts/blob/master/crypto.py

Using this we can decrypt the other attachment. To do so, all I have to do is rename the first file to "1st code.hacklab", because this script only decrypts files ending in .hacklab; otherwise you would need to modify the Python program.

-d to decrypt
-p for the password

The file is decrypted successfully.

One more base64-encoded string.

Finally we got the message.

Getting User

In the message there is one URL: http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3

We need to edit our hosts file and add an entry for chaos.htb.

Visiting URL

This is a PDF generator, and only one of its templates works: test3 (I checked them one by one).

When we click Create PDF it generates a PDF in http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3/pdf/. If your PDF is not in that list, you are using the wrong template.

Exploiting

PDF generators are often vulnerable to LaTeX injection.

Read more about this attack here: https://0day.work/hacking-with-latex/

\immediate\write18{ENTER COMMANDS HERE}

We can execute commands directly. I used a Perl reverse shell because Python was not working for me.
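The defender's side of the \write18 primitive above, as an added example that is not the walkthrough's or the PDF generator's own code (the generator's source is not on the page; the {{name}} placeholder syntax and the function names are assumptions): user text is escaped so control sequences are typeset literally instead of executed, suspicious control sequences are flagged for logging, and pdflatex runs with shell escape disabled.

```python
import re
import subprocess

# Characters that have meaning to TeX; user text is mapped to literals so a
# control sequence such as \write18 is typeset, never executed.
TEX_ESCAPES = {
    "\\": r"\textbackslash{}", "{": r"\{", "}": r"\}", "$": r"\$",
    "&": r"\&", "#": r"\#", "_": r"\_", "%": r"\%",
    "~": r"\textasciitilde{}", "^": r"\textasciicircum{}",
}

# Control sequences that reach outside the document: shell escape, file
# reads/writes, Lua, and the macro primitives used to obfuscate them.
DANGEROUS_RE = re.compile(
    r"\\(?:write18|immediate|input|include|openin|openout|read|"
    r"directlua|ShellEscape|catcode|csname|def|let)\b"
)


def escape_tex(user_text):
    """Return user_text with every TeX special character neutralised."""
    return "".join(TEX_ESCAPES.get(ch, ch) for ch in user_text)


def find_dangerous_tex(text):
    """Control sequences worth logging or alerting on in submitted text."""
    return sorted(set(DANGEROUS_RE.findall(text)))


def render_template(template, fields):
    """Fill {{name}} placeholders (assumed syntax) with escaped values only."""
    out = template
    for name, value in fields.items():
        out = out.replace("{{" + name + "}}", escape_tex(value))
    return out


def compile_pdf(tex_path, workdir):
    """Compile with shell escape disabled so \\write18 is a no-op even if a
    template bug lets raw user text through; bounded by a timeout."""
    return subprocess.run(
        ["pdflatex", "-no-shell-escape", "-halt-on-error",
         "-interaction=nonstopmode", tex_path],
        cwd=workdir, capture_output=True, timeout=30, check=False,
    ).returncode
```

The denylist is only a backstop for logging; escaping plus -no-shell-escape is the actual control, and the compiler should also run in an isolated working directory as an unprivileged user.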

Now we have a shell. Checking the home directory shows two users, ayush and sahay.

USER

The credentials we found on WordPress are for the user ayush; maybe we can switch to that user using them.

This is a restricted shell.

We cannot run these commands because their directories are not in the PATH variable. We can see what PATH is set to using the echo command.

There is a hidden directory in /home/ayush.

Reading USER FLAG

Let's check that directory.

We cannot run the ls command to see what is inside that directory, but we can run dir as an alternative to ls.

We can run these three commands: dir, ping and tar. We cannot do anything interesting with ping and dir, but tar can be used to break out of restricted environments by spawning an interactive system shell.

We still cannot run commands because of the PATH variable; we have to set PATH ourselves.

Perfect, now we can run all commands. Let's read the flag.

Privilege Escalation

On listing all files and directories, I found a ".mozilla" directory.

Firefox stores saved credentials, and we can retrieve them using a Python script.

Python script: https://github.com/unode/firefox_decrypt/blob/master/firefox_decrypt.py

Now we are root and can read the root flag.

Reading ROOT Flag
