Hackthebox Lightweight Walkthrough


As always, let's start with an Nmap scan.

# nmap -sV -p- -oN nmap -v
Nmap scan report for
Host is up (0.13s latency).
Not shown: 65532 filtered ports
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X

Let's go check port 80.

Here we have a site that is brute-force protected. I also tried gobuster against it, but the box blocked my IP for a while.

Moving on to the pages on the web server.

The user page says it has added our IP, and that we can SSH in with the IP as the username and the IP as the password.

Logging into SSH

Now we have a shell.

After some time I didn't know what to do, so I checked my Nmap scan again and noticed one more port: LDAP. Some research on LDAP shows that a simple bind sends the credentials in plaintext (unless the connection is protected with TLS), so they can be seen with Wireshark. We don't have Wireshark on the box, but we do have tcpdump, a command-line packet capture tool, so we can use it to gather credentials.

Finding Credentials (LDAP)

We have two interfaces, ens33 and lo. I tried to dump passwords on ens33 but failed with that one; on the lo interface we can see the credentials, because the web server talks to the LDAP service on the same host over loopback.

Running tcpdump alone won't show anything; we need to browse the web pages to generate LDAP traffic.

tcpdump -XX -i lo port 389 -vv

This starts tcpdump: -i lo captures on the loopback interface, port 389 filters for LDAP traffic, -vv is very verbose, and -XX prints the data of each packet, including its link-level header, in hex and ASCII.

Now we need to hit the right page on the web server. This isn't hard, because there are only four pages: home, user, info and status.

If you noticed, the status page is the only one that takes long to load, so let's try that one.

In this part of the capture we can see the credentials in plaintext:

Username : ldapuser2

Password : 8bc8251332abe1d7f105d3e53ad39ac2
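The capture above works because an LDAP simple bind on port 389 carries the password as a plain BER OCTET STRING. From the defender's side the same fact is a detection rule: any simple bind with a non-empty password seen on plain LDAP is a cleartext credential on the wire. The following is an added example, not code from the walkthrough. It decodes just enough of an LDAPMessage/BindRequest (RFC 4511) to tell a credentialed simple bind from an anonymous or SASL bind and reports the bind DN without echoing the password. The sample messages, DNs and password are constructed here; a real deployment would feed it reassembled TCP payloads from a capture.

```python
"""Flag cleartext LDAP simple binds in captured TCP payloads (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BER tags used by an LDAPMessage that carries a BindRequest (RFC 4511)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice [0] simple, primitive
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice [3] sasl, constructed


def _encode_len(n: int) -> bytes:
    """BER length: short form below 128 bytes, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(body)) + body


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER element at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length


def build_bind_request(message_id: int, dn: str, password: Optional[str]) -> bytes:
    """Encode a BindRequest (small message ids only); password=None gives a SASL bind."""
    if password is None:
        auth = tlv(TAG_AUTH_SASL, tlv(TAG_OCTET_STRING, b"EXTERNAL"))
    else:
        auth = tlv(TAG_AUTH_SIMPLE, password.encode())
    op = tlv(TAG_BIND_REQUEST,
             tlv(TAG_INTEGER, bytes([3])) + tlv(TAG_OCTET_STRING, dn.encode()) + auth)
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([message_id])) + op)


@dataclass
class SimpleBind:
    message_id: int
    dn: str
    password_len: int     # length only; the password itself is never stored


def parse_simple_bind(payload: bytes) -> Optional[SimpleBind]:
    """Return details of a simple bind, or None for anything else (SASL, other ops, junk)."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        if tag != TAG_SEQUENCE:
            return None
        tag, mid, pos = read_tlv(msg, 0)
        if tag != TAG_INTEGER:
            return None
        tag, op, _ = read_tlv(msg, pos)
        if tag != TAG_BIND_REQUEST:
            return None
        tag_v, _version, pos = read_tlv(op, 0)
        tag_n, name, pos = read_tlv(op, pos)
        tag_a, auth, _ = read_tlv(op, pos)
    except ValueError:
        return None
    if (tag_v, tag_n, tag_a) != (TAG_INTEGER, TAG_OCTET_STRING, TAG_AUTH_SIMPLE):
        return None                       # SASL bind or malformed: no cleartext password
    return SimpleBind(int.from_bytes(mid, "big"), name.decode("utf-8", "replace"), len(auth))


def alerts(payloads: List[bytes]) -> List[str]:
    """One alert per simple bind that actually carries a password on plain LDAP.

    Payloads from a TLS-protected session (LDAPS or after StartTLS) are not BER
    and simply fail to parse, so only genuinely cleartext binds are reported.
    """
    out = []
    for p in payloads:
        bind = parse_simple_bind(p)
        if bind and bind.password_len > 0:   # empty password = anonymous bind
            out.append(f"cleartext simple bind as {bind.dn!r} "
                       f"(msgid {bind.message_id}, {bind.password_len}-byte password)")
    return out


# Constructed sample traffic: a credentialed simple bind, an anonymous bind, a SASL bind.
SAMPLE = [
    build_bind_request(1, "uid=alice,ou=People,dc=example,dc=com", "example-pass"),
    build_bind_request(2, "", ""),
    build_bind_request(3, "uid=bob,ou=People,dc=example,dc=com", None),
]

if __name__ == "__main__":
    for line in alerts(SAMPLE):
        print(line)
```

Only the first sample message produces an alert. The fix on the server side is the one the parser's behaviour implies: require StartTLS or LDAPS for binds, so the bind never appears as readable BER on port 389 in the first place.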

Switching to ldapuser2

Now we have a username as well as a password, so let's switch to ldapuser2.

Reading user.txt

Cracking backup file

In the home directory of ldapuser2 there is a backup.7z file. I downloaded it to my system, but it is password protected, so first we need to crack the password to see the contents.

You can crack the file using hashcat or john, but I'm lazy, so I cracked it with an online cracking website.

It reveals the password: delete

Extracting the File:

7z e backup.7z

Finding the password

Now we have a bunch of files, but last time we got credentials by hitting the status page, so let's check status.php.

Nice, now we have the password for one more user.

Switching to ldapuser1:

Privilege Escalation

Doing ls in the home directory of ldapuser1 shows an openssl executable.

I am already very familiar with openssl, which is why I know that openssl can encrypt and decrypt files.

Encrypting root.txt

We all know the flag is in /root/root.txt, so I encrypt root.txt and save the output to a new file, secrets.txt.en.

We can give any password.

Now, by doing ls, we can check whether our file was encrypted successfully.

Nice, the file was encrypted; now let's decrypt it.

Decrypting root.txt

I decrypted secrets.txt.en to a new file named “thehackingtutorials.txt.new”; now we can read the flag directly with the cat command.

Reading root Flag
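The walkthrough does not say why a copy of openssl sitting in a user's home directory can read /root/root.txt, which a normal unprivileged process cannot. On Linux the usual cause of this pattern is a file capability such as cap_dac_read_search set on the binary, which bypasses file read permission checks; that is an assumption about the mechanism, not something the page states. Whatever the cause on this box, the check a defender wants is an audit of file capabilities on the whole filesystem. The following is an added example, not from the walkthrough: it parses `getcap -r /` output in both formats libcap has used ("path = caps+ep" and "path caps=ep") and reports binaries whose permitted capabilities let them bypass normal permission checks. The sample output, paths and the "example-tool" name are constructed; getcap_live() runs the real command if it is installed.

```python
"""Audit Linux file capabilities for binaries that bypass permission checks (added example)."""
import shutil
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Capabilities that let a binary read or take over what its caller could not.
# Descriptions paraphrase capabilities(7).
RISKY: Dict[str, str] = {
    "all": "every capability (equivalent to root)",
    "cap_dac_read_search": "bypasses file read/search permission checks",
    "cap_dac_override": "bypasses file read/write/execute permission checks",
    "cap_setuid": "can switch to any UID, including 0",
    "cap_setgid": "can switch to any GID",
    "cap_sys_admin": "broad administrative operations, e.g. mounts",
    "cap_sys_ptrace": "can trace and inject into other processes",
    "cap_sys_module": "can load kernel modules",
    "cap_chown": "can change ownership of any file",
    "cap_fowner": "bypasses owner checks on file metadata",
    "cap_setfcap": "can grant file capabilities to other binaries",
}


@dataclass
class Finding:
    path: str
    caps: List[str]
    flags: str          # subset of "eip": effective, inheritable, permitted
    risky: List[str]

    @property
    def needs_review(self) -> bool:
        # Only permitted (p) capabilities can be used by the program at all;
        # "+ep" additionally makes them active as soon as it starts.
        return bool(self.risky) and "p" in self.flags


def parse_getcap_line(line: str) -> Optional[Finding]:
    """Parse one getcap line in either the old or the new output format."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:                       # libcap <= 2.40: "/bin/x = cap_a,cap_b+ep"
        path, capstr = line.split(" = ", 1)
    else:                                   # libcap >= 2.41: "/bin/x cap_a,cap_b=ep"
        path, _, capstr = line.rpartition(" ")
        if not path:
            return None
    sep = "+" if "+" in capstr else "="
    names, _, flags = capstr.partition(sep)
    # An empty name list ("=ep") means every capability.
    caps = [c.strip().lower() for c in names.split(",") if c.strip()] or ["all"]
    risky = [c for c in caps if c in RISKY]
    return Finding(path.strip(), caps, flags.strip(), risky)


def audit(getcap_output: str) -> List[Finding]:
    """Findings for binaries carrying at least one risky, permitted capability."""
    found = []
    for line in getcap_output.splitlines():
        f = parse_getcap_line(line)
        if f and f.needs_review:
            found.append(f)
    return found


def getcap_live(root: str = "/") -> Optional[str]:
    """Run getcap recursively if it is installed; None otherwise."""
    if shutil.which("getcap") is None:
        return None
    res = subprocess.run(["getcap", "-r", root], capture_output=True, text=True)
    return res.stdout


# Constructed sample output: a normal ping, a copied binary with a file-read
# bypass, a new-format line that is permitted but not effective, and a benign
# capability that is permitted only.
SAMPLE_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/home/someuser/openssl = cap_dac_read_search+ep
/usr/bin/example-tool cap_sys_ptrace=p
/usr/sbin/arping = cap_net_raw+p
"""

if __name__ == "__main__":
    output = getcap_live() or SAMPLE_OUTPUT
    for f in audit(output):
        why = "; ".join(RISKY[c] for c in f.risky)
        print(f"{f.path}: {','.join(f.risky)}+{f.flags} -> {why}")
```

On the constructed sample only the copied openssl and example-tool are reported; cap_net_raw on ping is the normal, expected case. A binary carrying cap_dac_read_search outside a package-managed path is exactly the kind of finding that deserves removal with `setcap -r`, since any tool that can read or encrypt a file with that capability can read files owned by root.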
