
Monday, January 8, 2024

Bizness - Hack The Box Seasonal Machine [PWNED!!] - My Walkthrough

  

Today I will briefly go over how I exploited this easy machine on Hack The Box. At the time of writing, this machine is one of the active Season 4 seasonal machines.

Standard recon on the box reveals three open ports: 22, 80 and 443. It also reveals the hostname bizness.htb, which I add to /etc/hosts straight away.

Nmap recon result:

Ports 80 and 443 (running the open source nginx web server) indicate a web server is active on the target, so I browse to the site. Accessing it over HTTP immediately redirects to HTTPS.

The site itself looks like that of a business management company offering services to help customers grow and manage their businesses.

Further enumeration, specifically directory fuzzing, turns up a /control/login endpoint.

 

Navigating to this endpoint shows a login prompt; no default credentials work here. Research online shows that the target web server is vulnerable to an authentication bypass, and a little more searching finds the exploit hosted on GitHub. After cloning the repo to my local machine, I launch the exploit against the target.

 


The exploit's payload is supplied through its 'cmd' parameter; I use it to spawn a reverse shell back to my local machine. That is how I gain a foothold on the box and grab the user.txt flag.

 

Privilege escalation is straightforward. Looking around the filesystem, you find a SHA-1 hash in one of the XML files. Cracking that hash with hashcat yields the password of the root account on the box.
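As an added check (my own example, not part of the walkthrough and not the machine's real configuration): a small Python audit that flags bare hex SHA-1-looking values inside XML config files, the kind of stored credential that made this privilege escalation trivial. The sample XML below is constructed.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# 40 hex characters is the length of a hex-encoded SHA-1 digest. A bare digest
# with no salt or work factor is exactly what a fast cracker like hashcat eats.
SHA1_HEX = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")

# Constructed sample config (hypothetical layout): one account stored as an
# unsalted SHA-1 digest, one stored with a proper KDF string, one non-secret.
SAMPLE_XML = f"""<config>
  <user name="admin" password="{hashlib.sha1(b'example-only').hexdigest()}"/>
  <user name="svc" password="pbkdf2-sha256$260000$c2FsdA$Zm9vYmFy"/>
  <setting name="timeout" value="30"/>
</config>
"""

def find_sha1_like(xml_text):
    """Return (element tag, attribute name or 'text', digest) for every
    attribute value or text node that looks like a bare hex SHA-1 digest.
    A 40-hex string can also be a commit id or similar, so treat each hit
    as something to review, not as proof of a stored password."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        candidates = list(elem.attrib.items())
        if elem.text and elem.text.strip():
            candidates.append(("text", elem.text.strip()))
        for where, value in candidates:
            for digest in SHA1_HEX.findall(value):
                findings.append((elem.tag, where, digest.lower()))
    return findings

if __name__ == "__main__":
    for tag, where, digest in find_sha1_like(SAMPLE_XML):
        print(f"{tag}@{where}: unsalted SHA-1-looking value {digest}")
```

Run it over a directory of configuration files and treat every hit as a credential to rotate and re-store with a salted, slow hash, and never reuse it for a system account.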
