
HackTheBox - Down

IppSec

25m 22s, 3,249 words, ~17 min read
Auto-Generated

[0:00] What's going on, YouTube? This is IppSec, and today we'll be doing Down on Hack The Box. This box did come from VulnLabs. If you didn't hear, Hack The Box acquired VulnLabs a couple months ago, and will be releasing content on HTB throughout the rest of the year. This box is pretty simple. It starts off with an "Is It Down" type of site, which if you put your IP address in, you can see it uses curl to check if a page is there. We can inject arguments but are unable to drop a shell because we don't have write permissions to the web root. It does allow us to perform local file disclosure because when it does that curl request, it outputs the content of that page. So we can leak the source of index.php, which reveals a hidden argument that will switch it from curl to Netcat, and through argument injection, we can get a shell. Looking at the box with the shell, we discover there is a Python password manager called pswm. We can write a quick brute forcer, decrypt the data, and get a root credential. So, with that being said, let's just jump in. As always, we're going to start off with an Nmap: -sC for default scripts, -sV to enumerate versions, -vv for double verbose, which gives us things like the TTL, -oA to output all formats into the nmap directory and call it down, and then the IP address. This is a VulnLab box, so there are no static IP addresses; that's why we have this 10.129.234.143 IP address. The platform gives you this when you spawn the box. Your IP will be different than mine. Nmap can take some time to run, so I've already run it. Looking at the results, we have just two ports open. The first one is going to be SSH on port 22, and the banner tells us it's an Ubuntu server. We also have HTTP on port 80. Its banner tells us it's Apache running on Ubuntu. And then looking down, we can see the title of the page is "Is it down or just me?" So, let's just go ahead and take a look at the page. And we get just a simple page.
We could enter a URL here, but the first thing I like doing is taking a look at the page source, just to see if I can identify how the page is built. The thing that sticks out to me is we have index.php, so this is telling me it's a PHP website. The other thing I would do is make 404 error pages, because Django, Laravel, all those frameworks have very distinct error messages on 404s, so you can normally pin it down that way as well. But we know this is a PHP website. We could start gobuster up in the background trying to find other PHP scripts on the server, but let's just go ahead and enter this request, right? I'm going to enter my IP address, which I think maybe has changed. Let's do ifconfig tun0. 84. Wow, it has changed greatly. So, we'll do 10.10.14.84, and I'm going to listen on port 8000. And then we can click "Is it down?" And we see the page is making requests to us. The user agent is curl. So, I know the page is probably doing a system command to run things, right? So, let's go ahead and send this over to Burp Suite and play with command injection. So, I'm going to go over here. Burp. It did not send it. Click on that. There we go. HTTP, am I intercepting? I am. Send. Okay. So, I'm going to put this in the Repeater. And if we just send this, let's see. We sent the page. And what size do we get back? 1064. So, I always like looking at the size we get back. Now let's do a semicolon, sleep 1, and then I'm going to URL-encode that semicolon. And it's taking way longer than a second. Did the page just completely crash? I wonder if this is doing some type of DNS resolution now or something and it's taking a while. Let's see. While this goes, let me ping this IP address. So we have a ping going. Open a new pane. Get rid of this. I'm going to do a python3 -m. Before I do that, I'm going to make a directory.
And what I'm doing here is I just want to make a request, have it come back to us, verify the server is up, and we see it there. So, now I'm going to try my sleep again. So, when I put that semicolon there, this is when the server stopped responding to me. It still isn't responding. We don't get anything. So, I don't know exactly what is happening here. This is very odd behavior, right? Let's see. I'm going to do a plus then sleep, and I'm just putting a space after that semicolon. And that seems to come back, but we're still not getting any results. So, this semicolon is breaking things in a weird, weird way. Let's see. We can do a slash and then I'm going to do id like this. And I'm trying for command injection here. So, if we send this, we see we just get id. So, that's not command injection. I was hoping we'd get the output of that command. We could try something like this. And again, the reason why I'm trying this is because we know the server is using curl, so it's using a system command. So, that doesn't work. Let's see. Can we even manipulate the arguments? So, what I'm going to do here is we'll do a Netcat again on port 8000. And then I'm going to say, let's see, it's doing curl and then the URL here. So, I bet if I do a -x, let's change this to a POST request. And we can do pluses for spaces. We don't get anything. We get an error message here that says only the protocols HTTP or HTTPS are allowed. So, I'm going to move this to the end of my string. So, do URL plus, and then change it to a POST request this way.

[6:09] And let's see. It still does not look like it wanted to work. Is it a -x or a capital -X? curl, I'll try capital X first, 127.0.0.1:8000. Maybe it's a capital X. It always is handy to test things. Maybe lowercase x is proxy? Yeah. So, let's go back and change this to uppercase -X. Send the POST. And we see we can inject arguments into curl. So, I'm going to go over to GTFOBins. I'm going to turn my Burp Suite off, so I'm not proxying this one. And then we're going to type curl and see what we can do. We have file upload, file download, file write, read, sudo and SUID. So curl doesn't look like it has a way to allow us to execute commands. But it is giving us a way to download files, and that will be the -o probably. Yes, it's doing a -o here. So, let's go ahead and try to write something. So, I'm going to do a -o and then I'm going to guess this is in /var/www/html. I'll call it shell.php.

[7:30] And let's go ahead and put something on our server. So, vi, we'll do index.php. I'll probably call it shell.php instead. We'll do system, request, cmd, like this. Just write a quick PHP shell. I'll move index to shell.php.

[7:52] Start up our web server again. And let's see. We're doing that curl. We'll call it shell.php. -o, I don't know why that disappeared. /var/www/html/shell.php. Save it. We have a successful download. So, now let's go ahead and see if we can hit it. So, I'm going to go over here. I'm going to try shell.php. And we get a 404 Not Found. So, the user that is running this curl command probably doesn't have permissions to write into the HTML directory, right? What I would normally do here is look at where images are hosted. Let's see. There is an image here, right? Open image in new tab. logo.png. I was hoping it's in an images directory, because normally you'd have write access there. We could also run gobuster, but I don't think we have write access anywhere on this server. So, it doesn't really help us, right? But if I could write into /images, then I could drop my shell into images/shell.php and then execute it that way. So we're kind of back at the drawing board. There is another interesting thing that curl does: if we do curl, let's do ippsec and then google.com, it's going to just attempt to curl this and then move to the next one, right? And what that's going to enable me to do is we can do http:// and then put a space and then anything else we want. curl can grab files, right? So, that's what I'm going to try. So, we have this http://. And then I'm going to erase this and I'll just put a plus, which is going to be a space. And then we're going to see if we can do /etc/passwd and if we have any type of file disclosure, right? So, if we do this, we get passwd. Again, the reason why I'm doing that is if we just did the file, we're going to get an error message because it requires HTTP or HTTPS. So, what I'm doing here is making sure the string begins with http://, then putting a space, and then the URL I want.
The PHP code on the backend is just making sure this argument begins with HTTP. It's not checking if the URL begins with HTTP, if that makes sense. So, we can get files out of here. So, let's go ahead and look at index.php. So, I'm going to do /proc/self/cwd to go into the current working directory, index.php. You could probably just do file://; we can try that real quick. This is normally what I do to get to the web directory's root. But I bet if we just did file://index.php, maybe we need three slashes. Is it going to be here? No, I guess you'd have to guess it, or you could do /var/www/html, right? So, we're here. I guess that's what we could do. We want to make sure, when we wrote the shell, we wrote it to /var/www/html, but maybe the page is under /var/www/down/html or something like that. So, right here I'm just seeing where index.php is, and we get the contents of it, so I know it's in /var/www/html. So, I'm pretty certain the reason why our file download didn't work is because we didn't have permission. But I'm not positive yet. Right now, I'm just going to decode the page, and then we can say vi page.html and paste this in, because we put index.php in that output, so what I'm doing here is viewing it. So, we can do firefox page.html. And the reason why I did that Burp Suite Decoder is if we looked at what it had given us, it's in my Burp Suite Repeater, it was all HTML-entity encoded or whatever this is. So, that's why I'm using Burp Suite Decoder to get it into a format that I can read better, right? So, this is going to be where the PHP script is. We have if isset expert mode and expert mode is tcp, then it's going to do escapeshellcmd Netcat. So, we have a hidden mode if we have expert mode in our parameters. Let's see. This is URL. We're going to trim the URL. We're doing a match. So, we're making sure it begins with http:// or https://.
And then we're doing an escapeshellcmd curl URL. So, we had this begin with HTTP. Let's do it. I'll do it here, since it's bigger. So, it began with that. Then we did a space and then did file://. So, that's why it bypassed this, because our string still began with HTTP. So, let's see. We want to get over to probably this Netcat, right? So, let's go expert mode equals tcp. So, we can say question mark, expert mode equals tcp. And it's an IP address and a port number. So, if we do 10.10.14.8, port 8000. We can do nc -lvnp 8000 after we stop our web server. Run this. My IP is actually something weird, right? It was like 84. 84. There we go. Is it refused? Something weird is going on. Disable new tab. 10.10.14.84, 8000. Is it refused? Now it's doing a Netcat. I think things are just going slow.

[14:41] But that's definitely a Netcat connection, because it's not giving us the user agent and other things. So, yeah, I think something's just going slow. There we go. It's telling us it is open. So, let's go ahead and intercept this. Turn intercept on. 10.10.14.84, 8000. Send this. Send it over to Repeater. And then I'm going to do a space, -e /bin/bash. And then let's see. Stand up the shell. Run it. This is really taking longer than I'd expect. There we go. We got the shell. Let's do a python3 -c 'import pty; pty.spawn("/bin/bash")'. Let's get a proper TTY: stty raw -echo; fg. Enter, enter. And then we can export TERM=xterm, which is going to let us clear the screen. So, now that we have a shell, let's just do an ls. And we can see we're in /var/www/html. Root owns all these files. And the only one we could potentially overwrite is this user_ and then some random stuff .txt, which is the user flag of this box. So, this is why dropping the shell did not work. We just did not have permission to write into this directory, right? Read and execute on group root, and read and execute on everyone. And it's the same thing for all the files. So, that is why we couldn't use curl to just drop a file. But now we have to figure out a way to get root. Normally, I look at databases when I pop a web server and see if there's any credentials there, but this doesn't have a database. So, let's see. I'm going to do find . -type f. No real interesting files here. We'll do it in /home. And let's see. There is this directory. I don't know what pswm is. Let's go here. cat pswm. We get a few base64 strings. It looks like maybe they're delimited by a star, right? We see base64, then star, base64, star.

[17:07] So, we can do echo -n, base64 -d. Let's pipe it to xxd. And it just looks like random data, which is probably going to be encrypted text. So, let's Google pswm. Let's turn my Burp Suite back off. pswm. Let's go over to Google. My internet is going slow. Let's see. pswm: a simple command line password manager. Okay.

[17:49] This may be it. Let's see if we go over to this. I'm guessing this is the code. So, it's going to be Python.

[18:07] And let's see. Where's main? So, we do manage master password. Then we do password is lines to password. What is this function doing?

[18:31] Nothing too interesting. Let's go back to... Oh, there's an encrypted_file_to_lines. This function opens and decrypts the password vault. It takes the file name and the master password. So this is probably what we want. I'm going to copy this. And we'll probably have to do this on a local box. So, I'm going to vi crack.py. We'll put that in. Save it. I'm going to cat pswm. And I'm going to put an echo after it just so it's easier to copy. Go here. vi pswm. I did QM. There we go. Paste this. Okay. And now we have to crack this. So, it's using the cryptocode library. So, python3 -m venv. Let's create a virtual environment. Then we can do source venv/bin/activate. pip3 install cryptocode. Is it just a library? There we go. We have installed it. So, let's see. crack.py, we have that. Let's import cryptocode. Okay. Let's see, it's also using os. And then I'm going to import sys, so I have argv. So, we have this function. And it looks like it will return False if we can't decrypt, and then it returns the decrypted content if we can. So, let's do a loop. So, I'm going to do with open and then we'll just do sys.argv[1]. And this is going to be our word list, right? I'm probably going to point this to rockyou. We're going to do as wordlist. And then we can say for, I'll call it pw, for password in wordlist. Let's try decrypting it. So, we'll do decrypted is equal to, was it encrypted something? encrypted_file_to_lines. Yes, file_name and master_password.

[21:07] So, the file name was pswm. And the password is going to be just whatever entry we are on in the word list.

[21:20] Then we can say if decrypted, there we go. We want to print the pw, and then we will also print decrypted. And then we can just exit. So, I'll do sys.exit as well. That should be fine. We can do python3 crack.py. And then I'm going to give it rockyou. So /usr/share/wordlists/rockyou.txt. And let's see. Does this go?

[24:03] It looks like it already cracked. I was about to say I'm going to pause the video, but we have flower. So, that's going to be the decrypted key. Then we have pswm, Talex flower. Alex at down. So, this is probably the host. So, tab is going to be tab-delimited, right? So, I can probably just do a printf on this. I don't think I need a space. That, right? There we go. So, we have alex@down, alex, and then this, which is probably going to be the password. So, let's go. We're going to just try SSH. So, ssh alex@10.129.234.143. Yes. Paste. And we're in. So, let's see. It says sudo as admin successful. If we do sudo -l, put this in. Alex can run anything. So, if I do sudo su, go into root's home directory. And we have root.txt. So, that's going to be the box. Hope you guys enjoyed it. Take care and I will see you all next time.
