ForwardSlash — HTB walkthrough

Dhanishtha Awasthi
5 min read · Jul 14, 2020


This was a very tough box, and I learnt a lot from it. I have tried my best to explain it here. First, some background on the things that come up later.

  1. LUKS: Linux Unified Key Setup, the standard Linux hard-disk encryption format.
  2. cryptsetup: the tool that sets up cryptographic volumes for dm-crypt (including the LUKS extension).
  3. Format: cryptsetup luksOpen <device> <name>
  4. Symlinks: symbolic links, filesystem entries that point at another file or directory so its data can be reached through a second path.

ENUMERATION

Visiting the site redirects us to forwardslash.htb. Let's add this to the hosts file.

(Screenshot: website front page)

A gobuster scan reveals the following: Note.txt

Subdomain search. I tried forwardslash.htb/backup, which does not exist. I tried wfuzz for subdomain scanning, but it returned "cannot resolve host", so I went with a gobuster scan instead.

Adding the discovered subdomain to /etc/hosts, we visit the site.

Sign up with username offs3cg33k and password abcdef.

(Screenshot: logging in)

We see our username reflected here. Visiting the pages one by one, we see:

1. Hall of Fame
2. Facts
3. Change Profile Picture
4. Reset Username

Facts has something in its source code.

On the profile picture page we see that the input is disabled. Let's inspect the element.

Removing the disabled attribute from the input and submitting:

We can now enter a URL. Let's enter /etc/passwd.

(Screenshot: removing disabled in the developer tools)
(Screenshot: /etc/passwd returned)

I tried reading /home/chiv/.ssh/id_rsa and similarly for pain, but it didn't work. So what file should we read? Let's see whether our gobuster scan revealed something.

What about reading something under /dev?

Let's capture the request in Burp so we don't need to make changes in the browser again and again. Also, let's try sending the base64 PHP filter LFI request for /etc/passwd.

(Screenshot: trying /dev/index.php)

Decoding the base64 output, we get:

These could be creds for 1) FTP anonymous login, 2) login on backup.forwardslash.htb, or 3) SSH.
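The profile-picture bug above comes down to the server fetching whatever the user typed, with the HTML disabled attribute as the only control. As an added defender-side example (not code from the box or from this post), here is a hypothetical server-side validator in Python that rejects bare paths such as /etc/passwd, php:// and file:// wrappers, loopback and private addresses, and any host outside an allowlist; cdn.example.test is an assumed name, not something on the box.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only host the application should
# ever fetch profile pictures from. Hypothetical name, not from the box.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"cdn.example.test"}


def validate_picture_url(url: str) -> Tuple[bool, str]:
    """Server-side check for a user-supplied profile picture URL.

    Returns (ok, reason). The 'disabled' attribute on the form field is a
    client-side hint only and is trivially removed, so this check is the one
    that actually has to hold.
    """
    parts = urlsplit(url.strip())

    # A bare path like /etc/passwd has no scheme at all; php://, file://,
    # data: and similar wrappers have the wrong one. Only http(s) may pass.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % (parts.scheme or "")

    host = parts.hostname
    if not host:
        return False, "missing host"

    # Literal IP addresses: refuse loopback, link-local, reserved and RFC 1918
    # ranges so the fetcher cannot be pointed at localhost or internal services.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and (ip.is_loopback or ip.is_private
                           or ip.is_link_local or ip.is_reserved):
        return False, "address range not allowed: %s" % ip

    # Everything else must be a host we explicitly trust to serve images.
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allowlist: %s" % host

    return True, "ok"


# Constructed inputs mirroring what the walkthrough sent, plus a legitimate one.
SAMPLE_INPUTS = [
    "/etc/passwd",
    "php://filter/convert.base64-encode/resource=index.php",
    "file:///etc/passwd",
    "http://127.0.0.1/admin",
    "http://10.0.0.5/img.png",
    "https://evil.example.test/a.png",
    "https://cdn.example.test/avatar.png",
]

if __name__ == "__main__":
    for u in SAMPLE_INPUTS:
        ok, reason = validate_picture_url(u)
        print("%-55s %s (%s)" % (u, "ACCEPT" if ok else "REJECT", reason))
```

The allowlist is what makes this robust: a denylist of wrappers would miss the next one. A production version additionally resolves the hostname and checks the resolved address against the same ranges, which this offline example leaves out.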

EXPLOITATION

(Screenshot: SSH login worked)

We get chiv's shell.

We haven't got our user pain yet, so we keep enumerating.

We found config.php.bak in /var/backups and an SUID-enabled binary, backup. Enumerating further, I saw that the input to /usr/bin/backup is a key: the MD5 hash of a timestamp, created by pain using /var/backups/config.php.bak. /usr/bin/backup checks this key and then the backup is created.

Got pain's creds. We can get user.txt.

PRIVILEGE ESCALATION

Now that we have pain's creds, we see there is an encryption/decryption script which takes a key and a message and produces a ciphertext. We have the ciphertext and the script; what we need now is decryption. For this we will add some code to open the ciphertext file. Assume the key length lies somewhere within the range of the ciphertext length, and run each character of the alphabet at each of those lengths.

Example: "a" run 1 to 165 (164) times, then "b" run 1 to 165 (164) times, and so on, covering each letter 164 times as a key. This means the first key is "a", the next is "aa", and so on, up to DEL/rubout repeated 164 times (refer to an ASCII table for the character codes). This creates a key and message pair. We then check whether the decrypted message contains common words such as "the", "be", "and" and "of", and if so we print the key, the length of the key and the message.

Running the script gives us the key.

Running sudo -l to check our privileges, we see that we can run a command as root: cryptsetup with luksOpen.

Now we run cryptsetup against /var/backups/recovery/encrypted_backup.img, using the key we recovered as the passphrase.

We see that we have got the id_rsa private key. Copying this to our machine, setting the proper permissions and using it with SSH, we get root.

ROOTED!!!


Written by Dhanishtha Awasthi

OSCP | CEH | Cyber Security Enthusiast.
