ForwardSlash — HTB walkthrough

This was a very tough box. And I learnt a lot from it. I have tried my best explaining it here. First some insights on upcoming things.

  1. Luks — Linux Hard Disk Encryption
  2. cryptsetup — setup cryptographic volumes for dm-crypt (including LUKS extension)
  3. Format: cryptsetup luksOpen <device> <name>
  4. Symlinks : Creates virtual links from one folder to another,to access data.

ENUMERATION

Visiting site redirects us to forwardslash.htb. Lets add this to host file

Gobuster scan reveals following: Note.txt

Subdomain search.Tried forwardslash.htb/backup — — does not exist.Tried WFUZZ for subdomain scan but it sent cannot resolve host.So went for gobuster scan.

Adding this to /etc/hosts we visit site

Login in

We see our name reflects here. Visiting one by one we see

On profilepicture page we see , it is disabled. Lets inspect elment

We can enter url. Let’s enter /etc/passwd

I tried reading /home/chiv/.ssh/id_rsa and similarily for pain, but didn’t work. So what file to read?? Let’s see our gobuster scan , if it revealed something

Lets capture request on burp so we don’t need to make changes on browser again and gain. Also let’s try sending base64 PHP LFI /etc/passwd request.

Decoding this we get

EXPLOITATION

SSH Worked

We haven’t got our user pain yet, so enumerating

We got config.php.bak in /var/backups and an SUID enabled file “backup”. Enumerating more I saw input from /var/backups/config.php.bak goes in as key to /usr/bin/backup. This input is MD5SUM Hash of Timestamp created by Pain using /var/backups/config.php.bak. Which is checked by /usr/bin/backup and backup is created.

Got pain creds. We can get user.txt

PRIVILEGE ESCALATION

That we have got our Pain creds. We see we have encryption decryption script. Which takes in key and msg and produces a cipher text. We have cipher text and script. Now we need is decryption. For this we will add some code to open cipher text file. Assume key should be somewhere in between length of cipher text range. Running each character in alphabet against that length.

Example : a < ran 1 to 165 (164) times> , then b < ran 1 to 165 (164)times> and so on covering each letter 164 times as a key. This means 1st time key =a , next time k = aa and so on till k = DEL/rubout(164times)<refer ascii sheet for ascii char codes> . This will create a key and msg pair. Now we will check this decrypted message if it contains “the”, “be” “and” “of” , common words . Then we print out value, length of key and value of msg

When we do sudo -l to check privileges we see , we can run commands as sudo . The command we can run is cryptsetup using luksopen.

We see we have got our id_rsa private key. Copying this to our machine , giving perfect permissions and running against SSH we get root.

ROOTED!!!