Hack The Box – Curling Write-up By Nikhil Sahoo

Introduction

So, finally, I'm back with a new blog. Today we will go through a walkthrough of the Hack The Box machine Curling, which retired very recently. It was actually a fun box and its level was stated as easy. Getting the user flag was tougher than getting the root flag. Many were stuck and, like me, overthinking the root flag, but the answer was right in front of us. All that needed to be done was to actually look for it. So follow the write-up carefully.

 

So let’s begin !!!

Recon

We’ll start our recon with an nmap scan.

As we can see from the results, port 22 and port 80 are open. If we search Google for the above service version numbers, we won’t find anything fancy to go forward with from here.

So next let’s open port 80, i.e. the IP, in our browser, and we’ll find a website built with the Joomla framework.

 

We can scan the IP with the joomscan tool and it will show the version of Joomla installed. In our case, the Joomla version was 3.8.8.

Now, moving to the source code of the home page:

 

If you have good eyes, you will see a filename, secret.txt, mentioned in a comment at the bottom of the source code.

So let’s move to secret.txt and see its contents.

It looks like Base64 text: “Q3VybGluZzIwMTgh”. Let’s try to decode it.

Go to your Kali and type the following: echo -n "Q3VybGluZzIwMTgh" | base64 -d

Result: Curling2018!

 

So it looks like it must be some kind of password.

We know that Joomla has an administrator login page at URL/administrator.

The next job was to find a username. Here I got stuck a little bit because, instead of looking properly at everything on the homepage, I tried running Hydra and wfuzz and got zero results. So never make this mistake: always enumerate each and every bit properly.

If we go to the home screen and look properly, we’ll see the name “Floris”.

 

 

So now let’s login:

 

Go to Templates > Templates and select a theme of your choice.

 

Now we can create our own file for a reverse shell. One thing to note: never touch any of the server’s default files like index.php. Some people were changing it and the box kept crashing.

So download the PHP reverse shell from pentest monkey. Change the IP and your desired port number and upload the shell.

Start a listener on your Kali using netcat: nc -lnvp 7878

Then open the link to your uploaded shell, which can be found at the following path: http://url/template/<template_name>/<uploaded_shell_name>

Once you open it, you’ll get a reverse shell on the netcat listener on port 7878.
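From the defender's side, the step above leaves a trace that is easy to catch: a new PHP file appears under the site's template directory, or an existing template file changes. The script below is an added example (not code from the box, the author, or Joomla) that builds a SHA-256 manifest of a directory and diffs it against a baseline taken after deployment, reporting new or modified server-side scripts as suspicious. The directory tree it checks is constructed in a temporary folder; the template name sample_template is made up.

```python
"""File-integrity check for a web template directory.

Added example (not code from the box, the author, or Joomla): build a SHA-256
manifest of a directory once after deployment, then re-run it later and diff.
New or modified files ending in .php/.phtml/.php5 are reported as suspicious.
The directory tree used in demo() is constructed in a temporary folder.
"""
import hashlib
import pathlib
import tempfile

SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5")


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = pathlib.Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Diff two manifests; 'suspicious' lists added or changed server-side scripts."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    suspicious = [k for k in added + modified if k.lower().endswith(SCRIPT_EXTENSIONS)]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def demo():
    """Constructed scenario: baseline a template dir, then a new .php file appears and a stylesheet changes."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = pathlib.Path(tmp) / "templates" / "sample_template"   # constructed name
        (tpl / "css").mkdir(parents=True)
        (tpl / "index.php").write_text("<?php // constructed template entry point\n")
        (tpl / "css" / "template.css").write_text("body { margin: 0; }\n")
        baseline = build_manifest(tpl)

        # Later: something new appeared and an existing file changed.
        (tpl / "extra.php").write_text("<?php // constructed new file\n")
        (tpl / "css" / "template.css").write_text("body { margin: 1em; }\n")
        return compare_manifests(baseline, build_manifest(tpl))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline manifest is stored off-host (or at least outside the web root) and the comparison runs from cron or a monitoring agent; a web application's own editor should never be the only thing standing between an admin password and code execution on the server.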

 

Now let’s go to the /home/floris directory. You’ll see three important folders/files. Here we can find user.txt, but we won’t be able to open it because we don’t have permission.

 

But we also have a file named password_backup.

So let’s start a Python web server to download the password_backup file: python3 -m http.server 8000

Go to your browser and open the port 8000 of the IP.

Download the password_backup file.

Now go to the terminal and check the file type by typing: file password_backup

The result shows that it’s a text file. Now open it using any editor.

 

It looks like a hexdump.

Let’s reverse the hex using the xxd command: xxd -r password_backup > password

Now check the type of the file again.

It looks like a bzip2 file, so rename it with a .bz2 extension and decompress it using the command:

bzip2 -d password.bz2

Again check the file type of the decompressed file. It looks like a gzip file, so rename it with a .gz extension and decompress it using the command: gzip -d password.gz

Keep repeating these steps: check the file type, rename the file with the matching extension, and decompress it.

In the end we will find a tar file. Rename it with a .tar extension and extract it using the command:

tar xvf password.tar

 

We will get a txt file now, and opening it reveals the text “5d<wdCbdZu)|hChXll”, which looks like a password.
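The unwrapping loop above (check the file type, rename, decompress, repeat) can be automated by sniffing each layer's magic bytes, which is what the file command does, instead of relying on extensions. The script below is an added example, not the author's code and not a copy of the box's password_backup: it builds its own nested sample (text, then tar, gzip, bzip2 and an xxd-style hexdump) in memory with a made-up placeholder password, then peels the layers off in whatever order they appear. It goes slightly beyond the page by also recognising zip and repeated bzip2/gzip layers.

```python
"""Peel a multi-layer backup (hexdump / bzip2 / gzip / zip / tar) by sniffing magic bytes.

Added example, not the author's code and not the box's password_backup: the
sample in build_sample() is constructed in memory and the password it hides is
a made-up placeholder.
"""
import bz2
import gzip
import io
import re
import tarfile
import zipfile

_HEXDUMP_LINE = re.compile(rb"^[0-9a-fA-F]{8}: ")


def bytes_to_hexdump(data):
    """Render bytes in xxd's default layout (offset, 4-hex-char groups, ASCII gutter)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups.ljust(39)}  {text}")
    return "\n".join(lines) + "\n"


def hexdump_to_bytes(dump):
    """Reverse an xxd-style dump (what `xxd -r` does): keep the hex area, drop offset and gutter."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_area = line.split(":", 1)[1].split("  ", 1)[0]   # gutter starts after two spaces
        out.extend(bytes.fromhex(hex_area.replace(" ", "")))
    return bytes(out)


def detect_layer(data):
    """Identify the outer container from its magic bytes, like `file` does."""
    if data.startswith(b"BZh"):
        return "bzip2"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if len(data) > 262 and data[257:262] == b"ustar":   # ustar/GNU/PAX tar magic
        return "tar"
    if _HEXDUMP_LINE.match(data):
        return "hexdump"
    return "plain"


def unwrap(data, max_layers=16):
    """Strip containers until plain data remains; returns (payload, list of layers removed)."""
    layers = []
    for _ in range(max_layers):
        kind = detect_layer(data)
        if kind == "plain":
            return data, layers
        layers.append(kind)
        if kind == "hexdump":
            data = hexdump_to_bytes(data.decode("ascii"))
        elif kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                data = zf.read(zf.namelist()[0])      # first member only
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                member = next(m for m in tf.getmembers() if m.isfile())
                data = tf.extractfile(member).read()
    raise ValueError(f"gave up after {max_layers} layers: {layers}")


def build_sample(secret=b"constructed-sample-password"):
    """Constructed stand-in for password_backup: text -> tar -> gzip -> bzip2 -> hexdump."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    return bytes_to_hexdump(bz2.compress(gzip.compress(buf.getvalue()))).encode("ascii")


if __name__ == "__main__":
    payload, layers = unwrap(build_sample())
    print(" -> ".join(layers), "->", payload.decode())
```

The max_layers guard matters for the same reason it matters in the manual loop: a file that keeps decompressing into another container is either a deliberately deep puzzle or a decompression bomb, and a script should stop rather than run until the disk fills.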

 

Now, if we remember, port 22 (SSH) is open, we know there is a user named floris, and we just got the password. So let’s log in by typing: ssh floris@ip

 

Now type the ls command. We can see the user.txt file. Open it with any text editor.

 

Thus we got our user flag. Now let’s hunt for root flag.

We can see a directory named admin-area; let’s get into it. Two files can be found in that directory, named input and report.

 

On opening those files, the input file contained an entry with a URL, which was localhost, and the report file contained the HTML code of the home page on port 80.

 

I was looking here and there, but the answer was actually right in front of me.

Look at all running processes by typing ps -ef. You can also use a tool named pspy to monitor processes.

 

We can see here that the cron daemon is running, which is used for executing scheduled tasks. To confirm this, if we run ps -ef again after a minute or so, we will find that the curl command highlighted above no longer exists. So curl is the one doing all the work. The -K option makes curl read its options (here, the URL) from the input file, and the response is then written to the report file using the -o option.

So what we can actually do here is change the contents of the input file, i.e. the URL value, from http://127.0.0.1 to file:///root/root.txt, because we know that the root flag is present inside the root directory, and then type the same curl command as highlighted above.

The contents of that file will be reflected in the report file and we will be able to view the root flag.
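The root of the escalation above is that a root cron job consumes a curl config file (-K) that a low-privileged user can edit, and curl will happily fetch a file:// URL from it. As an added example (not part of the box, the author's write-up, or curl), the script below audits such a config before a privileged job uses it: it parses curl's config syntax, rejects any url whose scheme is not http or https, warns about nested config files, and checks that the file is owned by the job's uid and not group- or world-writable. The input/report names and the two URLs are from the page; the option parser, the temporary file used in demo_permission_check() and all sample configs are constructed.

```python
"""Audit a curl config file (the -K/--config input) before a privileged job uses it.

Added example, not part of the box and not part of curl. It flags the two
conditions behind the escalation on this box: a url with a scheme other than
http/https (file:// reads local files), and a config file that the job's
owner does not own or that other users can write to.
"""
import os
import re
import stat
import tempfile

ALLOWED_SCHEMES = {"http", "https"}

# curl config syntax: optional leading dashes, option name, then whitespace, ':' or '='
# as separator, then the parameter (optionally double-quoted). '#' lines are comments.
_OPTION_LINE = re.compile(r"^-{0,2}([A-Za-z][\w-]*)\s*[:=]?\s*(.*?)\s*$")


def parse_curl_config(text):
    """Return (option, value) pairs in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPTION_LINE.match(line)
        if not m:
            continue
        opt, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        entries.append((opt, val))
    return entries


def audit_curl_config(text, job_uid=0, path=None):
    """Return a list of findings; an empty list means the config is acceptable for `curl -K`."""
    findings = []
    for opt, val in parse_curl_config(text):
        if opt == "url":
            if "://" not in val:
                findings.append(f"url without an explicit scheme (curl will guess one): {val}")
                continue
            scheme = val.split("://", 1)[0].lower()
            if scheme not in ALLOWED_SCHEMES:
                findings.append(f"url uses disallowed scheme {scheme!r}: {val}")
        elif opt in ("K", "config"):
            findings.append(f"nested config file {val!r} would be read with the same trust")
    if path is not None:   # ownership and permission checks only make sense on a real file
        st = os.stat(path)
        if st.st_uid != job_uid:
            findings.append(f"{path} is owned by uid {st.st_uid}, not the job's uid {job_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path} is group- or world-writable")
    return findings


def demo_permission_check():
    """Constructed demo: the same trusted content, once world-writable and once with mode 0644."""
    with tempfile.NamedTemporaryFile("w", suffix=".input", delete=False) as fh:
        fh.write('url = "http://127.0.0.1"\n')
        path = fh.name
    try:
        os.chmod(path, 0o666)
        with open(path) as fh:
            loose = audit_curl_config(fh.read(), job_uid=os.getuid(), path=path)
        os.chmod(path, 0o644)
        with open(path) as fh:
            tight = audit_curl_config(fh.read(), job_uid=os.getuid(), path=path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    trusted = 'url = "http://127.0.0.1"\n'          # what the cron job on the box expects
    tampered = 'url = "file:///root/root.txt"\n'    # the edit described in the write-up
    for name, cfg in (("trusted", trusted), ("tampered", tampered)):
        print(name, audit_curl_config(cfg) or "ok")
    loose, tight = demo_permission_check()
    print("world-writable:", loose)
    print("0644:", tight)
```

The same scheme restriction can also be enforced inside the cron job itself with curl's own --proto option, e.g. curl --proto =http,https -K input -o report, which makes curl refuse file:// even when the config has been tampered with; keeping input owned by root and writable only by root closes the other half of the problem.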

 

Thus the challenge was successfully completed.

So that’s all for now. See you next time. Goodbye!

You can have a look at my previous article on the LibSSH Auth Bypass Vulnerability. Here is the link to the article.

Loved what you read?

If so, then kindly comment, follow and share our website for much more interesting stuff.

For any queries please send a Hi to my LinkedIn handle: Here

 

 
