Hack The Box – Wall Box Writeup By Nikhil Sahoo

Introduction

Back with a new blog. Today we will go through the walkthrough of the Hack The Box machine Wall, which retired very recently. It was a good box, rated medium difficulty, and the path through it relies mostly on public CVEs. So without further ado…Let's begin.

Recon

We’ll start with our recon by doing an Nmap scan.

nmap -sC -sV 10.10.10.157

As we can see, port 80 is open, so let's check that first in our browser.

So nothing much interesting just the default Apache server page.

Let's try some fuzzing to check whether we can find some interesting endpoints.

So there seems to be an endpoint named monitoring. Opening it in the browser, it asks for a username and password (HTTP Basic Authentication).

Let's capture the request in Burp and look at the response.

Unauthorized 🙁

What if we change the request method?

So we did get a different response on a POST request…it seems to be redirecting to a page named centreon.

On viewing it in the browser…

Another login page!!!

Searching for public exploits turned up an RCE exploit, but it required authentication to use it.

After a lot of searching here and there, I realised that it is possible to brute-force usernames and passwords through the Centreon API.

More information is available here:

https://documentation.centreon.com/docs/centreon/en/latest/api/api_rest/index.html#authentication

So admin:password didn't work…Let's try to brute-force the password field using Hydra against a common wordlist like rockyou.txt.

After running for a bit it gave password1 as the correct password. Let's try to log in using admin:password1.

And we have successfully logged in.
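From the defender's side, the Hydra run above shows up in the web server's access log as a burst of POSTs to the Centreon API's authentication action from one source. As an added example that is not part of the original writeup, the Python below parses constructed Apache access-log lines and flags any source IP that sends more than a threshold of login POSTs to that action inside a 60-second sliding window. The API path and the status codes in the sample lines are assumptions of mine, not values from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined-log line: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTH_PATH = "/centreon/api/index.php?action=authenticate"  # assumed Centreon v1 API login action
WINDOW_SECONDS = 60  # sliding window length
THRESHOLD = 20       # login POSTs from one source within the window that raise an alert

def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def detect_auth_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map each offending source IP to the largest number of login POSTs seen in one window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent login POSTs, oldest first
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != AUTH_PATH:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:  # expire entries outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["ip"]] = max(alerts.get(ev["ip"], 0), len(q))
    return alerts

def _line(ip, second, method, path, status):
    """Build one constructed log line; the status codes are illustrative, not Centreon's real ones."""
    return (f'{ip} - - [10/Dec/2019:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 0 "-" "constructed-sample"')

# Constructed sample: the GET/POST probe of /monitoring, one legitimate login from another
# host, then a 25-request burst against the login action from the same source as the probe.
SAMPLE_LOG = [
    _line("10.10.14.5", 1, "GET", "/monitoring", 401),
    _line("10.10.14.9", 5, "POST", AUTH_PATH, 200),
    _line("10.10.14.5", 3, "POST", "/monitoring", 302),
] + [_line("10.10.14.5", 10 + i, "POST", AUTH_PATH, 403) for i in range(25)]
```

Running `detect_auth_bursts(SAMPLE_LOG)` returns `{"10.10.14.5": 25}`: the single legitimate login is ignored and only the bursting source is reported, which is the signal to alert on or rate-limit at the reverse proxy.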

Exploitation

And now, coming back to the public exploit. You can refer to this link here

Basically, it allows an authenticated user to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4

We just need to navigate to Configuration > Commands > Discovery and put our reverse shell in the "Command Line" field.

After clicking the small play button there, we should get our reverse shell.

Some things to always check after getting an initial shell: all files with the SUID bit set, writable files and folders, running pspy to look for suspicious processes, cron jobs, running sudo -l to see which commands the current user can run with root privileges, and a lot more.

So let's list all files that have the SUID bit set.

We can see that screen 4.5.0 has the SUID bit set. This is GNU screen: a full-screen window manager that multiplexes a physical terminal between several processes.

A little bit of googling shows that a privilege escalation flaw is present in this version.

Here is the link to the exploit: https://www.exploit-db.com/exploits/41154

So we just need to download it onto the box (serving it with Apache or Python's SimpleHTTPServer), give it executable permissions and run the bash file.

All set…Let's run this.

That explains it all.

So that's it for now. See you next time. Goodbye!

You can have a look at my previous article on Hack The Box: Heist Box Walkthrough. Here is the link to the article

Loved what you read?

If so, then kindly comment, follow and share our website for much more interesting stuff.

For any queries you can send a Hi to my LinkedIn handle: Here
