Continuing on my road to OSCP certification, I am in the midst of preparation for the exam in January. Part of my preparation is to take on the retired machines available on the Hack The Box (HTB) platform. It is a great platform for practicing and learning new penetration testing skills, as well as for taking on the challenge of "capturing the flag" on their machines.
In this HTB series, I will be sharing my write-ups on all the retired machines that I have attempted and will attempt. If you are wondering, "How does he know which machines to do to prepare for OSCP?", I am using TjNull's list of OSCP-like boxes in HTB, which can be found here.
This box caught me off guard with the credential-finding portion. I did not think about lazy passwords off the bat, and it took me several hours to realise that. Other than that, it was pretty straightforward in terms of the exploitation steps, and there is no privilege escalation involved for this box.
Recon
To begin with this box, we first carry out our basic reconnaissance. For me, I used AutoRecon, which is developed and scripted by Tib3rius. It is one of the fundamental scans I run before moving on to more manual enumeration of specific ports or applications. From the full-port Nmap scan results produced by AutoRecon:
Two ports are of interest to us here: port 21, which is an FTP service, and port 80. The scan also highlights that the FTP service allows anonymous login, which is pretty dangerous for the machine but very useful for us as attackers.
Information Gathering
On Port 21:
Due to misconfigurations in the FTP service, you can essentially grab the user.txt file directly. However, in the exam we are not able to do this, as it will require us to have a shell on the machine before grabbing the flags. So let's go take a look at the other service.
On port 80:
Our Gobuster and Nikto scans did not manage to return anything significant. We also attempted a login with the default credentials, which was unsuccessful. Using searchsploit, we found a public exploit that allows us to achieve Remote Code Execution (RCE).
However, in order to use the exploit we need to be authenticated, meaning we will need to be able to log in. We need to somehow obtain credentials from somewhere. That brings us back to the FTP service, as it is the only service we are authenticated to, and it lets us retrieve files to read. Using a bit of Google-fu, I managed to find out from here where the files that might contain the credentials for the login page are located.
Using the FTP service to retrieve these files:
We see here that there are three PRTG Configuration files: one is .old, another is .dat, and the third is .old.bak.
Reading the .old.bak file gives us the database credentials prtgadmin : PrTg@dmin2018.
However, these credentials did not work for us on the login page. Thinking about it, the password does look like a form of lazy password, so we attempted the login with different variations of it (you can brute-force if you wish). Thus we derive the password to be PrTg@dmin2019,
and we log in successfully:
Exploitation
Now we can utilise the exploit to gain RCE and create a new user:
Grabbing our cookie after we log in as an authenticated user and feeding it into the exploit:
The user was successfully created and is added to the Administrators group. Since the SMB service is available, using psexec.py we are able to pop a shell:
We are in as a user in the Administrators group and we can grab root.txt!
Learning Points
The main learning point here is to be aware of lazy passwords and how users' mental shortcuts might help us gain credentials that are used to access other accounts or services the same user has access to. This is why we should not reuse passwords, or even use passwords that are obviously lazy like admin45, admin46, etc. From the attacker's point of view, this also means we need to remember that people will vary the same password through "lazy" shortcuts as mentioned. Thus, we also want to learn how to mutate a password (this can be done via John the Ripper) and use those variants to attempt a login as well!
Thank you for reading! And as always, if you enjoy these write-ups, subscribe to my publications or follow me on Twitter @lojomojo96 and hit me up with a DM! It will really encourage me to write and share even as I prepare for my OSCP certification. Of course, if there are points to improve upon in my own methodology, do let me know too! You can also find me on LinkedIn as well!
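As an added example that is not part of this write-up, here is the kind of check a password-change handler could apply on the defender's side to reject the "lazy" rotation seen on this box (PrTg@dmin2018 to PrTg@dmin2019, or admin45 to admin46). The function names, the leet-substitution table and the 0.8 similarity threshold are my own assumptions, not from any PRTG or HTB code.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Characters users commonly swap in for letters ("leet"); undone before comparing.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})
# Trailing digits / symbols are the usual rotation slot (2018 -> 2019, 45 -> 46, ! -> !!).
_TAIL = re.compile(r"[\d!@#$%^&*?._-]+$")


def stem(password: str) -> str:
    """Reduce a password to the word its owner is really remembering."""
    s = _TAIL.sub("", password.lower())
    return s.translate(_LEET)


def lazy_rotation_reason(old: str, new: str) -> Optional[str]:
    """Return why `new` is a lazy variant of `old`, or None if it differs enough."""
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case change only"
    if stem(old) and stem(old) == stem(new):
        return "same stem, only the trailing digits/symbols changed"
    # Catch-all for small edits elsewhere in the string (threshold is an assumption).
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio >= 0.8:
        return f"too similar to the previous password (ratio {ratio:.2f})"
    return None


def check_rotation(old: str, new: str) -> bool:
    """True when the new password is an acceptable change from the old one."""
    return lazy_rotation_reason(old, new) is None


if __name__ == "__main__":
    # Constructed sample pairs; the first is the one discussed in this write-up.
    for old_pw, new_pw in [("PrTg@dmin2018", "PrTg@dmin2019"),
                           ("admin45", "admin46"),
                           ("Pa$$w0rd1", "Password!"),
                           ("PrTg@dmin2018", "correct horse battery staple")]:
        print(f"{old_pw!r} -> {new_pw!r}: {lazy_rotation_reason(old_pw, new_pw)}")
```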