After mistakenly enrolling in an offensive cyber security course on Hack The Box Academy, I am here to write my first blog post on a box I attempted.

Reconnaissance

Knowing that my target would be a Linux server and given the IP address, I started with an Nmap scan to see which ports were open and to fetch some potentially useful banners.

The scan showed an Apache server, which confirmed the target was a web server, so I ran whatweb for more details on the web stack. In parallel, I enumerated directories on the website with gobuster and the common wordlist, and found some paths that could be accessed directly through the browser.

I opened the IP in the browser to check out the content of the website. It was a GetSimple CMS installation. The next piece of information I was looking for was the GetSimple version number, which I would need to find out whether there were any known exploits for it. I found it by digging around the exposed directories.

Exploit

During this process, it also came to my attention that an admin file in a browsable directory contained the admin user's hashed password and plaintext username. There was also an API key lying around.

Using the CMS name, the version and some of the document information, I targeted a vulnerability that leverages theme template editing.

To be frank, I could have used Metasploit at this point, but I got very lucky: I tried a very common password on the admin portal, because why not, and it let me in. This made the exploit process a whole lot easier. I used the GUI to carry out the exploit and gained a reverse shell on my attack box.

Initial foothold

I traversed the file system to obtain the flag for the initial foothold. I explored what I could do with the account by poking around different files; the web server user itself did not have access to the jackpot files. I used the reverse shell to fetch the LinEnum script I was hosting on a port on my local machine. It initially did not work and I thought there were defences in place, but it turned out I had simply moved into a folder where I had no write permission.

I ran the script and found out I could run php via sudo. By then it was already very late at night and my brain was not functioning properly: I tried to write a PHP script file, as that is what I had done in the tutorial. It took me longer than I would like to admit to see that I could just feed PHP to the interpreter directly.

I spawned a root shell from PHP and obtained the final flag.

Aftermath

I later studied the Metasploit module and also managed to craft the cookie on my own without using any tools. I conclude that this attack was possible because:

- The admin user used a very simple password.
- The admin users did not verify that documents were properly hidden by scanning their own website.
- The AllowOverride option on Apache was misconfigured, so the redirect control from .htaccess was not enforced.

This served as a reminder for me to constantly patch my website and keep an eye on vulnerabilities. haha.
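As an added illustration that is not part of the original post, here is an Apache configuration fragment showing the AllowOverride setting that makes Apache ignore the .htaccess protections a CMS ships with, next to a hardened version that honours them and also moves the deny rule into the server config. The document root and the data directory path are assumptions, not values from the box.

```apache
# Added example, not from the original post. Paths are assumed.

# --- Weak: AllowOverride None makes Apache ignore every .htaccess in the
# tree, so Redirect/Deny rules the CMS placed in its data folders are
# silently dropped and the files inside become browsable. ---
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    <Directory "/var/www/html">
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

# --- Hardened: honour the .htaccess files (FileInfo covers Redirect and
# RewriteRule, Limit and AuthConfig cover access control) and, better,
# state the deny rule here so it does not depend on a per-directory file. ---
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    <Directory "/var/www/html">
        Options -Indexes
        AllowOverride FileInfo Limit AuthConfig
        Require all granted
    </Directory>
    # Assumed location of the CMS data directory holding user/config files.
    # Deny only subfolders that must never be served; the CMS's own
    # .htaccess files show which ones those are.
    <Directory "/var/www/html/data">
        Require all denied
    </Directory>
</VirtualHost>
```

After changing AllowOverride, run `apachectl configtest` and then request one of the previously exposed paths to confirm it now returns 403 rather than the file.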