Hacksudo 3 Writeup (InfoSec Prep)

We are going to try out the Hacksudo: 3 machine, which was created for the InfoSec Prep Discord Server. I would say that one of my favorite parts of this machine was the port knocking.

So let’s get started.

Starting with Enumeration

We notice that this machine only has port 80 open; we can’t find any other open ports for now. So let’s enumerate the Apache web server first.

Now let’s perform some web directory fuzzing on the Apache Web Server.

Interestingly, there are 2 PHP pages here that caught my eye, generator.php & login.php, as they are not default PHP pages.

Now let’s check out login.php first.

Trying some default credentials like “admin:admin” here doesn’t work. So let’s set this aside for now & dive into the generator.php page.

The generator.php page asks us to enter our name into the textbox; let’s try inputting some random text.

This feels quite suspicious, right? It seems like this part executes a Linux binary called figlet.

A quick check on figlet: this is what it looks like when the figlet binary runs on our local machine.

Okay, so when we submit some random text, the backend executes the figlet system command with it. This part might be vulnerable to OS command injection!

Time to exploit the vulnerability

Now let’s intercept the request using Burp Suite; we will be testing with the Repeater feature.

Let’s test the basic injection payload by appending ‘;id’. It looks like this doesn’t work; there might be something filtering the text we send to the backend.

Now let’s try the ‘%0a’ (URL-encoded newline) technique & voila! The id command has been injected!!
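An added Python illustration (not the box’s PHP, whose source we only inferred from its behaviour) of why ‘;id’ failed while ‘%0a’ worked, beside a hardened version. It assumes the backend filter strips ‘;’ only, and that the fix is an allow-list plus passing the name as an argv element with no shell.

```python
import re
import shutil
import subprocess

# Assumed reconstruction of the generator.php behaviour seen in the writeup:
# the backend strips ';' (why ';id' failed) but not a newline (why '%0a' worked).
def naive_filter(user_input: str) -> str:
    """Blocklist filter: removes ';' only."""
    return user_input.replace(";", "")


def vulnerable_command(name: str) -> str:
    """Flawed pattern: filtered user text concatenated into a shell command string."""
    return "figlet " + naive_filter(name)


def shell_commands(cmd_line: str) -> list:
    """Split a command line the way /bin/sh would: ';' and newline both end a command."""
    return [part.strip() for part in re.split(r"[;\n]", cmd_line) if part.strip()]


# Hardened version: allow-list validation plus argv (no shell), so metacharacters are inert.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,39}")


def hardened_argv(name: str) -> list:
    """Return the argv for figlet, or raise ValueError if the name fails the allow-list."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name must be alphanumeric, max 40 chars")
    return ["figlet", name]


def hardened_accepts(name: str) -> bool:
    try:
        hardened_argv(name)
        return True
    except ValueError:
        return False


def render(name: str) -> str:
    """Run figlet safely (no shell) if it is installed; otherwise just return the argv."""
    argv = hardened_argv(name)
    if shutil.which("figlet") is None:
        return " ".join(argv)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for attempt in ["Bryan", "test;id", "test\nid"]:
        print(repr(attempt), "->", shell_commands(vulnerable_command(attempt)),
              "| hardened accepts:", hardened_accepts(attempt))
```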

Now that we know how to craft our payload, let’s inject our reverse shell payload into the web server.

Since we know port 80 is running a PHP web server, we can upload our reverse shell payload as a PHP file; let’s use Laudanum’s php-reverse-shell.php as our reverse shell payload.

Next, we edit the IP & port in the payload to our own IP & netcat listener port.

We will be using python3’s http.server to host the reverse shell payload.

Now let’s upload the reverse shell payload to the web server; we use the wget command to download it onto the remote host.

As we can see, the remote host just grabbed our rev.php from our web server; that’s a good sign!

Now let’s execute our rev.php payload & voila! We’ve just gotten our initial foothold on the remote host machine!

Enumerating as the www-data user

Now let’s upgrade our reverse shell to a TTY shell.

First let’s take a look at how many users there are on this remote host. In the /home directory we found 1 user named hacksudo, but we don’t have permission to read the contents of the hacksudo home directory.

Let’s check out the source code of login.php, since earlier we couldn’t find the credentials to access it.

So it seems we’ve found the credentials “hacksudo:viluhacker” to access login.php.

Note: These login.php credentials are not the credentials of the hacksudo user on this remote host; this is a rabbit hole!

Reading the source code, when the credentials don’t match it prints the following page asking us to enter the credentials again.

When the credentials match, it shows us this part of the HTML code.

Here it tells us something about the key to open the next door; this might be a clue for us. One part of the text is encoded in some base<something> encoding; let’s use CyberChef to decode it for us.

After some testing with CyberChef, we’ve found the recipe to decode the text. It gives us 3 integers, “10001 10002 10003”. What might these mean to us? Let’s note them down in our notebook first.

During enumeration, we found an interesting file in the www directory. Its content was encrypted, so let’s find out how we can decipher it with CyberChef again.

So the ciphertext was encrypted with ROT13; the deciphered text provides us the SSH credentials for the hacksudo user.

The password shown looks like a hash to me; let’s analyze it with Hash Analyzer. The result tells us that it is a SHA-512 hash.

Now let’s use John the Ripper to crack the hash & we find the password that matches it!

Although we could directly su to the hacksudo user with the credentials we found in the ROT13 ciphertext, let’s learn something new from this machine: the port knocking technique to unlock the door to SSH.

Knock Knock To Unlock The Door to SSH Port (Port Knocking)

Let’s check the listening ports on the remote host & we find that the SSH service is actually listening.

But why did we fail when we tried to connect to the SSH service?

If you still remember, we found 3 mysterious integers on the login.php page. These are actually the port numbers to unlock the SSH port.

In order to unlock the SSH port, we need to use the port knocking technique by knocking on ports 10001 => 10002 => 10003. We need to follow the sequence in that order to unlock the SSH port.

We can use the knock command to knock on those ports & we’ve just unlocked our access to the SSH port!
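A simplified model of the knock sequence check on the server side, added here as an example rather than code from the writeup or from knockd itself: it assumes no sequence timeout and that an opened port stays open for the knocking source, and replays constructed traffic to show that only the 10001 => 10002 => 10003 order unlocks SSH.

```python
from typing import List, Tuple

KNOCK_SEQUENCE = (10001, 10002, 10003)   # decoded from login.php in the writeup
PROTECTED_PORT = 22                      # the port the knock unlocks

class KnockTracker:
    """Simplified knockd-style state machine: per-source progress through the sequence."""
    def __init__(self, sequence: Tuple[int, ...] = KNOCK_SEQUENCE) -> None:
        self.sequence = tuple(sequence)
        self.progress = {}   # src -> index of the next expected knock
        self.opened = set()  # sources that completed the whole sequence

    def observe(self, src: str, dport: int) -> bool:
        """Feed one inbound SYN to a non-protected port; True when src just completed the sequence."""
        step = self.progress.get(src, 0)
        if dport == self.sequence[step]:
            step += 1          # correct next knock
        elif dport == self.sequence[0]:
            step = 1           # wrong port, but it is the start of a new attempt
        else:
            step = 0           # any other port resets progress
        if step == len(self.sequence):
            self.opened.add(src)
            self.progress[src] = 0
            return True
        self.progress[src] = step
        return False

    def allows(self, src: str, dport: int) -> bool:
        # Firewall decision: the protected port is reachable only after a full knock.
        return dport != PROTECTED_PORT or src in self.opened

def replay(events: List[Tuple[str, int]]) -> List[bool]:
    """Replay (src, dport) SYNs; return the allow/deny decision for each SSH attempt."""
    tracker, decisions = KnockTracker(), []
    for src, dport in events:
        if dport == PROTECTED_PORT:
            decisions.append(tracker.allows(src, dport))
        else:
            tracker.observe(src, dport)
    return decisions

# Constructed sample traffic, not a capture from the box.
SAMPLE_EVENTS = [
    ("10.0.0.5", 22),                                              # before knocking: denied
    ("10.0.0.5", 10001), ("10.0.0.5", 10002), ("10.0.0.5", 10003),
    ("10.0.0.5", 22),                                              # correct order: allowed
    ("10.0.0.9", 10002), ("10.0.0.9", 10001), ("10.0.0.9", 10003),
    ("10.0.0.9", 22),                                              # wrong order: denied
]
```

Running `replay(SAMPLE_EVENTS)` yields `[False, True, False]`: the same three ports in the wrong order never open the door, which is why the sequence from login.php matters.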

Now, with the credentials we found in the ROT13 ciphertext, let’s log in as the hacksudo user.

Privilege Escalation: Abusing lxd group (hacksudo=>root)

It seems that our hacksudo user doesn’t have sudo privileges.

Now let’s check the id command output for the hacksudo user. If you look closely, the hacksudo user is in the lxd group! We can use that to escalate privileges to root.

Before we start exploiting it, let’s build our own LXD Alpine Linux image. First, let’s clone the LXD Alpine Linux image builder.

Build the Alpine image with the “build-alpine” shell script.

After building the Alpine image, we get an Alpine image tar.gz archive.

Now transfer the Alpine image file to the remote host.

Now execute these commands to import the Alpine image, run it with security.privileged=true & get a shell in the container.

Now we’re in our Alpine container with the host’s root directory mounted at /mnt/root inside the container.

Now let’s access the host’s root directory & voila! We’ve just pwned the hacksudo3 box!

Bryan Leong (NobodyAtall)

A Bachelor of Computer Science student who is passionate about CyberSec & Pentesting.