# Joker

## Joker - 10.10.10.21

### Target Enumeration:

OS: Linux

IP: 10.10.10.21

User: a298121179fe93f2978d3337dbd7057b

Root: d452b7faf5fd5b30210f340ef1d4146e

### Ports / Services / Software Versions Running

```
22/tcp   open  ssh        OpenSSH 7.3p1 Ubuntu 1ubuntu0.1
3128/tcp open  http-proxy Squid http proxy 3.5.12
```

### Replicating the exploit:

Nmap

![](https://lh5.googleusercontent.com/fMW9R2f37RyaRGRHgkyab6q2dZZe0QkSTbEn27mSqAVFhv4Bj12SIt5fhhxzADTUgWgduLVFYU7_tBlO5B691qHeL6xtr85firrtZh49a2xKfYTfu2vsKEK9O2EIxLY21WCxMsKi)

UDP

![](https://lh5.googleusercontent.com/2venTx11gaeT4ipWKWPWPlByPTgYOAOD6s5ftup_ny1gFMYStkkbCrU7u53D8qpubP3L6T6znoaMA3xdJ8aQQWi9ezlF4rJ_4XdcbEnBWh0WY5CsDpaMYvjOvFHSSxesv5qNYkhF)

Result from Firefox on port 3128

<div align="left"><img src="https://lh3.googleusercontent.com/3FSK3rkN2UyafWqXZt8sXzxhNhBUcEE3eoHEuRabnoclS4kjqc78katTcFROIbAE9DKWnXajTOKywb-H53NJei2fjf3HHHxwfgIp1XRUIudj8e2wgEf4AJ7hHt2SUr4a74_vBPpg" alt=""></div>

Configure squid in FoxyProxy and browse to the port

![](https://lh6.googleusercontent.com/2p0b9LnJvsZbxC7mI_K54aqHa1gPhNdE-X6dudyX6n9VP_KgFKyvHOdz19hQ1FPnRavP0WNkwZ5ERe72y9XmUbksMk9j8npD-ECKS5ByYhnmW3zMviACNDPDwWQwVqCGQ7JAP1dT)

Tried default credentials, no luck.

Connect with tftp (the UDP scan showed it open) and search for config files

<div align="left"><img src="https://lh6.googleusercontent.com/IOrdQldv9MOHbUtN9bzLJmSfHNolUbNgoB8_8os_4N-xUkexnvSTovrsKvo8m-ZH1fQQoMBzYhInB2FXyFBlwfMJBQKBJCqYwWZIJ7j1Rh8QBsqvIo5aDenPhzqX6lllc-cxIfp8" alt=""></div>

File is downloaded to our system

<div align="left"><img src="https://lh5.googleusercontent.com/RkNt2o_aqNCXG_ShAYG8X6fMrMerSkW0kzsD033pBgE_gEWokC9eHKKz2Qu5Vw2Xx6ZltYHTP_GDlGK6R_6_uftPpFPEykEOyTrZ2A8k2amy_1VkqkO2ei5ED-3YsDFHX1-LZRkl" alt=""></div>

Remove all lines starting with a #:

```
cat squid.conf | grep -v '^#'
```

Then keep only the lines that still have content:

```
cat squid.conf | grep -v '^#' | grep .
```
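As an added illustration (not part of the original writeup), the same filter wrapped in a small shell script and run over a constructed `squid.conf` excerpt, extended to pull out the one directive a reviewer wants from the cleaned output: the path of the basic-auth password file. The `auth_param`, `acl` and `http_access` directives are real Squid syntax; the file contents and the password file path are constructed for the example and are not the box's real configuration.

```shell
#!/bin/sh
# Constructed squid.conf excerpt standing in for the file pulled off the box.
CONF='# Recommended minimum configuration:
acl localnet src 10.0.0.0/8

# Squid normally listens to port 3128
http_port 3128
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm Squid proxy-caching web server
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all'

# Same filter as the writeup: drop comment lines, then drop lines with no content.
active_lines() { printf '%s\n' "$CONF" | grep -v '^#' | grep .; }

# How many directives are actually in effect.
count_active() { active_lines | awk 'END { print NR }'; }

# Path of the htpasswd-style file named on the basic-auth program line (empty if none).
passwd_file_path() {
  active_lines | awk '$1 == "auth_param" && $2 == "basic" && $3 == "program" { print $NF; exit }'
}

# "yes" if some acl requires proxy authentication, otherwise "no".
auth_required() {
  if active_lines | grep -q '^acl .* proxy_auth REQUIRED'; then echo yes; else echo no; fi
}

echo "active directives: $(count_active)"
echo "password file:     $(passwd_file_path)"
echo "auth required:     $(auth_required)"
```

The path printed by `passwd_file_path` is the file the writeup fetches next; the finding from a defender's side is that this file was reachable over an unauthenticated TFTP service, so the proxy's authentication only held until someone read the hash file.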

Grab the password file via tftp

<div align="left"><img src="https://lh4.googleusercontent.com/SoxbqCHaAumLo7DBqp8Tm0vWQyjuJzsbrIm119ybbyPKqqt4nwOin62p07io-jJSU4AIs1YzgpkPxFSLN2T1gmmwIsPH_kPLZEUOC-0_bSTJZfc8mcKA5r-_6cc1yFj0TSXI0EVx" alt=""></div>

Passwords stored in MD5.

<div align="left"><img src="https://lh4.googleusercontent.com/D2SYiPcy2rpN9mpfSx6uK48-SqLvsIEfjWZHeFdZUJ2SGQ9sJaJP_AY1PxZ8DXWuDGu1wn6s-vw6hCZixLSkG48XtQGgb96do4nshoV5PmbBBNqb24_Bzta6B1WlXrSIdB9fON91" alt=""></div>

Crack with john.

![](https://lh6.googleusercontent.com/S8wjegUqS2ZKaUwNF2NIm8AdgVz4CvDA6gD-Q7XCByyw5LzQU5gkXwvtc2OcdjuoFSSMKyhtBTNi6qqcXCiaZyXJ3fbWH40sqHmXFTsawKHPIso5cYd9Z6s9_Yf5OJ1TzCjJnfrr)

```
ihateseafood     (kalamari)
```

With the cracked credentials configured, the proxy no longer prompts for a username

![](https://lh3.googleusercontent.com/9NkY__Ob2qJ6goTecawYceOwvu4pBEJoyXj6ixbaTv23Ux14FxS6xmCqtUf6zo2Culm9vFJXEl-Wxg2pdclvQCfNKKYOszFrTIsD25oIoaNHInloCwBcekVTF5BT0VaEWtedPUHr)

Go to 127.0.0.1

![](https://lh6.googleusercontent.com/KBzUvegYh5VX4laqfmYu0CIpAqx9mGaKGmEl44pR3KNJDe8qmeHwhY40hNsKWwaVszQSF-MEfa6iE5w1Mi-1mF9D__lrdLmWjsCBCsbxpsaXCNONoWbow8Ptw7B8TKSNKq0XX4pK)

Server-side request forgery attack

Add an upstream proxy

<div align="left"><img src="https://lh6.googleusercontent.com/FpBPDEUHszCdgZRB2PKl8xr4scc0g1jcocC4PdLALAZacUFgyZNVrBcnwO3eWXJ8o96mEVNdvxuYYLBpEn2MhqTIdl5gI39Ii3Hu0E1THd3zLHkUC8RtIFgDiaQkkSfAO3kvMcH6" alt=""></div>

Configure a new proxy listener, as the app is not vulnerable

<div align="left"><img src="https://lh5.googleusercontent.com/J6m5r_r9OvQKm8OgQsYqXeHyKl3IRnmd7t6J8j-XGs7OxR9B-wjFrPq9zeYxMRip2sFI7hnuiCpTxcA2vDafLh7BKXYwaYaohjptbtx0i0Dq0iKI8AtrMwtLTyLmTALQSQFFcVvP" alt=""></div>

And send it to localhost on port 80 (you don't need an invisible proxy, but you may need to add it just to make it work).

<div align="left"><img src="https://lh5.googleusercontent.com/hO-EJTBLVouOcWE0EDPX7bqrXXIPv_x5rH38WRaxeYfxoc_6bcJkSVp5cYq8XA2Nc1VCySG1CtaRe0tJhK0sL8Z4jk7V2_9FlW8LdA42BRCY0Ohl8MSo6p5PVyN0RGafEEcmMPu1" alt=""></div>

Browse to the 127.0.0.1 URL and you get the same page. Now use dirsearch.py to find the directory you need.

```
git clone https://github.com/maurosoria/dirsearch
python3 dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://127.0.0.1 -e php -t 20
```

Eventually you get /console

Run some system commands and try to get a reverse shell

![](https://lh4.googleusercontent.com/Vh0c7ICTfo1hOFyWatH3N9nRci1uQYJru64zMYZjJ3bDkvfMi_66uKAXXdb9brk3TbY_3J7AcfGTnknDYj3wqxjfh7Jo2uz2V0P41p41UwqDY_zFvxyJI3sHTNr7m4Gga3xy5zkg)

Does not work, which suggests a firewall issue.

Ping our machine with tcpdump listening

<div align="left"><img src="https://lh4.googleusercontent.com/PtvYvBqLHGhL68hUSTCmagsO_QVmnWTha3W_XIaqceAQvC8Wzf-JKOYcu0SjyjeEL7FYTb69sqN5EDKmP3MkKAviKxaZ6kE4cQHNlpWHTdhHubE5mi0QmS5TRa3x894OcltbNCNF" alt=""></div>

Which works

![](https://lh3.googleusercontent.com/zwwZqqd_1O5OL7-YlQwc3QuGYpOnyDnY09DLEfMK7A3Mg1rgripsyoK59onqaWfVHdEbD1l9cKb8-YS-PP_7eZ1yg2l8tEscQzjcsAn03-eGOFLGnqAodajQ9PtT2y1SJZhTS-B5)

Find firewall rules

<div align="left"><img src="https://lh5.googleusercontent.com/EmTfYcBC0N5V8w3lMGsYb3UsvvyfGXqdSkX1wxXlZlU7Z-Rb1ac6FC-MMulWHavDMykIf6UXaeFBVPFVqgHb-SkcDzdvySio4buyyboVC2gpHAoza6qy4MIZ580e2lbyD2FsrQHa" alt=""></div>

Check local firewall rules and base64 encode them without wrapping.

![](https://lh4.googleusercontent.com/KJpAhmrsZo_iznXT834Txh3vBsOumm9GctMU7Q3tVBAX3XcZHEu9cL-7pBwpGVELoaiQa8qubiKRSmQsmNmfK2KXbDsWiXfzxh6O-f5vOtagrNqHUPrRmnxQzw9m9AiRSPVvQeCW)

Copy and decode it by putting the string into a file

<div align="left"><img src="https://lh6.googleusercontent.com/XC8Lp2N4KUuYwE7CHKrdLme-xOHTrWYesPetL0HnHK5IrDZF9qUlZZxnL2hI2pgq8iwVkGvuQJea8nXsQwrizOlq6eLNp9R38_mR6Rm75bDmM3aL9o-K_fCh2VYWU8CmnVNdRqJO" alt=""></div>
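An added example, not from the original writeup: a shell script that round-trips a rules dump through unwrapped base64 (the transport step above) and then reads the OUTPUT chain to answer the question the writeup answers by eye, namely which protocols may leave the host as new connections. The rules below are constructed in `iptables-save` format for the example and are not the box's real rule set.

```shell
#!/bin/sh
# Constructed iptables-save style dump; stands in for the rules pulled off the box.
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Encode as a single line (same effect as GNU `base64 -w0`) so the blob survives
# a channel that returns one line, such as the web console used in the writeup.
encode_blob() { printf '%s\n' "$1" | base64 | tr -d '\n'; }

# Reverse step on the receiving side: paste the line and decode it.
decode_blob() { printf '%s' "$1" | base64 -d; }

# Default verdict of the OUTPUT chain (ACCEPT or DROP).
output_policy() { printf '%s\n' "$RULES" | awk '/^:OUTPUT /{ print $2 }'; }

# "open" if a new outbound connection of protocol $1 (tcp or udp) can leave the host:
# either the chain policy accepts, or an unconditional ACCEPT rule for the protocol exists.
# Rules tied to --dport or --state are conditional and do not count here.
egress_new_connections() {
  proto=$1
  if [ "$(output_policy)" = "ACCEPT" ]; then echo open; return; fi
  if printf '%s\n' "$RULES" | grep -qE "^-A OUTPUT -p ${proto} -j ACCEPT\$"; then
    echo open
  else
    echo closed
  fi
}

blob=$(encode_blob "$RULES")
echo "encoded length: ${#blob} chars"
echo "udp egress: $(egress_new_connections udp)"
echo "tcp egress: $(egress_new_connections tcp)"
```

The point for whoever maintains such a rule set: the TCP side is locked down to established traffic, but a blanket `-p udp -j ACCEPT` on OUTPUT undoes that for any UDP-capable tool, so outbound UDP should be limited to the destinations and ports the host actually needs (DNS and NTP resolvers, for instance).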

UDP is allowed, so now do a reverse shell with `nc -u`.

Start up a listener in UDP mode

<div align="left"><img src="https://lh5.googleusercontent.com/SHJv7V-vJf4LbN8jULBESEnlh9UbpfKIHHVA2TB9MXppYU47wLdWknTCmLEcpg8hyQXrFlqdWDpUZPyqn8IPJYlvbCA-qAWognnfvU3thN5zN6t2x7c1FpNJjo8U9Bg7-9zPKkjn" alt=""></div>

Send the UDP reverse shell

![](https://lh4.googleusercontent.com/jENrwiTwvGY8kGCqNtV3qrLMcbsQRHgfsvoCKYozh_JTZHNrDSVKBlwKXzlHk9PWgod-C-WwYcaNMglXEJZToOf528iRw2vXoZtsB35tPuhqzlXZNE8vqLlESEUV2Of1fU9L-0Zs)

Now you have a shell

<div align="left"><img src="https://lh5.googleusercontent.com/RB14_JvGk89pFmFEfOs_nk6rUheIcxzxOLAeulCbXA1gQlThkEp36QRfrFeZV_iuTREJeDgtpb07iGTQ_AWx-mAD3mg7TmGG49YPxaIJQh_qf28YhiwaDD5j8wgxacJsAUoF6PKn" alt=""></div>

Get a better shell

<div align="left"><img src="https://lh4.googleusercontent.com/P1QT_IY-4-y2zZ0wIj80SCaNtlS76kvxEvdi3WXiYaUa9Wo2i1rd_oqkfxgjfqIF_UgHiOFKqOBGgJ-nkrGBKereHalfkZD12CV25g_WVP5gM27VJShDWorDtGfjBJFB_TUr4VYR" alt=""></div>

Check `sudo -l`

![](https://lh6.googleusercontent.com/uRaxvGaz15GuHODzmOm0IojcLKzBRlXUYdoVAdqNAL41LakbzNJxt79kLb3LIa_kONjAbfjF3xtGF2wcKMLE8UBDNZg8KDyIFtcaVCc3nbVo3I_BSaQP_bOEP7BUEiKFJ4vTZvh4)

Also checked

![](https://lh6.googleusercontent.com/IMGhrK1DhedeTZJ1P-3VqUOIlCE-mwSK9HNP2YXTIhN44nPkpFTaPKcriIi3slMDP_ZymmfKTXmWOpvQ3cJUwEw370DimqBnkyb-W-EODU6ltPdUVi_N-WRv8SgJjTeHhq3X_Ztd)

Run searchsploit against the sudo version

![](https://lh5.googleusercontent.com/2S6CcO7G_fPCvWnOV0VyqNlX0DboDK7tSiH5QqCadPrceWq8hoq85CNJS7ZFmDuubDKrW2K6XCDGrwWpUEFaumf_OacX78V1buynceD89fleHNYfvhXhHUBQJZmxppmhBH5MRDiZ)

Checking this file:

Generate an SSH key on Kali

Create a symlink to alekos' SSH keys

<div align="left"><img src="https://lh3.googleusercontent.com/nOUy60wkRDuFkOx1wDHnCEZbbhYEko0NYcAhnyBndEitZHgLVxPJVK0O3AgGSMQyjoFkZdB-hZfWKlFLOQltXzZrRPWtD6t9x3Xe5fkyPPuRoSevwf79-TqdGo_2SjTG8ZDSStkT" alt=""></div>

Edit file with sudoedit

<div align="left"><img src="https://lh6.googleusercontent.com/pjvDXlu2k9osbjmvrFG9WFh9MR2UvSZgJJxOvtvvjO7Q4CQsMzRQrNu3r-T3iVWwCV52uc_Dtt0PFTkxOKfrbQfz5tuMhfh0zFemh3GLjqsIju7ZLYy8nN0Nh3o3TO0u2itca08A" alt=""></div>

Generate an SSH key so you can log in to the system and edit files with a proper terminal.

Copy the key to the clipboard and paste it into layout.html with sudoedit

Another way is `sudoedit -u alekos /var/www/ .ssh/authorized_keys /layout.html`, which edits 3 files at once

Exit and save the file

SSH into box with new key

![](https://lh3.googleusercontent.com/E4FJvBdezSHWazPvMkRZnv8VBlkgWMkQ9wF12QZ_JgITWL0KMwnrIDxZiFvonI8KjFQDSOdmcpIaQvEHI7cOjn2LfQ3Fycmw0Sdk_7aeCoPNrpEpb3B5XRwWB3I6ML-CUq5C7CXC)

User.txt: a298121179fe93f2978d3337dbd7057b

### Privilege Escalation

Navigate to the /home/alekos/backups directory and list it; you will see all files are being backed up every 5 minutes

<div align="left"><img src="https://lh6.googleusercontent.com/oaIAsVA07sK5xPT4PIVb7xQqRNfwymuh_5KZTRwaQn-d7fhpeFKHTmu7KBsPhy0YOSWg6t1X7IoQjEjstwyBk8N8ZaH_veVUz4GyOnCzAzdSqHt9RfV6mJeq8pxBjqS8LFzViuEq" alt=""></div>

```
mkdir extracted && cd extracted
tar -xvf ../dev-1511680202.tar.gz
```

This shows the development folder being backed up every 5 minutes

To get the root flag, create a symlink

<div align="left"><img src="https://lh3.googleusercontent.com/Kb22U3gIzhLCUjd3Dvyt7Z54sr5CNzmNZcije31keiE25Pk88TmyPMlOvpCAqGztIsbsEgeVr2GAnkapSh3xrrP66dzWX471nwXNKDZ2KvdlAwBT2ZUBkH1uDgApSgMjLSWcekBM" alt=""></div>

Wait 5 minutes, then copy and extract the latest `dev*` archive; it will contain the root flag.
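Added example, not the writeup's own commands and not the box's actual backup script: a scratch-directory demonstration of why a privileged backup of a user-writable tree is dangerous when the archiver follows symlinks, next to the form that does not follow them. Everything runs under a temporary directory created with `mktemp`; the protected file, the planted symlink and the `development` directory name are constructed for the example (the writeup's real backups were named `dev-<timestamp>.tar.gz`).

```shell
#!/bin/sh
# Scratch tree, removed when the script exits; nothing outside it is touched.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mkdir -p "$WORK/protected" "$WORK/development"
# Stands in for a file the owner of the backed-up tree must not be able to read.
printf 'CONSTRUCTED-SECRET\n' > "$WORK/protected/flag.txt"
# The symlink a user with write access to the tree can plant inside it.
ln -s "$WORK/protected/flag.txt" "$WORK/development/flag.txt"

# Backup job that follows symlinks: -h makes tar store the target's bytes under
# the link's name, so whoever can read the archive reads the target.
backup_following_links() { tar -chf "$2" -C "$1" development; }

# Hardened job: without -h tar records the symlink itself and never opens the target.
backup_keeping_links() { tar -cf "$2" -C "$1" development; }

# "leaked" if flag.txt went into the archive as a regular file (content copied),
# "safe" if it was stored as a symlink entry (no content), "missing" if absent.
archive_verdict() {
  entry=$(tar -tvf "$1" | grep 'development/flag.txt')
  case "$entry" in
    "")  echo missing ;;
    l*)  echo safe ;;
    *)   echo leaked ;;
  esac
}

backup_following_links "$WORK" "$WORK/deref.tar"
backup_keeping_links   "$WORK" "$WORK/keep.tar"
echo "tar -h : $(archive_verdict "$WORK/deref.tar")"
echo "tar    : $(archive_verdict "$WORK/keep.tar")"
```

Dropping `-h` is the narrow fix; the broader ones are to run the job as the owner of the tree rather than root, and to refuse symlinks or foreign-owned files in the source before archiving.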

Second way

![](https://lh5.googleusercontent.com/GZuZXSZpCX5mYyCcF_X-jUr2BgG9GpS0uka6tPljxBLvTO8fO1AdZkvNPTUMpt8ATKEPPS60bTFHxE0_kC0zBB0t3e1KjyVFstdl17oJYErADgaPT-Sgi7UXQVWts35woPDE58NC)

Create shell.sh

<div align="left"><img src="https://lh6.googleusercontent.com/TLOQxpsA3MQiPM-Mne74NSsYPyhg_l3Nyh9yTIcOihiADc7MTdUke1hxfOPQWh02Anqp-r7M8mNILdjRRUmYPrY3p2rrsarZ6h8vNiULe3lSC-8mxNPuoXVqlpevR1wVY-E8d87E" alt=""></div>

Make the file executable.

Set up an nc listener and wait to get root on port 8082

![](https://lh6.googleusercontent.com/zN3fSVF5E061vYGuyVfvSahUZrkYt8S422JKMOVeRkAFLri9oP3vUz3E-kaXJj2pZTUncIMEC69GRvu2tnMyvCABk0Ff8kt0QXLE-1_9zk4teVSs0kaCxVuaAKhgSwmckYgEAz8u)

