Olympus
Olympus - 10.10.10.83
Target Enumeration:
OS: Linux
IP: 10.10.10.83
User: 8aa18519aff3c528c46bf675d6e88719
Root: aba486990e2e849e25c23f6e41e5e303
Ports / Services / Software Versions Running
22/tcp filtered ssh
53/tcp open domain (unknown banner: Bind)
80/tcp open http Apache httpd
2222/tcp open ssh (protocol 2.0)
Vulnerability Exploited:
XDebug running on web server allows remote code execution.
Privilege Escalation:
Vulnerable docker container allows user to execute commands as the root user.
Exploiting the host:
Nmap
Nothing found on the webapp
One interesting header
Searching online leads us to:
https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface
So build the exploit in Burp.
Modify the Python script as follows.
Start the exploit script with nc listening on port 8889.
You will get a Python shell, so execute a Python command to send a shell to port 8889.
Once you have a shell, you will be inside a Docker container.
Check your IP address:
Looking around the file system, we find that very few tools are available, but there is a .cap file.
Move the file over to the Docker webserver to download it locally.
Now crack it with aircrack-ng.
This password does not work for SSH with the users zeus etc.
Also found this in the cap file:
Generate a userlist with as many things as you can think of and try all the passwords it could be.
Turns out that the user is icarus and the password is the SSID.
Log in and we find a new text file.
Add that to your hosts file.
Now do some DNS recon.
Looks like a port knocking sequence.
Send the sequence to the main host, which opens port 22 for about 5 seconds.
user:prometheus:St34l_th3_F1re!
Seeing that Docker is running, we will map the root directory of the host system to /tmp and see if we can read the flag.
Now that we have the root flag, we know we can play around with the file system.
We execute a reverse shell:
And receive our shell in return.
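The initial foothold above came from Xdebug being reachable on the web server. As an added example (not part of the original write-up), this script audits php.ini text for the settings that expose the step debugger to remote clients. The directive names are Xdebug's own (2.x and 3.x) and do not appear on this page; the sample configurations are constructed.

```python
import re

# Constructed sample configurations (not taken from the host in this write-up).
WEAK_INI = """
zend_extension=xdebug.so
xdebug.remote_enable = 1
xdebug.remote_connect_back = On   ; debugger dials back to the requester
xdebug.remote_port = 9000
"""
HARDENED_INI = """
zend_extension=xdebug.so
xdebug.mode = off
xdebug.discover_client_host = 0
"""
TRUTHY = {"1", "on", "true", "yes"}


def parse_ini(text):
    """Return the last-assigned value of each directive, lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # php.ini comments start with ';'
        m = re.match(r"([\w.]+)\s*=\s*(.*)", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip("\"'").lower()
    return settings


def audit_xdebug(text):
    """List findings for settings that expose the step debugger remotely."""
    s = parse_ini(text)
    # Xdebug 2.x uses remote_enable; Xdebug 3.x uses a comma-separated mode list.
    modes = re.split(r"[,\s]+", s.get("xdebug.mode", ""))
    debug_on = s.get("xdebug.remote_enable") in TRUTHY or "debug" in modes
    # With connect-back on, the debug session goes to whichever IP sent the request.
    connect_back = (s.get("xdebug.remote_connect_back") in TRUTHY
                    or s.get("xdebug.discover_client_host") in TRUTHY)
    findings = []
    if debug_on:
        findings.append("step debugging enabled")
    if debug_on and connect_back:
        findings.append("debugger connects back to any client address")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_xdebug(ini) or "no findings")
```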