Hacking
  • Penetration Testing
  • Methodologies
    • Exfil
    • Manual Enumeration
    • Basic Buffer Overflow
    • Basic Internal Network test
    • Basic Mobile Testing guide
    • Basic Subdomain Enumeration guide
  • Guides
    • Build A Raspberry Pi Dropbox
    • Golang
    • Powershell / PowerView
    • PurpleSharp
  • Hack The Box last updated - 2019
    • Legacy
    • Devel
    • Optimum
    • Popcorn
    • Beep
    • Tenten
    • Arctic
    • Cronos
    • Grandpa
    • Granny
    • October
    • Lazy
    • Sneaky
    • Holiday
    • Blocky
    • Shrek
    • Blue
    • Joker
    • Europa
    • Haircut
    • Bank
    • SolidState
    • Mantis
    • Shocker
    • Tally
    • Sense
    • Jeeves
    • Stratosphere
    • Inception
    • Bashed
    • Fluxcapacitor
    • Canape
    • Rabbit
    • Chatterbox
    • Nibbles
    • Sunday
    • Aragog
    • Valentine
    • Silo
    • Olympus
    • Poison
    • Celestial
    • Waldo
    • Jerry
    • Access
    • Active
    • Netmon
  • scriptz
  • Issues
    • gists
    • Boring Issues
Powered by GitBook
On this page
  • Olympus - 10.10.10.83
  • Target Enumeration:
  • Ports / Services / Software Versions Running
  • Vulnerability Exploited:
  • Privilege Escalation:
  • Exploiting the host:
  1. Hack The Box last updated - 2019

Olympus

Olympus - 10.10.10.83

Target Enumeration:

OS: Linux

IP: 10.10.10.83

User: 8aa18519aff3c528c46bf675d6e88719

Root: aba486990e2e849e25c23f6e41e5e303

Ports / Services / Software Versions Running

22/tcp filtered ssh

53/tcp open domain (unknown banner: Bind)

80/tcp open http Apache httpd

2222/tcp open ssh (protocol 2.0)

Vulnerability Exploited:

XDebug running on web server allows remote code execution.

Privilege Escalation:

Vulnerable docker container allows user to execute commands as the root user.

Exploiting the host:

Nmap

Nothing found on the webapp

One interesting header

Searching online leads us to:

So build the exploit in burp

Modify the python script as follows

Start the exploit script with nc listening on port 8889.

You will get a python shell so execute a python command to send a shell to port 8889

Once you have a shell you will be inside a docker container

Check your IP address:

Looking around the file system we find that we have very few tools available but we found a .cap file

Move the file over to the docker webserver to download it locally.

Now crack with aircrack-ng

This password does not work for ssh with the users zeus etc

Also found this in the cap file:

Generate a userlist with as many things you can think of and try all the passwords it could be .

Turns out that the user is icarus and the password is the SSID

Login and we find a new text file

Add that to your hosts file

Now do dome dns recon

Looks like a port knocking sequence

Send the sequence to the main host which opens port 22 for about 5 seconds

user:prometheus:St34l_th3_F1re!

Seeing how docker is running we will map the root directory of the host system to /tmp and see if we can read the flag.

Now we have the root flag we know we can play around with the file system.

We execute a reverse shell:

And receive our shell in return

PreviousSiloNextPoison

Last updated 6 years ago

https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface