# Olympus

## Olympus - 10.10.10.83

### Target Enumeration:

OS: Linux

IP: 10.10.10.83

User: 8aa18519aff3c528c46bf675d6e88719

Root: aba486990e2e849e25c23f6e41e5e303

### Ports / Services / Software Versions Running

22/tcp   filtered ssh

53/tcp   open domain  (unknown banner: Bind)

80/tcp   open http    Apache httpd

2222/tcp open     ssh (protocol 2.0)

### Vulnerability Exploited:

XDebug running on web server allows remote code execution.
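To check a server for this exposure, the added example below (not part of the original write-up) audits php.ini-style text for the Xdebug settings that let the debugger connect out to a remote client. It assumes the issue is the Xdebug 2 `xdebug.remote_enable` / `xdebug.remote_connect_back` pair or the Xdebug 3 equivalents; the function names and both sample configurations are constructed for illustration.

```python
TRUTHY = {"1", "on", "yes", "true"}


def xdebug_settings(ini_text):
    """Collect xdebug.* directives from php.ini-style text (';' starts a comment)."""
    settings = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower().startswith("xdebug."):
            settings[key.lower()] = value.strip("\"'").lower()
    return settings


def audit_xdebug(ini_text):
    """Return findings for debugger settings that accept remote clients."""
    s = xdebug_settings(ini_text)
    findings = []
    # Xdebug 2 directive names
    if s.get("xdebug.remote_enable") in TRUTHY:
        findings.append("xdebug.remote_enable is on")
        if s.get("xdebug.remote_connect_back") in TRUTHY:
            findings.append("xdebug.remote_connect_back is on: "
                            "the debugger dials back to whoever sent the request")
    # Xdebug 3 directive names
    modes = {m.strip() for m in s.get("xdebug.mode", "").split(",")}
    if "debug" in modes:
        findings.append("xdebug.mode includes debug")
        if s.get("xdebug.discover_client_host") in TRUTHY:
            findings.append("xdebug.discover_client_host is on: "
                            "the debugger dials back to whoever sent the request")
    return findings


# Constructed sample configurations (not taken from the target).
WEAK_INI = """\
zend_extension=xdebug.so
xdebug.remote_enable = 1
xdebug.remote_connect_back = On   ; convenient on a dev laptop
"""
HARDENED_INI = """\
; production: debugger off
xdebug.remote_enable = 0
xdebug.mode = off
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_xdebug(text) or "no remote-debugger exposure found")
```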

### Privilege Escalation:

Vulnerable docker container allows user to execute commands as the root user.
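The escalation depends on starting a container with the host's root directory mapped into it. As an added detection example (not part of the original write-up), the function below flags `docker run` / `docker create` command lines, for instance from process-audit logs, that bind-mount the host's `/`; the function names and sample command lines are constructed.

```python
import shlex


def _is_host_root(path):
    return path.startswith("/") and path.strip("/") == ""


def host_root_mounts(cmdline):
    """Return the mount specs in a `docker run`/`docker create` command line
    that bind the host's / into the container. Heuristic: every argument is
    scanned, so a matching flag passed to the container's own command also hits."""
    argv = shlex.split(cmdline)
    if len(argv) < 2 or not argv[0].endswith("docker") or argv[1] not in ("run", "create"):
        return []
    hits = []
    i = 2
    while i < len(argv):
        arg, flag, spec = argv[i], None, None
        if arg in ("-v", "--volume", "--mount") and i + 1 < len(argv):
            flag, spec = arg, argv[i + 1]
            i += 1
        elif arg.startswith(("--volume=", "--mount=")):
            flag, spec = arg.split("=", 1)
        elif arg.startswith("-v") and len(arg) > 2:
            flag, spec = "-v", arg[2:]
        i += 1
        if spec is None:
            continue
        if flag == "--mount":
            fields = dict(f.split("=", 1) for f in spec.split(",") if "=" in f)
            if fields.get("type") != "bind":
                continue
            source = fields.get("source", fields.get("src", ""))
        else:
            parts = spec.split(":")
            source = parts[0] if len(parts) > 1 else ""
        if _is_host_root(source):
            hits.append(f"{flag} {spec}")
    return hits


# Constructed sample command lines, as they might appear in process-audit logs.
COMMANDS = [
    "docker run --rm -it -v /:/tmp example-image sh",
    "docker run -d --mount type=bind,src=/,dst=/host example-image",
    "docker run -d -v /srv/www:/var/www:ro -p 80:80 example-image",
    "docker ps -a",
]

if __name__ == "__main__":
    for cmd in COMMANDS:
        print(host_root_mounts(cmd) or "ok", "<-", cmd)
```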

### Exploiting the host:

Nmap

![](https://lh4.googleusercontent.com/juj6lqbWZvWC2yPnckMFZzK-Ae0VDdykNokS2PWUvSuvfimVpsMR2DXwFb1q0pU2J2LoXUPtGpsOce28rUj6H4irQ-yw5s2NMOWWE6E5TI79DJTK9oiAG0Vcpta_eysQkuxoYW7f)

Nothing found on the webapp

One interesting header

<div align="left"><img src="https://lh3.googleusercontent.com/fxC4SC_gDVTtg5rtPqNvFqcsPVUtX710RfR-wC_41O23hcT4WIj73xAN2NJE6dFO6b77DAMXUyA2XJINvp7vNupfOyQJvdHkJJx2sKGsM45-a-9eo3LBHabVWKDlg0VJOcQmG2Pi" alt=""></div>

Searching online leads us to:

<https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface>

So build the exploit in Burp

![](https://lh3.googleusercontent.com/PllN3G8wpoXrXU3vsxe_MaaC1T-iZhmD6L6iYOGSg_sUweUinD1_FADQaBORGr1gL55JT89ySx0lkUE5uDSQR0kV7QXqUJ5zgbGwjtB2z1PkwlCnhQ_qphZ0b2bxTQdPrEtqAdrc)

Modify the Python script as follows

![](https://lh6.googleusercontent.com/0mLssqLIySGweH97bzZWbiwf_623ptJUCizTipMY0vFnx8g30_anWxXnRSd2Hd5aeUaXxjKpCSsj-d3q47KjS2F05X7P00rHdsIJxpukK0E0E4PdWaNMMVlzmI27VpIKFM5nIkaI)

Start the exploit script with nc listening on port 8889.

You will get a Python shell, so execute a Python command to send a shell to port 8889

![](https://lh6.googleusercontent.com/6XjiFo2CpvsfLaRh6kqx3TtsOuJiZS4o7xY4RrkGRFGnvl6BQlbB2J2ue0D4L88Ep6cnlfPolMGmNU3JaDkWQy0q8X_Lbs8OpEJNLnoK470xTyJSEIjnn0C5ogSgUmK2I6jXOXrM)

Once you have a shell you will be inside a docker container

![](https://lh4.googleusercontent.com/XBQAOwuJcz19D2ZKNgKQqsRL8ITTcEQeNrQu1zxMdOvq2dGCiZMWbsnBjFg6mDZeAwL1HQGhbILgIPSDWwn4SYJK6_JmZPci_vMBxKNC5LaV6BVwMAWYeZuRIU4hikU8r9kg0pGE)

Check your IP address:

![](https://lh6.googleusercontent.com/EST44X9juO8pqvifUsQzB6-mAVVn1oYEHHVuGziSsHZadLw9Z7dowEnsA6DHmdIb0hgnPflhbyI7qsVD3ajyRd22UQzpt5K80SbH0RHIPkb9eINTKZPKouaOgh5Xa9JTl3AHPmwu)

Looking around the file system, we have very few tools available, but we find a .cap file

![](https://lh6.googleusercontent.com/01OiT2kuoruUaBU6an_RE6er0bHgaCD9TJAE83pN-jaI3fkL5vTuZb16467_C5L4fHe8gpa901MubDGaplDFvGWAWg0h3P4ExqWbgRJO0ja7JuIvNbQpS2VUg9BwoI59aebZq3NP)

Move the file over to the docker webserver to download it locally.

![](https://lh3.googleusercontent.com/r_VAR-R5m7AVTC4VfMhiVonGd9dJDep3F7huR7WbJWYM9GumAG8iqCq4r5uYYku8yIPsJJzEFGAKc8f0N3M9cMTrsHdyLpKIo6GsxXYQMNxV6tOk4nfD8fmTqGjyICTG97WRlcGA)

Now crack with aircrack-ng

![](https://lh3.googleusercontent.com/ZsKXa6yQh-Az6EYcyG2kfDfY5TRvhTxDnaPqsQd-7hx_qRyodXmItg-4CnqqO7yN-QM5WuTj5xTmzcVObLCRg8WiZfCNh3d4SMl8gxl9oBFBupi8A4cWLVU8BXjf8wk6BJZ3xbA2)

This password does not work for SSH with users such as zeus

Also found this in the cap file:

<div align="left"><img src="https://lh6.googleusercontent.com/tOuflHwDxwDkXXLA5csUi1G-mwr5g9Qfdg3I1ygzV3Smn1gN_VkUgxnsy5Ipc01JxjUQUKPVyxYl714iFYINy1-0zCu3aP-UZV0tl-nWG1DdC2n1dz5hAGqFSdCbenjcZJKFD6oi" alt=""></div>

Generate a user list with as many things as you can think of and try all the passwords it could be.

<div align="left"><img src="https://lh6.googleusercontent.com/x80UwDgtkInyd175D8vzstEtf_yerKT0p80t_QGB-QIXyQam4ACiJiOFpveHUFNHFsj6UpYXFilccNSfZsC-Xo9jFTGofZLLJLc-OwCS6gABsMC5GyPOXDJOUldYsAW71WxZ3fcO" alt=""></div>

Turns out that the user is icarus and the password is the SSID

![](https://lh3.googleusercontent.com/nwO5fhau6PntngtdKH309palDPvIBzc3GGroXxSnH7ZVRugq2yh4TDE7sx1OzH3WVzk2LjyT2Gh1Ul86oggyg2gQ91MzjoYIBbwg_Mbb2WU5pE-h78Vqkvh9kzGhCm7nqueLS9xZ)

Login and we find a new text file

![](https://lh4.googleusercontent.com/6T5h40VQ2W1uKXKDZ539OD05ESgm8pC1fAKWcDr9YwgS8YKwXa7eX4Naxf49srzEIbnrlLVQ4fqNhw_tx7QiU0PKMe3I6tlS2U3Fz371MU0yjg7OZopqkTKASIb3J1snTKAZStH8)

Add that to your hosts file

<div align="left"><img src="https://lh3.googleusercontent.com/FmnTO3dS-wjHsyoC5SKr5YkcHBGn13OC_TFCfSHeo19yvSJWwtXbSnRIA_mdttVBf9QCYh9FcE6iUaT2GECWOU2HUS4vcoE5w8Wf0e7Gu_-wDeORgjLYj-eX3iwfF2yog-JSy3vi" alt=""></div>

Now do some DNS recon

![](https://lh3.googleusercontent.com/hr7FuqjIfzCFR1MKBJCuSiv1aA52B8g8nKrO9JCHbDKnlLrdIYcl46oJ7jvdCp0ZE7vs0jFWF16WdCZokaiGucMEe3-eHyJrEOvXRvBtm9AMpXhoouXfshHszCYe4A497F-LE-1B)

Looks like a port knocking sequence

Send the sequence to the main host which opens port 22 for about 5 seconds

user:prometheus:St34l\_th3\_F1re!

<div align="left"><img src="https://lh5.googleusercontent.com/ywlTww5YMCarkfBUNf-d6yWyzxO_lSc3PPUHu9DbZYnUI1QOXVEwNTV0--qMzhL5v-4nFpe4Mppz0Vo8SQUUZL0duEV5pD06BqJMoBUEvnlCZL_eT1bbQk5oaZ1H5WQLTxV7T6_7" alt=""></div>

Since Docker is running, we will map the root directory of the host system to /tmp and see if we can read the flag.

![](https://lh4.googleusercontent.com/Aps42K5dejpoSB5SO1VTuy6JxIFV5mTEt85pbAamglhQcdeDGB2SOHoM4iq4bUZy5H90ncRfxp-bzhMEBbk01pRVI0adKq2En_ByhpcufisAX3KIuRpILf1VCpSW1SIkPHSmGyNI)

Now that we have the root flag, we know we can play around with the file system.

![](https://lh3.googleusercontent.com/qiQarUvrnvDKBGk0jNsNtJYBUAQnkzCpvyG0KBxTvw2gXko0qMPAR0qk6EHJtU0ec1vAcH9XT4hiT0ytcPAh-LhZB-_g9B7Zm9YHX53fmEGC0bHusSiP426Rn2PtXMf_4Hz0TeBx)

We execute a reverse shell:

![](https://lh3.googleusercontent.com/KyyhcJZyVh7H4wHDFDWuXEtEj1OPtyrVrM7RtbTP-S0tjxiwnuAP5tNfgKpuxF3zBkngQg4Lm76VTJEJx_miLotizoPMcqQcpnlzc8NKaV2lXnT94xALIVqWPI4E91tivcSTBZXY)

And receive our shell in return

![](https://lh6.googleusercontent.com/PMMfynDMZTV8qMzkgwyl3yTG9Aj-Ctlc4YLwhTJqGINLIt8EVPXWKklZlNVIxiUC2gxvrBjhbuarWfV3VWoJqB1URcaXWtT6MjLSIe8NkYvOpqTtk3uFDsVKh9C8-vj0-OPoDxOY)


