In this article I’ll show you guys how I pwned Olympus machine on Hack the Box.
First thing we need to do is enumerating ports. I will be using masscan for quicly enumerating all ports.
I recommend you to use this awesome tool.
There are some ports opened. Lets run nmap for more information.
Apache is running in port 80. We have a web page.
Lets check it first.
There is a picture as background of body. I looked the source code of the page and nothing is usefull. So I thought maybe thats a steganography challenge ?
Downloaded that image and run steghide and binwalk on it. And I got nothing.
And I decided to take a look at the server response, maybe I can find something.
Yeah. Thats realy interesting. Xdebug is a PHP extension for debugging.
That header also tells us the version of xdebug. I searched on google and I saw that version has a vulnerabilty.
I wrote a simple script that drops me a reverse-shell.
Enumeration from the inside
I am www-data now. Thats good but I realized that box is actually a docker container.
That means we are not inside the real box. Anyway, I found a zeus username in /etc/passwd file. I looked the /home/zeus dir.
I saw airgeddon folder, here:
That captured folder is interesting. I looked inside and:
That message maybe could help later.
I copied that file using netcat. When you transfering something always make sure the file is not broken, check the md5sum.
I dedided to crack the file.
SSID: Too_cl0se_to_th3_Sun noted.
After 20-30 mins later aircrack-ng cracked the file.
The password is flightoficarus
I tried to connect to the machine using ssh with username zeus and passwords I found, but didn’t worked.
Than I thought, I know I am in a docker container. There isn’t another user on that container.
There must be another container or actual box itself.
So I tried with username icarus and passwords I found. It worked.
icarus is the right username, and the password is Too_cl0se_to_th3_Sun
Found something interesting again. ctfolympus.htb
Lets add this domain in our /etc/hosts file.
I already checked that dns service I found earlier with nmap.
But I didn’t find anything. Lets check again.
This message looks interesting..
As I could understand there is another place to go. 3456, 8234, 62431 these numbers also weird.
prometheus must be a username, St34l_th3_F1re! must be password. I tried with ssh again but didn’t worked.
I was stucked here. But my friend Kunal told me about port-knocking.
I searched on google and found these great articles.
Basicly the port 22 is opened but hidden. We can’t access directly. But if we knock specific ports in a particular order, knockd service catch that sequence and allow us to connect.
Doen’t matter if that ports closed or not.
In the home folder of prometheus there is a message from gods.
That message I think useless.
I’m in docker users group. Thats important.
Lets have a look at docker images and containers.
I want root flag, right ?
Docker allow us to share our data between our machine and docker containers. So all I need to do is bind the /root partition and I can read what I want..
It will create new container and execute the /bin/bash for us. –rm flag means delete the container when we exit.
Or we could use like this for just grab the flag..
Almost forgot, I wanna show you guys how knockd daemon configured on this machine. Check this.
Thats it for Olympus. I learned a few things from this machine.
If you have a question or something you can leave a comment.
See you guys later.