The description for this box states: "HackinOS is a beginner level CTF style vulnerable machine." If this is "beginner", I'd hate to see intermediate. That being said, this was a fun box because it was much more complex when compared to other boxes you'll find on Vulnhub. There's also a little bit of everything with the different avenues of exploration and exploitation. It's sprinkled with a few rabbit holes as well and I'll admit, I followed a couple. To top it off, this box also gives us the opportunity to write a little bit of code which I initially tried to do in Bash (I ended up using PHP) but I couldn't get it to work for whatever reason. I don't want to dig too much into that now but I'll go over it later when we arrive at that point in the enumeration process.
Kicking off with an Nmap scan:
I was tasked with searching for data within Word and Excel files similar to something I'd written a while back but an expansion of that original request. Instead of searching for a specific term within the filename, we are now searching inside of the files looking for a specific phrase. When I was finished, I gained some additional knowledge -- some good and some not so good. I started out with a myopic mindset but realized the gravity of the situation once I moved from my test environment to the live system.
That's not to say that it doesn't work so let's walk through the test situation and then I can elaborate on the issues.
We start off with our test folder which contains a dozen or so Excel files. Within a couple of those Excel files, I've inserted a username and password. In one of the folders, I've created a subfolder to ensure the -Recurse function was working.
Funny story -- I have a number of virtual machines setup for various types of exploitation such as the machine I used below for this RID Hijacking post. When I'm done with the exploitation, I will revert them back to their previous state to keep things clean and in order to have a fresh slate for my next "project".
After finishing up this post, I reverted the machine to a point further back than I thought and I was unable to login to the machine with the known password. Quickly thinking, i was confident the box was vulnerable to MS17-010 but I was incorrect. :\
This particular machine is hosted on a Xenserver hypervisor which allows you to detach the disk and reattach it elsewhere -- which is what I did. Upon accessing the drive from another virtual machine, I changed the utilman.exe executable with a meterpreter executable. I then reattached it to the original host. If you're not familiar with this hack:
I stumbled upon a vulnerable version of Oop CMS Blog which according to Exploit-DB is vulnerable to SQL Injection. In order to better understand what I was dealing with, I downloaded the software and I installed it on the same operating system as the target server. Looking at the comments on Exploit-DB, the injection points seemed relatively easy and I thought this was going to be a quick kill. Due to a variety of different circumstances, I could never get from point A to point B in a single shot. In the end, I wound up combining a few different pieces in order to get that initial shell.
From a web browser, we take a look at the site:
SP: eric is one of the newer releases from Vulnhub and when I first started enumerating it, I spotted the .git directory. Right off the bat, I figured that wasn't there by accident and I started Googling to find more information. After a minute or so, I discovered a post titled: "Don't publicly expose .git or how we downloaded your website's sourcecode" which lead me to a collection of tools written that facilitate data from sites where .git is exposed.
While I was working through this box, I was reminded of a Defcon talk, "Hacking Git", which I believe is along the same lines. A quick search found some tools related from that talk but I wasn't as successful at extracting data as I was with the tools above so as far as I can tell, this is the quickest path to get where you need.
Anyway, I kick off with an Nmap scan:
I'm working on another box but I can't root it. The initial foothold is very unique and even though I was tempted to write up just that part, I really want to do a full write-up so I'm holding off. After banging my head far for too long and spending more time than I allot for these diversions, I decided to step back from it for a day or two. In my "cooling off" period, I fired up another newly released box from Vulnhub titled "RootThis".
Before I get started with the walk-through, let me point to a post I'd recently written: Drupal to Reverse Shell
The timing of these articles couldn't be better. Spending the time working with Drupal and then coming across this box made my life so much easier.
Let's not get too far ahead --