
Hack the Box Academy: Getting Started, Knowledge Check

Difficulty Level: Easy
Challenge link Getting Started

Background

Information security is a broad field that has many specializations like:

  • Network and infrastructure security
  • Application security
  • Security testing
  • Systems auditing
  • Business continuity planning
  • Digital forensics
  • Incident detection and response

If you are here, you have probably just started exploring these domains and have (hopefully) completed the Getting Started module on HTB Academy up to the Knowledge Check section. Congratulations on taking the first step in your infosec career. This module introduces the following foundational concepts, which you will use to complete the challenge:

  • Enumeration/Scanning tools
  • Web footprinting/Fuzzing
  • Exploitation
  • Privilege Escalation

Although this module does a great job of explaining how to exploit a simple web app, a real-world pen test will involve more detailed steps. I recommend finding a penetration testing [framework](https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies#:~:text=The Penetration Testing Framework (PTF,Discovery %26 Probing) to follow and teaching yourself how to document each stage.

Walkthrough

Say we were using the PTES to do our 'pen test'.

The Penetration Testing Execution Standard (PTES) defines penetration testing as 7 phases. In particular, the PTES Technical Guidelines give hands-on suggestions on testing procedures and recommendations for security testing tools. These stages are:

  • Pre-engagement Interactions
  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

Pre-engagement Interactions

During this pre-phase, the penetration tester outlines the logistics of the test, expectations, legal implications, objectives and goals the customer would like to achieve.

During the Pre-Engagement phase, the penetration tester should work with the client to fully understand any risks, organizational culture, and the best pentesting strategy. The client may want a white box, black box, or gray box penetration test. It’s at this stage when the planning occurs along with aligning goals to specific pentesting outcomes.

In our case, we will be doing gray-box testing since we already have some information about the target. The pre-engagement phase will include gathering the tools required to perform our challenge. These are:

  • Operating system: Kali Linux
  • Software: Nmap, Metasploit Framework, Feroxbuster, FFUF, Python

Intelligence Gathering

Open Source Intelligence (OSINT), in the simplest of terms, is locating and analyzing publicly (openly) available sources of information. The key point is that this intelligence gathering process aims to produce current and relevant information that is valuable to either an attacker or a competitor. For the most part, OSINT is more than simply performing web searches across various sources.

We begin with an Nmap scan of the IP address provided in the challenge. The results of the scan are:

  • The machine IP is 10.129.133.157
  • Active scanning with Nmap to find open ports
  • Port 22 running an SSH service on an Ubuntu server
  • Port 80, the default port for HTTP, running an Apache server, version 2.4.41

WhatWeb confirms the following services running on the target:

  • Apache/2.4.41 (Ubuntu)
  • Script[text/javascript], Title[Welcome to GetSimple! - gettingstarted]

Gathering victim host information

Navigating to the IP address on port 80 reveals a web service called GetSimple running on the target.

Clicking the hyperlinks on the home page does not give much information about the target, so we move on to other tactics.

We check whether there is a robots.txt file that could give further information about the web service. This reveals a disallowed /admin/ directory, which we navigate to and find a login page.

Scanning & Enumeration

Wordlist scanning of the root directory reveals the following directories and pages:

  • Admin. Here we have the login page
  • Backups. Contains files similar to those in the data directory
  • Data.
    • Under /data/other/logs there is a file showing failed logins, and we notice that the login failed because of a wrong password; the username admin itself was not rejected, which confirms it is a valid username
    • Under /data/users we find XML files that reveal credentials to be used on the login page
    • Under /data/cache we have a .txt file that warns that the version of the service is outdated: it is 3.3.15 and the latest is 3.3.16
  • Plugins. We notice many PHP files uploaded to this directory. This could be valuable to us later
  • Robots.txt. This shows the disallowed admin directory that contains the admin login page
  • Server-status
  • Sitemap.xml
  • Theme. This doesn't seem to have valuable info that can be used to attack the target

So far we have a username (admin), a potential password (d033e22ae348aeb5660fc2140aec35850c4da997), a version (3.3.15), and a suspicion that the web app allows PHP uploads, but we have yet to figure out an interface through which to make the upload.

Threat Intelligence and Vulnerability Assessment

We can check whether there are known vulnerabilities associated with the version of the web service running on our target. Let's also search for public exploits related to GetSimple version 3.3.15. There are many, but the two that I select are GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit) and GetSimpleCMS PHP File Upload Vulnerability.

Resource development

  • We have our username, a password, and an exploit that we can use to gain access to the target
  • I suspect that the password given is a hash, so I save it to hash.txt and use john to crack the password. The cracked password is admin
  • We now have everything we need to exploit the target and gain an initial foothold
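The hash recovered from /data/users and the john step above can be reproduced and explained with the following Python example (added here, not part of the original writeup). It identifies the digest type from its length, checks it against a small constructed wordlist the way a dictionary attack would, and then shows the salted, iterated storage (PBKDF2-HMAC-SHA256) that would have made the leaked value useless; the wordlist and the helper names are my own assumptions.

```python
import hashlib
import secrets
from typing import Iterable, Optional

# Value quoted from the writeup: the credential found under /data/users.
RECOVERED_HASH = "d033e22ae348aeb5660fc2140aec35850c4da997"

# Constructed mini wordlist standing in for john's default list.
WORDLIST = ["password", "123456", "letmein", "admin", "getsimple"]


def identify_hash(digest: str) -> Optional[str]:
    """Guess an unsalted digest algorithm from its hex length (same heuristic hashid/john use)."""
    by_length = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
    if not all(c in "0123456789abcdef" for c in digest.lower()):
        return None
    return by_length.get(len(digest))


def dictionary_match(digest: str, words: Iterable[str]) -> Optional[str]:
    """Return the candidate whose unsalted digest equals `digest`, or None.

    This is exactly why an unsalted fast hash is weak: one hash per candidate, no salt,
    so the work can be precomputed and shared across every user and every site.
    """
    algo = identify_hash(digest)
    if algo is None:
        return None
    for word in words:
        if hashlib.new(algo, word.encode()).hexdigest() == digest.lower():
            return word
    return None


def pbkdf2_store(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> str:
    """Defender side: salted, iterated storage. Format is my own: algo$rounds$salt$dk."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return secrets.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(identify_hash(RECORDED := RECOVERED_HASH), dictionary_match(RECORDED, WORDLIST))
    stored = pbkdf2_store("admin")
    print(stored, pbkdf2_verify("admin", stored), pbkdf2_verify("wrong", stored))
```

Running it prints `sha1 admin`, matching john's result, and then a PBKDF2 record for the same password that cannot be checked without the per-user salt and the iteration cost.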

Exploitation

Let us log in to IP:PORT/admin using the credentials that we found earlier, admin:admin.

tags: HTB Getting Started Web Exploitation