Hackthebox Attended WriteUp (PART 1)

Overview:

Attended is one of the craziest hard machines on Hackthebox, and it includes exploiting a binary file. The foothold is phishing via the SMTP port and taking advantage of a vulnerable Vim version to get code execution. After getting into the machine there is another host running on port 2222, and there is an authkeys executable. After analyzing this authkeys binary and starting the binary exploitation, it allows writing an SSH key into the root directory and gives access to root. The first part of the blog will explain the foothold and part 2 will explain how to exploit that binary. With all that being said, let's just jump in!

Reconnaissance:

The Foothold:

Set up a simple SMTP server with Python's smtpd module to receive mails.

After a few minutes the Python server received a message back from the server. And there is a user called freshness? So let's send an email to him.

Looks like he wants us to attach a file, so let's attach one.

He will open Vim immediately. So is there a Vim command execution vulnerability that would make him execute commands for us?

After Googling around, I found this GitHub page that has what we wanted.

Send this payload to ping myself. And I got a ping back, so we have code execution now.
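From the defender's side, the interesting question is how an attachment that merely gets opened in Vim ends up running commands. Vim reads modelines (`vim:` / `vi:` / `ex:` markers) from the first and last few lines of a file, so a mail gateway or an endpoint check can at least tell which attachments carry one and which set options outside a known-benign layout set. The following script is an added example written for this writeup, not code from the original post or from the GitHub page it links; the `BENIGN_OPTIONS` allowlist and the sample attachment are constructed assumptions, and the five-line window is Vim's default `'modelines'` value.

```python
import re

# Vim inspects only the first and last 'modelines' lines of a file (default 5).
MODELINES_WINDOW = 5

# A modeline marker is vi:, vim:, Vim: or ex: preceded by whitespace or line start.
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$')

# Options a gateway treats as plain layout / filetype settings.
# Assumption: this allowlist is site policy, not anything Vim itself defines.
BENIGN_OPTIONS = {
    "ts", "tabstop", "sw", "shiftwidth", "sts", "softtabstop",
    "et", "expandtab", "noet", "noexpandtab", "ft", "filetype",
    "tw", "textwidth", "ai", "autoindent", "si", "smartindent",
    "fenc", "fileencoding", "ff", "fileformat", "syn", "syntax",
}


def extract_option_names(body):
    """Return the option names set by a modeline body, with values stripped.

    Handles both modeline syntaxes documented in ':help modeline':
      'set opt=val opt2 ... :'   and   'opt=val:opt2=val'
    """
    body = body.strip()
    m = re.match(r'^(?:se|set)\s+(.*?)(?::|$)', body)
    parts = m.group(1).split() if m else re.split(r'[\s:]+', body)
    names = []
    for part in parts:
        if part:
            # cut off '=value', '+=value', '^=value', '-=value', '<' forms
            names.append(re.split(r'[=<>^+\-]', part, maxsplit=1)[0])
    return names


def find_modelines(text, window=MODELINES_WINDOW):
    """Return (lineno, line) pairs inside the head/tail window that carry a modeline."""
    lines = text.splitlines()
    n = len(lines)
    # union of head and tail indices, deduplicated for short files
    indices = sorted(set(range(min(window, n))) | set(range(max(0, n - window), n)))
    return [(i + 1, lines[i]) for i in indices if MODELINE_RE.search(lines[i])]


def audit_modelines(text):
    """Report every modeline and the options it sets that fall outside the allowlist."""
    findings = []
    for lineno, line in find_modelines(text):
        body = MODELINE_RE.search(line).group(1)
        names = extract_option_names(body)
        findings.append({
            "line": lineno,
            "modeline": line.strip(),
            "options": names,
            "suspicious": [o for o in names if o not in BENIGN_OPTIONS],
        })
    return findings


# Constructed sample attachment: a harmless layout modeline on top and an
# unexpected option ('makeprg') in a trailing modeline.
SAMPLE_ATTACHMENT = """# vim: set ts=4 sw=4 et ft=sh :
#!/bin/sh
# constructed sample script used to exercise the audit
echo "building"
make all
echo "done"
exit 0
# vim: set ft=sh makeprg=build :
"""

if __name__ == "__main__":
    for f in audit_modelines(SAMPLE_ATTACHMENT):
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f'line {f["line"]}: {verdict} {f["modeline"]!r} -> {f["suspicious"]}')
```

The allowlist approach errs on the side of flagging, which is the right default for content that arrives by mail. On the endpoint itself the simpler mitigation is to keep `set nomodeline` (or `set modelines=0`) in the vimrc of any account that opens untrusted files, so a crafted attachment cannot change editor options at all.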

The previous email said to check the /home/shared folder, so let's have a go at it. Since we can't just ls -la to see the output, we need to make a request that hits a web server we host. The payload looks like below.

We got a hit on the web server; let's decode it.

And there is a config file in the /tmp directory.

Run strings on this file and we are able to see its contents.

From the email, freshness said that he will test the /home/shared/config file. So it's likely there is a cron job from freshness that tests the SSH config, and the guy also has write access to the /tmp folder. Therefore, we can leverage ProxyCommand from the SSH config.
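The lesson for anyone who runs scheduled SSH tests is that an ssh_config is executable content: ProxyCommand, LocalCommand and Match exec all run a program on the client, so a config file that lives in a directory other users can write to hands them that execution. The script below is an added example for this writeup, not code from the original post; it parses an ssh_config-style file, reports the command-running directives, and checks the file's ownership and permissions. The sample configuration is constructed, and the list of flagged keywords is an assumption about what a reviewer would want to see, not something taken from OpenSSH.

```python
import os
import re
import stat

# Client-side directives that cause ssh to run a program (assumption: reviewer's list).
COMMAND_DIRECTIVES = {"proxycommand", "localcommand", "permitlocalcommand", "remotecommand"}


def parse_ssh_config(text):
    """Yield (lineno, keyword_lowercase, argument) for every directive.

    Accepts both 'Keyword value' and 'Keyword=value' forms; comments and blanks are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        argument = parts[1] if len(parts) > 1 else ""
        yield lineno, keyword, argument


def audit_ssh_config_text(text):
    """Return findings for every directive that makes the ssh client execute a command."""
    findings = []
    scope = "(global)"
    for lineno, key, arg in parse_ssh_config(text):
        if key in ("host", "match"):
            scope = f"{key} {arg}"
            if key == "match" and re.search(r"\bexec\b", arg, re.IGNORECASE):
                findings.append({"line": lineno, "scope": scope, "keyword": key,
                                 "detail": f"Match exec runs a command while the config is evaluated: {arg}"})
            continue
        if key in COMMAND_DIRECTIVES:
            findings.append({"line": lineno, "scope": scope, "keyword": key,
                             "detail": f"{key} runs a program on the client: {arg}"})
    return findings


def audit_ssh_config_perms(path):
    """Return permission problems that would let another local user control the file."""
    issues = []
    st = os.stat(path)
    if st.st_uid != os.getuid():
        issues.append("file is not owned by the user running the audit")
    if st.st_mode & stat.S_IWGRP:
        issues.append("file is group-writable")
    if st.st_mode & stat.S_IWOTH:
        issues.append("file is world-writable")
    parent = os.path.dirname(os.path.abspath(path))
    dmode = os.stat(parent).st_mode
    if dmode & stat.S_IWOTH:
        # A sticky bit stops other users replacing an existing file, but not
        # pre-creating the path before the owner does.
        note = " (sticky bit set)" if dmode & stat.S_ISVTX else ""
        issues.append(f"parent directory {parent} is world-writable{note}")
    return issues


# Constructed sample ssh_config used to exercise the audit.
SAMPLE_CONFIG = """# constructed sample ssh_config
Host bastion
    HostName 10.0.0.5
    User deploy
    ProxyCommand ssh -W %h:%p jump.example.internal

Host *
    ServerAliveInterval 30
    PermitLocalCommand yes
    LocalCommand logger ssh-session-started
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path) as fh:
            text = fh.read()
        for issue in audit_ssh_config_perms(path):
            print(f"PERMS: {issue}")
    else:
        text = SAMPLE_CONFIG
    for f in audit_ssh_config_text(text):
        print(f'line {f["line"]} [{f["scope"]}]: {f["detail"]}')
```

Run it with the path of a config that a cron job or test harness feeds to `ssh -F`; any directive it lists is acceptable only when the file and its directory are writable solely by the account that runs the job. A test config kept under /tmp fails that test regardless of its contents.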

Send it and SSH login to freshness's machine.

Privilege Escalation:

Looking at the note, I noticed there is another host running.

Build a simple bash script to scan for running ports on the machine.

This new host is running on port 2222.

Next, there is an authkeys binary, and in PART 2 I will explain how to exploit this binary file. It's the craziest part of this box!

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP