Scavenger — HackTheBox Write-up
Scavenger is a Linux machine that involves a lot of enumeration, SQL Injection through WHOIS service, analyzing a PCAP file,an access log file and privilege escalation through a Linux Kernel module!
As always the write-up starts with an nmap
There are six open ports, the web-page gave me a virtual hosts configuration error.
I tried to do anonymous login to the
vsFTPd service but it is disabled so I wasn’t able to get anything from this service.
whois service which uses a
MariaDB database, I was able to confirm that it is vulnerable to some
SQL Injections that leads me to four domains.
Putting a basic
SQL Injection payload
a’) OR 1=1#” shows
whois results on the following four domains:
- hxxp://www.supersechosting.htb — a static site
- hxxp://www.justanotherblog.htb — a static site
- hxxp://www.pwnhats.htb — runs on Prestashop
- hxxp//www.rentahacker.htb — runs on Wordpress
On four domains I performed directory scanning but didn’t give me anything useful. I was able to to find a few PoC exploits on
rentahacker virtual-hosts but its a dead end.
When I zone transferred on the
hxxp://www.rentahacker.htb it gave me a list of hosts of
When I browsed the subdomain
sec03 it was already been hacked by another team.
On the comments section from the
hxxp://rentahacker.htbit was revealed that they were already pwned by the team
Since the website was already pwned by a hacker team, I looked for potential backdoors that was left by the hackers. So I performed another directory scan on the
One of the interesting results from the directory scan was the
shell.php. Fuzzing the parameters gave me the
hidden parameter, which I can use to perform command injections through the web shell.
Initial Foothold and Privilege Escalation
shell.php?hidden= is a web shell backdoor that was left by the hackers who pwned the machine. Now that I was able to get an initial foothold on the machine, the first thing that came to my mind is to look for configuration files that contains hard-coded passwords.
Going to the
config directory of the
wordpress, I was able to get the password for
Using the credentials of
ib01c03 user to login on the
FTP service gave me a better shell to enumerate the files inside the machine.
The next thing that I did was enumerate more directories and files inside the machine as the
ib01c03 user. I came across on the
/var/mail files and transferred the file
ib01c03 and fortunately I got another credentials for
Logging in as the
ib01ftp user, I was able to get some important files from the
The directory contains an
access log file, a
PCAP file, and a
The note says that the hackers who pwned the machine knows the valid credentials and abused a specific vulnerability that gave them access to the server.
PCAP file I was able to get the credentials for the
The password also works for the
Privilege Escalation to Root
I generated an
ssh key and uploaded it to the ssh directory but it didn’t worked since I don’t have a permission to upload files through FTP.
/home/ib01c01/... directory, there was a Kernel module rootkit that was probably left by the hackers. Going back to the
PCAP file, I was able to view the code of the
root.ko file and its magic word!
Using the magic word
g0tR00t doesn’t work, it might be already changed from the machine. By viewing the first few lines of the
root.ko module I was able to see some words that might be the magic word. Also since the word
g0tR0ot doesn’t work, I tried the combinations
g3tPriv as the magic word, I was able to view the contents of the
root directory which means I already have
root access on the web shell.
But the web shell with the rootkit payload isn’t enough. I uploaded my ssh keys to the
ssh folder on the
root directory to get a better interactive shell!
Unfortunately, it still asks for
So the reason why I cannot ssh using
root user is because the group
support is only allowed to perform ssh logins.
Also outgoing connections are only gonna work if it comes from port 20.
So to bypass all these configurations, first thing I did was to delete the first line on the
Then restart the
After restarting the
ssh.service I made sure that I successfully deleted the first line on the ssh configuration.
Now that I successfully deleted the first line on the ssh configuration, I uploaded my ssh keys to the
/root/.ssh/authorized_keys and was able to login successfully as root!
echo+"g3tPr1v"+>+/dev/ttyR0%3becho+"Put your keys here"+>+/root/.ssh/authorized_keys
Change the file’s permission!