Hack the Box (HTB) machine walkthrough series: Vault

January 14, 2021 by Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named Vault.

HTB is an excellent platform that hosts machines running multiple OSes, along with some other challenges. Individuals have to solve a puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Vault, is retired.

Let’s start with this machine.

The walkthrough

  1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
  2. The “Vault” machine IP is
  3. We will adopt our usual methodology of performing penetration testing. Let’s start with enumeration in order to learn as much information as possible.
  4. As usual, let’s start with the Nmap scan to gather more information about the services running on this machine.

    nmap -sC -sV -oA Vault

  5. Let’s start the enumeration with port 80. Below is the page we get on port 80.
  6. Based on the above, it looks like Sparklays may be a sub-directory under the web root.
  7. We’ll add that to the base URL and brute-force the directory names using Gobuster.
  8. We found a design directory under Sparklays. Enumerating that further, we also found uploads and design.html.

  9. Except for design.html, we got access denied on all the pages. On design.html, there is a way to upload a logo, so we can check whether it accepts a reverse shell.

  10. Intercepting the responses using Burp, we can fuzz the PHP extension (as shown below) and all the variants of possible PHP formats.

  11. After triggering, we can see the response length of php5 is different and it shows the message of a successful upload.

  12. After modifying the file extension to php5 and accessing it under uploads directly, we got a reverse shell back:
  13. Enumerating Dave’s directory, we found some folders. Under shh, we got a phrase.
  14. Using that to SSH as “dave” worked.
  15. Continuing the enumeration under Dave’s home directory, we got a key and servers list.
  16. Interestingly, the servers list is on a different interface, which means that further enumeration needs to happen on the devices on that interface.
  17. We need to start the enumeration further on the above two IPs. We got hits on port 80.
  18. In order to access that, we need to do the port forwarding locally.
  19. Let’s access it now. We can see that we got two links to modify and test the VPN configurations.

  20. We can abuse it, as shown below with the listed reverse shell.
  21. Let’s open a listener on the Ubuntu box, as shown below. After executing the above, it throws a reverse shell back.
  22. We can enumerate to collect the user.txt flag.
  23. Let’s try to SSH from Ubuntu to the DNS server as Dave.
  24. Once we are on the DNS server, we can see that Dave is part of the sudo group and can execute all commands as root.

  25. On the DNS box, we have the following entries. It connects to the Vault box as well.
  26. Enumerating the Vault box from DNS results in the following service hits.
  27. Looking into the log events, we can see how the Ncat command should be run, i.e., with a source port of 4444, connecting to port 53.
  28. Enumerating the services with source port 4444 reveals the expected port 987.
  29. Checking the service behind that port reveals an SSH service.
  30. From the DNS machine, we can run SSH with the switch to run a proxy command and connect to the machine as Dave.
  31. Now that we are on the Vault machine, we find the root flag in GPG format, encrypted with an RSA key.
  32. Back in the Ubuntu machine, we have got some GPG keys.
  33. So, we have to bridge the gap from Ubuntu to DNS to Vault. Let’s do port forwarding from DNS to Vault and then access the forwarded port on DNS to fetch the GPG back to Ubuntu.

  34. Once we have the root.txt.gpg locally on the Ubuntu box, we can decrypt it with the key under Dave’s home directory. Finally, we got the root flag.
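Steps 27 and 28 only work because the filter in front of Vault treats source port 4444 as a sign of a trusted sender, and a source port is chosen by the client. The following is an added example, not part of the original walkthrough: it audits an `iptables-save` dump for ACCEPT rules of that kind. The use of iptables and the sample ruleset are assumptions constructed for illustration; the page does not show the real rules.

```python
import shlex

# Constructed iptables-save excerpt (assumption; not taken from the Vault host).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 4444 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --sport 53 --dport 987 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT
"""

SPORT_FLAGS = {"--sport", "--source-port", "--sports"}
SRC_FLAGS = {"-s", "--source", "--src-range"}
STATE_FLAGS = {"--state", "--ctstate"}


def sport_trust_findings(ruleset: str):
    """Return (line_no, rule) for ACCEPT rules whose only sender check is a source port."""
    findings = []
    for line_no, line in enumerate(ruleset.splitlines(), start=1):
        if not line.startswith("-A "):
            continue  # table headers, chain policies, COMMIT
        tokens = shlex.split(line)
        try:
            target = tokens[tokens.index("-j") + 1]
        except (ValueError, IndexError):
            continue
        opts = set(tokens)
        if target != "ACCEPT" or not opts & SPORT_FLAGS:
            continue
        # A source address or connection-state match ties the rule to something
        # the sender cannot simply pick; a bare source port does not.
        if opts & SRC_FLAGS or opts & STATE_FLAGS:
            continue
        findings.append((line_no, line))
    return findings


if __name__ == "__main__":
    for line_no, rule in sport_trust_findings(SAMPLE_RULES):
        print(f"line {line_no}: source-port-only ACCEPT: {rule}")
```

Rules flagged this way are better expressed as connection-state matches (replies to traffic the host itself started) or pinned to a source address.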

Wow, what a fantastic box! This involves a lot of enumeration and more: right from directory enumeration to extension fuzzing to hopping to multiple boxes to collect the flags, this box covers it all.
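The extension fuzzing in steps 10 to 12 succeeds when an upload filter rejects only the extensions someone remembered to list. The following is an added example, not code from the article or from the target application: it contrasts a deny-list check with an allow-list check for a logo upload. The deny-list contents, function names and sample bytes are assumptions, since the page does not show the filter.

```python
import os
import secrets

# Assumed deny-list of the kind that lets .php5 through (not taken from the target).
DENYLIST = {"php", "php3", "php4", "phtml"}
# Allow-list for a logo upload: image types only, each with its magic bytes.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8  # constructed sample content


def denylist_accepts(filename: str) -> bool:
    """Weak check: anything not explicitly listed is accepted."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in DENYLIST


def safe_store_name(filename: str, content: bytes):
    """Return a server-generated name for an accepted logo, or None to reject."""
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return None  # no extension, hidden file, or stacked extensions (x.php5.png)
    ext = parts[1]
    if ext not in MAGIC:
        return None  # not an allowed image type
    if not content.startswith(MAGIC[ext]):
        return None  # content does not match the claimed type
    # Never reuse the client-supplied name on disk.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ("logo.php", "logo.php5", "logo.png"):
        print(name, "deny-list accepts:", denylist_accepts(name),
              "| allow-list stores as:", safe_store_name(name, SAMPLE_PNG))
```

Validation like this is one layer; the uploads directory should also be served with script execution disabled, so a file that slips through is never interpreted.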

We will continue our HTB series with more examples of machines very soon.