Hackthebox — OpenSource Walkthrough

Atalay Samet Ergen
5 min read · Oct 8, 2022

Run an nmap scan to see which ports are open and which services are running on those ports.

  • -sC: run default nmap scripts
  • -sV: detect service versions

The result shows that three ports are open.

  • Port 22 running SSH
  • Port 80 running HTTP
  • Port 3000 running HTTP (filtered)

Visit the HTTP service.

Enumerate these two buttons below. Let’s click “Download” first.

We download the source code and will review it later.

The other button, “Take me there”, brings us to a file upload service.

Let’s look at its source code.

Create a file called test.

Intercept the traffic.

Change the path that the file will be uploaded to, change the Content-Type to text/x-python, and add the execution function to the content of the file.

Upload the file.

The file uploaded successfully, but the first try looks like it failed.

Let’s generate a reverse shell payload and try it out again.

PS: Do not forget URL encoding.

Netcat is ready on port 9999.

Execute the payload.

We successfully get the reverse shell back.

Nothing here.

A quick search shows us that we are in a Docker container.

The container IP is 172.17.0.6 and the host IP is 172.17.0.1.

The nmap scan showed us that port 3000 was filtered. We can reach it by using a reverse SOCKS proxy. To do so, we use Chisel.

Download the binaries to our machine and run the chisel server.

Add 127.0.0.1:1080 to the proxychains config.

For the target side, create a Python HTTP server on port 9003 and get chisel with wget.

Run chisel on the target machine.

Edit the SOCKS proxy settings in Firefox to access the HTTP service on port 3000.

Afterwards, we visit the page successfully.

Now there are “Register” and “Sign In” options. The Register option did not work out. How about Sign In? We do not have any credentials so far.

We have the source code that we downloaded before. Let’s review it.

First, switch to the dev branch.

See the details.

Get the credentials by checking the difference between the first commit and the second commit.

Let’s log in.

Check the home-backup repository.

There is a .ssh folder, which catches our attention.

Awesome! We have the private key.

We successfully SSH into the box using the private key.

We capture the user flag.

Download pspy.

We see that a git commit is being run regularly.

The article from Atlassian explains how we can use hooks to get code execution. We can use the pre-commit file to execute commands before the commit is done.

Generate the reverse shell payload and put it into a file called pre-commit in the dev01 user’s .git/hooks folder, while we are listening on port 9898 on our machine.
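A defender-side check for the same mechanism, as an added example that is not from the original post: this Python script audits a repository’s .git/hooks directory for live hooks (known hook names with the execute bit set; git ignores the shipped *.sample files) and flags any that users other than the owner can modify, which is the condition a privileged scheduled git commit in a user-owned repository depends on. The repository layout it scans is constructed inline, so no git binary is needed.

```python
import os
import stat
import tempfile

# Hook names git runs on its own; a live file with one of these names under
# .git/hooks executes as whoever runs the git command (root, for a root cron job).
HOOK_NAMES = {"pre-commit", "prepare-commit-msg", "commit-msg", "post-commit",
              "pre-push", "pre-rebase", "post-checkout", "post-merge",
              "pre-receive", "update", "post-receive", "post-update"}

def audit_hooks(repo_dir):
    """List live hooks in repo_dir/.git/hooks.

    A hook is live only when its name matches a known hook and the file is
    executable. Each finding notes whether someone other than the owner can
    modify it, which lets a low-privileged user hijack a privileged commit."""
    hooks_dir = os.path.join(repo_dir, ".git", "hooks")
    findings = []
    if not os.path.isdir(hooks_dir):
        return findings
    for name in sorted(os.listdir(hooks_dir)):
        path = os.path.join(hooks_dir, name)
        if name not in HOOK_NAMES or not os.path.isfile(path):
            continue
        mode = os.stat(path).st_mode
        if not mode & stat.S_IXUSR:  # no execute bit: git will not run it
            continue
        with open(path, "rb") as fh:
            shebang = fh.readline().decode(errors="replace").strip()
        findings.append({"hook": name, "path": path, "shebang": shebang,
                         "writable_by_others": bool(mode & (stat.S_IWGRP | stat.S_IWOTH))})
    return findings

def build_sample_repo():
    """Constructed repo layout (no git needed) with one live, group-writable hook."""
    repo = tempfile.mkdtemp(prefix="hookaudit-")
    hooks = os.path.join(repo, ".git", "hooks")
    os.makedirs(hooks)
    with open(os.path.join(hooks, "pre-commit.sample"), "w") as fh:
        fh.write("#!/bin/sh\n# shipped by git, inactive\n")
    live = os.path.join(hooks, "pre-commit")
    with open(live, "w") as fh:
        fh.write("#!/bin/sh\necho 'constructed hook'\n")
    os.chmod(live, 0o775)  # executable, and writable by the group
    return repo

if __name__ == "__main__":
    for finding in audit_hooks(build_sample_repo()):
        print(finding)
```

Run it against a real checkout with `audit_hooks("/path/to/repo")`; any finding with `writable_by_others` set in a repository that a privileged job commits to is worth fixing.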

After a while, we successfully get our shell back as user root.

Finally, capture the root flag.

Thank you for your time.

Originally published at http://atalaysblog.wordpress.com on October 8, 2022.
