< Back to All

Hack The Box: Lazy

Lazy - 10.10.10.18

Target enumeration:

OS: Linux

IP: 10.10.10.18

User: d558e7924bdfe31266ec96b007dc63fc

Root: 990b142c3cefd46a5e7d61f678d45515

Ports / Services / Software versions running

22/tcp open  ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)

80/tcp open  http Apache httpd 2.4.7 ((Ubuntu))

Vulnerability exploited:

Authentication bypass to gain access to web application

Privilege escalation:

Executable file with weak permissions

Exploiting the host:

Nmap

Visiting the web application

Cant create an admin user as already exists

Create a new user with the name admin= and we discover an ssh key.

Download key with wget and change permissions then login with the ssh key

Unusual file called backup in home dir which reads the /etc/shadow file

Strings shows us it uses cat

Create a file called cat in the home dir with the contents:

#!/bin/bash

/bin/sh

Make it executable with

chmod 777 cat

Export the path to the users home dir so it picks up the malicious file cat first.

Execute the file to get root.