Hack the Box: Wall Walkthrough

Today we are going to crack a machine called Wall. It was created by aksar. This is a Capture the Flag type of challenge. This machine is hosted on HackTheBox. Let’s get cracking!!

Penetration Testing Methodology

  • Network Scanning
    • Nmap
  • Enumeration
    • Browsing HTTP Service at port 80
    • Directory Bruteforce using DirBuster
    • Bypass Authentication using Verb Tampering
    • Bruteforcing using hydra
  • Exploitation
    • Detect Remote Command Execution
    • Invoke Reverse Shell using RCE
  • Privilege Escalation
    • Downloading Screen 4.5.0 Exploit
    • Crafting the Payload
    • Compiling the Payload
    • Transferring the Payload
    • Getting Root Shell
  • Reading Root Flag


Network Scanning

To Attack any machine, we need the IP Address. Machines hosted on HackTheBox have a static IP Address.

IP Address:

Now that we have the IP Address, We need to enumerate open ports on the machine. For this, we will be running a nmap scan. To get the most information and fast, we ran the Aggressive Scan.

The Nmap Aggressive scan quickly gave us some great information. It positively informed that the following ports and services are running 22 (SSH), 80(HTTP). Let’s move on to Enumeration Stage.


Let’s start with the Port 80. We ran the browser and opened the IP Address of the Machine. It gave us a default Debian Apache is Working Page.

Its time to do some directory bruteforce on our target. Generally, we use the dirb tool but let’s show some love to DirBuster sometimes as well. Usage is pretty straight-forward. Enter the Target URL, locate the dictionary you want to use for the bruteforce. Here, in this case, we will be using the medium.txt. It can be found in Kali Linux by default. After everything is set, just click Start and kickback.

After working for a while, it gave us one directory called monitoring, Felt to take a look at it.

So, we entered the URL in the Browser and we have ourselves a Login Panel. This is no fun. It does say that “Protected area by the admin”. So we get that username is admin. Easy Part is done. Now, all we got to do is get through this panel.

After trying a bunch of bruteforce techniques, we were not able to get through his login panel. That’s when it hit us, we should try HTTP Verb Tampering. So, we fired up our BurpSuite and captured the request of the /monitoring/ page.

As we observed that there is a GET request being sent to the server. We decided to tamper with it and we changed it to POST. After making this change, we forwarded the request to the server.

Verb Tampering worked and we were redirected to the /centreon/ page. Here we have another Login Form. How lucky! Now we need to bypass this as well.

We tried to bruteforce it using Burpsuite but we were unsuccessful. Then we took a closer look at the source code of the page and found a centreon token that was preventing us from brute-forcing. Then we ran a directory bruteforce on this page. It gave us /api/ page. So we decided to bruteforce the API for the credentials. We looked for the API documentation for Centreon (https://documentation.centreon.com/docs/centreon/en/latest/api/api_rest/index.html) to find the query that can be brute-forced, In the API documentation, we are told to send a POST request to the API. When we did so, we got the message “Bad Credentials”. So we gained enough information for crafting a bruteforce query. We crafted this query to bruteforce with the Hydra Tool.

Here, we started by giving the username “admin”. We got this from the initial login panel. Then we provided the wordlist for bruteforce. Next, we gave the target IP address. Then we provided the type of authentication panel, which is “http-post-form”. Followed by the URL and usernames and password parameters and the response text that could be used to differentiate the valid and invalid credentials. This gave us the credentials:

Username: admin

Password: password1

Now, this panel which we got was not something that we are used to working every day. But being in the penetration testing business we are sure to check out the CVEs for any panel, software or CMS. We did our research and found CVE-2019-17501 https://www.cvedetails.com/cve/CVE-2019-17501/. There was a GitHub link mentioned in the description of this CVE. We browsed it to find ourselves a PoC. On a closer look, the PoC contained a path.

We entered that URL in our Browser. Here we found an Add a Command Form. This contained the Command Input Field. We entered “cat /etc/passwd” here to check if RCE is working. After entering the command we hit that Blue Play button (Highlighted in the Image). This resulted in the opening of a new window with the result of the command we entered. RCE is indeed working. Now let’s get a shell form here.

We decided to use a socat reverse shell. We edited our attacker IP Address into the one-liner and then entered it into the field. Then we clicked the Blue Play button that we used previously for the command to get executed. Before this, we start a netcat listener on the port that we mentioned in this one-liner.

As soon as the command gets executed, we have a shell in the lister we started. Now as a part of our Post Exploitation tasks, we decided to use the find command to look for the SUID files. We found the screen-4.5.0. file as shown in the image given below.

Now we used the searchsploit command to look for the exploit for the screen-4.5.0. We see that we have the exploit by the name 41154.sh. We download this exploit to our attacker machine via searchsploit.

Now, we read the script. It divides itself into 3 files.

File #1: libhax.c

File #2: rootshell.c

File #3: 41154.sh

Each of them consisting the following code. You can download these files from our GitHub.

Now we need to compile the c files to get the object code. We will be using the gcc to compile this file.

After compiling the code we ran a python one-liner to transfer the payload files.

We went back to the session that we have of the target system and downloaded the payload files onto the machine using wget command.

Now, if we read the initial sh files, we know that we need to perform some configurations before actually running the payload.

After these configurations, we ran payload. This gave us a root shell. This can be confirmed using the whoami command. We traverse into the /root directory. Here we found the root flag.

This concludes this machine. This was a pretty lab. We got to use the Screen 4.5.0 privilege escalation technique after quite some time.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. I am writing this article while Working from home. Take care and be Healthy!

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

TBBT: FunWithFlags: Vulnhub Walkthrough


Today, we are going to complete a Capture The Flag challenge hosted on Vulnhub. This lab is based on a popular CBS series: The Big Bang Theory and as I am a huge fan of this show, it’s gonna fun to solve it. This lab is developed by emargkos and you can download it from here. This lab is a combination of capture the flag challenge and boot2root which means we have to find flags and root the lab; seven flags are hidden in the lab.

Penetration Testing Methodology

  • Flag #1: Sheldon
    • Nmap Scan
  • Flag #2: Amy
    • Browsing HTTP Service
    • Directory Bruteforce
    • Enumeration using WPScan
    • Exploiting Vulnerable Plugin
    • Getting Meterpreter
    • Downloading Binary File
    • Reading Flag using Strings
  • Flag #3: Penny
    • Enumerating Directories
    • Decoding Base64
    • Reading Flag
  • Flag #4: Leonard
    • Enumerating Directories
    • Enumerating Crontab
    • Crafting Payload using Msfvenom
    • Uploading Payload
    • Getting Root Shell
    • Reading Flag
  • Flag #5: Bernadette
    • Enumerating Directories
    • Grabbing Database Credentials
    • Enumerating Database
    • Reading Flag
  • Flag #6: Raj
    • Enumerating Directories
    • Grabbing Database Credentials
    • Enumerating Tables
    • Reading Flag
  • Flag #7: Howard
    • Enumerating FTP Service
    • Downloading Locked Archive File
    • Brute-forcing Password using fcrackzip
    • Brute-forcing Password using stegcracker
    • Reading Flag


Flag #1: Sheldon

As DHCP is disabled in this machine, we have ourselves a static IP Address. It is Let’s start pawning the lab, firstly by scanning it and for the scan, we will use nmap with the following command:

Nmap showed us that various ports are open with multiple services running on them. These ports are 21(FTP), 22(SSH), 80(HTTP), 1337. If we look closer at the port 1337, we found our first flag i.e. Sheldon.

Flag #2: Amy

Moving on, we opened the target IP address in the browser and here we found an image as shown below:

Apart from Sheldon’s creepy smile and Penny’s sarcastic bung, all that there was on this page was this image. So, to proceed forward with the directory bruteforce. We used the dirb tool for the same.

Without taking much time, our reliable dirb gave was a directory /music/wordpress/. It is a pretty odd directory to find. But if the machine is based on Big Bang theory then who are we to judge. We decided to browse the URL.

As we got wordpress directory, and the web-page that opened up seems to be made in WordPress. It was only natural to enumerate WordPress. For this task, we decided to use WPScan.

 In no time, we have got ourselves a vulnerable plugin on our hands. It is the world-famous reflex-gallery.

Our experience with this plugin tells us that we have a perfect exploit for this plugin in our Metasploit Framework. Let’s get ourselves a sweet meterpreter.

We got our metepreter in the blink of an eye. Now that we have a shell. We need to enumerate the machine for another flag. We traversed in the home directory of the current user. Here we listed the contents to find ourselves a directory named amy/. First Sheldon then Amy. This is turning out to be a nice path for flags. We enter the amy/ directory and we find 2 files here. We read the text file named notes using the cat command. It tells us that another file named secretdiary is Amy’s diary. But no need to be happy. The notes say that once she is famous she will write secrets in it. Like that’s gonna happen any time sooner. We are told that Amy used a very strong password that cannot be brute-forced. It is 18 digit, alphanumeric, uppercase/lowercase with symbols. How kind of Amy to tell us what the password is made up of. Also, we are told that the program is compiled. That means that it is a binary. We need to figure out another approach towards it. But it is not gonna do any good sitting there. So, we downloaded the secretdiary to our attacker machine.

Now that we have the secretdiary on our hands, we need to figure out a way to get the password to unlock it. As it is a binary file, there must be a location where the password is stored. Since it a text inside a binary file, we need the strings command to read from it.

We can see that we have the password, “[email protected]”. Sorry to say Amy but is not a strong password. I recommend that you change it. But strings command has done more than it was asked. It gave us the amy flag. So, we don’t need to log in.

Flag #3: Penny

We went back to the meterpreter and went back to the home directory. We saw that there were a lot of directories. But we decided we need the Penny flag. So, we traversed into the penny directory. We listed the contents of this directory to find a hidden file called .FLAG.penny.txt. Come on! we wanted it to be tougher. We read the file to find a base64 encoded text.

We copied the encoded text and went back to our attacker machine. Here, we decoded the text using the echo command. It gave us the penny flag. 3 Flags down!!

Flag #4: Leonard

Time to go back to the home directory. Here we traversed into the Leonard directory. Let’s see if Leonard is good at hiding his flag. We listed the contents of this directory to find a script. Interesting! We read the script. There was no script. Typical Leonard. It says that they have a thermostat connected to the IoT device. This means that the script can manipulate the temperature. As we all know that Sheldon needs to keep his thermostat at 71 degrees. This is uncomfortable for Leonard. So, this script will change the temperature to Leonard’s preference every minute. I smell corn!

Time to check the crontab. As suspected, we have this script inside the crontab file. It is scheduled to run every minute.

 If we are not wrong, this might give us root. Let’s wait and watch. Time to craft a raw bash payload using the msfvenom.

We copied the payload on our clipboard and used the echo command to paste the payload inside an empty file having the same name as Leonard’s script.

All that’s left to do is upload this script from our machine to the target machine. As we have a meterpreter this can be done using the upload command.

Before uploading, we started a listener at the port that we mentioned at the time of crafting the payload. Now after we upload the payload, we got to wait a minute for the cronjob to execute the script. In no time we have a session. We used the id command to gain information about the user. We have the root shell. Now for the flag. It was in the current directory. We read the flag using the cat command. We have the message that we can sit on Sheldon’s spot. Dreams do come true!!

Flag #5: Bernadette

But, although we have the root shell, it doesn’t mean that the challenge is over. We need to find other flags as well. We went back to our meterpreter shell and started enumerating. This led us to the /var/www/html/ directory. Here, we found a directory named private. How can we not open it? SO! we saw that we have a bunch of HTML and php files. Among them was the db_config.php file. If our experience servers us right, the config file mostly stores the database password. We decided to take a look. Bazinga!! We have the Database credentials.

User: bigpharmacorp

Pass: weareevil

Word of Wisdom: If you are a Big Pharma Company don’t keep your password weareevil. This would have been our First Guess.

We went back to our root shell that we obtained just a while ago. Here, we ran the python one-liner to convert the shell into a TTY shell. As soon as we got the proper shell. We attacked the Database using the credentials that we dug up. We used the queries to inquire about the databases and tables. Here we found different users, their password and in Bernadette’s description, we have our 5th Flag!!

Flag #6: Raj

Since we got this flag inside the database. It scratched a part of our brain that we might have another database user. Then it hit us that we have wordpress installed. WordPress creates its users. We went on the hunt for that user. We traversed into the directory containing the wordpress. Here we found the wp-config.php. How convenient! We read the file using cat command. We found ourselves some credentials.

User: footprintsonthemoon

Pass: footprintsonthemoon1337

Now, who will keep such a password? It must be our Indian brother Raj!! Let’s get that flag.

 We logged out from the previous database and logged in using the new credentials. We enumerated almost all the tables. But we won’t take you on that painstaking journey. We found something in the wp_post table.

If you read the data form the wp_post table, you will find the Raz flag tucked in between. 

Flag #7: Howard

We enumerated further, but we didn’t get anything new. So we went back to our initial nmap scan. We remembered that we have a port 21 open as well. So let’s login to the FTP. We logged in as Anonymous User. Here we listed the files to find a directory named pub. Now, everyone is in the pub including Amy, Bernadette, Howard, Leonard, Penny, Raj, and Sheldon. They must be here to witness as we capture the last flag. Until now we don’t have any flag from Howard. Let’s check his directory. In this, we have a note file and a compressed archive. We figured that we that the zip file was the to be focused so, we downloaded it using the get command.

The archive was password-protected, so we decided to use fcrackzip on it. We brute-forced using the rockyou.txt. It gave us the password. It was the “astronaut”. Damn! Could have guessed that one. We unzipped the archive to find ourselves an image. Hmm.

It didn’t take much time before we figured out that the flag must be hidden inside the image. We used the stegcracker to bruteforce it using rockyou. It cracked us the password “iloveyoumom”. How very Howardy!! Well, all that left is read the flag from the file that stagcracker created. This gave us the Howard flag!!

This concludes this lab. But can we leave without saying “It all started with the big bang!”.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. Take Care and be Healthy and Keep Hacking!!

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Hack the Box: Postman Walkthrough

Today, we’re sharing another Hack Challenge Walkthrough box: POSTMAN design by The Cyber Geek and the machine is part of the retired lab, so you can connect to the machine using your HTB VPN and then start to solve the CTF.

The level of the Lab is set: Beginner to intermediate.

Task: Capture the user.txt and root.txt flags.

Penetration Methodologies

  • Network Scanning
    • Nmap
  • Enumeration
    • Redis
  • Initial Foothold
    • Access SSH
  • Privilege Escalation
    • Webmin

Network Scanning

As we know the machine IP of the victim, Nmap scans will begin with the identification of open ports and services across them.

We find port 80 open for HTTP from this scanning study, and port 22 open for SSH, too. In addition, I have noticed port 1000 for webmin and the port 6379 for Redis is open.


The Redis security model is: “it’s totally insecure to let untrusted clients access the system, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running”.

You can read more about it from here

Since we saw port 6379 is available for Redis, we try to communicate with this with the help of the Redis client.

We noticed, that Redis is insecure and not AUTH required, so we discovered “.ssh directory” for the Redis as mentioned above, due to unsafe configuration we can transfer any file inside the server.

Further, I generate an ssh key pair using the ssh-keygen command given below:

I have a key and my goal is to place it in the server memory and then move it to a file in such a way that the authorized keys file that results remains valid.

Initial Foothold

As we have uploaded our ssh key into server thus it’s time to connect with a remote machine with the help following command

Here, we notice two things: first there is a user whose name is  “Matt” and a file with name “id_rsa.bak”, let’s find out the path for this file.

So, with the help of find command, we enumerate the path for id_rsa.bak file which lie inside /opt directory.

So id_rsa.bak file is actually the id_rsa private key, I copied it into a text file and saved it as a hash.

Then we have used ssh2john to convert this SSH key into a crackable file with the help of John the ripper and further used the rockyou.txt wordlist for this.

Hmmm!! so we have obtained ssh key “computer2008” for the user Matt.

As we knew that webmin was running over port 10000 thus we navigate to a web browser and explore the URL where we submit above-enumerated creds.

Boom! We logged in successfully and notice the installed version for webmin i.e. 1.910; now we can search for its exploit if available.

With the help of searchsploit, we found a Metasploit module for exploiting remote command execution. This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions. Any user authorized to the “Package Updates” module can execute arbitrary commands with root privileges.

Privilege Escalation

Without wasting time, we loaded the Metasploit module and set the value required to initialize the exploit.

We got the meterpreter session with root privilege, let’s enumerate flags.

Let’s capture both flags user.txt and root.txt from inside the /home/Matt/ and /root respectively.

Conclusion: In this machine, we have learned about two major vulnerability and their exploitation, the first was insure Redis and the other was webmin.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

MuzzyBox: 1: Vulnhub Walkthrough


Today we are going to crack this machine called MuzzyBox. It was created by Muzzy. Duh! This is a Capture the Flag type of challenge. The approach towards solving this machine is a bit different from the standard procedure. It consists of 3 Challenges. Each having a flag of its own. Let’s get cracking!!

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover
    • Nmap
  • Initial Enumeration
    • Browsing HTTP Service at port 80
  • Challenge #1
    • Browsing the HTTP Service at port 3000
    • Downloading the idcard.png template
    • Editing the idcard.png
    • Reading Flag #1
  • Challenge #2
    • Browsing the HTTP Service at port 8989
    • Getting a Python Shell
    • Reading Flag #2
  • Challenge #3
    • Detecting of the Server Side Template Injection
    • Getting shell using tplmap
    • Enumerating the shell
    • Getting SSH session
    • Enumerating ls command
    • Reading Flag #3


Network Scanning

To Attack any machine, we need to detect the IP Address of the Machine. This can be done using netdiscover command. To detect the IP Address, we can co-relate it with the MAC Address of the Machine that can be obtained from the Virtual Machine Configurations Setting. The IP Address of the machine was detected to be:

Now that we have the IP Address, we need to enumerate open ports on the machine. For this, we will be running a nmap scan. To get the most information and fast, we ran the Aggressive Scan.

The Nmap Aggressive scan quickly gave us some great information. It positively informed that the following ports and services are running 22 (SSH), 80(HTTP), 3000(HTTP), 15000(HTTP). So nice of the author of the machine to give us so many HTTP services to explore. Let’s move on to Enumeration Stage.

Initial Enumeration

Let’s start with the traditional HTTP port. Port 80. We ran the browser and opened the IP Address of the Machine. It gave us an Index Page. It consists of a text file named index.txt. That was odd but okay. We moved on further by clicking on that file.

Here we get this nicely crafted introduction of the Lab Environment. This machine has been divided into 3 Challenges. Each containing a flag.

Challenge #1

Let’s Start with Challenge #1. The information about this challenge state that Washington University created an online library. But currently, only Principle is Authorized. The library is hosted on the HTTP service running on port 3000. Also, there is an idcard named image hosted on port 9633. Let’s start with an enumerating port of 3000.

Okay, that’s quite a dull library. But in the end, it is a library. If you go through the introduction text written. You might get to know that the developers of the library have implemented a security measure to prevent unauthorized access. They have used an alternative of SQL DB to secure the database. How nice of them to provide us this sweet information. The process to enter the library is to upload the idcard on this page and then the access is allowed.

The template is provided to us on the port 9633. Let’s take a look at it. Now we know that the principal has access to the library. But what we don’t know is the name of the principal. We will have to figure out a way to get through this.

For starters, we downloaded the idcard.png file to our attacker machine using wget command.

Initially, the introduction on the page at 3000 port told us that the authentication is checked using an alternative of SQLDB. Now if we think about it, if they are not using an SQLDB then the next best alternative is NoSQL. We tried to google some of the NoSQL based payloads that can help us in this situation. We found quite a few. We decided to use this one.

Now we took the idcard.png image that we downloaded and tried to edit it to make it look like the image shown in the screenshot given below. It is quite easy you can use any online tool for the same. We made the following changes.

Now that we have the idcard ready. Let’s upload it. The upload was a success and we have successfully cracked the Challenge #1. This flag is in the form of a PIN. Let’s take note of this, we may need it down the road.

Challenge #2

We move onto the next challenge. After we broke the authentication in the previous challenge, the University developed a new website. How Unnecessary! It is under maintenance. We are asked to list the current directory and read the flag file. It shouldn’t be difficult. The new website is hosted on port 8989. Upon browsing the webpage, we see that it is an error page. While we were casually looking at the errors, we saw that there was a console icon. We hovered over it and got the message that it will “Open an interactive python shell in this frame”. How convenient!

We clicked on the console icon, we are greeted with a pop that tells us to enter a PIN. If we remember correctly from the previous challenge we received the flag in the form of a PIN. Let’s try it to get in.

PIN: 123-456-789

Since it was in “Python Interactive Shell”, we need some python shellcode to pop up a shell over here. We went to the pentestmonkey reverse shell cheat sheet and got the Python Reverse shell. We modified it a little bit to execute it line by line as shown in the given image. We chose the port 5555 for getting the reverse shell and opened the netcat listener for the same. As soon as we execute the last command, we see that we have a shell.

The objective of this challenge was to list the current directory, so we ran the ls command. We found a directory named flag. Inside this directory, we found a script called ctf2.py. We read the contents of this script to get ourselves the second flag.

Again we seem to have a hint in this flag. It tells us to read a file at the home directory of the user webssti.

Challenge #3

Two challenges down. One to go! We went back to the index for the description of the third challenge. It says that when we compromised the machine in the last challenge the root user started to audit the machine. Well, he/she really should do a better job. It wasn’t that difficult to exploit them. We are told that the root user is using sudo and bash with the ls command. This seems interesting. At last, we are told to read the final flag using an “Out-of-Band technique”. This challenge is hosted on the port 15000. We modified the URL to print the Raj name. #PersonalTouch. So what kind of vulnerability is this? Its Elementary, My Dear Watson. It is a Server-Side Template Injection.

For exploiting this vulnerability, we have just the tool. It is called tplmap. It is available on GitHub. To use it we cloned it to our attacker machine. After that, we traversed into this directory to find the python file named tplmap.py. We ran it with the proper parameters for the injection point as well as the -os-shell parameter to pop out a shell.

We got ourselves a shell in no time. We ran the id command to enumerate the user. Back to the previous challenge. We saw that the flag from the previous challenge asks us to read a file in the home directory of this user. We are indeed logged in as the webssti user. We checked the directory using the pwd command as well as listed the current directory contents using the ls command. There was a directory named ssti. We listed its contents to find the no_flag.txt file that we were looking for. We read the file using the cat command. This tells us the ssh username as well as password. Brilliant!!

Time to get that SSH shell. We entered the previously found credentials and got logged in. As the final flag was inside the root folder, we tried to read that flag. But we were unsuccessful.

Time to work our mind to escalate privilege on this shell. We ran the sudo -l command to enumerate but we were unsuccessful. We remembered from the introduction that the root user was using sudo as well as bash with the ls command. So it came us that Path Variable method might work here. We used the echo command to print the path for the ls command. After this, we enumerated which ls command we are running. We found that directory /usr/local/sbin was writable by our user. This means that we can create a file there and name it ls. Then we will be able to execute that file. Let’s do this using the nano command as shown in the image given below.

We used curl command to send a POST request onto our attacker machine with the contents fo the Final Flag. Clever Isn’t it?

Now before we save that file and exit the nano editor, we started the netcat listener on the port 1234. In no time we have the Final Flag.

This was a good set of challenges. I enjoyed it a lot while solving it. The first and second challenge was nice and surely something that you can come across in real life. Also this format of small challenges instead a standard CTF was a fresh approach. I appreciate the author and I look forward to more in this series.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. I am writing this article while working from home. Take Care and be Healthy!

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn