Hack the Box: Mischief Walkthrough

Today we are going to solve another CTF challenge “Mischief”. Mischief is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to their experience; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Penetration Methodologies

Scanning Network

  • TCP and UDP ports scanning (Nmap)

Enumeration

  • SNMP Service Enumeration (Nmap Script)
  • Obtain credential for port 3366 login
  • Identify IPv6 address (ENYX)
  • Scanning Ipv6 (Nmap)

Access Victim’s Shell

  • Abusing web server through Command Execution Panel
  • Obtain reverse Shell via ncat
  • Get user.txt flag

Privilege Escalation

  • Obtain root password from bash_history
  • Find root.txt flag

Scanning Network

Note: Since these labs are online available therefore they have a static IP. The IP of this lab is 10.10.10.92

Let’s start off with our nmap Aggressive scan to find out the open ports and services.

But as you can observe that here we didn’t obtain much information, therefore further I scan for UDP port and from its result we got port 161 is open for SNMP.

Enumeration

Because we was knowing SNMP service is enable in the network, therefore I run nmap script command for snmp enumeration.

Hmmm!! So here I found something very interesting and it looks like the login credential to be use as authentication for port 3366.

Let’s navigate to port 3366 in the web browser and enter the following credential.

Here, we were welcomed by following web page where it was holding another credential. Let’s dig out another way to utilize this credential for login.

We use a python script called Enyx to find the ipv6 address of the target machine. You can get the script from this link.

So as you can observe that we have enumerated IPv6 address of victim’s machine and further scan it using nmap command given below:

Hmmm!! So along with Port 22, this time it has also shown port 80 for HTTP services.

So we navigate to web browser and explore Target IPv6 address in the URL, it put a login page for command execution panel. So we try to login this page with the credential we found earlier but that wasn’t the valid credential.

Access Victim’s Shell

 

Further I try brute force for username and successfully get login with following combination:

Since it was Command Execution Panel where we can run arbitrary system commands, hence this was RCE which could be easily exploit and we can owned reverse shell of the target machine.

But before that, you must know Ipv6 address of your local machine for addressing your IP as listening IP.

For reverse shell, I use python reverse shell code from pentestmonkey, and modify lhost IP from our IPv6 address. Since it was both nodes belong to IPv6, therefore we need a listener which can establish reverse connection such as ncat, hence we start ncat listener on port 1234.

As soon we will execute the malicious python code, we will get reverse connection via ncat.

Great!! You can observe that, we have access of remote terminal and let’s try to find out user.txt file to complete our first task. We found the user.txt file in the /home/loki but unable to read it. Although, there was another interesting file “credentials” and here we found another credential.

As port 22 was running, therefore we connect to remote machine through ssh using following credential.

And successfully found user.txt file this time as shown below.

Privilege Escalation

While exploring more, I found .bash_history file where I found one more credential for root user but loki doesn’t have permission to execute switch user command.

Therefore, we move back to www-data user shell to run switch user command and enter above password for root login, then try to find out root.txt file inside the root directory but there wasn’t any flag. Therefore with the help of find command we try to enumerate the path of root.txt.

Booom!! We got the path of the root.txt file and as you can observe that we have successfully captured the last flag and finished this challenge.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *