iSpeedNet: A Hack The Box Walkthrough

by Jhon Lennon

Hey guys! Welcome to my detailed walkthrough of the iSpeedNet machine on Hack The Box (HTB). This box, a retired easy-rated machine, is a fantastic learning experience if you're diving into cybersecurity and penetration testing. In this article, we'll walk through the entire process, from initial reconnaissance to gaining root access. We'll explore the vulnerabilities present in iSpeedNet, including those related to web application flaws, exploiting misconfigurations, and privilege escalation techniques. Get ready to dive deep, and let's unravel the secrets of iSpeedNet together. This is a great exercise for anyone looking to build their skills, so buckle up, and let’s get started. I’ll break down each step, making sure even beginners can follow along. Let's make sure you get a good grasp of the whole process. Don't worry if some terms sound complicated at first; I'll explain everything. This is all about learning, so no question is too basic. The purpose of this write-up is to give you a full understanding of the iSpeedNet challenge, so you can do the whole process again and again. You can see how one small issue can be blown up to get full root access. I want you to be able to replicate everything that is in this article. I am sure you can do it. Let’s get to the fun part!

Reconnaissance: Discovering the Landscape

Initial Scan with Nmap

Alright, first things first, we need to gather information. The very first step is always reconnaissance. We begin with an Nmap scan. Nmap is a powerful tool for network discovery and security auditing. It helps us identify open ports, services running on those ports, and even the operating system of the target machine. Here's how we'll kick things off:

nmap -sC -sV -p- 10.10.11.218

Let’s break down that command:

  • -sC: Script scan. This flag runs Nmap's default set of scripts against the target to gather more information. These scripts come from the Nmap Scripting Engine (NSE) and can provide more detailed information about the services.
  • -sV: Service version detection. This flag tells Nmap to determine the version of the services running on the open ports. Knowing the service versions is critical because it helps us identify potential vulnerabilities.
  • -p-: This tells Nmap to scan all ports (0-65535). This ensures we don't miss any open ports.
  • 10.10.11.218: This is the IP address of the iSpeedNet machine on Hack The Box.

The output of this scan will be our roadmap. It will show us which ports are open and what services are running on each. This is where we start building a picture of the target environment. Take a close look at the output of the Nmap scan. You'll likely see a few open ports, each running different services. This is the foundation upon which we will build our attack plan. Make sure you understand the output. If you are not sure of something, then do a quick search. Learning is all about being curious.

Web Application Reconnaissance

Once we have identified the open ports, especially port 80 (HTTP), it's time to dive into web application reconnaissance. This is where we gather information about the web application running on the target. We can use tools like curl or a web browser to explore the website. Check out the source code, too! See if there are any comments or clues that will help us get further into the system.

curl http://10.10.11.218

Using curl, we can see the source code of the website directly in the terminal. The source code might contain important information, like hints about credentials or other internal details.

Also, we can use dirb or gobuster to do a directory and file enumeration. These tools help us find hidden directories and files on the webserver. Finding these hidden files and directories is important because they might give us more information about the website.

gobuster dir -u http://10.10.11.218 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

This command will try to find any hidden directories and files on the webserver using a wordlist.
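Seen from the web server's side, this kind of enumeration shows up as one client requesting many different paths and mostly getting 404 responses. The added example below (not part of the original walkthrough) flags that pattern in access-log lines; the log lines, addresses and thresholds are constructed assumptions, and it looks at the whole log rather than a time window.

```python
import re
from collections import defaultdict

# Matches the start of a "combined" format access-log line: client, request, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def build_sample():
    """Constructed log: one client probing missing paths, one browsing normally."""
    ts = "[10/Oct/2023:13:55:36 +0000]"
    words = ["admin", "backup", "login", "config", "uploads", "test", "old", "dev"]
    lines = [f'198.51.100.7 - - {ts} "GET /{w} HTTP/1.1" 404 153 "-" "-"' for w in words]
    lines.append(f'198.51.100.7 - - {ts} "GET /images HTTP/1.1" 301 178 "-" "-"')
    lines += [f'203.0.113.5 - - {ts} "GET /{p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'
              for p, s in [("", 200), ("index.html", 200), ("favicon.ico", 404)]]
    return lines

def find_enumeration(lines, min_requests=8, min_404_ratio=0.8):
    """Flag clients whose requests are mostly 404s spread over many distinct paths."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, status = m.groups()
        s = stats[ip]
        s["total"] += 1
        s["paths"].add(path)
        s["not_found"] += status == "404"
    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["total"]
        many_paths = len(s["paths"]) >= min_requests
        if s["total"] >= min_requests and many_paths and ratio >= min_404_ratio:
            flagged[ip] = {"requests": s["total"], "ratio_404": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    print(find_enumeration(build_sample()))
```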

Exploitation: Gaining a Foothold

Exploiting the Web Application

Now comes the fun part: exploitation. Based on the reconnaissance phase, you should have identified the different services that are running on the target. This includes the web server, which is usually our first point of entry. It is important to look for well-known vulnerabilities related to the version of the software. Let’s say you have identified that the website is running a certain version of a CMS (Content Management System) that is vulnerable to a specific type of attack. You would want to find the vulnerability and then exploit it. Usually, you can find exploits by searching the internet. It is all about finding the right tools and knowing how to use them.

Password Cracking

Sometimes you can find credentials that get you into the system. They could be in the source code or turn up during directory enumeration. Let’s say that you get a password. Then what? You can use a tool like John the Ripper or Hashcat to crack password hashes. These tools use different techniques to find the original password. They are very useful when you get hold of a user's password hash and want to know what the password is. With the password, you may be able to log in directly or use it to log in to an SSH service.

Privilege Escalation

Once you have gotten access to the system, you will probably be a low-privileged user. This is just a starting point. The real fun begins when you try to escalate your privileges. You need to find a way to become the root user. There are many ways to do this, such as exploiting misconfigurations, kernel exploits, or vulnerable applications. Always look for a way to escalate your privileges, as this is the ultimate goal when you are doing a Hack The Box challenge. There are many resources that you can use to learn about privilege escalation, such as GTFOBins, a website that lists commands that can be used to escalate privileges. Also, always keep an eye on the Linux kernel version. There might be some known exploits.

Foothold: User Access

Web Application Vulnerability

During the web application reconnaissance, we would have identified any vulnerabilities. One common type of vulnerability is SQL injection, where attackers can inject malicious SQL code to manipulate the database. This allows us to access or modify sensitive data. Another common vulnerability is cross-site scripting (XSS), where attackers inject malicious scripts into the web pages viewed by other users. This lets attackers steal users' sessions.

Exploiting the Web Application

Once you have identified the vulnerability in the web application, you need to exploit it. This will get you a foothold into the system. With SQL injection, we can try to inject SQL commands into the input fields to get any data from the database. With XSS, we can inject a malicious script to steal a user’s session. When you are able to log in to the system, you can try to upload files to the system, which will allow you to execute your code on the system.

Gaining Initial Access

After we successfully exploit a vulnerability, we need to gain initial access to the system. This means getting a shell, which is an interactive command-line interface. A shell gives us the ability to execute commands on the target system.

Privilege Escalation: Root Access

Enumerating the System

After we have gotten our shell, it is time to escalate our privileges. First, you need to understand what you can do on the target system. It is important to know the current user and its privileges. We can find information about our user, like the groups that it belongs to and the permissions it has. We can also check the kernel version, which can help us find any exploits. Make sure to keep your eyes open for any misconfigurations. This could be things like weak file permissions, which might allow us to modify critical system files.

Exploiting Misconfigurations

If we have identified any misconfigurations, we can exploit them to gain root access. This could be changing the file permission of the sudoers file so that we can execute commands as root. We can also try to write to a configuration file that would allow us to get a root shell. It is very important to fully understand how the system works.
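The same weak permissions an attacker looks for can be found first with an audit. This added example (not from the original walkthrough) reports critical files that are writable by non-owners, more permissive than expected, or not owned by root; the file list and the expected modes are assumed common Linux defaults.

```python
import os
import stat

# Files whose contents decide who can become root. The expected maximum modes
# are common Linux defaults and an assumption of this example.
CRITICAL = {"/etc/passwd": 0o644, "/etc/shadow": 0o640, "/etc/sudoers": 0o440}

def audit_file(path, max_mode, owner_uid=0):
    """Return findings for one file; an empty list means nothing to report."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)  # permission bits only
    findings = []
    if st.st_uid != owner_uid:
        findings.append("unexpected-owner")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-non-owner")
    if mode & ~max_mode:  # any bit set that the expected mode does not allow
        findings.append("mode-too-permissive")
    return findings

def audit(critical=CRITICAL):
    """Audit every listed file that exists; return {path: findings} for problems."""
    report = {}
    for path, max_mode in critical.items():
        try:
            findings = audit_file(path, max_mode)
        except FileNotFoundError:
            continue  # file not present on this system
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    report = audit()
    for path, findings in report.items():
        print(f"{path}: {', '.join(findings)}")
    if not report:
        print("no findings")
```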

Privilege Escalation Techniques

There are many ways to escalate privileges, such as exploiting the kernel. Kernel exploits are used to get root access by exploiting vulnerabilities in the operating system's kernel. Another one is using vulnerable applications. These applications might have vulnerabilities that can allow us to gain root privileges.

Post-Exploitation: Maintaining Access and Cleaning Up

Maintaining Access

Once we have root access, we want to maintain it. This means making sure we can get back into the system whenever we need to. This can be done by creating a backdoor, which is a way to gain access to the system without authentication. Make sure you understand how the backdoor works. The most common backdoors are SSH keys.

Cleaning Up

After you have completed the challenge, you must clean up your tracks. This includes removing any backdoors, deleting logs, and removing any files you have uploaded. This ensures that you have not left anything behind that could be used by others.

Conclusion: Lessons Learned

Congrats! You've successfully navigated the iSpeedNet Hack The Box machine. From the initial reconnaissance using tools like Nmap and discovering the web application's vulnerabilities to exploiting them and finally gaining root access, you've seen the entire process. Each step of this walkthrough provides invaluable insights into penetration testing methodologies. Remember, it's not just about following the steps. It's about understanding why you're doing them. This journey helps you build a strong foundation for a career in cybersecurity. Keep practicing, keep learning, and you'll be well on your way to becoming a skilled cybersecurity professional. The more you practice, the more you will understand, and the better you will become. Keep up the good work, and keep hacking!