HackTheBox - Hawk


01:00 - Begin nmap; discover FTP, Drupal, H2, and that it's Ubuntu Beaver
03:50 - Checking FTP Server for hidden files
04:30 - Examining encrypted file, discovering it is encrypted with OpenSSL and likely a block cipher
08:20 - Creating a bunch of files varying in length to narrow likely ciphers down.
14:35 - Encrypting all of the above files and checking their file sizes
22:45 - Decrypting file, obtaining a password
24:25 - Begin looking at Drupal, running Droopescan
25:12 - Manually examining Drupal, finding a way to enumerate usernames
25:50 - Placing invalid emails in the create-account form is a semi-silent way to enumerate usernames
28:15 - Logging into Drupal with Admin.
29:25 - Gaining code execution by enabling PHP Plugin, then previewing a page with PHP code
32:30 - Reverse Shell Returned
33:25 - Running LinEnum.sh - Discover H2 (Database) runs as root
37:00 - Hunting for passwords in Drupal Configuration
39:25 - Finding database connection settings. SSHing with daniel and the database password (not needed)
40:10 - Doing Local (daniel) and Reverse (www) SSH tunnels to access services on Hawk's loopback. Only one of those is needed; just showing it's possible without daniel
44:30 - Accessing Hawk's H2 Service (8082) via the loopback address
50:00 - Finding the H2 Database Code Execution through Alias Commands, then hunting for a way to login to H2 Console.
51:45 - Logging into H2 by using a non-existent database, then testing code execution
52:50 - Playing with an awesome Reverse Shell Generator (RSG), then accidentally breaking the service.
59:50 - Reverted box, cleaning up environment, then getting reverse shell
01:02:45 - Discovering it was possible to log into the database with the Drupal database creds.

HackTheBox - Hawk Reviewed by Anonymous on December 01, 2018 Rating: 5