In two weeks, our cybersecurity team is gearing up for a competition at Stanford. To prepare for this, we typically convene in the basement of Kobe Mini Mart. Kobe is our choice because it's a small store with less scrutiny on its Wi-Fi activity, especially when we're engaged in mildly suspicious activities. To be clear, what we're doing isn't illegal or harmful, but it involves tools that are commonly associated with alarming activities.
One of the best ways to prepare for these competitions is by using Hack The Box penetration testing labs. One of the main focuses of these challenges is privilege escalation. This is when you enter a system as a user, and slowly become a privliged user, and admin, and then work your way up to root. On the particular challenge I was assigned by the club president, my solution methodology was the following:
First, I utilized a tool called dirbuster to identify all the pages on the target website. For instance, if there's a webpage called "bar.html" on a site like http://www.foo.com, you can navigate to it by typing http://www.foo.com/bar.html. Sometimes, website designers want users to access these pages and place a direct link on the main page. Other times, these pages serve as backups in case the website goes down or store information mainly useful to the programmer, not the user. Dirbuster is a valuable tool in such cases because it scans for common extensions and checks for their existence. In my case, it uncovered a /backup folder containing files like index.php and photos.php. This told me two important things: the website's backend was written in PHP, and it likely had similar files in the main folder. So, I navigated to the main folder, added /index.php, and sure enough there was a file!
So, this web server allowed us to upload files, which makes it relatively easy to exploit. All we needed to do was upload a file that serves as a backdoor. Typically, finding a file involves navigating to the photos folder and adding /your_photo_name.jpg to view it. In our case, we injected a web shell, allowing us to run commands through that page. I used a simple web shell that Kevin had written and added a .gif extension to make the site think it was a GIF file. This allowed me to upload it, and when I visited the uploads folder, I gained access to a web shell to manipulate the web server. While exploring the server, I discovered a user named Guly, who had user privileges. My teammates wrote a script to log us in as Guly. There was a Guly-level script that executed commands. I used this script to upload a reverse shell into Guly's folder, enabling me to run commands through my command line on the website.
This experience helped me achieve my first successful server hack. With root access, the possibilities are nearly limitless. In our case, we could modify a script running every three minutes, essentially with root privileges. We used command injection to insert the 'sudo bash' command, allowing us to execute commands directly from the root directory. I'm hoping to continue learning and improving in time for the upcoming competition.
May you be ever victorious in your future endeavors!