Chainsaw

Starting the Discussion

Hack The Box


Comments

  • Got the files! Now what... :astonished:


    Hack The Box
    defarbs.com - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'"

  • Decoded bytecode... Not sure what I'm looking at apart from a whole world of pain I'm about to open myself up to.

  • edited June 16

    any nudge on decoding the bytecode? I feel like it's a contract bytecode, need to study more about solidity it seems!

  • You really don’t need to decode the bytecode. You got the contract source code. Now pay attention to the contract name and maybe think what the underlying process might do.

  • To see the underlying code, don't we need to decode the bytecode? Or are you suggesting we assume the underlying code by couple of getter and setter functions? Anyways, even though I decoded the bytecode it doesn't seem to be of any use since it looks like a mix of Assembly and JS.

    @lyak said:
    You really don’t need to decode the bytecode. You got the contract source code. Now pay attention to the contract name and maybe think what the underlying process might do.

  • Anyone else found that high port 9*** that only responds to a certain type of http requests? I'm not sure what options I have to enumerate further.

  • edited June 16

    Gives 400 on all types of req.

    B0rN2R00T

  • Sometimes it responds with a 200, but I'm not sure if that's a rabbit hole or not...
    Might try another option..

  • Some people have written to me, but I’ll answer here. I’m currently root on the machine, but there’s a last step.

    I suggest you read up on smart contracts. It really doesn’t matter if you deploy your own in this scenario. The idea is to get a shell, remember that. So look at the name of the smart contract and think how that would be possible, then look at the options for the smart contract that you’ve got. The smart contract is all you see, but a process running on the computer is watching what happens with the smart contract, try to exploit that. Read up on web3.
  • edited June 17

    @lyak said:

    Some people have written to me, but I’ll answer here. I’m currently root on the machine, but there’s a last step.

    I suggest you read up on smart contracts. It really doesn’t matter if you deploy your own in this scenario. The idea is to get a shell, remember that. So look at the name of the smart contract and think how that would be possible, then look at the options for the smart contract that you’ve got. The smart contract is all you see, but a process running on the computer is watching what happens with the smart contract, try to exploit that. Read up on web3.

    Is this a hint for starting out? Or is it for escalating from user to root? Just wondering.

    edit: got shell from this hint, followed by user after a couple of steps, thanks lyak!

    edit 2: useful link http://www.dappuniversity.com/articles/web3-js-intro

  • edited June 16
    Starting out
  • Well, I can communicate with the server, I can issue 'set' and 'get', I can get a receipt, but I have no idea how to exploit this. Is there any advanced knowledge of the technology needed?

  • No advanced knowledge necessary, the vulnerability itself is rather vanilla. The platform upon which the vulnerability lives is not vanilla though, took me an hour or so of reading to really understand what it was and how to use it. As @lyak said, reading a few tutorials on smart contracts should give you a good idea of what to do for user.

  • @lyak said:

    Some people have written to me, but I’ll answer here. I’m currently root on the machine, but there’s a last step.

    I suggest you read up on smart contracts. It really doesn’t matter if you deploy your own in this scenario. The idea is to get a shell, remember that. So look at the name of the smart contract and think how that would be possible, then look at the options for the smart contract that you’ve got. The smart contract is all you see, but a process running on the computer is watching what happens with the smart contract, try to exploit that. Read up on web3.

    Thank you @lyak for this phenomenal hint. I was trapped for a long time. Kudos to you and +1.


    Hack The Box
    defarbs.com - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'"

  • Don't kill and restart certain processes. They don't re-instantiate and you end up with unusable services.

    Xentropy
    Null | Nada- | Zip | Diddly | Zilch+

  • Question to those who got user:
    I can pop a shell using a pretty basic technique (even though the path of delivery is quite different and took me a while to figure out, because I never worked with that kind of technology which in my book is placed in the chapter "Hipster techno-BS") as "some very well known username". Is the user flag supposed to be there or do I first need to pwn another user on the system? If so, is the user I need to pwn referred to by name in a very popular xkcd about a very popular attack technique? ;)


  • edited June 16

    @Xentropy said:
    Don't kill and restart certain processes. They don't re-instantiate and you end up with unusable services.

    Obviously -- one should be careful when engaging with a target, there is no 'reset' button IRL.

    artikrh

  • @darkkilla said:

    Question to those who got user:
    I can pop a shell using a pretty basic technique (even though the path of delivery is quite different and took me a while to figure out, because I never worked with that kind of technology which in my book is placed in the chapter "Hipster techno-BS") as "some very well known username". Is the user flag supposed to be there or do I first need to pwn another user on the system? If so, is the user I need to pwn referred to by name in a very popular xkcd about a very popular attack technique? ;)

    I'm sure no one deleted the user.txt file :)

  • Well, hours ago I found some weird script in the a*****.. user home subfolder, along with some leftover files that are useless without a counterpart. Tried executing the script to see if maybe something shows up in pspy. Tried placing a logger inside that script, but pspy shows no activity on the system that would suggest cron jobs touching this stuff. But maybe this thing is just there to troll. I also found the high thing, redirected it and poked it with the stick I used to get the initial foothold, but to no avail. A popular enumeration script also didn't help a lot. All I have left is a list of usernames to try, but I hate trying to guess their passwords (as this imho totally isn't what HTB should be about - "who has the fastest gear to crack stuff?" etc.), probably won't work anyway. If the high thing is running some contract, I haven't been able to find its source or even only bytecode. Also I found that the things are spawned by some high-level daemon which uses the name of Novell NetWare's default administrator account, and I found the definitions in the configuration dir of that daemon. So where should I poke this weird thing next to get even something like a general direction for user? As of now this is like trying to catch a shadow inside a completely dark room...


  • @darkkilla you have everything you need in the user’s folder

  • @lyak said:

    @darkkilla you have everything you need in the user’s folder

    Are you referring to something from outer space with 4 letters in it? I was blind... lol


  • Anyone have any advice on how to "mine deeper"?

  • @darkkilla said:

    @lyak said:

    @darkkilla you have everything you need in the user’s folder

    Are you referring to something from outer space with 4 letters in it? I was blind... lol

    You bet he is, you are on the right track

  • edited June 18

    Anyone have a hint on initial foothold? I've connected to *810 a few different ways, one through Re*** IDE, through G**h. Read up on W**3 and all the commands but I can't seem to make anything happen up there worth mentioning.

    Update: Make sure the address has not changed!

  • Yeah, same for me. It's one thing to learn a new concept in a day, and completely another thing to find a working exploit on it. Day 2 onwards!

    @frankx said:
    Anyone have a hint on initial foothold? I've connected to *810 a few different ways, one through Re*** IDE, through G**h. Read up on W**3 and all the commands but I can't seem to make anything happen up there worth mentioning.

  • Well, I am still blind as a bat I guess. I dumped the contents of the thing from outer space (and also I copied everything I had read access to onto my local machine... basically rsyncing the "whole" machine... still working on a way to remove everything from that ton of files/folders that is native / unmodified to the real OS and sifting through the remaining stuff), found the counterparts to the files found somewhere else, but the counterparts are encrypted. I can't seem to find the place where I should get the passphrase from... again, I definitely don't want to try and throw wordlists at the files... which would be a last resort. There are files in /tmp I tried reading, but from what I saw they got created while getting the initial foothold when sending transactions. So far this machine has been my Kryptonite. The only thing I could imagine would be using some sort of "ID" to get data from the two services, but then again: the one service apparently has only the first block with nothing of value in it, and the other one only has stuff which is related to my own activities. I also found something listening on UDP on a particular port, but I think it's related to the outer space thingy... which would mean that anything I could find on that port would somehow also be present in the files.


  • edited June 17

    @darkkilla said:
    Well, I am still blind as a bat I guess. I dumped the contents of the thing from outer space (and also I copied everything I had read access to onto my local machine... basically rsyncing the "whole" machine... still working on a way to remove everything from that ton of files/folders that is native / unmodified to the real OS and sifting through the remaining stuff), found the counterparts to the files found somewhere else, but the counterparts are encrypted. I can't seem to find the place where I should get the passphrase from... again, I definitely don't want to try and throw wordlists at the files... which would be a last resort. There are files in /tmp I tried reading, but from what I saw they got created while getting the initial foothold when sending transactions. So far this machine has been my Kryptonite. The only thing I could imagine would be using some sort of "ID" to get data from the two services, but then again: the one service apparently has only the first block with nothing of value in it, and the other one only has stuff which is related to my own activities. I also found something listening on UDP on a particular port, but I think it's related to the outer space thingy... which would mean that anything I could find on that port would somehow also be present in the files.

    Sometimes it has to be:

    But you sound like you are definitely on the right track.

  • edited June 17

    Rooted! What a fun box! Every step taught me something I haven't gotten to do on HTB before. :D

    User: Just use what's in front of you.
    Root: It's still in front of you, but it's no longer related to previous steps. :)

    (There's another step after getting the root account. I'm referring to getting user.txt and root.txt files, not getting a user account or getting a root account.)

    Xentropy
    Null | Nada- | Zip | Diddly | Zilch+

  • Any hints for that final step? That is where I am up to; not sure where/how to 'mine deeper', so to speak.
    Thanks in advance
