Hackthebox — Dyplesher

Summary

Today we have another retired Linux machine, with IP 10.10.10.190

Enumeration

We have 3 open ports: 22 (ssh), 80 (http), 3000 (…)

I found another host, so I added it to the /etc/hosts file
Open

Try to FUZZ

I found .git, but I couldn’t access it from the browser, so I tried to dump its content using the gitdumb tool

After the dump I found credentials for Memcached in index.php: username felamos, password zxcvbnm and service port 11211
Let’s take a look using memcached-cli

Tried to crack with john

After that I decided to take a look at http://dyplesher.htb:3000, where I registered and logged in

Under felamos we could find gitlab.git and memcached.git
I tried to log in with felamos’s credentials

Let’s download repo.zip and unzip it

I dumped these 4 hashes that end with .bundle in the hash.sh file

After searching I found a user.db file, and it contains a hash

So let’s crack it

Log in again with the new credentials, user: felamos@dyplesher.htb and password: alexis1

Then I found the page “AddPlugin” and tried to add some files to see its response

We can also see that http://test.dyplesher.htb is deployed under /var/www/test/ and is owned by MinatoTW

For the IDE where we’ll write the Minecraft plugin we can either use Eclipse

Use this method to create a blank Spigot plugin

After putting your public key in authorized_keys, upload it at http://dyplesher.htb/home/add and load it at http://dyplesher.htb/home/reload

Now connect via SSH to the MinatoTW account with your key

But I didn’t find the user flag. After searching I found that the user of MinatoTW is wireshark, so we need to download a capture and analyze it
Try to download capture.pcap

I found credentials for some users:

  • MinatoTW : bihys1amFov
  • yuntao : wagthAw4ob / EashAnicOc3Op
  • felamos : tieb0graQueg

Try to get felamos with this password

Gain user flag!

Privilege Escalation

I found that lua is running, so we could use a malicious plugin to get root

Plugin for lua and python script
https://github.com/khanmoin/htb_scripts/tree/master/rabbitmq_dyp

  • Write the lua script on the dyplesher machine with your own id_rsa.pub

  • Write the python script on our device

  • Launch the python server on the dyplesher machine

  • Run the python script

Response

Let’s try to connect

It works!
Gain root flag!

If you learn anything useful from this write-up, respect me on HackTheBox

Thx for ur time!

Ahmed Samir

CTFer | Computer Science Student