Hack The Box

Machine Info:

BigBang is a complex Linux (Hard) machine that requires a combination of web exploitation, database enumeration, and privilege escalation techniques.

The machine was running a WordPress site vulnerable to Local File Inclusion (LFI). Leveraging LFI, I exploited CVE-2024-2961 (Cnext Exploit) to gain a reverse shell as www-data.

Upon further enumeration, I discovered database credentials. By port-forwarding the MySQL service, I extracted credentials for a low-privileged user, which allowed me to gain SSH access.

While exploring the system, I found a Grafana database (grafana.db). Using SQLite3, I extracted stored credentials, cracked the hash, and escalated to another low-privileged user.

Further enumeration revealed an APK file. Analyzing the APK led me to discover a subdomain, which I then port-forwarded to access a service. The service was vulnerable to command injection, allowing me to execute arbitrary commands and ultimately obtain root access to the machine.

Enumeration:

Nmap:

┌──(deepak㉿kali)-[~]
└─$ nmap -sC -sV 10.129.187.209 -oA Bigbang
Nmap scan report for 10.129.187.209
Host is up (0.043s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 d4:15:77:1e:82:2b:2f:f1:cc:96:c6:28:c1:86:6b:3f (ECDSA)
|_  256 6c:42:60:7b:ba:ba:67:24:0f:0c:ac:5d:be:92:0c:66 (ED25519)
80/tcp open  http    Apache httpd 2.4.62
|_http-title: Did not follow redirect to http://blog.bigbang.htb/
|_http-server-header: Apache/2.4.62 (Debian)
Service Info: Host: blog.bigbang.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

During my enumeration, I performed an Nmap scan using -sC for default scripts and -sV for version detection on the target 10.129.187.209. The scan revealed two open ports: 22 (SSH) running OpenSSH 8.9p1 on Ubuntu and 80 (HTTP) serving an Apache 2.4.62 web server. The HTTP service redirected to http://blog.bigbang.htb/, indicating a virtual host configuration. Additionally, the Apache server was identified as running on a Debian-based system. This information provides a good starting point for further enumeration, including virtual host enumeration, web directory fuzzing, and potential SSH access attempts.
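Added example, not part of the original write-up: a small Python parser that reads nmap's normal output and reports what the scan above discloses without authentication, namely the open services, the virtual host named in the HTTP redirect, and whether the service banners name different distributions. The function names and the distro list are assumptions made for this example, and the banner-mismatch check is a heuristic (it often points to a container or reverse proxy in front of one of the services), not something the write-up states.

```python
import re

# Constructed sample: service lines from the scan output above (host key fingerprints omitted).
SCAN = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
80/tcp open  http    Apache httpd 2.4.62
|_http-title: Did not follow redirect to http://blog.bigbang.htb/
|_http-server-header: Apache/2.4.62 (Debian)
Service Info: Host: blog.bigbang.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
REDIRECT_RE = re.compile(r"redirect to https?://([^/\s:]+)")
DISTROS = ("Ubuntu", "Debian", "CentOS", "Alpine")  # assumed list, extend as needed

def parse_scan(text):
    """Return open services, each with the script-output lines nmap printed under it."""
    services, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "service": m.group(3), "banner": m.group(4).strip(), "scripts": []}
            services.append(current)
        elif line.startswith("|") and current is not None:
            current["scripts"].append(line.lstrip("|_ ").strip())
    return services

def vhosts(services):
    """Hostnames disclosed through HTTP redirects in script output."""
    lines = [l for s in services for l in s["scripts"]]
    return sorted({h for l in lines for h in REDIRECT_RE.findall(l)})

def distro_hints(services):
    """Map port -> distro names seen in that port's banner or script output."""
    hints = {}
    for s in services:
        text = " ".join([s["banner"], *s["scripts"]])
        hints[s["port"]] = {d for d in DISTROS if d in text}
    return {port: names for port, names in hints.items() if names}

def banners_disagree(hints):
    """True when different ports advertise different distributions."""
    return len({frozenset(v) for v in hints.values()}) > 1

if __name__ == "__main__":
    svc = parse_scan(SCAN)
    print(vhosts(svc), distro_hints(svc), banners_disagree(distro_hints(svc)))
```

On the sample it reports blog.bigbang.htb as the redirect target and flags that port 22 advertises Ubuntu while port 80 advertises Debian.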

⛔ This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.
