HacktheBox — Jerry Writeup

Quick note:

So, Jerry from Hack The Box has been retired, which means that write-ups are allowed. I am fairly new to security and want to get on the offensive side. With this, I’m preparing myself before I take the PWK course to get my OSCP certification.

What is Hack the Box?

Hack The Box is an online platform where you can practice your penetration testing skills and share ideas with other members. Learn more about it here. If you are interested in (ethical) hacking, one way to learn about it is through this site. The machines on the platform are usually called “boxes”.

This box is intended for beginners and is a very simple box, so if you are interested in penetration testing, you can start playing with this one. I will try to explain even the smallest details to clear things up for those who are just starting out. I hope this write-up helps you.

Let’s get started.

Recon: We start with an nmap scan. We invoke:

where:

-sV = service/version detection (fingerprints what is listening on each open port)
-sC = runs nmap's default NSE scripts against the target
-oA = writes the output in all three formats (.nmap, .gnmap and .xml), stored in my nmap directory under the base name initial

Enumeration: Browsing to the website, we land on the home page. I tried clicking through the options available on the page. Exploring a site's functionality helps you understand how it was developed or coded, and it can help you identify possible entry points.

This is common on many websites: some admins do not delete the default pages that ship with the software, and those pages can contain the default credentials. 😞

We were able to login using those credentials.

Initial foothold: After scrolling through the page, we see that we can deploy a directory or a WAR file. A WAR (Web Application Archive) file is simply a JAR-format archive used to package and deploy a Java web application. 🚨

It seems that only .war files are allowed to be uploaded.

One simple bypass is to change the extension of the file name and try to re-upload it. 👌

I simply made a copy of test.txt and named it test.war. Both of them are text files. I tried uploading it and it was successful! ✋

The upload does not check the file's actual content, its header, or any other indicator of what type of file it really is; only the extension is checked. We can see that our test.war is uploaded. We can try uploading a reverse shell so we can access the system.
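To make the weakness concrete from the defender's side, here is an added example (not code from the write-up, and not the deployment server's own validation logic): the extension-only check the text describes, next to a hardened check that also verifies the upload is a real ZIP container and carries the WEB-INF/ directory a deployable WAR must have. The sample WAR is built in memory by the block itself; file names and contents are constructed for the example.

```python
import io
import zipfile

# Weak check, as the page describes: only the file name's extension is inspected,
# so a text file renamed to .war passes.
def is_allowed_by_extension(filename: str) -> bool:
    return filename.lower().endswith(".war")


ZIP_LOCAL_HEADER = b"PK\x03\x04"   # magic bytes of a non-empty ZIP/JAR/WAR


def is_valid_war(filename: str, data: bytes) -> bool:
    """Hardened check: extension AND container format AND expected layout."""
    if not is_allowed_by_extension(filename):
        return False
    # cheap header check before handing the bytes to a parser
    if not data.startswith(ZIP_LOCAL_HEADER):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:        # corrupt member
                return False
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    # a deployable WAR keeps its descriptor and code under WEB-INF/
    return any(n.startswith("WEB-INF/") for n in names)


def build_archive(members: dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {name: text}; used to construct sample WARs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


def build_sample_war() -> bytes:
    # constructed minimal WAR layout: a descriptor under WEB-INF/ plus one page
    return build_archive({"WEB-INF/web.xml": "<web-app/>", "index.jsp": "hello"})


if __name__ == "__main__":
    renamed_text = b"this is just a text file"
    print("test.war (renamed text) extension check:", is_allowed_by_extension("test.war"))
    print("test.war (renamed text) hardened check:", is_valid_war("test.war", renamed_text))
    print("app.war (real archive) hardened check:", is_valid_war("app.war", build_sample_war()))
```

Note that passing the hardened check does not make an upload safe: a well-formed WAR is, by definition, code the server will run. Content validation only stops the trivial rename trick; the actual control is not exposing the deployment interface with default credentials, and limiting who holds the deploy role.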

What is a reverse shell?

According to the Infosec Institute, a reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener on a port on which it receives the connection, and through that connection code or command execution is achieved.

We create our payload using the command:

where:

LHOST = the IP address the reverse shell connects back to (the machine running our listener)
LPORT = the port the reverse shell connects back to (the port our listener is on)
-f = output file format

where:

-l = listen mode
-p = local port to listen on
-n = do not perform DNS lookups; saves time and lessens false positives
-v = verbose output, more detail

sif0

Penetration Tester | Aspiring Red Team Operator 🇵🇭