# Hack The Box - Ghoul

## Quick Summary

Hey guys, today Ghoul retired and here’s my write-up about it. It was a very hard box with a lot of rabbit holes, tons of enumeration and a lot of pivoting. However I enjoyed most parts of the box and learned some new stuff. It’s a Linux box and its IP is 10.10.10.101; I added it to /etc/hosts as ghoul.htb. Let’s jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services :

We got two SSH ports (22 and 2222) and two HTTP ports (80 and 8080). Let’s check the first HTTP port.

## Initial Web Enumeration

By going to http://ghoul.htb we see a basic static website with nothing really interesting :

So I ran gobuster with the extensions php and html :

/secret.php and /users look interesting.
/secret.php :

Of course this user flag was just a troll, but there are two interesting things here. The first is Noro asking Kaneki for access and Kaneki replying with ILoveTouka, which looks like a password. The other is the fake art site Kaneki talks about, which is probably the site running on port 8080.
/users :

ILoveTouka didn’t work as a password, so I brute-forced the login with the username admin and got the password (abcdef) :

However this was just another troll :

I couldn’t find anything else on port 80 so I checked port 8080. It had basic http authentication :

But it was easily guessable, admin : admin :

This is the fake art website Kaneki was talking about, and we can upload images. But we can also upload zip archives :

## Arbitrary File Write (Zip Slip) -> RCE

The ability to upload zip archives can lead to a vulnerability known as zip slip. It happens when an archive contains entries whose names carry directory traversal sequences (../). If the extraction code does not sanitize those names, it writes each extracted file to whatever path the name points at, outside the intended directory.
We need to put a shell in /var/www/html, so I copied simple-backdoor.php to /var/www/html on my machine and then added it to a zip archive with a lot of ../ in front of the file path :

This is the easiest way to do it. If you open the archive with vi you’ll see the entry name :

When this zip is extracted on the machine it will put shell.php in /var/www/html.
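The defensive side of the zip slip described above, as an added example that is not part of the original write-up and not the target’s upload code: a small extractor that canonicalises every entry name before writing and refuses the whole archive if any entry would land outside the destination. The archive it checks is constructed in memory for the demonstration; the entry names and the `evil.php` placeholder are assumptions, not files from the box.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive(include_traversal=True):
    """Build a constructed test archive in memory (not the archive from the write-up).

    With include_traversal=True it carries two entries whose names climb out of the
    extraction directory, which is exactly the shape of a zip-slip upload.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/cat.png", b"\x89PNG placeholder bytes")
        if include_traversal:
            zf.writestr("../../../../var/www/html/evil.php", b"placeholder")
            zf.writestr("../../etc/passwd", b"placeholder")
    return buf.getvalue()


def is_safe_member(dest_dir, member_name):
    """True only if dest_dir/member_name resolves to a path inside dest_dir.

    realpath() collapses "..", follows symlinks and absolutises both sides, so the
    comparison is made on canonical paths rather than on the raw entry string.
    """
    if not member_name or os.path.isabs(member_name) or "\\" in member_name:
        return False
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, member_name))
    return os.path.commonpath([dest_root, target]) == dest_root


def find_traversal_members(zip_bytes, dest_dir):
    """Names of every entry that would be written outside dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if not is_safe_member(dest_dir, name)]


def safe_extract(zip_bytes, dest_dir):
    """Validate every entry first; refuse the whole archive if any entry is bad."""
    bad = find_traversal_members(zip_bytes, dest_dir)
    if bad:
        raise ValueError("zip slip attempt, archive refused: " + ", ".join(bad))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def demo():
    """Run both archives against a scratch directory and return what a caller observes."""
    dest = tempfile.mkdtemp()
    bad = find_traversal_members(build_sample_archive(), dest)
    try:
        safe_extract(build_sample_archive(), dest)
        refused = False
    except ValueError:
        refused = True
    extracted = safe_extract(build_sample_archive(include_traversal=False), dest)
    return bad, refused, extracted


if __name__ == "__main__":
    print(demo())
```

Python’s own `zipfile` already strips `..` components when extracting, so this check is mostly about making the policy explicit and failing loudly instead of silently renaming entries; in other languages’ archive libraries (the Java ones where zip slip was first widely reported) nothing rewrites the name for you, and a check like `is_safe_member` is the whole defence. Rejecting the complete archive rather than skipping bad entries also gives you a clean log line to alert on.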

The shell was successfully uploaded :

Now we can simply get a reverse shell. The usual nc shell didn’t work because nc wasn’t installed on the box, so I used php instead :

## Privilege Escalation on Aogiri, User Flag

First thing I did after getting a shell was to get a stable shell :

Then I checked /home, but www-data couldn’t access any of the directories :

So I had to escalate. By looking at the shell I uploaded I saw that it had been created by root, which means the extraction runs as root :

So I tried to use the zip slip again, this time to overwrite /etc/passwd. First I had to create the passwd file, so I copied the one from the box :

I used openssl to generate the hash of the password (AAAA) :

Then I added a new user called rooot with the uid 0 to the passwd file :

After that I created the zip file like I did before :

Now we can do su rooot and use AAAA as a password :
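What the overwrite above leaves behind, and how a defender would catch it, as an added example that is not part of the original write-up: a small audit of passwd-format text that flags extra uid-0 accounts, password hashes stored in /etc/passwd instead of /etc/shadow, empty password fields and malformed lines, plus a snapshot diff of the kind a file-integrity monitor would raise. The sample file and the placeholder hash are constructed; the only thing taken from the page is the shape of the trick (a second uid-0 user whose hash sits in passwd).

```python
# Constructed sample of an /etc/passwd after the overwrite described above: a second
# uid-0 account whose (placeholder) hash sits in passwd itself instead of /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
kaneki:x:1000:1000::/home/kaneki:/bin/bash
rooot:$1$placeholder$NOTaREALhashJUSTaCONSTRUCTEDone:0:0::/root:/bin/bash
"""

# The same file before the overwrite, used as the baseline for diff_passwd().
BASELINE_PASSWD = "\n".join(SAMPLE_PASSWD.splitlines()[:4]) + "\n"

# Values in field 2 that mean "no hash stored here" (shadowed or locked account).
NO_HASH_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Parse passwd-format text into dicts; malformed lines are kept and flagged, not dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "name": line, "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell, "malformed": False})
    return entries


def audit_passwd(text):
    """Return (kind, line, account) findings for what the uid-0 trick leaves behind."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append(("malformed-line", e["line"], e["name"]))
            continue
        if not e["uid"].isdigit():
            findings.append(("non-numeric-uid", e["line"], e["name"]))
        elif int(e["uid"]) == 0 and e["name"] != "root":   # int() also catches "0000"
            findings.append(("extra-uid0", e["line"], e["name"]))
        if e["pw"] == "":
            findings.append(("empty-password", e["line"], e["name"]))
        elif e["pw"] not in NO_HASH_MARKERS:
            findings.append(("hash-in-passwd", e["line"], e["name"]))
    return findings


def diff_passwd(baseline_text, current_text):
    """Compare two snapshots by account name: added, removed and changed entries."""
    base = {e["name"]: e for e in parse_passwd(baseline_text) if not e["malformed"]}
    cur = {e["name"]: e for e in parse_passwd(current_text) if not e["malformed"]}

    def without_line(entry):
        return {k: v for k, v in entry.items() if k != "line"}

    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(n for n in set(cur) & set(base)
                          if without_line(cur[n]) != without_line(base[n])),
    }


if __name__ == "__main__":
    print(audit_passwd(SAMPLE_PASSWD))
    print(diff_passwd(BASELINE_PASSWD, SAMPLE_PASSWD))
```

The two checks complement each other: the audit catches the symptom on any single snapshot (a hash in passwd is a strong signal on a modern system, since everything legitimate lives in /etc/shadow), while the diff catches the event itself when you keep a known-good copy. On the box, the real fix is upstream: the extractor should never run as root, and it should reject traversal entries before writing anything.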

And I could get the user flag from /home/kaneki :

We owned user.

## Enumeration, Pivoting from Aogiri to kaneki-pc

After getting root I couldn’t find the root flag :

So I started to enumerate the home directories, web and configuration files.
Every user had some notes (hints) in their home directory :
Eto :

kaneki :

noro :

I could also get ssh info for the 3 users :

In kaneki’s authorized_keys there was a public key for kaneki_pub@kaneki-pc. With that and the hints about kaneki’s PC and the other file server it was obvious that we need to pivot to another host. But before that I could find some passwords in /var/www/html/users/login.php :

And in /usr/share/tomcat7/conf/tomcat-users.xml :

123456, password123 and test@aogiri123. Maybe we’ll need them later.
I checked the other interfaces :

Aogiri’s IP on eth0 is 172.20.0.10. We need to know what other hosts are live on that subnet, so we will do a simple ping sweep :

We got 172.20.0.150, so we need to scan it for open ports. Neither nmap nor nc was installed, so I got a static build of nc and uploaded it :

I scanned the first 1000 ports and ssh was open :

Assuming that 172.20.0.150 is kaneki-pc, we can use kaneki’s private key to ssh as kaneki_pub. But there was a problem: the key is encrypted :

I tried to crack the key but I couldn’t find the password in rockyou. Then I remembered /secret.php, where Noro asked Kaneki for access and Kaneki replied with a weird string that looked like a password (ILoveTouka) :

I tried that as the key password and it worked :

Since I’m going to tunnel stuff, I echoed my public key into /root/.ssh/authorized_keys and got ssh as root :

I forwarded port 22 of 172.20.0.150 to my machine, then sshed to the box as kaneki_pub :

## RCE in gogs, Pivoting from kaneki-pc to git

There was a text file called to-do.txt in the home directory :

On Aogiri there was a hint about a vulnerability in gogs :

> A painless self-hosted Git service. - gogs.io

I checked the interfaces and there was a new subnet :

So I ran another ping sweep :

And again I downloaded nc to scan the discovered host (172.18.0.200) :

Port 3000 is the default port for gogs. I forwarded it to Aogiri, then from Aogiri to my machine :

We already have the username : AogiriTest. I tried the password I got from tomcat-users.xml (test@aogiri123) and it worked :

The hint said that this version of gogs was vulnerable, so I cloned gogsownz and used it to exploit the RCE vulnerability :

It worked, time to get a reverse shell :

## Privilege Escalation from git to root, Getting aogiri-app.7z

Unfortunately python wasn’t installed on the host, so I had to get ssh for a better shell.

I couldn’t find anything useful so I had to escalate to root. After some regular enumeration I checked the suid binaries :

gosu was interesting, so I checked it and found that it executes commands as other users, including root. So I executed bash as root :

I checked the root directory and found a bash script called session.sh :

This script was executed periodically to terminate the active sessions. I saved the password it contained because we may need it later.
The other thing was a 7z archive called aogiri-app.7z, I used nc to download it on my box :

## Searching Through git Commits, Privilege Escalation on kaneki-pc

I created a directory and called it aogiri-app then I extracted the archive there :

By looking at the extracted files we’ll see that it’s a git repository :

And honestly this was a very big rabbit hole: I spent a long time searching through the application code (which was useless, I couldn’t get anything from it) while the real clue was in the git repository itself, in its history.
Let’s check the reflog to get the commits :

I checked each commit and in one of the commits (0d426b5) I found some passwords :

The only host that hasn’t been rooted yet is kaneki-pc, so I tried the 2 passwords and 7^Grc%C\7xEQ?tb4 worked. However, still no flag :
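The lesson from the aogiri-app repository above is that a secret committed once stays in the history even after a later commit removes it. As an added example that is not part of the original write-up and does not reproduce the aogiri-app history, here is a scanner over `git log -p --all`-style output (the same diffs you would walk through from the reflog) that reports password-like assignments on both added and removed lines and separates out the values that were "removed" but are still recoverable. The log excerpt, the repository layout, commit ids and values are all constructed placeholders.

```python
import re

# Constructed excerpt of `git log -p --all` output for a made-up repository (not the
# aogiri-app history from the write-up). Commit ids, paths and values are placeholders.
SAMPLE_GIT_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>
Date:   Mon Jan 1 10:00:00 2018 +0000

    add database config

diff --git a/config/db.properties b/config/db.properties
new file mode 100644
--- /dev/null
+++ b/config/db.properties
@@ -0,0 +1,3 @@
+db.url=jdbc:mysql://db.example.invalid/app
+db.username=app
+db.password=Constructed-Passw0rd!
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>
Date:   Tue Jan 2 10:00:00 2018 +0000

    stop committing the db password

diff --git a/config/db.properties b/config/db.properties
--- a/config/db.properties
+++ b/config/db.properties
@@ -1,3 +1,3 @@
 db.url=jdbc:mysql://db.example.invalid/app
 db.username=app
-db.password=Constructed-Passw0rd!
+db.password=${DB_PASSWORD}
"""

# key = value / key: value, optionally quoted; the key list is deliberately small.
SECRET_RE = re.compile(
    r"(?i)\b(passw(?:or)?d|pwd|secret|token|api[_-]?key)\b\s*[=:]\s*[\"']?([^\s\"']+)")
# Values that are obviously not real secrets (env placeholders, templates, dummies).
PLACEHOLDER_RE = re.compile(r"^\$\{.*\}$|^<.*>$|^(changeme|xxx+|\*+)$", re.I)


def scan_git_log(text):
    """Walk a `git log -p` dump and report secret-looking diff lines with their commit and file."""
    findings = []
    commit = path = None
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]          # short id, as `git log --oneline` shows it
        elif line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("--- "):
            continue                               # old-file header, not a removed line
        elif line and line[0] in "+-":
            change = "added" if line[0] == "+" else "removed"
            m = SECRET_RE.search(line[1:])
            if m and not PLACEHOLDER_RE.match(m.group(2)):
                findings.append({"commit": commit, "file": path, "change": change,
                                 "key": m.group(1), "value": m.group(2)})
    return findings


def still_in_history(findings):
    """Values some later commit removed: they are gone from HEAD but still in every clone."""
    return sorted({f["value"] for f in findings if f["change"] == "removed"})


if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_GIT_LOG):
        print(f)
    print("still recoverable:", still_in_history(scan_git_log(SAMPLE_GIT_LOG)))
```

Two points the output makes concrete: the second commit’s "fix" is itself a finding, because the removed line still carries the value, and an archive of the repository (like the 7z on the page) ships the whole history with it. Once a value shows up in `still_in_history`, the only useful remediation is rotating it; rewriting history is optional and never sufficient on its own.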

## Hijacking the SSH Forward Agent, Root Flag

By checking the /tmp directory I saw some directories named ssh-<random string> :

And by checking the processes I found that there is a periodic ssh command as root to 172.18.0.1 :

After searching for a while I found this article, which explains it very well. I cleaned the /tmp directory :

Then I waited for the ssh command to get executed again. After some minutes the agent was created :

I quickly hijacked it :

Then I could ssh to 172.18.0.1 as root :

And we owned root!
That’s it, feedback is appreciated!
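The root flag came from a forwarded SSH agent: a periodic root ssh session left its agent socket under /tmp on kaneki-pc, and anyone who was root there could use it. As an added example, not part of the original write-up and not the configuration of any host on the box, here is a small ssh_config parser that tells you whether the agent would be forwarded to a given host, honouring the rule that ssh uses the first value it obtains for an option. Two constructed client configs show the weak shape (`ForwardAgent yes` under `Host *`) beside the hardened one (`ForwardAgent no` plus `ProxyJump` through the jump host); host aliases, hostnames and identity file names are assumptions.

```python
import fnmatch

# Constructed client config with the risky shape behind the section above: the agent
# rides along on every connection, so anyone who becomes root on the jump host can use
# the forwarded socket for as long as the session lasts.
WEAK_CONFIG = """\
Host *
    ForwardAgent yes

Host bastion
    HostName 172.18.0.1
    User root
"""

# Constructed hardened config: the agent stays on the client, the jump host only relays TCP.
HARDENED_CONFIG = """\
Host *
    ForwardAgent no

Host bastion
    HostName 172.18.0.1
    User deploy

Host fileserver
    HostName fileserver.internal.invalid
    User deploy
    ProxyJump bastion
    IdentityFile ~/.ssh/id_deploy
"""


def parse_ssh_config(text):
    """Return [(host_patterns, {keyword_lower: value}), ...] in file order.

    Options before the first Host line go into an implicit 'Host *' block. Match
    blocks are recorded with no patterns, so this simplified parser never applies them.
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = line.split(None, 1)
        if "=" in head[0]:                       # "Keyword=value" spelling
            key, value = (s.strip() for s in line.split("=", 1))
        else:
            key, value = head[0], (head[1].strip() if len(head) > 1 else "")
        key = key.lower()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append(([], {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins as well
    return blocks


def host_matches(patterns, hostname):
    """ssh_config matching: some positive pattern matches and no negated one does."""
    if any(p.startswith("!") and fnmatch.fnmatchcase(hostname, p[1:]) for p in patterns):
        return False
    return any(not p.startswith("!") and fnmatch.fnmatchcase(hostname, p) for p in patterns)


def effective_option(blocks, hostname, keyword):
    """First obtained value wins, exactly as ssh(1) evaluates the file top to bottom."""
    keyword = keyword.lower()
    for patterns, options in blocks:
        if keyword in options and host_matches(patterns, hostname):
            return options[keyword]
    return None


def audit_agent_forwarding(text, hostnames):
    """Map each host alias to True when the agent would be forwarded to it (ssh default: no)."""
    blocks = parse_ssh_config(text)
    return {h: (effective_option(blocks, h, "ForwardAgent") or "no").lower() == "yes"
            for h in hostnames}


if __name__ == "__main__":
    print("weak:", audit_agent_forwarding(WEAK_CONFIG, ["bastion", "anything.else"]))
    print("hardened:", audit_agent_forwarding(HARDENED_CONFIG, ["bastion", "fileserver"]))
```

The first-value-wins rule is the usual trap: a `Host bastion` block with `ForwardAgent no` placed after a `Host *` block with `ForwardAgent yes` changes nothing, so host-specific blocks have to come first. A `-A` on the command line overrides the file entirely, which is likely what the periodic job on the page was doing. Beyond the client config, `ssh-add -c` makes the agent ask for confirmation on every signature, so a hijacked socket cannot be used silently, and `AllowAgentForwarding no` in the jump host’s sshd_config refuses the forward on the server side; whichever key that agent held should also be rotated once a compromise like this one is known.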