Skip to content

Hack The Box — Hawk Writeup without Metasploit

Hack the box Hawk. Again another web application. This time Joomla. Joomla is a well known CMS in the community. Had few flaws caused by plugins. As usual lets start with nmap

4 ports are open. 21,22,80 and 8082 which is not familiar at all. We will first check out drupal. nmap scan is showing it’s drupal 7

Tried different logins but failed. lets check ftp

we have a drupal encoded file. Download it to the desktop. It’s time to google about everything.

File was salted and also base64 encoded. life is hard I guess. let’s continue. started running dirbuster in the background just in case we might find something interesting.

We needed a tool to brute force SSL. found tool to do that

It’s done. Now it’s time to grind the salt.

After few minutes realized it was base64 encoded. Great try again harder

again it was SHA256 run again. Missed that screenshot but the password was Friend.

Daniel. Let’s go back to drupal. Tried Daniel which didn’t work but admin : PencilKeyboardScanner123 worked.

Wait whats the version?

Joomla 7.58 start googling again. after a while came across a plugin which gives away a php shell.

Click on the php filter. go back and write an article. Like im doing now. Just kidding.

Accidentally wrote another pho reverse shell lol.But anyway that’s the one liner shell we need. so our favorite netcat in place listening let’s save the file.

We got the user flag. I wanted to try linpeas and winpeas to get more familiar with it. Tried downloading linpeas. Bad luck permission denied. Time to start pulling hair. Im pretty sure I’m gonna be bold when I’m done with OSCP. Changed directory to /tmp

Downloaded. Ok I have tested linpeas and it tries to spit out a lot of information. And I mean a lot. I thought like let’s think a bit smarter and run it put everything in a file and we will read the file ./linpease.sh > new.txt

I can read it but never gonna do that again. This is the only thing which was abnormal. I pointed out in the nmap scan about something which I have no idea about. And now we know what that is.

Time to find an exploit

Can download the exploit from the following url

https://www.exploit-db.com/exploits/45506

transferred the exploit to the machine and got root. I like to show how silly I am so captured everything. CANT BEAT THE NOOB POWER!!!!!!!!!

Published inHackinghacktheboxOSCP

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: