Greetings, my name is THOVITI SIDDHARTH, and I’m passionate about cybersecurity, machine learning, computer vision, and web development. Welcome to my website! I write about my computer science experiments and the thoughts that drive me to write.
Blog Posts
Pilgrimage – HackTheBox Writeup
Machine Name: Pilgrimage
IP: 10.10.11.219
Difficulty: Easy
Summary
Pilgrimage is an easy machine that starts with identifying the ImageMagick tool the target web application uses to shrink images. The tool is vulnerable to arbitrary file reads, which enable us to fetch credentials from a database file. These credentials were used to SSH in and gain a user shell. The privilege escalation consists of exploiting Binwalk, which runs inside a cron script.
Topology – HackTheBox Writeup
Machine Name: Topology
IP: 10.10.11.217
Difficulty: Easy
Summary
Topology is an easy machine that starts by exploiting LaTeX injection to read files on the server that contain password hashes. After cracking the password hash, it was possible to log in via SSH and obtain the user flag. The privilege escalation consisted of enumerating processes run by root. One of the processes run by root executed “.plt” files in a particular folder to which the user had write permissions. Finally, it was a simple matter of looking up the documentation on running OS commands for that particular extension and using it to gain a shell as root.
Jupiter – HackTheBox Writeup
Machine Name: Jupiter
IP: 10.10.11.216
Difficulty: Medium
Summary
Jupiter is a medium machine that starts with discovering a subdomain that retrieves data from the database using queries sent through the request, making it vulnerable to SQLi. The SQL injection is leveraged to gain a shell as the user postgres. A configuration script writable by postgres and run by juno is used to gain a shell as juno. Juno is part of the “science” group, which uses Jupyter Notebook. The Jupyter service is run by jovian. The Jupyter logs are readable by juno and are used to obtain tokens to log in to the Jupyter Hub. The notebook is used to execute commands and gain a shell as jovian. To escalate privileges to root, a binary that can be run using sudo reads a configuration file that is writable by jovian. This misconfiguration is leveraged to gain a shell as root.
Format – HackTheBox Writeup
Machine Name: Format
IP: 10.10.11.213
Difficulty: Medium
Summary
Format is a medium machine that starts with discovering two ports that run Gitea and a Microblog respectively. First, an LFI is discovered on the Microblog after reviewing the source code. Analysing the source code further, one could bypass the mechanism to become a Pro user and upload image files. One of the parameters that causes the LFI creates a new file if it doesn’t already exist. This allowed writing a PHP shell, through which a shell was obtained as www-data. A Redis server listening on a socket was discovered and used to obtain credentials for the user “cooper”. Privilege escalation involved exploiting a Python format string vulnerability in a script that could be run using sudo.
Snoopy – HackTheBox Writeup
Machine Name: Snoopy
IP: 10.10.11.212
Difficulty: Hard
Summary
Snoopy is a hard machine that starts with discovering subdomains through a DNS zone transfer and exploiting an LFI to obtain site configuration files that revealed the mail server’s secret key. The key was used to update the mail server’s DNS records so that mail was delivered to my local SMTP server. The Mattermost subdomain discovered had an “email password reset link” page. The password reset for user cbrown was received on the SMTP server. The authenticated Mattermost session provided an option to interact with the server through SSH, which was intercepted in a man-in-the-middle attack to fetch the SSH credentials of cbrown. The user cbrown could run the “git apply” command as user sbrown, which was exploited using a known vulnerability that uses symbolic links to access files of the user running Git. This was used to write an SSH public key into sbrown’s account and gain an SSH shell. Privilege escalation involved exploiting ClamAV’s XXE vulnerability to fetch the private key of root.
MonitorsTwo – HackTheBox Writeup
Machine Name: MonitorsTwo
IP: 10.10.11.211
Difficulty: Easy
Summary
MonitorsTwo is an easy machine that starts with exploiting the Cacti monitoring software to gain a shell. The shell is obtained inside a container, where we find user password hashes in a database file. After cracking the hashes, we obtain the user shell through SSH. Privilege escalation consists of leveraging insufficient permissions on the Docker overlay2 filesystem, which allows host users to run privileged binaries from the container. To create a setuid bash binary in the Docker container, capsh’s capabilities were abused to gain root privileges. Finally, the binary was executed on the host machine to obtain a root shell.
OnlyForYou – HackTheBox Writeup
Machine Name: OnlyForYou
IP: 10.10.11.210
Difficulty: Medium
Summary
OnlyForYou is a medium machine that starts with discovering a subdomain that is vulnerable to LFI. The LFI is used to read the source code of the application. Improper sanitization of user data in a part of the code that executes shell commands was leveraged to gain a shell as www-data. From this shell, two active ports were found, one of which hosted a login page that used default credentials. The dashboard revealed that the application uses a Neo4j database. This information was used to test for Cypher injection. The Cypher injection was successful and was used to obtain password hashes from the database. The cracked hashes were used to log in as the user John. Privilege escalation involved abusing the “pip3 download” command, which the user could run as root.
Sohni Mahiwal – Paar Chanaa De
Folklore has always occupied a sacred corner of my heart; a realm where stories traverse cultures, touching lives with their timeless tales, is nothing short of magical. It never ceases to fascinate me, more so when folklore is told through other forms of expression, like music, rather than in writing. Paar Chanaa De is one of my all-time favorites from Coke Studio; it references the Sohni Mahiwal tale and expresses the pain of separation and longing for one’s beloved. In the spirit of preserving this tradition of retelling folklore, this is an attempt to relive the tragedy of Sohni Mahiwal and touch the very ache of separation. Delicately sieving through myriad accounts, skimming over a few, I present to you, in fleeting elegance, the essence I could glean from this timeless tale:
Busqueda – HackTheBox Writeup
Machine Name: Busqueda
IP: 10.10.11.208
Difficulty: Easy
Summary
Busqueda is an easy machine that challenges you to read code, find the vulnerability, and craft syntactically correct payloads that suit the code when injected. The privilege escalation is straightforward and explores relative path hijacking through SUID scripts to get root.
Forest – HackTheBox Writeup
Machine Name: Forest
IP: 10.10.10.161
Difficulty: Easy
Summary
Forest is an easy machine that starts with enumerating usernames through LDAP and performing Kerberoasting on one of those users. After cracking the TGT hash, we obtain the user shell. The privilege escalation involved mapping the Active Directory domain and understanding the group memberships and permissions that could be exploited. WriteDACL permissions were discovered for one of the groups, which were abused to perform a DCSync attack, dump the hashes, and finally pass them to gain an administrator shell.