Aliens HackTheBox Write Up
HackTheBox (HTB) is a popular platform for ethical hackers and penetration testers to test their skills by solving real-world-like challenges. One of the intriguing machines featured on HTB is “Aliens.” This box, categorized as a medium-difficulty machine, offers unique challenges that require a combination of enumeration, web exploitation, privilege escalation, and lateral thinking to complete successfully.
In this article, we will provide a detailed walkthrough of the “Aliens” machine on HackTheBox, focusing on all the steps required to pwn the box, including enumeration, exploitation, and privilege escalation.
Enumeration Phase
Before diving into exploiting the machine, the first step in any CTF challenge is enumeration. This phase involves gathering as much information as possible about the target system. Let’s begin by scanning the target with Nmap.
Nmap Scan
To start, we run an Nmap scan to discover open ports and services running on the machine:
nmap -sC -sV -oN nmap_initial <Target_IP>
This command performs a service version detection (-sV), a default script scan (-sC), and saves the output to a file (-oN). After running the scan, we receive the following results:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1
80/tcp open  http    Apache httpd 2.4.29
From the scan results, we learn that SSH (port 22) and HTTP (port 80) are open. These services will be our primary targets for further investigation.
HTTP Enumeration
The next logical step is to explore the website hosted on port 80. Opening the web page in a browser reveals a standard Apache default page, which provides no useful information. We now run a directory brute force using Gobuster to uncover hidden directories or files.
Gobuster Scan
We run the following Gobuster command to find any hidden directories or files on the web server:
gobuster dir -u http://<Target_IP> -w /usr/share/wordlists/dirb/common.txt
Gobuster results reveal a few interesting directories:
/admin
/robots.txt
Let’s start by examining the /robots.txt file. Accessing the file through a browser or using cURL:
curl http://<Target_IP>/robots.txt
It reveals the following entry:
Disallow: /secret
This points us to a potentially interesting directory /secret. We now navigate to that directory.
Exploring /secret
Accessing http://<Target_IP>/secret reveals a login page. We try some basic default credentials, but nothing works. At this point, we consider other possible ways to gain access to the system.
Web Exploitation: SQL Injection
Since the /secret page asks for login credentials, we attempt a basic SQL injection attack. When a login form builds its SQL query by concatenating the submitted username and password into the query text, an injected quote and a condition that is always true can make the WHERE clause match regardless of the credentials, bypassing authentication.
We enter the following into both the username and password fields:
' OR 1=1 --
This is a common SQL injection payload: the leading quote closes the string literal the application wraps around our input, OR 1=1 makes the condition true for every row, and the trailing -- comments out the rest of the query. After submitting the form, we successfully gain access to the admin panel.
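To show why the payload above works and how the login should have been written, here is an added example (not code from the machine or from this write-up) that builds a constructed SQLite users table and runs the same input through a concatenated query and a parameterised one; the table schema and the stored credentials are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the /secret login backend; the real
# schema and credentials are not shown in the write-up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return db

def login_vulnerable(db, username, password):
    # User input is spliced into the SQL text. With the payload in both fields
    # the query becomes:
    #   ... WHERE username = '' OR 1=1 --' AND password = '' OR 1=1 --'
    # so '1=1' matches every row and '--' discards the password check.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_safe(db, username, password):
    # Parameterised query: the driver binds the values separately from the
    # SQL text, so a quote in the input is just a character in the data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

PAYLOAD = "' OR 1=1 --"   # the string entered in both login fields above

def compare():
    """(vulnerable+payload, safe+payload, vulnerable+real, safe+real)."""
    db = make_db()
    return (login_vulnerable(db, PAYLOAD, PAYLOAD),
            login_safe(db, PAYLOAD, PAYLOAD),
            login_vulnerable(db, "admin", "correct-horse"),
            login_safe(db, "admin", "correct-horse"))
```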
Admin Panel Exploration
Once inside the admin panel, we explore various sections. The panel reveals an option to upload files. This could potentially be an entry point for uploading a malicious payload.
Uploading a Reverse Shell
Using the file upload feature, we attempt to upload a PHP reverse shell. We first create a PHP reverse shell script and save it as shell.php. Before uploading, we set up a listener on our local machine using Netcat to catch the incoming connection:
nc -lvnp 4444
We upload the PHP shell file through the admin panel, and after successfully uploading it, we navigate to http://<Target_IP>/uploads/shell.php in the browser to execute the shell. Our Netcat listener catches the reverse shell, giving us limited access to the machine.
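The upload feature only becomes a foothold because the server keeps the file under its client-supplied name and serves /uploads with the PHP handler active. As an added example, not the box's own code, this is the validation a defender would put in front of such an upload; the accepted file types, the magic-byte table and the random stored-name scheme are assumptions.

```python
import os
import secrets

# Types the panel is meant to accept (an assumption; the page does not say).
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf"}
# Names a typical Apache/mod_php setup would execute or honour if they landed
# in a web-served /uploads directory; .htaccess can re-enable a PHP handler.
SCRIPT_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
              "htaccess"}
# Leading bytes expected for each accepted type.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

def check_upload(filename, content):
    """Return (accepted, reason_or_extension).

    Rejects a script extension anywhere in the name (shell.php, shell.php.jpg,
    shell.phtml), directory components and null bytes, and content whose
    leading bytes do not match the claimed type.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name:
        return False, "bad filename"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    if any(p in SCRIPT_EXT for p in parts[1:]):
        return False, "script extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if not any(content.startswith(magic) for magic in MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext

def stored_name(ext):
    """Server-chosen random name, so the client never controls the path."""
    return secrets.token_hex(16) + "." + ext
```

Even with this check in place, the uploads directory should be served with script execution disabled, so a validation slip cannot turn into code execution.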
Privilege Escalation
Now that we have limited shell access, the next step is to escalate our privileges to gain full control of the system.
Enumeration for Privilege Escalation
We start by running LinPEAS, a script that automates privilege escalation enumeration. Among its findings it highlights the sudo configuration, which we confirm by listing the sudo rules for our user:
sudo -l
This reveals that a certain user has permission to run /usr/bin/alien-tool as the root user without a password. Our goal is now to investigate this tool and exploit it to escalate privileges.
Exploiting Sudo Privileges
The alien-tool binary is a custom program installed on the system. Running it without arguments:
sudo /usr/bin/alien-tool
It becomes clear that the binary is vulnerable to command injection. We exploit this by passing the following command:
sudo /usr/bin/alien-tool `whoami`
This confirms that the tool allows command execution. Now, we use the tool to spawn a root shell:
sudo /usr/bin/alien-tool `bash`
This successfully gives us a root shell, allowing us to fully compromise the machine.
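Two things combined to give root here: a passwordless sudo rule and a root-run helper that hands its argument to a shell. The following added example (not alien-tool's source, which the write-up never shows) reproduces that bug class with echo standing in for the helper, and audits constructed sudoers lines for passwordless rules that run as root; the user names and the second rule are assumptions.

```python
import re
import subprocess

# --- The bug class: a helper that builds a shell command from its argument ---
def helper_vulnerable(user_arg):
    # The command is a string run through /bin/sh, so ';', backticks and $()
    # inside user_arg are interpreted by the shell instead of reaching echo.
    cmd = "echo " + user_arg
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def helper_safe(user_arg):
    # Argument vector and no shell: user_arg reaches echo as one literal word.
    return subprocess.run(["echo", user_arg], capture_output=True, text=True).stdout

# --- The enabling misconfiguration: NOPASSWD sudo rules for custom binaries ---
# Constructed sample sudoers content; the alien-tool line mirrors the rule the
# write-up found, the user names and the apt rule are assumptions.
SAMPLE_SUDOERS = """
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
alice ALL=(root) NOPASSWD: /usr/bin/alien-tool
bob ALL=(ALL) NOPASSWD: /usr/bin/apt update
"""

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def find_nopasswd_rules(text):
    """Return (user, command) pairs that may run as root without a password."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0]
        if "NOPASSWD" in m.group("tags") and runas_user in ("root", "ALL"):
            hits.append((m.group("who"), m.group("cmds").strip()))
    return hits
```

Every hit the audit returns is a root boundary that depends entirely on the listed program treating its arguments as data, which is the assumption alien-tool broke.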
Conclusion
The “Aliens” machine on HackTheBox demonstrates a range of techniques, from SQL injection to privilege escalation using sudo misconfigurations. By carefully enumerating the system and using the right exploitation methods, we can move from gaining initial access to escalating privileges and rooting the machine.
FAQs
What is the main vulnerability in the “Aliens” machine?
The main vulnerability is a combination of SQL injection on the login page and the privilege escalation via the misconfigured alien-tool binary, which can be run as root without a password.
What tools were used in this write-up?
Key tools used in this walkthrough include Nmap for scanning, Gobuster for directory brute-forcing, Netcat for reverse shell connection, and LinPEAS for privilege escalation enumeration.
How does SQL injection work in this scenario?
SQL injection allows us to bypass authentication by injecting SQL syntax into input fields that the application concatenates into its query, so the backend executes a different query from the one the developer intended.
Why is privilege escalation important in CTF challenges?
Privilege escalation allows attackers to elevate their access level from a regular user to an administrative or root user, giving them full control over the machine.
What is the purpose of using LinPEAS?
LinPEAS is used to automate the process of enumerating potential privilege escalation vectors, making it easier to identify misconfigurations or vulnerabilities that can be exploited to gain higher-level access.