Skyfall
Link machine : https://app.hackthebox.com/machines/586
Pwned : https://www.hackthebox.com/achievement/machine/1410710/586
My notes about the Skyfall machine.
Enumeration :
Add skyfall.htb and demo.skyfall.htb to /etc/hosts and view the web page:
On this website there are some options like Fetch URL, Download, and Upload file. I tried a webshell upload and a reverse shell on this one, but it doesn't seem to work.
There is another notable function called Minio Metrics, but when I click on it to view it, I get a 403 Forbidden error.
A bit of research tells me there is a security vulnerability in the MinIO service, which also has several CVEs, and the one I'm looking into is CVE-2023-28432 (CVSS 7.5).
WhiteHat also has a blog post about this: https://whitehat.vn/threads/canh-bao-lo-hong-nghiem-trong-cao-trong-minio.17181/
Okay, the problem is that the website returns a 403 Forbidden error when accessed, so if we can get around this, it will provide some useful information.
I continued researching 403 bypasses in the HackTricks book, and there are more resources that can help.
Open Burp Suite first, then try to bypass:
Viewing this gives the new subdomain:
Following the CVE PoC I had found, try the exploit with it:
Exploited successfully. Got MINIO_ROOT_PASSWORD and MINIO_ROOT_USER; these are important credentials.
Now that we have these credentials, we can gain access with the MinIO client:
Enumerations :
Download all of these backup files. Got an SSH key in v1 but can't connect; in v2/.bashrc, got the Vault TOKEN and Vault ADDRESS -> Gain User Access (assky).
Install vault : https://developer.hashicorp.com/vault/install#Linux
Use vault to connect with all these credentials:
vault read sys/internal/ui/resultant-acl --format=json
-> get ssh role
Running vault-unseal with the -d option will give the log and write it to debug.log; creating a debug.log file can help us get the data from this:
Get the Master Token -> Use this and follow the User Login step done before, which may help to log in as root.
vault list ssh/roles
-> list role to connect ssh -> use admin role to connect.
\t (09 in hex) is the way to get past this error on this website.
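One way to spot this kind of 403 bypass from the defending side, as an added example that is not part of the original notes: the script below flags access-log requests whose path carries percent-encoded control bytes such as 09, including nested encoding. The combined log format, the /restricted path, the addresses and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Request part of a combined-format access log line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def control_bytes(target, max_rounds=3):
    """Return the control bytes (0x00-0x1f, 0x7f) present in the request path
    after percent-decoding; decoding is repeated to catch nested encoding."""
    path = target.split("?", 1)[0].encode("latin-1", "replace")
    found = set()
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(path)
        found.update(b for b in decoded if b < 0x20 or b == 0x7F)
        if decoded == path:  # nothing left to decode
            break
        path = decoded
    return sorted(found)

def flag_lines(lines):
    """Return (status, target, hex bytes) for each request whose path hides control bytes."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        bad = control_bytes(m["target"])
        if bad:
            hits.append((int(m["status"]), m["target"], [f"{b:02x}" for b in bad]))
    return hits

# Constructed sample lines (hypothetical path and addresses, not taken from the machine).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /restricted HTTP/1.1" 403 153',
    '192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "GET /restricted%09 HTTP/1.1" 200 4821',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /restricted%2509 HTTP/1.1" 403 153',
    '192.0.2.44 - - [01/Jan/2024:10:01:30 +0000] "GET /docs/a%20b.txt?q=1 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for status, target, bad in flag_lines(SAMPLE_LOG):
        print(f"status={status} target={target} control_bytes={bad}")
```

A flagged line with a 2xx status, where the plain path returns 403, is the one to triage first; rejecting such requests at the proxy before any path-based access rule is evaluated closes the gap.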