Some of you must be thinking, not another HTB writeup. But that’s not the case here. Let me elaborate:
My goal is to document my journey towards achieving the OSCP certification. This Medium blog is not the place to find a quick writeup for a box, which is why I don’t want to call this blog series a “writeup”. It’s more of a pentest. As a penetration tester, my regular assessments are different from hacking boxes. The focus is not on cracking a server in the shortest amount of time, using Metasploit for example; it’s much more thorough, and every little abnormality and finding is noted. Don’t get me wrong, this blog will show you how to exploit the target to get user.txt and root.txt, but it will also offer much more information about the target: which vulnerabilities led to root and how to fix them. A very important part of a penetration test report is the recommendations for the client. The client has to know what is vulnerable in their application, but it is much more important for them to know how to fix the vulnerability, so that the issue never appears again.
A step towards safer applications without security flaws and vulnerabilities is Secure Coding. As a developer of web applications today, you are confronted with a wide range of potential dangers. Knowing the threats, avoiding the pitfalls and counteracting them with the right measures is undoubtedly one of the most important skills of every developer. This aspect will also be part of my blog series.
Before we start, a few words about my setup:
Today we will be looking at Popcorn from HackTheBox, so get your VPN up and running.
First, let’s start with enumeration in order to gain as much information about the machine as possible. The first step is nmap. Nmap is not only a port scanner: it can also run scripts, such as vulnerability scripts or cipher suite scans. There is a lot to learn about nmap, so take your time and read the help page. Every pentester has their own set of parameters they use with nmap. My methodology with nmap looks like this:
nmap -A -oA nmap 10.10.10.6
This scan runs very fast and shows important results. -A enables OS detection, version detection, script scanning, and traceroute. -oA nmap saves our scan to files with the basename nmap. On a regular pentest, I would run a different nmap setup. Parameters like -p- for scanning all ports or -sU for a UDP scan are very important if you want to get the most information from a server; it just depends on how much time you have. I highly recommend this nmap cheat sheet.
We can look at our scan with this command:
less nmap.nmap
nmap port scan
There are some interesting findings to be written down in CherryTree, which would also be documented in a pentest report:
If port 443 were open, I would scan it again using this command:
nmap --script ssl-enum-ciphers -p 443 10.10.10.6
This would tell us which TLS versions and which cipher suites the server supports. TLSv1.0 would be noted down as a low finding, as would the use of insecure cipher suites.
Another useful nmap script scans the server for common vulnerabilities:
nmap --script vuln 10.10.10.6
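As an added example (my own code, not from the original post), here is a small Python script that reads the nmap.xml file produced by -oA and turns the results into report-ready findings, including the TLSv1.0 and weak-cipher notes from ssl-enum-ciphers. The embedded XML is a constructed sample in nmap's output layout; it assumes an open port 443 for illustration, and the list of legacy protocols and the grade threshold are my own choices.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout nmap writes to nmap.xml (the -oA output).
# Port 443 and its ssl-enum-ciphers table are assumed here for illustration.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun><host><address addr="10.10.10.6" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
 <port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
  <script id="ssl-enum-ciphers">
   <table key="TLSv1.0"><table key="ciphers"><table>
    <elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem><elem key="strength">C</elem>
   </table></table></table>
   <table key="TLSv1.2"><table key="ciphers"><table>
    <elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem><elem key="strength">A</elem>
   </table></table></table>
  </script>
 </port>
</ports></host></nmaprun>"""


def open_ports(xml_text):
    """Return [(port, service)] for every port nmap reported as open."""
    root = ET.fromstring(xml_text)
    found = []
    for port in root.iter("port"):
        if port.find("state").get("state") == "open":
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            found.append((int(port.get("portid")), name))
    return found


def tls_findings(xml_text, legacy=("SSLv3", "TLSv1.0"), min_grade="A"):
    """Turn ssl-enum-ciphers results into (severity, text) findings.
    nmap grades ciphers A (best) to F; anything below min_grade is reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for script in root.iter("script"):
        if script.get("id") != "ssl-enum-ciphers":
            continue
        for proto in script.findall("table"):       # one table per protocol
            version = proto.get("key")
            if version in legacy:
                findings.append(("low", f"{version} enabled"))
            ciphers = proto.find("table[@key='ciphers']")
            for c in (ciphers.findall("table") if ciphers is not None else []):
                grade = c.findtext("elem[@key='strength']")
                cname = c.findtext("elem[@key='name']")
                if grade and grade > min_grade:      # 'C' > 'A' means weaker
                    findings.append(("low", f"{version}: {cname} graded {grade}"))
    return findings
```

Run it against the real nmap.xml from the scan above by replacing SAMPLE_XML with the file contents.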
Here are the results of the scan:
nmap vulnerability scan
Wow, a lot of information. It shows our two open ports and checks them against common vulnerabilities. The http-enum section is interesting, showing us four directories. These findings should always be written down. It also says that the Apache server is vulnerable to a denial of service.