HackTheBox – Starting Point Phase – Tier 2

HTB Labs - Tier 2 - "Base" Machine Walkthrough | By: CyberAlp0

AUTHORCyberAlp0
READ TIME08 MIN
HTB Labs - Tier 2 - "Base" Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Welcome to a new walkthrough powered by Hack The Box — Tier 2, featuring the machine “Base”.

Base is a Linux-based machine that demonstrates how insecure PHP authentication logic can lead to full system compromise. The attack chain starts with discovering a leaked swap file containing backend source code, exploiting a strcmp () type juggling vulnerability to bypass login, uploading a PHP reverse shell, and escalating privileges through a misconfigured sudo permission on the find command.

Executive Summary

Below is a high-level overview of the attack methodology used to compromise the machine.

Stage I: Scanning

An Nmap scan revealed two open TCP ports: SSH (22) and HTTP (80). The web server hosted a PHP-based application with a login panel.

Stage II: Enumeration 

Directory brute-forcing uncovered the /login directory containing three files, including a .swp swap file that leaked the PHP source code. The code revealed that strcmp() with loose comparison (==) was used for authentication — a known vulnerable pattern.

Stage III: Exploitation

The strcmp() function was bypassed by sending array parameters (username[]=&password[]=) via Burp Suite, granting access to an upload page. A PHP reverse shell was uploaded and executed, providing initial access as www-data. Credentials found in config.php allowed switching to user john, who had sudo privileges on /usr/bin/find. Using find -exec, a root shell was spawned, fully compromising the machine.

Let’s waste no time and begin pwning the machine…..

Step 1: Connecting to the Starting Point Labs Servers.

To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.

Step 2: Spawning the Machine and Starting to Solve the Tasks.

Task 1: Which two TCP ports are open on the remote host?

Answer: 22,80

Walkthrough:

Upon scanning the target using the NmapAutomator, we can find out that there are two opened TCP ports which are 22, and 80

Scanning the target using nmapautomator to find the opened ports and the services.
Scanning the target using nmapautomator to find the opened ports and the services.

Task 2: What is the relative path on the web server for the login page?

Answer: /login/login.php

Walkthrough:

To view the web application page of the machine, we will resolve the IP address of the machine on the local DNS server by adding the IP address against the name of the machine in the /etc/hosts.

sudo vim /etc/hosts
Resolving the IP address of the machine against the name of the machine.
Resolving the IP address of the machine against the name of the machine.

Based on that, we can view the web page of the web application by entering the URL of the machine in the web browser. (http://base.htb). After that look at the login page and observer the URL, you will find that the path for the login is (/login/login.php).

Finding the different directories related to the web application.
Finding the different directories related to the web application.

Also, you can use gobuster or ffuf for directory brute forcing. Use the following command:

gobuster dir http://10.129.95.184 -w /usr/share/wordlists/dirb/common.txt
Preforming directory brute forcing on the target web application.
Preforming directory brute forcing on the target web application.

Task 3: How many files are present in the ‘/login’ directory?

Answer: 3

Walkthrough:

Based on the past screenshot, we can find out the directory is consisting of 3 different files.

The files under the /login page.
The files under the /login page.

Task 4: What is the file extension of a swap file?

Answer: .swp

Walkthrough:

I think no need to walkthrough this.

Note that: Swap files are files on disk that Linux uses as overflow memory when RAM is full. Instead of crashing, the system moves inactive data from RAM to the swap file to free up space. Swap files usually refer to something different — editor swap files. When you edit a file in vim or nano, the editor creates a temporary backup. This is important because:
Those files may contain sensitive data like passwords, config files, or source code
Those files often left behind accidentally on web servers
Those files can be accessed directly, e.g.: http://base.htb/.login.php.swp

Task 5: Which PHP function is being used in the backend code to compare the user submitted username and password to the valid username and password?

Answer: strcmp()

Walkthrough:

For that, we will take a closer look to the files under the path /login to see whether we can find any useful information. By taking a closer look to the file named as /login.php.swp, we will find that some of its content is encrypted. However, there are PHP codes including an interesting popular function used for validating usernames and passwords, which is strcmp().

Finding out the strcmp() is the function used in PHP for validating the username and password.
Finding out the strcmp() is the function used in PHP for validating the username and password.
Note that:
strcmp() compares two strings and returns:
(0) — if they're equal
(< 0) — if string1 is less than string2
(> 0) — if string1 is greater than string2

The authentication is like this:

if (strcmp($_POST['password'], "s3cr3t_p@ss") == 0) {
    // login success
}

Task 6: In which directory are the uploaded files stored?

Answer: _uploaded

Walkthrough:

By re-preforming directory brute forcing against the target using gobuster, using a larger commonly used list called “big.txt”, we shall find that there is a directory called _uploaded. This directory didn’t appear in the previous scanning as we used a shorter list called “common.txt”.

sudo gobuster dir -u http://10.129.25.2 -w /usr/share/wordlists/dirb/big/txt
Performing a wider scan on the target machine using a big list file. Note that I have reset the machine.
Performing a wider scan on the target machine using a big list file. Note that I have reset the machine.

This is the directory that is used to save all the uploaded files. To test that, we will upload a text file using the upload page. To view the contents of this page, just type the following URL:

http://base.htb/_uploaded
This is the content of the _uploaded directory where are the files are saved and stored.
This is the content of the _uploaded directory where are the files are saved and stored.

Now, let us find out how we can get access to the upload admin panel, where we will upload the files to the server.

Based on the previous task, we found out that the authentication is done using the strcmp(). Upon entering dummy data as a username and password, it responds with an alarm stating that the username or the password is not correct.

strcmp() is validating the username and the password.
strcmp() is validating the username and the password.

When you pass an array instead of a string to strcmp() , it returns NULL and throws a warning. The critical part is:

NULL == 0true (loose comparison)
NULL === 0false (strict comparison)

Also, we need to understand whether the authentication request is a GET or a POST request. You can find out that by intercepting the traffic using the burpsuite while attempting to login.

Analysing the request using the burpsuite.
Analysing the request using the burpsuite.

Based on the screenshot, it appears that this request is a POST request.

Difference between GET request and POST Request
Difference between GET request and POST Request

Thus, we will exploit the fact that is strcmp() returns with NULL when attempting to enter any username or password. When intercepting the traffic using the burp suite, then we will Intercept the login request and change the body to:

username[]=&password[]=
Manipulating the POST request to get access to the upload page.
Manipulating the POST request to get access to the upload page.

Let me summarise what happened in the back end for you to understand how the exploit worked?

The back end code does this:

if (strcmp($password, $_POST['password']) == 0)

When you enter the password as equals to test for example, PHP receives $_POST[‘password’] as the string “test”:

strcmp("s3cr3t", "test")-1  (not equal)
-1 == 0false  →  login fails

But when you set the request to be password[], The [] tells PHP to treat this parameter as an array, so $_POST[‘password’] becomes [] (empty array) instead of a string:

strcmp("s3cr3t", [])NULL  (can't compare string to array)
NULL == 0true   →  login bypassed!

How did it work?

It’s a two-step trick:

  • strcmp() breaks — it expects two strings, but receives an array. It can’t handle that, so it returns NULL.
  • Loose comparison fails — PHP’s == considers NULL and 0 as equal. So NULL ==0 evaluates to true, passing the check.
The bypass worked properly, and 302 HTTP status code appeared and I am being redirected to a PHP page called upload.php.
The bypass worked properly, and 302 HTTP status code appeared and I am being redirected to a PHP page called upload.php.

You can right click on the response and copy the URL and paste it on the browser, and you will be redirected to the upload PHP page as shown in the following screenshot.

The upload PHP page where the admin is able to upload all the files.
The upload PHP page where the admin is able to upload all the files.
You may also find the /upload.php clearly mentioned in the login.php.swp file. As per the code configuration leaked, it is clearly describing that if the user didn’t enter the right username and password, show an alert stating “Wrong username or password”, and if the values are correct “else function”, redirect the user to the /upload.php page.
Finding the /upload.php page in the leaked configuration file.
Finding the /upload.php page in the leaked configuration file.

Since, this is a PHP-based web application, we can upload/inject a malicious PHP code in which will open for us a backdoor in the server. For that, we will use a normal inject.php after we modify it to call our IP address and through a specific port. 

Only modify the IP to the IP address of your machine (tun0 interface), and specify the port.
Only modify the IP to the IP address of your machine (tun0 interface), and specify the port.

Then, upload the inject.php file and it will be saved in the path /_uploaded/inject.php. Start the listener using the netcat and observe the terminal once calling this address (http://base.htb/_uploaded/inject.php)

sudo nc -lvnp 2233
Listening to the incoming connections from the target's server.
Listening to the incoming connections from the target's server.

Transfer the shell into an interactive shell by following the following commands in raw:

# On target (inside reverse shell):
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl+Z to background the shell
# On attacker (local terminal):
stty raw -echo; fg
# Back in the reverse shell on target:
export TERM=xterm
export SHELL=bash

Task 7: Which user exists on the remote host with a home directory?

Answer: john

Walkthrough:

After getting a reverse shell on the server, we can navigate the server using the basic command lines. By navigating the home directory, we will find that the user is named john

John is the ordinary user under the /home directory.
John is the ordinary user under the /home directory.

Task 8: What is the password for the user present on the system?

Answer: thisisagoodpassword

Walkthrough:

After getting a reverse shell, we can navigate different paths. I found an interesting path where I found a config.php file under the following path /var/www/html/login

Looking for the configuration file in which the username and password are saved.
Looking for the configuration file in which the username and password are saved.
The config.php file stores the username and the password.
The config.php file stores the username and the password.

Task 9: What is the full path to the command that the user john can run as user root on the remote host?

Answer: /usr/bin/find

Walkthrough:

We need to switch to john first as we are now logged in as a “www-data” user. Use the following command to switch to the user john.

su john

Enter the password you have found in the config.php file which is “thisisagoodpassword”.

Switching to the user john instead of www-date.
Switching to the user john instead of www-date.

Then, enter the following command to list all commands john can run as root. 

sudo -l

Task 10: What action can the find command use to execute commands?

Answer: exec

Walkthrough:

The -exec flag tells the find to run a command on every result it finds. Normally it's used like:

find /home -name "*.txt" -exec cat {} \;

This finds all (.txt) files and runs “cat” on each one. The {} is replaced by the filename, and \; marks the end of the command.

If john can run find as root:

sudo find / -exec /bin/bash \;

Here’s what happens step by step:

  1. sudo find — runs find with root privileges
  2. / — searches from root directory, which will immediately find something
  3. -exec /bin/bash \; — as soon as it finds the first file, it executes /bin/bash
  4. Since find is running as root, the spawned bash shell is also root

You don’t actually care about finding files — you’re just abusing the -exec flag to run a command as root.

Task 11: Submitting the User Flag

Answer: f54846c258f3b4612f78a819573d158e

Walkthrough:

This is found in the user.flag under the john home directory. 

The user flag for the user john.
The user flag for the user john.

The user flag of the machine “Base” is: f54846c258f3b4612f78a819573d158e

Task 12: Submitting the Root Flag

Answer: 51709519ea18ab37dd6fc58096bea949

Walkthrough:

After getting the root privileges from abusing the -exec flag in the find command, we are logged in as a root

sudo find / -exec /bin/bash \;
Capturing the root flag for the BASE HTB
Capturing the root flag for the BASE HTB

The root flag for the “Base” machine is: 51709519ea18ab37dd6fc58096bea949

Hope you enjoyed reading my blog about solving Base machine from HTB — Tier 2 — Starting Point Phase. 

See You in another write-up!

[ #base ][ #htb ][ #hackthebox ][ #cyberalp0 ][ #cyberskii ][ #Web Application Penetration Testing ][ #writeup ][ #writeups ][ #Web Application Security ][ #networksecurity ][ #ippsec ][ #Kali Linux ]