Post

HTB: Craft Experience

img

Introduction

This is not a walkthrough guide or tutorial on how to go about obtaining user or root on this system. Simply put, this is a write up of my experience in owning the system Craft.

This system definitely mimics a real world scenario that an individual in the penetration testing field may encounter. You may even see something like this for an interview challenge or at least getting a shell/user access.

I recommend adding craft.htb to your /etc/hosts file and add any other sub-domains you may come across as you work on this machine.

User/Shell Access

In order to successfully complete this system there are significant points where enumeration is key. In addition, being able to do code review and understand weak/dangerous functions will be critical to getting your initial foothold onto the system.

I don’t have a particularly strong code review background. I am able to read and understand code, but I don’t fully know what is considered good and bad practices when it comes to certain functions or libraries. Take Python Pickle library for example. This method should never be used to accept files from a user as they could abuse this and obtain remote code execution through the pickle.load() function.

Make sure you review everything presented to you. You might just find some critical information that helps you get onto the system.

While trying to remain as vague as possible, once you’ve obtained your remote code execution and obtain a shell you may notice something odd. You may think wow I already have root, that was easy. You might find yourself in a “holding cell”

Even though you are in said “holding cell” it is recommended that you follow standard post-exploitation steps. Try to see what information you can exfiltrate to get user and then even root

Root Access

I found the necessary pieces to obtain root fairly quickly running Linux Smart Enumeration in Level 2 (dump all the things) mode. Something popped up in the output that caught my eye in which I’ve never seen this before.

This is only possible once you’ve done your enumeration from above.

Once you’ve found this odd piece, do some research by looking it up in Google. I had a bit of a hard time trying to pull the necessary information in order to get a root shell. In the end I think obtaining root on this system was simple and fun.

This post is licensed under CC BY 4.0 by the author.