EUROPA
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Europa, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Europa's IP is 10.10.10.22:

- Scanning with Nmap:

- Going deeper with the scanning:

- So there are two domains that should be added to the /etc/hosts file:

- sslyze is also able to find both domains:



- Connecting to admin.portal, we find a login form:

3 - EXPLOITATION
- The exploitation process consists of two steps:
3.1 - Database exploitation
- Let's start by using sqlmap against any database exposed by Europa:
- sqlmap has different options to be used, for instance:




- Launching sqlmap against Europa's administrator portal we find two databases:


- Going deeper with database admin and dumping all available information:


- Cracking the password, which is the same for both users:

- Now we can log in to the admin-portal console with the admin's email and the password SuperSecretPassword!

3.2 - PHP code exploitation
- Once logged in, the Dashboard has a Tools tab:

- Going to Tools we find a VPN generator script:

- Intercepting the VPN generation with Burp:


- So there is a parameter called pattern, which is used by the preg_replace PHP function in this way:

- One of the modifiers is /e, which was deprecated in later versions of PHP because of the vulnerabilities it enables:


- As noted above, the e modifier is the origin of this vulnerability:

- Here is another interesting explanation about this vulnerability:
http://www.madirish.net/402
- So what the e modifier does is evaluate the replacement string as PHP code after the substitution has been made.
- We can take advantage of this to control what gets evaluated by appending the e modifier to the pattern parameter:
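As an added illustration (not code from this write-up or from the Europa machine itself), here is the vulnerable shape described above next to a hardened version and a check that flags patterns carrying the e modifier; the function and parameter names and the __VPN_IP__ placeholder are assumptions.

```php
<?php
// Vulnerable shape (as described in the write-up): the regex pattern itself comes
// from the request. On PHP < 7.0 a client can append the /e modifier, and
// preg_replace then evaluates the replacement string as PHP code.
function generate_vpn_config_vulnerable(string $template, string $pattern, string $ip): string
{
    return preg_replace($pattern, $ip, $template); // $pattern is client-controlled
}

// Hardened version: no user input ever reaches the regex engine as a pattern.
// The placeholder is a server-side constant and the substituted value is validated.
function generate_vpn_config_hardened(string $template, string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('ip must be a valid IP address');
    }
    return str_replace('__VPN_IP__', $ip, $template);
}

// If a dynamic replacement is really needed, preg_replace_callback keeps the
// replacement as PHP code the server wrote, never a string built from input.
function generate_vpn_config_callback(string $template, string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('ip must be a valid IP address');
    }
    return preg_replace_callback('/__VPN_IP__/', fn() => $ip, $template);
}

// Review / boundary check: flag a pattern that carries the e modifier.
// Useful for grepping legacy code or for an input filter on a PHP 5 host.
function pattern_has_eval_modifier(string $pattern): bool
{
    if (strlen($pattern) < 2) {
        return false;
    }
    $open  = $pattern[0];
    $pairs = ['(' => ')', '{' => '}', '[' => ']', '<' => '>'];
    $close = $pairs[$open] ?? $open;
    $end   = strrpos($pattern, $close);   // last delimiter; modifiers follow it
    if ($end === false || $end === 0) {
        return false;
    }
    return strpos(substr($pattern, $end + 1), 'e') !== false;
}

// Constructed sample values (as they might appear in a request log):
assert(pattern_has_eval_modifier('/__VPN_IP__/e') === true);
assert(pattern_has_eval_modifier('/__VPN_IP__/') === false);
```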

- Sending the request to Burp Repeater, let's try to read /etc/passwd:



- Now, creating a reverse shell payload with msfvenom:

- URL-encoding it:

- Adding to Burp request:

- Setting a listener session:

- Finally, sending the request from Burp Repeater, we get a reverse shell:


- Improving the shell:

- The current user is www-data:

4 - CAPTURING THE 1st FLAG
- Reading user.txt:

5 - PRIVILEGE ESCALATION
- Looking at the cron jobs, there is one task called clearlogs run every minute by the root user, which may be worth exploiting:

- Reading clearlogs:

- So what we need to do is put the code of our choice into logcleared.sh.
- By the way, logcleared.sh does not even exist at the moment, so it must be created from scratch:

- msfvenom comes to our help again, this time using a different port than before:

- Setting a listener session at port 6666:

- Echoing the exploit to logcleared.sh:

- The script is successfully created:

- Making the script executable:

- Now, if we don't wait for the cron interval and execute the script ourselves, the shell runs as www-data (not as root), so we only get a low-privilege shell:


- However, after closing that session, starting a new listener and waiting for the cron job to run logcleared.sh as root, we finally get a reverse root shell:

6 - READING THE 2nd FLAG
- Reading root.txt:
