In this post, I would like to share a walkthrough of the Writer Machine from HackTheBox


This room has been considered difficulty rated as a Medium machine on HackThebox

Source: HackTheBox Website

What will you gain from the Writer machine?


For the user flag, you will execute some SQL Injection on the login page and enumerate MySQL database when you got logged as www-data


As for the root flag, you need to abuse the Sendmail on kyle’s shell and obtain another user which is john’s shell. From john shell, you also need to abuse the apt to obtain a root shell

Information Gathering


Once we have started the VPN connection which requires to download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN 


Some Nmap results show a few ports open.


Let’s open the browser and straight into the website interface.


We didn’t find any interesting information on the website that we can use to exploit


Let’s run some gobuster tools to enumerate the website directory


There have a few directories that we can verify on the website. However, there is one directory that has caught my attention which is /administrative


We managed to see an Admin Login Page where we need to find a way to login to the Dashboard. I have tried to execute the login using Cross-Site Scripting but sadly it doesn’t work at all.


I have been stuck here for a while now and asking for hints on the Discord Application. A lot of my friends said that I should try to run some SQL Injection, but it failed.

sqlmap Enumeration


Let’s run some tools such as sqlmap to enumerate the website with SQL Injection.


I notice that we can exploit the website by using some injections using the POST parameter ‘uname’


To be honest, I’m not familiar with uname sqli attack method so let’s do some research on it.


After a while, I got some nudge on SQL Injection that we can use to execute on the login page


On the username and password column, we can run some injections such as ‘or 1=1– 2


Voila! We managed to get access. to the Dashboard by using SQL Injection


Let’s roam around the Dashboard to find anything useful that we can use to exploit, and we notice there are a few sections such as Dashboard, Stories, Users, and Settings that we can investigate.


I found a wealth of information when I access the Stories section. We can modify any of those IDs where we can find any function such as upload

Gaining Privileges Access on Writer Machine


I knew it! Let’s try to upload some PHP reverse shells by using the upload function


The reverse shell didn’t come back to us after I uploaded it on the website interface.


Oh, man! My mistake of not being aware of the file format that we can use to upload to the system.


We can change the file format from PHP format to jpg format by using some simple command as cp /targetfilename to /newfilename


Now, we can upload the file to the system


But firstly, we need to start our nc listener so that the reverse shell comes back to us.


We can inspect the packet by using BurpSuite and the packet can be seen as shown above.


Let’s try to encode our bash reverse shell command by using the echo function as above.


Once that has been completed, we can put our code under the “image_url” section which I show above


Boom! we managed to obtain a shell on another terminal. Let’s check the MySQL configuration that locates at /etc/mysql/mariadb.cnf


Before we proceed with MySQL enumeration, there’s some documentation that we can study about it over here

mysql enumeration


We can access the mysql by executing mysql -u <username> -h localhost -p


We successfully login into the MariaDB system


Inside the MariaDB database, we can see there’s dev and information stored there. Let’s access that database


There have around 10 tables been saved in the dev database


We should be able to get the password hashes by running the command “select * from auth_user


A file will need to create and paste the password hashes inside it.


For us to obtain the password in plaintext, we should execute the hashcat tools such as hashcat -a 0 -m 10000 hashes –wordlist rockyou.txt


Damn! We got an obstacle while getting the password


Luckily, we managed to get the password after a few tries been made.

Maintaining Privileges Access on Writer Machine

SSH ACCESS


Voila! We successfully access the machine via SSH service using the credentials that we found earlier.


We can read the user flag by executing the “cat user.txt” command

Escalate to Root Privileges Access on Writer Machine

Escalate from kyle to john


There’s a disclaimer file when I try to read the user flag. I did notice that some bash shell and email functions have been saved on the file.


We need to start our nc listener on others terminal


An email will need to be sent so that we can retrieve a reverse shell on our machine.


To get root privileges access, we can get a reverse shell by abusing apt via Netcat reverse shell


Boom! We got a root reverse shell such as above.


We should be able to read the root flag by executing the “cat root.txt” command


-THE END-


Happy Learning, Guys!