In this post, I would like to share a walkthrough of the Undetected machine from Hack The Box.


This machine is rated as medium difficulty on Hack The Box.


What will you gain from the Undetected machine?


For the user flag, you will need to use CVE-2017-9841 to get a reverse shell on the machine. Once inside via the reverse shell, we need to find a username and password so that we can log in over SSH.


As for the root flag, you need to reverse engineer a few files in order to recover the root password.

Information Gathering on Undetected Machine


Once we have started the VPN connection (the connection pack is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


The Nmap output shows two open ports: SSH and HTTP. Sadly, there is no other information that we can use to get further.


Let’s access the website interface.


It looks like a normal website interface at first glance.


Let’s run gobuster to enumerate any interesting directories under the website.


Nothing in the gobuster result looks interesting at all.


After browsing the website for a while, the Store button redirects us to a new domain. Let’s add that domain to our /etc/hosts.


It’s the same website as before, but there are three buttons: Empty, Account, and Login.


I tried to log in to the website dashboard, but we got an error stating:


Due To A website migration we are currently not taking any online orders. Contact us if you wish to make a purchase

Enumerate any other directory on the Undetected Machine


Let’s run gobuster again on the new domain to see if there is any interesting directory.


I notice that all the directories are common except for /vendor.


After a while, we find that PHPUnit version 5.6 is present.


Aside from that, we also managed to find a PHP file named eval-stdin.php.


Sadly, requesting the PHP file only shows a blank page.


Let’s research on the internet whether there is any known exploit for PHPUnit version 5.6.

CVE-2017-9841


An explanation of the exploit can be found in vulhub/README.md at master · vulhub/vulhub · GitHub.


Let’s execute the exploit and inspect the request in Burp Suite so that we can see what happens.


We successfully executed PHP code on the website, and it returns the output that we want.


The same works from the terminal.


Let’s start our nc listener in the terminal.


It looks as we wanted.


As a result, we managed to get a reverse shell connection back to us.
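From the defender’s side, the chain above leaves a clear trail in the web server log: a directory brute-force against /vendor followed by a request to eval-stdin.php that is answered with 200. The script below is an added example written for this post (it is not code from the original walkthrough or from vulhub). It parses constructed Apache combined-log lines, flags the exposure probe and the likely code execution separately, and includes a small filesystem check for a web root that still ships PHPUnit’s eval-stdin.php. The sample log lines, IP addresses and timestamps are all made up.

```python
import os
import re

# Constructed Apache combined-log lines (sample data, not from the original post).
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [20/Feb/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2022:10:01:09 +0000] "GET /vendor/ HTTP/1.1" 200 871 "-" "gobuster/3.1.0"
10.10.14.5 - - [20/Feb/2022:10:02:41 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 38 "-" "curl/7.81.0"
10.10.14.5 - - [20/Feb/2022:10:02:55 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.7 - - [20/Feb/2022:10:03:10 +0000] "GET /images/logo.png HTTP/1.1" 200 2240 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The PHPUnit helper behind CVE-2017-9841; it must never be reachable via the web root.
EVAL_STDIN_RE = re.compile(r'/vendor/phpunit/.*eval-stdin\.php$', re.IGNORECASE)
# Any request under /vendor is worth noting: Composer directories are not meant to be served.
VENDOR_RE = re.compile(r'^/vendor(?:/|$)', re.IGNORECASE)


def classify(entry):
    """Return (severity, reason) for one parsed log entry, or None if it is benign."""
    path = entry["path"].split("?", 1)[0]
    if EVAL_STDIN_RE.search(path):
        if entry["method"] == "POST" and entry["status"] == "200":
            # A POST body is how eval-stdin.php receives code; a 200 means it ran.
            return "high", "POST to eval-stdin.php answered 200: likely code execution (CVE-2017-9841)"
        return "medium", "request to eval-stdin.php: exposure probe"
    if VENDOR_RE.match(path):
        return "low", "enumeration of /vendor"
    return None


def scan_access_log(text):
    """Parse log text and return a list of findings in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        entry = m.groupdict()
        verdict = classify(entry)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "ip": entry["ip"],
            "timestamp": entry["ts"],
            "method": entry["method"],
            "path": entry["path"],
            "status": entry["status"],
            "severity": severity,
            "reason": reason,
        })
    return findings


def find_exposed_eval_stdin(relative_paths):
    """Given web-root-relative paths (leading '/'), return those that expose eval-stdin.php."""
    return [p for p in relative_paths if EVAL_STDIN_RE.search(p)]


def walk_webroot(root):
    """Yield every file under a web root as a '/'-separated path relative to the root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            yield "/" + rel.replace(os.sep, "/")


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['path']} -> {f['status']}: {f['reason']}")
    # On a real host: find_exposed_eval_stdin(walk_webroot("/var/www/html"))
```

The split between "medium" and "high" matters for triage: a GET that returns a blank page (as seen in the post) is only a probe, whereas a POST answered with 200 means the server executed whatever was in the request body. The filesystem check is the cheap preventive control: PHPUnit belongs in `require-dev`, and the `vendor/` directory should not be inside the document root at all.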


Let’s see what is stored in the /var directory. There is a backups directory that might hold something useful for us.


There is one file called info that is owned by www-data.


Let’s check what type of file it is.


Let’s look at the file’s contents with the strings command, but the command is not installed on the machine.


So we need to transfer the file to our own machine to analyze its contents.


Once the file has been transferred to our own machine, let’s run the strings command again.


Oh wow! We found a hex-encoded string under the /bin/bash command.


After decoding the hex, we get a password hash.


Let’s use hashcat or john to crack the hash so that the password can be recovered.
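The three manual steps above (spot the hex blob in the strings output, decode it, recognise the result as a crypt-style hash) can be scripted so that the same triage can be repeated on any suspicious backup file. The code below is an added example for this post, not the author’s own tooling; the strings-style output and the shadow line inside it are constructed placeholders (the hash value is not a real hash). It decodes every long hex run that turns into printable text, then labels any `$id$salt$hash` string it finds with its scheme and the matching hashcat mode, so the analyst knows which cracker to reach for.

```python
import re

# Constructed shadow-style line (the hash is a placeholder, not a real hash from the post).
CONSTRUCTED_PLAINTEXT = (
    "steven1:$6$Wl9Vz3b6$PlaceholderNotARealHash0123456789abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ:18969:0:99999:7:::"
)

# Constructed strings(1)-style output of a backup file. As in the post, the interesting
# part is a hex blob hidden in a bash one-liner; everything else is ordinary ELF noise.
SAMPLE_STRINGS_OUTPUT = (
    "/lib64/ld-linux-x86-64.so.2\n"
    "libc.so.6\n"
    "__cxa_finalize\n"
    "/bin/bash\n"
    "-c\n"
    'echo "' + CONSTRUCTED_PLAINTEXT.encode().hex() + '" | xxd -r -p\n'
    "GCC: (Debian 10.2.1-6) 10.2.1 20210110\n"
    ".shstrtab\n"
)

# A run of 16+ hex digits that is not part of a longer alphanumeric token.
HEX_RUN_RE = re.compile(r'(?<![0-9A-Za-z])([0-9a-fA-F]{16,})(?![0-9A-Za-z])')
# Modular-crypt format: $id$salt$hash (id 1 = md5crypt, 5 = sha256crypt, 6 = sha512crypt,
# 2a/2b/2x/2y = bcrypt, y = yescrypt). Stops at ':' so it works on /etc/shadow lines.
CRYPT_RE = re.compile(r'\$(?P<id>1|5|6|2[abxy]|y)\$[^\s:]+')

SCHEME_NAMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
                "2a": "bcrypt", "2b": "bcrypt", "2x": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
# hashcat -m values; yescrypt has no hashcat mode, so None means "use john".
HASHCAT_MODES = {"1": 500, "5": 7400, "6": 1800, "2a": 3200, "2b": 3200, "2x": 3200, "2y": 3200}


def _is_text(raw: bytes) -> bool:
    """True if every byte is printable ASCII or a tab/newline."""
    return bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def decode_hex_runs(text):
    """Return (hex_run, decoded_text) for each hex run that decodes to printable text."""
    results = []
    for m in HEX_RUN_RE.finditer(text):
        run = m.group(1)
        usable = run[:-1] if len(run) % 2 else run  # odd length: drop the dangling nibble
        raw = bytes.fromhex(usable)
        if _is_text(raw):
            results.append((run, raw.decode("ascii")))
    return results


def identify_crypt_hashes(text):
    """Find crypt-format hashes in text and label scheme and hashcat mode."""
    found = []
    for m in CRYPT_RE.finditer(text):
        hid = m.group("id")
        found.append({"hash": m.group(0), "scheme": SCHEME_NAMES[hid],
                      "hashcat_mode": HASHCAT_MODES.get(hid)})
    return found


def analyze_strings_output(text):
    """Combine both steps: decode hidden hex, then look for hashes in the decoded text."""
    report = []
    for hex_run, decoded in decode_hex_runs(text):
        user = decoded.split(":", 1)[0] if ":" in decoded else None
        report.append({"hex": hex_run, "decoded": decoded, "user": user,
                       "hashes": identify_crypt_hashes(decoded)})
    return report


if __name__ == "__main__":
    for item in analyze_strings_output(SAMPLE_STRINGS_OUTPUT):
        print("user:", item["user"])
        for h in item["hashes"]:
            print(f"  {h['scheme']} (hashcat -m {h['hashcat_mode']}): {h['hash'][:24]}...")
```

The odd-length guard matters in practice: strings output often glues a stray character onto a hex blob, and `bytes.fromhex` raises on an odd number of digits instead of returning the partial result. Seeing a hash for a named account inside a "backup" script is itself the incident indicator: it means someone staged credentials to be written back onto the system.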


I also notice that there are two users, steven1 and steven.


Let’s log in to the machine over SSH with either steven or steven1 as the username.


We managed to access the machine with steven1’s credentials.


Finally, we can read the user flag using the command “cat user.txt”.

Escalate to Root Privileges Access on Undetected Machine


Sadly, the sudo -l command does not give us any usable privileges.


However, I’m curious whether there is any email for us in /var/mail.


We can read an email sent to Steven saying that there is some problem with the Apache service.


Let’s find where the Apache service files are stored on the machine.


After searching for a while, we find it under the /usr/lib/ directory.


Let’s transfer mod_reader.so to our own machine.

Reverse Engineering the file


From here on, I had a tough time because this is out of my comfort zone.


First, let’s open Ghidra for further analysis.


We import the file into Ghidra, and it will look as shown above.


We need to analyze the code carefully.

A few hours later...


I notice that a b64_decode function is defined here. Let’s see where this function leads us.


We can see the call to b64_decode in the decompiler window on the right.


Therefore, we decode the base64 string, and it reveals a new file located in the /usr/sbin directory.
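The same base64 string could have been pulled out of mod_reader.so without opening Ghidra: a module that carries a b64_decode routine and an embedded blob is suspicious on its own, and the first triage question is what the blob decodes to and which paths it references. The script below is an added example for this post (not the author’s code and not the real content of mod_reader.so); the shared-object bytes and the decoded text are constructed stand-ins with a placeholder path. It scans a binary for base64-looking runs, keeps only those that decode cleanly to printable text, and lists any filesystem paths found in the result.

```python
import base64
import binascii
import re

# Constructed payload text (not the real content decoded from mod_reader.so in the post).
CONSTRUCTED_SECRET = "stage2=/usr/sbin/example-daemon (constructed placeholder path)\n"

# Constructed stand-in for a shared object: ELF magic, a few symbol names and one
# base64 blob, mimicking what strings/Ghidra showed on the real file.
CONSTRUCTED_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"b64_decode\x00reader_handler\x00ap_hook_post_config\x00"
    + base64.b64encode(CONSTRUCTED_SECRET.encode()) + b"\x00"
    + b"GCC: (Debian 10.2.1-6) 10.2.1 20210110\x00.shstrtab\x00"
)

# A run of at least 20 base64-alphabet bytes, with optional '=' padding.
B64_RUN_RE = re.compile(rb'[A-Za-z0-9+/]{20,}={0,2}')
# Absolute paths under the usual system directories.
PATH_RE = re.compile(r'/(?:usr|bin|sbin|etc|var|tmp|opt|lib|home|root)(?:/[A-Za-z0-9_.+-]+)*')


def _mostly_printable(data: bytes, threshold: float = 0.95) -> bool:
    """True if at least `threshold` of the bytes are printable ASCII or whitespace."""
    if not data:
        return False
    good = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(data) >= threshold


def extract_base64_strings(blob: bytes):
    """Return (token, decoded_text) for every base64 run that decodes to readable text.

    validate=True makes b64decode reject runs with bad length/padding, which filters out
    most symbol names and other alphanumeric noise that merely look like base64.
    """
    found = []
    for m in B64_RUN_RE.finditer(blob):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if not _mostly_printable(raw):
            continue
        found.append((token.decode("ascii"), raw.decode("ascii", errors="replace")))
    return found


def triage_shared_object(blob: bytes):
    """Decode embedded base64 and pull out any filesystem paths the payload refers to."""
    report = []
    for token, decoded in extract_base64_strings(blob):
        report.append({"base64": token, "decoded": decoded, "paths": PATH_RE.findall(decoded)})
    return report


def triage_file(path: str):
    """Convenience wrapper: run the triage on a file on disk (e.g. a copied .so)."""
    with open(path, "rb") as fh:
        return triage_shared_object(fh.read())


if __name__ == "__main__":
    for item in triage_shared_object(CONSTRUCTED_BLOB):
        print("decoded:", item["decoded"].strip())
        print("paths  :", item["paths"])
```

Every path the decoded blob names is a lead for the next step, exactly as in the post: the dropped file under /usr/sbin is the artifact to pull next and compare against the distribution package. The printable-ratio filter is deliberately loose (95%) so that a payload with a few control characters still surfaces; tighten it if the binary is large and noisy.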


The file type is similar to the previous file that we found.


We see a function called shadow_pw, which suggests that a password might be stored somewhere in this file.


Now we can see auth_password, but we need to get the information from the decompiler section.


The information we need is highlighted above, and we need to arrange it in the order shown below.


We can paste the arranged value into CyberChef and obtain the root password in the output section.


After that, we try to switch to the root user, but sadly the authentication fails.


However, we can get root access by executing ssh root@localhost from the steven1 SSH session.


We can read the root flag by executing the command “cat root.txt”.


-THE END-


Happy Learning Guys!

Extra Information on Paper machine


We can go to /etc/shadow so that we can unlock and read the write-up