In this post, I would like to share a walkthrough of the Undetected Machine from Hack the Box

This room will be considered as a medium machine on Hack The Box

What will you gain from the Undetected machine?

For the user flag, you will need to use CVE-2017-9841 to get a reverse shell on the machine. Once we are inside the machine via reverse shell, we need to find the username and password to access via SSH

As for the root flag, you need to reverse engineer a few files so that we can obtain a root password

Information Gathering on Undetected Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

From the Nmap output, we have been provided with two open ports as ssh and HTTP. Sadly, there’s no other information that we can use for further escalate.

Let’s access the website interface.

It looks like a normal website interface at first glance.

Let’s run gobuster to enumerate any interesting directory stored under the website interface.

There is nothing that looks interesting at all from the gobuster result.

After roaming on the website interface for a while, a button of store re-direct us to a new domain. Let’s add that domain into our /etc/hosts

It’s the same website as previously but there is three-button such as Empty, Account, and Login

I try to login into the website dashboard, but we got an error state something such as:

Due To A website migration we are currently not taking any online orders. Contact us if you wish to make a purchase

Enumerate any other directory on the Undetected Machine

Let’s try to run again gobuster on the domain if there’s any interesting directory.

I notice that all directory is common except for the /vendor directory

After a while, we have found that PHPUnit is running version 5.6

Aside from that, we also managed to find a PHP file named eval-stdin.php

Sadly, we only see a blank page on the PHP file.

Let’s do some research on the internet if there’s any exploit on PHPUnit version 5.6


There’s an exploit explanation been found over vulhub/ at master · vulhub/vulhub · GitHub

Let’s try to execute the exploit and try to inspect via BurpSuite so that we can see what happen

We successfully executed the PHP code on the website and it returns the output that we want.

It’s the same goes within the terminal

Let’s start our nc listener on the terminal

It’s looking as we wanted

As a result, we managed to retrieve the reverse shell connection back to us.

Let’s see what is been stored within the /var directory. There’s a backups that might stored something useful for us.

There’s one file called info that has been assigned to www-data

Let’s see the extension of the file

Let’s see the content of the file by using the strings command but the command is not installed inside the machine.

As a result, we need to run it on our own machine to analyze the content of the file.

Once we have fully transferred the file into our own machine, let’s run again the strings command

Oh wow! We found hex encode under the /bin/bash command

However, we got a hash after the hex has been decoded.

Let’s use hashcat or john to crack the hash so that a password can be retrieved

I also notice that there are two user which is steven1 and steven

Let’s access the machine using ssh service with either steven or steven1 as the username

We managed to access the machine via steven1’s credentials

Finally, we can read the user flag using the command “cat user.txt

Escalate to Root Privileges Access on Undetected Machine

Sadly, we cannot get any SUID file permission using the sudo -l command

However, I’m curious about /var/mail whether there’s any email sent to us.

We managed to read the email content that was sent to Steven saying there is some problem with Apache Service.

Let’s find where the apache service has been saved inside the machine

After a while of searching the service, we found it saves inside /usr/lib/ directory

Let’s transfer the into our own machine

Reverse Engineering the file

From now, i will have a tough time playing because it’s out of my comfort zone

Firstly, let’s open Ghidra tools for further analyze

We are required to upload the file on Ghidra and it will look as above

We need to analyze the code carefully.

A few hours later…….

I notice that the b64_decode function has been written over here. Let’s see where this function leads us into.

We managed to see a b64_decode on the decompile on your right screen.

Therefore, we need to decode the b64 code and we managed to see a new file located in /usr/sbin directory

The file extension is similar to the previous file that we found

We managed to see a function called shadow_pw which it might be a password somewhere in this file

Now, we can see auth_password but we need to get information on the decompile section.

The information that requires is been highlighted above and we need to arrange the order such as shown below

We can copy the arrangement on the cyber chef and we can obtain the root password in the output section

After that, we can change to the root user but sadly the authentication failed.

However, we can get root access by executing ssh root@localhost on the steven1 ssh session.

We can read the root flag by executing the command “cat root.txt


Happy Learning Guys!

Extra Information on Paper machine

We can go to /etc/shadow so that we can unlock and read the write-up