In this post, I would like to share a walkthrough of the Phoenix Machine from Hack the Box


This room will be considered as a Hard machine on Hack The box

What will you gain from the Phoenix machine?


For the user flag, you will need to abuse a vulnerability on asgaros-forum and use an exploit that is available on the internet. We also enumerate MySQL database and wp-login to escalate to user privileges access.


As for the root flag, you need to take advantage of the cron job where we can throw a reverse shell on the machine

Information Gathering on Phoenix Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


The Nmap result shows three open ports such as 22, 80, and 443.


Let’s access the website interface


Sadly, there is nothing we can see on the website interface.


Let’s execute the gobuster tool to enumerate the directory on the machine.


However, I notice that there is a WAF has been implemented on the machine. As a result, let’s analyze the website source code


I have managed to find the CMS that the website is using which is WordPress 5.9


Let’s start running wpscan tool to check on the WordPress


From wpscan tool result, I notice asgaros-forum is outdated which we can take advantage of


Let’s do some research on asgaros-forum


The screenshot above shows some warning that we can make use of it


We can use the exploit.py from the website and execute the command such as python3 exploit <url> <.phtml file>


Let’s start our nc listener so that reverse connection back to us.


We didn’t receive a response on the website which looks good.


Voila! We managed to retrieve our reverse connection back to us.

Let’s establish a proper shell


Let’s roam the machine to see any interesting file or folder        


We managed to find the two-factor folder as shown above


The file contains a lengthy line which I didn’t manage to find any interesting


We managed to find a MySQL password that we can use for the database on the machine


Let’s access the MySQL database using the credentials that we found earlier.


We found password hashes that we can crack later.


We can crack using the john tool but I didn’t have a screenshot to show over here.


Let’s see what is stored in /etc/security/access.conf file


I notice that there’s an IP Address of 10.11.12.13


I notice that there’s an IP Address of 10.11.12.13


Let’s access the localhost interface using the ssh service


We can read the user flag using the command “cat user.txt”

Escalate to Root Privileges Access


Let’s run the usual command such as sudo -l to escalation


Let’s monitor the processes that run on the victim’s machine by executing the ps aux command


There is a file called cron.sh.x which looks weird to me.


Let’s execute the file


I have found out that the rsync –server -te.LsfxC –ignore-existing . /backup that we can abuse it


We can add a new file on backups


We can abuse the SUID of rsync that is stated on gftobins


After a few minutes, the /bin/bash does not change to the SUID file


Let’s throw a reverse shell on the command


We got a root reverse shell


We can read the root flag by executing the command “cat root.txt


-THE END-


Happy Learning Guys!

Extra Information on Paper machine


We can go to /etc/shadow so that we can unlock and read the write-up