In this post, I would like to share a walkthrough of the Altered machine from Hack The Box.
This machine is rated Hard on Hack The Box.
What will you gain from the Altered machine?
For the user flag, you will need to abuse the password reset function, which requires bypassing the rate limit using HTTP headers. After we successfully log in to the dashboard, we need to find the endpoint that is vulnerable to SQL injection.
As for the root flag, you need to abuse the Dirty Pipe vulnerability.
Information Gathering on Altered Machine
Once we have started the VPN connection (the connection file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
I found out that there are only 2 ports open, which are SSH and HTTP.
Let’s access the website interface.
A login page is shown when we access the website. Sadly, we don't have any credentials to play with.
As a result, let's try entering common credentials such as admin:admin.
However, an error saying "Invalid Password" appears.
Let’s try to inspect and see the response to the request
Nothing looks promising to me.
Let's reset the password by clicking "forgot password".
Aside from that, let's look at the response to that request; nothing looks weird to me.
We are required to enter a PIN code, which we don't have at this point.
I did notice there are cookies named XSRF-TOKEN and laravel_session.
Therefore, let's try to brute-force the PIN code using wfuzz.
Brute-forcing the PIN code
From the wfuzz result, we notice that one response has a character count of 6625, which is something I want to look at.
However, the website soon gives us an error saying "Too Many Requests".
We can create a list of IP addresses (only the ending portion) to work with.
However, we are stuck with an output that we were not expecting to see.
After a few hours of troubleshooting, we managed to retrieve the output that we wanted to see.
After entering the PIN code in the right column, we are redirected to a page on which we can change the password.
Let's try to log in using the password that we changed earlier.
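To see why the rate limit on the PIN step could be bypassed with spoofed IP addresses, here is an added example (not code from this post or from the machine) of a per-client limiter written two ways: one that keys on a client-supplied X-Forwarded-For header and one that only honours that header when the request arrives from a trusted reverse proxy. The header name, the proxy address and all IP addresses used are assumptions.

```python
# Added example: rate limiter for a password-reset PIN endpoint, keyed on client IP.
# Vulnerable form: trusts X-Forwarded-For from anyone, so each spoofed value is a new bucket.
# Hardened form: honours the header only from a trusted proxy and takes the address the
# proxy appended last; otherwise falls back to the TCP peer address.
from collections import defaultdict

MAX_ATTEMPTS = 5                 # PIN guesses allowed per client (constructed limit)
TRUSTED_PROXIES = {"10.0.0.2"}   # hypothetical reverse proxy in front of the app


class PinRateLimiter:
    def __init__(self, trust_forwarded_header: bool):
        self.trust_forwarded_header = trust_forwarded_header
        self.attempts = defaultdict(int)

    def client_key(self, peer_ip: str, headers: dict) -> str:
        xff = headers.get("X-Forwarded-For")
        if self.trust_forwarded_header:
            # Vulnerable: the first (client-controlled) entry becomes the bucket key.
            return xff.split(",")[0].strip() if xff else peer_ip
        # Hardened: only a trusted proxy may set the key, and only the entry it
        # appended itself (the last one) is believed.
        if peer_ip in TRUSTED_PROXIES and xff:
            return xff.split(",")[-1].strip()
        return peer_ip

    def allow(self, peer_ip: str, headers: dict) -> bool:
        """Record one PIN attempt and report whether it is within the limit."""
        key = self.client_key(peer_ip, headers)
        self.attempts[key] += 1
        return self.attempts[key] <= MAX_ATTEMPTS


def simulate(limiter: PinRateLimiter, n: int) -> int:
    """Replay n PIN attempts from one real client behind the proxy, each carrying a
    different spoofed X-Forwarded-For prefix; return how many the limiter allowed."""
    allowed = 0
    for i in range(n):
        # Constructed header: attacker-chosen value, then the real client address
        # (198.51.100.7) appended by the proxy.
        headers = {"X-Forwarded-For": f"203.0.113.{i}, 198.51.100.7"}
        if limiter.allow("10.0.0.2", headers):
            allowed += 1
    return allowed
```

With 20 spoofed attempts the vulnerable limiter allows all 20, while the hardened one stops at MAX_ATTEMPTS because every request resolves to the same real client.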
At last, we managed to access the Dashboard.
We can see that the description of each player is different.
Therefore, let's inspect the request via Burp Suite.
Let's copy the id=&secret= output at the bottom of the request.
We need to make some modifications to turn the request payload into a JSON payload.
Trying to enumerate with SQL injection
We can try a common SQL injection payload such as or 1=1;-- - and I notice that the Altered website is vulnerable to that attack method.
We can see the schema name from the SQL database
We can see the table name from the SQL database
Aside from that, we can also retrieve usernames and passwords from the SQL database, but they do not look promising at all.
We know the site is vulnerable to SQL injection, so let's use the LOAD_FILE function to retrieve files from the server.
Let's see if any new folder or URL has been configured in the Nginx configuration.
I notice that a Laravel application is stored on the server.
Let's throw a reverse shell at the machine.
Sadly, the file is not found on the website interface
After a few minutes of troubleshooting, I wondered whether we needed the $ symbol before cmd.
And it works like a charm!
We need to inspect the request via Burp Suite and change the request method.
Let's start our nc listener.
After we encode the reverse shell, it doesn't work at all.
Maybe we need to add bash -c before our actual reverse shell and click Send on the request. As a result, the response hangs, which is a good sign.
We get the reverse shell connection back.
We can read the user flag by executing the cat /home/htb/user.txt command.
Escalating to root privileges on the Altered machine
Let's check all the common directories that usually have SUID binaries stored inside.
Sadly, we cannot find any interesting SUID binary.
The same goes for ps aux.
Let's check the kernel version.
We need a password for www-data.
When I execute su -, it works like a PAM-Wordle game.
From the kernel version, I am aware that the version can be exploited with
I have done some research on the Dirty Pipe vulnerability.
We are required to download the exploit onto our own machine.
For this machine, I will use only the second exploit.
Therefore, we need to compile the code.
Let's transfer the compiled file to the victim's machine.
Let's give execute permission to the file.
We require one SUID binary to escalate to root.
Let's find the right SUID binary that we can abuse.
Let's execute the exploit as shown above.
We managed to get root access.
We can read the root flag by executing the "cat root.txt" command.