In this post, I would like to share a walkthrough of the Overflow Machine from Hack the Box


This room is rated as a Hard machine on Hack The Box

What will you gain from the Overflow machine?


For the user flag, you will need to analyze the cookie, which leads to running padbuster so that we can decrypt it. As a result, we manage to access the site as admin, and we need to play with SQL Injection, through which we are required to dump the database. Aside from that, we also need to use an ExifTool exploit and enumerate further on the machine after we successfully get a shell


As for the root flag, you need to play with some buffer overflow and get a root shell by exploiting an arbitrary read vulnerability to get the root flag

Information Gathering on Overflow Machine


Once we have started the VPN connection, which requires a download from Hack The Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


From the Nmap output, I notice that a few ports are open


Let’s access the website interface


There is nothing much to see except the Sign In and Sign Up


Let’s register a new account


I notice that the only difference is in the navigation bar, which now shows profile, blog, and pricing


Let’s inspect the request from the website. I notice that there’s an auth cookie in the request packet.


Therefore, let’s modify the cookie by removing the last two characters


We managed to see an error saying “Unable to verify cookie! Invalid Padding. Please login again”

Padding Oracle method


Let’s run padbuster, a tool whose usage takes the URL, the encrypted sample, and the block size


As shown in the screenshot above, we can summarize that ID 1 returns 200, whose status says OK. On the other hand, ID 2 returns status 302, which redirects us to ../logout.php?err=1


As suggested by the error condition we saw earlier, it is ID 2. Therefore, let’s enter number 2 so that we can proceed with the next step.


The process will take several minutes, and we will get the fully decrypted cookie when it finishes. The decrypted value is user=darknite, which shows us what the decrypted value looks like.
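The check that padbuster relies on, as an added example that is not code from this post or from the machine: a cookie verifier that decrypts first and reports “Invalid Padding” separately from other failures behaves as a padding oracle, while one that checks an HMAC before decrypting and returns a single generic error does not. The block cipher (a toy Feistel construction standing in for AES), the keys and the cookie layout are assumptions; the survey function counts how many distinct replies tampering with one cookie byte produces.

```python
import base64, hashlib, hmac, os
BLOCK, ERR_GENERIC = 16, "Unable to verify cookie! Please login again"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _feistel(key, block, rounds):
    # Toy 16-byte block cipher (4-round Feistel over HMAC-SHA256), assumed stand-in for AES;
    # running the same routine with the rounds reversed decrypts.
    left, right = block[:8], block[8:]
    for i in rounds:
        left, right = right, _xor(left, hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8])
    return right + left
def cbc_encrypt(key, iv, data):
    out = [iv]
    for i in range(0, len(data), BLOCK):
        out.append(_feistel(key, _xor(data[i:i + BLOCK], out[-1]), range(4)))
    return b"".join(out[1:])
def cbc_decrypt(key, iv, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(_feistel(key, c, reversed(range(4))), p) for p, c in zip([iv] + blocks, blocks))
def unpad(data):  # PKCS#7; this ValueError is the signal a padding oracle leaks
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Invalid Padding")
    return data[:-n]
def make_cookie(enc_key, user, mac_key=None):
    plain, iv = b"user=" + user, os.urandom(BLOCK)
    plain += bytes([BLOCK - len(plain) % BLOCK]) * (BLOCK - len(plain) % BLOCK)  # PKCS#7 pad
    body = iv + cbc_encrypt(enc_key, iv, plain)
    if mac_key is not None:  # hardened form: encrypt-then-MAC over IV || ciphertext
        body += hmac.new(mac_key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode()
def verify_vulnerable(enc_key, cookie):  # decrypts first and reports padding failures separately
    raw = base64.b64decode(cookie)
    try:
        plain = unpad(cbc_decrypt(enc_key, raw[:BLOCK], raw[BLOCK:]))
    except ValueError:
        return "Unable to verify cookie! Invalid Padding. Please login again"
    return "OK " + plain[5:].decode(errors="replace") if plain.startswith(b"user=") else ERR_GENERIC
def verify_hardened(enc_key, mac_key, cookie):  # MAC first, one generic error for any tampering
    raw = base64.b64decode(cookie)
    if not hmac.compare_digest(hmac.new(mac_key, raw[:-32], hashlib.sha256).digest(), raw[-32:]):
        return ERR_GENERIC
    return "OK " + unpad(cbc_decrypt(enc_key, raw[:BLOCK], raw[BLOCK:-32]))[5:].decode()
def distinct_responses(verify, cookie):
    # XOR every non-zero delta into the last IV byte (hence the last plaintext byte); more than one reply is a leak
    raw = base64.b64decode(cookie)
    return {verify(base64.b64encode(raw[:BLOCK - 1] + bytes([raw[BLOCK - 1] ^ d]) + raw[BLOCK:]).decode())
            for d in range(1, 256)}
```

For the user=darknite cookie the vulnerable verifier yields two distinct replies (the padding error plus one case where the flipped byte happens to form valid one-byte padding), while the hardened one yields only the generic error.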


As a result, we can run the command again with an additional option such as -plaintext user=admin


We got a new cookie which will be used for admin


We are required to replace the current cookie with the cookie that we obtained from padbuster


Finally, we managed to get an Admin Panel


We got the CMS Made Simple login page but sadly we don’t have any credentials to use


On the logs page, we managed to see an error saying “Unauthorized!!”


For some reason, I’m thinking of testing some SQL Injection methods.


Let’s save the request packet as overflow.req (any name that you like)


As a result, we can use it with sqlmap

Enumerate further using sqlmap


I found out that the request is vulnerable to UNION injection


We can dump all the databases to our machine


While enumerating the database, we found there are 4 databases, but the one that caught my attention is cmsmsdb


We managed to obtain some tables that might be useful for us


We managed to obtain usernames and password hashes


Therefore, we can download the actual source code for the CMS to make it easier to analyze even deeper

After analyzing the source code, let’s run sqlmap on those tables, and we managed to get the sitemask

Let’s crack the hashes using hashcat!


Finally, we have the password for the editor’s hash


Let’s enter the credentials that we found earlier


At last, we managed to access the CMSMadeSimple Dashboard


While roaming around inside the Dashboard, we found out that there’s a subdomain devbuild-job.overflow.htb


There is a login page when browsing the subdomain


At last, we managed to see the dashboard.


Let’s upload an example picture to the application


From the response packet, we notice that ExifTool has been executed, which makes me think we can use an ExifTool exploit

Exploit using ExifTool


We should download the exploit to our machine


However, we need to install the requirement, the djvulibre-bin package, so that we can proceed


We are required to change the IP and port of the reverse shell


Therefore, we can proceed with the execution of exploit.py


As a result, we can upload image.jpg to the application


We can start our nc listener


We can inspect the packet via Burp Suite and click send. However, we didn’t receive any response, which is good for us.


We managed to obtain a reverse shell


Let’s get a proper shell using the command above.

Enumerate deeper on the Overflow machine


There are two users, and the user flag might be stored with one of them. Sadly, we don’t have access to it yet.


I notice that there are a few PHP files residing inside the /html/config directory


We managed to find out the potential developer’s password


However, I cannot access the machine as a developer.


My friends mentioned the credential is valid, but for some reason, I could not switch to the developer user. I have taken the measure of restarting the VPN connection


Finally, I have successfully logged in as developer


I notice a weird file inside the /opt directory


Inside commontask.sh, I notice a bash command that will curl a file.


Therefore, let’s add the subdomain to the /etc/hosts file


For our own machine, we need to create a basic reverse shell as shown above.


We need to start a Python proxy so that the machine can fetch the file that is saved on our machine.


For some reason, the previous attempt doesn’t work.


Let’s send the file using the Python proxy


At last, we managed to retrieve a reverse shell as tester


We can read the user flag by executing the “cat user.txt” command

Escalate to Root Privileged Access


Let’s download file_encrypt to our machine so that we can analyze the binary


The file_encrypt binary can be analyzed using Ghidra


The screenshot above is the Ghidra interface


Let’s also analyze it using gdb


We are required to set a breakpoint on main


Aside from that, we also need to set a breakpoint on check_pin


We managed to obtain a pincode after some analysis in gdb


Let’s enter our pincode; it works, but we also need a name for it to proceed further


Therefore, let’s find the name by running the command above


We can create a new file whose content can be anything


We can type the command above, but don’t execute the command yet because it will be used later


On another shell, let’s execute the binary


As a result, we got some encrypted files that cannot be read at all


We can read the flag, but we first need to decrypt the input from hex and XOR


We can also retrieve the ssh id_rsa by only modifying the command above


Finally, we got the ssh id_rsa


At last, we managed to access the machine via ssh


We can read the root flag by executing the “cat root.txt” command