In this post, I would like to share a walkthrough of the Overflow machine from Hack The Box
This machine is rated Hard on Hack The Box
What will you gain from the Overflow machine?
For the user flag, you will need to analyze the cookie, which leads to running padbuster so that we can decrypt it. As a result, we gain access as admin, and then we use SQL injection to dump the database. Aside from that, we also need to use an ExifTool exploit and enumerate further on the machine after we successfully get a shell
As for the root flag, you need to work through a buffer overflow and exploit an arbitrary read vulnerability to get a root shell and the root flag
Information Gathering on Overflow Machine
Once we have started the VPN connection (the connection pack is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
From the Nmap output, I notice that a few ports are open
Let’s access the website interface
There is nothing much to see except the Sign In and Sign Up
Let’s register a new account
I notice that the only difference is in the taskbar, which now shows profile, blog, and pricing
Let’s inspect the request from the website. I notice that there’s an auth cookie in the request packet.
Therefore, let’s modify the cookie by removing its last two characters
We managed to see an error saying “Unable to verify cookie! Invalid Padding. Please login again”
Padding Oracle method
Let’s run padbuster, which takes the URL, the encrypted sample (the cookie value), and the block size as its arguments
As shown in the screenshot above, ID 1 returns status 200 OK. On the other hand, ID 2 returns status 302, which redirects us to ../logout.php?err=1
The error condition we saw earlier corresponds to ID 2. Therefore, let’s enter 2 so that we can proceed with the next step.
The process will take several minutes, and we will get the fully decrypted cookie when it’s finished. The decrypted value is user=darknite, which shows us the format of the plaintext.
As a result, we can run the command again with the additional option -plaintext user=admin
We got a new cookie that will be used for admin
We need to replace the current cookie with the one we obtained from padbuster
Finally, we managed to reach an Admin Panel
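The distinguishable responses above (200 for valid padding, 302 to logout.php?err=1 for invalid padding) are exactly the oracle padbuster relies on, so from the defender’s side the trace such a run leaves in the access log is worth detecting. The following added example (not part of the original post or the machine) scans constructed access-log lines for a client whose requests to the cookie-protected page are almost all answered with a 302; the path /home/index.php and the sample log are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def build_sample_log():
    """Constructed sample log (not from the machine): one client hammering the
    cookie-protected page with tampered cookies, almost every request answered
    with the 302 the application sends for an invalid-padding cookie, plus a
    normal user. The path /home/index.php is an assumed placeholder."""
    lines = []
    for i in range(60):
        status = 200 if i % 30 == 0 else 302   # a forged cookie rarely decrypts to valid padding
        lines.append(f'10.10.14.5 - - [01/Jan/2022:10:00:{i % 60:02d} +0000] '
                     f'"GET /home/index.php HTTP/1.1" {status} 0 "-" "Mozilla/5.0"')
    for i in range(5):
        lines.append(f'10.10.14.7 - - [01/Jan/2022:10:01:{i:02d} +0000] '
                     f'"GET /home/index.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"')
    return "\n".join(lines)

def redirect_stats(log_text, path="/home/index.php"):
    """Per client IP: (requests to `path`, how many of them were answered with a 302)."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, req_path, status = m.groups()
        if req_path.split("?")[0] != path:
            continue
        stats[ip][0] += 1
        if status == "302":
            stats[ip][1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

def flag_padding_oracle_probing(log_text, min_requests=32, min_redirect_ratio=0.9):
    """Flag clients whose requests to the cookie-protected page are overwhelmingly
    bounced to the logout redirect: a byte-by-byte padding-oracle run fails on
    roughly 255 of every 256 guesses, so the redirect ratio sits close to 1.0."""
    flagged = []
    for ip, (total, redirects) in redirect_stats(log_text).items():
        if total >= min_requests and redirects / total >= min_redirect_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

The durable fix on the application side is to authenticate the cookie (for example an HMAC checked before any decryption) and return one uniform error for every rejected cookie, which removes the oracle entirely.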
We got a CMS Made Simple login page, but sadly we didn’t have any credentials to use
On the logs page, we managed to see an error saying “Unauthorized!!”
For some reason, I’m thinking of testing some SQL Injection methods.
Let’s save the request packet as overflow.req (any name that you like)
As a result, we can use it with sqlmap
Enumerate further using sqlmap
I found out that the request is vulnerable to UNION injection
We can dump all the databases into our machine
While enumerating, we found 4 databases, but the one that caught my attention is cmsmsdb
We managed to obtain some tables that might be useful for us
We managed to obtain user and password hashes
Therefore, we can download the actual CMS Made Simple source code so that we can analyze it more deeply
Let’s crack the hashes using hashcat!
Finally, we have the password for the editor’s hash
Let’s enter the credentials that we found earlier
At last, we managed to access the CMSMadeSimple Dashboard
While roaming around inside the Dashboard, we found that there’s a subdomain devbuild-job.overflow.htb
There is a login page when we browse the subdomain
At last, we managed to see the dashboard.
Let’s upload an example picture to the application
From the response packet, we notice that ExifTool has been executed, which makes me think we can use the ExifTool exploit
Exploit using ExifTool
We should download the exploit to our machine
However, we need to install the requirement, the djvulibre-bin package, so that we can proceed
We need to change the IP and port of the reverse shell
Therefore, we can proceed with executing exploit.py
As a result, we can upload image.jpg to the application
We can start our nc listener
We can inspect the packet via Burp Suite and click send. We didn’t receive any response, which is good for us.
We managed to obtain a reverse shell
Let’s get a proper shell using the command above.
Enumerate deeper on the Overflow machine
There are two users, and the user flag might be stored under one of them. Sadly, we don’t have access to it yet.
I notice that there are a few PHP files residing inside the /html/config directory
We managed to find a potential password for the developer user
However, I cannot access the machine as the developer user.
My friends mentioned the credential is valid, but for some reason I cannot switch to the developer user. I took the measure of rerunning the VPN connection
Finally, I have successfully logged in as developer
I notice a weird file inside the /opt directory
Inside commontask.sh, I notice a bash command that will curl a file.
Therefore, let’s add the subdomain to the /etc/hosts file
For our own machine, we need to create a basic reverse shell as shown above.
We need to start a Python proxy so that the target machine can fetch the file saved on our machine.
The previous attempt doesn’t work for some reason.
Let’s send the file using the Python proxy
At last, we managed to retrieve the reverse shell as the tester user
We can read the user flag by executing the “cat user.txt” command
Escalate to Root Privileges
Let’s download file_encrypt to our machine so that we can analyze the binary
The file_encrypt binary can be analyzed using Ghidra
The screenshot above shows the Ghidra interface
Let’s also analyze it using gdb
We need to set a breakpoint on main
Aside from that, we also need to set a breakpoint on check_pin
We managed to obtain the PIN code after some analysis in gdb
Let’s enter our PIN code; it works, but we also need a name for the program to proceed further
Therefore, let’s find the name by running the command above
We can create a new file whose content can be anything
We can type the command above, but don’t execute it yet because it will be used later
On another shell, let’s execute the binary
As a result, we got some encrypted files that cannot be read at all
We can read the flag by decoding the output from hex and applying XOR
We can also retrieve the SSH id_rsa by simply modifying the command above
Finally, we got the SSH id_rsa
At last, we managed to access the machine via ssh
We can read the root flag by executing the “cat root.txt” command