In this post, I would like to share a walkthrough of the Overflow Machine from Hack the Box

This room will be considered as a Hard machine on Hack The box

What will you gain from the Overflow machine?

For the user flag, you will need to analyze the cookie which results to execute padbuster so that we can decrypt the cookie. As a result, we will manage to access as admin, and we need to play with SQL Injection which we are required to dump the database. Aside from that, we also need to play with ExifTool exploit and enumerate further on the machine after we successfully get a shell

As for the root flag, you need to play with some buffer overflow and get a root shell by exploiting an arbitrary read vulnerability to get a root flag

Information Gathering on Overflow Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

From the Nmap output, I notice that a few ports are open

Let’s access the website interface

There is nothing much to see except the Sign In and Sign Up

Let’s register a new account

I notice that the only difference is on the taskbar such as profile, blog, and pricing

Let’s inspect the request from the website. I notice that there’s a cookie that requires an auth on the request packet.

Therefore, let’s do some modifications to the cookie by removing the last two characters

We managed to see an error saying “Unable to verify cookie! Invalid Padding. Please login again

Oracle Padding method

Let’s run padbuster which tool is used for URL EncyrptedSample Block size

As shown in the screenshot above, we can summarize that ID 1 returns 200 which its status saying OK. On the other hand, ID 2 returns error status 302 which directed us to ../logout.php?err=1

As it has been suggested on the error condition which we can see earlier that it’s ID 2. Therefore, let’s enter number 2 so that we can proceed with the next step.

The process will take several minutes, and we will be getting the full decrypted cookie when it’s finished. The decrypted value that we managed to see is user=darknite which shows us what decrypted value looks like.

As a result, we can run the command again with the additional command such as -plaintext user=admin

We got a new cookie which it will use for admin

We are required to change the current cookie with the cookie that we obtain from padbuster

Finally, we managed to get an Admin Panel

We got CMS Made Simple login page but sadly we didn’t have any credentials to use

On the logs page, we managed to see an error saying “Unauthorized!!

For some reason, I’m thinking of testing some SQL Injection methods.

Let’s save the request packet as overflow.req (any name that you like)

As a result, we can use it with sqlmap

Enumerate further using sqlmap

l found out that the request is exposed to UNION injection

We can dump all the databases into our machine

While enumerating the database, we found there are 4 databases but the one that caught my attention is cmsmsdb

We managed to obtain some tables that might be useful for us

We managed to obtain user and password hashes

Therefore, we can download the actual source code for CMS to make it simple to analyze even deeper

After analyzing the source code, let’s run the sqlmap on that tables and we managed to get sitemask

Let’s crack the hashes using hashcat!

Finally, we have the password for the editor’s hash

Let’s enter the credentials that we found earlier

At last, we managed to access the CMSMadeSimple Dashboard

While roaming around inside the Dashboard, we managed to find out there’s a subdomain devbuild-job.overflow.htb

There is a login page when browsing the subdomain

At last, we managed to see the dashboard.

Let’s upload one example picture into the application

From the response of the packet, we notice that there’s ExifTool has been executed and it makes me think we can use the exiftool’s exploit

Exploit using ExifTool

We should be downloading the exploit into our machine

However, we need to install the requirement such as djvulibre-bin package so that we can proceed

We are required to change the IP and port of the reverse shell

Therefore, we can proceed with the execution of the

As a result, we can upload an image.jpg into the application

We can start our nc listener

We can inspect the packet via burpsuite and click send. However, we didn’t receive any response which is good for us.

We managed to obtain a reverse shell

Let’s get a proper shell using the command above.

Enumerate deeper on the Overflow machine

There are two users whose user flag might be stored within one of them. Sadly, we don’t. have access to it yet.

I notice that there are a few PHP files residing inside /html/config directory

We managed to find out the potential developer’s password

However, I cannot access the machine as a developer.

My friends mentioned the credential is valid but for some reason, I cannot change it to the developer. I have taken the measure of rerunning the VPN Connection

Finally, I have successfully login as a developer

I notice a weird file inside the /opt directory

Inside the, i notice a bash command that will curl the file.

Therefore, let’s add the subdomain inside the /etc/hosts file

For our own machine, we need to create a basic reverse shell as shown above.

We need to start a python proxy so that the machine managed to catch the file that is saved on our machine.

From the previous activity, it doesn’t work for some reason.

Let’s send the file using the python proxy

At last, we managed to retrieve the reverse shell as a tester

We can read the user flag by executing the “cat user.txt” command

Escalate to Root Privileges Access

Let’s download the file_encrypt on our machine so that we can analyze the binary

The file_ecyrpt can be analyze using ghidra

The screenshot above is ghidra interface

Let’s analyze also using gdb

We are required to break the main

Aside from that, we also need to break the check_pin point

We managed to obtain a pincode after some analysis on gdb

Let’s enter our pincode and it’s work but we need a name for it to work more

Therefore, let’s find the name by running the command above

We can create a new file in which the content can be anything

We can type the command above but don’t execute the command yet because it will be used later

On another shell, let’s execute the binary

As a result, we got some encrypted files that we cannot be read at all

We can read the flag but decrypt the input from hex and xor

We can also retrieve ssh id_rsa by only modifying the command above

Finally, we got the ssh id_rsa

At last, we managed to access the machine via ssh

We can read the root flat by executing the “cat root.txt” command