In this post, I would like to share a walkthrough of the Backendtwo machine from Hack The Box.


This machine is rated medium on Hack The Box.

What will you gain from the Backendtwo machine?


For the user flag, you need to abuse the API on the website, which is what gives us a shell.


As for the root flag, you need to play the PAM-Wordle game, which grants the permissions needed for root.

Information Gathering on Backendtwo Machine


Once we have started the VPN connection (the connection file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


Let’s access the website interface.


A JSON message appears on the website interface.

Website API enumeration


We discover some new endpoints when we access <ip>/API/v1.


However, we get errors saying “not found” and “not authenticated”.


What a surprise! We get a different message when we access our own user endpoint.


Let’s enumerate the possible endpoints under the /api/v1/user directory using gobuster.


In the results, two directories caught my attention: signup and login.


We have something interesting to play with when accessing the signup endpoint.


Let’s send the request to Burp Suite.


The Burp Suite response shows that the account has been created.


After we forward the request again, it says that the account already exists.


Let’s pass the payload to Burp Suite, but it looks like some HTML appears after the access token.


Let’s decode the access token on jwt.io.


I almost forgot about the other directories that I overlooked in the gobuster result.


In the request, we can add an Authorization: Bearer header carrying the new token.


We get a page error that mentions something like “Unable to render the definition”.

FastAPI dashboard


I notice that the application exposes its schema at openapi.json.


After a while, it works like a charm!

After looking at the dashboard, I notice that we can play around with the default parameters.
From the description, the UHC API is version 2.0 and returns the response 200 “Successful Response”.

When we try to execute the admin check, the result is “false”.


From the user-id lookup, we learn that UHC Admin is user number 1.


Likewise, UHC Guest is user number 2.


UHC Player is user number 11.


Finally, I get our own user-id when fetching it: number 12.


The response from get_user_flag gives us an error saying “Not Authorized”.


Therefore, let’s authorize with the credentials that we created earlier.


After logging in with the credentials, we are able to change the request body as shown above.


The output is shown above.


Therefore, let’s run some basic and well-known Linux commands.

Getting a reverse shell as user


We can add a new line to the request body: “is_superuser: true”.
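As an added illustration of what this step exploits (constructed example code, not the Backendtwo application’s own source), the snippet below contrasts a profile-update handler that merges the whole JSON body into the stored user, so a client can set is_superuser, with a hardened version that writes only an allowlist of fields and reports every key it refused. The USERS record and the field names are assumptions.

```python
from copy import deepcopy

# Constructed sample record for the user created earlier (hypothetical data).
USERS = {
    12: {"id": 12, "username": "darknite", "email": "darknite@example.test",
         "is_superuser": False},
}

# Profile fields an ordinary user may change about themselves.
WRITABLE_FIELDS = frozenset({"username", "email"})


def vulnerable_update(user_id: int, body: dict) -> dict:
    """Merges every key of the JSON body into the stored record.

    Any field the client adds, including is_superuser, is written as-is:
    this is the mass-assignment pattern the walkthrough abuses.
    """
    user = deepcopy(USERS[user_id])
    user.update(body)
    return user


def hardened_update(user_id: int, body: dict) -> tuple[dict, list[str]]:
    """Copies only allowlisted keys and reports every key it refused.

    Returning (and logging) the rejected keys gives defenders a signal that
    someone tried to write a privileged field through the profile endpoint.
    """
    user = deepcopy(USERS[user_id])
    rejected = []
    for key, value in body.items():
        if key in WRITABLE_FIELDS:
            user[key] = value
        else:
            rejected.append(key)
    return user, sorted(rejected)
```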


After taking a break from the machine, I notice we cannot log in as darknite again, so I have to create a new account.


We need to encode /etc/passwd into base64, and we manage to see its content.


After logging in again with the account that has superuser rights, we obtain the flag this way.


Let’s analyze the user.py file for any hints that can help us move deeper.


However, we cannot obtain the SSH public key.


We can send a payload to the server by taking advantage of user.py with data that bypasses the parameter checks. We can also add the Authorization token to the payload.


Therefore, we should be able to curl the user that we created in the payload.


Finally, we have successfully accessed the machine through the reverse shell connection.


We can read the user flag by typing the “cat user.txt” command.

Escalate to Root Privilege Access


I noticed some other files that caught my attention before reading the user flag. There’s an auth.log that, I presume, contains a password for SSH.


Let’s run the sudo -l command to see if any SUID binary has been configured on this machine. I notice a game similar to the one implemented on the Altered machine.


I wondered whether the method is the same for this Backendtwo machine too.


To retrieve a passcode that we can use for the game, we need to access the machine via the SSH service.


At last, we obtain the correct passcode for the game, which grants us the access privileges.


As a result, let’s try running sudo su and see if we can reach root this way.


And surprisingly, it works like a charm!


We can read the root flag by executing the “cat /root/root.txt” command.