In this post, I would like to share a walkthrough of the Retired Machine from Hack the Box

This room will be considered a medium machine on Hack The box

What will you gain from the Retired machine?

For the user flag, you will need to abuse the Local File Inclusion (LFI) on the website where you will find some interesting files. We need to analyze the file that we obtained using the LFI method to produce an exploit that gives us a shell to the machine.

As for the root flag, you need to modify the binfmt_rootkit file to get a root shell that way.

Information Gathering on Retired Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface

On the website interface, nothing much that we can take advantage of, but I did notice that the Website’s URL is vulnerable to Local File Inclusion

Therefore, let’s test our theories on the website.

Sadly, we got a blank page when trying to execute the LFI attack, but it works well with BurpSuite.

Let’s enumerate the directory deeper by using gobuster but we didn’t manage to obtain any useful information that was required.

As a result, we need to change our tool for the directory brute-forcing where we found two directories such as beta and default.

It’s the same website interface when trying the default.html

However, we managed to sight the upload function when accessing the beta.html directory.

We can try to upload a random file on the website and see what happened next.

What a surprise! We are being redirected to activate_license.php page even though it’s just a blank page. Let’s see the content of the website by using BurpSuite.

From the PHP source code, we can verify that the file is executing the socket_connce to localhost with port 1337 being configured.

Based on my understanding of Linux OS and my experience, there should be some process such as Sched Debug

As a result, we found the activate_license is running on proc 423

Finally, we have managed to locate the activate_license file on the server.

Sadly, we are given nonsense language which we might analyze using gdb or Ghidra.

Analyze the activate_license using Ghidra

Let’s try to download the file into the machine by using wget function but we cannot retrieve it that way.

Therefore, let’s download it into our machine using the curl function and it works!

As i expected, the activate_license file is in ELF formatting.

Let’s start our ghidra.

I will skip the analysis step for your excitement, and you should be able to create an exploit from the analysis result which resulted in a reverse connection callback.

Obtained an SSH Access

We can execute the systemctl list-timers so that we can be aware of the process of the application that running on the server. The function is quite like ps aux.

Let’s find the location of the website_backup.service on the server which resulted as shown above.

We managed to find another location of execution of service start which led to /usr/bin/webbackup

Therefore, let’s a simple method to obtain the SSH public key using the ln -s /home/dev/.ssh/id_rsa id_rsa

There is a zip file that is automatically stored on the /var/www/ location which later we can move the file to a different location.

We can unzip the file and i notice there is id_rsa file saved inside the zip file

At last, we have finally obtained the SSH public key

We can give 600 permissions to the SSH public key

It’s a success! We have successfully accessed the machine via the SSH service.

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access on Retired Machine

Let’s manually see what folder stored inside the /home/ directory

However, there’s some directory that we can use for further escalation.

We cannot mostly read the content of the file but there’s something that caught my attention which /proc/sys/fs/binfmt_misc

Let’s do some research on the internet

After a while, i found some interesting GitHub that we can use on this machine

Let’s download the file to our machine.

The content of the file will look something like as above.

What we need to do is modify the file such as mentioned below:

  • Remove everything from lines 31-34 on the original file
  • change the line 98 into echo “$binfmt_line” | /usr/lib/emuemu/reg_helper

Once completed modification, we need to transfer it into the victim’s machine

We should be given execution permission for the file

The only thing that we need to do next executes the file as shown above.

We can read the root flag by typing the “cat root.txt” command