In this post, I would like to share a walkthrough of the Seventeen machine from Hack The Box.


This machine is rated Hard on Hack The Box.

What will you gain from the Seventeen machine?


For the user flag, you will need to exploit a SQL injection and then get a reverse shell back to us by abusing the Roundcube Webmail installer.


As for the root flag, you need to abuse a dependency confusion attack against npm.

Information Gathering on Seventeen Machine


Once we have started the VPN connection (the VPN configuration is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


A few ports are open, namely SSH and HTTP (ports 80 and 8000).


Let’s access the website interface.


Nothing that we can look at on the website itself. Therefore, let’s enumerate more using gobuster.


The gobuster scan did not find anything useful.


As a result, let’s enumerate vhosts using gobuster.


However, I noticed that exam.seventeen.htb is available. Let’s access that vhost to see whether it can be used to proceed further.


There is not much to investigate on this domain yet. Let’s enumerate its directories using gobuster.


Nothing looks accessible to us.


Let’s try the common SQL injection techniques that we know. I notice that the application is injectable.

Enumerate using SQLmap


After running sqlmap, we found a few databases that we can analyze further.


We obtained a few tables, but nothing of much interest can be found in them.


Oh, wait! There is something that looks interesting when we investigate the users table.


After looking through another database, we found some usernames that I presume we can use at a later stage.


At this stage, let’s try our luck with the information that we obtained earlier.


When trying to access the oldmanagement directory on the website, we are presented with a student login page.


After trying all the credentials from the database enumeration that we did earlier, we found one that worked!


Finally, we can see the dashboard of the School File Management System.


Let’s try to upload a PHP file into the system.


We can obtain a PHP reverse shell from here.


Let’s upload it as shown above.


Sadly, we cannot get a reverse connection this way.
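From the defender's side, the reason a file manager should never let a PHP upload turn into code execution is an upload handler that allowlists extensions, checks the file's content against the extension, stores the file under a server-chosen name and keeps it outside the web root. The following is an added example written for this post (not the School File Management System's own code); the allowed types, magic bytes and upload directory are assumptions for the demo.

```python
import os
import secrets

# Allowlist of accepted extensions with the leading bytes each type must carry.
# Anything not listed (php, phtml, htaccess, ...) is rejected by construction.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}

# Assumed location: a directory the web server does not serve and that
# PHP is not configured to execute from.
UPLOAD_DIR = "/var/lib/schoolfiles/uploads"


def validate_upload(filename, content):
    """Return the server-side file name to store under, or None to reject.

    Checks: no path components, exactly one extension (rejects shell.php.pdf
    and dot-files), extension on the allowlist, and content whose magic
    bytes match the claimed type. The user's name is never reused.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base:
        return None
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    ext = parts[1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not content.startswith(magic):
        return None
    return secrets.token_hex(16) + "." + ext


def stored_path(filename, content):
    """Full path the file would be written to, or None if rejected."""
    name = validate_upload(filename, content)
    return None if name is None else os.path.join(UPLOAD_DIR, name)


if __name__ == "__main__":
    # Constructed samples: a benign PDF, a PHP script, and a PHP script
    # disguised with a double extension and with a forged extension.
    samples = [
        ("report.pdf", b"%PDF-1.4 constructed sample"),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.pdf", b"%PDF-1.4 constructed sample"),
        ("shell.pdf", b"<?php system($_GET['c']); ?>"),
    ]
    for name, data in samples:
        print(name, "->", stored_path(name, data))
```

Only the first sample is accepted, and even that one is written under a random name in a non-executable directory, so a stray PHP interpreter configuration cannot turn a successful upload into a shell.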


I was stuck here for a while and could not think of any way to proceed. After talking to my friends and getting some ideas from them, I had an idea of how to proceed from here.

Roundcube Webmail installer


We managed to access the Roundcube installer, so let’s intercept the request using Burp Suite.


The screenshot above shows the original intercepted request.


We need to modify the request as shown above and hold it in Burp for now, without forwarding it yet.


Let’s start our nc listener, and then we can click the Forward button.


We should now receive the reverse shell connection back on our listener.

Enumerate further inside the machine


After a while, we find some configuration files that leak passwords.


We can now access the machine as mark.


We can read the user flag by typing the “cat user.txt” command.

Escalate to Root Privileges


Let’s access the machine as a different user, Kavi.


I notice that there is a script (/opt/app/startup.sh) that we might be able to use at a later stage.


Let’s execute the script and see what happens. However, the script stops at [+] Starting the app.


After looking at the loglevel package in /opt/app/node_modules, we can see that the app installs it through npm.


We can add our reverse shell to /lib/loglevel.js as shown above.


Let’s run the script again, but it fails with a few errors.


Therefore, let’s install Verdaccio (a lightweight private npm registry) on our machine.


Let’s add a new user to Verdaccio.


Let’s start Verdaccio.


Sadly, we hit an error saying Bad Request.


After a while, we solved the error and successfully published the modified package to the registry on our machine.


On the victim’s machine, we need to modify the .npmrc file so that the registry entry points to our VPN IP.


Once we have finished modifying the .npmrc file, we can start the script again.


At last, we receive the reverse connection back on our listener.
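The root path above works because npm resolves the package from whatever registry .npmrc names, with nothing tying the dependency to a specific registry or to a known tarball hash. A defender reviewing such an app would check three things: whether the registry in .npmrc is the public one (or an https private one), whether private packages are scoped and their scope is pinned to that registry, and whether every dependency in package-lock.json carries an integrity hash and an https resolved URL. The following audit script is an added example written for this post (not the machine's code or any npm tooling); the package.json, .npmrc and package-lock.json inputs are constructed samples, and the hostnames and package names in them are placeholders.

```python
from urllib.parse import urlparse

PUBLIC_REGISTRY = "https://registry.npmjs.org/"

# Constructed sample: an app whose default registry was redirected to a
# plain-http registry by IP, one scoped private package, and one public one.
WEAK_PACKAGE_JSON = {
    "name": "app",
    "dependencies": {
        "loglevel": "^1.8.0",
        "@acme/internal-logger": "^2.0.0",
        "express": "4.18.2",
    },
}
WEAK_NPMRC = "registry=http://192.0.2.10:4873/\n"
WEAK_LOCK = {
    "packages": {
        "node_modules/loglevel": {
            "version": "1.8.0",
            "resolved": "http://192.0.2.10:4873/loglevel/-/loglevel-1.8.0.tgz",
        },
        "node_modules/express": {
            "version": "4.18.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
    }
}

# Constructed hardened configuration for the same dependency list.
HARDENED_NPMRC = (
    "registry=https://registry.npmjs.org/\n"
    "@acme:registry=https://npm.internal.example/\n"
)
HARDENED_LOCK = {
    "packages": {
        name: {"version": "x", "resolved": url, "integrity": "sha512-PLACEHOLDER"}
        for name, url in [
            ("node_modules/loglevel", "https://registry.npmjs.org/loglevel/-/loglevel-1.8.0.tgz"),
            ("node_modules/@acme/internal-logger",
             "https://npm.internal.example/@acme/internal-logger/-/internal-logger-2.0.0.tgz"),
            ("node_modules/express", "https://registry.npmjs.org/express/-/express-4.18.2.tgz"),
        ]
    }
}


def parse_npmrc(text):
    """Parse the key=value lines of an .npmrc, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(package_json, npmrc_text, lock):
    """Return (subject, finding-code) pairs for dependency-resolution weaknesses."""
    cfg = parse_npmrc(npmrc_text)
    packages = lock.get("packages", {})
    findings = []
    default_registry = cfg.get("registry", PUBLIC_REGISTRY)
    if urlparse(default_registry).scheme != "https":
        findings.append(("npmrc", "REGISTRY_NOT_HTTPS"))
    for name in package_json.get("dependencies", {}):
        if name.startswith("@"):
            # Scoped package: its scope must be pinned to one registry.
            if cfg.get(name.split("/")[0] + ":registry") is None:
                findings.append((name, "SCOPE_NOT_PINNED"))
        elif default_registry != PUBLIC_REGISTRY:
            # Unscoped name served by a custom registry: nothing stops the
            # same name from being served by whoever controls that registry.
            findings.append((name, "UNSCOPED_CUSTOM_REGISTRY"))
        entry = packages.get("node_modules/" + name)
        if entry is None:
            findings.append((name, "MISSING_LOCK_ENTRY"))
            continue
        if "integrity" not in entry:
            findings.append((name, "NO_INTEGRITY"))
        if urlparse(entry.get("resolved", "")).scheme != "https":
            findings.append((name, "RESOLVED_NOT_HTTPS"))
    return findings


if __name__ == "__main__":
    print("weak config:", audit(WEAK_PACKAGE_JSON, WEAK_NPMRC, WEAK_LOCK))
    print("hardened config:", audit(WEAK_PACKAGE_JSON, HARDENED_NPMRC, HARDENED_LOCK))
```

Against the weak configuration the script reports the http registry, the unscoped packages pulled through it, the missing lock entry for the scoped package and the loglevel entry with no integrity hash; the hardened configuration produces no findings. Pairing a pinned lock file with `npm ci` makes npm refuse a tarball whose hash does not match, so redirecting the registry alone is no longer enough to substitute a package.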


We can read the root flag by typing the “cat root.txt” command.

Extra Information on Seventeen Machine