In this post, I would like to share a walkthrough of the Seventeen machine from Hack The Box.

This room is rated as a Hard machine on Hack The Box.

What will you gain from the Seventeen machine?

For the user flag, you will need to play with SQL injection and then get a reverse shell connection back to us by exploiting the Roundcube Webmail installer.

As for the root flag, you need to carry out a dependency confusion attack against the application's npm package installation.

Information Gathering on Seventeen Machine

Once we have started the VPN connection (using the configuration file downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

There are a few ports open, such as SSH and HTTP (on ports 80 and 8000).

Let’s access the website interface.

There is nothing to look at on the website itself. Therefore, let’s enumerate further using gobuster.

From the gobuster scan, we didn’t find anything useful.

As a result, let’s enumerate vhosts using gobuster.

However, I managed to notice that exam.seventeen.htb is available. Let’s access that domain to see whether it can be used to proceed further.

There is not much to investigate on the domain for now. Let’s enumerate its directories using gobuster.

Nothing looks accessible to us.

Let’s play with the common SQL injection payloads that we know. I notice that the input is injectable, so we can make use of an injection attack.
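The injection works because the login page builds its SQL query by pasting user input into the statement text. The following is an added example (not code from the box or from this walkthrough) that shows the vulnerable pattern next to the fix, using an in-memory SQLite table that stands in for the student login table; the table and column names and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the student login table
# behind the oldmanagement page (table and column names are assumed).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the user's input becomes part of the SQL syntax."""
    query = (
        "SELECT username FROM students "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    query = "SELECT username FROM students WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tamper = "x' OR '1'='1"
    # The vulnerable version "logs in" with a wrong password; the safe one does not.
    print("vulnerable:", login_vulnerable(db, "alice", tamper))
    print("safe:      ", login_safe(db, "alice", tamper))
```

With the tampered password the string-built query becomes `... AND password = 'x' OR '1'='1'`, which is true for every row, so the first user is returned; the bound-parameter version compares the literal string and returns nothing.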

Enumerate using sqlmap

After running sqlmap, we found a few databases that we can analyze further.
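From the defender's side, a sqlmap run like this is noisy in the web server logs: the default User-Agent identifies the tool, and one client sends many variants of the same parameter to one path in a short time. The following is an added example (not part of the original post) that parses Apache/nginx combined-format log lines and raises both alerts; the log lines are constructed for the example and are not from the machine.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not from the machine); the client IPs are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jun/2022:10:00:01 +0000] "GET /oldmanagement/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jun/2022:10:00:02 +0000] "GET /oldmanagement/?id=1%27 HTTP/1.1" 500 120 "-" "sqlmap/1.6.5#stable (https://sqlmap.org)"
10.10.14.5 - - [01/Jun/2022:10:00:02 +0000] "GET /oldmanagement/?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.6.5#stable (https://sqlmap.org)"
10.10.14.5 - - [01/Jun/2022:10:00:03 +0000] "GET /oldmanagement/?id=1%20AND%201%3D2 HTTP/1.1" 200 480 "-" "sqlmap/1.6.5#stable (https://sqlmap.org)"
10.10.14.5 - - [01/Jun/2022:10:00:03 +0000] "GET /oldmanagement/?id=1%20ORDER%20BY%203 HTTP/1.1" 200 512 "-" "sqlmap/1.6.5#stable (https://sqlmap.org)"
10.10.14.5 - - [01/Jun/2022:10:00:09 +0000] "GET /oldmanagement/?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 700 "-" "sqlmap/1.6.5#stable (https://sqlmap.org)"
192.168.1.20 - - [01/Jun/2022:10:01:00 +0000] "GET /oldmanagement/?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, variant_threshold=4):
    """Return (alert_type, client_ip, detail) tuples.

    Two signals: the sqlmap default User-Agent, and one client requesting
    the same path with at least `variant_threshold` distinct query strings.
    """
    alerts = []
    variants = defaultdict(set)  # (ip, path) -> distinct query strings seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"].lower().startswith("sqlmap"):
            alerts.append(("sqlmap_user_agent", rec["ip"], rec["target"]))
        path, _, query = rec["target"].partition("?")
        if query:
            variants[(rec["ip"], path)].add(query)
    for (ip, path), queries in variants.items():
        if len(queries) >= variant_threshold:
            alerts.append(("parameter_fuzzing", ip, f"{path} ({len(queries)} variants)"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The User-Agent check only catches a default sqlmap run (the tool can set any agent), which is why the second signal, many distinct query strings against one path from one client, is the one worth keeping in a real detection rule.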

We managed to obtain a few tables, but nothing of much interest can be found.

Oh, wait! Something looks interesting when we investigate the users table.

After roaming through another database, we found some usernames that I presume we can use at a later stage.

At this stage, let’s gamble with the information that we obtained earlier.

When trying to access the oldmanagement directory on the website, we are given a student login page.

After trying all the credentials from the database enumeration that we did earlier, we managed to find one that worked!

Finally, we can see the dashboard of the School File Management System.

Let’s try to upload a PHP file into the system.

We can obtain the PHP reverse shell over here.

Let’s upload it as shown above.

Sadly, we cannot get a reverse connection this way.

I have been stuck for a while here and cannot think of anything to proceed with anymore. After talking to my friends and getting some ideas from them, I have an idea of how to proceed from here.

Roundcube webmail installer

We managed to access the Roundcube installer, so let’s intercept the request using Burp Suite.

The screenshot above shows the original intercepted request.

We need to modify the payload as shown above and hold off on forwarding it until the next step.

Let’s start our nc listener, and then we can click the forward button.

If everything goes well, we should get the reverse shell connection back to us.

Let’s enumerate more inside the machine.

After a while, we managed to find some configuration files that leak some passwords.

We managed to access the machine as mark.

We can read the user flag by typing the “cat user.txt” command.

Escalate to Root Privilege Access

Let’s access the machine as a different user, such as Kavi.

I notice that there is a script (/opt/app/startup.sh) that we might be able to use at a later stage.

Let’s execute the script and see what happens. However, the script stops at [+] Starting the app.

After analyzing the loglevel folder in /opt/app/node_modules, we know the application installs its packages using npm.

We can add our reverse shell on /lib/loglevel.js as shown above.

Let’s execute the script again, but we get a few errors.

Therefore, let’s install the verdaccio application on our machine.

Let’s add a new user on verdaccio.

Let’s start the verdaccio application.

Sadly, we stumble on an error saying Bad Request.

After a while, we managed to solve the error and successfully uploaded the malicious file to our machine.

On the victim’s machine, we need to modify the .npmrc file so that the registry IP points to our VPN IP.

Once we finish modifying the .npmrc file, we can start our script again.
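The root step works because the startup script trusts whatever registry .npmrc names and whatever version of loglevel that registry serves. The following is an added example (not code from the box or from this walkthrough) of the check a defender would run over an application's package.json and .npmrc before a script like startup.sh is allowed to install packages: it flags registries outside an allowlist, registries not served over HTTPS, scoped packages whose scope is not pinned to a registry, and unpinned version ranges. The allowlist, the package.json contents and both .npmrc variants are constructed for the example; the 10.10.14.5 address is a made-up sample value.

```python
import json
import re

# Registries the organisation trusts (assumed policy for this example).
ALLOWED_REGISTRIES = {"https://registry.npmjs.org", "https://npm.internal.example"}

# Constructed sample inputs; not files taken from the machine.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "app",
    "dependencies": {"loglevel": "^1.8.0", "@corp/auth": "2.1.0"},
})
# The weak config mirrors the situation in the walkthrough: the default
# registry points at an arbitrary host over plain HTTP (address is made up).
WEAK_NPMRC = "registry=http://10.10.14.5:4873/\n"
HARDENED_NPMRC = (
    "registry=https://registry.npmjs.org/\n"
    "@corp:registry=https://npm.internal.example/\n"
    "package-lock=true\n"
)


def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) from .npmrc contents."""
    default = "https://registry.npmjs.org/"  # npm's built-in default
    scoped = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scoped[key[: -len(":registry")]] = value
    return default, scoped


def registry_for(name, default, scoped):
    """Registry npm would use for `name`: the scope's registry if pinned, else the default."""
    if name.startswith("@"):
        return scoped.get(name.split("/", 1)[0], default)
    return default


def audit_config(package_json, npmrc, allowed=ALLOWED_REGISTRIES):
    """Return a list of human-readable findings; an empty list means the config is clean."""
    default, scoped = parse_npmrc(npmrc)
    pkg = json.loads(package_json)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    findings = []
    for name, spec in sorted(deps.items()):
        reg = registry_for(name, default, scoped).rstrip("/")
        if reg not in allowed:
            findings.append(f"{name}: resolves from untrusted registry {reg}")
        if not reg.startswith("https://"):
            findings.append(f"{name}: registry {reg} is not HTTPS")
        if name.startswith("@") and name.split("/", 1)[0] not in scoped:
            findings.append(f"{name}: scope has no pinned registry, falls back to {reg}")
        if not re.fullmatch(r"\d+\.\d+\.\d+", spec):
            findings.append(f"{name}: version range {spec!r} is not pinned")
    return findings


if __name__ == "__main__":
    for label, npmrc in (("weak", WEAK_NPMRC), ("hardened", HARDENED_NPMRC)):
        print(f"--- {label} .npmrc ---")
        for finding in audit_config(SAMPLE_PACKAGE_JSON, npmrc) or ["no findings"]:
            print(finding)
```

The hardened config still produces one finding (the `^1.8.0` range on loglevel), which is the point: a registry allowlist stops the redirect used here, but only an exact pin together with a committed lockfile and its integrity hashes stops a substituted package version from being installed.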

At last, we receive the reverse connection back to us.

We can read the root flag by typing the “cat root.txt” command.

Extra Information on Seventeen Machine

One thought on “HackTheBox: Seventeen Machine Walkthrough – Hard Difficulty”
  1. Hey, I solved this machine and didn’t quite understand the box overall as it wasn’t configured properly, but after reading your writeup, I am now even more confused, like how did you know there was a SQL injection and which parameter was vulnerable? Did you try running sqlmap on parameters? Also the part where we have to get a reverse shell, what does the _plugin_help POST parameter mean, weren’t we supposed to perform directory traversal on _plugin_name? And for escalating to kavi you didn’t show how you got to him. Please answer my queries, Thanks!
