In this post, I would like to share a walkthrough of the Shared machine from Hack the Box
This machine is rated as a medium machine on Hack the Box
What will you gain from the Shared machine?
For the user flag, you will need to abuse a SQL injection via a cookie, through which we will be able to retrieve credentials so that we can access the machine via the SSH service
As for the root flag, you need to reverse engineer the Redis application, from which we will be able to obtain Redis credentials and take advantage of a Redis exploit
Information Gathering on Shared Machine
Once we have started the VPN connection, which requires a download from Hack the Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface
However, the IP address has redirected us to a domain that we have not whitelisted yet.
Therefore, let’s whitelist the domain and access the website again
Finally, we can access the website itself and see the interface.
From my analysis, I notice that this website is a clothing shop. Let’s try to buy some clothes by clicking “Proceed To Checkout”
On the checkout interface, we are required to enter credit card information, but I don’t want to test with an actual credit card, which would be dangerous
As a result, let’s inspect the request packet that this website sends
SQL Injection attack using Burp Suite
I noticed something interesting in the request packet, especially the custom_cart value. Let’s play around with the custom_cart payload.
I was thinking of a SQL injection exploit here
No error has been reflected in the response, which looks good, but let’s analyze the response packet.
Uwu! It works, so let’s view it in the browser.
We have managed to see the database in the response packet, which is a good sign at least.
Let’s see the table contents by using SQL injection syntax
At last, we got the username from the database enumeration using Burp Suite
We also found the password hash through the same database enumeration
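As an added example, not code from the original write-up or from the box itself, here is how a cart handler could treat the custom_cart cookie so that its contents never become part of the SQL text: the cookie is assumed to be a JSON object mapping product codes to quantities, the catalogue is a constructed in-memory SQLite table, and every name here is hypothetical.

```python
import json
import re
import sqlite3

# Hypothetical shop: product codes are short alphanumeric identifiers.
PRODUCT_CODE_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def build_demo_db():
    """Constructed in-memory catalogue standing in for the shop database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (code TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", [
        ("TSHIRT-01", "Basic T-shirt", 12.50),
        ("HOODIE-02", "Zip hoodie", 39.00),
    ])
    return conn


def parse_cart_cookie(raw):
    """Parse custom_cart as a JSON object {code: quantity}.
    A key that is not a plausible product code, or a quantity that is not a
    positive integer, rejects the whole cookie instead of being passed on."""
    try:
        cart = json.loads(raw)
    except ValueError:
        raise ValueError("custom_cart is not valid JSON")
    if not isinstance(cart, dict) or not cart:
        raise ValueError("custom_cart must be a non-empty object")
    clean = {}
    for code, qty in cart.items():
        if not PRODUCT_CODE_RE.match(code):
            raise ValueError("rejected product code: %r" % code)
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 99:
            raise ValueError("rejected quantity for %s" % code)
        clean[code] = qty
    return clean


def cart_total(conn, raw_cookie):
    """Price the cart with a parameterised query per product; the cookie value
    is only ever bound as a parameter, never concatenated into the SQL."""
    total = 0.0
    for code, qty in parse_cart_cookie(raw_cookie).items():
        row = conn.execute("SELECT price FROM product WHERE code = ?", (code,)).fetchone()
        if row is None:
            raise ValueError("unknown product: %s" % code)
        total += row[0] * qty
    return round(total, 2)


def cookie_is_accepted(conn, raw_cookie):
    """True if the cookie passes validation and every product exists."""
    try:
        cart_total(conn, raw_cookie)
        return True
    except ValueError:
        return False
```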
Cracking the james_mason password
Let’s crack the password hash by using the John the Ripper tool
However, we got a weird password, and I don’t think we successfully retrieved the password at all
After troubleshooting the issue, we finally retrieved the actual password
As a result, we have successfully accessed the machine via the SSH service
Sadly, the user flag is not stored under this user. Therefore, let’s enumerate the victim’s machine further
I notice that james_mason is a member of the developer group, which can be useful for further escalation
There is a folder whose access is granted to the developer group
However, we notice that no files have been saved in this folder.
To be frankly honest, I don’t have any clue about any attack that we can use here. As a result, let’s do some research on the internet.
After a while, I managed to find this website that we can use for further escalation
Let’s copy the command from the website, although I made some modifications to it
After re-running the command, I notice that the folder has been deleted, which means there is a cleanup script running on the server.
Therefore, let’s be quick so that the folder and file are not deleted before we manage to retrieve the SSH private key
At last, we managed to obtain the key in the /dev/shm directory
Finally, we got the SSH private key and copied it to our attacker machine
However, we don’t know which user to use with the SSH private key
Inside the /home/ directory, we find another user configured on the server.
Uwu! We managed to access the server as dan_smith via the SSH service.
We can read the user flag by typing the command “cat user.txt”
Escalate to Root Privilege Access on Shared Machine
From the above command, we are aware that dan_smith is assigned to the sysadmin group.
We find a file called redis_connector_dev stored in the /usr/local/bin directory
The file is owned by root and the sysadmin group
However, we can see information about the server by running the file
As a result, let’s download it and try it on our attacker machine
Let’s start our nc listener to capture any juicy information from the file
Let’s execute the file
We can see some information, and the value at the bottom of the connection could be the password
Let’s create the reverse shell in the /dev/shm directory
Then, let’s start our nc listener
Let’s execute redis-cli with the password that we found earlier and execute the root shell
Finally, we managed to obtain the root reverse shell
However, it got disconnected after a few minutes
When I rechecked redis-cli, I could see that the connection had been disconnected
We can read the root flag by using the “cat root.txt” command