In this post, I would like to share a walkthrough of the Shared Machine from Hack the Box

This room will be considered a medium machine on Hack the Box

What will you gain from the Shared machine?

For the user flag, you will need to abuse the SQL Injection via a cookie which we will be able to retrieve credentials so that we can access the machine via SSH service

As for the root flag, you need to reverse engineering the Redis application where we will be able to obtain Redis credentials and take advantage of the REDIS exploit

Information Gathering on Shared Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface

However, the IP has redirected us to a domain that we didn’t whitelist yet.

Therefore, let’s whitelist the domain and access the website again

Finally, we can access the website itself and sighted the interface.

From my analysis, I notice that this website is a selling clothes type of business. Let’s try to buy the clothes by clicking the “Proceed To Checkout

On the checkout interface, we are required to enter information for the credit card but i don’t want to test the actual credit card which it’s dangerous

As a result, let’s try to inspect the packet that comes from this website

SQL Injection attack by using BurpSuite

I did notice some interesting on the request packet, especially on the custom_cart. Let’s try to play around with the custom_cart payload.

I was thinking of SQL Injection exploit over here

No error has been reflected in the Response space which looks good but let’s analyze the response packet.

Uwu! It works and let’s sighted it on the browser application.

We have managed to see the database on the response packet which it’s a good thing at least.

Let’s see the table content by using the SQL Injection syntax

At last, we got the username from the database enumeration using burp suite

We also found the password hash from the database syntax too

Cracking the james_mason password

Let’s crack the password by using the John the Ripper tool

However, we got a weird password, and I don’t think that we successfully retrieve the password at all

After troubleshooting the issues, we finally retrieve the actual password

As a result, we have successfully accessed the machine via SSH Service

Sadly, the user flag is not stored in this username. Therefore, let’s enumerate more on the victim’s machine

I notice that James mason group is a developer which can be useful for further escalation

There’s a folder that executes under the developer group access

However, we notice that no files have been saved in this folder.

To be frankly honest, I don’t have any clue about any attack that we can use over here. As a result, let’s do some research on the internet.

After a while, I managed to find this website that we can use for further escalation

Let’s copy-paste the command on the website but I did some modifications to the command

After re-do the command, I notice that the folder has been deleted which means there was a cleanup script implemented on the server.

Therefore, let’s do a quick one so that the folder and file will not be deleted before we managed to retrieve the SSH private key

At last, we managed to obtain the key on /dev/shm directory

Finally, we got the SSH private key and copy-paste to our attacker’s machine

However, we didn’t know any user to use for the SSH private key

Inside the /home/ directory, we managed to sight another user configures on the server.

Uwu! We managed to access the server using dan_smith via SSH service.

We can read the user flag by typing the command “cat user.txt

Escalate to Root Privileges Access on Shared Machine

From the above command, we have aware that dan_smith is assigned to the sysadmin group.

We managed to find a file called redis_connector_dev that had been stored on /usr/local/bin directory

The file has been assigned to the root and sysadmin group

However, we managed to see the information of the server by using the file

As a result, let’s download and try on our attacker’s machine

Let’s start our nc listener to retrieve any juicy information from the file

Let’s execute the file

We managed to see some information and it can be the password at the bottom of the connection

Let’s create the reverse shell on the /dev/shm directory

Therefore, let’s start our nc listener

Let’s execute the redis-cli with the password that we found earlier and execute the root shell

Finally, we managed to obtain the root reverse shell

However, it got disconnected after a few minutes

When i rechecked the redis-cli and i could see that the connection has been disconnected

We can read the root flag by using the “cat root.txt” command

Extra Information