In this post, I would like to share a walkthrough of the Extension Machine from Hack the Box


This room will be considered a Hard machine on Hack the Box

What will you gain from the Extension machine?


For the user flag, you will need to find leaked multiple information from the management/dump which will try to brute-force the token. By exploiting the IDOR vulnerability to verify the username of “jean”. We also can bypass the cross-site scripting filters to attack the Gitea’s API which lead to find a backup file frm the another user. Once we completed the downloading the backup file on our attacker’s machine, we will find a SSH access to the host. and some password to use on the next user.


As for the root flag, you need to enumerate more on MySQL database and insert a command injection on the MySQL database. and get RCE on the website which we are required to validated our account. The docker socket (docker.sock) which can be found on te container can be writable which lead to a simple container breakout

Information Gathering on Extension Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


Only two-port are open for this machine


Let’s access the website interface


However, the website interface didn’t show any interest that we can make use


Therefore, let’s enumerate the website directory by using gobuster


Nothing much to see except for the login and register directory


Sadly, We don’t have any credentials that we can use to access the interface


Let’s see the source code of the website if we might find some interesting code embedded together. Finally, we found some code that looks interesting to us.


However, when we try to inspect the management/dump on burpsuite where we stumbled upon an error of “405 Method Not Allowed”

Get information using Burpsuite


We will need to inspect the login page and I notice there’s a JSON code on line 19


For this attack, i just need to change login to management/dump and modify the JSON item to something such as:


{


“download”:”users”


}


The result will be shown something such as above


“name”: “Gia Stehr”,


“email”: “gia@snippet.htb”,


“password”: “ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f”,


However, i notice that the credentials that have been highlighted above


At last, we managed to obtain a password for username gia from here

Snippet Dashboard and read the snippet’s hidden message


Finally, we managed to access the dashboard for the git


There’s something written on one of the snippets. I managed to notice that this snippet parks under snippet/1


I’ve been thinking if there’s another snippet than snippet/1


Sadly, we cannot see anything on snippet2 which we are not authorized to view this snippet


However, there’s no snippet/3 has been stored on the website or server


Let’s try to bypass the snippet/2 so that we can read the hidden message


Let’s create our own snippet such as shown above.


Therefore, let’s edit the snippet that we created earlier and move it to snippet/2


Boom! We have finally seen the hidden message where it’s a curl command. However, I notice that authorization has some base64 encoded


As a result, let’s try to decode the base64 code and I notice that it’s some credentials for some website


From the gobuster output, there are a lot of subdomains where we can see the status 200. It’s ridiculously hard and confusing, to be honest.


As a result, let’s enumerate using wfuzz which will result in lesser payload

gitea’s enumeration on extension machine


Finally, we got dev.snippet.htb website that shows a Gitea Website. However, we already know that the other subdomain will be Gitea Based


We managed to access the Gitea Dashboard using jean’s credentials


Inside jean’s extension repository, there are a few files that we can investigate


Let’s try creating a new issue for the extension’s repository


Therefore, let’s start our python server


Let’s create the issues as above and save them as any name


We managed to retrieve a file that doesn’t exist at all.


At last, we managed to obtain Charlie’s backup folder into Gitea’s Dashboard


As a result, let’s download the file to our attacker’s machine


We managed to find an SSH private key that we can use to access the machine via SSH service.


Finally, we successfully access the machine via SSH service


Sadly, we cannot find the user flag inside Charlie’s home directory


However, the user flag is stored in jean’s directory


We can read the user flag by typing the command “cat user.txt

Escalate to Root Privileges Access


From the netstat output, we can see that there are some ports open within the server such as the database port open.


Sadly, we cannot execute the MySQL database command within the server itself.


Therefore, let’s run the MySQL command from the attacker’s side by doing the port forwarding method.


Once we managed to login into the database, we can execute the command to update the role of the gia@snippet.htb into the manager’s role


As a manager, we can create a new user into the database which contains a reverse shell together.


We can start our listener so that we can retrieve our connection back to us.


After searching for the username on the Dashboard, we managed to see it at the end of the page. For us to obtain the reverse shell connection, we are required to click the “Validate” Button.


Finally, we managed to retrieve back the connection


Sadly, only a file called docker.sock is saved inside the /app directory.


We can execute the command above to get /bin/bash as SUID Binary


Finally, we have successfully into the root’s bash shell


We can read the root flag by typing the “cat /root/root.txt” command

Extra Information