In this post, I would like to share a walkthrough of the Moderators Machine from Hack the Box


This room will be considered a Hard machine on Hack The Box

What will you gain from the Moderators machine?


For the user flag, you will need to enumerate the website where we will find an upload page that we are required to bypass the filters to obtain a webshell. We can also use port forwarding using chisel where we will able to access internal WordPress. Inside the WordPress dashboard, we can exploit the WordPress plugin “Brandfolder” to get a database password. We managed to obtain the SSH key from the other WordPress Plugin.


As for the root flag, you need to access VirtualBox encryption to obtain LUKS where we will able to retrieve the Root’s Password

Information Gathering on Moderators’ Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


Only two-port are open for this machine.


Therefore, let’s access the website interface


When i trying to analyze the website, i didn’t find any interesting thing that we can abuse.


As a result, let’s directory enumeration using gobuster


Sadly, there’s no directory that we can look further.


Those are the fuction that we can look inside the website interface.


It looks like a walkthrough for the attack’s report


The screenshot above shows the example of the report


There is no subdomain that we can look for further escalation.


Oh no! I’m running out of ideas at this moment.


After a while, i just notice that the report id is totally different


Let’s enumerate the report id using wfuzz


At last, we have a bunch of id that we can use


Wow! It’s a valid report id that contains some information inside.


Inside one of the report, there’s a additional information such as the LOGS: logs/


However, only the blank page has been shown to us.


However, when we access the logs.pdf location which it show the information such as logs removed


We should be converting the actual id into md5


As a result, we have some information been shown as above.


Finally, we have found a file upload page from the previous activity.


Let’s create a malicious pdf file that which we will use it for obtaining a shell on the mac


We have inspected the packet via Burpsuite which looks like the above.


Sadly, we got an error even though we uploaded the pdf file.


Therefore, let’s bypass the packet by adding the %PDF-1.5 and %%EOF on the packet itself.


The file uploaded is a success.


At last, we managed to obtain a shell by using the method above.

Using Chisel


We are required to transfer the chisel into our victim’s machine so that we can execute the port forwarding


The screenshot above show that the port forwarding is a success.


It look like a WordPress interface


Therefore, we can create a file called wp-load.php which contain the reverse shell command but sadly, the file cannot be created at all.


As a result, we need to create the file on our attacker’s machine and move it into our victim’s machine.

Let’s execute the call back from the machine by using the command above.

At last, we managed to retrieve the reverse shell connection back to us.


We can read the user flag by using the command “cat user.txt

Escalate to Root Privileges Access on Moderators machine


We can access the machine by obtaining the SSH private key and downloading it into our attacker’s machine


Finally, we managed to access it using the SSH service.


There’s a new directory has been stored inside the /opt directory


I notice that the file that was saved inside the /opt/site.new is WordPress file


Inside the wp-config.php have stored a Database configuration such as Database name, username, and password.


We can execute the SQL command so that we can access the Database.


We can generate the WordPress password Hash Generator over here


Therefore, let’s reset the password by running the command above.


However, the website connection was been reset for some reason


After a while, we managed to solve the issues


Let’s access the wp-admin directory on the website itself.


We should enter the credentials that we created earlier on the SQL Database.


As a result, we managed to see the WordPress Dashboard


There’s a plugin that I haven’t seen before for WordPress


It’s a SSH private key for john which we might be able to login as John



Let’s copy and paste the SSH private key into our attacker’s machine


At last, we managed to access the machine as John


There is a file that looks like a VirtualBox file


From the result above, we are aware that John can run sudo as all


Finally, we managed to change from john to root


We can read the root flag by running the command “cat root.txt

Extra Information