In this post, I would like to share a walkthrough of the Moderators Machine from Hack the Box

This room will be considered a Hard machine on Hack The Box

What will you gain from the Moderators machine?

For the user flag, you will need to enumerate the website where we will find an upload page that we are required to bypass the filters to obtain a webshell. We can also use port forwarding using chisel where we will able to access internal WordPress. Inside the WordPress dashboard, we can exploit the WordPress plugin “Brandfolder” to get a database password. We managed to obtain the SSH key from the other WordPress Plugin.

As for the root flag, you need to access VirtualBox encryption to obtain LUKS where we will able to retrieve the Root’s Password

Information Gathering on Moderators’ Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Only two-port are open for this machine.

Therefore, let’s access the website interface

When i trying to analyze the website, i didn’t find any interesting thing that we can abuse.

As a result, let’s directory enumeration using gobuster

Sadly, there’s no directory that we can look further.

Those are the fuction that we can look inside the website interface.

It looks like a walkthrough for the attack’s report

The screenshot above shows the example of the report

There is no subdomain that we can look for further escalation.

Oh no! I’m running out of ideas at this moment.

After a while, i just notice that the report id is totally different

Let’s enumerate the report id using wfuzz

At last, we have a bunch of id that we can use

Wow! It’s a valid report id that contains some information inside.

Inside one of the report, there’s a additional information such as the LOGS: logs/

However, only the blank page has been shown to us.

However, when we access the logs.pdf location which it show the information such as logs removed

We should be converting the actual id into md5

As a result, we have some information been shown as above.

Finally, we have found a file upload page from the previous activity.

Let’s create a malicious pdf file that which we will use it for obtaining a shell on the mac

We have inspected the packet via Burpsuite which looks like the above.

Sadly, we got an error even though we uploaded the pdf file.

Therefore, let’s bypass the packet by adding the %PDF-1.5 and %%EOF on the packet itself.

The file uploaded is a success.

At last, we managed to obtain a shell by using the method above.

Using Chisel

We are required to transfer the chisel into our victim’s machine so that we can execute the port forwarding

The screenshot above show that the port forwarding is a success.

It look like a WordPress interface

Therefore, we can create a file called wp-load.php which contain the reverse shell command but sadly, the file cannot be created at all.

As a result, we need to create the file on our attacker’s machine and move it into our victim’s machine.

Let’s execute the call back from the machine by using the command above.

At last, we managed to retrieve the reverse shell connection back to us.

We can read the user flag by using the command “cat user.txt

Escalate to Root Privileges Access on Moderators machine

We can access the machine by obtaining the SSH private key and downloading it into our attacker’s machine

Finally, we managed to access it using the SSH service.

There’s a new directory has been stored inside the /opt directory

I notice that the file that was saved inside the /opt/ is WordPress file

Inside the wp-config.php have stored a Database configuration such as Database name, username, and password.

We can execute the SQL command so that we can access the Database.

We can generate the WordPress password Hash Generator over here

Therefore, let’s reset the password by running the command above.

However, the website connection was been reset for some reason

After a while, we managed to solve the issues

Let’s access the wp-admin directory on the website itself.

We should enter the credentials that we created earlier on the SQL Database.

As a result, we managed to see the WordPress Dashboard

There’s a plugin that I haven’t seen before for WordPress

It’s a SSH private key for john which we might be able to login as John

Let’s copy and paste the SSH private key into our attacker’s machine

At last, we managed to access the machine as John

There is a file that looks like a VirtualBox file

From the result above, we are aware that John can run sudo as all

Finally, we managed to change from john to root

We can read the root flag by running the command “cat root.txt

Extra Information