In this post, I would like to share a walkthrough of the Overgraph machine from Hack The Box.


This machine is rated Hard on Hack The Box.

What will you gain from the Overgraph machine?


For the user flag, you need to abuse a Cross-Site Scripting (XSS) vulnerability that is reached through Client-Side Template Injection (CSTI). With the admin's token, we can upload a crafted video that exploits FFmpeg, which lets us obtain the SSH private key.


As for the root flag, you need to analyze a binary and write a heap exploit for it.

Information Gathering on Overgraph Machine


Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by running the command nmap -sC -sV -p- <IP Address> -PN


Let's access the website interface.


There is nothing interesting on the website itself.


We found one subdomain: internal.graph.htb

Enumerate the Graph Management website


Here we are presented with a login page for Graph Management.


I also found some subdomains that return an error such as “Cannot GET /”.


I managed to find a graphql directory that we might be able to abuse for further escalation.


We can retrieve information about the API by querying its schema.


I have successfully retrieved the Graph Management Dashboard.


Let's try the login page with random credentials.


Next, let's brute-force the username using Burp Suite.


Let's register our email so that we can access the website interface.


Then, we enter the code, such as 1234, that is accessible there.


Finally, we managed to access the Graph Management Dashboard.


We also read the message in the Inbox.


The screenshot above shows the Upload function.


We are required to modify a value in Local Storage before we can use the Upload function.


Let's research which exploits we can use here.


After a while, we found one exploit that we can use here. The file needs to be modified as shown above for the exploit to work.


We need to upload the exploit file we modified earlier.


It works like a charm! Next, we can retrieve the SSH private key so that we can log in over SSH.


At last, we have obtained the SSH private key from the exploit we used earlier.


Finally, we successfully accessed the machine over SSH.


We can read the user flag by typing the command “cat user.txt”.

Escalate to Root Privileges on the Overgraph Machine


First, we look through all the potentially interesting folders on the victim's machine, but hit a dead end.


Therefore, let's see which ports are listening locally with the netstat -tnlp command.


When we connect to the port locally, it runs an application called “Custom Reporting v1”.


Sadly, when we enter a random token, it returns the error “Invalid Token”.


We need to locate where the binary is stored on the victim's machine.


Then, let's download the binary to our own machine.

Analyze the binary using Ghidra


We load the file into Ghidra.


When analyzing the main function, I was able to see the program's flow.


We can see how the token works by analyzing the auth function.

Brute-Forcing the token


I found a script on the internet that brute-forces the token, with the result shown above.


At last, we managed to run the application as shown in the screenshot above.


After running the script, we got some promising responses back.


Due to some issues, I could not run the file on my machine, so let's execute it on the victim's machine itself.


Let's set up port forwarding.


Then we execute the file with the REMOTE function.


Finally, we got root from the process, but sadly the root shell is not fully functional as planned.


Let's start our pwncat-cs listener.


Therefore, let's execute our bash shell from the root terminal.


We have successfully grabbed the root shell.


We can read the root flag by typing the command “cat root.txt”.

Extra Information