In this post, I would like to share a walkthrough of the Overgraph Machine from Hack the Box

This room will be considered a Hard machine on Hack The Box

What will you gain from the Overgraph machine?

For the user flag, you will need to abuse the Cross-Site Scripting (XSS) where we can execute CSTI (Client-Side Template Injection). We can upload and exploit the FFmpeg video with the help of the admin’s token so that we can obtain the SSH private key

As for the root flag, you need to analyze the binary which involves the heap exploit.

Information Gathering on Overgraph Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface

Nothing that we can find interesting on the website itself.

We found one subdomain such as internal.graph.htb

Enumerate the Graph Management website

However, we are given a login page for the Graph Management

I also find some subdomains that show us an error such as “Cannot GET /

I managed to find a graphql directory which we might be able to abuse for further escalation

However, we can retrieve the information by using schema code

I have successfully retrieved the Graph Management Dashboard

Let’s try to access the login page by entering any random credentials

As a result, let’s brute-force the username by using burpsuite

Let’s register our email so that we can access the website interface

Then, we enter the code such as 1234 which we can access there

Finally, we managed to access the Graph Maangement Dashboard

We also read the message on Inbox

The screenshot above shows on the Upload Function

We are required to modify the value inside the Local Storage so that we can use the Upload Function.

Let’s do some research on any exploit that we can use over here.

After a while, we managed to find one exploit that we can use here. We need to modify the file such as shown above in order for the exploit to work!

We need to upload the exploit that we modify earlier

It works like charm! For the next step, we can retrieve the SSH private key so that we can use it via SSH service.


At last, we have obtained the SSH private key from the exploited we use earlier.

Finally, we successfully accessed the machine via SSH service.

We can read the user flag by typing the command “cat user.txt

Escalate to Root Privileges Access on Overgraph Machine

At first, we need to analyze all the potential folders inside the victim’s machine but found a dead-end

Therefore, let’s see what port is open locally by typing netstat -tnlp command

When we try to access the port locally and it has execute some application which is “Custom Reporting v1”

Sadly, when we randomly enter any token and it returns an error such as “Invalid Token

We need to locate where the file is been stored inside the victim’s machine

As a result, let’s download the binary file into our machine

Analyze the binary using Ghidra

We need to put the file into Ghidra

When analyzing the main function, i managed to sight the process of the function

However, we managed to see how the token work when analyzing on the auth function

Brute-Forcing the token

I found a script on the internet where it will force the token which resulted as shown above.

At last, we managed to run the apps as shown in the screenshot above.

After running the script, we managed to get some good responses back to us.

Due to some issues, I cannot run the file on my machine so let’s try to execute the file on the victim’s machine itself

Let’s start our port forwarding process

And let’s execute the file with the REMOTE function

Finally, we got root from the process but sadly the root is not fully operational as planned

Let’s start our pwncat-cs listener

Therefore, let’s execute our bash shell on the root terminal

We have successfully grabbed the root shell

We can read the root flag by typing the command “cat root.txt

Extra Information