In this post, I would like to share a walkthrough of the Health Machine from Hack the Box
This room will be considered a Medium machine on Hack The Box
What will you gain from the Health machine?
For the user flag, you will need to abuse the SQL Injection via redirect exploit and use SSRF attack to exploit on Gogs which leaks the user table.
As for the root flag, you need to exploit a cron job by generating a tasks directly to the database where also can bypassing the filtering the website
Information Gathering on Health Machine
Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface.
We managed to see the website that show a page that ask us to configure the webhook
Before we enter the information on the form, we can start our nc listener that listen to port 80
The information that we enter will look something as shown above.
Sadly, we didn’t get any response back on the nc listener.
As a result, let’s start our nc listener which is using port 9000
As previously, we enter the information as shown above.
Let’s redirect the website to localhost which uses port 3000
Finally, we managed to obtain some data on the nc listener and I did notice that the website is using Gogs.
After a while, i do some research and found some good information here
As a result, we can redirect the website to use SQL injection (union select method)
At last, we managed some username: Susanne with the password hash
We are required to change the password hash into base64 encoded
Therefore, we can crack the password hash by using hashcat and we got the password as february15
Voila! We have successfully accessed the machine via SSH service
We can read the user flag by typing the ‘cat user.txt‘ command
Escalate to Root Privileges Access
As usual, we can try to find the SUID Binary by typing the “sudo -l” command
However, there’s nothing that looks interesting at the first glance.
When i look deeper into hidden files, i notice there’s one file that stand out for me at least. The file is called .env
Inside the env file, i notice a database username and password have been written on MySQL connection.
We should be creating a new webhook on the website which is the only difference would be the interval as */1 * * * *
As a result, let’s access MySQL with the credentials that we found earlier.
The screenshot above shows the tasks that have been created.
Let’s try to retrieve the root ssh private key so that we can access it via SSH Service.
At last, we managed to retrieve the SSH private key
Finally, we have successfully accessed the machine as root via SSH service.
We can read the root flag by typing the “cat root.txt” command