In this post, I would like to share a walkthrough of the Forgot Machine from Hack the Box


This room will be considered a medium machine on Hack the Box

What will you gain from the Forgot machine?


For the user flag, you will need to reset the user’s password by running the host header injection where we will use a forgot password vulnerability. We should be getting SSH creds when we try to abuse the wildcard routes and use the Varnish HTTP cache to get the cache of the admin page.


As for the root flag, you will find an SQL credential in the python file where we should inject some malicious code into the MySQL database. As a result, we will escalate to root privileges access that way

Information Gathering on Forgot Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Text

Description automatically generated

Let’s access the website interface

Graphical user interface, text, chat or text message

Description automatically generated

There is a login page interface when we try to access the website itself.


By looking at the source code of the webpage, there is nothing interesting that we can poke it with. As a result, let’s enumerate by using gobuster tool


From the gobuster output, we managed to sight that there’s a /forgot and /reset directory that we can access.

Forgot Password Vulnerability


Therefore, let’s access the forgot page and try to reset the username so that we can take advantage of the function.

* We can find the username from the source code, but we might be obtaining different usernames every minute. *


We can see the message above that highlighted in red that the “Password reset link has been sent to user inbox” but sadly, we don’t have any email or inbox that we can use over here.


Let’s start our nc listener


We managed to notice that there’s a token for the request of the traffic.


By default, we should be able to reset the password for the username


It should look like something shown above.


Once we managed to change the password, we should be able to login to the Dashboard by using the password that we changed earlier.


Finally, we managed to access the Dashboard as shown above.


As a result, let’s roam the Dashboard and managed to find an Escalation Form as shown in the screenshot above.


There are a few tickets that have been raised and I notice one ticket stands out too much such as “SSH Credentials are Not Working for Jenkins Slave Machine


We can read the admin tickets by injecting the cache page on the Escalation form which should leak the tickets information


At last, we manage to obtain a password for Diego which I assume it’s the credentials for SSH service.

SSH access to the machine via diego credentials


As i predicted, it really the credentials for the SSH service.


We can read the user flag by typing the command “cat user.txt

Escalation to Root Privileges Access


As usual, we can find the SUID binary or any file that we can abuse later by running the command “sudo -l


From the python script file, we managed to obtain details on the MySQL database.


Let’s access MySQL by using the details that we obtained earlier.


We will able to see the database list by running the command “show databases;” as shown above


We can change the database to the app by using the command above.


Therefore, we can insert some command into the database where we should be able to change the /bin/bash into the SUID binary


We should be able to run the script that we obtained earlier, and we don’t receive any major errors.


As a result, we should be getting the root shell by running the bash -p command


We can read the root flag by executing the command “cat /root/root.txt

Extra Information