In this post, I would like to share a walkthrough of the Forgot Machine from Hack the Box.
This room is rated as a medium machine on Hack the Box.
What will you gain from the Forgot machine?
For the user flag, you will need to reset a user's password through a host header injection in the forgot password function. We then obtain SSH credentials by abusing the wildcard routes and the Varnish HTTP cache to retrieve a cached copy of the admin page.
As for the root flag, you will find SQL credentials in a Python file; with those, we insert malicious content into the MySQL database and escalate to root privileges that way.
Information Gathering on Forgot Machine
Once we have started the VPN connection, which requires downloading the VPN file from Hack the Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let's access the website interface.
There is a login page when we access the website itself.
Looking at the source code of the webpage, there is nothing interesting that we can poke at. As a result, let's enumerate by using the gobuster tool.
From the gobuster output, we can see that there are /forgot and /reset directories that we can access.
Forgot Password Vulnerability
Therefore, let's access the forgot page and try to reset the password for a username so that we can take advantage of the function.
* We can find the username in the source code, but we might obtain a different username every minute. *
We can see the message, highlighted in red above, that the "Password reset link has been sent to user inbox", but sadly we don't have any email inbox that we can use here.
Let's start our nc listener.
We notice that there is a token in the request traffic.
By default, we should be able to reset the password for the username.
It should look like something shown above.
Once we have changed the password, we should be able to log in to the Dashboard using the password that we set earlier.
Finally, we manage to access the Dashboard as shown above.
As a result, let's roam the Dashboard, where we find an Escalation Form as shown in the screenshot above.
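As an added illustration (not code from the box or from the author), the pattern this walkthrough exploits, a reset link built from the Host header, beside a hardened version that pins the origin to configuration, rejects unexpected hosts, stores only a hash of a random token and enforces expiry and single use. The origin forgot.example, the allowlist and the 15-minute TTL are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Assumed deployment values; the origin is configured, never taken from the request.
CANONICAL_ORIGIN = "https://forgot.example"
ALLOWED_HOSTS = {"forgot.example"}
TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

# Vulnerable pattern: the link trusts the Host header, so whoever controls that
# header controls where the victim's reset token is delivered.
def vulnerable_reset_link(host_header, token):
    return f"http://{host_header}/reset?" + urlencode({"token": token})

# Hardened pattern: server-side store of username -> (sha256(token), expiry).
_reset_store = {}

def issue_reset(host_header, username, now=None):
    """Reject unexpected hosts, mint a random token, keep only its hash."""
    if host_header.split(":")[0].lower() not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host_header!r}")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _reset_store[username] = (digest, now + TOKEN_TTL)
    return f"{CANONICAL_ORIGIN}/reset?" + urlencode({"token": token})

def consume_reset(username, token, now=None):
    """Return True once for a valid, unexpired token; False otherwise."""
    now = time.time() if now is None else now
    entry = _reset_store.get(username)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:
        del _reset_store[username]  # expired tokens are discarded
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, presented):
        return False
    del _reset_store[username]  # single use: a consumed token cannot be replayed
    return True
```

Host validation and a configured origin close the injection; hashing, expiry and single use limit the damage if a token does leak, for example through an HTTP cache.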
There are a few tickets that have been raised, and I notice one ticket stands out too much, such as "SSH Credentials are Not Working for Jenkins Slave Machine".
We can read the admin tickets by injecting the cached page via the Escalation form, which should leak the ticket information.
At last, we manage to obtain a password for Diego, which I assume is the credentials for the SSH service.
SSH access to the machine via Diego's credentials
As I predicted, they really are the credentials for the SSH service.
We can read the user flag by typing the command "cat user.txt".
Escalation to Root Privileges Access
As usual, we can look for a SUID binary or any other file that we can abuse later by running the command "sudo -l".
From the Python script file, we obtain details of the MySQL database.
Let's access MySQL by using the details that we obtained earlier.
We will be able to see the database list by running the command "show databases;" as shown above.
We can switch to the app database by using the command above.
Therefore, we can insert a command into the database that should turn /bin/bash into a SUID binary.
We should be able to run the script that we found earlier without receiving any major errors.
As a result, we should get a root shell by running the bash -p command.
We can read the root flag by executing the command "cat /root/root.txt".