In this post, I would like to share a walkthrough of the Rainyday Machine from Hack the Box


This room will be considered a Hard machine on Hack the Box

Rainyday

What will you gain from the RainyDay machine?


For the user flag, you will need to enumerate with the IDOR vulnerability which will leak hashes. After that, we need to crack the hash that we obtained and found one credential with which we can access the website. When we are inside the website itself, we can execute a python reverse shell to retrieve a shell. Then, we should be doing some port forwarding by using the chisel where we managed to find another subdomain that we can abuse. We should be accessing the website using the same credentials that we found earlier. For us to read the user’s private SSH key, we can run pspy64 to know where the file is located.


As for the root flag, you need to find the SUID binary which it’s a file called hash_password.py where we should get the secret salt. Then, we will be using secret salt to obtain the root password by trying to bruteforce it.

Information Gathering on RainyDay Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Enumerate the website interface


Let’s access the website interface

Graphical user interface, application, website

Description automatically generated

From the look of the website, we might be dealing with a container after managing to access the server via a reverse shell connection.


We only see a few functions such as Home, My Container, and Login on the website page. Therefore, let’s enumerate the directory by using dirsearch tool


As a result, we managed to see the login directory with the additional directory also there such as /api/ and /register


The website shows a login page when we are trying to access the login directory


The first attack that I will be trying would be SQL Injection(error based) and sadly, it’s a failure for the attack.

Graphical user interface, website

Description automatically generated

However, we can register a new account on the /register directory

Graphical user interface, website

Description automatically generated

Sadly, the response said, “Error – Registration is currently closed!

Enumeration on API Web Directory

Graphical user interface, text, application, email

Description automatically generated

Let’s see another directory which is /api/ and there’s something that we can look at inside the /api/ directory

Graphical user interface, application

Description automatically generated

We can see the list of the API by accessing the/api/list directory which jack is been assigned as a user. We can make use of the user “jack” in the latter stage of the escalation.

Graphical user interface

Description automatically generated

Sadly, there’s nothing that seems useful when trying to access the /api/healthcheck directory for now.


We can check the /api/user information by keying the id as 1 but sadly we have errors such as “Not allowed to view other users info!

Graphical user interface, application

Description automatically generated
Graphical user interface, text

Description automatically generated
Graphical user interface, text, application

Description automatically generated

However, we have managed to obtain some information by adding (.) after the id number

Graphical user interface, text

Description automatically generated

As we tested earlier, I notice that only three (3) users were saved on the machine.


We can use either john the ripper or hashcat to crack the hashes for us. Let’s move forward a little bit for this action because it will eventually take a long time to crack the hashes (the reason is it’s a bcrypt hashes)


In the end, we should be getting some results as shown below:

gary:$2b$12$WTik5.ucdomZhgsX6U/.meSgr14LcpWXsCA0KxldEw8kksUtDuAu:rubberducky

Containers details on the Rainyday (RainyCloud) machine

Graphical user interface, application

Description automatically generated

As shown in the screenshot above, we can create a New Container when accessing the “My Container” page.


Therefore, let’s create the new container by entering the details

Retrieve a Reverse Shell Connection on Docker


Let’s start our nc listener on our attacker’s machine


After that, we can click the “execute a command (background)” button and enter some python3 shell to retrieve the shell on the machine.

For your information: I have tried using python reverse shell and it doesn’t give me anything at all. As a result, i change to python3 and we managed to retrieve a reverse shell connection

Graphical user interface

Description automatically generated with medium confidence
Graphical user interface, text

Description automatically generated

At last, we managed to obtain a reverse shell but sadly it seems like a docker container.

Graphical user interface, text, chat or text message

Description automatically generated
Graphical user interface, text

Description automatically generated

The screenshot above shows that chisel is running on our attacker’s machine


The screenshot above also shows the chisel is running on the victim’s machine


However, the subdomain that we found have been given us an error such as “Access Denied – Invalid IP

Graphical user interface, text, application, email

Description automatically generated

As a result, we got the same page when we access the /api/


When we try to re-access the healthcheck directory again, we managed to see more information than before

Graphical user interface, text, application

Description automatically generated

As we register and login back intoc11 the dashboard, we found the same page on the “My Container” as before.


Let’s start our nc listener but we will be using a different port this time

Graphical user interface, text

Description automatically generated

Uwu! We managed to retrieve a new reverse shell again and let’s straight running psp64 on the spot


We notice that there’s sleep running on PID 1194

Graphical user interface, text, chat or text message

Description automatically generated

As a result, let’s see what is stored in that PID folder on /proc/1194/. As shown in the screenshot above, we can retrieve jack ssh id_rsa

Access the Rainyday machine by using SSH Access

Graphical user interface

Description automatically generated

As usual, we need to give permission to the id_rsa so that it will not ask for the password

Text

Description automatically generated

Finally, we have success the machine via SSH service.

A screenshot of a computer

Description automatically generated with medium confidence

We can read the user flag by executing the command “cat user.txt”

A screenshot of a computer

Description automatically generated with medium confidence

However, we can also obtain the user flag by reading the file user.txt on the container.

Escalate to Root Privileges Access on Rainyday Machine


Normally, we can see the SUID binary by running the command “sudo -l”


After a while of thinking, we can create a python code and save it into our file inside the /tmp/ directory

A screenshot of a computer

Description automatically generated with medium confidence

Therefore, we can run the file as jack_adm which will execute the python file and we change it into jack_adm user

Text

Description automatically generated

We can obtain any SUID binary by running the “sudo -l” command


Let’s create a file that contains the root hashes that we found earlier at /api/user/2.0 directory


We can filter the password with the key


Therefore, let’s crack the password by using either john the ripper or hashcat tool


Finally, we managed to obtain the root password as shown above


We should be able to access the root privileges by entering the password that we found during the cracking activity


We should be able to read the root flag by typing the “cat root.txt” command

Extra Information