In this post, I would like to share a walkthrough of the Rainyday Machine from Hack the Box
This room will be considered a Hard machine on Hack the Box
What will you gain from the RainyDay machine?
For the user flag, you will need to enumerate with the IDOR vulnerability which will leak hashes. After that, we need to crack the hash that we obtained and found one credential with which we can access the website. When we are inside the website itself, we can execute a python reverse shell to retrieve a shell. Then, we should be doing some port forwarding by using the chisel where we managed to find another subdomain that we can abuse. We should be accessing the website using the same credentials that we found earlier. For us to read the user’s private SSH key, we can run pspy64 to know where the file is located.
As for the root flag, you need to find the SUID binary which it’s a file called hash_password.py where we should get the secret salt. Then, we will be using secret salt to obtain the root password by trying to bruteforce it.
Information Gathering on RainyDay Machine
Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Enumerate the website interface
Let’s access the website interface
From the look of the website, we might be dealing with a container after managing to access the server via a reverse shell connection.
We only see a few functions such as Home, My Container, and Login on the website page. Therefore, let’s enumerate the directory by using dirsearch tool
As a result, we managed to see the login directory with the additional directory also there such as /api/ and /register
The website shows a login page when we are trying to access the login directory
The first attack that I will be trying would be SQL Injection(error based) and sadly, it’s a failure for the attack.
However, we can register a new account on the /register directory
Sadly, the response said, “Error – Registration is currently closed!”
Enumeration on API Web Directory
Let’s see another directory which is /api/ and there’s something that we can look at inside the /api/ directory
We can see the list of the API by accessing the/api/list directory which jack is been assigned as a user. We can make use of the user “jack” in the latter stage of the escalation.
Sadly, there’s nothing that seems useful when trying to access the /api/healthcheck directory for now.
We can check the /api/user information by keying the id as 1 but sadly we have errors such as “Not allowed to view other users info!”
However, we have managed to obtain some information by adding (.) after the id number
As we tested earlier, I notice that only three (3) users were saved on the machine.
We can use either john the ripper or hashcat to crack the hashes for us. Let’s move forward a little bit for this action because it will eventually take a long time to crack the hashes (the reason is it’s a bcrypt hashes)
In the end, we should be getting some results as shown below:
Containers details on the Rainyday (RainyCloud) machine
As shown in the screenshot above, we can create a New Container when accessing the “My Container” page.
Therefore, let’s create the new container by entering the details
Retrieve a Reverse Shell Connection on Docker
Let’s start our nc listener on our attacker’s machine
After that, we can click the “execute a command (background)” button and enter some python3 shell to retrieve the shell on the machine.
For your information: I have tried using python reverse shell and it doesn’t give me anything at all. As a result, i change to python3 and we managed to retrieve a reverse shell connection
At last, we managed to obtain a reverse shell but sadly it seems like a docker container.
The screenshot above shows that chisel is running on our attacker’s machine
The screenshot above also shows the chisel is running on the victim’s machine
However, the subdomain that we found have been given us an error such as “Access Denied – Invalid IP”
As a result, we got the same page when we access the /api/
When we try to re-access the healthcheck directory again, we managed to see more information than before
As we register and login back intoc11 the dashboard, we found the same page on the “My Container” as before.
Let’s start our nc listener but we will be using a different port this time
Uwu! We managed to retrieve a new reverse shell again and let’s straight running psp64 on the spot
We notice that there’s sleep running on PID 1194
As a result, let’s see what is stored in that PID folder on /proc/1194/. As shown in the screenshot above, we can retrieve jack ssh id_rsa
Access the Rainyday machine by using SSH Access
As usual, we need to give permission to the id_rsa so that it will not ask for the password
Finally, we have success the machine via SSH service.
We can read the user flag by executing the command “cat user.txt”
However, we can also obtain the user flag by reading the file user.txt on the container.
Escalate to Root Privileges Access on Rainyday Machine
Normally, we can see the SUID binary by running the command “sudo -l”
After a while of thinking, we can create a python code and save it into our file inside the /tmp/ directory
Therefore, we can run the file as jack_adm which will execute the python file and we change it into jack_adm user
We can obtain any SUID binary by running the “sudo -l” command
Let’s create a file that contains the root hashes that we found earlier at /api/user/2.0 directory
We can filter the password with the key
Therefore, let’s crack the password by using either john the ripper or hashcat tool
Finally, we managed to obtain the root password as shown above
We should be able to access the root privileges by entering the password that we found during the cracking activity
We should be able to read the root flag by typing the “cat root.txt” command