In this post, I would like to share a walkthrough of the Mentor machine from Hack The Box.
This machine is rated medium on Hack The Box.
What will you gain from the Mentor machine?
For the user flag, you will need to enumerate the new subdomain, API.mentorquotes.htb. We obtained API documentation that lists all the endpoints. The web application is vulnerable to command injection, which we used to obtain a reverse shell. Once inside the machine, we need to find credentials, especially the database credentials, and dump the hashes from the database. We obtain the password of the user James from the SNMP configuration file.
As for the root flag, you only need to run the sh binary through sudo, which gives us root privileges.
Information Gathering on Mentor Machine
Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by running the command nmap -sC -sV -p- <IP Address> -PN.
Let's access the website interface.
However, nothing looks interesting at all for now.
I was curious whether any UDP port is open to the public.
Therefore, let's enumerate SNMP by running the snmpwalk command shown above.
The gobuster result only led to a dead-end path.
Therefore, let's enumerate the virtual hosts on the machine; this returns a lot of subdomains.
We can narrow this down to the subdomain we need by running wfuzz with the command above.
Let's access the subdomain that we found earlier.
Enumerate the API subdomain on the mentor machine
As the subdomain suggests, it's a web API that speaks JSON.
We should sign up for an account as in the screenshot above.
The screenshot above shows the different ways to call the endpoint, such as curl.
Finally, we can try to log in to the dashboard with the credentials we created earlier, including the email address.
By default, we should get the same response as in the screenshot above.
We can also send the request from our terminal using curl, but sadly we got an error saying "Only admin users can access this resource".
We can also use Burp Suite to obtain the information, as shown above.
Therefore, we can retrieve the available users by accessing the /users/ endpoint.
As a result, we can access the /admin/ endpoint, adding the Authorization header we found earlier, and it returns JSON data.
At last, we found the /admin/backup endpoint, whose response says "Method Not Allowed".
We need to change the Content-Type to application/json, after which we get a JSON response.
Let’s start our listener so that we can obtain the reverse shell connection back to us.
We inserted the reverse shell command via Burp Suite, but nothing happened.
However, after switching to a different reverse shell command, it works like a charm!
Sadly, we got an error when trying to catch the shell with pwncat-cs.
Never mind, we can switch to a plain, common listener such as nc -lvnp 9007.
Finally, we managed to obtain the reverse shell back to us.
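The weak spot here is a backup endpoint that runs request input through a shell. As an added illustration (not the Mentor application's own code), the following hypothetical handler shows the vulnerable shell-string pattern beside an argv-based version with path validation; the backup root, allow-list and function names are assumptions.

```python
"""Hypothetical backup handler (assumed names) showing the shell-string
pattern that causes command injection beside a hardened argv version."""
import re
import subprocess
from pathlib import Path

# Assumed policy: only plain paths made of these characters are accepted.
SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]+")
# Constructed backup root for this example, not the real app's layout.
BACKUP_ROOT = Path("/tmp/backups")


def build_unsafe_command(path: str) -> str:
    """Vulnerable pattern: the request field is pasted into a shell string.
    Run with subprocess.run(cmd, shell=True), any shell metacharacter in
    `path` becomes part of the command line."""
    return f"tar -czf backup.tar.gz {path}"


def validate_path(path: str) -> Path:
    """Allow-list the characters, then make sure the resolved path still
    lives under BACKUP_ROOT (this also blocks '..' and absolute paths)."""
    if not SAFE_PATH.fullmatch(path):
        raise ValueError("path contains disallowed characters")
    root = BACKUP_ROOT.resolve()
    target = (root / path).resolve()
    if not target.is_relative_to(root):
        raise ValueError("path escapes the backup root")
    return target


def is_safe_path(path: str) -> bool:
    """Boolean wrapper around validate_path, handy for logging and tests."""
    try:
        validate_path(path)
        return True
    except ValueError:
        return False


def build_safe_argv(path: str) -> list[str]:
    """Hardened pattern: argv list, no shell, validated input, and '--' so
    the path can never be parsed as a tar option."""
    return ["tar", "-czf", "backup.tar.gz", "--", str(validate_path(path))]


def run_backup(path: str) -> subprocess.CompletedProcess:
    """Run the hardened command; shell=False is the default and stays so."""
    return subprocess.run(build_safe_argv(path), capture_output=True, check=False)


if __name__ == "__main__":
    for candidate in ["quotes/2023", "quotes; id", "../etc"]:
        print(f"{candidate!r}: safe={is_safe_path(candidate)}")
```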
There's a file called db.py saved in the /app/app/ directory.
While analysing the source code of db.py, I noticed it contains credentials for the PostgreSQL database, which we can take advantage of.
Enumeration using psql database
Sadly, we cannot transfer the file using curl.
However, we managed to upload chisel using wget.
The screenshot above shows how to set up port forwarding between the target and our machine.
Let's try to access the PostgreSQL database with those credentials.
We can run \dt to list the relations in the database.
As usual, we can retrieve the user information by running the command "select * from users;".
At last, from the hash we obtained the password service_acc, which is also used by the svc user.
With that, we managed to gain access via the SSH service.
We can read the user flag by typing the command "cat user.txt".
Escalate to Root Privileges Access
First, we need to upload linpeas to the victim's machine.
We should give the linpeas file execute permission.
From the linpeas output, we notice a configuration file that we should analyse further.
In that file, we find the password of another user.
I managed to switch to the other user with the password we found.
However, running the "sudo -l" command reveals a binary that we can abuse.
Escalating to root is then a single step: run the command "sudo /bin/sh".
We can read the root flag by running the command "cat /root/root.txt".