In this post, I would like to share a walkthrough of the Broscience Machine from Hack the Box

This room will be considered an Insane machine on Hack the Box

What will you gain from the Broscience machine?

For the user flag, you will need to activate.php which it will be allowing the attacker to register a new account. An exploit of deserialization vulnerability which we obtain from the source code will help to craft a malicious PHP serialized object and double encode it which we send as the cookie. As a result, it will provide us with a shell on the machine. We should enumerate the MySQL database and find hashes that can be cracked so that we can access the new user.

As for the root flag, you need to inject a command in certification on OpenSSL to obtain a shell as root

Information Gathering on Broscience Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface

The domain cannot be accessed because we didn’t whitelist the domain yet on our /etc/hosts file

The screenshot above shows the website can finally be accessed by us and we only find a function that works such as the login page.

However, we didn’t manage to obtain any credentials that can be used over here.

From the gobuster, i notice there are a few directories that we can try to look at and analyze it further

The screenshot above shows the index of include and images

Therefore, let’s try to access one of the PHP files that resides inside the /include directory but we

However, we got a blank page when trying to access the utils.php file

I notice that there’s a Local File Inclusion Vulnerability detected on the web application so let’s try to inject the website with the “?path=../../../etc/passwd“. Sadly, we only obtain an error saying “Attack detected

Enumerate the website with Path Injection

As a result, let’s encode the path and try to inject it into the application. We managed to get a good response from that

Let’s try to access the db_connect.php with it encoded and surprisingly we got a PHP source code for that

Another PHP file that we need to analyze further is register.php

If you have fully analyzed the source code, you will notice that we are required to obtain the activation link via email but sadly we don’t have any valid email to be used on this machine itself.

The screenshot above shows what the activation code looks like in burpsuite interface

We can copy-paste the source code into our machine if you want to look at the coloring syntax

Therefore, let’s start our Python server on our terminal

Let’s register our new account so that we can access the dashboard

We also need to PHP the activate code so that we can use it to bypass the process to validate the activation code

Next, we should copy the activation code that has been encoded with the PHP into Burpsuite under /activate.php?code=”activation code”

Don’t worry too much if you don’t get it to work on your first try because it takes me around more than 4 tries before i managed to make it works

Successfully logged into the Dashboard

At last, we managed to successfully access the dashboard

As a result, let’s create a PHP file that contains the reverse shell command

The code above is used for retrieving the file that contains the reverse shell code

We should encode it with PHP so that we can use it to paste on the cookie section

Let’s start our python server.

After a while, the respondents say that the file has been successfully transferred

Let’s call the file that contains the reverse shell back so that it will trigger the shell

Boom! We have finally retrieved the reverse shell connection back to us.

We should be looking at the same directory that we found earlier during the website enumeration

Let’s enter the credentials that we obtain from the db_connect.php

Therefore, let’s access the database by using the credentials that we found inside the db_connect.php earlier.

We managed to obtain the hashes of the username and password

I put all the hashes into a file called hashes

We managed to obtain three credentials that we can try to access the machine

Uwu! We have successfully escalated to a new user which is bill with the password that we find earlier

However, i will try access via SSH service because it’s more stable than reverse shell

We can read the user flag by running the “cat user.txt” command

Escalate to Root Privileges Access on Broscience

As usual, we can find the SUID binary by typing “sudo -l” command but sadly the user cannot run the sudo command

The next step of finding the SUID binary or malicious file by running pspy64 so let’s upload the pspy64 into the victim’s machine

Let’s start the pspy64 and wait to see any malicious file or process that stands out

After a while, we managed to see some interesting process

Let’s analyze the source code inside the file

As a result, let’s execute the command above and enter only the chmod u+s /bin/bash on the Common Name(e.g. server FQDN or Your name) column

The bash have been assigned to SUID Binary

Therefore, let’s execute the command above

We can read the root flag by typing the “cat /root/root.txt” command

Extra Information on broscience machine

Leave a Reply

Your email address will not be published. Required fields are marked *