In this post, I would like to share a walkthrough of the Broscience Machine from Hack the Box
This room will be considered an Insane machine on Hack the Box
What will you gain from the Broscience machine?
For the user flag, you will need to activate.php which it will be allowing the attacker to register a new account. An exploit of deserialization vulnerability which we obtain from the source code will help to craft a malicious PHP serialized object and double encode it which we send as the cookie. As a result, it will provide us with a shell on the machine. We should enumerate the MySQL database and find hashes that can be cracked so that we can access the new user.
As for the root flag, you need to inject a command in certification on OpenSSL to obtain a shell as root
Information Gathering on Broscience Machine
Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface
The domain cannot be accessed because we didn’t whitelist the domain yet on our /etc/hosts file
The screenshot above shows the website can finally be accessed by us and we only find a function that works such as the login page.
However, we didn’t manage to obtain any credentials that can be used over here.
From the gobuster, i notice there are a few directories that we can try to look at and analyze it further
The screenshot above shows the index of include and images
Therefore, let’s try to access one of the PHP files that resides inside the /include directory but we
However, we got a blank page when trying to access the utils.php file
I notice that there’s a Local File Inclusion Vulnerability detected on the web application so let’s try to inject the website with the “?path=../../../etc/passwd“. Sadly, we only obtain an error saying “Attack detected“
Enumerate the website with Path Injection
As a result, let’s encode the path and try to inject it into the application. We managed to get a good response from that
Let’s try to access the db_connect.php with it encoded and surprisingly we got a PHP source code for that
Another PHP file that we need to analyze further is register.php
If you have fully analyzed the source code, you will notice that we are required to obtain the activation link via email but sadly we don’t have any valid email to be used on this machine itself.
The screenshot above shows what the activation code looks like in burpsuite interface
We can copy-paste the source code into our machine if you want to look at the coloring syntax
Therefore, let’s start our Python server on our terminal
We also need to PHP the activate code so that we can use it to bypass the process to validate the activation code
Next, we should copy the activation code that has been encoded with the PHP into Burpsuite under /activate.php?code=”activation code”
Don’t worry too much if you don’t get it to work on your first try because it takes me around more than 4 tries before i managed to make it works
Successfully logged into the Dashboard
At last, we managed to successfully access the dashboard
As a result, let’s create a PHP file that contains the reverse shell command
The code above is used for retrieving the file that contains the reverse shell code
We should encode it with PHP so that we can use it to paste on the cookie section
Let’s start our python server.
After a while, the respondents say that the file has been successfully transferred
Let’s call the file that contains the reverse shell back so that it will trigger the shell
Boom! We have finally retrieved the reverse shell connection back to us.
We should be looking at the same directory that we found earlier during the website enumeration
Let’s enter the credentials that we obtain from the db_connect.php
Therefore, let’s access the database by using the credentials that we found inside the db_connect.php earlier.
We managed to obtain the hashes of the username and password
I put all the hashes into a file called hashes
We managed to obtain three credentials that we can try to access the machine
Uwu! We have successfully escalated to a new user which is bill with the password that we find earlier
However, i will try access via SSH service because it’s more stable than reverse shell
We can read the user flag by running the “cat user.txt” command
Escalate to Root Privileges Access on Broscience
As usual, we can find the SUID binary by typing “sudo -l” command but sadly the user cannot run the sudo command
The next step of finding the SUID binary or malicious file by running pspy64 so let’s upload the pspy64 into the victim’s machine
Let’s start the pspy64 and wait to see any malicious file or process that stands out
After a while, we managed to see some interesting process
Let’s analyze the source code inside the renew_cert.sh file
As a result, let’s execute the command above and enter only the chmod u+s /bin/bash on the Common Name(e.g. server FQDN or Your name) column
The bash have been assigned to SUID Binary
Therefore, let’s execute the command above
We can read the root flag by typing the “cat /root/root.txt” command