In this post, I would like to share a walkthrough of the Interface Machine from Hack the Box


This room will be considered a medium machine on Hack the Box

What will you gain from the Interface machine?


For the user flag, you will need to do some fuzzing, which reveals an endpoint for uploading a file, specifically in the HTML file format. As a result, we can exploit the dompdf tool to get Remote Code Execution, which gives us a PHP reverse shell.


As for the root flag, you need to abuse a cron task: the machine has a cleanup script, and we need to find a way to work around it. We will take advantage of the cleancache script so that it allows us to obtain the SUID permission.

Enumeration on the machine

Information Gathering on Interface Machine


Once we have started the VPN connection, which requires a download from Hack the Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


Let’s access the website interface


Sadly, there is nothing that we can investigate regarding the website interface


As a result, let’s investigate via Burpsuite in case we find anything useful that we can use later. We managed to find a domain in the response, under the Content-Security-Policy header


When we try to access the website, an error appears: “File not found”

Directory fuzzing with ffuf with the domain


We managed to obtain the directory /vendor/ when enumerating with ffuf, so let’s try to access it


Sadly, there’s an error saying “Access denied” so let’s enumerate the directory even further


However, we managed to find a new directory, dompdf, that resides inside the /vendor/ directory


Again, we hit a dead end here, seeing the error message “Access denied”


The screenshot above shows the packet via Burpsuite. Therefore, let’s try to access the /api/ directory, where we might retrieve some useful information.


However, we got a response showing an API packet, which indicates that the server or application is using an API


In another enumeration under the API directory, we managed to find a new directory, html2pdf

Weaponization with Dompdf vulnerability

Exploiting the dompdf vulnerability on the Interface machine


Let’s execute the payload that we have seen on the dompdf exploitation page, which you can see in the screenshot above.


On the other hand, we should be able to insert the reverse shell into the <filename>.php, which is the file that we configured within the CSS file and which can be called as the PHP file.


Firstly, we are required to start our Python server on our attacker’s machine.


However, I got the error “File not found” again on this page.


As mentioned on the exploit page, let’s change the


Therefore, let’s start pwncat-cs on our attacker’s machine

Initial Access to the machine

Trying to retrieve reverse shell connection from dompdf vulnerability


Based on the exploit that we found earlier, we can transfer the file via Burpsuite


However, we do not get the expected response on the Python server, where we should see a response for both the CSS file and the PHP file


As a result, we should take the md5sum of the URL that we will be using in the exploit so that the exploit will work like a charm.


In this part of the activity, we can use the exploit mentioned earlier by using the curl command


After a while of troubleshooting the issues, we finally get a positive response on the Python server


Finally, we managed to retrieve the reverse shell connection back to us.


We can read the user flag by typing the “cat user.txt” command

Lateral Movement

Escalate to Root Privileges Access


For us to analyze the server’s files and processes, we should use pspy64, so let’s transfer pspy64 onto our victim’s machine


We need to give the pspy64 file execute permission, as shown in the screenshot above.

Executing pspy64 on the machine to analyze the process


While we analyze the pspy64 output, we notice that there is a bash script, cleancache.sh, which we can abuse


The file can be located at the location.


The script in the file looks like what is shown above.


The /bin/bash file still cannot be used to escalate to root privileges, as normal


The command above shows the method that will escalate to root access


We should execute the bash file on the cleancache


At last, the /bin/bash permission has changed and it is now a SUID binary


We can read the root flag by typing the “cat /root/root.txt” command
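
A defender-side check for the end state described above, where /bin/bash has gained the SUID bit: this added example (not from the original post) audits shell interpreters for setuid/setgid bits. The function name audit_suid_shells and the default candidate list are assumptions.

```shell
#!/bin/sh
# Added example: flag shell interpreters that carry setuid/setgid bits.
# A shell should never be setuid; finding one means a privileged job
# (for example a root cron script) was influenced by a lower-privileged user.
#
# audit_suid_shells [path...]
#   With no arguments, candidates are /bin/bash, /bin/sh and every entry
#   in /etc/shells (assumed to list the host's login shells).
#   Prints "SETUID <path>" / "SETGID <path>" per finding.
#   Returns 1 if anything was found, 0 if all candidates are clean.
audit_suid_shells() {
    if [ "$#" -eq 0 ]; then
        set -- /bin/bash /bin/sh \
            $( [ -r /etc/shells ] && grep -v '^#' /etc/shells )
    fi
    found=0
    seen=""
    for candidate in "$@"; do
        [ -e "$candidate" ] || continue
        # Resolve symlinks so that e.g. /bin/sh -> dash is checked as the real file.
        real=$(readlink -f "$candidate" 2>/dev/null) || real=$candidate
        # Skip files already reported under another name.
        case " $seen " in *" $real "*) continue ;; esac
        seen="$seen $real"
        if [ -u "$real" ]; then
            echo "SETUID $real"
            found=1
        fi
        if [ -g "$real" ]; then
            echo "SETGID $real"
            found=1
        fi
    done
    return "$found"
}

# Typical use from a monitoring job:
#   audit_suid_shells || echo "shell interpreter with setuid/setgid bit found"
```

Running it on a schedule, or right after any root-owned cron job that processes user-writable files, surfaces this kind of change quickly.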

Extra Information