In this post, I would like to share a walkthrough of the Interface machine from Hack The Box.
This machine is rated medium on Hack The Box.
What will you gain from the Interface machine?
For the user flag, you will need to do some fuzzing, which reveals an endpoint that accepts a file upload, specifically an HTML file. As a result, we can exploit the dompdf tool through a remote code execution flaw, which gives us a PHP reverse shell.
As for the root flag, you need to abuse a cron task: the machine runs a cleanup script that we need to find a way around. We will bypass it by taking advantage of the cleancache script so that it gives us a SUID binary.
Enumeration on the machine
Information Gathering on Interface Machine
Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface
Sadly, there is nothing worth investigating on the website interface itself
Instead, let’s look at the traffic in Burp Suite in case the responses contain anything useful for later. Indeed, we find a domain in the response under the Content-Security-Policy header
When we try to access that domain, an error appears saying “File not found”
Directory fuzzing with ffuf with the domain
We obtained the directory /vendor/ while enumerating with ffuf, so let’s try to access it
Sadly, there’s an error saying “Access denied”, so let’s enumerate the directory even further
This time we find a new directory, dompdf, inside the /vendor/ directory
Again, we hit a dead end here with the error message “Access denied”
The screenshot above shows the request and response in Burp Suite. Next, let’s try the /api/ directory, which might give us some useful information.
The response indicates that the server or application is exposing an API
Further enumeration under the API directory reveals a new endpoint, html2pdf
Weaponization with Dompdf vulnerability
Exploiting the dompdf vulnerability on the Interface machine
Let’s execute the payload from the dompdf exploitation page, which you can see in the screenshot above.
From there, we should be able to place the reverse shell in <filename>.php, the file we referenced within the CSS file and which gets called as PHP.
Firstly, we need to start our Python server on our attacker machine.
However, I got the error “File not found” again on this page.
As mentioned on the exploit page, let’s change the
Therefore, let’s get pwncat-cs started on our attacker machine
Initial Access to the machine
Trying to retrieve reverse shell connection from dompdf vulnerability
Based on the exploit we found earlier, we can perform the file transfer via Burp Suite
However, we do not get the expected requests on the Python server; it should be serving both the CSS file and the PHP file
As a result, we need to use the md5sum of the URL we will be using in the exploit, so that the exploit works like a charm.
In this part of the activity, we can run the exploitation from the exploit page using the curl command
After a while of troubleshooting, we finally get a positive response on the Python server
Finally, we managed to get the reverse shell connection back to us.
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access
To analyze the server’s files and processes, we use pspy64 and transfer it to the victim machine
By default it is not executable, so we give the pspy64 file execute permission as shown in the screenshot above.
Executing pspy64 on the machine to analyze the process
While reviewing the pspy64 output, we notice a bash script, cleancache.sh, which we can abuse
The file can be located at the location.
The script in the file looks something like what is shown above.
The /bin/bash file still cannot be used to escalate to root privileges as it is
The command above shows the method that will escalate us to root access
We should then have the cleancache bash script executed
At last, the permission on /bin/bash has changed and it is now a SUID binary
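The two weaknesses this box relies on for root, a cron job whose script can be influenced by an unprivileged user and a setuid bit appearing on /bin/bash, are both easy for a defender to spot. The script below is an added example of that kind of check; it is not from the original write-up or from the machine, and it assumes GNU find and a baseline file of expected setuid paths (the path /var/lib/suid-baseline.txt and the --audit flag are this example’s own choices).

```shell
#!/usr/bin/env bash
# Added defender-side example, not code from the original write-up or the box.
# Two quick audits for the weaknesses shown above: a setuid bit that has
# appeared on a binary that should not carry one, and a root cron job whose
# script is writable by an unprivileged user.

# find_unexpected_suid DIR BASELINE
#   Print every setuid file under DIR that is not listed (one path per line)
#   in the BASELINE file recorded from a known-good state of the host.
#   If the baseline is missing, every setuid file is reported.
find_unexpected_suid() {
    local dir="$1" baseline="$2"
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | sort |
        while IFS= read -r f; do
            grep -qxF -- "$f" "$baseline" 2>/dev/null || printf '%s\n' "$f"
        done
    true   # the pipeline's exit status is not meaningful to callers
}

# check_cron_scripts CRONTAB
#   Read a user-crontab-style file (five time fields, or an @keyword, then
#   the command) and print the command's program path when that file is
#   writable by group or others. If root runs the job, whoever can write
#   the script runs code as root.
check_cron_scripts() {
    local crontab="$1"
    awk '$1 ~ /^#/ || NF < 2 { next }
         $1 ~ /^@/ { print $2; next }
         NF >= 6   { print $6 }' "$crontab" |
        while IFS= read -r p; do
            [ -f "$p" ] || continue
            # GNU find: -perm /022 matches if any of g+w or o+w is set
            find "$p" -maxdepth 0 -perm /022 -print 2>/dev/null
        done
    true
}

# audit_host [BASELINE]
#   Run both checks against the live system (needs root to read root's crontab).
audit_host() {
    local baseline="${1:-/var/lib/suid-baseline.txt}"   # assumed path
    local tmp="/tmp/root-crontab.$$"
    echo "== setuid files not in baseline =="
    find_unexpected_suid / "$baseline"
    echo "== group/world-writable scripts in root's crontab =="
    if crontab -l -u root >"$tmp" 2>/dev/null; then
        check_cron_scripts "$tmp"
    fi
    rm -f "$tmp"
}

# Stand-alone use: ./audit.sh --audit [BASELINE]
case "${1:-}" in
    --audit) shift; audit_host "$@" ;;
esac
```

Record the baseline with find / -xdev -type f -perm -4000 on a freshly built host; after that, any new line in the first section (such as /bin/bash) is a change that should be explained, and any path in the second section is a cron job that a local user could turn into root code execution.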
We can read the root flag by typing the “cat /root/root.txt” command