In this post, I would like to share a walkthrough of the Bagel machine from Hack the Box.


This room is considered a medium machine on Hack the Box.

What will you gain from the Bagel machine?


For the user flag, you will need to abuse the Local File Inclusion (LFI), which reveals the processes of the system and leads to obtaining the credentials. As a result, we will try to take advantage of JSON deserialization so that we can access the machine.


As for the root flag, you need to abuse the dotnet script, which will allow us to read the flag.

Information Gathering on Bagel Machine


Once we have started the VPN connection, which requires a download from Hack the Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

[darknite@parrot]─[~/Document/htb/Bagel]
└──╼ $nmap -sC -sV 10.10.11.201 -oA initial 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-02 18:40 EST
Nmap scan report for 10.10.11.201
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.8 (protocol 2.0)
| ssh-hostkey: 
|   256 6e:4e:13:41:f2:fe:d9:e0:f7:27:5b:ed:ed:cc:68:c2 (ECDSA)
|_  256 80:a7:cd:10:e7:2f:db:95:8b:86:9b:1b:20:65:2a:98 (ED25519)
5000/tcp open  upnp?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 400 Bad Request
|     Server: Microsoft-NetCore/2.0
|     Date: Thu, 02 Mar 2023 23:40:56 GMT
|     Connection: close
|   HTTPOptions: 
|     HTTP/1.1 400 Bad Request
|     Server: Microsoft-NetCore/2.0
|     Date: Thu, 02 Mar 2023 23:41:13 GMT
|     Connection: close
|   Help: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/html
|     Server: Microsoft-NetCore/2.0
|     Date: Thu, 02 Mar 2023 23:41:24 GMT
|     Content-Length: 52
|     Connection: close
|     Keep-Alive: true
|     <h1>Bad Request (Invalid request line (parts).)</h1>
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/html
|     Server: Microsoft-NetCore/2.0
|     Date: Thu, 02 Mar 2023 23:40:56 GMT
|     Content-Length: 54
|     Connection: close
|     Keep-Alive: true
|     <h1>Bad Request (Invalid request line (version).)</h1>
|   SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/html
|     Server: Microsoft-NetCore/2.0
|     Date: Thu, 02 Mar 2023 23:41:25 GMT
|     Content-Length: 52
|     Connection: close
|     Keep-Alive: true
|     <h1>Bad Request (Invalid request line (parts).)</h1>
|   TLSSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/html
|     Server: Microsoft-NetCore/2.0
|     Date: Thu, 02 Mar 2023 23:41:26 GMT
|     Content-Length: 52
|     Connection: close
|     Keep-Alive: true
|_    <h1>Bad Request (Invalid request line (parts).)</h1>
8000/tcp open  http-alt Werkzeug/2.2.2 Python/3.10.9
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 NOT FOUND
|     Server: Werkzeug/2.2.2 Python/3.10.9
|     Date: Thu, 02 Mar 2023 23:40:57 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 207
|     Connection: close
|     <!doctype html>
|     <html lang=en>
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.1 302 FOUND
|     Server: Werkzeug/2.2.2 Python/3.10.9
|     Date: Thu, 02 Mar 2023 23:40:51 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 263
|     Location: http://bagel.htb:8000/?page=index.html
|     Connection: close
|     <!doctype html>
|     <html lang=en>
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
|     <p>You should be redirected automatically to the target URL: <a href="http://bagel.htb:8000/?page=index.html">http://bagel.htb:8000/?page=index.html</a>. If not, click the link.
|   Socks5: 
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request syntax ('
|     ').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
|_http-server-header: Werkzeug/2.2.2 Python/3.10.9
|_http-title: Did not follow redirect to http://bagel.htb:8000/?page=index.html

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.02 seconds

Let’s try to access the website interface on port 8000, which we found earlier in the Nmap result.

As a result, we should whitelist the domain so that we can access the website interface.

We can see the packet in Burp Suite, and the response has redirected us to a different URL.

From the look of the request, I’m guessing that the application is vulnerable to Local File Inclusion (LFI).


Therefore, let’s run our proof of concept by trying to access /etc/passwd, and it works as I expected.
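
From the defender's side, the file read above is what happens when a page parameter is joined directly onto a directory path. The following is an added example, not code from the Bagel application: it assumes a handler that serves files from a static directory, and the names naive_resolve, safe_resolve and demo as well as the sample files are constructed for illustration.

```python
import os
import tempfile

def naive_resolve(base_dir, page):
    """Assumed vulnerable pattern: user input joined straight onto the base path."""
    # os.path.join discards base_dir entirely when page is an absolute path
    return os.path.join(base_dir, page)

def safe_resolve(base_dir, page):
    """Return the real path of page only if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks before the check
    candidate = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate

def demo():
    """Compare both resolvers on a constructed web root.

    Returns {page: (naive_escapes_root, safe_resolver_serves_it)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        static = os.path.join(root, "static")
        os.mkdir(static)
        with open(os.path.join(static, "index.html"), "w") as f:
            f.write("<h1>ok</h1>")
        with open(os.path.join(root, "secret.txt"), "w") as f:
            f.write("outside web root")
        prefix = os.path.realpath(static) + os.sep
        pages = ["index.html", "../secret.txt", "/etc/passwd",
                 "../../../../etc/passwd"]
        for page in pages:
            naive = os.path.realpath(naive_resolve(static, page))
            escaped = not naive.startswith(prefix)
            results[page] = (escaped, safe_resolve(static, page) is not None)
    return results

if __name__ == "__main__":
    for page, outcome in demo().items():
        print(page, outcome)
```

A handler that gets None back should answer with a 404 rather than echoing the requested path.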


As we don’t know anything else, we can try to get around that by looking at the latest directory or file that the server accessed.


At last, we found a Python file that we can investigate further.

Inside the Python file, we notice some files that we can try to take advantage of. I notice that there’s a WebSocket connection such as http://127.0.0.1:5000


We should try to brute-force the cmdline command, which leads to a DLL file that resides inside /opt/bagel/bin/Debug/net6.0

Inside the DLL file, we managed to find content that looks like the Dotnet language.

We should analyze the bagel.dll file using dnSpy.


The screenshot above shows the dnSpy interface used to analyze bagel.dll.


In the database function of bagel.dll, I found one password that we can use later.

Enumerate with Local File Inclusion (LFI) using python


As some people are already aware, I’m not good with programming, so I asked ChatGPT for help to generate a Python script for me.


At last, we managed to obtain an SSH public key from the machine.


We should give execution permission to the file.


Finally, we have successfully accessed the machine via the SSH service.


We can read the user flag by typing the “cat user.txt” command.

Escalate to Root Privileges Access


Previously, we noticed that there are other users, so let’s change to that user (developer).

As usual, let’s enumerate by typing the “sudo -l” command, and notice that we can run dotnet with root access.


Therefore, let’s execute dotnet with fsi, which looks like what is shown above.


As a result, we can execute the command above.


At last, we have a root shell on the machine.


We can read the root flag by typing the “cat root.txt” command.

Extra Information
