In this post, I would like to share a walkthrough of the Inject Machine from Hack the Box

This room will be considered an Easy machine on Hack the Box

What will you gain from the Inject machine?

For the user flag, you will need to execute the PATH Traversal which leaks the framework application where it is using Spring Cloud Framework. The vulnerability is vulnerable to RCE which is called CVE-2022-22963 which will lead to retrieving a shell as frank. After enumerating further on Frank’s home directory, we will find Phil’s password.

As for the root flag, you only need to abuse the ansible script so that we can execute the commands as root

Information Gathering on Inject Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

└──╼ $nmap -sC -sV -oA initial
Starting Nmap 7.92 ( []( ) at 2023-03-12 07:26 EDT
Nmap scan report for
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
22/tcp    open     ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ca:f1:0c:51:5a:59:62:77:f0:a8:0c:5c:7c:8d:da:f8 (RSA)
|   256 d5:1c:81:c9:7b:07:6b:1c:c1:b4:29:25:4b:52:21:9f (ECDSA)
|_  256 db:1d:8c:eb:94:72:b0:d3:ed:44:b9:6c:93:a7:f9:1d (ED25519)
8080/tcp  open     nagios-nsca Nagios NSCA
|_http-title: Home
49160/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at []( .
Nmap done: 1 IP address (1 host up) scanned in 37.45 seconds

Let’s access the website interface with port 8080

The website interface looks simple with the login and register function

Sadly, the register function is still in “Under Construction” progress which it’s too bad for us.

Upload functionality

However, i notice that there’s an Upload function that we can use later.

Therefore, let’s try to upload one image into the application to ensure the upload functionality work

We can inspect it via Burpsuite to look at the response of the packet

On the browser itself, it shows that the image has been successfully uploaded.

I did notice the path is vulnerable to Local File Inclusion (LFI) which we can take advantage of it

Let’s execute the common LFI which is /etc/passwd and unfortunately, it works like a charm

As a result, we should be finding any malicious files that look suspicious to us.

I notice that suspicious files such as pom.xml

Inside the pom.xml file, i notice one dependency related to spring-cloud-function-web

From the exploit, we can use functionRouter where we can create a malicious file

We can create a reverse shell file as shown in the screenshot above.

Let’s start our Python server on our attacker’s machine

We should be able to create a file in the server via the curl command

By default, we can see that the file is successfully transferred to the server.

Before executing the command that will execute the reverse shell connection, we are required to start our pwncat-cs as shown above.

The screenshot above will execute the bash file

Boom! We have retrieved the reverse shell connection back to us.

I do notice there’s one directory that i never see before

Inside the .m2 directory, there’s one XML file that is saved as settings.xml

I managed to find a credential that we can use to escalate to user access

At last, we managed to access the machine as Phil

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

As usual, we can find the SUID binary by typing the “sudo -l” command

Inside the /opt/automation/tasks, there’s one YML file named playbook_1.yml

From the look of the yml file, we can try to modify the file to obtain the root shell

The modification file would look something as shown above.

After a while, we can execute the bash -p command to change to root access

We can read the root flag by typing the “cat root.txt” command