In this post, I would like to share a walkthrough of the Inject machine from Hack The Box.


This machine is rated Easy on Hack The Box.

What will you gain from the Inject machine?


For the user flag, you will need to exploit a path traversal that leaks the application's project files and reveals that it is built on the Spring Cloud Function framework. That framework version is vulnerable to RCE (CVE-2022-22963), which leads to a shell as frank. After enumerating further in Frank's home directory, we find Phil's password.


As for the root flag, you only need to abuse the Ansible playbook so that our commands are executed as root.

Information Gathering on Inject Machine


Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Document/htb/inject]
└──╼ $nmap -sC -sV 10.10.11.204 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-12 07:26 EDT
Nmap scan report for 10.129.179.197
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ca:f1:0c:51:5a:59:62:77:f0:a8:0c:5c:7c:8d:da:f8 (RSA)
|   256 d5:1c:81:c9:7b:07:6b:1c:c1:b4:29:25:4b:52:21:9f (ECDSA)
|_  256 db:1d:8c:eb:94:72:b0:d3:ed:44:b9:6c:93:a7:f9:1d (ED25519)
8080/tcp  open     nagios-nsca Nagios NSCA
|_http-title: Home
49160/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.45 seconds

Let's access the website interface on port 8080.


The website interface looks simple, with login and register functions.


Sadly, the register function is still "Under Construction", which is too bad for us.

Upload functionality


However, I notice that there's an Upload function that we can use later.


Therefore, let's upload an image to the application to confirm that the upload functionality works.


We can inspect the request in Burp Suite to look at the response packet.


On the browser itself, it shows that the image has been successfully uploaded.


I notice that the path used to serve the uploaded image is vulnerable to Local File Inclusion (LFI), which we can take advantage of.


Let's try the common LFI check, reading /etc/passwd, and it works like a charm.


As a result, we should look for any files that seem interesting to us.


I notice interesting files such as pom.xml.


Inside the pom.xml file, I notice one dependency related to spring-cloud-function-web.
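As an added example (not code from the original post), here is a small Python check that parses a pom.xml for the spring-cloud-function-web dependency and reports whether its version predates the CVE-2022-22963 fix releases (3.1.7 and 3.2.3). The sample pom.xml is constructed, not the one from the machine, and supplies the version through a property reference, as many real Maven projects do.

```python
"""Flag a pom.xml whose spring-cloud-function-web version predates the CVE-2022-22963 fix."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample (not the pom.xml from the machine); the version comes
# from a <properties> entry, which is common in real Maven projects.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <spring-cloud-function.version>3.2.2</spring-cloud-function.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-web</artifactId>
      <version>${spring-cloud-function.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'3.2.2' or '3.2.2-SNAPSHOT' -> (3, 2, 2)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(ver):
    """Per Spring's advisory the fix releases are 3.1.7 and 3.2.3; older is affected."""
    return ver < (3, 2, 3) if ver[:2] == (3, 2) else ver < (3, 1, 7)

def affected_function_web_version(pom_xml):
    """Return the resolved version string if affected, None if absent or patched,
    or 'unmanaged' when the version is inherited from a parent/BOM (not visible here)."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:artifactId", namespaces=NS) != "spring-cloud-function-web":
            continue
        raw = (dep.findtext("m:version", namespaces=NS) or "").strip()
        if not raw:
            return "unmanaged"
        ref = re.fullmatch(r"\$\{([^}]+)\}", raw)  # expand a ${property} reference
        version = props.get(ref.group(1), raw) if ref else raw
        return version if is_affected(parse_version(version)) else None
    return None
```

Running it against a pom.xml whose version is managed by a parent POM or BOM returns 'unmanaged', which is the cue to resolve the effective POM (mvn help:effective-pom) before trusting the result.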


From the exploit, we can use the functionRouter endpoint, through which we can create a malicious file.


We can create a reverse shell file as shown in the screenshot above.


Let's start our Python web server on the attacker machine.


We should be able to create a file on the server via the curl command.


As expected, we can see that the file was successfully transferred to the server.


Before executing the command that triggers the reverse shell connection, we need to start our pwncat-cs listener as shown above.


The command in the screenshot above executes the bash file.


Boom! We have retrieved the reverse shell connection back to us.


I notice there's one directory that I have never seen before.


Inside the .m2 directory, there's one XML file saved as settings.xml.


I managed to find a credential that we can use to gain access as another user.


At last, we manage to access the machine as Phil.


We can read the user flag by typing the "cat user.txt" command.

Escalate to Root Privileges Access


As usual, we can check which commands this user may run with sudo by typing the "sudo -l" command.


Inside /opt/automation/tasks, there's one YML file named playbook_1.yml.


From the look of the YML file, we can try to modify it to obtain a root shell.


The modified file would look something like the one shown above.


After a while, we can execute the bash -p command to switch to root access.


We can read the root flag by typing the "cat root.txt" command.