In this post, I would like to share a walkthrough of the Inject machine from Hack The Box.
This machine is rated Easy on Hack The Box.
What will you gain from the Inject machine?
For the user flag, you will need to exploit a path traversal that leaks the application's files and reveals that it is built on the Spring Cloud Framework. That framework version is vulnerable to RCE (CVE-2022-22963), which leads to a shell as frank. After enumerating Frank's home directory further, we will find Phil's password.
As for the root flag, you only need to abuse the ansible script so that we can execute commands as root.
Information Gathering on Inject Machine
Once we have started the VPN connection, using the configuration file downloaded from Hack The Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
└──╼ $nmap -sC -sV 10.10.11.204 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-12 07:26 EDT
Nmap scan report for 10.129.179.197
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| 3072 ca:f1:0c:51:5a:59:62:77:f0:a8:0c:5c:7c:8d:da:f8 (RSA)
| 256 d5:1c:81:c9:7b:07:6b:1c:c1:b4:29:25:4b:52:21:9f (ECDSA)
|_ 256 db:1d:8c:eb:94:72:b0:d3:ed:44:b9:6c:93:a7:f9:1d (ED25519)
8080/tcp open nagios-nsca Nagios NSCA
49160/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.45 seconds
Let’s access the web interface on port 8080.
The web interface looks simple, with a login and a register function.
Sadly, the register function is still “Under Construction”, which is too bad for us.
However, I notice that there’s an upload function that we can use later.
Therefore, let’s try to upload an image to the application to ensure the upload functionality works.
We can inspect the request in Burp Suite to look at the response.
On the browser itself, it shows that the image has been uploaded successfully.
I notice that the image path is vulnerable to Local File Inclusion (LFI), which we can take advantage of.
Let’s try the common LFI check, reading /etc/passwd, and fortunately it works like a charm.
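As an added example (not part of the original write-up and not the application's own code), this is how the image-serving endpoint could defend against the traversal used above: decode the requested name until it is stable, normalise it, and only serve it if the resolved path is still inside the upload directory. The upload directory and the probe values are constructed for the example.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed upload directory for the example; the real application's path is not given here.
UPLOAD_BASE = "/srv/webapp/uploads"


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so %2e%2e%2f and double-encoded forms normalise."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(base: str, requested: str) -> Optional[str]:
    """Map a user-supplied file name onto a path under `base`.

    Returns the absolute path to serve, or None when the request would escape
    the upload directory (the LFI pattern used above to read /etc/passwd).
    """
    name = fully_decode(requested)
    # NUL bytes and absolute paths are never legitimate image names.
    if "\x00" in name or name.startswith(("/", "\\")):
        return None
    base_abs = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_abs, name))
    # Containment check after normalisation: ".." segments are collapsed by
    # realpath, so anything that left `base` (or names `base` itself) is rejected.
    if candidate == base_abs or os.path.commonpath([base_abs, candidate]) != base_abs:
        return None
    return candidate


def classify(requests) -> dict:
    """Return {request: 'served' | 'blocked'} for a batch of image names,
    e.g. values pulled from access logs when reviewing for traversal attempts."""
    return {r: ("blocked" if safe_resolve(UPLOAD_BASE, r) is None else "served")
            for r in requests}


if __name__ == "__main__":
    # Constructed probes: one benign name and several traversal variants.
    for req, verdict in classify([
        "cat.jpg", "../../../../etc/passwd",
        "..%2F..%2F..%2Fetc%2Fpasswd", "%252e%252e%252fetc/passwd",
    ]).items():
        print(f"{verdict:8} {req}")
```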
As a result, we should look around for any files that look suspicious to us.
I notice a suspicious file, pom.xml.
Inside the pom.xml file, I notice one dependency related to spring-cloud-function-web.
Following the exploit, we can use functionRouter to create a malicious file on the server.
We can create a reverse shell file as shown in the screenshot above.
Let’s start our Python server on our attacker machine.
We should be able to create a file on the server via the curl command.
We can see that the file has been transferred to the server successfully.
Before executing the command that triggers the reverse shell connection, we need to start our pwncat-cs listener as shown above.
The command in the screenshot above executes the bash file.
Boom! We have retrieved the reverse shell connection back to us.
I notice one directory that I have never seen before.
Inside the .m2 directory, there is one XML file saved as settings.xml.
I managed to find a credential that we can use to escalate to user access.
At last, we managed to access the machine as Phil.
We can read the user flag by typing the “cat user.txt” command.
Escalate to Root Privileges Access
As usual, we can find the SUID binary by typing the “sudo -l” command
Inside /opt/automation/tasks, there’s one YML file named playbook_1.yml.
From the look of the YML file, we can try to modify it to obtain a root shell.
The modified file would look something like what is shown above.
After a while, we can execute the bash -p command to switch to root access.
We can read the root flag by typing the “cat root.txt” command.