In this post, I would like to share a walkthrough of the Gofer machine from Hack The Box.

This machine is rated Hard on Hack The Box.

What will you gain from the Gofer machine?

For the user flag, the web application's authentication has to be bypassed by a different route: a request-forwarding feature that accepts the gopher protocol. This lets us reach an internal SMTP server and send a phishing email carrying a malicious LibreOffice Writer document. We can then obtain user access by running pspy64, which exposes the credentials for the user account.

As for the root flag, you need to exploit a use-after-free vulnerability in a simple notes program, which we are able to execute and which runs as root.

For those who want to learn or improve their cyber security skills, especially red teaming and blue teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.

The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vv

Information Gathering on Gofer Machine

Once we have started the VPN connection (the VPN configuration is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot][~/Documents/htb/gofer]
└──╼ $ nmap -sC -sV 10.10.11.225 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-03 06:13 EDT
Nmap scan report for 10.10.11.225
Host is up (0.036s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT    STATE    SERVICE     VERSION
22/tcp  open     ssh         OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 aa25826eb804b6a9a95e1a91f09451dd (RSA)
|   256 1821baa7dce44f60d781039a5dc2e596 (ECDSA)
|_  256 a42d0d45132a9e7f867af6f778bc42d9 (ED25519)
25/tcp  filtered smtp
80/tcp  open     http        Apache httpd 2.4.56
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Did not follow redirect to http://gofer.htb/
139/tcp open     netbios-ssn Samba smbd 4.6.2
445/tcp open     netbios-ssn Samba smbd 4.6.2
Service Info: Host: gofer.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: GOFER, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time: 
|   date: 2023-08-03T10:14:03
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.15 seconds
┌─[darknite@parrot][~/Documents/htb/gofer]
└──╼ $ 

Let's access the web interface.

There is nothing interesting that we can poke at on the main site.

Sadly, directory enumeration turns up nothing we can analyze further.

However, we managed to obtain a subdomain of the domain, "proxy.gofer.htb".

We are required to enter a username and password, which we don't have at the moment.

SMB enumeration on the machine

We should be able to see the purpose of the SMB share here.

From the output, we notice the backup.

We are shown the message "Missing URL parameter" when trying to access the index page.

The output in Burp Suite is the same as the curl output.

Therefore, let's try an LFI attack, which returns the error message "Blacklisted keyword".

However, it works in Burp Suite.

At last, we managed to execute some command injection.

We should download Gopherus onto our attacker machine.

However, the Python script doesn't work well in a Python 3 environment.

We managed to run Gopherus in a Python 2 environment.

We should now have the command that we will use to send an email to the administrator.

As a result, we are required to create a malicious Microsoft Word document or LibreOffice document on the Linux operating system.

We should add some malicious code inside the macro.

The screenshot above shows what my malicious code looks like.

We should set the malicious macro to run by modifying the document's settings.

Let's start our listener on our attacker machine.

We have successfully transferred the malicious document to the victim machine.

Boom! We have successfully received our reverse shell connection.

We can read the user flag by typing the "cat user.txt" command.

Escalating to Root Privileges

Let's upload pspy64 to the victim machine.

Oh wow! We have spotted the credentials of tbuckley in a running process.

We have successfully switched user to tbuckley.

By default, we should be able to SSH into the machine with the credentials we found earlier.

Sadly, we don't have the sudo command on the machine. Therefore, let's look for a suitable binary using a different method.

All the binaries look normal except for the notes binary.

Let's look at the source code of the notes binary.

Let's transfer the binary to our attacker machine and analyze it using Ghidra.

The screenshot shows the decompiled source code of the binary.

At last, we managed to obtain a potential username.

We should create a reverse shell command via tar.

As a result, access is granted.

Boom! We have obtained the reverse shell connection back to us.

We can read the root flag by typing the "cat root.txt" command.
