In this post, I would like to share a walkthrough of the Drive Machine from Hack the Box


This room will be considered a Hard machine on Hack the Box

What will you gain from the Drive machine?


For the user flag, you will need to exploit an IDOR vulnerability that allows me to gain unauthorized access to the administrator’s files and extract certain credentials, granting SSH access. Utilizing this access, I’ll infiltrate a Gitea instance and employ the extracted credentials to gain entry to a backup script and uncover passwords used for site backups. Within these backups, I’ll encounter hashes for additional users, which I’ll decrypt to obtain their passwords.


As for the root flag, you need to exploit the command-line client binary vulnerable to buffer overflow. I will demonstrate this vulnerability, along with two methods to achieve Remote Code Execution (RCE) through an unintended SQL injection

For those who want to learn or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me

Academy link can be found https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259

Information Gathering on Drive Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

[darknite@parrot]─[~/Documents/htb/drive]
└──╼ $nmap -sC -sV 10.10.11.235 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-16 05:48 EST
Nmap scan report for 10.10.11.235
Host is up (0.020s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 275a9fdb91c316e57da60d6dcb6bbd4a (RSA)
|   256 9d076bc847280df29f81f2b8c3a67853 (ECDSA)
|_  256 1d30349f797369bdf667f3343c1ff94e (ED25519)
80/tcp   open     http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://drive.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp filtered ppp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.42 seconds
┌─[darknite@parrot]─[~/Documents/htb/drive]
└──╼ $

Let’s access the website interface.


There is nothing has been found interesting except for the login and register button


We also didn’t find any useful information via Burpsuite on the main page.


As a result, let’s try to register a new account so that we can investigate further


We successfully accessed the dashboard when we entered the credentials that we created earlier.


The output via burpsuite will look something as shown in the screenshot above.


The interface will appear as shown in the screenshot above when we click the dashboard button on the main page.


From what i noticed on the page, we can play around the functions such as “Change Properties”, “Delete”, “Edit Content” and “Just View”


It looks like something as shown above when we click the “Just View” Function.

IDOR vulnerability on the Drive machine


We should inspect the packet when we try to click one of the files found inside the dashboard page.

Enumerate by using the wfuzz tool


We can retrieve a few payloads after we execute the command that is shown above. The output of the payload will be “79”, “98”, “99”, “101” and “100”

Enumerate using burpsuite intruder


We can brute-forcing the ID that can be used to look into another account.


Let’s access the first id that shows in the burpsuite intruder output which is “79”. Surprisingly, we have retrieved some potential usernames and passwords to access the server.


However, the credentials that we found earlier cannot be used to access the login page.


However, we managed to access the machine with the credentials that we found earlier via SSH service.


We only found the snap directory which nothing stored in the directory

Investigate the SQLite Database


We found a few files that indicated to SQLite database. Therefore, let’s download one file db.sqlite3 into our machine.


There are a lot of sqlite syntax when we execute the dump command.


Let’s look at what is stored in the table column.


We managed to find a few pieces of information including hashes.


We have successfully some credentials when we try to crack the hashes by using hashcat.


After trying a few credentials, we have successfully accessed the machine as tom via SSH service.


We can read the user flag by using the “cat user.txt” command

Escalate to Root Privileges Access


When trying to read the user flag, i noticed there’s a file called “doodleGrive-cli” that assigned as binary file


Therefore, let’s download the binary file into our machine


We can analyze the binary file within the Ghidra tool and manage to see a username and password for the binary file


We also can find the username and password by using the “strings” command


As a result, we can create a file named exploit which contains the command permitting/bin/bash


Therefore, we can enter the username and password when executing the binary and choose the number 5 which activates the user account.


At last, the bash file has been assigned as a binary file which we can use to escalate to the root


We can read the root flag by typing the “cat root.txt” command

Another method to obtain root access


The source code that we use here is shown in the screenshot above.


We need to rename dark.so as 0.so and permit to execute. Once that happens, we can execute the doodleGrive-cli binary


As a result, we can run some syntax that is used to load the char function on the binary file


After a while, the bash file also change to binary file


We can read the root flag by typing the “cat root.txt” command