In this post, I would like to share a walkthrough of the Visual  Machine from Hack the Box


This room will be considered a Medium machine on Hack the Box

What will you gain from the Visual machine?


For the user flag, you will need to abuse the platform where users can input a hosted Git URL, and the system will fetch a Visual Studio project from the URL and initiate the compilation process. I will deploy a Gitea server within a container and upload a project configured with a pre-build action designed to execute a command and access a shell.


As for the root flag, you need to place a webshell in the XAMPP web root directory to obtain a shell as a local service. The service operates without SeImpersonate privileges; however, I will utilize the FullPower executable to restore this privilege, followed by GodPotato to elevate privileges to System levelv

For those who want to learan or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me

Academy link can be found https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv

Information Gathering on Visual Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start

PowerShell
┌─[darknite@parrot]─[~/Documents/htb/visual]
└──╼ $ nmap -sC -sV 10.10.11.234 -oA intial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-04 00:17 EDT
Nmap scan report for 10.10.11.234
Host is up (0.096s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-title: Visual - Revolutionizing Visual Studio Builds
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.97 seconds
┌─[darknite@parrot]─[~/Documents/htb/visual]
└──╼ $ 

Let’s access the website interface


At first glance, nothing is interesting to play around on the website interface.


After a while, i noticed that we could submit our repo URL which it’s very suspicious. Another thing that i am aware of on the website interface is the GIT Integration where i believe the website is running using the git platform.


Therefore, let’s enter our IP address which includes the .git file


We managed to obtain the information on the git which was stored in the website interface.


The screenshot above shows the response where the file exists.

Dotnet execution on Visual Machine


We need to install the dotnet that supports 6.0 which can be found here


At last, the dotnet script has successfully worked as shown in the screenshot above.


For starters, we need to create a new template on the dotnet


The file will be created exactly as shown above.


We are required to add the project dark into the sln


Let’s update the git init on our machine.


We need to configure the git repo for our project.


We also need to update our server and git to ensure that the project is saved.


Once the git has been updated on our machine, we need to re-do the process of submitting our git repo on the website.


Finally, we managed to upload our git project on the website interface.


The screenshot above shows the content of the csproj for your reference.


The git build will take some time to be compiled on the website interface.


Our git project has successfully uploaded on the website interface, we will see the response shown in the screenshot above.


Let’s start our listener on our machine.


As a result, let’s insert our PowerShell command on the csproj file which should be a success.


We are required updating the git project on our machine as show previously


We managed to see that our build has timed out which might be positive for us.


Finally, we managed to retrieve the reverse shell connection


We have successfully accessed the machine as enox user.


We can read the user flag by typing the “type user.txt” command

Escalate to Root Privileges Access


Firstly, we need to verify the privileged access that Enox can execute


We should upload the PHP file so that we can execute any command on the website.


Boom! We managed to execute some commands on that php file.


As a result, we need to execute the PowerShell command to retrieve the reverse shell connection on our machine.


At last, we have retrieved the reverse shell connection to us.


As expected, the privileges access granted is the same as user enox

Full Powers Exploitation on Visual Machine


We can download The FullPowers script here


We need to upload the FullPowers and nc into our victim’s machine


At last, we managed to see a lot more privileged access while executing with FullPowers


We can execute the nc command on the victim’s machine which provides us with some reverse shell connection


We have successfully retrieved the reverse shell connection by using the fullpowers.exe on the victim’s machine.


From the screenshot above, we can see that privileged access has been enabled

GodPotato payload on the visual machine


Let’s upload the GodPotato script into our victim’s machine


We managed to ensure that GodPotato script worked on the victim’s machine


Therefore, we can retrieve the reverse shell connection by running the command above.


Boom! We successfully access the machine as nt authority\system access


We can read the root flag by typing the “type root.txt” command