Hack The Box: Derailed Machine Walkthrough – Insane Difficulty

Written by darknite -
on July 22, 2023

In this post, I would like to share a walkthrough of the Derailed Machine from Hack the Box

This room will be considered an Insane machine on Hack the Box

Testing

What will you gain from the Derailed machine?

For the user flag, you will need to create a new user with XSS script notes on the rails notes application which the notes report will be reviewed by the admin. We will be using the administrator’s browser session so that we can read the admin page with a file read vulnerability.

As for the root flag, you need to exploit the vulnerability on openmediavault’s RPC which we can insert a SSH key for root access

Information Gathering on Derailed Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN 

# Nmap 7.92 scan initiated Tue Feb 21 07:37:12 2023 as: nmap -sC -sV -oA initial -Pn 10.10.11.190
Nmap scan report for 10.10.11.190
Host is up (0.19s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 16:23:b0:9a:de:0e:34:92:cb:2b:18:17:0f:f2:7b:1a (RSA)
|   256 50:44:5e:88:6b:3e:4b:5b:f9:34:1d:ed:e5:2d:91:df (ECDSA)
|_  256 0a:bd:92:23:df:44:02:6f:27:8d:a6:ab:b4:07:78:37 (ED25519)
3000/tcp open  http    nginx 1.18.0
|_http-title: derailed.htb
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 21 07:37:46 2023 -- 1 IP address (1 host up) scanned in 34.79 seconds
# Nmap 7.92 scan initiated Tue Feb 21 07:37:12 2023 as: nmap -sC -sV -oA initial -Pn 10.10.11.190
Nmap scan report for 10.10.11.190
Host is up (0.19s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 16:23:b0:9a:de:0e:34:92:cb:2b:18:17:0f:f2:7b:1a (RSA)
|   256 50:44:5e:88:6b:3e:4b:5b:f9:34:1d:ed:e5:2d:91:df (ECDSA)
|_  256 0a:bd:92:23:df:44:02:6f:27:8d:a6:ab:b4:07:78:37 (ED25519)
3000/tcp open  http    nginx 1.18.0
|_http-title: derailed.htb
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 21 07:37:46 2023 -- 1 IP address (1 host up) scanned in 34.79 seconds

Let’s access the website interface

There are a few functions that we can abuse such as login, sign up, and one blank box which we can create a new clipnote

As a result, let’s try to register a new account on the website application

Therefore, let’s try to login using the credentials that we register earlier.

Nothing happens when trying to enter any malicious file

Sadly, the creator has patched this path

The intended way to escalate the privileged access

Firstly, let’s inject the packet with the XSS method and need to encode the strings to character code.

Let’s just enter just a simple payload

Let’s start our nc listener

It looks fine so far.

Next, we need to trigger the payload by submitting a simple command on the reporting endpoint

After a while, the malicious file has finally uploaded to the machine.

Finally, the reverse shell connection is back to us.

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

It looks like a log that we can execute.

We managed to find the username “Marcus” and “openmediavault-webgui” on the machine.

At last, we managed to find a hash for the toby’s credentials.

We are also successfully a password for the toby

It’s successful access to another user

There is a file that obviously caught my attention

Let’s execute the command above to test the omv command

Let’s try port-forwarding the machine connection

The website interface from the port-forwarding the connection.

My bad, the command should only use the omv-confdabdam read conf.system.usermngmnt.user

We are required. to modify the command as root and ssh key

Sadly, it doesn’t work at all which it’s weird to me

Finally, it has worked as I am hoping for.

Therefore, let’s execute the command that applies the change on the omv command

We can copy-paste the private key into the machine.

Boom! We have successfully the machine via SSH private key

We can read the root flag by typing into the “cat root.txt” command

Extra Information

Categories:

Insane Machine

Tags:

BurpSuiteChallengesCross Site ScriptingHackTheBoxjohn the ripperLinuxomv-scriptPenetration TestingsshSSH key

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *