In this post, I would like to share a walkthrough of the Sandworm machine from Hack The Box.

Sandworm is rated as a medium machine on Hack The Box.

What will you gain from the Sandworm machine?

For the user flag, you need to find a vulnerability in a website that lets users send and receive PGP-encrypted messages and offers a demonstration area for testing encryption, decryption and signature verification. The signature verification demo is vulnerable to server-side template injection: the user ID of the uploaded PGP public key is rendered by the template engine without being escaped, so a template expression placed in that field is evaluated on the server. Exploiting this flaw gives us a foothold on the machine.

For the root flag, the foothold we obtain is confined inside a Firejail sandbox. The first step is to locate credentials for the next user in an httpie configuration file. We then modify a Rust program (tipnet) that the initial user runs from a cron job, so that we regain access as that user but outside the Firejail sandbox. With that unsandboxed access, the SUID firejail binary is vulnerable to CVE-2022-31214, which gives us root.

Information Gathering on Sandworm Machine

Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start gathering information about the machine with nmap: nmap -sC -sV 10.10.11.218 -oA initial. This scans the top 1000 TCP ports with service and default-script detection; a full-port scan with -p- is worth running afterwards as well.

┌─[darknite@parrot]─[~/Document/htb/sandworm]
└──╼ $nmap -sC -sV 10.10.11.218 -oA initial 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-19 00:09 EDT
Nmap scan report for 10.10.11.218
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://ssa.htb/
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=SSA/organizationName=Secret Spy Agency/stateOrProvinceName=Classified/countryName=SA
| Not valid before: 2023-05-04T18:03:25
|_Not valid after:  2050-09-19T18:03:25
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Secret Spy Agency | Secret Security Service
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.42 seconds
┌─[darknite@parrot]─[~/Document/htb/sandworm]
└──╼ $

Port 80 redirects to https://ssa.htb, so we add the hostname to /etc/hosts and open the site in a browser.

Nothing on the landing page itself looks interesting.

The contact section presents a PGP-encrypted message and explains that the agency exchanges PGP-encrypted mail. The site also offers a demonstration area for encrypting, decrypting and verifying signed messages; the signature verification demo is the one that matters here.

To use the verification demo we need our own key pair, a message signed with it, and the exported public key.

First, create a key with gpg; it asks for a name, an email address and a passphrase. (The original post's screenshots of these commands are not preserved.)

The public key is then exported in ASCII armor with gpg --armor --export.

With the key in place, we clear-sign a small text file with gpg --clearsign, which produces the signed message.

Pasting the signed message and the public key into the verification demo returns the signature status together with the user ID of the key that signed it.

Boom! A harmless template expression (for example {{7*7}}) placed in the key's name field is evaluated in the response, so the verify demo is vulnerable to SSTI.

To turn that into command execution, edit the key's user ID with gpg --edit-key and put the payload in the name field.


We should first test with the id command in the key's user ID, to confirm that the injection executes OS commands and not just template arithmetic.


As expected, it works like a charm: the output of id comes back in the verification response.

Next, replace the id command with a reverse shell command and start a listener on the attacking machine.

As before, the message must be re-signed with the edited key and the public key exported again, so that the uploaded key carries the new user ID.

At last we have a reverse shell connection, but it is not very stable; as we will see, this shell runs inside a Firejail sandbox.

In the httpie configuration on the box we find a credential for another user, which lets us log in over SSH and get a proper shell.

We can read the user flag by running cat user.txt.

Escalating to Root Privileges

While enumerating as the SSH user, we find a Rust source file, lib.rs, that we can abuse later: it belongs to a crate used by a program called tipnet, and it is writable by our user.

Let's run tipnet, which is found on the machine, to see how it behaves and to confirm that it uses the crate lib.rs belongs to.


Because the file is writable, we can replace the existing lib.rs with a modified version that spawns a reverse shell. tipnet is run from a cron job as atlas (the first user), so the next time the job runs, our code executes as atlas.


Boom! We get a reverse shell as atlas, and this time it is outside the Firejail sandbox.

Looking around the machine as atlas, we come across the firejail binary itself.

As expected, firejail has the SUID bit set, and the installed version is affected by CVE-2022-31214, so we can abuse it.

We transfer the public exploit for CVE-2022-31214 to the victim machine.

Run the exploit with python3 and leave it running; it tells us which firejail --join command to run next.

In a second reverse shell as atlas, run that firejail command; it lands us in a shell from which we can become root.
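A pre-check for the two conditions CVE-2022-31214 needs (a set-uid firejail older than 0.9.70, the release that fixed it), followed by the two-terminal sequence the public proof of concept prints when it runs. This is an added example, not from the original post; the exploit script itself is not reproduced, and the exact text the PoC prints may differ between versions.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the preconditions for
# CVE-2022-31214 before bothering with the exploit. Firejail 0.9.70 is the
# release that fixed it; anything older that is SUID root is a candidate.
set -eu

# Return 0 if dotted numeric version $1 is older than $2 (e.g. 0.9.68 < 0.9.70).
# Missing components count as 0, so 0.9 < 0.9.70. Non-numeric suffixes are not handled.
version_lt() {
    vl_a=$1
    vl_b=$2
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_ai=${vl_a%%.*}
        vl_bi=${vl_b%%.*}
        case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a='' ;; esac
        case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b='' ;; esac
        vl_ai=${vl_ai:-0}
        vl_bi=${vl_bi:-0}
        if [ "$vl_ai" -lt "$vl_bi" ]; then return 0; fi
        if [ "$vl_ai" -gt "$vl_bi" ]; then return 1; fi
    done
    return 1
}

# Pull the version number out of `firejail --version` output, whose first line
# reads "firejail version X.Y.Z". Prints nothing if the text does not match.
parse_firejail_version() {
    printf '%s\n' "$1" | sed -n '1s/^firejail version \([0-9][0-9.]*\).*/\1/p'
}

firejail_version() {
    parse_firejail_version "$(firejail --version 2>/dev/null)"
}

# Both conditions must hold: the binary is set-uid and the version predates the fix.
firejail_vulnerable() {
    fj_bin=$(command -v firejail) || return 1
    [ -u "$fj_bin" ] || return 1
    version_lt "$(firejail_version)" "0.9.70"
}

# Usage the public PoC prints once it has set up its fake sandbox:
#   terminal 1 (as atlas):  python3 exploit.py        -> prints a PID to join
#   terminal 2 (as atlas):  firejail --join=<pid>     -> shell inside the joined sandbox
#                           su -                      -> root shell, per the PoC's instructions
if [ "${1:-}" = "check" ]; then
    if firejail_vulnerable; then
        echo "firejail is SUID and version $(firejail_version) < 0.9.70: CVE-2022-31214 candidate"
    else
        echo "firejail is not SUID, not installed, or already patched"
    fi
fi
```

Run `sh firejail-check.sh check` from the unsandboxed atlas shell; if it reports a candidate, proceed with the exploit in two terminals as the comments describe.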


We can read the root flag by running cat root.txt.
