In this post, I would like to share a walkthrough of the Late Machine from Hack the Box

This room will be considered an Easy machine on Hack The box

What will you gain from the Late machine?

For the user flag, you will need to abuse the flask application using a common attack which is the SSTI method

As for the root flag, you need to abuse the ssh file to get root ssh shell.

Information Gathering on Late Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Text

Description automatically generated

Let’s access the website interface

A picture containing text, indoor, monitor, electronics

Description automatically generated

There’s nothing that we can see on the website interface.

As a result, let’s enumerate the website using gobuster

Text

Description automatically generated

From the gobuster result, we didn’t find anything interesting. Therefore, let’s analyze more on the website interface in case we miss anything useful

Graphical user interface, text, application

Description automatically generated

I have noticed that there’s a link that we can click, and it directs us to a subdomain of the website

Graphical user interface, application, Teams

Description automatically generated

It will look something like the screenshot above

Flask Vulnerability

Graphical user interface, text, application

Description automatically generated

The first thing that came to my mind when see flask is SSTI attack method where i found the payload here

Let’s convert the ssti attack into text format and take a screenshot on our machine

A screenshot of a computer

Description automatically generated

It worked!

Let’s throw an SSTI payload that will read the file inside the machine

Text

Description automatically generated

At last, we got the SSTI worked for us

Therefore, let’s change the payload and include the curl command so that it can retrieve the shell file on our machine

The shell file will look something as shown above

Text

Description automatically generated

From the looking of it, it works!

A screenshot of a computer

Description automatically generated with medium confidence

Finally, we got a reverse shell connection back to us.

Graphical user interface, text, application

Description automatically generated
Text

Description automatically generated

We can read the user flag by executing the command “cat user.txt

Getting SSH private key

Graphical user interface, text

Description automatically generated

In order to get a proper connection on the machine, let’s retrieve the ssh private key

Graphical user interface, text

Description automatically generated
Graphical user interface, text

Description automatically generated

We can download easier by using pwncat tool

A picture containing text, clock, orange

Description automatically generated

We are required to give permission to the id_rsa file

Graphical user interface, text, application, chat or text message

Description automatically generated

At last, we can access the machine using the ssh service.

Escalate to Root Privileges Access on Late Machine

Graphical user interface

Description automatically generated
Graphical user interface

Description automatically generated

We can run ps aux to see any interesting proceed that has been running in the background. Luckily for us, we managed to see a certain file been run as root such as /usr/local/sbin/ssh-alert.sh

Text

Description automatically generated
Text

Description automatically generated

Let’s execute the command above to get root access via the ssh service

A screenshot of a computer

Description automatically generated with low confidence
Graphical user interface, text

Description automatically generated

Let’s access via ssh service again and surprise, we managed to get bash system

A screenshot of a video game

Description automatically generated with medium confidence

We need to execute the command bash -p to become a root user

Text

Description automatically generated

We can read the root flag by executing the command “cat /root/root.txt

Extra Information

A screenshot of a computer

Description automatically generated with medium confidence

Categories:

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *