Reading Time: 7 minutes

In this post, I would like to share a walkthrough of the Extension Machine from Hack the Box

This room will be considered a Hard machine on Hack the Box

What will you gain from the Extension machine?

For the user flag, you will need to find leaked multiple information from the management/dump which will try to brute-force the token. By exploiting the IDOR vulnerability to verify the username of “jean”. We also can bypass the cross-site scripting filters to attack the Gitea’s API which lead to find a backup file frm the another user. Once we completed the downloading the backup file on our attacker’s machine, we will find a SSH access to the host. and some password to use on the next user.

As for the root flag, you need to enumerate more on MySQL database and insert a command injection on the MySQL database. and get RCE on the website which we are required to validated our account. The docker socket (docker.sock) which can be found on te container can be writable which lead to a simple container breakout

Information Gathering on Extension Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Only two-port are open for this machine

Let’s access the website interface

However, the website interface didn’t show any interest that we can make use

Therefore, let’s enumerate the website directory by using gobuster

Nothing much to see except for the login and register directory

Sadly, We don’t have any credentials that we can use to access the interface

Let’s see the source code of the website if we might find some interesting code embedded together. Finally, we found some code that looks interesting to us.

However, when we try to inspect the management/dump on burpsuite where we stumbled upon an error of “405 Method Not Allowed”

Get information using Burpsuite

We will need to inspect the login page and I notice there’s a JSON code on line 19

For this attack, i just need to change login to management/dump and modify the JSON item to something such as:

{

“download”:”users”

}

The result will be shown something such as above

“name”: “Gia Stehr”,

“email”: “gia@snippet.htb”,

“password”: “ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f”,

However, i notice that the credentials that have been highlighted above

At last, we managed to obtain a password for username gia from here

Snippet Dashboard and read the snippet’s hidden message

Finally, we managed to access the dashboard for the git

There’s something written on one of the snippets. I managed to notice that this snippet parks under snippet/1

I’ve been thinking if there’s another snippet than snippet/1

Sadly, we cannot see anything on snippet2 which we are not authorized to view this snippet

However, there’s no snippet/3 has been stored on the website or server

Let’s try to bypass the snippet/2 so that we can read the hidden message

Let’s create our own snippet such as shown above.

Therefore, let’s edit the snippet that we created earlier and move it to snippet/2

Boom! We have finally seen the hidden message where it’s a curl command. However, I notice that authorization has some base64 encoded

As a result, let’s try to decode the base64 code and I notice that it’s some credentials for some website

From the gobuster output, there are a lot of subdomains where we can see the status 200. It’s ridiculously hard and confusing, to be honest.

As a result, let’s enumerate using wfuzz which will result in lesser payload

gitea’s enumeration on extension machine

Finally, we got dev.snippet.htb website that shows a Gitea Website. However, we already know that the other subdomain will be Gitea Based

We managed to access the Gitea Dashboard using jean’s credentials

Inside jean’s extension repository, there are a few files that we can investigate

Let’s try creating a new issue for the extension’s repository

Therefore, let’s start our python server

Let’s create the issues as above and save them as any name

We managed to retrieve a file that doesn’t exist at all.

At last, we managed to obtain Charlie’s backup folder into Gitea’s Dashboard

As a result, let’s download the file to our attacker’s machine

We managed to find an SSH private key that we can use to access the machine via SSH service.

Finally, we successfully access the machine via SSH service

Sadly, we cannot find the user flag inside Charlie’s home directory

However, the user flag is stored in jean’s directory

We can read the user flag by typing the command “cat user.txt”

Escalate to Root Privileges Access

From the netstat output, we can see that there are some ports open within the server such as the database port open.

Sadly, we cannot execute the MySQL database command within the server itself.

Therefore, let’s run the MySQL command from the attacker’s side by doing the port forwarding method.

Once we managed to login into the database, we can execute the command to update the role of the gia@snippet.htb into the manager’s role

As a manager, we can create a new user into the database which contains a reverse shell together.

We can start our listener so that we can retrieve our connection back to us.

After searching for the username on the Dashboard, we managed to see it at the end of the page. For us to obtain the reverse shell connection, we are required to click the “Validate” Button.

Finally, we managed to retrieve back the connection

Sadly, only a file called docker.sock is saved inside the /app directory.

We can execute the command above to get /bin/bash as SUID Binary

Finally, we have successfully into the root’s bash shell

We can read the root flag by typing the “cat /root/root.txt” command

Extra Information