In this post, I would like to share a walkthrough of the Altered machine from Hack The Box.

This machine is rated Hard on Hack The Box.

What will you gain from the Altered machine?

For the user flag, you need to abuse the password reset function, which requires bypassing its rate limit using HTTP headers. After successfully logging in to the dashboard, we need to find the endpoint that is vulnerable to SQL injection.

As for the root flag, you need to abuse the Dirty Pipe vulnerability.

Information Gathering on Altered Machine

Once we have started the VPN connection (the connection pack is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -Pn

I found out that only two ports are open, which are SSH and HTTP.

Let’s access the website interface.

A login page is shown when we access the website. Sadly, we don't have any credentials to play with.

So let's try a common username and password such as admin:admin.

However, an error saying "Invalid Password" appears.

Let's inspect the response to that request.

Nothing looks promising to me.

Let's try resetting the password by clicking the "Forgot password" link.

Let's also look at the response to that request; nothing looks weird to me either.

We are required to enter a pin code, which we don't have yet.

I did notice there’s a cookie of XSRF-TOKEN and laravel-session.

Therefore, let's try to brute-force the pin code using wfuzz.

Brute-forcing the pin code

From the wfuzz result, we notice responses with a character count of 6625, which is something I want to look at.

As it turns out, the website has given us an error saying "Too Many Requests".

We can create a list of IP addresses (only the ending portion) to work with.

However, we are stuck with an output that we were not expecting to see.

After a few hours of troubleshooting, we managed to retrieve the output that we wanted to see.
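The rate-limit bypass above works because the limiter keys its counter on an address the client supplies rather than on the address the connection actually came from. The following is an added example (not code from the original post or from the target application) that replays a constructed set of pin-code submissions through both kinds of limiter and adds the detection a defender would want. The post does not name the header it used; X-Forwarded-For is assumed here, and the limit of 5 attempts per window is an assumed value.

```python
"""
Added example, not from the original write-up: why a rate limit keyed on a
client-controlled header can be bypassed, how to key it on the socket peer
instead, and how to spot the bypass in request logs.

Assumptions: the write-up does not name the header; X-Forwarded-For is
assumed. All request records below are constructed, not captured traffic.
"""
from collections import Counter, defaultdict

LIMIT = 5  # attempts allowed per key in one window (assumed value)

# Constructed submissions: one real client (10.10.14.5) rotating the
# X-Forwarded-For value on every request, which is the "list of IP endings"
# trick the write-up describes.
REQUESTS = [
    {"peer": "10.10.14.5", "xff": f"192.168.1.{i}", "pin": f"{i:04d}"}
    for i in range(1, 21)
]


def client_key_from_header(req):
    """Weak: trusts the first address in X-Forwarded-For, falling back to the peer."""
    if req.get("xff"):
        return req["xff"].split(",")[0].strip()
    return req["peer"]


def client_key_from_peer(req):
    """Stronger: the address the TCP connection actually came from."""
    return req["peer"]


def count_blocked(requests, key_func, limit=LIMIT):
    """Replay requests through a fixed-window counter; return how many would get a 429."""
    seen = Counter()
    blocked = 0
    for req in requests:
        key = key_func(req)
        seen[key] += 1
        if seen[key] > limit:
            blocked += 1
    return blocked


def header_spoofing_suspects(requests, min_distinct=5):
    """Detection: peer addresses that present many distinct forwarded addresses."""
    distinct = defaultdict(set)
    for req in requests:
        if req.get("xff"):
            distinct[req["peer"]].add(req["xff"])
    return {peer for peer, vals in distinct.items() if len(vals) >= min_distinct}


if __name__ == "__main__":
    print("blocked (header-keyed):", count_blocked(REQUESTS, client_key_from_header))
    print("blocked (peer-keyed):  ", count_blocked(REQUESTS, client_key_from_peer))
    print("suspects:", header_spoofing_suspects(REQUESTS))
```

The header-keyed limiter never fires, because every request arrives under a fresh key, while the peer-keyed one blocks everything after the fifth attempt. The usual caveat: behind a reverse proxy the peer address is the proxy itself, so the proxy must be the one that sets the forwarded header and the application must only honour it when the connection comes from that proxy.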

After entering the pin code in the right column, we are redirected to a page where we can change the password.

Let's try to log in using the password that we changed earlier.

At last, we managed to access the Dashboard.

We can see that the description of each player is different.

Therefore, let's inspect the request via Burp Suite.

Let's copy the id=&secret= parameters at the bottom of the request.

We need to modify the request payload into a JSON payload.

Trying to enumerate with SQL injection

We can try a common SQL injection payload such as or 1=1;-- and notice that the website is vulnerable to this attack.

We can see the schema name from the SQL database

We can see the table name from the SQL database

Aside from that, we can also retrieve usernames and passwords from the database, but they don't look promising at all.

We know the endpoint is vulnerable to SQL injection, so let's use the load_file function to read files from the server.
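The or 1=1 probe used above succeeds only because the endpoint pastes the id value straight into its query. As an added example (not code from the original post or from the target application), the block below builds a small constructed players table with sqlite3, runs the probe against a query assembled by string concatenation and against the same query written with placeholders, and shows the difference. The table layout (id, name, secret) is assumed from the id=&secret= parameters the post mentions; the real application's code is not shown in the post.

```python
"""
Added example, not from the original write-up: the "or 1=1" probe against a
vulnerable query and against its parameterised fix.

Assumptions: a players table with id, name and secret columns is constructed
here in an in-memory sqlite3 database; the application's own code is not shown.
"""
import sqlite3

# The probe from the write-up, without the trailing semicolon so that sqlite3's
# single-statement execute() accepts it. "--" comments out the rest of the line.
PROBE = "1 or 1=1-- "


def make_db():
    """Constructed sample data, not from the target machine."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO players VALUES (?, ?, ?)",
        [(1, "alice", "s3cr3t-a"), (2, "bob", "s3cr3t-b"), (3, "carol", "s3cr3t-c")],
    )
    return conn


def lookup_vulnerable(conn, player_id, secret):
    """String concatenation: whatever the client sends becomes part of the SQL."""
    sql = f"SELECT id, name FROM players WHERE id = {player_id} AND secret = '{secret}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, player_id, secret):
    """Placeholders: the driver passes values separately from the statement text."""
    sql = "SELECT id, name FROM players WHERE id = ? AND secret = ?"
    return conn.execute(sql, (player_id, secret)).fetchall()


def demo():
    """Return how many rows the probe leaks from each version of the lookup."""
    conn = make_db()
    return {
        "vulnerable_probe_rows": len(lookup_vulnerable(conn, PROBE, "wrong")),
        "fixed_probe_rows": len(lookup_fixed(conn, PROBE, "wrong")),
    }


if __name__ == "__main__":
    print(demo())
```

With concatenation the WHERE clause collapses to id = 1 or 1=1 and every player comes back regardless of the secret; with placeholders the probe is compared as a literal string against the id column and matches nothing. The file-read step that follows in the write-up is a second, separate weakness: on MySQL/MariaDB, where load_file lives, it only works when the application's database account holds the FILE privilege and secure_file_priv allows it, so running the application as a least-privileged database user closes that path even if an injection remains.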

Let's see if any new folder or URL is defined in the Nginx configuration.

I notice that Laravel is stored on the server.

Let’s throw a reverse shell on the machine

Sadly, the file is not found on the website interface

After a few minutes of troubleshooting, I was curious whether we needed a $ symbol before cmd.

And it works like charm!

We need to inspect the request via Burp Suite and change the request method.

Let’s start our nc listener

Let's send a reverse shell in the request.

After we encode the reverse shell, it doesn’t work at all

Maybe we need to add bash -c before our actual reverse shell command and then send the request. As a result, the request hangs without a response, which is a good sign.

We got the reverse shell connection back to us

We can read the user flag by executing the cat /home/htb/user.txt command.

Escalating to root privileges on the Altered machine

Let's check all the common directories that usually have SUID binaries stored inside.

Sadly, we cannot find any interesting SUID binaries.

The same goes for ps aux.

Let’s see the kernel version

We need a password for www-data

When I executed su -, it worked like a PAM-Wordle game.

From the kernel version, I am aware that the version can be exploited with

I have done some research on the Dirty Pipe vulnerability.
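Deciding from a kernel version whether Dirty Pipe applies is the same check a defender runs during patch triage. The block below is an added example (not code from the original post or from any exploit it links to) that parses a uname -r string and compares it against the upstream ranges in which the bug existed. The ranges used are the publicly documented ones (introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102), not something taken from the post; the sample release strings are constructed.

```python
"""
Added example, not from the original write-up: a patch-triage check that
parses `uname -r` output and reports whether the kernel falls in the upstream
range affected by Dirty Pipe.

Assumed facts (public fix history, not from the post): the bug was introduced
in 5.8 and fixed upstream in 5.16.11, 5.15.25 and 5.10.102; 5.17 and later
never had it. Distributions backport the fix without bumping the upstream
version, so "candidate" means "check the distro advisory", not "vulnerable".
"""
import platform
import re

INTRODUCED = (5, 8, 0)
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}  # series -> first fixed patch level
FIRST_CLEAN_SERIES = (5, 17)


def parse_release(release):
    """Turn a release string such as '5.10.0-kali7-amd64' into (5, 10, 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_dirty_pipe_candidate(release):
    """True if the upstream version lies inside the affected range."""
    major, minor, patch = parse_release(release)
    if (major, minor, patch) < INTRODUCED:
        return False
    if (major, minor) >= FIRST_CLEAN_SERIES:
        return False
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is not None and patch >= fixed_patch:
        return False
    # Series such as 5.9 or 5.11-5.14 never received an upstream fix.
    return True


def triage(releases):
    """Map each release string to its candidate status; useful over a fleet inventory."""
    return {r: is_dirty_pipe_candidate(r) for r in releases}


if __name__ == "__main__":
    # Constructed sample inventory plus the host this script runs on.
    sample = ["5.10.101-generic", "5.10.102-generic", "5.13.0-52-generic", "6.1.0-rc1"]
    for release, flagged in triage(sample).items():
        print(f"{release:<22} candidate={flagged}")
    try:
        print("this host:", platform.release(), is_dirty_pipe_candidate(platform.release()))
    except ValueError as exc:
        print("this host:", exc)
```

A "True" result is a prompt to confirm against the distribution's own changelog rather than a verdict, because a Debian or Ubuntu kernel can carry the fix under a version string that this check still flags.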

We are required to download the exploit on our own machine.

For this machine, I will use only the second exploit.

Therefore, we need to compile the code

Let’s transfer the compiled file to the victim’s machine

Let’s give execution permission to the file

We require one SUID binary to escalate to root

Let's find the right SUID binary that we can abuse.

Let’s execute the exploit as shown above

We managed to gain root access.

We can read the root flag by executing the “cat root.txt” command
