In this post, I would like to share a walkthrough of the Awkward machine from Hack The Box.

This room is rated as a medium machine on Hack The Box.

What will you gain from the Awkward machine?

For the user flag, you will need to bypass an authentication check and dump the user hashes through an API. Another API allows SSRF. Aside from that, we use a Python exploit that leads to a file disclosure vulnerability, and from the disclosed files we obtain credentials for SSH access to the server.

For the root flag, we modify a file used by the cart process, which gives us a root reverse shell, and read the root flag that way.

Information Gathering on Awkward Machine

Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by running: nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface.


The website takes some time to respond.


The IP address redirects us to a domain name (hat-valley.htb), which our machine needs to be able to resolve.

Analyzing the website interface on the Awkward machine


Finally, we get a valid website interface.


It looks like a shop website.


As we didn’t find anything interesting in the website interface, let’s enumerate directories using gobuster.


Sadly, nothing in the gobuster output looks interesting.

Inspecting the website source, we find routes such as /hr defined in /src/router (router.js).

Aside from that, we also find the /api path, which is worth looking into.

Enumerate Hat Valley HR


A login page appears when we access the /hr directory.


Therefore, let’s enumerate subdomains, if any, using gobuster.

Inspecting the traffic with the website interface

First, we can try to change the cookie while inspecting the traffic.

We can see that the token is set to guest, and we can try to change it to something more useful.


For example, we can change the token to admin and refresh the page.


We have successfully accessed the dashboard using only the “admin” token.

Roaming around the hat-valley.htb website interface via curl

Another method we can use here is as follows.

From analyzing app.js, we can see a few API paths that we can examine further.


The API response shows the details of the existing users, including a password hash.


We can obtain the user’s password by submitting the hash to CrackStation.

We should also be able to crack it with John the Ripper.

Accessing the HR dashboard

Let’s log in to Hat Valley HR using the credentials we found earlier.

Hat Valley HR dashboard

Finally, we have managed to access the dashboard as Christopher.

Analyzing the website via Burp Suite

Let’s analyze the requests in Burp Suite; we notice a cookie token (a JWT) that we can take advantage of.

Playing with the jwt2john method


First, we need to download jwt2john.py to our attacker machine.

We can then run the JWT through jwt2john.py and feed the output to John the Ripper.


As a result, John the Ripper recovers the secret used to sign the JWT.


We can now modify the JWT by changing the username claim and signing it with the recovered secret.


Boom! We get a valid /etc/passwd when we replace the existing JWT in the Burp Suite request with our modified token.
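The weakness exploited above is a JWT signed with a guessable HS256 secret. The following Python is an added example, not code from the original post or the box: it verifies HS256 tokens with the standard library only and audits a token against a candidate wordlist, which is the check a defender can run to confirm the signing secret is not crackable. The function names, the wordlist, the username claim and the secret "hatvalley" are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: str) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify_hs256(token: str, secret: str):
    """Return the claims if the signature is valid and alg is HS256, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never accept alg switching or "none"
            return None
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret.encode(), signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON or segment count
        return None


def find_weak_secret(token: str, candidates):
    """Audit: return the first candidate secret that validates the token, else None."""
    for candidate in candidates:
        if verify_hs256(token, candidate) is not None:
            return candidate
    return None


# Constructed sample data: a tiny wordlist and two tokens, one signed with a guessable secret.
CANDIDATES = ["password", "123456", "secret", "hatvalley", "letmein"]
WEAK_TOKEN = sign_hs256({"username": "christopher"}, "hatvalley")
STRONG_TOKEN = sign_hs256({"username": "christopher"}, secrets.token_hex(32))
```

A token whose secret turns up in a wordlist should be treated as forgeable; the fix is a long random secret (as STRONG_TOKEN uses) and strict algorithm checking on the server.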


I managed to find a Python exploit on the internet and used it to look for anything interesting saved on the server itself.


Let’s look at the file referenced in .bashrc and download it to our attacker machine.

Obtaining the folder and file with the earlier exploit


The download contains a complete directory tree taken from the machine.


Let’s browse through the files; in them we find a username and password for accessing the machine.

SSH access to the Awkward machine


Finally, we managed to access the machine via the SSH service.


We can read the user flag by typing the “cat user.txt” command.

Escalating to Root Privileges

Further evidence of the subdomain is found in /etc/hosts on the machine, which exposes store.hat-valley.htb as another host served by the server.


So, let’s take a look at the subdomain.


Let’s try to buy an item on the store website and observe the response and the process on the machine.

Trying to play around with the cart process


There is one file that we should analyze further.


The content of the file looks like the screenshot above.

We copy the file to a different name and delete the original. Then we copy our replacement file back under the original file name.


Let’s download the reverse shell onto the victim machine and save it in the /tmp directory.

Once the file is uploaded to /tmp, we give it execute permission as shown above.

After that, we modify the file so that it looks like the screenshot above.

Now let’s start our shell listener.


Then we try to buy any item and inspect the request in Burp Suite.


In Burp Suite, we need to tweak the request so that it executes the bash file we uploaded earlier to the victim machine.


At last, we get another reverse shell connection back to us.


The content of the CSV file is shown in the screenshot above.

So we insert a command similar to the one we found on GTFOBins.

It looks like this should give us a root reverse shell connection.

Finally, a root reverse shell connection comes back to us as expected.


We can read the root flag by typing the “cat root.txt” command.

Extra Information on Awkward
