Hack The Box: Awkward Machine Walkthrough – Medium Difficulty

In this post, I would like to share a walkthrough of the Awkward Machine from Hack the Box

This room will be considered a medium machine on Hack the Box

What will you gain from the Awkward machine?

For the user flag, you will need to bypass the authentication check where we need to find dump user hashes by using the API. We also should be able to do SSRF with another API. Aside from that, we also need to play around with the python exploit which will lead to file disclosure vulnerability. As a result, we should be able to obtain credentials to the server via SSH access.

As for the root flag, you need to modify the file on the cart progress which we should be getting a root reverse shell and read the root flag that way.

Information Gathering on Awkward Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface

However, it will take some time for the website to come back to us.

However, the IP Address must redirect us to a domain server.

Analyze the website interface on an awkward machine

Finally, we got a valid website interface

It looks like it’s a type of website that contains a shop

As we didn’t find anything on the website interface, let’s enumerate the directory using gobuster

Sadly, nothing on the gobuster output looks interesting

We can find some file such as /hr that resides /src/router (router.js) when trying to inspect the website

Aside from that, we also can find the directory as /api which we can be looking into it.

Enumerate Hat Valley HR

A login page appeared when we access the hr directory

Therefore, let’s enumerate the subdomain if available using gobuster tool.

Inspecting the traffic with the website interface

Firstly, we can try to change the cookie by inspecting the traffic

We should be able to see the token as a guest and we can try to change it to something useful.

For example, we can change the token to admin and try to refresh the page

We have successfully accessed the Dashboard only “admin” token

Roaming around the hat-valley.htb website interface via curl

Another method that we can use over here would something such as follow

From the analysis on the app.js, we can see there are a few directories that we can analyze further.

The screenshot above shows the details of the user’s existence.

We can obtain the password for the user assigned by entering the hash at the crackstation.

We also should be able to crack it with john the ripper as shown above

Accessing the HR dashboard

As a result, let’s access Hat Valley HR by using the credentials that we found earlier.

Hat Valley HR dashboard

Finally, we have managed to access the Dashboard as Christopher.

Analyze the website via burpsuite

Therefore, let’s analyze the packet via burpsuite and notice there are some cookie tokens that we can take advantage of it

Playing with the jwt2john method

Firstly, we are required to download the jwt2john.py into our attacker’s machine

We also can use the jwt token to crack the password just like the command above.

As a result, we can obtain the password for the jwt by using john the ripper.

We can modify the jwt token by changing the details on the username and adding the password on the secret key section.

Boom! We have a valid /etc/passwd when we replace the jwt token that we modify with the existing jwt token on burpsuite

I managed to find a python exploit from the internet and use it to see anything interesting that was saved inside the server itself.

Let’s see the file that is written within the .bashrc file and try to download it on our attacker’s machine

Obtain the folder and file from the exploit earlier

The file contains a complete directory that supposedly a computer should use inside their machine.

Therefore, let’s roam and analyze the file where we managed to find a password and username to access the machine.

SSH access to the Awkward machine

Finally, we managed to access the machine via SSH service

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

Another proof the subdomain can be seen from the /etc/hosts on the machine which exposes store.hat-valley.htb as another domain or subdomain that is available on the server.

So, let’s try to sight the subdomain of the website.

As a result, let’s try to buy an item on the store’s website and see the response or process on the machine

Trying to play around with the cart process

There is one file that we should be analyzing further

The content within the file will look something as shown in the screenshot above.

We should copy the file to a different name and delete the original file. Then, we should copy back the file that we replace earlier with the original file name

Let’s download the reverse shell into our victim’s machine and saved it into /tmp directory

Once the file is completing the upload inside the /tmp directory, we should be giving the file the execution permission as shown above.

After that, we should modify the file which should look like something as shown above.

As a result, let’s start our shell listener

Then, we should trying to buy any item and we should be inspecting the packet via burpsuite

When we try to inspect via burpsuite, we need to make a twick on the request which we are required to execute the bash file that we upload earlier to the victim’s machine/

At last, we managed to retrieve another reverse shell connection back to us.

The content of the csv file contain as shown in the screenshot above.

As a result, we should be putting the command that similiar that we found inside the gtfobins

It look like we should be getting the root reverse shell connection back to us by default.

Finally, a root’s reverse shell connection is back to us as expected

We can read the root flag by typing the “cat root.txt” command

Extra Information on awkward