In this post, I would like to share a walkthrough of the Awkward machine from Hack the Box.
This machine is rated as a medium machine on Hack the Box.
- What will you gain from the Awkward machine?
- Information Gathering on Awkward Machine
- Analyze the website interface on an awkward machine
- Enumerate Hat Valley HR
- Inspecting the traffic with the website interface
- Roaming around the hat-valley.htb website interface via curl
- Hat Valley HR dashboard
- Obtain the folder and file from the exploit earlier
- SSH access to the Awkward machine
- Escalate to Root Privileges Access
- Trying to play around with the cart process
- Extra Information on awkward
What will you gain from the Awkward machine?
For the user flag, you will need to bypass the authentication check and dump user hashes by using the API. We should also be able to do SSRF with another API. Aside from that, we need to play around with a Python exploit, which leads to a file disclosure vulnerability. As a result, we should be able to obtain credentials for SSH access to the server.
As for the root flag, you need to modify a file used in the cart process, which should give us a root reverse shell, and read the root flag that way.
Information Gathering on Awkward Machine
Once we have started the VPN connection, which requires a download from Hack the Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface.
However, it will take some time for the website to come back to us.
However, the IP address redirects us to a domain name.
Analyze the website interface on an awkward machine
Finally, we got a valid website interface
It looks like it’s a type of website that contains a shop
As we didn’t find anything on the website interface, let’s enumerate the directory using gobuster
Sadly, nothing on the gobuster output looks interesting
When inspecting the website, we can find paths such as /hr, which resides in /src/router (router.js).
Aside from that, we can also find the /api directory, which we can look into.
Enumerate Hat Valley HR
A login page appeared when we access the hr directory
Therefore, let’s enumerate the subdomains, if any are available, using the gobuster tool.
Inspecting the traffic with the website interface
Firstly, we can try to change the cookie by inspecting the traffic
We should be able to see the token as a guest and we can try to change it to something useful.
For example, we can change the token to admin and try to refresh the page
We have successfully accessed the dashboard using only the “admin” token.
Roaming around the hat-valley.htb website interface via curl
Another method that we can use here is as follows.
From the analysis of app.js, we can see that there are a few directories that we can analyze further.
The screenshot above shows the details of the users that exist.
We can obtain the password for the user by entering the hash at CrackStation.
We should also be able to crack it with John the Ripper, as shown above.
Accessing the HR dashboard
As a result, let’s access Hat Valley HR by using the credentials that we found earlier.
Hat Valley HR dashboard
Finally, we have managed to access the Dashboard as Christopher.
Analyze the website via burpsuite
Therefore, let’s analyze the packet via Burp Suite and notice that there are some cookie tokens that we can take advantage of.
Playing with the jwt2john method
Firstly, we need to download jwt2john.py onto our attacker’s machine.
We can also use the JWT token to crack the password, just like the command above.
As a result, we can obtain the password for the JWT by using John the Ripper.
We can modify the JWT token by changing the details in the username and adding the password in the secret key section.
Boom! We get a valid /etc/passwd when we replace the existing JWT token in Burp Suite with the JWT token that we modified.
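Why a crackable JWT secret matters, as an added example that is not part of the original walkthrough or the machine's code: an HS256 token is only as strong as its signing secret, so a defender can audit that secret against a wordlist before anyone else does. The function names, the wordlist, the secrets and the usernames below are all constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed sample data: a tiny wordlist and two signing secrets.
WORDLIST = ["password", "letmein", "hunter2"]
WEAK_SECRET = "letmein"
STRONG_SECRET = secrets.token_urlsafe(32)  # random, not in any wordlist

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: str) -> str:
    """Build header.payload.signature the way an HS256 issuer does."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64e(json.dumps(claims).encode())
    return header + "." + payload + "." + b64e(mac(header + "." + payload, secret))

def verify_hs256(token: str, secret: str):
    """Return the claims if the signature is valid under `secret`, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None  # never let the token pick a different algorithm
        if not hmac.compare_digest(mac(header + "." + payload, secret), b64d(sig)):
            return None
        return json.loads(b64d(payload))
    except (ValueError, AttributeError):
        return None  # malformed token

def audit_secret(token: str, candidates):
    """Defender-side check: does any wordlist entry validate this token?"""
    return next((c for c in candidates if verify_hs256(token, c) is not None), None)

def demo() -> dict:
    """Run the checks on constructed tokens and return the results."""
    token = sign_hs256({"username": "alice"}, WEAK_SECRET)
    head, _, sig = token.split(".")
    tampered = head + "." + b64e(json.dumps({"username": "bob"}).encode()) + "." + sig
    strong = sign_hs256({"username": "alice"}, STRONG_SECRET)
    return {"tampered_accepted": verify_hs256(tampered, WEAK_SECRET) is not None,
            "weak_found": audit_secret(token, WORDLIST),
            "strong_found": audit_secret(strong, WORDLIST)}

if __name__ == "__main__":
    print(demo())
```

Editing the payload alone is rejected because the signature no longer matches; the token only becomes forgeable once the secret is recoverable, which is why the secret should be long and random and why claims such as the username still need server-side validation.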
I managed to find a Python exploit on the internet and used it to see whether anything interesting was saved inside the server itself.
Let’s look at the file that is written within the .bashrc file and try to download it to our attacker’s machine.
Obtain the folder and file from the exploit earlier
The file contains a complete directory structure of the kind a user would normally have on their machine.
Therefore, let’s roam through and analyze the files, where we manage to find a username and password to access the machine.
SSH access to the Awkward machine
Finally, we managed to access the machine via SSH service
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access
Further proof of the subdomain can be seen in /etc/hosts on the machine, which exposes store.hat-valley.htb as another domain or subdomain that is available on the server.
So, let’s try to visit the subdomain of the website.
As a result, let’s try to buy an item on the store’s website and see the response or process on the machine
Trying to play around with the cart process
There is one file that we should be analyzing further
The content within the file will look something as shown in the screenshot above.
We should copy the file to a different name and delete the original file. Then, we should copy the renamed file back to the original file name.
Let’s download the reverse shell onto the victim’s machine and save it in the /tmp directory.
Once the file has finished uploading to the /tmp directory, we should give it execute permission, as shown above.
After that, we should modify the file so that it looks like what is shown above.
As a result, let’s start our shell listener
Then, we should try to buy any item and inspect the packet via Burp Suite.
When we inspect the request via Burp Suite, we need to make a tweak to it so that it executes the bash file that we uploaded earlier to the victim’s machine.
At last, we managed to retrieve another reverse shell connection back to us.
The content of the CSV file is as shown in the screenshot above.
As a result, we should put in a command similar to the one that we found on GTFOBins.
It looks like we should get the root reverse shell connection back to us by default.
Finally, a root’s reverse shell connection is back to us as expected
We can read the root flag by typing the “cat root.txt” command