In this post, I would like to share a walkthrough of the Bagel machine from Hack the Box.
This room is considered a medium machine on Hack the Box.
What will you gain from the Bagel machine?
For the user flag, you will need to abuse a Local File Inclusion (LFI) vulnerability, which leads to learning about the processes on the system and obtaining the credentials. As a result, we will try to take advantage of JSON deserialization so that we can access the machine.
As for the root flag, you need to abuse the dotnet script, which will allow us to read the flag.
Information Gathering on Bagel Machine
Once we have started the VPN connection, which requires a download from Hack the Box, we can start gathering information on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
[darknite@parrot]─[~/Document/htb/Bagel]
└──╼ $nmap -sC -sV 10.10.11.201 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-02 18:40 EST
Nmap scan report for 10.10.11.201
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.8 (protocol 2.0)
| ssh-hostkey:
| 256 6e:4e:13:41:f2:fe:d9:e0:f7:27:5b:ed:ed:cc:68:c2 (ECDSA)
|_ 256 80:a7:cd:10:e7:2f:db:95:8b:86:9b:1b:20:65:2a:98 (ED25519)
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 400 Bad Request
| Server: Microsoft-NetCore/2.0
| Date: Thu, 02 Mar 2023 23:40:56 GMT
| Connection: close
| HTTPOptions:
| HTTP/1.1 400 Bad Request
| Server: Microsoft-NetCore/2.0
| Date: Thu, 02 Mar 2023 23:41:13 GMT
| Connection: close
| Help:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Thu, 02 Mar 2023 23:41:24 GMT
| Content-Length: 52
| Connection: close
| Keep-Alive: true
| <h1>Bad Request (Invalid request line (parts).)</h1>
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Thu, 02 Mar 2023 23:40:56 GMT
| Content-Length: 54
| Connection: close
| Keep-Alive: true
| <h1>Bad Request (Invalid request line (version).)</h1>
| SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Thu, 02 Mar 2023 23:41:25 GMT
| Content-Length: 52
| Connection: close
| Keep-Alive: true
| <h1>Bad Request (Invalid request line (parts).)</h1>
| TLSSessionReq:
| HTTP/1.1 400 Bad Request
| Content-Type: text/html
| Server: Microsoft-NetCore/2.0
| Date: Thu, 02 Mar 2023 23:41:26 GMT
| Content-Length: 52
| Connection: close
| Keep-Alive: true
|_ <h1>Bad Request (Invalid request line (parts).)</h1>
8000/tcp open http-alt Werkzeug/2.2.2 Python/3.10.9
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Thu, 02 Mar 2023 23:40:57 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.1 302 FOUND
| Server: Werkzeug/2.2.2 Python/3.10.9
| Date: Thu, 02 Mar 2023 23:40:51 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 263
| Location: http://bagel.htb:8000/?page=index.html
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://bagel.htb:8000/?page=index.html">http://bagel.htb:8000/?page=index.html</a>. If not, click the link.
| Socks5:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('
| ').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
|_http-server-header: Werkzeug/2.2.2 Python/3.10.9
|_http-title: Did not follow redirect to http://bagel.htb:8000/?page=index.html
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.02 seconds
Let’s try to access the website interface on port 8000, which we found earlier in the Nmap result.
As a result, we need to whitelist the domain before we can access the website interface.
We can see the packet in Burp Suite, and the response redirects us to a different URL.
From the look of the request, I’m guessing that the application is vulnerable to Local File Inclusion (LFI).
Therefore, let’s run our proof of concept by trying to access /etc/passwd, and it works as I expected.
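The `?page=` behaviour confirmed above comes down to joining request input onto a directory without checking where the result lands. The following is an added example, not the machine's actual source: `resolve_page_unsafe`, `resolve_page_safe` and the temporary files are hypothetical names and constructed data that contrast the flawed join with a containment check.

```python
import tempfile
from pathlib import Path


def resolve_page_unsafe(base_dir: Path, page: str) -> Path:
    """Flawed pattern: joins user input onto the web root unchecked."""
    # An absolute `page` replaces base_dir entirely; "../" climbs out of it.
    return base_dir / page


def resolve_page_safe(base_dir: Path, page: str) -> Path:
    """Hardened pattern: canonicalise, then require the result inside base_dir."""
    root = base_dir.resolve()
    candidate = (root / page).resolve()      # collapses "..", follows symlinks
    if not candidate.is_relative_to(root):   # Python 3.9+
        raise PermissionError(f"page outside web root: {page!r}")
    if not candidate.is_file():
        raise FileNotFoundError(page)
    return candidate


def demo() -> dict:
    """Run constructed inputs through both resolvers and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp) / "static"
        web_root.mkdir()
        (web_root / "index.html").write_text("<h1>Bagel</h1>")
        (Path(tmp) / "secret.txt").write_text("outside the web root")
        for page in ("index.html", "../secret.txt", "/etc/passwd"):
            unsafe = resolve_page_unsafe(web_root, page).resolve()
            escapes = not unsafe.is_relative_to(web_root.resolve())
            try:
                resolve_page_safe(web_root, page)
                safe = "served"
            except (PermissionError, FileNotFoundError) as exc:
                safe = type(exc).__name__
            results[page] = (escapes, safe)
    return results


if __name__ == "__main__":
    for page, (escapes, safe) in demo().items():
        print(f"{page!r:20} unsafe escapes root: {escapes!s:5}  safe: {safe}")
```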
As we don’t know anything else, we can try to bypass it by checking the latest directory or file that the server accessed.
At last, we found a Python file that we can investigate further.
Inside the Python file, we notice some files that we can try to take advantage of. I notice that there’s a WebSocket connection such as http://127.0.0.1:5000.
We should try to brute-force the cmdline command, which leads to a DLL file that resides inside /opt/bagel/bin/Debug/net6.0.
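From the defender's side, both the traversal requests and the walk over /proc/<pid>/cmdline stand out in the web server's access log. The following added example (not from the original post) parses constructed Werkzeug-style log lines; the client addresses, the `analyse` function and the threshold of three PIDs are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Werkzeug's access-log style (not taken from the machine).
SAMPLE_LOG = """\
10.10.14.5 - - [02/Mar/2023 23:45:01] "GET /?page=index.html HTTP/1.1" 200 -
10.10.14.5 - - [02/Mar/2023 23:45:09] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 -
10.10.14.5 - - [02/Mar/2023 23:46:10] "GET /?page=..%2f..%2f..%2fproc/1/cmdline HTTP/1.1" 200 -
10.10.14.5 - - [02/Mar/2023 23:46:11] "GET /?page=..%2f..%2f..%2fproc/2/cmdline HTTP/1.1" 200 -
10.10.14.5 - - [02/Mar/2023 23:46:12] "GET /?page=..%2f..%2f..%2fproc/3/cmdline HTTP/1.1" 200 -
10.10.14.9 - - [02/Mar/2023 23:47:00] "GET /?page=orders.html HTTP/1.1" 200 -
"""

LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
PROC_RE = re.compile(r"(?:^|/)proc/(\d+|self)/cmdline$")


def analyse(log_text: str, pid_threshold: int = 3) -> list:
    """Return (client, rule, detail, http_status) findings for the `page` parameter."""
    findings = []
    pids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        for page in parse_qs(urlsplit(target).query).get("page", []):
            # parse_qs decodes once; decode again to catch double-encoded input.
            page = unquote(page).replace("\\", "/")
            if ".." in page.split("/") or page.startswith("/"):
                findings.append((client, "traversal", page, status))
            proc = PROC_RE.search(page)
            if proc:
                pids_by_client[client].add(proc.group(1))
    # Many distinct PIDs from one client indicates process enumeration through the LFI.
    for client, pids in pids_by_client.items():
        if len(pids) >= pid_threshold:
            findings.append((client, "proc-enumeration", f"{len(pids)} PIDs", "-"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

A 200 status on a traversal finding means the file was actually returned, so those entries are the ones to triage first.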
Inside the DLL file, we managed to find content that looks like a .NET language.
We should analyze the bagel.dll file using dnSpy.
The screenshot above shows the dnSpy interface used to analyze bagel.dll.
In the database function of bagel.dll, I found one password that we can use later.
Enumerate with Local File Inclusion (LFI) using Python
As some people are already aware, I’m not good with programming, so I asked ChatGPT for help to generate a Python script for me.
At last, we managed to obtain an SSH public key from the machine.
We should give execution permission to the file.
Finally, we have successfully accessed the machine via the SSH service.
We can read the user flag by typing the “cat user.txt” command.
Escalate to Root Privileges
Previously, we noticed that there are other users, so let’s change to that user (developer).
As usual, let’s enumerate by typing the “sudo -l” command, and notice that we can run dotnet with root access.
Therefore, let’s execute dotnet with fsi, which looks like what is shown above.
As a result, we can execute the command above.
At last, we have a root shell on our machine.
We can read the root flag by typing the “cat root.txt” command.