In this post, I would like to share a walkthrough of the Derailed Machine from Hack the Box
This room will be considered an Insane machine on Hack the Box
What will you gain from the Derailed machine?
For the user flag, you will need to create a new user with XSS script notes on the rails notes application which the notes report will be reviewed by the admin. We will be using the administrator’s browser session so that we can read the admin page with a file read vulnerability.
As for the root flag, you need to exploit the vulnerability on openmediavault’s RPC which we can insert a SSH key for root access
Information Gathering on Derailed Machine
Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
# Nmap 7.92 scan initiated Tue Feb 21 07:37:12 2023 as: nmap -sC -sV -oA initial -Pn 10.10.11.190
Nmap scan report for 10.10.11.190
Host is up (0.19s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 16:23:b0:9a:de:0e:34:92:cb:2b:18:17:0f:f2:7b:1a (RSA)
| 256 50:44:5e:88:6b:3e:4b:5b:f9:34:1d:ed:e5:2d:91:df (ECDSA)
|_ 256 0a:bd:92:23:df:44:02:6f:27:8d:a6:ab:b4:07:78:37 (ED25519)
3000/tcp open http nginx 1.18.0
|_http-title: derailed.htb
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 21 07:37:46 2023 -- 1 IP address (1 host up) scanned in 34.79 seconds
# Nmap 7.92 scan initiated Tue Feb 21 07:37:12 2023 as: nmap -sC -sV -oA initial -Pn 10.10.11.190
Nmap scan report for 10.10.11.190
Host is up (0.19s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 16:23:b0:9a:de:0e:34:92:cb:2b:18:17:0f:f2:7b:1a (RSA)
| 256 50:44:5e:88:6b:3e:4b:5b:f9:34:1d:ed:e5:2d:91:df (ECDSA)
|_ 256 0a:bd:92:23:df:44:02:6f:27:8d:a6:ab:b4:07:78:37 (ED25519)
3000/tcp open http nginx 1.18.0
|_http-title: derailed.htb
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 21 07:37:46 2023 -- 1 IP address (1 host up) scanned in 34.79 seconds
Let’s access the website interface
There are a few functions that we can abuse such as login, sign up, and one blank box which we can create a new clipnote
As a result, let’s try to register a new account on the website application
Therefore, let’s try to login using the credentials that we register earlier.
Nothing happens when trying to enter any malicious file
Sadly, the creator has patched this path
The intended way to escalate the privileged access
Firstly, let’s inject the packet with the XSS method and need to encode the strings to character code.
Let’s just enter just a simple payload
Let’s start our nc listener
It looks fine so far.
Next, we need to trigger the payload by submitting a simple command on the reporting endpoint
After a while, the malicious file has finally uploaded to the machine.
Finally, the reverse shell connection is back to us.
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access
It looks like a log that we can execute.
We managed to find the username “Marcus” and “openmediavault-webgui” on the machine.
At last, we managed to find a hash for the toby’s credentials.
We are also successfully a password for the toby
It’s successful access to another user
There is a file that obviously caught my attention
Let’s execute the command above to test the omv command
Let’s try port-forwarding the machine connection
The website interface from the port-forwarding the connection.
My bad, the command should only use the omv-confdabdam read conf.system.usermngmnt.user
We are required. to modify the command as root and ssh key
Sadly, it doesn’t work at all which it’s weird to me
Finally, it has worked as I am hoping for.
Therefore, let’s execute the command that applies the change on the omv command
We can copy-paste the private key into the machine.
Boom! We have successfully the machine via SSH private key
We can read the root flag by typing into the “cat root.txt” command
No responses yet