In this post, I would like to share a walkthrough of the Mentor machine from Hack The Box.

This box is rated Medium on Hack The Box.

What will you gain from the Mentor machine?

For the user flag, you need to enumerate a new subdomain, API.mentorquotes.htb, which hosts the API. Its documentation lists all the endpoints. The web application is vulnerable to command injection, which gives us a reverse shell. Once inside the machine, we look for credentials, especially for the database, and dump the password hashes from it. The password of the user james comes from the SNMP configuration file.

For the root flag, a sudo rule lets us run /bin/sh as root.

Information Gathering on Mentor Machine

Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we start information gathering on the machine with nmap -sC -sV -p- <IP Address> -PN (-PN is the older spelling of -Pn, which skips host discovery).


Let's access the website.

There is nothing interesting on it for now.

Let's also check whether any UDP ports are open.

SNMP is, so we enumerate it with snmpwalk.

Directory brute-forcing with gobuster only turned up a dead-end path.

Let's enumerate virtual hosts instead, which returns a lot of candidate subdomains.

wfuzz lets us filter out the default response so that only the subdomain we need remains.

Let's access the subdomain we found.
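The Host-header fuzzing step, as an added example that is not part of the original post: a small Python vhost scanner that compares every candidate against a baseline response, which is the same comparison wfuzz's hide filters make. So that it runs offline it starts a constructed local server that answers differently only for api.mentorquotes.htb; the wordlist and the fake server's responses are assumptions, not the box's real behaviour.

```python
"""Virtual-host discovery by fuzzing the HTTP Host header (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed wordlist; a real run would use a SecLists subdomain list.
WORDLIST = ["www", "mail", "dev", "api", "staging"]


def fetch(host, port, vhost, path="/", timeout=5):
    """GET `path` with an explicit Host header; return (status, body length)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": vhost})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def find_vhosts(host, port, base_domain, words):
    """Return candidates whose response differs from a deliberately bogus vhost.

    The web server answers every unknown Host with its default site, so that
    default is the baseline; anything with a different status or size is a
    configured virtual host (this is what wfuzz's --hc / --hh filters hide).
    """
    baseline = fetch(host, port, f"doesnotexist.{base_domain}")
    hits = []
    for word in words:
        vhost = f"{word}.{base_domain}"
        result = fetch(host, port, vhost)
        if result != baseline:
            hits.append((vhost, result))
    return hits


class _FakeTarget(BaseHTTPRequestHandler):
    """Constructed stand-in for the box: only the API vhost answers differently."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == "api.mentorquotes.htb":
            status, body = 404, b'{"detail":"Not Found"}'  # bare API root
        else:
            status, body = 200, b"<html>default site</html>"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the demo output quiet
        pass


def demo():
    """Start the fake target on a random loopback port, scan it, shut it down."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return find_vhosts("127.0.0.1", srv.server_port, "mentorquotes.htb", WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for vhost, (status, size) in demo():
        print(f"{vhost}: status {status}, {size} bytes")
```

Against a real target you would point fetch() at the box's IP and port 80 and feed a large wordlist; the baseline comparison is what keeps the output to the handful of hosts worth visiting.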

Enumerate the API subdomain on the mentor machine

As the name suggests, it is a JSON API.

First we sign up for an account.

The API documentation shows a sample request for each endpoint, including the equivalent curl command.

Now we log in with the credentials we just created, including the email address.

The login request goes through the same way as the signup did.

We can replay the request from the terminal with curl, but the response is an error: "Only admin users can access this resource".

The same request can be sent through Burp Suite.

The /users/ endpoint lists the available users.

With the authorization value we found earlier added to the request, we can reach the /admin/ endpoint, which returns JSON.

That JSON reveals the /admin/backup endpoint; requesting it returns "Method Not Allowed".

Sending the request with Content-Type: application/json instead yields a JSON response.

Let's start a listener so we can catch the reverse shell.

We inject a reverse shell command through Burp Suite, but nothing happens.

Switching to a different reverse shell payload works like a charm.

pwncat-cs throws an error when the connection comes in.

So we fall back to a plain netcat listener: nc -lvnp 9007.

Now we have a reverse shell on the box.

There is a file called db.py inside /app/app/.

Reading its source, I notice credentials for the PostgreSQL database, which we can take advantage of.
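The bug class behind /admin/backup, as an added example that is not the Mentor box's code: a hypothetical backup handler that formats a JSON field into a shell command line, next to a hardened version. The request shape ({"path": ...}), the tar command and the allow-list are all assumptions. The point it demonstrates is that string-building a command lets a ";" in the input run a second command, while an argv list executed without a shell plus input validation does not.

```python
"""JSON 'backup' handler: command injection vs. the hardened version (added example)."""
import json
import re
import subprocess

# Assumed request shape: {"path": "<directory to back up>"}.
# Allow-list for the path: letters, digits, '_', '.', '/', '-'; no shell metacharacters.
SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]+$")


class BadRequest(ValueError):
    """Raised by the hardened handler for input it refuses to run."""


def vulnerable_backup_command(body: str) -> str:
    """Build the command the way the vulnerable handler does: by string formatting.

    Whatever is in "path" is spliced straight into a line for /bin/sh, so
    "/dev/null; echo INJECTED" turns into two commands.
    """
    data = json.loads(body)
    return f"tar -cf /dev/null {data['path']}"  # archive goes to /dev/null so the demo leaves no file


def run_vulnerable(body: str) -> str:
    """Execute the vulnerable command through the shell and return its stdout."""
    cmd = vulnerable_backup_command(body)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_backup_argv(body: str) -> list:
    """Validate the path and build an argv list; no shell is involved."""
    data = json.loads(body)
    path = data.get("path")
    if not isinstance(path, str) or not SAFE_PATH.fullmatch(path):
        raise BadRequest("path contains characters that are not allowed")
    if ".." in path.split("/"):
        raise BadRequest("path traversal is not allowed")
    # '--' stops tar from treating a path that starts with '-' as an option.
    return ["tar", "-cf", "/dev/null", "--", path]


def run_hardened(body: str) -> int:
    """Execute the validated argv without a shell; return tar's exit status."""
    argv = hardened_backup_argv(body)
    return subprocess.run(argv, shell=False, capture_output=True).returncode


def is_rejected(body: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_backup_argv(body)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    payload = json.dumps({"path": "/dev/null; echo INJECTED"})
    print("vulnerable handler output:", run_vulnerable(payload).strip())
    print("hardened handler rejects payload:", is_rejected(payload))
    print("hardened handler exit status on clean input:",
          run_hardened(json.dumps({"path": "/dev/null"})))
```

The injected "echo INJECTED" stands in for the reverse shell one-liner: anything that works after a ";" in a shell works here. Note that the hardened version does both things; quoting alone (shlex.quote) would stop the injection, but the allow-list also keeps the endpoint from being pointed at arbitrary paths.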

Enumeration using psql database

We can't transfer files to the box with curl.

wget works, though, so we upload chisel that way.

Then we set up port forwarding between the box and our machine with chisel.

Let's connect to the PostgreSQL database with the credentials from db.py.

\dt lists the relations (tables) in the database.

select * from users; retrieves the user records.

Cracking the hash gives us the password of service_acc, which the svc user also uses.

That password gets us in over SSH.

We can read the user flag with cat user.txt.
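The hash-cracking step, as an added example that is not part of the original post. The post does not say which hash format the users table held, so this tries the unsalted digests that a hex string's length points to against a wordlist, and flags "$"-prefixed salted/KDF formats as work for hashcat or john instead. The rows and the wordlist are constructed, not the box's data.

```python
"""Offline check of dumped password hashes against a wordlist (added example)."""
import hashlib

# Constructed rows shaped like `select username, password from users;` (not the box's data).
SAMPLE_ROWS = [
    ("james", "e10adc3949ba59abbe56e057f20f883e"),  # md5("123456")
    ("svc", "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"),  # sha256("password")
    ("postgres", "$2b$12$notarealbcrypthashjustashapeexample"),  # bcrypt-style: hashcat/john territory
    ("backup", "00000000000000000000000000000000"),  # md5-shaped, not in the wordlist
]

# Constructed wordlist; a real run would use rockyou.txt.
WORDLIST = ["password", "letmein", "123456", "mentor", "service_acc"]

# Hex-digest length -> unsalted algorithms worth trying.
DIGEST_LENGTHS = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}


def candidate_algorithms(stored: str) -> list:
    """Unsalted digests a string of this length could be; [] for $-prefixed formats."""
    if stored.startswith("$"):  # crypt(3), bcrypt, argon2 ...: salted, not a plain digest
        return []
    return DIGEST_LENGTHS.get(len(stored), [])


def crack(stored: str, wordlist) -> tuple:
    """Return (algorithm, plaintext) on a hit, or None."""
    target = stored.lower()
    for algo in candidate_algorithms(target):
        for word in wordlist:
            if hashlib.new(algo, word.encode()).hexdigest() == target:
                return algo, word
    return None


def crack_dump(rows, wordlist) -> dict:
    """Map each username to its crack() result."""
    return {user: crack(stored, wordlist) for user, stored in rows}


if __name__ == "__main__":
    for user, result in crack_dump(SAMPLE_ROWS, WORDLIST).items():
        print(f"{user}: {result if result else 'no hit (or salted format)'}")
```

A None for a "$"-prefixed value means the format needs a proper cracker with the right mode, not that the password is strong; a None for a plain digest just means it is not in the wordlist.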

Escalate to Root Privileges

First, upload linpeas to the victim machine.

Make the linpeas file executable.

In the linpeas output, a configuration file stands out and deserves a closer look.

It contains the password of the user james (this is the SNMP configuration file mentioned at the start).

With that password I can switch to the other user.

Running sudo -l as this user reveals a sudo rule that lets us run /bin/sh as root.

Escalating is then a single command: sudo /bin/sh.

We can read the root flag with cat /root/root.txt.
