In this post, I would like to share a walkthrough of the Overgraph machine from Hack The Box.
This machine is rated Hard on Hack The Box.
What will you gain from the Overgraph machine?
For the user flag, you will need to abuse a Cross-Site Scripting (XSS) vulnerability that lets us perform Client-Side Template Injection (CSTI). With the admin's token, we can then upload a crafted video that exploits FFmpeg so that we can obtain the SSH private key.
As for the root flag, you need to analyze a binary, which involves a heap exploit.
Information Gathering on Overgraph Machine
Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let's access the website interface.
There is nothing interesting on the website itself.
We found one subdomain: internal.graph.htb
Enumerate the Graph Management website
We are presented with a login page for Graph Management.
I also found some subdomains that return an error such as "Cannot GET /".
I managed to find a graphql endpoint which we might be able to abuse for further escalation.
Even without credentials, we can retrieve information about the API by querying its schema.
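To show what the schema step above actually yields, here is an added example (not code from the original post) that parses a GraphQL introspection response and lists the root query and mutation fields with their arguments and return types. The introspection response and every type and field name in it are constructed for illustration and are not the Overgraph schema.

```python
import json

# A standard GraphQL introspection query (what "querying the schema" means).
INTROSPECTION_QUERY = "{ __schema { queryType { name } mutationType { name } types { kind name fields { name args { name } type { kind name ofType { kind name ofType { kind name } } } } } } }"

# Constructed sample response; hypothetical types, not the target's schema.
SAMPLE_INTROSPECTION = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "users", "args": [], "type": {"kind": "LIST", "name": None,
                "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}},
            {"name": "user", "args": [{"name": "username"}],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
        ]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            {"name": "login", "args": [{"name": "username"}, {"name": "password"}],
             "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        ]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "username", "args": [],
             "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        ]},
    ]}}})


def type_name(t):
    """Render a nested introspection type (LIST / NON_NULL wrappers) in SDL style."""
    if t["kind"] == "NON_NULL":
        return type_name(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t["ofType"]) + "]"
    return t["name"]


def root_operations(introspection_json):
    """Return {"query": [...], "mutation": [...]} field signatures from an introspection result."""
    schema = json.loads(introspection_json)["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    result = {}
    for op in ("query", "mutation"):
        root = schema.get(op + "Type")
        if not root:  # a schema may define no mutations at all
            result[op] = []
            continue
        sigs = []
        for f in by_name[root["name"]].get("fields") or []:
            args = ", ".join(a["name"] for a in f["args"])
            sigs.append(f"{f['name']}({args}): {type_name(f['type'])}")
        result[op] = sigs
    return result
```

Defensively, the same listing tells you exactly what an unauthenticated client learns when introspection is left enabled on a production endpoint.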
I have successfully retrieved the Graph Management Dashboard
Let's try the login page by entering random credentials.
As a result, let's brute-force the username using Burp Suite.
Let's register our email so that we can access the website interface.
Then we enter the code, such as 1234, which lets us in.
Finally, we managed to access the Graph Management Dashboard.
We also read the message in the Inbox.
The screenshot above shows the Upload function.
We are required to modify a value inside Local Storage before we can use the Upload function.
Let's do some research on any exploit that we can use here.
After a while, we managed to find one exploit that we can use. We need to modify the file as shown above in order for the exploit to work.
We then upload the exploit file that we modified earlier.
It works like a charm! For the next step, we can retrieve the SSH private key so that we can log in via the SSH service.
At last, we have obtained the SSH private key from the exploit we used earlier.
Finally, we successfully accessed the machine via SSH service.
We can read the user flag by typing the command “cat user.txt“
Escalate to Root Privileges Access on Overgraph Machine
At first, we need to look through all the potential folders on the victim's machine, but this turned out to be a dead end.
Therefore, let's see which ports are listening locally by typing the netstat -tnlp command.
When we access the port locally, it runs an application called "Custom Reporting v1".
Sadly, when we enter a random token, it returns the error "Invalid Token".
We need to locate where the binary is stored on the victim's machine.
Next, let's download the binary file to our machine.
Analyze the binary using Ghidra
We need to load the file into Ghidra.
When analyzing the main function, I managed to see the flow of the program.
We can see how the token works by analyzing the auth function.
Brute-Forcing the token
I found a script on the internet that brute-forces the token, with the result shown above.
At last, we managed to run the apps as shown in the screenshot above.
After running the script, we managed to get some good responses back to us.
Due to some issues, I cannot run the file on my machine, so let's execute it on the victim's machine itself.
Let's start our port forwarding process.
Now let's execute the file with the REMOTE function.
Finally, we got root from the process, but sadly the root shell is not fully operational as planned.
Let's start our pwncat-cs listener.
Therefore, let's launch our bash shell from the root terminal.
We have successfully grabbed the root shell
We can read the root flag by typing the command “cat root.txt“