In this post, I would like to share a walkthrough of the Phoenix Machine from Hack the Box

This room will be considered as a Hard machine on Hack The box

What will you gain from the Phoenix machine?

For the user flag, you will need to abuse a vulnerability on asgaros-forum and use an exploit that is available on the internet. We also enumerate MySQL database and wp-login to escalate to user privileges access.

As for the root flag, you need to take advantage of the cron job where we can throw a reverse shell on the machine

Information Gathering on Phoenix Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

The Nmap result shows three open ports such as 22, 80, and 443.

Let’s access the website interface

Sadly, there is nothing we can see on the website interface.

Let’s execute the gobuster tool to enumerate the directory on the machine.

However, I notice that there is a WAF has been implemented on the machine. As a result, let’s analyze the website source code

I have managed to find the CMS that the website is using which is WordPress 5.9

Let’s start running wpscan tool to check on the WordPress

From wpscan tool result, I notice asgaros-forum is outdated which we can take advantage of

Let’s do some research on asgaros-forum

The screenshot above shows some warning that we can make use of it

We can use the exploit.py from the website and execute the command such as python3 exploit <url> <.phtml file>

Let’s start our nc listener so that reverse connection back to us.

We didn’t receive a response on the website which looks good.

Voila! We managed to retrieve our reverse connection back to us.

Let’s establish a proper shell

Let’s roam the machine to see any interesting file or folder        

We managed to find the two-factor folder as shown above

The file contains a long line which I didn’t manage to find any interesting

We managed to find a MySQL password that we can use for the database on the machine

Let’s access the MySQL database using the credentials that we found earlier.

We found password hashes that we can crack later.

We can crack using john tool but I didn’t have a screenshot to show over here.

Let’s see what is stored in /etc/security/access.conf file

I notice that there’s an IP Address 10.11.12.13

I notice that there’s an IP Address 10.11.12.13

Let’s access the localhost interface using the ssh service

We can read the user flag using the command “cat user.txt”

Escalate to Root Privileges Access

Let’s run the usual command such as sudo -l to escalation

Let’s monitor the processes that run on the victim’s machine by executing the ps aux command

There is a file called cron.sh.x which looks weird to me.

Let’s execute the file

I have found out that the rsync –server -te.LsfxC –ignore-existing . /backup that we can abuse it

We can add a new file on backups

We can abuse the SUID of rsync that is stated on gftobins

After a few minutes, the /bin/bash does not change to the SUID file

Let’s throw a reverse shell on the command

We got a root reverse shell

We can read the root flag by executing the command “cat root.txt

-THE END-

Happy Learning Guys!

Extra Information on Paper machine

We can go to /etc/shadow so that we can unlock and read the write-up

Leave a Reply

Your email address will not be published.