In this post, I would like to share a walkthrough of the Response Machine from Hack the Box

This machine is rated Insane on Hack The Box.

What will you gain from the Response machine?

For the user flag, you will need to abuse the proxy that sits behind an SSRF vulnerability. Through it we reach the chat application, which we can initially access as guests; to get admin access, we redirect the chat application's LDAP authentication to the attacker's machine. From there, we obtain bob's credentials from the FTP server by abusing cross-protocol request forgery, and we retrieve the SSH key through an exploit that involves directory traversal.

As for the root flag, you need to analyze the PCAP and the core.auto_update file: the AES key recovered from the memory dump is what decodes the captured traffic. We will then download a copy of a zip file from root's home directory.

Information Gathering on Response Machine

Once the VPN connection is up (the VPN file has to be downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface

However, the website itself has nothing interesting that we can poke at or abuse.

Website enumeration on Response machine

We might spot a group of potential usernames on the machine.

From the gobuster output, nothing looks suspicious except for /status/, which stands out a little.


Let's enumerate the website directories with another gobuster run, which leads to an error.


As a result, let's enumerate again with the PHP file extension included in the scan.


Let's open the status page of the website and notice that the monitored servers are stuck at a pending "loading data" status.

Finding main.js.php and analyzing it further


Let's request the file "main.js.php" from the website, which gives us a chunk of code that we can analyze further.


We managed to find subdomains such as api.response.htb and proxy.response.htb.


The screenshot above shows the request and response in Burp Suite.


The subdomain proxy.response.htb provides us with an API interface.


Sadly, the site returns a "403 Forbidden" error when we open it in the browser.

Enumerating proxy.response.htb


Let's inspect the request in Burp Suite; the response gives us a "missing data" error.

Playing with JSON parameters to obtain the base64-encoded body


We can tamper with the JSON in the request using Burp Suite. As a result, we retrieve a base64-encoded body in the response.


Let's decode the base64 in Burp Suite.


Let's add some JSON fields and see what happens.

From the decoded base64, we notice another subdomain: chat.response.htb.

LDAP enumeration on the Response machine

To tackle this, we need an LDAP server running on our attacker machine.

I found two ways to escalate with the LDAP server as below:

Step 1

We can overcome this by installing the slapd service on our attacker machine, which then has to be configured by entering the command dpkg-reconfigure slapd

Step 2

We can redirect the application's LDAP lookups to our LDAP server, where we can see what the response looks like.

We should now be able to access the chat.response.htb application, but it returns an Internal Server Error.

I will inspect the packet via Burp Suite; it looks like we can access chat.response.htb right now.

Let's try to access the dashboard by entering common credentials such as guest:guest.

The application looks like a chat application for now

We can use any method that I mentioned earlier to obtain admin access to the chat application.

Cross protocol request forgery

In the chat application, bob mentions the following information:

IP: 172.18.0.5
USERNAME FTP: ftp_user
Password: Secret12345

We can abuse FTP smuggling to retrieve the password for bob's account.

ftp
---
ftp_user / Secret12345

ssh
---
bob / F6uXVwEjdZ46fsbXDmQK7YPY3OM

We write a simple HTML page that loads the malicious JavaScript shown above.

The screenshot above shows what the JavaScript code looks like.

The screenshot above shows what the output will look like.

SSH to Bob


We can read the user flag by typing the command "cat user.txt".

Escalate to Root Privileges Access

We can upload pspy64 to the victim machine.

Then we give the pspy64 file execute permission.

I noticed that there is a scan.sh file residing in the /home/scryh/scan directory.

I then access the directory to look at the file itself.

There’s a log.txt file stored inside the output directory

It looks like a scanning log; the IP address mentioned in log.txt will be different for other people.

The screenshot above shows the possible content inside the data directory

We can also just run the same commands that are written in the scan.sh file.

I notice that a few LDAP tools are installed on the victim machine.

Let's copy the information from the ldapsearch output we found earlier.

Then let's execute the ldapadd command to add a new entry to the LDAP service.

We should be able to see that our information has been added to the LDAP service on the machine.

Next, we run dnsmasq so that the email gets sent to our fake mail server.

Let's create our malicious certificate by running the command above, which should provide us with the SSH public key.

We should then receive the information on our smtpd listener, which looks like an actual email sent to us.

We can copy the base64 content into a new file on our machine and decode it, saving the decoded output as a PDF file.

SSH to Scryh

Boom! We have successfully retrieved the SSH public key from the PDF file.

Finally, we copy the SSH key into a new file.

We should give the SSH key file permission 600 (permission 600 means that the owner of the file has full read and write access while other users have no access at all).

We cannot access the machine as scryh via pwncat, so let's switch to a normal SSH client.

It works like a charm!

Incident Handling on the machine

We should download those three files to our attacker machine to analyze them further.

The PDF above is a report on the incident that happened to the organization.

We can also analyze dump.pcap using Wireshark.

Extract the AES key by using the bulk_extractor tool on the Response machine

First, we need to download and install bulk_extractor on our attacker machine.

However, no prebuilt binary is available that we can use to extract the file. As a result, I will try to build it on a different platform such as Kali Linux.

To build and install the binary on any Linux operating system, you are required to execute the following commands:

./configure
sudo make
sudo make install

Let's extract artifacts from core.auto_update by running the command "bulk_extractor core.auto_update -o auto_update".

The screenshot above shows the bulk_extractor run. The result gives us some files that will be useful in the later stage of the escalation.

Once the process is completed, you will be provided with a bunch of files as shown in the screenshot above. However, a few text files caught my attention immediately.

The screenshot above shows what is stored in the AES keys output file.
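As an added example (not code from the original post or from bulk_extractor), here is the idea behind that AES keys output, reduced to AES-128 in Python: a key held in memory is normally followed by its expanded round keys, so a 16-byte window whose next 160 bytes equal its own key schedule is almost certainly a key. The sample image, the planted offset and the random filler are constructed for the demo and stand in for core.auto_update.

```python
"""Carve an AES-128 key schedule out of a memory image.

Added example (not from the post or from bulk_extractor): the idea its AES
scanner uses, reduced to AES-128. A live AES context stores the expanded round
keys right after the key, so a window followed by its own expansion is a key.
"""
import os

def _build_sbox():
    # Rijndael S-box without the 256-byte table: p walks generator 3, q walks
    # its inverse (q == p^-1 in GF(2^8)); then apply the affine transform.
    sbox, p, q = [0] * 256, 1, 1
    for _ in range(255):  # generator 3 cycles through all 255 non-zero elements
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1
        q ^= q << 2
        q = (q ^ (q << 4)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0                              # q /= 3
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)        # 5 rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()

def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176 bytes of round keys."""
    w, rcon = list(key), 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:  # once per round: RotWord, SubWord, xor Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return bytes(w)

def find_aes128_keys(image):
    """Return (offset, key) for every window followed by its own key schedule."""
    hits = []
    for off in range(len(image) - 175):
        cand = bytes(image[off:off + 16])
        if expand_key_128(cand) == image[off:off + 176]:
            hits.append((off, cand))
    return hits

def build_sample_image(key, size=2048, key_offset=777):
    """Constructed stand-in for a core dump: random filler, one schedule planted."""
    img = bytearray(os.urandom(size))
    img[key_offset:key_offset + 176] = expand_key_128(key)
    return bytes(img)
```

On a real dump, pass the file contents to find_aes128_keys; bulk_extractor additionally handles AES-192 and AES-256 schedules, which this reduced version does not.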

Another file, email_domain_histogram, contains a histogram of the email domains found in the dump.

There is a lot of information when accessing the domain.txt file

We should execute the command shown in the screenshot above using RsaCtfTool.

As a result, we obtain the SSH public key, which lets us access the machine via the SSH service.

Finally, we managed to access the machine via SSH service

We can read the root flag by typing the “cat /root/root.txt” command
