In this post, I would like to share a walkthrough of the Response Machine from Hack the Box
This room is rated as an Insane machine on Hack the Box.
What will you gain from the Response machine?
For the user flag, you will need to abuse the proxy that is connected to the SSRF vulnerability. Through it we can reach the chat application, which we can initially access only as a guest; to get admin access we redirect the chat application’s LDAP authentication to the attacker’s machine. From there we obtain bob’s credentials from the FTP server by abusing it with cross-protocol request forgery, and we retrieve the SSH key through a chain of exploits that includes directory traversal.
As for the root flag, you need to analyze the PCAP and the core.auto_update memory dump, from which we obtain the AES key that decodes the traffic. We then download a copy of a zip file from root’s home directory.
Information Gathering on Response Machine
Once we have started the VPN connection, which requires downloading the configuration from Hack The Box, we can start information gathering on the machine by executing the command “nmap -sC -sV -p- <IP Address> -PN”
Let’s access the website interface
However, the website itself has nothing interesting that we can poke at or abuse.
Website enumeration on Response machine
We can spot a group of potential usernames on the site that may also exist on the machine
From the gobuster output, there is nothing that looks suspicious except for /status/, which stands out a little.
Let’s enumerate the website directory with another gobuster run, which leads to an error
As a result, let’s enumerate again with the PHP file extension included in the scan.
Therefore, let’s access the status page of the website and notice that the monitored servers show a pending “loading data” status.
Finding main.js.php and analyzing it further
Let’s request the file “main.js.php” from the website directory, which gives us a bunch of code that we can analyze further
We managed to find subdomains such as api.response.htb and proxy.response.htb
The screenshot above shows the request and response in Burp Suite
The subdomain “proxy.response.htb” provides us with an API interface.
Sadly, the website gives us a “403 Forbidden” status error when we access it in the browser.
Enumerate the proxy.response.htb
As a result, let’s inspect the packet via Burp Suite; the response gives us an error of “missing data”
Playing with JSON parameters to obtain the base64-encoded body
We can manipulate the JSON data in the packet using Burp Suite. As a result, we manage to retrieve a base64-encoded body in the response packet.
The base64 body can be decoded in Burp Suite
Therefore, let’s add some JSON information and see what happens
From the decoded base64, we notice that there is also another subdomain, chat.response.htb
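The proxy above fetches whatever target it is handed, which is what turns it into an SSRF primitive into the internal network (and, with non-HTTP schemes, into a cross-protocol client). As an added example, not code from the original post or from the box, here is the validation such a proxy endpoint should perform; it assumes the endpoint takes a JSON body with a "url" key and that legitimate targets are public hosts under one suffix, and it takes the resolver as a parameter so it runs offline.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Assumptions (not from the original post): the endpoint takes a JSON body with a
# "url" key, and legitimate targets are public hosts under this one suffix.
ALLOWED_SCHEMES = {"http", "https"}   # no ftp://, gopher://, file://: no cross-protocol use
ALLOWED_SUFFIX = ".response.htb"

def host_is_internal(host, resolve):
    """True if the host is a literal or resolves to any non-global address
    (172.18.0.0/16, 127.0.0.0/8, link-local, ...). Unresolvable hosts fail closed."""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    return not addrs or any(not a.is_global for a in addrs)

def validate_proxy_target(url, resolve):
    """Return (ok, reason). The vulnerable proxy simply fetched `url` with no such check."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host or not host.endswith(ALLOWED_SUFFIX):
        return False, "host not in allowlist"
    if host_is_internal(host, resolve):
        return False, "host is internal or unresolvable"
    return True, "ok"

def handle_proxy_request(raw_body, resolve):
    """Parse the JSON the endpoint expects; 'missing data' mirrors the error seen in Burp."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return {"status": "error", "error": "invalid json"}
    url = body.get("url") if isinstance(body, dict) else None
    if not url:
        return {"status": "error", "error": "missing data"}
    ok, reason = validate_proxy_target(url, resolve)
    if not ok:
        return {"status": "error", "error": reason}
    # A real fetch must connect to the validated address (no second DNS lookup, to
    # avoid rebinding) and re-validate every redirect target before following it.
    return {"status": "ok", "url": url}

if __name__ == "__main__":
    table = {"www.response.htb": ["93.184.216.34"], "chat.response.htb": ["172.18.0.3"]}
    print(handle_proxy_request('{"url": "http://chat.response.htb/"}', lambda h: table.get(h, [])))
```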
LDAP enumeration on the Response machine
As a result, we need to tackle this issue with an LDAP server running on our attacker’s machine
I found two ways to escalate with the LDAP server, as below:
Step 1
We can overcome this by installing the slapd service on our attacker machine, which requires configuring it by running the command dpkg-reconfigure slapd
Step 2
We can redirect the LDAP service to our own LDAP server, where we should be able to see what the response would be
We should be able to access the chat.response.htb application, but there is an Internal Server Error
I will inspect the packet via Burp Suite, and it looks like we can access chat.response.htb right now
Let’s try to access the dashboard by entering common credentials such as guest:guest
The application looks like a chat application for now
We can use either method mentioned earlier to obtain admin access to the chat application.
Cross protocol request forgery
Based on the application above, bob mentioned some information such as the following:
IP: 172.18.0.5
USERNAME FTP: ftp_user
Password: Secret12345
We can abuse FTP smuggling, which should allow us to retrieve the password for bob’s access
ftp
---
ftp_user / Secret12345
ssh
---
bob / F6uXVwEjdZ46fsbXDmQK7YPY3OM
We should write a simple HTML page to retrieve the malicious JavaScript as shown above.
The screenshot above shows what the JavaScript code looks like
The screenshot above shows what the output will look like.
SSH to Bob
We can read the user flag by typing the command “cat user.txt”
Escalate to Root Privileges Access
We can upload pspy64 to the victim’s machine
Then we should give execute permission to the pspy64 file
I managed to notice that there was a scan.sh file residing in the /home/scryh/scan directory
As a result, I tried to access the directory to see the file itself
There’s a log.txt file stored inside the output directory
There is a log that looks like a scanning log; the IP address mentioned inside log.txt will be different for other people.
The screenshot above shows the possible content inside the data directory
We can also just run the same command that is written inside the scan.sh file
I noticed there are a few LDAP tools installed on the victim’s machine
Let’s copy-paste the information from the output that we found earlier into ldapsearch
Therefore, let’s execute the command that adds a new entry to the LDAP service using ldapadd
We should be able to see that our information has been added to the LDAP service on the machine.
As a result, we should run the dnsmasq command so that the information gets sent to our fake mail server.
Let’s create our malicious certificate by running the command above, which should provide us with the SSH public key
By default, we should receive the information on the smtpd side, which looks like an actual email that has been sent to us.
We can copy-paste the base64 into a new file on our machine and decode it, saving the decoded output as a PDF file.
SSH to Scryh
Boom! We have successfully retrieved the SSH public key from our PDF file
At last, we should copy the SSH key by pasting it into a new file
We should give the SSH key permission 600 (the 600 permission means that the owner of the file has full read and write access to it while other users have no access at all)
We cannot access the machine as scryh via pwncat, so let’s switch to a normal SSH client
It works like a charm!
Incident Handling on the machine
We should download those three files to our attacker’s machine to analyze them further
The PDF above shows a report on the incident that happened to the organization.
We can also analyze dump.pcap using Wireshark
Extract the AES file by using the bulk_extractor tool on the Response machine
Firstly, we are required to download and install bulk_extractor on our attacker’s machine
However, there are no prebuilt binary files that we can use to extract the file, so I will try to install it on a different platform such as Kali Linux.
To build and install the binary on any Linux distribution, you are required to execute the following commands
./configure
sudo make
sudo make install
Therefore, let’s extract the file from core.auto_update by running the command “bulk_extractor core.auto_update -o auto_update”
The screenshot above shows the bulk_extractor process. The result should give us some files that might be useful at a later stage of the escalation
Once the process is completed, you will be provided with a bunch of files as shown in the screenshot above. However, a few text files caught my attention immediately.
The screenshot above shows what is stored inside the AES keys output
Another file, email_domain_histogram, contains the email domain history found in the dump
There is a lot of information when accessing the domain.txt file
We should execute the command shown in the screenshot above using RsaCtfTool
As a result, we should obtain the SSH public key so that we can access the machine via the SSH service.
Finally, we managed to access the machine via SSH service
We can read the root flag by typing the “cat /root/root.txt” command