In this post, I would like to share a walkthrough of the Shared machine from Hack the Box.


This machine is rated medium difficulty on Hack the Box.

What will you gain from the Shared machine?


For the user flag, you will need to exploit a SQL injection via a cookie, which lets us retrieve credentials so that we can access the machine via the SSH service.


As for the root flag, you need to reverse engineer a Redis connector application, which gives us the Redis credentials, and then take advantage of a Redis exploit.

Information Gathering on Shared Machine


Once we have started the VPN connection (the configuration file is downloaded from Hack the Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


Let’s access the website interface.


However, the IP redirects us to a domain that we haven’t added to our local hosts file yet.


Therefore, let’s add the domain to our hosts file and access the website again.


Finally, we can access the website itself and see the interface.


From my analysis, I notice that this website is a clothing shop. Let’s try to buy some clothes by clicking “Proceed To Checkout”.


On the checkout interface, we are required to enter credit card information, but I don’t want to test with an actual credit card, which would be dangerous.


Instead, let’s inspect the requests that this website sends.

SQL Injection attack using Burp Suite


I noticed something interesting in the request, especially the custom_cart cookie. Let’s try to play around with the custom_cart value.


I was thinking of a SQL injection here.


No error is reflected in the response, which looks promising, but let’s analyze the response body.


Uwu! It works, so let’s view it in the browser.


We have managed to see the database in the response, which is a good sign at least.


Let’s enumerate the table contents using the SQL injection.


At last, we got the username from the database enumeration using Burp Suite.


We also found the password hash with the same technique.
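The custom_cart injection works because the cookie value is concatenated straight into a query. The following is an added example (my own code, not the Shared machine’s application) that puts the vulnerable pattern beside the hardened one on a constructed in-memory SQLite database. The table names, the product code format and the cookie layout (a JSON object of product code to quantity) are assumptions for illustration; the hash stored for james_mason is a placeholder, not the value from the machine.

```python
import json
import re
import sqlite3

# Product codes are assumed to look like SHIRT01: upper-case letters and digits only.
CODE_RE = re.compile(r"[A-Z0-9]{1,16}")


def build_db():
    """Constructed in-memory shop database standing in for the site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE product (code TEXT, name TEXT, price REAL);
        INSERT INTO product VALUES ('SHIRT01', 'Plain shirt', 19.99);
        CREATE TABLE user (id INTEGER, username TEXT, password TEXT);
        -- placeholder hash, not the value found on the machine
        INSERT INTO user VALUES (1, 'james_mason', 'PLACEHOLDER_HASH');
        """
    )
    return conn


def parse_cart_cookie(raw_cookie):
    """custom_cart is assumed to carry a JSON object of product code -> quantity."""
    cart = json.loads(raw_cookie)
    if not isinstance(cart, dict):
        raise ValueError("custom_cart must be a JSON object")
    return cart


def lookup_vulnerable(conn, raw_cookie):
    """String-concatenated query: the cookie value becomes part of the SQL text."""
    rows = []
    for code in parse_cart_cookie(raw_cookie):
        sql = f"SELECT name, price FROM product WHERE code = '{code}'"
        rows.extend(conn.execute(sql).fetchall())
    return rows


def lookup_safe(conn, raw_cookie):
    """Allow-list the code, then bind it as a parameter so it is never parsed as SQL."""
    rows = []
    for code in parse_cart_cookie(raw_cookie):
        if not CODE_RE.fullmatch(code):
            raise ValueError(f"rejected product code: {code!r}")
        rows.extend(
            conn.execute(
                "SELECT name, price FROM product WHERE code = ?", (code,)
            ).fetchall()
        )
    return rows


# Constructed cookie values: an honest cart and one carrying a UNION payload.
HONEST_CART = '{"SHIRT01": 1}'
INJECTED_CART = '{"\' UNION SELECT username, password FROM user -- ": 1}'

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, honest cart:  ", lookup_vulnerable(db, HONEST_CART))
    print("vulnerable, injected cart:", lookup_vulnerable(db, INJECTED_CART))
    print("safe, honest cart:        ", lookup_safe(db, HONEST_CART))
    try:
        lookup_safe(db, INJECTED_CART)
    except ValueError as err:
        print("safe, injected cart:       rejected ->", err)
```

The vulnerable handler returns a row from the user table for the injected cookie, which is exactly what the enumeration above relied on; the safe handler rejects the same cookie before it ever reaches the database, and even without the allow-list the parameter binding alone would have treated the payload as a literal product code.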

Cracking the james_mason password


Let’s crack the hash using John the Ripper.


However, we got a weird password, and I don’t think we successfully retrieved the real password at all.


After troubleshooting the issue, we finally retrieved the actual password.


As a result, we successfully accessed the machine via the SSH service.


Sadly, the user flag is not stored in this user’s home directory. Therefore, let’s enumerate the victim’s machine further.


I notice that james_mason is a member of the developer group, which can be useful for further escalation.


There’s a folder that the developer group has access to.


However, we notice that the folder is empty.


To be frankly honest, I don’t have a clue what attack we can use here. So let’s do some research on the internet.


After a while, I found this website that we can use for further escalation.


Let’s copy the command from the website, though I made some modifications to it.


After re-running the command, I noticed that the folder had been deleted, which means a cleanup script runs on the server.


Therefore, let’s do it quickly so that the folder and file are not deleted before we manage to retrieve the SSH private key.


At last, we managed to obtain the key in the /dev/shm directory.


Finally, we got the SSH private key and copied it to our attacker machine.


However, we don’t know which user the SSH private key belongs to.


Inside the /home/ directory, we can see another user configured on the server.


Uwu! We managed to access the server as dan_smith via the SSH service.


We can read the user flag by typing the command “cat user.txt”.

Escalating to Root Privileges on the Shared Machine


From the above command, we are aware that dan_smith is a member of the sysadmin group.


We found a file called redis_connector_dev stored in the /usr/local/bin directory.


The file is owned by root and the sysadmin group.


Running the file shows us information about the Redis server.


Let’s download it and try it on our attacker machine.


Let’s start an nc listener to capture anything interesting the binary sends.


Let’s execute the file.


We can see some information, and the value at the bottom of the captured connection looks like the password.
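What the nc listener receives is the connector’s Redis handshake in the RESP wire format, so the password sits in the clear inside an AUTH command. The following is an added example (my own code, not the connector binary or anything from the machine) that encodes a constructed capture the way a Redis client would send it, decodes it back, and flags the commands that carry credentials. The password string is a placeholder; the real value is not reproduced here.

```python
# Minimal RESP (REdis Serialization Protocol) encoder/decoder for the
# client-to-server direction, plus a check for credentials sent in the clear.


def encode_command(*args):
    """Encode a command as Redis clients send it: an array of bulk strings."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def decode_commands(data):
    """Decode a byte stream of RESP arrays into a list of argument lists."""
    commands, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 1] != b"*":
            raise ValueError(f"expected array header at offset {pos}")
        end = data.index(b"\r\n", pos)
        count = int(data[pos + 1:end])
        pos = end + 2
        args = []
        for _ in range(count):
            if data[pos:pos + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {pos}")
            end = data.index(b"\r\n", pos)
            length = int(data[pos + 1:end])
            pos = end + 2
            args.append(data[pos:pos + length].decode())
            pos += length + 2  # skip the payload and its trailing CRLF
        commands.append(args)
    return commands


def find_cleartext_credentials(commands):
    """Return (verb, secret_arguments) for each command carrying a password."""
    findings = []
    for cmd in commands:
        if not cmd:
            continue
        verb = cmd[0].upper()
        if verb == "AUTH":
            # AUTH <password>  or  AUTH <username> <password> (ACL style)
            findings.append(("AUTH", cmd[1:]))
        elif verb == "HELLO":
            # HELLO 3 AUTH <username> <password> ...
            upper = [a.upper() for a in cmd]
            if "AUTH" in upper:
                i = upper.index("AUTH")
                findings.append(("HELLO", cmd[i + 1:i + 3]))
    return findings


# Constructed capture: what a listener standing in for the Redis server would
# see from a connector that authenticates and then asks for server info.
CAPTURED = encode_command("AUTH", "PLACEHOLDER_REDIS_PASSWORD") + encode_command("INFO")

if __name__ == "__main__":
    for cmd in decode_commands(CAPTURED):
        print(cmd)
    for verb, secrets in find_cleartext_credentials(CAPTURED and decode_commands(CAPTURED)):
        print(f"{verb}: {len(secrets)} credential argument(s) sent in the clear")
```

The decoder is the whole trick behind the listener step: there is no obfuscation to reverse, only a framing format to read. From a defender’s side this is the argument for not shipping a password inside a binary that a whole group can read, and for wrapping Redis connections in TLS so an interposed listener sees nothing useful.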


Let’s create the reverse shell in the /dev/shm directory.


Then, let’s start our nc listener.


Let’s run redis-cli with the password we found earlier and trigger the root shell.


Finally, we managed to obtain the root reverse shell.


However, it got disconnected after a few minutes.


When I rechecked redis-cli, I could see that the connection had been dropped.


We can read the root flag by using the “cat root.txt” command.
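A Redis instance that hands out a root shell to anyone holding its password is a deployment problem as much as a software one. As an added example (my own code, not from the machine or the Redis project), here is a small redis.conf auditor that flags the settings a hardening review would look at first, run over two constructed configurations: a permissive one and a corrected one. The password in the hardened sample is a placeholder.

```python
import shlex

# Commands worth disabling unless the deployment needs them: CONFIG lets any
# authenticated client rewrite runtime settings, MODULE loads native code,
# DEBUG is unsafe by design. rename-command to "" removes a command entirely.
DANGEROUS_COMMANDS = ("CONFIG", "MODULE", "DEBUG")
WILDCARD_BINDS = {"0.0.0.0", "::", "*", "-::*"}


def parse_redis_conf(text):
    """Map each directive to the list of argument lists it was given (repeats kept)."""
    directives = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # handles quotes and # comments
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return directives


def audit_redis_conf(text):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings = []

    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(b in WILDCARD_BINDS or b.startswith("*") for b in binds):
        findings.append("bind-all")

    protected = conf.get("protected-mode", [["yes"]])[-1]
    if not protected or protected[0].lower() != "yes":
        findings.append("protected-mode-off")

    password = conf.get("requirepass", [[]])[-1]
    if not password or password[0] == "":
        findings.append("no-requirepass")

    # A command counts as mitigated if it was renamed to something else or to "".
    renamed = {
        args[0].upper()
        for args in conf.get("rename-command", [])
        if len(args) == 2 and args[1] != args[0]
    }
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd.lower()}-exposed")
    return findings


# Constructed sample configurations.
WEAK_CONF = """
# listens on every interface, no password, every command available
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass PLACEHOLDER_STRONG_PASSWORD   # replace with a long random secret
rename-command CONFIG ""
rename-command MODULE ""
rename-command DEBUG ""
"""

if __name__ == "__main__":
    print("weak:     ", audit_redis_conf(WEAK_CONF))
    print("hardened: ", audit_redis_conf(HARDENED_CONF))
```

Two things the config file cannot express still matter on this box: the password was only as secret as the binary that embedded it, which the whole sysadmin group could read, and the shell that came back was root, so the service was running as root. Running Redis under a dedicated unprivileged user (for example via a systemd User= setting) bounds what any Redis compromise can reach, regardless of which command or feature was abused.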

Extra Information