In this post, I would like to share a walkthrough of the Surveillance machine from Hack The Box.
This room is rated as a medium machine on Hack The Box.
What will you gain from the Surveillance machine?
For the user flag, you will deal with vulnerabilities that had detailed descriptions but no public proofs of concept (POCs) at the time of the machine's release, which makes for an intriguing puzzle. It starts with a Craft CMS instance. I plan to leverage an arbitrary object injection vulnerability to achieve remote code execution (RCE) and establish a shell. I also aim to uncover a password hash for a separate user in a database backup and then crack it. This user can log in to a ZoneMinder instance hosted on localhost, and I then intend to exploit a vulnerability in ZoneMinder to gain access as the zoneminder user.
As for the root flag, you need to exploit the sudo privileges of the zoneminder user, specifically by leveraging command injection in one of their scripts.
For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv
Information Gathering on Surveillance Machine
Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can begin information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Documents/htb/Surveillance]
└──╼ $nmap -sC -sV 10.10.11.245 -oA intial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-20 05:53 -02
Nmap scan report for 10.10.11.245
Host is up (0.045s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 96071cc6773e07a0cc6f2419744d570b (ECDSA)
|_ 256 0ba4c0cfe23b95aef6f5df7d0c88d6ce (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.24 seconds
┌─[darknite@parrot]─[~/Documents/htb/Surveillance]
└──╼ $
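As an added example (not part of the original walkthrough), here is a small Python parser for nmap's normal output as shown above: it turns each port line into a record, attaches the NSE script lines to the port they belong to, and pulls out the virtual hostname that nmap reported it could not follow, which is the name that needs an /etc/hosts entry before the web service can be enumerated. The sample text is a constructed copy of the scan output above.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: the port/script section of the nmap -sC -sV output above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 96071cc6773e07a0cc6f2419744d570b (ECDSA)
|_  256 0ba4c0cfe23b95aef6f5df7d0c88d6ce (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
"""

# A port line looks like: 80/tcp open http nginx 1.18.0 (Ubuntu)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# http-title reports a redirect it could not follow when the vhost is unknown
REDIRECT_RE = re.compile(r"Did not follow redirect to (\S+)")


def parse_nmap(text: str) -> List[Dict]:
    """Return one record per open port, with its NSE script lines attached."""
    services: List[Dict] = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "service": name, "version": version, "scripts": []})
        elif line.startswith("|") and services:
            # Script output lines start with "| " or "|_"; strip that prefix.
            services[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return services


def redirect_hosts(services: List[Dict]) -> List[str]:
    """Collect hostnames nmap could not follow; each one needs an /etc/hosts entry."""
    hosts = []
    for svc in services:
        for script_line in svc["scripts"]:
            m = REDIRECT_RE.search(script_line)
            if m:
                hosts.append(urlparse(m.group(1)).hostname)
    return hosts


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    for svc in found:
        print(f"{svc['port']}/{svc['proto']} {svc['service']}: {svc['version']}")
    print("hostnames to add to /etc/hosts:", redirect_hosts(found))
```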
Let's access the website interface.
However, nothing that we could abuse appears on the website interface.
Therefore, let's enumerate the website directories using gobuster. Sadly, we didn't find anything interesting in the directories.
However, one thing stands out: the site is powered by Craft CMS.
When we click on the Craft CMS link, it redirects to a GitHub page, here.
Let's do some research on the internet.
I found an exploit script that we can use for this activity, so let's download the script to our machine.
Let's rename the Python script to something easy to remember and execute.
After that, let's execute the Python script that we found earlier.
Let's download the bash file onto the victim's machine.
The download looks successful on the Python server side.
Therefore, let's trigger the bash file.
After a while, we receive the reverse shell connection back to us.
Moving forward, we find a zip file that looks like a database backup.
Let's download the zip file to our machine.
Let's read and analyze the SQL database file; in it we find a potential username and password hash.
Therefore, let's save the hash into a new file and try to crack it.
We can crack the hash using hashcat, but it takes a long time to complete.
As a result, let's use CrackStation to obtain the password instead.
Finally, we successfully access the machine as Matthew and can read the user flag by typing the "cat user.txt" command.
Escalate to Root Privilege Access
Sadly, we cannot find any binary that works for the next stage.
However, we found a potential port that we can use in the next stage.
Let's start port-forwarding the port that we found earlier.
The website reached through the port forwarding is shown above.
We should be able to obtain the password for access.
After carefully analyzing the database.php file, I noticed that a password was stored in it, as shown above.
Let's access the database using the credentials that we found earlier.
Sadly, we didn't find anything useful in the database, and it seems to be a rabbit hole.
We notice that the ZoneMinder (ZM) version is 1.36.32.
CVE-2023-26035 vulnerability
There are many ways to exploit the vulnerability, especially using Metasploit, but I decided to do it manually with Burp Suite.
Let's play around with the port-forwarded website via Burp Suite.
On our machine, we need to create a file that contains the reverse shell command.
Let's use the curl command to retrieve the file and execute it with bash.
It looks like it is working like a charm.
We have successfully received a new reverse shell connection as zoneminder.
As usual, we should look for any binary that we can abuse for root escalation.
There are a lot of files saved in Perl file format.
We should be able to execute the command above to retrieve a root shell.
As expected, we managed to obtain the root shell.
We can read the root flag by typing the "cat root.txt" command.