In this post, I would like to share a walkthrough of the Undetected machine from Hack The Box.

This machine is rated medium difficulty on Hack The Box.

What will you gain from the Undetected machine?

For the user flag, you will need to use CVE-2017-9841 to get a reverse shell on the machine. Once we are inside the machine via the reverse shell, we need to find a username and password to access it via SSH.

As for the root flag, you need to reverse engineer a few files in order to obtain the root password.

Information Gathering on Undetected Machine

Once we have started the VPN connection (the OpenVPN file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

The Nmap output shows two open ports, SSH and HTTP. Sadly, there is no other information we can use to go further.

Let’s access the website interface.

It looks like a normal website interface at first glance.

Let’s run gobuster to enumerate any interesting directories on the website.

Nothing in the gobuster result looks interesting at all.

After browsing the website for a while, the Store button redirects us to a new domain. Let’s add that domain to our /etc/hosts.

It’s the same website as before, but there are three buttons: Empty, Account, and Login.

I try to log in to the website dashboard, but we get an error stating:

Due To A website migration we are currently not taking any online orders. Contact us if you wish to make a purchase

Enumerate any other directory on the Undetected Machine

Let’s run gobuster again on the new domain to see if there is any interesting directory.

I notice that all the directories are common except for the /vendor directory.

After a while, we find that PHPUnit version 5.6 is present.

Aside from that, we also find a PHP file named eval-stdin.php.

Sadly, we only see a blank page when we open the PHP file.

Let’s research whether there is any known exploit for PHPUnit version 5.6.

CVE-2017-9841

An explanation of the exploit can be found at vulhub/README.md at master · vulhub/vulhub · GitHub.

Let’s execute the exploit and inspect the request via Burp Suite so that we can see what happens.

We successfully execute PHP code on the website, and it returns the output we want.

The same works from the terminal.

Let’s start our nc listener in the terminal.

It looks as we wanted.

As a result, we get a reverse shell connection back to us.

Let’s see what is stored in the /var directory. There is a backups directory that might contain something useful for us.
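From the defender’s side, the exploitation above leaves a trail in Apache’s access log, and the blank page seen earlier on eval-stdin.php shows up as a 200 with zero bytes. The script below is an added example, not part of the original write-up: it triages constructed combined-format log lines (documentation-range IPs, made-up timestamps) for requests to PHPUnit’s eval-stdin.php and for probing of the exposed /vendor/ tree.

```python
import re
import sys
from collections import Counter
from typing import Dict, List

# Apache "combined" log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The CVE-2017-9841 target: PHPUnit's eval-stdin.php reachable under a web-exposed vendor/ tree.
EVAL_STDIN = re.compile(r"/vendor/phpunit/.*/eval-stdin\.php", re.IGNORECASE)
# Any request into vendor/ is worth counting: production sites should never serve it.
VENDOR_DIR = re.compile(r"/vendor(/|$)", re.IGNORECASE)

def triage(lines: List[str]) -> Dict:
    """Split log lines into eval-stdin.php hits and vendor/ recon, keyed by client IP.

    The access log never records the POST body, so the PHP payload itself is not
    visible here; a POST to eval-stdin.php answered with 200 is the strongest
    signal of code execution the log can give (a heuristic, not proof).
    """
    hits, recon = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash on a live log
        path = m["path"]
        if EVAL_STDIN.search(path):
            hits.append({
                "ip": m["ip"], "time": m["time"], "method": m["method"],
                "status": int(m["status"]), "path": path,
                "likely_rce": m["method"] == "POST" and m["status"] == "200",
            })
        elif VENDOR_DIR.search(path):
            recon[m["ip"]] += 1
    return {"eval_stdin_hits": hits, "vendor_recon_by_ip": dict(recon)}

# Constructed sample log lines (documentation-range IPs, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Feb/2022:10:01:09 +0000] "GET /vendor/ HTTP/1.1" 200 1320 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Feb/2022:10:01:15 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Feb/2022:10:02:30 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 14 "-" "curl/7.81.0"',
    '198.51.100.4 - - [20/Feb/2022:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Usage: python3 triage.py /var/log/apache2/access.log   (no argument: run on the sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(lines)
    for h in result["eval_stdin_hits"]:
        print(f'ALERT {h["ip"]} {h["time"]} {h["method"]} {h["status"]} likely_rce={h["likely_rce"]}')
    for ip, n in result["vendor_recon_by_ip"].items():
        print(f"RECON {ip} {n} request(s) into /vendor/")
```

The fix on the server side is to stop shipping test dependencies to production (composer install --no-dev) and to deny web access to vendor/ entirely, so that the path never resolves.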

There is one file called info that is owned by www-data.

Let’s check the file’s type.

Let’s look at the content of the file using the strings command, but the command is not installed on the machine.

As a result, we need to run it on our own machine to analyze the content of the file.

Once we have transferred the file to our own machine, let’s run the strings command again.

Oh wow! We find a hex-encoded string under the /bin/bash command.

After decoding the hex, we get a hash.

Let’s use hashcat or john to crack the hash so that a password can be retrieved.

I also notice that there are two users, steven1 and steven.

Let’s access the machine via SSH with either steven or steven1 as the username.

We manage to access the machine with steven1’s credentials.

Finally, we can read the user flag using the command “cat user.txt”.

Escalate to Root Privileges Access on Undetected Machine

Sadly, the sudo -l command does not give us any usable privilege.

However, I’m curious whether there is any email for us in /var/mail.

We manage to read the email sent to Steven, which says there is a problem with the Apache service.

Let’s find where the Apache files are stored on the machine.

After searching for a while, we find them under the /usr/lib/ directory.

Let’s transfer mod_reader.so to our own machine.

Reverse Engineering the file

From here on, I will have a tough time because this is out of my comfort zone.

Firstly, let’s open Ghidra for further analysis.

We need to import the file into Ghidra, and it will look as above.

We need to analyze the code carefully.

A few hours later…

I notice that a b64_decode function is defined here. Let’s see where this function leads us.

We can see the b64_decode call in the decompiler view on the right.

Therefore, we decode the base64 string, and we find that it refers to a new file located in the /usr/sbin directory.

The file type is similar to the previous file we found.

We see a function called shadow_pw, which suggests there might be a password somewhere in this file.

Now we can see auth_password, but we need to get the information from the decompiler section.

The required information is highlighted above, and we need to arrange it in the order shown below.

We can paste the arrangement into CyberChef, and we obtain the root password in the output section.

After that, we try to switch to the root user, but sadly the authentication fails.

However, we can get root access by executing ssh root@localhost from the steven1 SSH session.

We can read the root flag by executing the command “cat root.txt”.
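The hex-encoded hash found in the backup earlier and the base64 string inside mod_reader.so are the same triage problem: encoded blobs hiding in strings output. The script below is an added example, not part of the original write-up: it scans strings output for both encodings, decodes whatever turns out to be readable, and labels crypt-style password hashes (with the name john/hashcat expect) and path/shell-like strings; the sample data is constructed, not taken from the machine.

```python
import base64
import binascii
import re

# Modular-crypt-format prefixes -> the name a responder hands to john/hashcat.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{2}){16,}(?![0-9a-fA-F])")
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")

def _as_text(raw: bytes):
    ok = all(32 <= b < 127 or b in (9, 10, 13) for b in raw)  # printable ASCII only
    return raw.decode("ascii") if ok else None

def classify(text: str) -> str:
    """Label a decoded blob: crypt-style password hash, path/shell-like, or plain text."""
    m = re.match(r"\$([0-9a-zA-Z]+)\$", text)
    if m and m.group(1) in CRYPT_IDS:
        return "password-hash:" + CRYPT_IDS[m.group(1)]
    if re.search(r"(?:^|\s)/(?:bin|sbin|usr|etc|tmp|var)/", text):
        return "shell-command-or-path"
    return "plaintext"

def find_encoded_blobs(strings_output: str) -> list:
    """Scan `strings` output for hex and base64 runs that decode to readable text."""
    findings = []
    for line in strings_output.splitlines():
        for m in HEX_RUN.finditer(line):
            text = _as_text(bytes.fromhex(m.group(0)))
            if text:
                findings.append({"encoding": "hex", "decoded": text, "kind": classify(text)})
        for m in B64_RUN.finditer(line):
            if re.fullmatch(r"[0-9a-fA-F]+", m.group(0)):
                continue  # pure hex also fits the base64 alphabet; handled above
            try:
                text = _as_text(base64.b64decode(m.group(0), validate=True))
            except binascii.Error:
                continue
            if text:
                findings.append({"encoding": "base64", "decoded": text, "kind": classify(text)})
    return findings

# Constructed sample (not the machine's data): a sha512crypt-shaped hash hidden as hex in a
# /bin/bash one-liner, and a base64 blob naming a dropped /usr/sbin binary.
SAMPLE_HASH = "$6$zS7ykHfFMg3aYht4$" + "A" * 86
SAMPLE_CMD = "cp /tmp/x /usr/sbin/placeholder-binary"
SAMPLE_STRINGS = "\n".join(["/lib64/ld-linux-x86-64.so.2", "b64_decode",
                            '/bin/bash -c "echo ' + SAMPLE_HASH.encode().hex() + ' | xxd -r -p"',
                            base64.b64encode(SAMPLE_CMD.encode()).decode()])
```

To run it on a real artifact, save the strings output to a file and pass its contents to find_encoded_blobs(); every finding reports the encoding, the decoded text, and the label, so a hash can go straight to the cracking tooling while a path/shell hit points at what the module touches on disk.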

-THE END-

Happy Learning Guys!
