In this post, I would like to share a walkthrough of the Vessel Machine from Hack the Box
This room will be considered a medium machine on Hack the Box
What will you gain from the Vessel machine?
For the user flag, you will need to download a git repo using git-dumper from a website. We can abuse the type of confusion to get SQL Injection and a hash, we also can abuse the information disclosure vulnerability to get access to OWA. We will take advantage of mass assignment vulnerability to access the web-accessible directory to execute a shell command. To pivot to the next user, i will open notes.pdf to recover a password.
As for the root flag, you need to abuse a SetUID binary of pins to execute /bin/bash and get a shell as root
Information Gathering on Vessel Machine
Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface.
It’s just a simple website with most of the function not working except for the Login function.
When i try to access the login function, it’s been redirected to a login page
From the output, i notice /dev directory is a thing inside the website interface.
Therefore, let’s access the /dev directory it’s taking a long to response
Sadly, it’s giving us an error 404 page when we try to access the /dev/
However, i notice it’s a GitHub error page.
As a result, we are required to git dumper to retrieve the information we needed.
Analyze the git data
Let’s try dumping the git data into our attacker’s machine
After a while, we can see the content of the file that we dump previously.
Let’s see the log for the git and i notice Ethan is one of the authors that might be one of the users inside the machine.
There is one database of information that has been stored in the machine
There is some information saved inside the index.js
Node.js SQL Injection
After some research on the internet about node.js SQL Injection, i managed to find this website here
Therefore, let’s bypass the authentication check by using the method we found earlier.
Using BurpSuite to launch the node.js SQL Injection
Let’s try to log in to the dashboard and incept it using burpsuite. For the credential data, we can modify it according to the payload on the website that we found earlier.
At last, we managed to access the dashboard from the payload that we use in burpsuite.
Let’s try all function on the dashboard and clicking analytics redirect us to a new domain
The domain is shown above and we need to add the host in the /etc/hosts so that we can access the website directly
After we whitelisted the domain inside /etc/hosts and we managed to see a login page for OpenWeb Analytics.
Let’s try admin@vessel.htb on the forget password function to verify which email address is valid and available to us so that we can exploit it.
Oh wow! From the screenshot above, it mentioned that admin@vessel.htb is a valid email address in the system.
We can see the source code of the file that has been shown above.
After a while of analyzing the code of the website, we can change the password of the external website.
We can run the python script that is shown above, and the script shows the system appears to be vulnerable to the exploit.
After removing the checking syntax from the python script, the script is giving us a URL that we can call back using curl or browsing on the internet.
For me, i will curl the URL on my terminal and it looks exactly as shown in the screenshot above.
Enumerate using the pdf file that we found earlier
Finally, we got a reverse shell connection back to us
We have a lot of directories that we can investigate
Inside the .notes directory, there are two files that we can access so that we can analyze
As a result, let’s download those two files to our attacker’s machine
Sadly, the file required a password to open the file.
To be frankly honest, i will skip the password step for now.
At last, we can open the file using the password that we obtained earlier. There is a password written inside the pdf file.
Let’s access the machine using the credentials that we obtained so far via SSH service.
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access on Vessel Machine
Let’s upload linpeas.sh into the victim’s machine
Let’s execute the linpeas.sh and see the result later.
There’s some information that has been found in linpeas script.
Firstly, we need to create a new folder on /tmp directory.
We can execute the command above on the first terminal
On another terminal, we can access the machine by using the SSH service and running the command above
After that, we need to kill the process as shown in the screenshot above.
We can see the tail has gone and been replaced with a bash
At last, the bash has been assigned as SUID Binary.
Finally, we managed to obtain a root shell
We can read the root flag by typing the “cat root.txt” command
No responses yet