In this post, I would like to share a walkthrough of the Zipping machine from Hack The Box.
This machine is rated medium on Hack The Box.
What will you gain from the Zipping machine?
For the user flag, you need to create a symbolic link inside a zip file in order to read files from the host file system. With that, I obtain the source code of the website and identify a filter bypass that allows SQL injection in another section of the site. Leveraging this injection, I write a web shell to disk and include it through a Local File Inclusion (LFI) vulnerability to achieve code execution.
As for the root flag, you need to manipulate a custom binary using a malicious shared object.
For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vv
Information Gathering on Zipping Machine
Once we have started the VPN connection, which requires a download from Hack The Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Documents/htb/Zipping]
└──╼ $ nmap -sC -sV 10.10.11.229 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-30 22:38 EDT
Nmap scan report for 10.10.11.229
Host is up (0.031s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu7.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 9d6eec022d0f6a3860c6aaac1ee0c284 (ECDSA)
|_ 256 eb9511c7a6faad74aba2c5f6a4021841 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Ubuntu))
|_http-server-header: Apache/2.4.54 (Ubuntu)
|_http-title: Zipping | Watch store
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.82 seconds
┌─[darknite@parrot]─[~/Documents/htb/Zipping]
└──╼ $
Let's access the website interface.
There is not much that looks interesting at all.
Let's enumerate with gobuster; it finds an upload.php, which we investigate further.
After opening the upload.php page, it looks like a page that requires uploading a file into the application.
Unintended way to obtain the reverse shell on the machine
Let's retrieve /etc/passwd with a symlink.
Next, we package the symlink into a zip archive.
Let's modify the hexadecimal values as shown above. Each file has a different number.
At last, we have successfully retrieved the /etc/passwd content using this method.
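The symlink trick above works only because the upload handler unpacks whatever the archive contains. As an added example (not code from the original walkthrough or from Hack The Box), the following Python audit is what such a handler should run before extraction: it flags symlink entries, absolute paths and ".." traversal, and refuses the archive if anything is found. The make_sample_zip helper exists only to construct test fixtures; the entry names and contents in it are made up.

```python
"""Audit a user-supplied zip archive before unpacking it.

Added example for this write-up: an upload handler that unpacks archives
must refuse symlink entries and traversal paths, otherwise a link such as
"passwd -> /etc/passwd" placed inside the archive is recreated on the server
and the next read of that entry returns the host file.  The archive builder
below exists only to construct test fixtures.
"""
import io
import os
import stat
import zipfile


def make_sample_zip(entries):
    """Build an in-memory archive from (name, content, is_symlink) tuples.

    Constructed fixture for the audit below. Unix zip tools store the entry
    type in the high 16 bits of external_attr, so a symlink entry is one
    whose mode has S_IFLNK set and whose content is the link target.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            mode = (stat.S_IFLNK | 0o777) if is_symlink else (stat.S_IFREG | 0o644)
            info.external_attr = mode << 16
            zf.writestr(info, content)
    return buf.getvalue()


def audit_zip(data):
    """Return [(entry_name, reason)] for every entry that must not be extracted.

    An empty list means the archive only contains regular entries with
    relative paths that stay inside the extraction directory.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            mode = info.external_attr >> 16  # Unix mode bits, 0 if the creator set none
            if stat.S_ISLNK(mode):
                # unzip(1) recreates this as a real symlink on the server
                findings.append((name, "symlink"))
            elif os.path.isabs(name) or name.startswith(("/", "\\")):
                findings.append((name, "absolute path"))
            elif ".." in name.replace("\\", "/").split("/"):
                findings.append((name, "path traversal"))
    return findings


def is_safe_archive(data):
    """True when audit_zip() reports nothing, False otherwise."""
    return not audit_zip(data)


def safe_extract(data, dest):
    """Extract into dest only if the audit is clean; raise ValueError otherwise."""
    findings = audit_zip(data)
    if findings:
        raise ValueError("refusing archive: %r" % findings)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()


if __name__ == "__main__":
    # Constructed sample: a symlink entry pointing at /etc/passwd next to a normal file
    sample = make_sample_zip([("passwd", "/etc/passwd", True), ("readme.txt", "hello", False)])
    for entry, reason in audit_zip(sample):
        print("refused %s: %s" % (entry, reason))
```

Python's own zipfile module writes a symlink entry as a plain file containing the target string, so the audit matters most where the server shells out to unzip(1) or another tool that honours link entries; checking the mode bits up front keeps the decision independent of which extractor runs later.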
We create the reverse shell command as shown above.
Let's modify the hexadecimal number to take advantage of the payload.
Sadly, it looks like the payload doesn't work at all. After a while, I managed to make it work like a charm with only the state test.php.
Intended way to obtain the reverse shell on the machine
We managed to see the version of MySQL on the machine. In this activity, we need to encode the malicious command twice, as shown below:
echo " reverse shell" | base64
<?php exec("echo 'base64 encoded' | base64 -d | bash"); ?>
We should get the encoded string back and use the from_base64 function to retrieve the reverse shell connection.
We should get our reverse shell connection back.
Finally, we have obtained the reverse shell connection.
We can read the user flag by typing the command "cat user.txt".
Escalate to Root Privileges Access
After analyzing the binary with Ghidra, I successfully obtained the password needed for the binary to work.
By executing strace, I found the location that we can use to obtain the root shell. Therefore, let's try to compile a malicious shared object named exactly as written in the file.
The malicious code will look something like what is shown above.
We are required to compile the C file into a .so (shared object) file.
We can transfer the malicious file that we compiled on our attacker machine to the victim machine.
Let's execute the binary and enter the password so that we can obtain the reverse shell connection.
Boom! We have successfully retrieved the reverse shell connection.
We can read the root flag by typing the "cat root.txt" command.