In this post, I would like to share a walkthrough of the Zipping machine from Hack The Box.

This room is rated as a medium machine on Hack The Box.

What will you gain from the Zipping machine?

For the user flag, you will need to create symbolic links inside a zip file and use them to read files from the host file system. I will obtain the source code of the website and identify a filter bypass that allows SQL injection in another section of the site. Leveraging this injection, I will write a web shell to disk and include it through a Local File Inclusion (LFI) vulnerability to achieve code execution.

As for the root flag, you need to manipulate a custom binary using a malicious shared object.

For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.

The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vv

Information Gathering on Zipping Machine

Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can begin information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Documents/htb/Zipping]
└──╼ $ nmap -sC -sV 10.10.11.229 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-30 22:38 EDT
Nmap scan report for 10.10.11.229
Host is up (0.031s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.0p1 Ubuntu 1ubuntu7.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 9d6eec022d0f6a3860c6aaac1ee0c284 (ECDSA)
|_  256 eb9511c7a6faad74aba2c5f6a4021841 (ED25519)
80/tcp open  http    Apache httpd 2.4.54 ((Ubuntu))
|_http-server-header: Apache/2.4.54 (Ubuntu)
|_http-title: Zipping | Watch store
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.82 seconds
┌─[darknite@parrot]─[~/Documents/htb/Zipping]
└──╼ $ 

Let's access the website interface.

There is not much that looks interesting at all.

Let's enumerate with gobuster; it finds an upload.php, which we investigate further.

After opening the upload.php page, it looks like a page that expects a file to be uploaded into the application.

Unintended way to obtain the reverse shell on the machine

Let's retrieve /etc/passwd with a symlink.

To do so, we zip the malicious file (the symlink) into an archive.

Let's modify the hexadecimal value as shown above. Each file has a different number.

At last, we have successfully retrieved the /etc/passwd content using this method.

We should be creating the reverse shell command as shown above.

Let's modify the hexadecimal number so that the payload can be used.

Sadly, it looks like the payload doesn't work at all. After a while, I managed to make it work like a charm with only the state test.php.
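The unintended route above relies on the upload handler extracting an archive that contains a symbolic link. As an added example (not part of the original write-up or the machine's code), here is a small audit a defender could run on an uploaded zip before extracting it: it reads the Unix mode bits that ZIP stores in external_attr and flags symlink entries, and also flags absolute or ".." names. The sample archive, entry names and link target are constructed for the test.

```python
import io
import stat
import zipfile
from typing import List


def zip_entry_is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the archive entry was stored as a Unix symlink.

    ZIP keeps the Unix st_mode in the high 16 bits of external_attr.
    A naive extractall() would recreate the link, and any later read of
    the extracted path would follow it into the host file system.
    """
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)


def audit_zip(data: bytes) -> List[str]:
    """Return human-readable findings for a zip blob.

    An empty list means no symlink or path-traversal entries were seen,
    so the archive is safe to pass on to extraction.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if zip_entry_is_symlink(info):
                # For a symlink entry the member body is the link target.
                target = zf.read(info).decode(errors="replace")
                findings.append(f"symlink entry {name!r} -> {target!r}")
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"path traversal entry {name!r}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one ordinary file plus one symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless content")
        link = zipfile.ZipInfo("link.txt")
        # S_IFLNK | 0o777 in the high 16 bits marks a Unix symlink.
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/passwd")  # constructed link target
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_zip(build_sample_zip()):
        print(finding)
```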

Intended way to obtain the reverse shell on the machine

We managed to see the version of MySQL on the machine. In this activity, we need to encode the malicious command twice, as shown below:

echo "<reverse shell command>" | base64
<?php exec("echo '<base64 encoded command>' | base64 -d | bash"); ?>

We should get the encoded output and use MySQL's from_base64 function to deliver the reverse shell payload.

We should then get our reverse shell connection back to us.

Finally, we have obtained the reverse shell connection.

We can read the user flag by typing the command "cat user.txt".

Escalate to Root Privileges Access

After I analyzed the binary using Ghidra, I successfully obtained the password required for the binary to work.

By executing the command strace, I found the location that we can use to obtain the root shell. Therefore, let's try to compile the malicious file, named exactly as written in the file.

The malicious code will look something as shown above.

We are required to compile the C file into a shared object (.so) file.

We can transfer the malicious file that we compiled on our attacker's machine to the victim's machine.

Let's execute the binary and enter the password so that we can obtain the reverse shell connection.

Boom! We have successfully retrieved the reverse shell connection back to us.

We can read the root flag by typing the "cat root.txt" command.
