In this post, I would like to share a walkthrough of the Backendtwo machine from Hack The Box.
This machine is rated medium difficulty on Hack The Box.
What will you gain from the Backendtwo machine?
For the user flag, you will need to abuse the API on the website, which eventually gives us a shell.
As for the root flag, you need to play the PAM-Wordle game, which gives you the permission you need.
Information Gathering on Backendtwo Machine
Once we have started the VPN connection (the VPN configuration file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -Pn
Let’s access the website interface
A JSON message appears on the website interface.
Website API enumeration
We managed to see some new endpoints when we accessed <ip>/api/v1
However, we got errors saying “not found” and “not authenticated”
What a surprise! We get a different message when we access our own user endpoint.
Let’s enumerate the possible endpoints under the /api/v1/user directory using gobuster
In the results, two directories caught my attention: signup and login
We got something interesting to play with when accessing the signup endpoint
Let’s send the request to Burp Suite
The Burp Suite response shows that the account has been created.
After we forward the request again, it says that the account already exists
Let’s pass the login payload through Burp Suite, but it looks like some HTML appears after the access token
Let’s decode the access token on jwt.io
I almost forgot about the other directories that I overlooked in the gobuster result.
In the request, we can add an Authorization: Bearer header carrying the new token.
We got a page error that mentions something like “Unable to render the definition”
I noticed that the application exposes its API definition at openapi.json
After a while, it works like a charm!
When we try the admin check, the result comes back as “false”
For the user-id, we are aware that UHC Admin is set as user number 1
For the user-id, we are aware that UHC Guest is set as user number 2
We are aware that UHC Player is set as user number 11
Finally, I got our own user-id when fetching it: number 12
The response from get_user_flag gives us an error saying “Not Authorized”
Therefore, let’s authorize with the credentials that we created earlier.
After logging in with those credentials, we were able to change the request body just as shown above.
The output is shown above
Therefore, let’s run some basic and well-known Linux commands
Getting a reverse shell as user
We can add a new line to the request body: “is_superuser”: true
After taking a break from the machine, I noticed we could no longer log in as darknite, so I had to create a new account
We need to encode /etc/passwd in base64, and we managed to see its content
After logging back in to the account that now has superuser, this method leads us to the flag.
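The “is_superuser”: true trick works because the API copies whatever fields it receives onto the stored user record, a mass-assignment bug. The following is an added example, not the Backendtwo application’s own code, that models that handler next to a hardened version which only accepts an allow-list of fields and logs anything else; the User model, the EDITABLE_FIELDS set and the function names are assumptions.

```python
# Added example: mass assignment of a privilege flag vs. an allow-list update.
# The User model and function names are assumed, not taken from the real application.
import json
import logging
from dataclasses import dataclass, asdict

log = logging.getLogger("user_api")


@dataclass
class User:
    id: int
    email: str
    is_superuser: bool = False


# Fields a logged-in user is allowed to change about themselves.
EDITABLE_FIELDS = {"email"}


def update_user_vulnerable(user: User, body: str) -> User:
    """Mass assignment: every key in the JSON body becomes an attribute, privilege flags included."""
    for key, value in json.loads(body).items():
        setattr(user, key, value)  # "is_superuser": true lands on the record here
    return user


def rejected_fields(body: str) -> list:
    """Keys in the body that are not on the allow-list (useful for alerting)."""
    return sorted(set(json.loads(body)) - EDITABLE_FIELDS)


def update_user_hardened(user: User, body: str) -> User:
    """Only allow-listed fields are copied; privileged keys are dropped and logged."""
    data = json.loads(body)
    rejected = rejected_fields(body)
    if rejected:
        # A client sending privileged keys is a signal worth alerting on.
        log.warning("user %s sent non-editable fields %s", user.id, rejected)
    for key in set(data) & EDITABLE_FIELDS:
        setattr(user, key, data[key])
    return user


if __name__ == "__main__":
    # Constructed request body in the shape the walkthrough describes.
    body = json.dumps({"email": "darknite@example.com", "is_superuser": True})
    print(asdict(update_user_vulnerable(User(12, "old@example.com"), body)))
    print(asdict(update_user_hardened(User(12, "old@example.com"), body)))
```

Running the block shows the vulnerable record flipped to is_superuser=True while the hardened record keeps only the e-mail change.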
Let’s analyze the user.py file to see if there are any hints that can help us move deeper
However, we cannot obtain the SSH public key
We can send a payload to the server by taking advantage of user.py, with data that bypasses the parameter checks. We can also add the Authorization token to the request
Therefore, we should be able to curl as the user that we created in the payload
Finally, we have successfully accessed the machine with the reverse shell connection
We can read the user flag by typing the “cat user.txt” command
Escalating to Root Privileges
I noticed some other files that caught my attention before reading the user flag. There’s an auth.log that contains what I presume is an SSH password.
Let’s run the sudo -l command to see whether any binaries can be run with sudo on this machine. I noticed that a similar game was implemented on the Altered machine
I was wondering if the method is the same for this Backendtwo machine too.
To retrieve the passcode we need for the game, we have to access the machine via the SSH service.
At last, we have obtained the correct passcode for the game, which gives us the elevated privileges
As a result, let’s just try running sudo su and see if we can reach root this way
And surprisingly, it works like a charm!
We can read the root flag by executing the “cat /root/root.txt” command