In this post, I would like to share a walkthrough of the Backendtwo Machine from Hack the Box

This room will be considered a medium machine on Hack The box

What will you gain from the Backendtwo machine?

For the user flag, you will need to abuse the API on the website which will give us a shell that way

As for the root flag, you need to play the PAM-Wordle game to get some information the permission

Information Gathering on Backendtwo Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface

It’s a JSON message that appears on the website interface.

Website API enumeration

We managed to see some new endpoints when we access <ip>/API/v1

However, we got an error saying that “not found” and “not authenticated”

What a surprise! We have a different message when we access our own user endpoints.

Let’s enumerate the possible endpoints after the /api/v1/user directory using gobuster

On the result, there are two directories that caught my attention which is signup and login

We got something interesting to play with when accessing the signup endpoints

Let’s send the payload to the burpsuite

On the burpsuite response, it shows that the account is created.

After we click on the forward the request, it have said that the account has already existed

Let’s pass the payload to the burpsuite but it looks like some HTML appears after the access token

Let’s decode the access token on the jwt.io

I almost forgot about other directories that I overlooked from the gobuster result.

On the request payload, we can add the payload with the authorization bearer with the new token.

We got a page error that mention something such as “Unable to render the definition

FastApi dashboard

I notice that the application is running on openapi.json

After a while, it works like a charm!

After looking at the dashboard, I notice that we can play around with the default parameters.
From the description, it says that UHC API is version 2.0 which returns the response as 200 “Successful Response”

When we try to execute the admin check, it shows the result as “false”

For the user-id, we are aware of UHC Admin is set as user number 1

For the user-id, we are aware of UHC Guest is set as user number 2

We are aware of UHC Player is set as user number 11

Finally, i got our own user-id when fetching it as number 12

The response from the get_user_flag is giving us an error said “Not Authorized”

Therefore, let’s authorize with the credentials that we created earlier.

After login in using the credentials, we were able to change the request body just like shown above.

The output has shown above

Therefore, let’s run some basic and well-known commands in Linux

Getting a reverse shell as user

We can add a new line which is “is_superuser: true”

After taking a break from playing the machine, I notice we cannot login as darknite again which i have to create a new account

We need to encode /etc/passwd into base64 and we managed to sight the content

After re-login to the account that has a superuser, it leads us to obtain the flag with this method.

Let’s analyze the user.py file if there are any hints that can help us to move deeper

However, we cannot obtain the ssh public key

We can send a payload to the server by taking advantage of user.py with the data that can bypass the parameters. We also can add the Authorization token to the payload

Therefore, we should be able to curl the user that we have created in the payload

Finally, we have successfully accessed the machine with the reverse shell connection

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

I did notice some other files that caught my attention before reading the user flag. There’s an auth.log that contains a password for ssh i presume.

Let’s run Sudo -l command to see if any SUID binary has been implemented in this machine. However, I notice that a similar game that been implemented on Altered Machine

I was thinking if the method is the same for this Backendtwo machine too.

For us to retrieve any passcode that we can use for the game, we need to access the machine via ssh service.

At last, we have obtained the correct passcode for the game which gives us the privileges of access

As a result, let’s just try running sudo su and see if we can reach root this way

And surprisingly, it works like charm!

We can read the root flag by executing the “cat /root/root.txt” command

Leave a Reply

Your email address will not be published.