In this post, I would like to share a walkthrough of the OnlyforYou machine from Hack the Box.
This box is rated as a medium machine on Hack the Box.
What will you gain from the OnlyforYou machine?
For the user flag, you will need to read several files through a Local File Inclusion (LFI) vulnerability that exists in one of the site's forms; a form on the site also lets us obtain remote code execution (RCE).
As for the root flag, you need to take advantage of the internal Gogs website, which we can exploit using the this_is_fine_wuzzi script. We upload the script into the Gogs application and trigger the exploit by downloading the file with pip3. As a result, we can change the permissions of bash to make it a SUID binary.
Information Gathering on OnlyforYou Machine
Once we have started the VPN connection (the connection pack has to be downloaded from Hack the Box), we can begin gathering information on the machine by running the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Documents/htb/onlyforyou]
└──╼ $ nmap -sC -sV 10.10.11.210 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-18 06:39 EDT
Nmap scan report for 10.10.11.210
Host is up (0.032s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e883e0a9fd43df38198aaa35438411ec (RSA)
| 256 83f235229b03860c16cfb3fa9f5acd08 (ECDSA)
|_ 256 445f7aa377690a77789b04e09f11db80 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://only4you.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.66 seconds
┌─[darknite@parrot]─[~/Documents/htb/onlyforyou]
└──╼ $
Let’s access the website interface.
However, nothing interesting was found on the website interface.
We managed to find a subdomain on the website interface.
Another way to obtain the subdomain is to run ffuf, which should give the same result.
We also spotted a team member's name, which we can make use of at a later stage.
Let’s access the subdomain, from which we can download the source code.
Analyze the application source code
The downloaded archive looks as shown above.
Inside app.py there is a long stretch of code that we can analyze further.
from flask import flash, redirect, request, send_file
from werkzeug.exceptions import BadRequest
import os
import posixpath

@app.route('/download', methods=['POST'])
def download():
    image = request.form['image']
    filename = posixpath.normpath(image)
    # Only a substring test for '..'; an absolute path passes this check untouched
    if '..' in filename or filename.startswith('../'):
        flash('Hacking detected!', 'danger')
        return redirect('/list')
    # Relative names are joined to LIST_FOLDER, absolute names are used as-is
    if not os.path.isabs(filename):
        filename = os.path.join(app.config['LIST_FOLDER'], filename)
    try:
        if not os.path.isfile(filename):
            flash('Image doesn\'t exist!', 'danger')
            return redirect('/list')
    except (TypeError, ValueError):
        raise BadRequest()
    return send_file(filename, as_attachment=True)
The section of code that caught my attention is shown above.
We can inspect the request with Burp Suite; it looks as shown above.
There are some files that we can download to our machine.
Sadly, we can see only the content of the images.
At last, we found a Local File Inclusion (LFI) via Burp Suite.
We can further analyze a few of the files that are exposed to us.
Next, we should enter some information or details in the contact form.
The actual request looks as shown above.
Let’s start our nc listener on our attacking machine.
Then, let’s insert our command injection payload; the result looks promising.
Boom! We got a reverse shell connection back to us.
We found a few open ports that the Nmap output didn’t show in its results.
So, let’s upload chisel onto the victim’s machine.
Finally, we connected chisel between our machine and the victim’s machine.
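To make the flaw concrete, here is an added example (my own code, not the application's) that reproduces the route's path checks as a plain function next to a hardened version of the same logic; the LIST_FOLDER value is a constructed placeholder for app.config['LIST_FOLDER'].

```python
import os
import posixpath
from typing import Optional

# Constructed placeholder; the real app reads it from app.config['LIST_FOLDER'].
LIST_FOLDER = "/var/www/only4you/static/list"


def vulnerable_target(image: str) -> Optional[str]:
    """Path the original /download route hands to send_file (None = rejected).

    Mirrors the checks in app.py: '..' is rejected by a substring test, but an
    absolute path skips os.path.join, so any readable file on disk is accepted.
    """
    filename = posixpath.normpath(image)
    if '..' in filename or filename.startswith('../'):
        return None  # "Hacking detected!"
    if not os.path.isabs(filename):
        filename = os.path.join(LIST_FOLDER, filename)
    return filename


def hardened_target(image: str) -> Optional[str]:
    """Same route with the checks a reviewer would ask for.

    Absolute paths and NUL bytes are refused, the joined path is resolved
    (following symlinks), and the result must still live under LIST_FOLDER.
    """
    if not image or os.path.isabs(image) or "\x00" in image:
        return None
    base = os.path.realpath(LIST_FOLDER)
    candidate = os.path.realpath(os.path.join(base, image))
    # commonpath (not startswith) so a sibling like ".../list2" is not accepted.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```

The hardened version still lets the route serve any file that really sits under LIST_FOLDER, which is the behaviour the download feature needs.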
Port 3000 enumeration
On port 3000, it’s a Gogs website interface.
Port 8001 enumeration
Port 8001, meanwhile, redirects us to a login page.
Let’s enter common credentials such as admin:admin.
Boom! We have successfully accessed the dashboard.
SQL Injection on Onlyforyou Machine
Let’s try some SQL injection payloads on the search endpoint.
At last, we obtained information from the SQL query.
After a few more SQL payloads, we obtained the password hashes from the machine.
Let’s use CrackStation to crack the hashes because I’m too lazy to use John the Ripper or Hashcat.
Finally, we can access the machine via the SSH service.
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access
As usual, we can find the allowed binary by typing the “sudo -l” command.
We should download the exploit for the vulnerability.
Once we have downloaded the exploit to our machine, the files should be inside the exploit folder.
The screenshot above shows the original code inside the setup.py file.
We should modify the file by adding the line “os.system("chmod u+s /bin/bash")”.
We can then build the package by running “python3 -m build”.
Next, let’s create the folder on the dashboard.
Then, we upload the malicious file through the upload function.
Before we download the tar file onto the victim’s machine, we can verify that /bin/bash has not yet been changed into a SUID binary.
The command above downloads the file onto the machine.
Boom! The bash binary has been changed into a SUID binary.
We can read the root flag by typing the “cat root.txt” command
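The pip3 step works because pip executes a package's setup.py while building the downloaded source distribution. As an added defensive example (my own code, not the box's exploit), here is an audit that opens a source tarball and flags shell-execution calls in any setup.py before anyone runs pip3 on it; the sample tarball, package name and setup.py texts are constructed.

```python
import ast
import io
import tarfile
from typing import List

# Calls that let a setup.py run arbitrary commands at build/download time.
SUSPICIOUS_CALLS = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "run"), ("subprocess", "Popen"),
    ("subprocess", "call"), ("subprocess", "check_output"),
}


def suspicious_calls(setup_source: str) -> List[str]:
    """Return 'module.func' for every flagged call in the setup.py text."""
    found = []
    for node in ast.walk(ast.parse(setup_source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            base = node.func.value
            if isinstance(base, ast.Name) and (base.id, node.func.attr) in SUSPICIOUS_CALLS:
                found.append(f"{base.id}.{node.func.attr}")
    return found


def audit_sdist(sdist_bytes: bytes) -> List[str]:
    """Scan every setup.py inside a source tarball without executing anything."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.rsplit("/", 1)[-1] == "setup.py":
                src = tar.extractfile(member).read().decode("utf-8", "replace")
                findings.extend(f"{member.name}: {c}" for c in suspicious_calls(src))
    return findings


def build_sample_sdist(setup_source: str) -> bytes:
    """Constructed sdist containing only a setup.py, so the audit runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_source.encode()
        info = tarfile.TarInfo("pkg-0.1/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a benign setup.py and one with the kind of call added in the walkthrough.
CLEAN = "from setuptools import setup\nsetup(name='pkg', version='0.1')\n"
TAMPERED = "import os\nfrom setuptools import setup\nos.system('echo tampered')\nsetup(name='pkg')\n"
```

The AST check is a triage aid rather than a sandbox: a call reached through "from subprocess import run", exec of a decoded string, or a build backend hook would slip past it, so the real fix is not granting "pip3 download" under sudo at all.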