In this post, I would like to share a walkthrough of the Secret Machine from HackTheBox
This room is been considered difficulty rated as an Easy machine on HackThebox
What you will gain from Secret machine?
For the user flag, you will download a token_secret from the files on the website. We were also required to play jwt code with the token secret and execute a shell from BurpSuite
As for the root flag, you need to find a program on the machine where we are required to crash the program so that we can obtain the root flag
Information Gathering on Secret Machine
Once we have started the VPN connection which requires download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface to find any vulnerability that we can exploit
Sadly, we didn’t find anything to exploit on the website interface except there’s the documentation for registering and login users. It might be useful later on.
From the Nmap result, I notice there’s a port 3000/tcp open which it has installed with Node.js (Express middleware)
Enumerate directory using gobuster
Let’s enumerate for any interesting directory on the machine by using gobuster
The output above appear from a normal enumeration using port 80 and the same output show when i enumerate using port 3000
There have two interesting that caught my attention such as
Let’s dig deeper on the /api/ directory which leads us to find another directory such as /users. From this point, i have been wondering whether there’s a registered directory that we can use over here.
Before that, let’s try to look into /download the directory and who knows if there’s something we can use from that directory.
## Sorry for not being able to provide evidence on the gobuster result for /download/ directory ##
Let’s go download the files that we managed to obtain from the gobuster result.
Therefore, let’s unzip the files which we have successfully downloaded just now and see the content of the folder.
Inside the folder, there are a few files that have been stored which I didn’t see anything interesting.
As a result, let’s see anything that has been hidden from our eyes.
Other files that we can look into is .env and .git therefore let’s dig deeper on the file or folder.
Due to some spacing on the post, I will skip another file except for the file that I need to showcase in this post.
Let’s read the HEAD file which the content will look such as below:
From the file content, I managed that .env have been removed for a security reason
We need to should restore the git commit that has been removed previously by using the command git revert id
Gaining Privileges Acces on Secret Machine
As a result, we can read the .env file which has been removed where we have presented with the token_secret which we will be using in the next step.
The next step that we can do is to register a username on the machine.
Normally, we use a browser or burpsuite to register and login directly but this time, I will make sure of the curl command for this activity.
As a result, we can login to the API using the credentials that we created just now. However, we get a jwt code after we try to login to the API interface.
Let’s decode the jwt code on the website jwt.io where you can see the output similar as shown above.
Right now, we can change the name from darknite to theadmin which we found out from the document earlier.
We are required to put together the content of token_secret over here.
Getting reverse shell connection
Let’s start our nc listener
Let’s execute the curl command to send the shell to the system so that we managed to obtain the reverse shell connection back to us.
For this activity, I use the python reverse shell command to successfully obtain the shell.
## For those who are wondering on the command –proxy http://127.0.0.1:8080 is used for. The purpose to incept the packet using BurpSuite ##
Sadly, our attempt look unsuccessfully to obtain the reverse shell connection.
As a result, I need to use a different type of shell command from Online – Reverse Shell Generator (revshells.com)
I will try using the shell command shown above to get the shell back.
Voila! We have successfully obtained a reverse shell.
It looks like we access it as dasith privileges.
We can read the user flag by executing the command “cat user.txt“
Escalate Root Priviliges on Secret machine
We can run automation tools such as linpeas.sh to find us any interesting file or SUID that we can use for exploitation.
However, I will find the SUID or malicious program manually
There’s no way to get ssh access to the machine via dasith privileges access.
Based on my experience, there should be something interesting to look at on those directories:
Uwu! There’s something on the /opt/ directory that we can analyze further.
Let’s analyze the code.c file
I notice that there’s a function for coredump generation that have been enabling that we are required to crash some program.
For that purpose, we should be getting another reverse shell whose function such as follows:
- One Reverse Shell is executing program
- One Reverse Shell is to kill/crash the program
Getting SSH private key
The screenshot above shows that we can possibly retrieve ssh id_rsa so that we can use it to access the machine via ssh
We can use ps aux command to find PID of the program which in my case is 1543.
So, let’s kill that program by using the command “kill -6 PID“
Finally, the program has crashed based on the screenshot above.
Let’s look at the log of the crash at /var/crash directory
Right now, we should be reading the file that contains ssh key.
You will be able to see the SSH key as shown above.
We can give permission to the root_id_rsa
We should be able to access the machine via ssh but sadly we failed.
After a while, i notice my mistake where i should be giving permission chmod 600 root_id_rsa rather than chmod +x root_id_rsa
It should be working now.
Finally, we managed to access the machine as root privileges access via ssh
We should be able to read the root flag by executing “cat root.txt“
Another way to get a root flag without ssh access is by changing /root/.ssh/id_rsa to /root/root.txt just shown above.
Happy Learning Guys!
We can go to /etc/shadow so that we can unlock and read the write-up