In this post, I would like to share a walkthrough of the Seventeen machine from Hack The Box.
This machine is rated Hard on Hack The Box.
What will you gain from the Seventeen machine?
For the user flag, you will need to play with SQL injection and then get a reverse shell back to us by exploiting the Roundcube Webmail installer.
As for the root flag, you need to abuse an npm dependency confusion attack.
Information Gathering on Seventeen Machine
Once we have started the VPN connection, using the OpenVPN configuration downloaded from Hack The Box, we can start information gathering on the machine by running nmap -sC -sV -p- -Pn <IP Address>
A few ports are open: SSH, and HTTP on both 80 and 8000.
Let’s access the website interface
There is nothing of note on the website itself, so let's enumerate further with gobuster.
The gobuster directory scan did not turn up anything useful.
As a result, let's enumerate virtual hosts with gobuster instead.
This time I noticed that exam.seventeen.htb is available. Let's access that domain and see whether it can be used to proceed further.
There is not much to investigate on this domain either, so let's enumerate its directories with gobuster.
Nothing it finds is accessible to us.
Let's try the common SQL injection payloads. One of them changes the application's response, which tells us the input is injectable.
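The writeup does not show which input was injectable, so the following is an added example rather than the author's code or anything from the box: a toy student login built on sqlite3 that splices user input into its query, the same query with bound parameters, and a boolean-based probe of the kind sqlmap runs to decide that a parameter is injectable. The table name, the alice/s3cret row and the payload strings are all constructed for the demo.

```python
"""Added example (not from the Seventeen writeup): detecting and
exploiting a string-concatenated login query, beside the fixed version."""
import sqlite3


def make_db():
    """Constructed sample table; the real box's schema is not shown."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE students (username TEXT, password TEXT)")
    con.execute("INSERT INTO students VALUES ('alice', 's3cret')")
    return con


def login_vulnerable(con, username, password):
    """The bug: user input is spliced straight into the SQL text."""
    sql = (f"SELECT username FROM students WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Same query with bound parameters; input is data, never SQL."""
    sql = "SELECT username FROM students WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def boolean_probe(login, con, username):
    """sqlmap-style boolean check: inject a true and a false condition
    behind a known username and see whether the application behaves
    differently. The trailing -- comments out the password check.
    Returns True when the username parameter is injectable."""
    true_case = login(con, f"{username}' AND 1=1--", "wrong")
    false_case = login(con, f"{username}' AND 1=2--", "wrong")
    return true_case is not None and false_case is None


if __name__ == "__main__":
    con = make_db()
    print("vulnerable login injectable:", boolean_probe(login_vulnerable, con, "alice"))
    print("safe login injectable:     ", boolean_probe(login_safe, con, "alice"))
    # Authentication bypass: the comment removes the password clause entirely.
    print("bypass on vulnerable login:", login_vulnerable(con, "alice'--", "anything"))
    print("bypass on safe login:      ", login_safe(con, "alice'--", "anything"))
```

The probe needs a username that exists so that the true and false cases differ; that is also why the usernames dumped later in the writeup are worth collecting before trying to log in.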
Enumerate using SQLmap
After running sqlmap, we found a few databases that we can analyse further.
We managed to dump a few tables, but at first nothing of interest.
Oh, wait! Something interesting turns up when we look at the users table.
After browsing another database, we found some usernames that I presume we can use at a later stage.
At this stage, let's gamble with the information we obtained earlier.
When we browse to the oldmanagement directory on the website, we are given a student login page.
After trying all the credentials from our earlier database dump, we managed to find one that works!
Finally, we can see the dashboard of the School File Management System.
Let's try to upload a PHP file to the system.
We can obtain a PHP reverse shell from here.
Let's upload it as shown above.
Sadly, we cannot get a reverse connection this way.
I was stuck here for a while and could not think of any way to proceed. After talking to my friends and getting some ideas from them, I had an idea of how to continue.
Roundcube Webmail installer
We managed to access the Roundcube installer, so let's intercept the request with Burp Suite.
The screenshot above shows the original intercepted request.
We need to modify the payload as shown above and hold the request before forwarding it.
Let's start our nc listener and then click the Forward button.
We should then get the reverse shell connection back to us.
Let's enumerate further inside the machine.
After a while, we managed to find some configuration files that leak passwords.
With one of those passwords, we managed to access the machine as mark.
We can read the user flag with the cat user.txt command.
Escalate to Root Privileges Access
Let's access the machine as a different user, kavi.
I notice a script, /opt/app/startup.sh, that we might be able to use at a later stage.
Let's execute the script and see what happens. The script stops at [+] Starting the app.
Looking at the loglevel folder under /opt/app/node_modules tells us the app installs its dependencies with npm.
We can add our reverse shell to lib/loglevel.js inside that package, as shown above.
Let's execute the script again, but it fails with a few errors.
Therefore, let's install the Verdaccio npm registry on our machine.
Let's add a new user to Verdaccio.
Let's start Verdaccio.
Sadly, we stumble on an error saying Bad Request.
After a while, we managed to solve the error and successfully published the malicious loglevel package to our registry.
On the victim's machine, we need to modify the .npmrc file so that the registry URL points to our VPN IP.
Once we finish modifying .npmrc, we can start the script again.
At last, we received the reverse connection back.
We can read the root flag with the cat root.txt command.
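The escalation above works because whoever can edit .npmrc, or register the package name on whichever registry npm consults first, controls what npm install fetches. As an added example, not the author's code or anything from the box, the check below parses an .npmrc and a package-lock.json, resolves the registry each dependency would be installed from following npm's rule that an @scope:registry entry overrides the default registry for scoped packages, and flags any package that would be fetched from a host outside an allowlist or whose lockfile entry carries no integrity hash. Both files, the 10.10.14.5 attacker IP, the @school scope and the npm.internal.example host are constructed for the demo.

```python
"""Added example (not from the Seventeen writeup): audit an npm project's
registry configuration and lockfile for a dependency-confusion setup."""
import json
from urllib.parse import urlparse

# Constructed .npmrc: the default registry has been redirected to an
# attacker-controlled Verdaccio (port 4873 is its default), the way the
# writeup edits /opt/app/.npmrc. The @school scope is an assumption.
NPMRC = """\
registry=http://10.10.14.5:4873/
@school:registry=https://npm.internal.example/
"""

# Constructed package-lock.json in the lockfileVersion 3 layout.
LOCKFILE = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"loglevel": "^1.8.1", "@school/auth": "1.0.0"}},
        "node_modules/loglevel": {
            "version": "1.8.2",
            "resolved": "http://10.10.14.5:4873/loglevel/-/loglevel-1.8.2.tgz",
        },
        "node_modules/@school/auth": {
            "version": "1.0.0",
            "resolved": "https://npm.internal.example/@school/auth/-/auth-1.0.0.tgz",
            "integrity": "sha512-AAAA",
        },
    },
})

# Hosts an install is allowed to pull from (assumed allowlist).
TRUSTED_REGISTRIES = {"registry.npmjs.org", "npm.internal.example"}


def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) from .npmrc lines."""
    default, scoped = "https://registry.npmjs.org/", {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scoped[key[:-len(":registry")]] = value
    return default, scoped


def registry_for(name, default, scoped):
    """npm uses the scope-specific registry for @scope/pkg, else the default."""
    if name.startswith("@"):
        return scoped.get(name.split("/", 1)[0], default)
    return default


def audit(npmrc_text, lockfile_text, trusted):
    """List findings: packages that would be fetched from an untrusted
    registry (per .npmrc or per the lockfile's resolved URL), or whose
    lockfile entry has no integrity hash to pin the tarball contents."""
    default, scoped = parse_npmrc(npmrc_text)
    lock = json.loads(lockfile_text)
    findings = []
    for path, meta in lock["packages"].items():
        if not path:  # the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        checks = [("npmrc", urlparse(registry_for(name, default, scoped)).hostname)]
        if "resolved" in meta:
            checks.append(("lockfile", urlparse(meta["resolved"]).hostname))
        for label, host in checks:
            if host not in trusted:
                findings.append(f"{name}: {label} registry {host} not trusted")
        if "integrity" not in meta:
            findings.append(f"{name}: no integrity hash in lockfile")
    return findings


if __name__ == "__main__":
    for finding in audit(NPMRC, LOCKFILE, TRUSTED_REGISTRIES):
        print(finding)
```

Run against the constructed files, only loglevel is reported: its registry was redirected in .npmrc, its resolved URL points at the same host, and it has no integrity hash, so nothing would stop a freshly published 1.8.2 from replacing the real package. The scoped @school/auth entry passes because its scope pins a trusted registry. On a real host the complementary fix is to make sure .npmrc itself is not writable by the low-privileged user whose script runs npm install.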
One response
Hey, I solved this machine and didn't quite understand the box overall, as it wasn't configured properly, but after reading your writeup I am now even more confused: how did you know there was a SQL injection, and which parameter was vulnerable? Did you try running sqlmap on the parameters? Also, the part where we have to get a reverse shell: what does the _plugin_help POST parameter mean? Weren't we supposed to perform directory traversal on _plugin_name? And for escalating to kavi, you didn't show how you got to him. Please answer my queries, thanks!