In this post, I would like to share a walkthrough of the Writer machine from HackTheBox.
This machine is rated as Medium difficulty on HackTheBox.
What will you gain from the Writer machine?
For the user flag, you will execute some SQL Injection on the login page and enumerate the MySQL database once you have a shell as www-data.
As for the root flag, you need to abuse Sendmail from kyle's shell to obtain john's shell. From john's shell, you then need to abuse apt to obtain a root shell.
Information Gathering
Once we have started the VPN connection (the configuration file is downloaded from HackTheBox), we can begin information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
The Nmap results show a few open ports.
Let's open the browser and go straight to the website interface.
We didn't find any interesting information on the website that we could use to exploit it.
Let's run gobuster to enumerate the website directories.
There are a few directories that we can check on the website. However, one directory caught my attention: /administrative
We are presented with an Admin Login Page, so we need to find a way to log in to the Dashboard. I tried to get past the login using Cross-Site Scripting, but sadly it didn't work at all.
I was stuck here for a while and asked for hints on Discord. A lot of my friends said that I should try some SQL Injection, but it failed.
sqlmap Enumeration
Let's run a tool such as sqlmap to test the website for SQL Injection.
I notice that the website is injectable through the POST parameter 'uname'.
To be honest, I'm not familiar with this uname SQLi attack method, so let's do some research on it.
After a while, I got a nudge on a SQL Injection payload that we can use on the login page.
In the username and password fields, we can enter an injection such as ' or 1=1-- 2
Voila! We managed to get access to the Dashboard by using SQL Injection.
Let's roam around the Dashboard to find anything useful that we can use to exploit, and we notice there are a few sections that we can investigate: Dashboard, Stories, Users, and Settings.
I found a wealth of information when I accessed the Stories section. We can modify any of those IDs, and there we find functions such as upload.
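The login bypass above works because the username is spliced into the SQL text, so the quote closes the string literal and the `--` comments out the password check. The following is an added example, not the Writer box's code: a string-built login query beside its parameterized form, exercised with the exact `' or 1=1-- 2` payload from the walkthrough. The table, accounts and passwords are constructed sample data held in an in-memory SQLite database so the script runs offline.

```python
"""Added example: why a string-built login query is bypassable and how
parameter binding closes the hole. Not code from the Writer machine."""
import sqlite3

# Constructed sample accounts (plaintext only to keep the demo short;
# a real application stores password hashes, see the Django hashes later).
SAMPLE_USERS = [("admin", "constructed-admin-pw"), ("kyle", "constructed-kyle-pw")]

PAYLOAD = "' or 1=1-- 2"  # the injection string used in the walkthrough


def make_db():
    """Build an in-memory users table from the constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(uname, password):
    """Untrusted input becomes part of the SQL text: a quote in `uname` ends the
    string literal and everything after `--` is treated as a comment."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (uname, password))


def login_vulnerable(conn, uname, password):
    """Returns the matched username, or None. With PAYLOAD as the username the
    WHERE clause collapses to `username = '' or 1=1`, so the first row wins."""
    row = conn.execute(build_vulnerable_query(uname, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, uname, password):
    """Same lookup with placeholders: the driver binds the values separately,
    so a quote or `--` inside them is just data and never reaches the parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (uname, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))  # admin (bypassed)
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))        # None
    print("safe, real:", login_safe(db, "kyle", "constructed-kyle-pw"))  # kyle
```

The trailing `2` in the payload only exists to keep the space after `--` from being trimmed by a browser or proxy; MySQL and MariaDB require that space for `--` to start a comment, while SQLite does not.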
Gaining Privileges Access on Writer Machine
I knew it! Let's try to upload a PHP reverse shell by using the upload function.
The reverse shell didn't come back to us after I uploaded it through the website interface.
Oh, man! My mistake was not checking which file formats the system allows us to upload.
We can change the file format from PHP to jpg by using a simple command such as cp <targetfilename> <newfilename>
Now we can upload the file to the system.
But first, we need to start our nc listener so that the reverse shell can come back to us.
We can inspect the request with Burp Suite; the request can be seen as shown above.
Let's encode our bash reverse shell command by using the echo command as shown above.
Once that has been completed, we can put our code in the "image_url" field as I show above.
Boom! We managed to obtain a shell on another terminal. Let's check the MySQL configuration, which is located at /etc/mysql/mariadb.cnf
Before we proceed with MySQL enumeration, there's some documentation that we can study about it over here
MySQL Enumeration
We can access MySQL by executing mysql -u <username> -h localhost -p
We successfully log in to the MariaDB system.
Inside MariaDB, we can see that the dev and information databases are stored there. Let's access the dev database.
There are around 10 tables saved in the dev database.
We should be able to get the password hashes by running the command "select * from auth_user"
We need to create a file and paste the password hashes into it.
To obtain the password in plaintext, we run hashcat, for example hashcat -a 0 -m 10000 hashes --wordlist rockyou.txt
Damn! We hit an obstacle while getting the password.
Luckily, we managed to get the password after a few more tries.
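Hashcat mode 10000 targets the Django password format that an auth_user table stores: `pbkdf2_sha256$<iterations>$<salt>$<base64 digest>`. As an added example (standard-library Python, not code from the Writer machine or from Django itself), the block below builds, parses and verifies hashes in that format, which shows why the iteration count is the knob that decides how slow a wordlist run like the one above is: every candidate costs the verifier, and the attacker, the same `iterations` rounds of HMAC-SHA256. The salt and password values are constructed for the demo.

```python
"""Added example: build, parse and verify Django-style pbkdf2_sha256 hashes
(the format behind hashcat -m 10000). Standard library only."""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"


def make_django_hash(password, salt=None, iterations=600000):
    """Produce `pbkdf2_sha256$<iterations>$<salt>$<base64 digest>`.
    The salt must not contain '$' because that is the field separator;
    a fresh 22-character hex salt is generated when none is supplied."""
    if salt is None:
        salt = secrets.token_hex(11)
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt,
                            base64.b64encode(digest).decode("ascii"))


def parse_django_hash(stored):
    """Split a stored hash into (iterations, salt, raw digest bytes)."""
    algorithm, iterations, salt, encoded = stored.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    return int(iterations), salt, base64.b64decode(encoded)


def verify_django_hash(stored, candidate):
    """Recompute PBKDF2 with the stored salt and iteration count and compare
    in constant time, so a mismatch leaks nothing about where it differed."""
    iterations, salt, expected = parse_django_hash(stored)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return hmac.compare_digest(actual, expected)


def hmac_rounds_for_wordlist(stored, wordlist_size):
    """Cost of a dictionary run against one hash: one PBKDF2 evaluation per
    candidate, i.e. `iterations` HMAC rounds each. Useful when deciding how
    far to raise the iteration count on a Django deployment."""
    iterations, _, _ = parse_django_hash(stored)
    return iterations * wordlist_size


if __name__ == "__main__":
    # Constructed demo values; a low iteration count keeps the demo quick.
    h = make_django_hash("constructed-demo-password", salt="constructedsalt", iterations=1000)
    print(h)
    print(verify_django_hash(h, "constructed-demo-password"))  # True
    print(verify_django_hash(h, "wrong-guess"))                # False
    print(hmac_rounds_for_wordlist(h, 14_000_000))             # 14_000_000_000
```

Because the stored string carries its own algorithm, iteration count and salt, a verifier can accept old hashes while new ones are written with a higher count; the cost figure from `hmac_rounds_for_wordlist` is what a low count like the one above gives away to a rockyou-sized dictionary.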
Maintaining Privileges Access on Writer Machine
SSH ACCESS
Voila! We successfully accessed the machine via the SSH service using the credentials that we found earlier.
We can read the user flag by executing the "cat user.txt" command.
Escalate to Root Privileges Access on Writer Machine
Escalate from kyle to john
There's a disclaimer file that I noticed while reading the user flag. I noticed that some bash shell and email functions have been saved in that file.
We need to start our nc listener in another terminal.
An email will need to be sent so that we can retrieve a reverse shell on our machine.
To get root privileges, we can obtain a reverse shell by abusing apt via a Netcat reverse shell.
Boom! We got a root reverse shell as shown above.
We should be able to read the root flag by executing the "cat root.txt" command.
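The apt step works only because a low-privileged user can write where root-run tooling reads. Which file that was on this box is not stated above; the check below assumes the usual case of a group- or world-writable file under a privileged configuration directory such as /etc/apt/apt.conf.d, which apt parses as root. It is an added hardening audit for a defender, not a script from the walkthrough, and the directory path and file names it is run against are whatever you pass in.

```shell
#!/bin/sh
# Added example: flag group- or world-writable files under a configuration
# directory that privileged software reads. /etc/apt/apt.conf.d is given as
# the usage target on the assumption that this is the kind of file apt abuse
# relies on; the walkthrough itself does not name the file.

check_writable_config() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    # -perm -0020 matches group-writable, -perm -0002 world-writable files.
    found=$(find "$dir" -type f \( -perm -0020 -o -perm -0002 \) -print | wc -l | tr -d ' ')
    if [ "$found" -gt 0 ]; then
        echo "WARNING: $found group/world-writable file(s) under $dir:" >&2
        find "$dir" -type f \( -perm -0020 -o -perm -0002 \) -exec ls -l {} \; >&2
        return 1
    fi
    echo "ok: no group/world-writable files under $dir"
    return 0
}

# Usage when run directly on a host; `|| true` keeps a finding from aborting
# a caller that runs with set -e. Exit status 1 means something is writable.
[ -d /etc/apt/apt.conf.d ] && check_writable_config /etc/apt/apt.conf.d || true
```

The same function applies to any directory that a root process reads at run time; pair it with an ownership check (files there should be owned by root) and with a file-integrity or audit rule on the directory so that an unexpected write is logged rather than discovered after the fact.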
-THE END-
Happy Learning, Guys!
One response
Nice one bro