Kami's Cybersecurity Blog

Box Write-ups:

This blog is a resource for learning cybersecurity. I will be posting write-ups on Hack The Box machines, providing insights into offensive security. Hack The Box offers a range of challenging boxes, each designed to test your hacking skills, and these write-ups will help you understand and solve them.

Clicker

Clicker is a medium Linux Hack The Box machine that was released on 09/23/2023. This box starts with a simple PHP application that allows a user to register an account and play a game that consists of clicking as fast as possible. The game endpoint accepts a POST parameter that I will modify, abusing a type juggling vulnerability to set my account as admin. Then, I will access the admin panel, from which I can export the highest scores of all players. By injecting PHP code into the game endpoint, specifically into the "nickname" parameter, and then exporting the players' scores, I will gain code execution and access to the box as www-data.

Once inside, I will abuse a SUID binary owned by "jack" and exploit its functionality to read the id_rsa SSH private key of the user "jack" and connect as him via SSH. As "jack," I will exploit a shell script that I can run as root. The script uses some Perl environment variables that are vulnerable to variable hijacking. Since I can specify the 'setenv' parameter before running the program as root, I will hijack a variable to execute commands as root.

Visual

Visual is a medium Windows box from Hack The Box that was released on 09/30/2023. It runs an application that compiles .sln solutions for .NET v6 applications from a GitHub repository. To gain access, I will create a malicious C++ project with a pre-build step that executes code. Additionally, I will host my repository over HTTP so that the machine can pull it, giving me code execution.

With code execution, I will access the box as Enox. This user can place files in the web root directory. Consequently, I will inject malicious PHP code into the web root directory to achieve code execution and obtain a shell as the NT Authority user.

This user has the capability to run a program called "Full Powers," allowing the user to acquire the "SeImpersonatePrivilege." I will exploit this privilege using a technique from the "potato" family. Notably, the common potatoes won't work, as the box is a Windows Server 2019, and most of the known vulnerabilities have been patched for this Windows version. However, I will use a newer privilege escalation technique known as "GodPotato," released in May 2023, which will enable me to exploit the privilege and gain code execution as NT Authority System.

Drive

Drive is a challenging Linux box from Hack The Box, released on 10/14/2023. It features an application that allows users to create notes, use groups, reserve notes, and more. To gain access, I will begin by modifying the request to the endpoint responsible for reserving a note. This will allow me to view content that I'm not supposed to see. Subsequently, I will read the username and password of the user Martin Cruz. With these credentials, I can log in via SSH as that user.

Once inside, I will discover an internally running Gitea application holding a backup of the system. I will download the backup and also find the password needed to unzip it.

Within the backup, there will be an SQLite database containing some Django hashes. I will crack these hashes to find the password for the user 'tomHands' and then connect via SSH as that user. To achieve root access, I will need to reverse-engineer a binary with multiple functionalities, which the user Tom can run as root. Within the binary, I will exploit a SQL injection vulnerability, not for reading data, but for executing commands. I will create a malicious C library, load it into the application by bypassing all the filters, and finally execute commands as the root user.

Appsanity

Appsanity is a challenging Windows box from Hack The Box, released on 28/10/2023. It begins with a simple application that allows me to create a new user and send messages to a supervisor. To gain access, I will exploit the signup page by altering some parameters to register my user as a doctor, granting me higher privileges. I will discover a subdomain with an admin panel exclusively available to doctors. To authenticate as a doctor, I will reuse the cookie from the main website on the portal panel.

Within the 'panel' portal, I will identify and exploit two vulnerabilities. One of them is an upload bypass, where I will bypass a filter that only allows PDF files and upload an ASPX reverse shell. Since I can't find my uploaded file to trigger the shell, I will abuse an SSRF on another endpoint of the 'portal' panel to perform internal port discovery. Using the SSRF, I will trigger the reverse shell through a web proxy.

I will gain access as 'svc_exampanel,' with limited privileges. However, I will have access to a DLL that I will reverse-engineer to understand its behavior. I will discover that it uses data from registry keys to connect to an SQLite database. By dumping the data from the registry key, I will find a possible password for another user on the box. This user, 'devdoc,' is part of the 'remote management' group, allowing me to connect as him using WinRM.

As this user, I will find an internal .exe file listening on port 100 for interaction. I will debug and reverse the binary, realizing that it loads libraries depending on the functionality the user calls. I will notice that the program attempts to load a non-existent library when running the 'upload' function. To exploit this, I will find the folder from which it is loaded and place a malicious DLL file there. Then, I will use Chisel to forward port 100 and interact with the service, triggering the 'upload' functionality and gaining a shell as the Administrator on the box.