This blog is a resource for learning cybersecurity. I will be posting write-ups on Hack The Box machines, providing insights into offensive security. Hack The Box offers a range of challenging boxes, each designed to test your hacking skills, and these write-ups will help you understand and complete them.
Clicker
Clicker is a medium Linux machine from Hack The Box, released on 09/23/2023. The box starts with a simple PHP application that lets a user register an account and play a game that consists of clicking as fast as possible. The game endpoint accepts a POST parameter that I will modify, abusing a type juggling vulnerability to set my account as admin. Then I will access the admin panel, from which I can export the highest scores of all players. By injecting PHP code into the game endpoint, specifically into the "nickname" parameter, and then exporting the players' scores, I will gain code execution and access the box as www-data.
Once inside, I will abuse a SUID program owned by "jack" and exploit its functionality to read jack's id_rsa private key and connect as him via SSH. As "jack," I will exploit a shell script that I can run as root. The script uses some Perl environment variables that are susceptible to variable hijacking. Since I can set the 'setenv' option before running the script as root, I will hijack a variable to execute commands as root.
Visual
Visual is a medium Windows machine from Hack The Box, released on 09/30/2023. It runs an application that compiles .sln solutions for .NET 6 applications from a GitHub repository. To gain access, I will create a malicious C++ project with a pre-build event that executes code. I will also host my repository over HTTP so the machine can fetch it, which gives me code execution.
With code execution, I will access the box as Enox. This user can place files in the web root directory, so I will drop malicious PHP code there to achieve code execution and obtain a shell as the NT Authority user.
This user can run a program called "FullPowers," which lets the user reacquire the "SeImpersonatePrivilege." I will exploit this privilege using a "potato" technique. Notably, the common potatoes won't work, as the box is a Windows Server 2019 and most of the known variants have been patched for this Windows version. However, I will use a newer privilege escalation technique known as "GodPotato," released in May 2023, which will let me exploit the privilege and gain code execution as NT AUTHORITY\SYSTEM.
Drive
Drive is a hard Linux machine from Hack The Box, released on 10/14/2023. It features an application that allows users to create notes, use groups, reserve notes, and more. To gain access, I will begin by modifying the request to the endpoint responsible for reserving a note, which will let me view content I'm not supposed to see. From there, I will read the username and password of the user Martin Cruz and log in via SSH as that user.
Once inside, I will discover an internally running Gitea application containing backups of the system. I will download the backups and also find the password needed to unzip them.
Within the backup, there will be an SQLite database containing some Django password hashes. I will crack these hashes to find the password for the user 'tomHands' and then connect via SSH as that user. To achieve root access, I will need to reverse-engineer a binary with multiple functionalities that the user Tom can run as root. Within the binary, I will exploit a SQL injection vulnerability, not to read data but to execute commands. I will create a malicious C library, load it into the application by bypassing all the filters, and finally execute commands as the root user.
Appsanity
Appsanity is a hard Windows machine from Hack The Box, released on 10/28/2023. It begins with a simple application that allows me to create a new user and send messages to a supervisor. To gain access, I will exploit the signup page by altering some parameters to register my user as a doctor, granting me higher privileges. I will discover a subdomain with an admin portal available exclusively to doctors. To authenticate as a doctor, I will reuse the cookie from the main website on the portal.
Within the portal, I will identify and exploit two vulnerabilities. The first is an upload bypass, where I will get around the filter that only allows PDF files and upload an ASPX reverse shell. Since I can't locate my uploaded file to trigger the shell, I will abuse an SSRF on another endpoint of the portal to perform internal port discovery. Using the SSRF, I will trigger the reverse shell through an internal web proxy.
I will gain access as 'svc_exampanel,' with limited privileges. However, I will have access to a DLL that I will reverse-engineer to understand its behavior. I will discover that it reads data from registry keys to connect to an SQLite database. By dumping the data from the registry key, I will find a possible password for another user on the box. This user, 'devdoc,' is a member of the 'Remote Management Users' group, allowing me to connect as him using WinRM.
As this user, I will find an internal .exe file listening on port 100. I will debug and reverse the binary and find that it loads libraries depending on the functionality the user calls. I will notice that the program attempts to load a non-existent library when running the 'upload' function. To exploit this, I will find the folder it loads from and place a malicious DLL there. Then I will use Chisel to forward port 100, interact with the service, trigger the 'upload' functionality, and gain a shell as the Administrator on the box.