Hack The Box

Machine Info:

The foothold starts at the filtered intranet port: Havoc's SSRF lets us reach it and triggers a WebSocket-based RCE. After forging the agent, we convert the exploit protocol to WebSocket so the two scripts can be merged into a single chain. That gives us the user.txt flag and a persistent connection by writing our SSH key.

For root, once a proxy to the intranet port is set up, we find an authentication bypass that lets us execute commands and use it to write our SSH key again for a persistent connection. Further enumeration reveals that the iptables command has special permissions that let us overwrite files. Leveraging this, we gain root access and retrieve the root.txt flag.

Enumeration:

Nmap:

nmap -sC -sV 10.129.205.176 
# Nmap 7.95 scan initiated Wed Jan 22 18:50:06 2025 as: /usr/lib/nmap/nmap --privileged -sV -sC -oA Backfire 10.129.205.176
Nmap scan report for 10.129.205.176
Host is up (0.063s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey: 
|   256 7d:6b:ba:b6:25:48:77:ac:3a:a2:ef:ae:f5:1d:98:c4 (ECDSA)
|_  256 be:f3:27:9e:c6:d6:29:27:7b:98:18:91:4e:97:25:99 (ED25519)
443/tcp  open     ssl/http nginx 1.22.1
|_http-server-header: nginx/1.22.1
| tls-alpn: 
|   http/1.1
|   http/1.0
|_  http/0.9
| ssl-cert: Subject: commonName=127.0.0.1/stateOrProvinceName=Florida/countryName=US
| Subject Alternative Name: IP Address:127.0.0.1
| Not valid before: 2024-09-11T12:18:27
|_Not valid after:  2027-09-11T12:18:27
|_ssl-date: TLS randomness does not represent time
|_http-title: 404 Not Found
5000/tcp filtered upnp
8000/tcp open     http     nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-open-proxy: Proxy might be redirecting requests
| http-ls: Volume /
| SIZE  TIME               FILENAME
| 1559  17-Dec-2024 11:31  disable_tls.patch
| 875   17-Dec-2024 11:34  havoc.yaotl
|_
|_http-title: Index of /
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 22 18:50:25 2025 -- 1 IP address (1 host up) scanned in 18.78 seconds
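The scan above already points at the whole attack path: a filtered port 5000 (the "intranet" service), a TLS listener on 443 whose certificate is issued to 127.0.0.1, and a directory listing on 8000 exposing disable_tls.patch and havoc.yaotl. The following is an added example, not part of the original write-up, that parses nmap's normal-format output and pulls those findings out automatically; the scan text is embedded verbatim from the page so it runs offline, and the `triage` heuristics are my own, not anything nmap or Havoc provides.

```python
import re

# Excerpt of the page's nmap output for 10.129.205.176, embedded so the parser
# runs offline (the target is never contacted by this script).
NMAP_OUTPUT = """\
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
|   256 7d:6b:ba:b6:25:48:77:ac:3a:a2:ef:ae:f5:1d:98:c4 (ECDSA)
|_  256 be:f3:27:9e:c6:d6:29:27:7b:98:18:91:4e:97:25:99 (ED25519)
443/tcp  open     ssl/http nginx 1.22.1
|_http-server-header: nginx/1.22.1
| ssl-cert: Subject: commonName=127.0.0.1/stateOrProvinceName=Florida/countryName=US
| Subject Alternative Name: IP Address:127.0.0.1
|_http-title: 404 Not Found
5000/tcp filtered upnp
8000/tcp open     http     nginx 1.22.1
|_http-open-proxy: Proxy might be redirecting requests
| http-ls: Volume /
| SIZE  TIME               FILENAME
| 1559  17-Dec-2024 11:31  disable_tls.patch
| 875   17-Dec-2024 11:34  havoc.yaotl
|_
|_http-title: Index of /
"""

# "22/tcp   open     ssh      OpenSSH 9.2p1 ..."  (version column is optional)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| 1559  17-Dec-2024 11:31  disable_tls.patch"  (http-ls rows only; the
# SIZE/TIME header and ssh-hostkey lines do not match the date pattern)
LS_RE = re.compile(r"^\|\s+(\d+)\s+(\d{2}-\w{3}-\d{4} \d{2}:\d{2})\s+(\S+)$")
CN_RE = re.compile(r"commonName=([^/\s]+)")


def parse_nmap(text):
    """Return one dict per port line, with script output folded into it."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "files": [],      # entries from http-ls
                "cert_cn": None,  # commonName from ssl-cert
            }
            ports.append(current)
            continue
        # Script output lines belong to the most recent port line.
        if current is None or not line.startswith("|"):
            continue
        m = LS_RE.match(line)
        if m:
            current["files"].append(
                {"size": int(m.group(1)), "mtime": m.group(2), "name": m.group(3)}
            )
            continue
        if "ssl-cert" in line:
            m = CN_RE.search(line)
            if m:
                current["cert_cn"] = m.group(1)
    return ports


def triage(ports):
    """Heuristic findings (my own rules, not nmap's) as (port, message) tuples."""
    findings = []
    for p in ports:
        if p["state"] == "filtered":
            findings.append((p["port"], "filtered port: likely firewalled to localhost, "
                                        "candidate for an SSRF or proxy pivot"))
        for f in p["files"]:
            findings.append((p["port"], f"directory listing exposes {f['name']} "
                                        f"({f['size']} bytes, {f['mtime']})"))
        if p["cert_cn"] in ("127.0.0.1", "localhost"):
            findings.append((p["port"], f"TLS certificate CN={p['cert_cn']}: "
                                        "default self-signed cert, worth fingerprinting"))
    return findings


if __name__ == "__main__":
    for port, msg in triage(parse_nmap(NMAP_OUTPUT)):
        print(f"{port:>5}  {msg}")
```

Run it as-is to get the three findings that drive the rest of the box; to reuse it on another scan, replace `NMAP_OUTPUT` with the contents of the `.nmap` file that `-oA` writes. The listed files on port 8000 are the obvious next fetch, since a Havoc config and a patch that disables TLS say a lot about how the teamserver on 443 is set up.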

⛔ This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.
