Hack The Box — Toolbox Writeup

MisterK
Jun 10, 2021


Toolbox is an Easy machine listed on Hack The Box. It was designed on March 12th, 2021 by MinatoTW. I was able to gain a foothold into Toolbox with a combination of Burp Suite and sqlmap. From there, Python-based shell improvements and exploiting default Docker credentials allowed for a pivot deeper into the machine.

Part One: Enumeration

While initially loading Toolbox did not bring up results, accessing the page via HTTPS was successful.

Nmapping shows a variety of open ports. While the FTP server is likely vulnerable, the process of looking at the website provided greater and greater access, so the FTP server was never analyzed. After a Dirbuster scan revealed a likely admin page, adding that admin page to my host list allowed me to take a look at it.

Part Two: SQL Injection

While the admin page was accessible, default login credentials didn’t work. However, it’s pretty likely that there is a database in use here. Using Burp Suite, I look through the history, and use Save Item to keep one of the POST requests, with the goal of using sqlmap to find an entry point.

After saving this item as injection.txt, using sqlmap to get information with the command sqlmap -r injection.txt --dbs --batch --force-ssl seems successful.

However, I hit a snag when I tried to perform the next part of this, where I actually get the shell. The command I used was sqlmap -r injection.txt --batch --force-ssl --os-shell.

This is sort of a strange error, but after looking it up, I have learned that this is likely due to the occasionally-spotty presence of Hack The Box servers. If you encounter the same error I did, adjust your input by timing it like so.

Part Three: Developing Shell Access

Having the os-shell is a positive development, but greater access to the file system is needed. Setting up a Netcat server, and then using a simple bash shell accomplished the goal.

Once the bash shell was in use, the User flag was accessible.

Part Four: Getting a Better Shell

It is very rare that Root flags are accessible with the same access level as User flags are, and Toolbox is no exception. Improving my shell access with simple Python commands proves effective.

Part Five: Inception

Looking around, it becomes clear that the name of this machine comes from the fact that the Docker Toolbox is in use. I then use ifconfig to check private IP info.

Noting the IP in use, I know that the gateway I am looking for will be at 172.17.0.1. Noting that this distribution is using Boot2Docker, I read through their GitHub page and quickly find that the default login credentials are:

User: docker

Password: tcuser

From the sqlmap shell, I am able to gain SSH access to Toolbox itself. Immediately looking for the RSA key is successful.

Part Six: Getting The Root Flag

After confidently copying the RSA key into a file called id_rsa, I attempt to use the key to gain SSH access to Toolbox. This grants immediate access to the Root flag.
