Welcome to another Hack the Box walkthrough. In this blog post, I have demonstrated how I owned the DarkCorp machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs.
You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel and follow me on LinkedIn for more updates.

About the Machine
DarkCorp is an Insane-level Windows machine on Hack the Box. It features Roundcube webmail in a version affected by two cross-site scripting (XSS) vulnerabilities, CVE-2024-42009 (rated critical) and CVE-2024-42008 (rated high); Roundcube 1.6.7 and below, and 1.5.7 and below, are affected. These flaws allow an unauthenticated attacker to steal emails and contacts, as well as send emails from a victim's account. All the victim user has to do is view a malicious email in Roundcube.
Attackers can gain a persistent foothold in the victim's browser that survives browser restarts, allowing them to exfiltrate emails continuously or capture the victim's password the next time it is entered. For the critical XSS vulnerability (CVE-2024-42009), no user interaction beyond viewing the attacker's email is required. For CVE-2024-42008, a single click by the victim is needed for the exploit to work, but the attacker can disguise that interaction so the user does not notice it.
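To turn the affected-version ranges above into something a defender can run against a mail-server inventory, here is a small added audit helper; it is not part of the original walkthrough. The host names and version strings are constructed, and treating 1.5.8 and later in the 1.5 branch as fixed is an assumption drawn from the two ranges the page gives.

```python
"""Flag Roundcube versions exposed to CVE-2024-42009 / CVE-2024-42008.

Constructed audit helper (not from the walkthrough). It encodes the
page's statement that 1.6.7 and below, and 1.5.7 and below, are affected.
Assumption: the 1.5 branch received a backported fix, so 1.5.8+ is
treated as patched even though it sorts below 1.6.x numerically.
"""
import re

CVES = ("CVE-2024-42009", "CVE-2024-42008")


def parse_version(text):
    """Return (major, minor, patch); suffixes such as '-rc1' are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if this Roundcube version falls in the ranges the page describes."""
    v = parse_version(version)
    if (1, 5, 0) <= v < (1, 6, 0):
        return v <= (1, 5, 7)   # 1.5 branch: 1.5.7 and below affected
    return v <= (1, 6, 7)       # all other versions: 1.6.7 and below affected


def audit(inventory):
    """Map host -> list of CVEs it is exposed to (empty list if patched)."""
    return {host: list(CVES) if is_affected(ver) else []
            for host, ver in inventory.items()}


# Constructed sample inventory, as a banner or package scan might produce it
SAMPLE = {"mail01": "1.6.7", "mail02": "1.6.8",
          "legacy": "1.5.8", "old": "1.4.13"}

if __name__ == "__main__":
    for host, cves in audit(SAMPLE).items():
        status = "exposed to " + ", ".join(cves) if cves else "patched"
        print(f"{host}: {status}")
```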
The first step in pwning the DarkCorp machine, as I have always done in my previous writeups, is to connect my Kali Linux terminal to the Hack the Box server. To establish this connection, I ran the following command in the terminal:
After the connection had been set up, I started the target machine and was assigned an IP address of 10.10.11.54.
With the target IP identified, I began my enumeration phase by running a detailed Nmap scan to fingerprint the open services and gather as much information as possible. I used the following command:
The -sC flag runs Nmap's default scripts, -sV attempts to detect service versions, and -A enables aggressive scanning features such as OS detection, version detection, script scanning, and traceroute.
The scan revealed two open ports:
- Port 22 (SSH) - running OpenSSH 9.2p1 on Debian 12 (Bookworm).
This version is relatively up to date, suggesting the system might be well-maintained. Nonetheless, SSH could serve as a potential entry point later on if valid credentials or keys are discovered during enumeration.
- Port 80 (HTTP) - running nginx 1.22.1.
The HTTP service hosts a web application titled "DripMail", as indicated by the http-title output. The server header also confirms nginx as the backend. Since CTF challenges often hide important clues or vulnerabilities in web interfaces, this immediately became the primary focus for further investigation.
Interestingly, the OS detection results were inconsistent - Nmap guessed Windows Server 2022, but the service banner clearly shows Debian Linux. This mismatch likely occurred because Nmap couldn’t find enough open and closed ports to accurately fingerprint the host. In CTF environments, such discrepancies are common and can often be ignored if banner information is more reliable.
The traceroute results showed the target is only two hops away, consistent with typical internal HackTheBox-style lab networks.
Overall, the initial scan indicates that DripMail is hosted on a Linux machine running nginx and SSH, pointing us toward web-based enumeration as the logical next step.
I visited to check what the webpage looks like but I got an