HTB: Drive Writeup

Machine Information

Attribute	Details
Name	Drive (Doodle Drive)
OS	Linux
Difficulty	Hard
Points	N/A
Release Date	N/A
IP Address	`10.129.255.178`
Hostname	`drive.htb`
Author	D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (8.0/10)

Difficulty Assessment:

Enumeration: ⭐⭐⭐⭐☆
Real-world: ⭐⭐⭐⭐☆
CVE: ⭐⭐⭐☆☆
CTF-like: ⭐⭐⭐⭐☆

Summary

Status: Incomplete/In Progress - Reconnaissance phase complete, attack chain to be documented.

Drive is a Hard-difficulty Linux machine that hosts “Doodle Drive,” a Django-based file management web application. The machine features an Insecure Direct Object Reference (IDOR) vulnerability in file access endpoints, SQLite database backups secured with 7z archives, and password-protected hashes in Django format.

Initial reconnaissance has identified multiple endpoints, technologies, and artifacts (database backups, hash files). The exploitation path involves leveraging the IDOR vulnerability, cracking archived database backups, and extracting user credentials from password hashes. Subsequent privilege escalation steps remain to be documented.

TL;DR: Enumeration → IDOR discovery → Database extraction → Hash cracking → Foothold → Privilege escalation → Root.

Reconnaissance

Port Scanning

nmap -p- -oA ports.nmap -Pn 10.129.255.178

Results:

Port scan with aggressive flag filtering initially showed all ports filtered. A more targeted scan revealed:

Nmap 7.93 scan report for drive.htb (10.129.255.178)
All 65535 scanned ports on drive.htb (10.129.255.178) are in ignored states.
Not shown: 65394 filtered tcp ports (no-response), 141 filtered tcp ports (host-unreach)

Follow-up with service detection:

nmap -sC -sV -oA default.htb -Pn -f -p 22 drive.htb

Results indicate:

Port 22 (SSH): Filtered (inconsistent firewall rules or rate limiting)
Port 80 (HTTP): Open with Django-based web application

Service Enumeration

Hostname: drive.htb

echo "10.129.255.178 drive.htb" >> /etc/hosts

Web Application Discovery

Technology Stack:

Framework: Django (identified from CSRF verification error messages)
Database: SQLite (confirmed by backup files)
Application: Doodle Drive (file management application)

Discovered Endpoints:

Endpoint	Method	Description
`/login/`	GET	User login page
`/register/`	GET/POST	User registration
`/upload/`	GET/POST	File upload functionality
`/home/`	GET	Dashboard/home page
`/reports/`	GET	Reports section
`/logout`	POST	User logout
`/{id}/getFileDetail/`	GET/POST	File detail retrieval (IDOR)

Application Enumeration

Directory/File Enumeration:

feroxbuster -u http://drive.htb
feroxbuster -u http://drive.htb/ -H "Cookie: sessionid=vqgbqpn7tj5eef13g2got9sxfrb48lfy; csrftoken=To0uoSH7MtMIRqtAAGUGR1rAyBGv8rIZ"
subfinder -d drive.htb

Application Analysis

User Registration & Authentication

Registration Findings:

Strong password policy enforced:
- Minimum 8 characters required
- Cannot contain username/name as substring
- Cannot be purely numeric
- Additional complexity requirements observed

Test Account Creation:

Admin account exists: Username "admin" returns "username exists" error
Successfully created test user and logged in
Session management via sessionid and csrftoken cookies

Vulnerability Discovery: IDOR

Insecure Direct Object Reference in /getFileDetail/ endpoint:

GET requests:

GET /99/getFileDetail/
Response: {"status": "unauthorized"}

GET /98/getFileDetail/
Response: {"status": "unauthorized"}

GET /1/getFileDetail/
Response: {"status": "Internal Server Error", "message": "No File matches the given query."}

POST requests:

POST /99/getFileDetail/
Response: 403 Forbidden - CSRF verification failed
HTML Response:
  <h1>Forbidden <span>(403)</span></h1>
  <p>CSRF verification failed. Request aborted.</p>
  <small>More information is available with DEBUG=True.</small>

Analysis:

IDOR vulnerability exists in the /getFileDetail/ endpoint
Authentication is bypassed for certain file IDs
File ID 1 exists but returns “No File matches” error (may be tied to specific user)
CSRF protection is active on POST requests
File IDs 98-99 return “unauthorized” status (user permission restrictions)

CSRF Token Information

Django’s CSRF protection is active, requiring valid CSRF tokens for POST requests. Tokens are available from authenticated sessions.

Initial Foothold

Exploitation Path

In Progress: IDOR exploitation details, file access mechanisms, and authenticated payload delivery to be documented.

Known Artifacts:

The exploitation likely involves:

Leveraging the IDOR vulnerability to access unauthorized files or file details
Extracting information to identify database backup locations or credentials
Accessing database backups for further enumeration

Credential Discovery & Database Extraction

Database Backups

Identified Backups (7z Archives):

Located in loot directory:

1_Dec_db_backup.sqlite3.7z (December)
1_Nov_db_backup.sqlite3.7z (November)
1_Oct_db_backup.sqlite3.7z (October)
1_Sep_db_backup.sqlite3.7z (September)

Backup Status:

All archives are password-protected (7z encryption)
Hash format: $7z$2$19$0$$... (7z2hashcat compatible)
Extraction requires password cracking

Password Hashes

Hash Types Identified:

Django SHA1 Format Hashes (user_sha1_django_format.txt):

sha1$W5IGzMqPgAUGMKXwKRmi08$030814d90a6a50ac29bb48e0954a89132302483a
sha1$Ri2bP6RVoZD5XYGzeYWr7c$4053cb928103b6a9798b2521c4100db88969525a
sha1$ALgmoJHkrqcEDinLzpILpD$4b835a084a7c65f5fe966d522c0efcdd1d6f879f
sha1$jzpj8fqBgy66yby2vX5XPa$52f17d6118fce501e3b60de360d4c311337836a3

Monthly Hash Files:
- hash_dec.txt - December hashes
- hash_nov.txt - November hashes
- hash_oct.txt - October hashes
- hash_sep.txt - September hashes
Additional Hashes:
- user_sha_1.txt - Raw SHA1 format

Hash Cracking Tools & Wordlists:

# Generate custom wordlist
cewl https://drive.htb -d 2 -m 5 -o wordlist_m_5_d_2.txt
cewl https://drive.htb -d 2 -m 8 -o wordlist_m_8_d_2.txt

# Crack hashes
hashcat -m 124 hash_file.txt wordlist.txt

Generated wordlists available:

wordlist_m_5_d_2.txt (minimum 5 characters, depth 2)
wordlist_m_8_d_2.txt (minimum 8 characters, depth 2)

User Compromise

Credential Discovery

In Progress: Specific credentials extracted and user pivot details to be documented.

Known Process:

Archive backup files using 7z2hashcat
Crack 7z password hashes
Extract SQLite database from backup
Query database for user credentials
Attempt hash cracking with custom wordlists
Identify valid user credentials for application access

Generated Hashes for Cracking:

perl 7z2hashcat.pl 1_Dec_db_backup.sqlite3.7z > hash_dec.txt

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>

Privilege Escalation

Enumeration (In Progress)

sudo -l
find / -perm -4000 -type f 2>/dev/null
ps aux | grep -E "python|java|node|php|ruby"
grep -r "PrivilegeEscalation\|TODO\|FIXME\|SUID" / 2>/dev/null

Findings to be documented:

SUID binaries or misconfigured permissions
Scheduled tasks or cron jobs
Kernel vulnerabilities
Application-specific privilege escalation vectors

Exploitation (Root/Administrator)

In Progress: Specific privilege escalation technique and payload details to be documented.

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>

Attack Chain Summary

Reconnaissance & Enumeration
    ↓
Web Application Fingerprinting (Django + SQLite)
    ↓
IDOR Vulnerability Discovery (/getFileDetail/)
    ↓
Database Backup Extraction
    ↓
Archive Password Cracking (7z)
    ↓
SQLite Database Access
    ↓
Hash Cracking (Django SHA1)
    ↓
User Credential Discovery
    ↓
Application Authentication & Privilege Escalation
    ↓
System-level Privilege Escalation
    ↓
Root Access

Tools Used

Tool	Purpose	Version
`nmap`	Port scanning and service fingerprinting	7.93
`feroxbuster`	Recursive directory and file brute-forcing	N/A
`subfinder`	Subdomain enumeration	N/A
`cewl`	Custom wordlist generation from web content	N/A
`hashcat`	GPU-accelerated password hash cracking	N/A
`7z2hashcat`	7z archive hash extraction	N/A
`sqlite3`	SQLite database querying	N/A
`curl/wget`	HTTP requests and testing	N/A

Key Learnings & Security Insights

IDOR Vulnerabilities: Direct object reference flaws can lead to unauthorized information disclosure. Always implement proper access controls and verify user permissions server-side.
Archive Security: Even compressed archives with passwords can be vulnerable to brute-force attacks if weak passwords are used. Strong, random passwords are essential.
Database Security: Never expose database backups in accessible locations. Consider:
- Encrypting backups at rest
- Restricting access via filesystem permissions
- Implementing air-gapped backup storage
Django Security:
- CSRF tokens are effective but can be bypassed if not properly validated
- Default Django hashing algorithms (SHA1) are outdated; use bcrypt or Argon2
- DEBUG mode should never be enabled in production
Sensitive Information: Credentials and hashes should never be discoverable through enumeration or direct file access.
Custom Wordlists: Generated from application content (cewl), custom wordlists significantly improve crack success rates against user-created passwords.

Remediation Recommendations

Web Application

Implement strict server-side authorization checks for all file access endpoints
Use random, non-sequential file IDs (UUIDs preferred)
Apply rate limiting to prevent brute-force attacks on /getFileDetail/ endpoint
Never expose DEBUG information in production

Database & Backups

Encrypt database backups with strong encryption (AES-256)
Implement access controls on backup storage
Rotate backup passwords regularly
Use strong, randomly generated passwords (minimum 32 characters)

Authentication & Password Management

Migrate from SHA1 to Argon2 or bcrypt for password hashing
Enforce stronger password policies (minimum 12+ characters, complexity)
Implement multi-factor authentication (MFA)
Monitor and audit access to sensitive functions

Infrastructure

Implement network segmentation to limit lateral movement
Deploy intrusion detection systems (IDS)
Regular security audits and penetration testing
Maintain updated dependency versions

References & Further Reading

Author Notes

This writeup documents the reconnaissance phase and identified vulnerabilities of the Drive machine. The exploitation and privilege escalation phases are incomplete and should be filled in upon completion of the full engagement.

Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal. Always obtain proper authorization before conducting security testing.

Last Updated: 08 Mar 2026

Status: In Progress - Reconnaissance Complete, Exploitation & PE Sections Pending

Tags: #HackTheBox #Linux #Hard #Django #IDOR #PasswordCracking