HTB Labs - Tier 2 - "Base" Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Welcome to a new walkthrough powered by Hack The Box — Tier 2, featuring the machine “Base”.
Base is a Linux-based machine that demonstrates how insecure PHP authentication logic can lead to full system compromise. The attack chain starts with discovering a leaked swap file containing backend source code, exploiting a strcmp () type juggling vulnerability to bypass login, uploading a PHP reverse shell, and escalating privileges through a misconfigured sudo permission on the find command.
Executive Summary
Below is a high-level overview of the attack methodology used to compromise the machine.
Stage I: Scanning
An Nmap scan revealed two open TCP ports: SSH (22) and HTTP (80). The web server hosted a PHP-based application with a login panel.
Stage II: Enumeration
Directory brute-forcing uncovered the /login directory containing three files, including a .swp swap file that leaked the PHP source code. The code revealed that strcmp() with loose comparison (==) was used for authentication — a known vulnerable pattern.
Stage III: Exploitation
The strcmp() function was bypassed by sending array parameters (username[]=&password[]=) via Burp Suite, granting access to an upload page. A PHP reverse shell was uploaded and executed, providing initial access as www-data. Credentials found in config.php allowed switching to user john, who had sudo privileges on /usr/bin/find. Using find -exec, a root shell was spawned, fully compromising the machine.
Let’s waste no time and begin pwning the machine…..
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Task 1: Which two TCP ports are open on the remote host?
Answer: 22,80
Walkthrough:
Upon scanning the target using the NmapAutomator, we can find out that there are two opened TCP ports which are 22, and 80

Task 2: What is the relative path on the web server for the login page?
Answer: /login/login.php
Walkthrough:
To view the web application page of the machine, we will resolve the IP address of the machine on the local DNS server by adding the IP address against the name of the machine in the /etc/hosts.
sudo vim /etc/hosts
Based on that, we can view the web page of the web application by entering the URL of the machine in the web browser. (http://base.htb). After that look at the login page and observer the URL, you will find that the path for the login is (/login/login.php).

Also, you can use gobuster or ffuf for directory brute forcing. Use the following command:
gobuster dir http://10.129.95.184 -w /usr/share/wordlists/dirb/common.txt
Task 3: How many files are present in the ‘/login’ directory?
Answer: 3
Walkthrough:
Based on the past screenshot, we can find out the directory is consisting of 3 different files.

Task 4: What is the file extension of a swap file?
Answer: .swp
Walkthrough:
I think no need to walkthrough this.
Note that: Swap files are files on disk that Linux uses as overflow memory when RAM is full. Instead of crashing, the system moves inactive data from RAM to the swap file to free up space. Swap files usually refer to something different — editor swap files. When you edit a file in vim or nano, the editor creates a temporary backup. This is important because:
Those files may contain sensitive data like passwords, config files, or source code
Those files often left behind accidentally on web servers
Those files can be accessed directly, e.g.: http://base.htb/.login.php.swpTask 5: Which PHP function is being used in the backend code to compare the user submitted username and password to the valid username and password?
Answer: strcmp()
Walkthrough:
For that, we will take a closer look to the files under the path /login to see whether we can find any useful information. By taking a closer look to the file named as /login.php.swp, we will find that some of its content is encrypted. However, there are PHP codes including an interesting popular function used for validating usernames and passwords, which is strcmp().

Note that:
strcmp() compares two strings and returns:
(0) — if they're equal
(< 0) — if string1 is less than string2
(> 0) — if string1 is greater than string2
The authentication is like this:
if (strcmp($_POST['password'], "s3cr3t_p@ss") == 0) {
// login success
}Task 6: In which directory are the uploaded files stored?
Answer: _uploaded
Walkthrough:
By re-preforming directory brute forcing against the target using gobuster, using a larger commonly used list called “big.txt”, we shall find that there is a directory called _uploaded. This directory didn’t appear in the previous scanning as we used a shorter list called “common.txt”.
sudo gobuster dir -u http://10.129.25.2 -w /usr/share/wordlists/dirb/big/txt
This is the directory that is used to save all the uploaded files. To test that, we will upload a text file using the upload page. To view the contents of this page, just type the following URL:
http://base.htb/_uploaded
Now, let us find out how we can get access to the upload admin panel, where we will upload the files to the server.
Based on the previous task, we found out that the authentication is done using the strcmp(). Upon entering dummy data as a username and password, it responds with an alarm stating that the username or the password is not correct.

When you pass an array instead of a string to strcmp() , it returns NULL and throws a warning. The critical part is:
NULL == 0 → true (loose comparison)
NULL === 0 → false (strict comparison)Also, we need to understand whether the authentication request is a GET or a POST request. You can find out that by intercepting the traffic using the burpsuite while attempting to login.

Based on the screenshot, it appears that this request is a POST request.

Thus, we will exploit the fact that is strcmp() returns with NULL when attempting to enter any username or password. When intercepting the traffic using the burp suite, then we will Intercept the login request and change the body to:
username[]=&password[]=
Let me summarise what happened in the back end for you to understand how the exploit worked?
The back end code does this:
if (strcmp($password, $_POST['password']) == 0)When you enter the password as equals to test for example, PHP receives $_POST[‘password’] as the string “test”:
strcmp("s3cr3t", "test") → -1 (not equal)
-1 == 0 → false → login failsBut when you set the request to be password[], The [] tells PHP to treat this parameter as an array, so $_POST[‘password’] becomes [] (empty array) instead of a string:
strcmp("s3cr3t", []) → NULL (can't compare string to array)
NULL == 0 → true → login bypassed!How did it work?
It’s a two-step trick:
- strcmp() breaks — it expects two strings, but receives an array. It can’t handle that, so it returns NULL.
- Loose comparison fails — PHP’s == considers NULL and 0 as equal. So NULL ==0 evaluates to true, passing the check.

You can right click on the response and copy the URL and paste it on the browser, and you will be redirected to the upload PHP page as shown in the following screenshot.

You may also find the /upload.php clearly mentioned in the login.php.swp file. As per the code configuration leaked, it is clearly describing that if the user didn’t enter the right username and password, show an alert stating “Wrong username or password”, and if the values are correct “else function”, redirect the user to the /upload.php page.

Since, this is a PHP-based web application, we can upload/inject a malicious PHP code in which will open for us a backdoor in the server. For that, we will use a normal inject.php after we modify it to call our IP address and through a specific port.

Then, upload the inject.php file and it will be saved in the path /_uploaded/inject.php. Start the listener using the netcat and observe the terminal once calling this address (http://base.htb/_uploaded/inject.php)
sudo nc -lvnp 2233
Transfer the shell into an interactive shell by following the following commands in raw:
# On target (inside reverse shell):
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl+Z to background the shell
# On attacker (local terminal):
stty raw -echo; fg
# Back in the reverse shell on target:
export TERM=xterm
export SHELL=bashTask 7: Which user exists on the remote host with a home directory?
Answer: john
Walkthrough:
After getting a reverse shell on the server, we can navigate the server using the basic command lines. By navigating the home directory, we will find that the user is named john

Task 8: What is the password for the user present on the system?
Answer: thisisagoodpassword
Walkthrough:
After getting a reverse shell, we can navigate different paths. I found an interesting path where I found a config.php file under the following path /var/www/html/login


Task 9: What is the full path to the command that the user john can run as user root on the remote host?
Answer: /usr/bin/find
Walkthrough:
We need to switch to john first as we are now logged in as a “www-data” user. Use the following command to switch to the user john.
su johnEnter the password you have found in the config.php file which is “thisisagoodpassword”.

Then, enter the following command to list all commands john can run as root.
sudo -lTask 10: What action can the find command use to execute commands?
Answer: exec
Walkthrough:
The -exec flag tells the find to run a command on every result it finds. Normally it's used like:
find /home -name "*.txt" -exec cat {} \;This finds all (.txt) files and runs “cat” on each one. The {} is replaced by the filename, and \; marks the end of the command.
If john can run find as root:
sudo find / -exec /bin/bash \;Here’s what happens step by step:
- sudo find — runs find with root privileges
- / — searches from root directory, which will immediately find something
- -exec /bin/bash \; — as soon as it finds the first file, it executes /bin/bash
- Since find is running as root, the spawned bash shell is also root
You don’t actually care about finding files — you’re just abusing the -exec flag to run a command as root.
Task 11: Submitting the User Flag
Answer: f54846c258f3b4612f78a819573d158e
Walkthrough:
This is found in the user.flag under the john home directory.

The user flag of the machine “Base” is: f54846c258f3b4612f78a819573d158e
Task 12: Submitting the Root Flag
Answer: 51709519ea18ab37dd6fc58096bea949
Walkthrough:
After getting the root privileges from abusing the -exec flag in the find command, we are logged in as a root
sudo find / -exec /bin/bash \;
The root flag for the “Base” machine is: 51709519ea18ab37dd6fc58096bea949
Hope you enjoyed reading my blog about solving Base machine from HTB — Tier 2 — Starting Point Phase.
See You in another write-up!


