HackTheBox Writeup — BountyHunter

Faisal Husaini
4 min readNov 20, 2021

--

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is 10.10.11.100

Port Scan / Enumeration

nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.11.100

We found two open ports

  • Port 22 → SSH
  • Port 80 → Web

Way to User

Checking the web on the browser, I get a redirected to a webpage of Bounty Hunters

Clicking on the Menu button, I got listed with three options, About — Contact- Portal

The About and Contact option didnt led me to anywhere, but clicking on the Portal option leads to a page named portal.php displaying that it is under development and also shares another shortcut link

Clicking on the link redirects to the log_submit.php page which contains a Beta test of the Bounty Report System which contains some input field

Adding some data and submitting the request while intercepting it through Burp Suite shows that the data is being sent through base64 encoding

Using Burp’s decoder to decode the string, we can see that it leads to XML Code

Modifying the code to trigger XXE Injection and then encoding it back to base64

Sending the request with our modified string gives us the output of the /etc/passwd file in the response

Since, not finding any other leads, so I ran gobuster to fuzz the web directories and files

The db.php file seems to be interesting, so I modified the payload to make it fetch the file using PHP wrappers

Sending the request after putting our modified payload gave us a base64 string in the response which is the base64 encoding of the db.php file contents

Decoding the string leads us to the database credentials

Since there is no admin user on the remote machine as confirmed from the /etc/passwd file but we did had a user named development, so I tried the password with that user through SSH and got connected successfully

Getting the user flag from the user’s home directory

Way to Root

On the user’s home directory, we see a file named contract.txt which has a note on a tool on the machine

Running sudo -l command, we can seee that the current user can run sudo with no password on ticketValidator.py file on the /opt directory

Checking the content of the file, we can see that it first fetched a md file as an input and can also see that it in the evaluate method that its using the eval function in an unsafe manner which can be manipulated to get RCE as root

So I created a MD file and added contents according to the python code requirements to trigger code execution

Running the code with sudo privileges

Getting reverse shell back on netcat successfully as root

Getting the root flag from the /root directory

References

--

--

Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover