HackTheBox Writeup — Player

Hello Guys, I am Faisal Husaini. My username on HTB is “sozfnx”. Also join me on Discord.

The IP of this box is

Port Scan

We see 3 ports open; running Nmap against them, we get

We see Port 22 and 6686 running OpenSSH and Port 80 running a web service; checking the web part, we see

We get a Forbidden message telling us that we have no permission to access the root directory of the web server, so we run a Gobuster scan against the target and get

We get 5 directories, the interesting one being “/launcher”, so we move on to it

We see it's a page for a product named PlayBuff which is yet to be released, as the timer above shows; entering any email and clicking the Send button just leads back to the same page, so we move on to brute-forcing vhosts on the target using wfuzz

After the brute-force scan completes, we get three vhosts, so we add them to /etc/hosts and check each of the subdomains we got

On dev.player.htb, we get a login page and nothing much else of interest, so we run a Gobuster scan against it

Nothing much of interest, as we got Access Denied on all the directories found, so we move on to the staging.player.htb subdomain

We see an unfinished website which is of no use to us right now, so we move on to the last subdomain, chat.player.htb

We see that it is a chat messaging web app; the message from Vincent also tells us that the main domain exposes source code which will allow us to access the PlayBuff product before release, so we move on to that part now

Spidering the main host in Burp, we get

We see that it has two PHP files; one of them was the location of the same page and the other was the same too. After spending many hours and getting a hint, someone told me to learn something related to vim: vim creates a backup file with a ~ at the end of the filename, so I went on to try that

We got the source code of that PHP file, as Vincent said in the chat. From the code we can see that we can modify the JWT and get access to the product, so I used an online tool for this

We had to copy the cookie from “access” as shown above in Burp Suite, paste it here, make the modifications the code calls for to get access, then copy the resulting cookie, paste it into the request and see

We see that we got redirected somewhere else; checking the response in the browser

We got a new webpage which is surely the PlayBuff product that was going to be released in 22 days according to the timer; we also see it has a file upload feature, so we now try to exploit a file upload vulnerability

When we upload any file, we see that

It gets uploaded successfully with a “compression completed” message followed by a link to our upload; clicking on the Buffed Media link, we get to

We get a download prompt for it, and the file extension is .avi, which is for video files, whereas we uploaded a JPG file. So even if we upload a video file it gets uploaded, and when we search on Google for video upload exploits, we get

We get a very good link for creating video exploits which will help us get LFI, but which file do we really need from the LFI? As we remember from spidering in Burp earlier, we got a contact.php file which leaked something that Vincent also mentioned in the chat

We see that it shows /var/www/backup/service_config, which might be an interesting config file for us, so we try to get it using the tool from above for creating the video exploit

We created our video exploit; now we upload the file like before and then download the compressed one to our box

Now we open and watch the video and see at the beginning that we got

We can see a username and password leaked, so we try them on the higher SSH port

We get connected successfully, but if we try running commands we see

We get forbidden command errors for every command we try. As we know this port was running OpenSSH 7.2, I went looking for any interesting CVEs for it and got

This exploit allows us to bypass the shell restrictions, so let's try it

So we got connected through the exploit, but here we can only read files using the .readfile command

We are still restricted from using any Linux commands, but we can at least read files, so I guessed that the user flag might be in the same directory, as we were spawned in the home directory of the telegen user

We see that we get the user flag by guessing. So what should we do now that we can read files? If we remember the errors we got from the staging vhost, it was leaking one more PHP file

We see it shows a PHP file at /var/www/staging/fix.php; if we try to read its contents using the same method, we get

We see that we get one more set of creds, so we try them on dev.player.htb

Trying to log in here with the creds we got

We successfully logged in as Peter and we can see it's running Codiad

Searching for exploits for it on Google, I got one which gives us RCE, so let's try it

So I modified the script a little bit, ran it and followed the instructions given below

We can see that we got a reverse shell as www-data

Running pspy on the box, we see

We see that it has a cron job running PHP every minute on /var/lib/playbuff/buff.php; going to the directory we see

There are some other files as well; checking the code of buff.php

We see that the code includes another PHP file from /var/www/html/launcher

which is present right here. But before that, we can also switch to telegen from here, as we got its creds before

We got connected as telegen successfully and can then read the user flag from here

Moving back to the www-data shell, all we need to do is remove the included PHP file and put our own PHP file containing our reverse shell in its place

So here we removed the original included PHP file, put our reverse shell PHP there, started our netcat listener, waited a minute and see

We got another shell back, this time as root

The root flag was under the /root directory as always
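The root step above works only because the file that root's cron job includes sits in a directory the web user can write to. As an added example that is not part of the original writeup, this Python script audits a cron-run PHP script for exactly that condition: it resolves each literal include/require target and flags any target, or parent directory, that is owned by someone else or is group/world writable. The file names and permissions in demo() are constructed, not the box's real ones.

```python
import os
import re
import stat
import tempfile

# Literal include/require targets only; computed paths like __DIR__ . '/x.php' are skipped.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]\s*\)?\s*;")

def php_includes(script):
    """Include/require targets of a PHP file, relative ones resolved against its directory."""
    base = os.path.dirname(os.path.abspath(script))
    with open(script, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return [p if os.path.isabs(p) else os.path.normpath(os.path.join(base, p))
            for p in INCLUDE_RE.findall(src)]

def tamper_findings(path, trusted_uid):
    """Reasons an untrusted user could alter what gets included. The parent directory counts
    too: if it is writable the target can be deleted and replaced, the exact move used here."""
    findings = []
    for p in (path, os.path.dirname(path)):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            findings.append(f"{p}: missing (dangling include)")
            continue
        if st.st_uid != trusted_uid:
            findings.append(f"{p}: owned by uid {st.st_uid}, not {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{p}: group/world writable ({stat.filemode(st.st_mode)})")
    return findings

def audit_cron_php(script, trusted_uid=0):
    """Map each include target of a cron-run PHP script to its problems; empty dict = clean."""
    return {inc: probs for inc in php_includes(script) if (probs := tamper_findings(inc, trusted_uid))}

def demo():
    """Constructed scenario (not the box's real files): a cron script includes from a world-writable launcher/ dir."""
    root = tempfile.mkdtemp()
    launcher = os.path.join(root, "launcher")
    os.makedirs(launcher)
    target = os.path.join(launcher, "included.php")
    with open(target, "w") as fh:
        fh.write("<?php // constructed include target ?>\n")
    os.chmod(target, 0o644)
    os.chmod(launcher, 0o777)  # the weak setting: the web user can replace files here
    cron_script = os.path.join(root, "buff.php")
    with open(cron_script, "w") as fh:
        fh.write(f"<?php include('{target}'); ?>\n")
    return audit_cron_php(cron_script, trusted_uid=os.getuid())
```

Run audit_cron_php() with trusted_uid=0 against the real cron script on a host; a clean result is an empty dict, and the fix for any finding is to make the include target and its directory root-owned and not writable by the web user.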

This box was a totally real-life-based box and I really enjoyed solving it after banging my head so much :P


Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover