HTB BountyHunter Walkthrough
We can start off by doing an nmap scan, like normal.

Looks like only 2 ports are open: SSH and HTTP. Let's head over to the website and see what it is.

Looks like a simple website. I fired up Burp Suite and started gobuster to see what directories there are.

The directory that stands out the most is db.php, but we won't be able to see anything there since it's a PHP site and gobuster reports its size as 0, so let's go check out portal.

Going to portal brings us to a beta page that makes it look like the database is not currently up and running. Let's take a look in Burp Suite and see what is going on behind it.

Going to the POST request and looking at the data field, we can see that the DB results come back from XML. Let's see if we can modify the POST data and get XML injection.

I added a simple LFI payload (an external entity pointing at /etc/passwd) in Burp Suite and applied the changes so that the encoded data being sent is updated:
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
Don't forget to add &ent; to one of the bugreport fields.

After sending the request with the XML payload, it looks like I was able to get back the passwd file, making this web app vulnerable to XML injection (XXE). Knowing this, I now want to see if we can read the db.php file and see if there is anything in it.
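From the defender's side, the root cause above is an XML parser that honours entity declarations in user-supplied input. The following is an added example, not code from the box or the writeup: a Python handler for the same base64-encoded bugreport flow that refuses any document carrying a DOCTYPE before it is parsed, so neither the file:// entity nor the php://filter variant below can ever be resolved. The element names (bugreport, title, cwe, cvss, reward) and the sample submissions are constructed for illustration; the post does not list the form's real fields.

```python
import base64
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Assumed field names for illustration; the writeup doesn't list the real ones.
EXPECTED_FIELDS = ("title", "cwe", "cvss", "reward")


class UnsafeXML(ValueError):
    """Raised when a submission carries a DOCTYPE (and so may declare entities)."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this at '<!DOCTYPE ...', before any entity can be expanded,
    # so the parse is aborted before &ent; is ever resolved.
    raise UnsafeXML(f"DOCTYPE '{name}' is not allowed in a bug report")


def assert_no_doctype(data: bytes) -> None:
    """Pre-scan with a bare expat parser that aborts on any DOCTYPE.

    Without a DOCTYPE the document cannot declare entities, which removes the
    file:// and php://filter reads shown in the writeup at the root.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc


def parse_bug_report(data: bytes) -> dict:
    """Validate and parse a bugreport document into a plain dict."""
    assert_no_doctype(data)
    root = ET.fromstring(data)
    if root.tag != "bugreport":
        raise ValueError(f"unexpected root element <{root.tag}>")
    report = {}
    for field in EXPECTED_FIELDS:
        node = root.find(field)
        report[field] = (node.text or "").strip() if node is not None else ""
    return report


def parse_encoded_report(b64_data: str) -> dict:
    """The portal's POST body carries base64-encoded XML; decode, then parse."""
    return parse_bug_report(base64.b64decode(b64_data))


def rejection_reason(data: bytes):
    """Name of the exception that refused the submission, or None if accepted."""
    try:
        parse_bug_report(data)
    except ValueError as exc:
        return type(exc).__name__
    return None


# Constructed sample submissions (not traffic captured from the box).
BENIGN_XML = (
    b'<?xml version="1.0"?>'
    b"<bugreport><title>Stored XSS in comments</title><cwe>CWE-79</cwe>"
    b"<cvss>6.1</cvss><reward>500</reward></bugreport>"
)
BENIGN_B64 = base64.b64encode(BENIGN_XML).decode()

# The same document shape carrying the DOCTYPE from the writeup above.
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>'
    b"<bugreport><title>&ent;</title><cwe>CWE-79</cwe>"
    b"<cvss>6.1</cvss><reward>500</reward></bugreport>"
)

if __name__ == "__main__":
    print("benign:", parse_encoded_report(BENIGN_B64))
    print("xxe rejected by:", rejection_reason(XXE_XML))
```

Rejecting the DOCTYPE outright is simpler and safer than trying to disable individual entity types, and it also makes the attempt easy to log: a bug report that arrives with a DOCTYPE is itself a detection signal worth alerting on.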

I craft a new payload that base64-encodes the PHP file so that we can grab the base64 and decode it to see the contents of db.php:
php://filter/convert.base64-encode/resource=db.php

Looks like we were able to get the contents of db.php, so let's decode it and see what is in it.

After decoding, it looks like there is a DB password. A lot of people like to reuse passwords, so let's see if we can use this password to sign into the SSH account.

Using the username from the /etc/passwd file and the password from db.php, we can successfully log in and grab the user.txt flag.

Getting Root
After getting SSH access I used the command that everyone should try first: sudo -l

It looks like there is a Python file we can run with sudo without needing a password. Let's cat this file and see what it is.

Looking at this script, it looks like it opens a ticket and reads each line to check whether the ticket is valid or invalid. After looking through the code, a line that sticks out to me is
validationNumber = eval(x.replace("**", ""))
The eval() function in Python runs arbitrary Python code, so if we can make a malicious ticket we can potentially get root.
Let's open up nano and walk through the script one line at a time, making sure every check is True until we get to the eval() call.

When we get to the part of the ticket that the eval() function reads, I add some Python code that will run bash, and since we are running this with sudo, we should get a root shell when the script reads this ticket.
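The privilege escalation works because eval() is fed a line of an attacker-controlled file, and the script is then exposed through a passwordless sudo rule. As an added example that is not part of the writeup or the box's script, here is what the single line above would look like when done safely: the expression is parsed with the ast module and only integer literals joined by "+" are evaluated, so a ticket line containing names, calls or anything else is refused instead of executed. The ticket format itself is not shown in the post, so treating a code as a sum of integers (e.g. 31+410+86) is an assumption for illustration.

```python
import ast


class InvalidTicket(ValueError):
    """Raised when a ticket code is anything other than a sum of integers."""


# Assumption for illustration: the writeup does not show the ticket format,
# so a valid code is taken to be integer literals joined by '+', e.g. 31+410+86.
ALLOWED_BINOPS = (ast.Add,)


def _fold(node: ast.AST) -> int:
    # Walk the parsed expression and refuse every node type that is not an
    # int literal or an allowed binary operator: names, calls, attribute
    # access, subscripts and other operators all end up here and are rejected.
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ALLOWED_BINOPS):
        return _fold(node.left) + _fold(node.right)
    raise InvalidTicket(f"disallowed syntax in ticket code: {type(node).__name__}")


def safe_validation_number(x: str) -> int:
    """Drop-in for `eval(x.replace("**", ""))` that only does integer sums."""
    code = x.replace("**", "").strip()  # strip the markers, as the original line does
    try:
        tree = ast.parse(code, mode="eval")  # parse only; nothing is executed
    except SyntaxError as exc:
        raise InvalidTicket(f"not an expression: {x!r}") from exc
    return _fold(tree.body)


def is_valid_code(x: str) -> bool:
    """True if the code is accepted by the safe evaluator, False otherwise."""
    try:
        safe_validation_number(x)
    except InvalidTicket:
        return False
    return True


if __name__ == "__main__":
    for sample in ("**31+410+86**", "7", "2*3", "abs(1)", "x+1"):
        print(f"{sample!r:>16} -> {is_valid_code(sample)}")
```

Even with the evaluator fixed, the sudo rule is the second half of the problem: a script that reads files chosen by the invoking user should not be runnable as root without a password, and sudo -l output listing NOPASSWD entries for interpreters or scripts is exactly what a hardening review should flag.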

After running the script and entering the path to the malicious ticket, we get a root shell and the root flag.
Filed under: HTB, Non-Metasploit - @ August 2, 2021 5:40 am