HackTheBox’s BountyHunter: A Walkthrough

Noel Varghese
7 min read · Oct 9, 2021

Hello readers,

In this article, I will guide you through solving HTB's 'Bounty Hunter', a retired box, and explain in detail how to root this machine.

Credit for creating this box goes to ejedev. Thank you, as this box helped me learn a few new methods of injection and attack methodology.

The target machine's IP address is 10.10.11.100.

RECONNAISSANCE

First, we run a full-port version scan against the target, with the verbosity cranked up to 2:

  • Command — nmap -sV 10.10.11.100 -p 0-65535 -vv

Seeing that port 80 is open, we browse to http://10.10.11.100:80 and are met with the site's landing page.

Clicking on the pricing guide does not lead anywhere; it simply redirects us back to the main page.

There is nothing interesting in the main page's source code either.

ENUMERATION

Meanwhile, we run a directory fuzz against the website using common.txt and find the following:

Let's go through the fuzz results:

  • /assets, /js and /css — we are met with a 403 Forbidden error
  • /resources — we find a README file here

According to the note, a login section exists, with a 'test' account probably present on it. There may also be a database on the system that we can interact with. Let's keep the contents of this README in the back of our mind.

Switching our focus back to the website, clicking the portal button leads us to /portal.php, which in turn lets us reach another page, /log_submit.php, where we find:

We enter some data in the form. Clicking submit gives us the response shown below. Maybe port 3306 is hiding somewhere.

If you remember, the start-up page gave us a clue: Burp Suite can be used.

So we fire up our proxy with intercept turned on, head to log_submit.php, and enter the values again. After clicking submit, we capture:

Copying the encoded string from the data parameter, we send it to Burp Decoder. Having a hunch that it was Base64, we click the "Decode as" option and choose Base64.

Below, we get the XML-encoded version of the fields: Title, CWE, Reward, etc.

Now it's time for some XML injection. For this, I followed the following resource:

PayloadBox — https://github.com/payloadbox/xxe-injection-payload-list

We follow the XML Entity example from PayloadBox.

Now we make some changes to the data, replacing the value 'test' in the test field with "Noel hac".

Now send the captured request from your proxy to Burp Repeater (to send requests to and receive responses from the web server). Paste in the Base64 string you produced, highlight it, right-click, select 'Convert selection', then 'URL', and then 'URL-encode key characters'.

  • Why do we do this? — The web server expects the data parameter in encoded form (which is why the captured value looked like a hash), so the logical thing to do is encode our modified input the same way so that the web server can decode it.

Upon clicking send, we get:

Yes! The injected changes are reflected in the response tab! This means the server is parsing our XML and is vulnerable to an XXE injection attack.

Aim — we want to retrieve the /etc/passwd file (to capture some credentials and to confirm that the XML injection can actually read files).

XXE Payload Entity Example:
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&example;</lastName>
</userInfo>

We follow the XML File Disclosure example from PayloadBox.

Relating it to the payload we want to inject, we do the following:

What the injection does:
  • Declare an entity named file
  • Point it at the file we want (/etc/passwd)
  • Reference &file; in the <reward> field so that the parser substitutes the file's contents and the response displays the passwd file

We take the encoded string from the image above, paste it into Repeater, URL-encode it, and send the request.
We get:

We see one user (uid 1000) named Development (probably the 'test' account).

We don't have a password yet, so let's target the /etc/shadow file.
I tried many times with path traversal and direct path references (after making the changes, hashing them, and inserting them into data), but the response never brought back anything useful.
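As an added example that is not part of the box or this post, here is how the server side of log_submit.php could have refused the injection described above: decode the base64 data parameter, reject any DOCTYPE or ENTITY declaration before it reaches the XML parser, and accept only the expected elements. It uses only the Python standard library; the element names are an assumption based on the fields mentioned (Title, CWE, Reward), and both sample submissions are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Element names are an assumption modelled on the fields the walkthrough lists
# (Title, CWE, Reward); the real log_submit.php form may use different names.
ALLOWED_FIELDS = ("title", "cwe", "reward")

# A bug report never needs a DTD, and the DOCTYPE is what carries an
# <!ENTITY file SYSTEM "file:///..."> declaration, so refuse it before parsing.
DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)

class UnsafeDocument(ValueError):
    """Submission rejected by a check other than XML syntax."""

def parse_report(data_b64: str) -> dict:
    """Decode the base64 'data' parameter and return the report fields."""
    raw = base64.b64decode(data_b64, validate=True)   # ValueError on bad base64
    if DTD_MARKER.search(raw):
        raise UnsafeDocument("DTD or entity declarations are not accepted")
    # Second layer: xml.etree never fetches external entities, and an
    # undeclared &file; reference raises ParseError instead of expanding.
    root = ET.fromstring(raw)
    if root.tag != "bugreport":
        raise UnsafeDocument(f"unexpected root element <{root.tag}>")
    fields = {}
    for child in root:
        if child.tag not in ALLOWED_FIELDS or len(child):
            raise UnsafeDocument(f"unexpected element <{child.tag}>")
        fields[child.tag] = (child.text or "").strip()
    return fields

def report_is_accepted(data_b64: str) -> bool:
    """True when a submission passes every check, False when it is rejected."""
    try:
        parse_report(data_b64)
        return True
    except (UnsafeDocument, ET.ParseError, ValueError):
        return False

# Constructed samples, base64-encoded the way the form sends its data parameter.
BENIGN = base64.b64encode(
    b"<bugreport><title>Noel hac</title><cwe>CWE-611</cwe><reward>100</reward></bugreport>"
).decode()
# Same shape as the walkthrough's payload: declare &file;, reference it in <reward>.
XXE = base64.b64encode(
    b'<?xml version="1.0"?><!DOCTYPE bugreport [<!ENTITY file SYSTEM "file:///etc/passwd">]>'
    b"<bugreport><title>x</title><cwe>x</cwe><reward>&file;</reward></bugreport>"
).decode()
```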

GAINING AND MAINTAINING ACCESS

What we need to do now is target the file db.php on the vulnerable machine.

For that, we need to make minor tweaks to our XXE payload so that it points at that file.

Following the XXE File Disclosure injection example and making the tweaks to our XML, we get:

Taking this encoded string, inserting it into the request, and performing the URL encoding, we press send to get a response back.

Taking a closer look at the response, we get an encoded string, which we decode using Decoder.
We decode it to get:

  • Test username — test
  • DB username — admin
  • DB password — m19RoAU0hP41A41sTsq6K

We tried connecting to a SQL database that might be hidden somewhere, but every connection attempt was declined, as no SQL server exists.

We tried SSH logins as bounty, admin and Development, and failed. It did not strike me that 'development' could also be a username!

ssh development@10.10.11.100
Enter the DB password recovered from db.php when prompted (the same password is reused for the SSH account).

We are in! Running ls gives us the user flag.

Along with the user.txt, we find a file named contract.txt

We have full permissions on

Inside /tmp, we find a file named root.md.

Also within /tmp, we have a directory named skytrain_inc, which in turn contains a directory named 'invalid tickets' and a Python script named ticketValidator.py.

When running the Python script, it asks for one parameter, the path of the ticket file, as seen in the image below:

If all conditions within the script are fulfilled, it reports the .md file as a valid ticket; otherwise, as invalid.

Example of an invalid ticket:

(Why is it invalid? Because there is a problem with the way the Python script validates whether a ticket is valid or not.)

PRIVILEGE ESCALATION

I did spend a lot of time going through the code, wondering whether there was an error in the logic of the program.

It seems we don't have to do much work here.
Let's just pass root.md as the parameter to the Python script, running it with sudo since we have full permissions:

  • Command — sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py

Parameter passed — root.md
We get a root shell! There is no feeling like it.

Traversing to /root, we retrieve our root flag

REPORTING

Well, there you have it!

What I learned:

  • XXE injection (this is the first time I have come across this concept and applied it hands-on). PayloadBox helped me craft the injection packet
  • Usage of Burp Decoder

Conclusion:

  • This is an easy-level box if you are familiar with XXE injection
  • Privilege escalation was a piece of cake
  • Burp Suite is a true Swiss army knife. Very helpful for this box

Thanks for reading this blog entry and making it all the way here. Until next time, there must be some more vulnerable boxes out there for me to pwn...
