In this post, I would like to share a walkthrough of the BountyHunter Machine from HackTheBox
This room has been considered difficulty rated as an Easy machine on HackThebox
What will you gain from the BountyHunter machine?
For the user flag, you will need to locate an XML External Entity vulnerability on the website here you will get user privileges to access via BurpSuite
As for the root flag, you will need to find the SUID file permission that we can use to escalate to the root. From there, we need to create a ticket code file where it will execute the command of our choice
Information Gathering
Once we have started the VPN connection which requires to download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s open the browser and straight into the website interface.
On the website interface, we didn’t see any useful information for any escalation to the server.
However, we did see the Portal Link where it re-directs to a different webpage. There’s a here link that appears as shown in the screenshot above.
Gaining Privileges Access
A website interface such as Bounty Report System – Beta will appear just like the screenshot above.
Let’s test the beta system by inserting a single character on the Bounty Report System Beta website
Based on the result found during the burp suite activity, we managed to notice that data have been base64 encode
As a result, we can sight there’s an XML code from decoded the base64
Let’s run gobuster tool to enumerate further for any file or directory. The command that we can use in this activity is as below:
gobuster dir -u <ip> -w /<Path to>/Seclists/Discovery/Web-Content/big.txt
We have failed to get any files that look interesting to us.
Let’s run again gobuster but with an additional command (-x php) this time. It does resulting show a few PHP file extensions stored in the website such as db.php, index.php and more.
Why search for PHP files on the website?
It’s because I did notice there’s a file extension of PHP when browsing to Portal webpage.
We will encode the XML code into base64 code using the CyberChef Interface such as shown above.
We need to copy-paste the base64 code that we obtain from the CyberChef website on the data= at the bottom of the Request Packet. The Response that we will be retrieving can be seen in the Response column
We need to modify the XML code and need to encode it into Base64 code so that we can do the same process as previously.
In the title column, we can see some base64 code which we should decode so that we can fully read the code in plain text
We managed to get the password while decoding the base64. However, we are still clueless about the username and password that we obtained recently
The credentials that we have gotten such as below:
username: development
password: m19RoAU0hP41A1sTsq6K
Maintaing Priviliges Access
After looking carefully at the Nmap result, I notice that the SSH service port is open, and let’s access the machine via SSH service using the credentials above
Voila! We managed to access the machine.
We can read the user flag by executing the “cat user.txt” command
Escalate to Root Privileges Access
We should be able to find out the SUID file that can be used to escalate to Root by executing the command “sudo -l“
Let’s create the code and save it as anyname.md
We should be able to read the root flag by executing the command “sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py“
We need to enter the file that we saved earlier.
Another alternative to get a root flag is by changing the command ‘cat /root/root.txt” to ‘bash‘
You just need to read the root flag from /root/ Directory and enter the flag on the BountyHunter submit flag column
-THE END-
Happy Learning Guys!
Extra Information
We can go to /etc/shadow to unlock the write-up
One response
Nice writeup