HackTheBox: BountyHunter

XXE and Abusing Python’s eval function for Privilege Escalation

Alex Rodriguez
10 min readNov 20, 2021

--

FootHold

Nmap

All Ports

nmap -Pn -n --open -vv -p- -oA recon/nmap/all-ports bounty

A full port scan using Nmap (-p-) returned two ports that were open: 22 and 80.

Service Fingerprinting

nmap -Pn -n -vv -p 22,80 -sV -sC -oA recon/nmap/service-scan bounty

A service fingerprinting scan using Nmap (-sV) informs us that the SSH version running on the machine is OpenSSH 8.2p1 and we also learn that Apache v2.4.41 is also running on this machine.

Nothing immediately actionable is returned from the Nmap scans, however, we do have an HTTP server that can be further enumerated. The SSH version is pretty recent and SSH is normally secure so I won’t go down that rabbit hole.

Gobuster

gobuster dir -u http://bounty.htb -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -t 15 -q --no-error -o recon/gobuster/bounty-root.dirs

Upon visiting the /resources folder, I discover a README.txt file containing the following information:

Tasks:[ ] Disable 'test' account on portal and switch to hashed password. Disable nopass.
[X] Write tracker submit script
[ ] Connect tracker submit script to the database
[X] Fix developer group permissions

I also identify that the server is running PHP because the main page has a link going to portal.php :

Since I now know that this server is running PHP, I’ll do some more brute forcing to see if I can find any other TXT or PHP files with the following command:

gobuster dir -u http://bounty.htb -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -x php,txt -t 15 -q --no-error -o recon/gobuster/bounty-root.files

--

--

Alex Rodriguez

I am an Offensive Security Engineer @ Amazon who writes about cybersecurity and anything related to technology. Opinions are my own.