HackTheBox: BountyHunter
XXE and Abusing Python’s eval function for Privilege Escalation
--
FootHold
Nmap
All Ports
nmap -Pn -n --open -vv -p- -oA recon/nmap/all-ports bounty
A full port scan using Nmap (-p-) returned two ports that were open: 22 and 80.
Service Fingerprinting
nmap -Pn -n -vv -p 22,80 -sV -sC -oA recon/nmap/service-scan bounty
A service fingerprinting scan using Nmap (-sV) informs us that the SSH version running on the machine is OpenSSH 8.2p1 and we also learn that Apache v2.4.41 is also running on this machine.
Nothing immediately actionable is returned from the Nmap scans, however, we do have an HTTP server that can be further enumerated. The SSH version is pretty recent and SSH is normally secure so I won’t go down that rabbit hole.
Gobuster
gobuster dir -u http://bounty.htb -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -t 15 -q --no-error -o recon/gobuster/bounty-root.dirsUpon visiting the /resources folder, I discover a README.txt file containing the following information:
Tasks:[ ] Disable 'test' account on portal and switch to hashed password. Disable nopass.
[X] Write tracker submit script
[ ] Connect tracker submit script to the database
[X] Fix developer group permissionsI also identify that the server is running PHP because the main page has a link going to portal.php :
Since I now know that this server is running PHP, I’ll do some more brute forcing to see if I can find any other TXT or PHP files with the following command:
gobuster dir -u http://bounty.htb -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -x php,txt -t 15 -q --no-error -o recon/gobuster/bounty-root.files
