📦 HTB - BountyHunter
<time datetime="2021-07-29 14:00:00 +0000 UTC">29 July 2021</time><span class="px-2 text-primary-500">·</span><span>192 words</span><span class="px-2 text-primary-500">·</span><span title="Reading time">1 min</span><span class="px-2 text-primary-500">·</span><span>
<span id="views_posts/HTB BountyHunter/index.md" title="views">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512">
<path fill="currentColor" d="M288 32c-80.8 0-145.5 36.8-192.6 80.6C48.6 156 17.3 208 2.5 243.7c-3.3 7.9-3.3 16.7 0 24.6C17.3 304 48.6 356 95.4 399.4C142.5 443.2 207.2 480 288 480s145.5-36.8 192.6-80.6c46.8-43.5 78.1-95.4 93-131.1c3.3-7.9 3.3-16.7 0-24.6c-14.9-35.7-46.2-87.7-93-131.1C433.5 68.8 368.8 32 288 32zM432 256c0 79.5-64.5 144-144 144s-144-64.5-144-144s64.5-144 144-144s144 64.5 144 144zM288 192c0 35.3-28.7 64-64 64c-11.5 0-22.3-3-31.6-8.4c-.2 2.8-.4 5.5-.4 8.4c0 53 43 96 96 96s96-43 96-96s-43-96-96-96c-2.8 0-5.6 .1-8.4 .4c5.3 9.3 8.4 20.1 8.4 31.6z"/></svg>
</span>
</span>
</span><span class="px-2 text-primary-500">·</span><span>
<span id="likes_posts/HTB BountyHunter/index.md" title="likes">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
<path fill="currentColor" d="M47.6 300.4L228.3 469.1c7.5 7 17.4 10.9 27.7 10.9s20.2-3.9 27.7-10.9L464.4 300.4c30.4-28.3 47.6-68 47.6-109.5v-5.8c0-69.9-50.5-129.5-119.4-141C347 36.5 300.6 51.4 268 84L256 96 244 84c-32.6-32.6-79-47.5-124.6-39.9C50.5 55.6 0 115.2 0 185.1v5.8c0 41.5 17.2 81.2 47.6 109.5z"/></svg>
</span>
</span>
</span><span class="px-2 text-primary-500">·</span><span>
<button id="likes_button"
class="rounded-md border border-primary-400 px-1 py-[1px] text-xs font-normal text-primary-700 dark:border-primary-600 dark:text-primary-400"
onclick="process_article()">
<span id="likes_button_heart" style="display:none" class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
<path fill="currentColor" d="M47.6 300.4L228.3 469.1c7.5 7 17.4 10.9 27.7 10.9s20.2-3.9 27.7-10.9L464.4 300.4c30.4-28.3 47.6-68 47.6-109.5v-5.8c0-69.9-50.5-129.5-119.4-141C347 36.5 300.6 51.4 268 84L256 96 244 84c-32.6-32.6-79-47.5-124.6-39.9C50.5 55.6 0 115.2 0 185.1v5.8c0 41.5 17.2 81.2 47.6 109.5z"/></svg>
</span>
</span>
<span id="likes_button_emtpty_heart" class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
<path fill="currentColor" d="M244 84L255.1 96L267.1 84.02C300.6 51.37 347 36.51 392.6 44.1C461.5 55.58 512 115.2 512 185.1V190.9C512 232.4 494.8 272.1 464.4 300.4L283.7 469.1C276.2 476.1 266.3 480 256 480C245.7 480 235.8 476.1 228.3 469.1L47.59 300.4C17.23 272.1 0 232.4 0 190.9V185.1C0 115.2 50.52 55.58 119.4 44.1C164.1 36.51 211.4 51.37 244 84C243.1 84 244 84.01 244 84L244 84zM255.1 163.9L210.1 117.1C188.4 96.28 157.6 86.4 127.3 91.44C81.55 99.07 48 138.7 48 185.1V190.9C48 219.1 59.71 246.1 80.34 265.3L256 429.3L431.7 265.3C452.3 246.1 464 219.1 464 190.9V185.1C464 138.7 430.4 99.07 384.7 91.44C354.4 86.4 323.6 96.28 301.9 117.1L255.1 163.9z"/></svg>
</span>
</span>
<span id="likes_button_text"> Like</span>
</button>
</span><span class="px-2 text-primary-500">·</span>
<span class="mb-[2px]">
<a
href="https://github.com/OxNinja/blog"
class="text-lg hover:text-primary-500"
rel="noopener noreferrer"
target="_blank"
title="Edit content"
><span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path fill="currentColor" d="M490.3 40.4C512.2 62.27 512.2 97.73 490.3 119.6L460.3 149.7L362.3 51.72L392.4 21.66C414.3-.2135 449.7-.2135 471.6 21.66L490.3 40.4zM172.4 241.7L339.7 74.34L437.7 172.3L270.3 339.6C264.2 345.8 256.7 350.4 248.4 353.2L159.6 382.8C150.1 385.6 141.5 383.4 135 376.1C128.6 370.5 126.4 361 129.2 352.4L158.8 263.6C161.6 255.3 166.2 247.8 172.4 241.7V241.7zM192 63.1C209.7 63.1 224 78.33 224 95.1C224 113.7 209.7 127.1 192 127.1H96C78.33 127.1 64 142.3 64 159.1V416C64 433.7 78.33 448 96 448H352C369.7 448 384 433.7 384 416V319.1C384 302.3 398.3 287.1 416 287.1C433.7 287.1 448 302.3 448 319.1V416C448 469 405 512 352 512H96C42.98 512 0 469 0 416V159.1C0 106.1 42.98 63.1 96 63.1H192z"/></svg>
</span>
</span></a
>
</span>
HTB
htb
writeup
Table of Contents
⚠️ writeup wrote months after root so informations are not accurate.
TL;DR #
JS source code disclosure to forge internal requests, leak PHP source code with XXE in custom request, get DB credentials. Privesc with code injection in custom code without input validation.
Recon #
Only HTTP and SSH, nothing special.
Footholds #
We have here a simple web server, with custom SJ script to send bounty tickets. The portal tells us to go to /log_submit.php, here we have a custom XHR launched towards an internal API dirb_pr00f314.php. We see that XML is posted here so lets try a classic XXE:
We can leak source code with this, here are the files I got: db.php.
We get credentials:
1<?php
2// TODO -> Implement login system with the database.
3$dbserver = "localhost";
4$dbname = "bounty";
5$dbusername = "admin";
6$dbpassword = "m19RoAU0hP41A1sTsq6K";
7$testuser = "test";
8?>
With leaking /etc/passwd we got our target, the user developement. We can SSH eith the $dbpassword.
Privesc #
Basic sudo -l:
From that we have a local script to validate tickets: ticketValidator.py.
Here we see an obvious code injection vulnerability in a custom ticket:
We cat get root:
Related
📦 HTB - Explore
<time datetime="2021-07-29 13:00:00 +0000 UTC">29 July 2021</time><span class="px-2 text-primary-500">·</span><span>268 words</span><span class="px-2 text-primary-500">·</span><span title="Reading time">2 mins</span><span class="px-2 text-primary-500">·</span><span>
<span id="views_posts/HTB Explore/index.md" title="views">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512">
<path fill="currentColor" d="M288 32c-80.8 0-145.5 36.8-192.6 80.6C48.6 156 17.3 208 2.5 243.7c-3.3 7.9-3.3 16.7 0 24.6C17.3 304 48.6 356 95.4 399.4C142.5 443.2 207.2 480 288 480s145.5-36.8 192.6-80.6c46.8-43.5 78.1-95.4 93-131.1c3.3-7.9 3.3-16.7 0-24.6c-14.9-35.7-46.2-87.7-93-131.1C433.5 68.8 368.8 32 288 32zM432 256c0 79.5-64.5 144-144 144s-144-64.5-144-144s64.5-144 144-144s144 64.5 144 144zM288 192c0 35.3-28.7 64-64 64c-11.5 0-22.3-3-31.6-8.4c-.2 2.8-.4 5.5-.4 8.4c0 53 43 96 96 96s96-43 96-96s-43-96-96-96c-2.8 0-5.6 .1-8.4 .4c5.3 9.3 8.4 20.1 8.4 31.6z"/></svg>
</span>
</span>
</span><span class="px-2 text-primary-500">·</span><span>
<span id="likes_posts/HTB Explore/index.md" title="likes">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
<path fill="currentColor" d="M47.6 300.4L228.3 469.1c7.5 7 17.4 10.9 27.7 10.9s20.2-3.9 27.7-10.9L464.4 300.4c30.4-28.3 47.6-68 47.6-109.5v-5.8c0-69.9-50.5-129.5-119.4-141C347 36.5 300.6 51.4 268 84L256 96 244 84c-32.6-32.6-79-47.5-124.6-39.9C50.5 55.6 0 115.2 0 185.1v5.8c0 41.5 17.2 81.2 47.6 109.5z"/></svg>
</span>
</span>
</span>
HTB
htb
writeup
📦 HTB - Cap
<time datetime="2021-07-28 16:00:00 +0000 UTC">28 July 2021</time><span class="px-2 text-primary-500">·</span><span>519 words</span><span class="px-2 text-primary-500">·</span><span title="Reading time">3 mins</span><span class="px-2 text-primary-500">·</span><span>
<span id="views_posts/HTB Cap/index.md" title="views">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512">
<path fill="currentColor" d="M288 32c-80.8 0-145.5 36.8-192.6 80.6C48.6 156 17.3 208 2.5 243.7c-3.3 7.9-3.3 16.7 0 24.6C17.3 304 48.6 356 95.4 399.4C142.5 443.2 207.2 480 288 480s145.5-36.8 192.6-80.6c46.8-43.5 78.1-95.4 93-131.1c3.3-7.9 3.3-16.7 0-24.6c-14.9-35.7-46.2-87.7-93-131.1C433.5 68.8 368.8 32 288 32zM432 256c0 79.5-64.5 144-144 144s-144-64.5-144-144s64.5-144 144-144s144 64.5 144 144zM288 192c0 35.3-28.7 64-64 64c-11.5 0-22.3-3-31.6-8.4c-.2 2.8-.4 5.5-.4 8.4c0 53 43 96 96 96s96-43 96-96s-43-96-96-96c-2.8 0-5.6 .1-8.4 .4c5.3 9.3 8.4 20.1 8.4 31.6z"/></svg>
</span>
</span>
</span><span class="px-2 text-primary-500">·</span><span>
<span id="likes_posts/HTB Cap/index.md" title="likes">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
<path fill="currentColor" d="M47.6 300.4L228.3 469.1c7.5 7 17.4 10.9 27.7 10.9s20.2-3.9 27.7-10.9L464.4 300.4c30.4-28.3 47.6-68 47.6-109.5v-5.8c0-69.9-50.5-129.5-119.4-141C347 36.5 300.6 51.4 268 84L256 96 244 84c-32.6-32.6-79-47.5-124.6-39.9C50.5 55.6 0 115.2 0 185.1v5.8c0 41.5 17.2 81.2 47.6 109.5z"/></svg>
</span>
</span>
</span>
HTB
htb
writeup
📦 HTB - Ready
<time datetime="2021-03-20 10:00:00 +0000 UTC">20 March 2021</time><span class="px-2 text-primary-500">·</span><span>435 words</span><span class="px-2 text-primary-500">·</span><span title="Reading time">3 mins</span><span class="px-2 text-primary-500">·</span><span>
<span id="views_posts/HTB Ready/index.md" title="views">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512">
<path fill="currentColor" d="M288 32c-80.8 0-145.5 36.8-192.6 80.6C48.6 156 17.3 208 2.5 243.7c-3.3 7.9-3.3 16.7 0 24.6C17.3 304 48.6 356 95.4 399.4C142.5 443.2 207.2 480 288 480s145.5-36.8 192.6-80.6c46.8-43.5 78.1-95.4 93-131.1c3.3-7.9 3.3-16.7 0-24.6c-14.9-35.7-46.2-87.7-93-131.1C433.5 68.8 368.8 32 288 32zM432 256c0 79.5-64.5 144-144 144s-144-64.5-144-144s64.5-144 144-144s144 64.5 144 144zM288 192c0 35.3-28.7 64-64 64c-11.5 0-22.3-3-31.6-8.4c-.2 2.8-.4 5.5-.4 8.4c0 53 43 96 96 96s96-43 96-96s-43-96-96-96c-2.8 0-5.6 .1-8.4 .4c5.3 9.3 8.4 20.1 8.4 31.6z"/></svg>
</span>
</span>
</span><span class="px-2 text-primary-500">·</span><span>
<span id="likes_posts/HTB Ready/index.md" title="likes">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
<path fill="currentColor" d="M47.6 300.4L228.3 469.1c7.5 7 17.4 10.9 27.7 10.9s20.2-3.9 27.7-10.9L464.4 300.4c30.4-28.3 47.6-68 47.6-109.5v-5.8c0-69.9-50.5-129.5-119.4-141C347 36.5 300.6 51.4 268 84L256 96 244 84c-32.6-32.6-79-47.5-124.6-39.9C50.5 55.6 0 115.2 0 185.1v5.8c0 41.5 17.2 81.2 47.6 109.5z"/></svg>
</span>
</span>
</span>
HTB
htb
writeup
📦 HTB - Obscurity
<time datetime="2020-04-12 16:00:00 +0000 UTC">12 April 2020</time><span class="px-2 text-primary-500">·</span><span>1004 words</span><span class="px-2 text-primary-500">·</span><span title="Reading time">5 mins</span><span class="px-2 text-primary-500">·</span><span>
<span id="views_posts/HTB Obscurity/index.md" title="views">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512">
<path fill="currentColor" d="M288 32c-80.8 0-145.5 36.8-192.6 80.6C48.6 156 17.3 208 2.5 243.7c-3.3 7.9-3.3 16.7 0 24.6C17.3 304 48.6 356 95.4 399.4C142.5 443.2 207.2 480 288 480s145.5-36.8 192.6-80.6c46.8-43.5 78.1-95.4 93-131.1c3.3-7.9 3.3-16.7 0-24.6c-14.9-35.7-46.2-87.7-93-131.1C433.5 68.8 368.8 32 288 32zM432 256c0 79.5-64.5 144-144 144s-144-64.5-144-144s64.5-144 144-144s144 64.5 144 144zM288 192c0 35.3-28.7 64-64 64c-11.5 0-22.3-3-31.6-8.4c-.2 2.8-.4 5.5-.4 8.4c0 53 43 96 96 96s96-43 96-96s-43-96-96-96c-2.8 0-5.6 .1-8.4 .4c5.3 9.3 8.4 20.1 8.4 31.6z"/></svg>
</span>
</span>
</span><span class="px-2 text-primary-500">·</span><span>
<span id="likes_posts/HTB Obscurity/index.md" title="likes">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
<path fill="currentColor" d="M47.6 300.4L228.3 469.1c7.5 7 17.4 10.9 27.7 10.9s20.2-3.9 27.7-10.9L464.4 300.4c30.4-28.3 47.6-68 47.6-109.5v-5.8c0-69.9-50.5-129.5-119.4-141C347 36.5 300.6 51.4 268 84L256 96 244 84c-32.6-32.6-79-47.5-124.6-39.9C50.5 55.6 0 115.2 0 185.1v5.8c0 41.5 17.2 81.2 47.6 109.5z"/></svg>
</span>
</span>
</span>
HTB
htb
writeup
📦 HTB - Magic
<time datetime="2020-08-20 14:00:00 +0000 UTC">20 August 2020</time><span class="px-2 text-primary-500">·</span><span>543 words</span><span class="px-2 text-primary-500">·</span><span title="Reading time">3 mins</span><span class="px-2 text-primary-500">·</span><span>
<span id="views_posts/HTB Magic/index.md" title="views">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512">
<path fill="currentColor" d="M288 32c-80.8 0-145.5 36.8-192.6 80.6C48.6 156 17.3 208 2.5 243.7c-3.3 7.9-3.3 16.7 0 24.6C17.3 304 48.6 356 95.4 399.4C142.5 443.2 207.2 480 288 480s145.5-36.8 192.6-80.6c46.8-43.5 78.1-95.4 93-131.1c3.3-7.9 3.3-16.7 0-24.6c-14.9-35.7-46.2-87.7-93-131.1C433.5 68.8 368.8 32 288 32zM432 256c0 79.5-64.5 144-144 144s-144-64.5-144-144s64.5-144 144-144s144 64.5 144 144zM288 192c0 35.3-28.7 64-64 64c-11.5 0-22.3-3-31.6-8.4c-.2 2.8-.4 5.5-.4 8.4c0 53 43 96 96 96s96-43 96-96s-43-96-96-96c-2.8 0-5.6 .1-8.4 .4c5.3 9.3 8.4 20.1 8.4 31.6z"/></svg>
</span>
</span>
</span><span class="px-2 text-primary-500">·</span><span>
<span id="likes_posts/HTB Magic/index.md" title="likes">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
<path fill="currentColor" d="M47.6 300.4L228.3 469.1c7.5 7 17.4 10.9 27.7 10.9s20.2-3.9 27.7-10.9L464.4 300.4c30.4-28.3 47.6-68 47.6-109.5v-5.8c0-69.9-50.5-129.5-119.4-141C347 36.5 300.6 51.4 268 84L256 96 244 84c-32.6-32.6-79-47.5-124.6-39.9C50.5 55.6 0 115.2 0 185.1v5.8c0 41.5 17.2 81.2 47.6 109.5z"/></svg>
</span>
</span>
</span>
HTB
htb
writeup
SQLi lab solutions
<time datetime="2020-08-20 14:00:01 +0000 UTC">20 August 2020</time><span class="px-2 text-primary-500">·</span><span>1003 words</span><span class="px-2 text-primary-500">·</span><span title="Reading time">5 mins</span><span class="px-2 text-primary-500">·</span><span>
<span id="views_posts/sqli lab/index.md" title="views">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512">
<path fill="currentColor" d="M288 32c-80.8 0-145.5 36.8-192.6 80.6C48.6 156 17.3 208 2.5 243.7c-3.3 7.9-3.3 16.7 0 24.6C17.3 304 48.6 356 95.4 399.4C142.5 443.2 207.2 480 288 480s145.5-36.8 192.6-80.6c46.8-43.5 78.1-95.4 93-131.1c3.3-7.9 3.3-16.7 0-24.6c-14.9-35.7-46.2-87.7-93-131.1C433.5 68.8 368.8 32 288 32zM432 256c0 79.5-64.5 144-144 144s-144-64.5-144-144s64.5-144 144-144s144 64.5 144 144zM288 192c0 35.3-28.7 64-64 64c-11.5 0-22.3-3-31.6-8.4c-.2 2.8-.4 5.5-.4 8.4c0 53 43 96 96 96s96-43 96-96s-43-96-96-96c-2.8 0-5.6 .1-8.4 .4c5.3 9.3 8.4 20.1 8.4 31.6z"/></svg>
</span>
</span>
</span><span class="px-2 text-primary-500">·</span><span>
<span id="likes_posts/sqli lab/index.md" title="likes">0</span>
<span class="inline-block align-text-bottom">
<span class="relative block icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
<path fill="currentColor" d="M47.6 300.4L228.3 469.1c7.5 7 17.4 10.9 27.7 10.9s20.2-3.9 27.7-10.9L464.4 300.4c30.4-28.3 47.6-68 47.6-109.5v-5.8c0-69.9-50.5-129.5-119.4-141C347 36.5 300.6 51.4 268 84L256 96 244 84c-32.6-32.6-79-47.5-124.6-39.9C50.5 55.6 0 115.2 0 185.1v5.8c0 41.5 17.2 81.2 47.6 109.5z"/></svg>
</span>
</span>
</span>
article
ctf
sqli
writeup