HackTheBox: BountyHunter Walkthrough


This is the target site. There are three sections on the site.


Let’s scan for open ports with Nmap

Command: nmap -A

We have two open ports.

Find the appropriate extensions to the link via Dirb.

Command: dirb

Let’s look at the link

We know that the database is inside .php files. So let’s use it in a search

Command: dirb -X .php

We found the db.php file

Let’s take a look at the burp

We came to this site using a link in the portal section and found a strange information file here


Since it is a hash, you need to decode it first.

Let’s decode it first as Url and then as Base64.

And here we found the xml vulnerability on the site. It is enough to do research to exploit it.

Let’s choose the required payload

Let’s change the payload we find according to ourselves.

And let’s hash again for system recognition

First Base64 encode the next Url

Then let’s look at the answer through burp

Now we have found the username.

Let’s check the contents of the .php document we found earlier.

To do this, select the appropriate payload

Let’s make changes.

Let’s look at the answer

In response, let’s decode a hash code and look at the answer.

We found some important information.

Our 22 port was open. Try to connect

Gaining Access

Command: ssh development@

Find the user flag

Findout the user flag and submit to htb.

Now let’s get to the root

Command: sudo -l

Let’s check the file

Command: cat ‘Location of the file’

We learned by reading this python script that this script requires us to enter a file name and a file name ending in .md. If the condition is met, the script opens the file and looks for the next condition.

Let’s write a file to allow it to fulfill the .md conditions

Command: nano test.md

# Skytrain Inc
## Ticket to
__Ticket Code:__
**200+ 24 == 224 and __import__(‘os’).system(‘cat /root/root.txt’) == False

Let’s check

Findout the root flag and submit to htb.

Good h4cks)




Hello, my name is Elman. I am from Azerbaijan. I wish you a good days

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Tanzu: <June 8th> A week of “5” Live learning events & 1 Article that’s worth a read!

Syncfusion Visual Studio Extensions Support .NET 5.0 Preview 6

Syncfusion Visual Studio Extensions Support .NET 5.0 Preview 6

What does it take to deliver a successful API?

The Sherbet Weekly Scoop # 3

Avoiding Build Breakage — Essential Practices for Continuous Integration

How to Get Paid to Be a Transcriptionist

Counting The Days…

Backoff and Retry Strategy using Flows in Android

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Al1z4deh:~# echo "Welcome"

Al1z4deh:~# echo "Welcome"

Hello, my name is Elman. I am from Azerbaijan. I wish you a good days

More from Medium

TryHackMe: UltraTech

HackTheBox — Backdoor Walkthrough

HackTheBox backdoor writeup

Tryhackme crackme0019301933 writeup.

Shocker | HackTheBox writeup