HackTheBox: BountyHunter Walkthrough


This is the target site. There are three sections on the site.


Let’s scan for open ports with Nmap

Command: nmap -A

We have two open ports.

Find the appropriate extensions to the link via Dirb.

Command: dirb

Let’s look at the link

We know that the database is inside .php files. So let’s use it in a search

Command: dirb -X .php

We found the db.php file

Let’s take a look at the burp

We came to this site using a link in the portal section and found a strange information file here


Since it is a hash, you need to decode it first.

Let’s decode it first as Url and then as Base64.

And here we found the xml vulnerability on the site. It is enough to do research to exploit it.

Let’s choose the required payload

Let’s change the payload we find according to ourselves.

And let’s hash again for system recognition

First Base64 encode the next Url

Then let’s look at the answer through burp

Now we have found the username.

Let’s check the contents of the .php document we found earlier.

To do this, select the appropriate payload

Let’s make changes.

Let’s look at the answer

In response, let’s decode a hash code and look at the answer.

We found some important information.

Our 22 port was open. Try to connect

Gaining Access

Command: ssh development@

Find the user flag

Findout the user flag and submit to htb.

Now let’s get to the root

Command: sudo -l

Let’s check the file

Command: cat ‘Location of the file’

We learned by reading this python script that this script requires us to enter a file name and a file name ending in .md. If the condition is met, the script opens the file and looks for the next condition.

Let’s write a file to allow it to fulfill the .md conditions

Command: nano test.md

# Skytrain Inc
## Ticket to
__Ticket Code:__
**200+ 24 == 224 and __import__(‘os’).system(‘cat /root/root.txt’) == False

Let’s check

Findout the root flag and submit to htb.

Good h4cks)