HackTheBox: BountyHunter Walkthrough


This is the target site. There are three sections on the site.


Let’s scan for open ports with Nmap

Command: nmap -A

We have two open ports.

Use Dirb to find valid paths under the site's URL.

Command: dirb

Let’s look at the link

We know that the database details are inside .php files, so let's restrict the search to that extension.

Command: dirb -X .php

We found the db.php file

Let's take a look at the requests in Burp.

We reached this page through a link in the portal section and found a strange piece of data here.


The value is encoded (it is not actually a hash), so we need to decode it first.

Let's decode it first as URL and then as Base64.

And here we find the XML vulnerability on the site. A little research is enough to work out how to exploit it.

Let’s choose the required payload

Let's adapt the payload we found to our target.

Then let's encode it again so that the application recognizes it.

First Base64-encode it, then URL-encode it.

Then let's look at the response in Burp.

Now we have found the username.

Let’s check the contents of the .php document we found earlier.

To do this, select the appropriate payload

Let’s make changes.

Let’s look at the answer

The response contains an encoded string; let's decode it and look at the result.

We found some important information.

Port 22 was open, so let's try to connect.

Gaining Access

Command: ssh development@

Find the user flag

Find the user flag and submit it to HTB.

Now let’s get to the root

Command: sudo -l

Let’s check the file

Command: cat 'Location of the file'

Reading this Python script, we learn that it asks for a file name and requires that name to end in .md. If that condition is met, the script opens the file and checks the next condition.

Let's write a file that satisfies the .md conditions.

Command: nano test.md

# Skytrain Inc
## Ticket to
__Ticket Code:__
**200+ 24 == 224 and __import__('os').system('cat /root/root.txt') == False

Let’s check

Find the root flag and submit it to HTB.
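The test.md file above only has an effect if the script evaluates the ticket-code line as a Python expression. As an added example (not the box's script, which this page does not reproduce), here is a validator that parses the arithmetic with ast and refuses anything else. The names safe_arith and check_ticket, the "> 100" acceptance rule and both sample tickets are assumptions constructed for illustration.

```python
import ast
import operator

# Only integer arithmetic is accepted; every other node type is refused.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def safe_arith(expr: str) -> int:
    """Evaluate integer arithmetic by walking the AST; eval() is never called."""
    if len(expr) > 64:  # keep parsing cost bounded
        raise ValueError("expression too long")

    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(ast.parse(expr.strip(), mode="eval").body)

def check_ticket(name: str, text: str) -> bool:
    """True only for a well-formed .md ticket whose code is plain arithmetic."""
    if not name.endswith(".md"):
        return False
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 4 or not (
        lines[0].startswith("# Skytrain Inc")
        and lines[1].startswith("## Ticket to")
        and lines[2].startswith("__Ticket Code:__")
        and lines[3].startswith("**")
    ):
        return False
    try:
        return safe_arith(lines[3].strip("*")) > 100  # assumed acceptance rule
    except (ValueError, SyntaxError):
        return False

# Constructed samples in the layout of the test.md file shown above.
BENIGN = "# Skytrain Inc\n## Ticket to Sample\n__Ticket Code:__\n**200+ 24**\n"
HOSTILE = ("# Skytrain Inc\n## Ticket to\n__Ticket Code:__\n"
           "**200+ 24 == 224 and __import__('os').getcwd() == False\n")

if __name__ == "__main__":
    print(check_ticket("test.md", BENIGN))   # arithmetic only
    print(check_ticket("test.md", HOSTILE))  # BoolOp/Compare/Call refused
```

Because the expression is never executed, a comparison, boolean operator or function call in the ticket-code line fails validation instead of running with the privileges granted through sudo.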

Good h4cks)




Hello, my name is Elman. I am from Azerbaijan. I wish you good days.
