# HackTheBox-BountyHunter

## NMAP

```bash
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## PORT 80 (HTTP)

We can see this is just a plain HTML page being served by the webserver. Going to the portal, it says that it's under development, which takes us to the Bounty Reporting System. But when we submit details to the reporting system, they just don't get saved.

So here let's run `gobuster` and fuzz for files and directories.

We can't visit `/assets` as it's forbidden for us. Checking the `/resources` folder we do see some files.

From `README.txt` it seems that the reporting system isn't connected to a database. It also mentions disabling the test account, so maybe we can log in somewhere, but for now I don't think there's a login page.

Moving on and checking `bountylog.js`, we can see a URL which points to `tracker_diRbPr00f314.php`. So let's use Burp Suite and try intercepting that reporting system to see if it's actually sending data somewhere.

It is making a POST request to that page and sending the data base64-encoded.

So this means here we need to do what is called XXE (XML External Entity). XXE basically allows us to read local files like `/etc/passwd`, and sensitive files like a PHP file's source code that the browser doesn't reveal, so we can steal information that could be passwords or other sensitive data. It affects an application that parses XML input.
We can add a variable called an `Entity`, which we define inside a `DTD` (Document Type Definition) that looks like this:

```xml
```

The DOCTYPE declaration is where we declare elements, attributes, entities, and notations. So in the DTD we define an entity:

```xml
```

This is an external entity, as we are accessing something that isn't declared in the current XML; external entities are defined with the `SYSTEM` keyword. If we combine this together it will look like this:

```xml
]>
```

Now in this scenario our XML input looks like this:

```xml
SQLI
IDK
4.4
99
```

Including our XXE payload:

```xml
]>
&arz;
IDK
4.4
99
```

Notice that `&arz;` is the variable, or entity, that we defined, and we are referencing it in `title`. So let's base64-encode it and then URL-encode it so it can be parsed.

And we have performed XXE and successfully read the `/etc/passwd` file, which means we can read `db.php` as well by using the PHP filter `php://filter/convert.base64-encode/resource=index.php`. The filter base64-encodes the PHP source before the interpreter gets a chance to execute it, so instead of running the page the entity returns its source as base64 text, which we can decode to see the whole source code.

```xml
]>
&example;
IDK
4.4
99
```

From `/etc/passwd`, the only user with a `bash` login shell is `development`, so we can try this password over SSH.

On running `sudo -l` we can see that we are allowed to run a Python script as root.

To break down that Python script: it first asks for the path of a markdown (`.md`) file and then runs the `load_file` function. This function checks whether the file name ends with the markdown extension; if it does, it opens and reads the file, then passes its contents to the `evaluate` function.

The first part of `evaluate` checks that the markdown file starts with `# Skytrain Inc`; if not, it returns false and the program ends, otherwise it continues. The second part checks whether
the second line contains `## Ticket to`; if not, it returns false and ends the program, otherwise it continues. The third check is whether the next line of the markdown starts with `__Ticket Code:__`, and it is handled the same way as the previous ones.

The fourth part of this function is the important one, as it will only evaluate the file if the number between the asterisks leaves a remainder of `4` when divided by `7`, and that number must also be greater than `100`. Here the text is split on `+`, which produces a list, and only the first element of that list is checked.

This part is where we can do code injection. So first let's make our markdown file:

```
# Skytrain Inc
## Ticket to
__Ticket Code:__
**102**+__import__('os').system('whoami')
```

We have `102`, which divided by `7` leaves a remainder of `4`, and after that we added `+` followed by an import of the `os` module to run the shell command `whoami`. So the `eval` call will receive the value `102+__import__('os').system('whoami')`, and at runtime it will import the `os` module into the Python script and execute the command. So we can just replace `whoami` with a bash reverse shell.

## References

https://research.cs.wisc.edu/mist/SoftwareSecurityCourse/Chapters/3_8_3-Code-Injections.pdf
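The reporting form described above sends its XML base64-encoded and URL-encoded, so a request log or WAF rule has to undo both layers before it can see a DOCTYPE or ENTITY declaration. The following detector is an added example (not code from the box or the writeup): it reverses that encoding and flags the XXE indicators the writeup explains (an `ENTITY` declared with `SYSTEM`, `file://` and `php://` URIs). The `bugreport`/`title`/`cwe`/`cvss`/`reward` element names in the constructed samples are assumptions.

```python
import base64
import re
from urllib.parse import quote, unquote

# Indicators of an XML External Entity attempt in a submitted bug report.
# Constructed for this example from the technique the writeup describes.
XXE_PATTERNS = {
    "doctype": re.compile(r"<!DOCTYPE", re.IGNORECASE),
    "entity_decl": re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)", re.IGNORECASE),
    "file_uri": re.compile(r"file://", re.IGNORECASE),
    "php_wrapper": re.compile(r"php://", re.IGNORECASE),
}


def decode_report(data_param: str) -> str:
    """Reverse the form's encoding: URL-decode, then strict base64-decode."""
    raw = unquote(data_param)
    raw += "=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    return base64.b64decode(raw, validate=True).decode("utf-8", errors="replace")


def find_xxe_indicators(data_param: str) -> list:
    """Names of the XXE indicators present in the decoded report body."""
    try:
        xml_text = decode_report(data_param)
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return ["undecodable_payload"]
    return [name for name, pat in XXE_PATTERNS.items() if pat.search(xml_text)]


def classify(data_param: str) -> str:
    """block: entity/URI indicator seen; review: DOCTYPE or undecodable; ok: clean."""
    hits = set(find_xxe_indicators(data_param))
    if hits & {"entity_decl", "file_uri", "php_wrapper"}:
        return "block"
    return "review" if hits else "ok"


def encode_report(xml_text: str) -> str:
    """Build a request body the way the form does (base64, then URL-encode)."""
    return quote(base64.b64encode(xml_text.encode()).decode(), safe="")


# Constructed samples; element names are assumed, not taken from the target.
BENIGN_REQUEST = encode_report(
    "<bugreport><title>SQLI</title><cwe>IDK</cwe><cvss>4.4</cvss><reward>99</reward></bugreport>"
)
XXE_REQUEST = encode_report(
    '<!DOCTYPE bugreport [<!ENTITY arz SYSTEM "file:///etc/passwd">]>'
    "<bugreport><title>&arz;</title><cwe>IDK</cwe><cvss>4.4</cvss><reward>99</reward></bugreport>"
)
```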
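The root cause in the ticket script is that the format checks look only at the text before `+` while `eval` sees the whole line. As an added example (not the box's script), the validator below applies the same rules the writeup lists (`# Skytrain Inc`, `## Ticket to`, `__Ticket Code:__`, a code above 100 with remainder 4 mod 7) but extracts the number with a regex instead of `eval`, so the injected ticket is rejected outright; `naive_ticket_number` mirrors the weak check for comparison, and its stripping of `**` is an assumption about the original.

```python
import re

HEADER_LINES = ("# Skytrain Inc", "## Ticket to", "__Ticket Code:__")
# Only a bare integer wrapped in double asterisks is an acceptable code line.
TICKET_CODE = re.compile(r"^\*\*(\d{1,9})\*\*$")


def naive_ticket_number(line: str):
    """Mirror of the weak check the writeup describes: strip '**', split on '+'
    and inspect only the first element, so anything after '+' is never seen."""
    first = line.replace("**", "").split("+")[0]
    return int(first) if first.isdigit() else None


def code_is_acceptable(number: int) -> bool:
    """The business rule from the writeup: greater than 100 and remainder 4 mod 7."""
    return number > 100 and number % 7 == 4


def validate_ticket(markdown: str) -> bool:
    """Strict validator: structural checks plus a regex-parsed integer; no eval()."""
    lines = markdown.splitlines()
    if len(lines) < 4:
        return False
    for expected, actual in zip(HEADER_LINES, lines[:3]):
        if not actual.startswith(expected):
            return False
    match = TICKET_CODE.fullmatch(lines[3].strip())
    if match is None:
        return False  # '**102**+...' fails here instead of being evaluated
    return code_is_acceptable(int(match.group(1)))


# Constructed tickets: a legitimate one and the injected one from the writeup.
GOOD_TICKET = "# Skytrain Inc\n## Ticket to\n__Ticket Code:__\n**102**\n"
BAD_CODE_TICKET = "# Skytrain Inc\n## Ticket to\n__Ticket Code:__\n**101**\n"
INJECTED_TICKET = (
    "# Skytrain Inc\n## Ticket to\n__Ticket Code:__\n"
    "**102**+__import__('os').system('whoami')\n"
)
```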