HackTheBox – BountyHunter

┌──(rootkali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.100

┌──(rootkali)-[/home/kali/Downloads]

└─# dirb http://10.10.11.100/

http://10.10.11.100/resources/

http://10.10.11.100/resources/README.txt

┌──(rootkali)-[/home/kali/Downloads]

└─# dirb http://10.10.11.100/ -X .php

http://10.10.11.100/portal.php

Since the value is encoded (not hashed), you need to decode it first.

Decode it first as URL encoding and then as Base64.

https://ostermiller.org/calc/encode.html

https://github.com/payloadbox/xxe-injection-payload-list

Let’s adapt the payload we found to our needs.

Modified content:

Then encode it again so the application accepts it.

First Base64-encode it, then URL-encode the result.
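The same wrapping seen from the defender's side, as an added example that is not part of the original writeup: a Python check that undoes the URL and Base64 layers of a submitted field and flags DTD or external-entity declarations before the XML reaches a parser. The function names and the sample XML are constructed for illustration.

```python
import base64
import re
from urllib.parse import quote, unquote

# Any DOCTYPE or ENTITY declaration is unexpected in a simple form submission.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b")
# A DOCTYPE or entity that pulls content from a SYSTEM or PUBLIC identifier.
EXTERNAL_RE = re.compile(
    r"<!(?:ENTITY\s+(?:%\s+)?|DOCTYPE\s+)\S+\s+(?:SYSTEM|PUBLIC)\b")

# Constructed samples; element names and the file URI are placeholders.
SAMPLE_BENIGN = '<?xml version="1.0"?><report><title>test</title></report>'
SAMPLE_XXE = ('<?xml version="1.0"?>'
              '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///placeholder">]>'
              '<report><title>&x;</title></report>')


def encode_field(xml, encoding="utf-8"):
    """Wrap XML the way the writeup describes: Base64 first, then URL-encode."""
    b64 = base64.b64encode(xml.encode(encoding)).decode("ascii")
    return quote(b64, safe="")  # safe="" so '+', '/' and '=' are escaped too


def decode_field(value):
    """Undo the wrapping in reverse order: URL-decode, then Base64-decode."""
    # unquote, not unquote_plus: '+' is a Base64 character, not a space.
    raw = base64.b64decode(unquote(value), validate=True)
    # A UTF-16 BOM would otherwise hide the markup from the ASCII patterns.
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return raw.decode(enc, errors="replace")


def inspect_field(value):
    """Return what a pre-parse filter would log for one submitted field."""
    try:
        xml = decode_field(value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"error": "not valid Base64", "dtd": False, "external": False}
    return {"error": None,
            "dtd": bool(DTD_RE.search(xml)),
            "external": bool(EXTERNAL_RE.search(xml))}


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("xxe", SAMPLE_XXE)):
        print(name, inspect_field(encode_field(sample)))
```

A filter like this is a detection aid only; the fix is to configure the XML parser so it does not load DTDs or resolve external entities.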

Username: development

Let’s check the contents of the .php document we found earlier.

To do this, select the appropriate payload.

$dbusername = "admin";

$dbpassword = "m19RoAU0hP41A1sTsq6K";

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh development@10.10.11.100

Password: m19RoAU0hP41A1sTsq6K

development@bountyhunter:~$ sudo -l

development@bountyhunter:~$ cat /opt/skytrain_inc/ticketValidator.py

development@bountyhunter:~$ cd /tmp

development@bountyhunter:/tmp$ cat test.md

development@bountyhunter:/tmp$ chmod 777 test.md

Hi, I’m saksham dixit