Hello everyone, here we will consider the solution of the BountyHunter machine, which can be found on the special platform Hack The Box. Well, below is a description of the machine itself and its specific parameters, including the ip-address.

1. First you need to go to the site itself and study it carefully. We have a rather primitive service that can provide information about vulnerabilities. But the trouble is, the service does not work correctly, or rather, the functionality of providing data on vulnerabilities does not work. AND BUG Service
2. Well, now you need to do some exploration and see what this site is fraught with.

To begin with, you can use the nmap tool, you need to find out which ports are open (look outside) and analyze the overall picture of the service structure

~$ nmap -Pn -A 10.10.11.100

The fact that ports 22 and 80 are open is good news, as an option for the future it is possible to brute force port 22 of ssh, but this is a bad idea. I think it's better to find ssh credentials information somewhere...

Now I want to look diffrent possible paths which include this service And I'm going to use dirsearch tool, which you can easily find on github - https://github.com/maurosoria/dirsearch

~$ ./dirsearch.py -u 10.10.11.100

That's what i get btw:

There are a couple of interesting local files here, db.php is empty, but we find something interesting in the README ...

3. We have collected some information for a more successful injection on the server. Well, what interested me the most was the submit.php path. I decided to use Burp Suite to intercept and modify server requests. How example i tried look on this page:

I gues we can find here xml

Next step is to research Bounty Report System:

I push POST request on the server and get this Responce

Data is base64 encoded xml, the next step I am convinced of this

4. Now we need to figure out how to exploit the xxe vulnerability associated with the injection of additional parameters into the xml, which the server will then return to us.

   For more information about XXE look here:

   • https://cisoclub.ru/rukovodstvo-po-xxe-injection/ - XXE Injection Guide

   • https://gist.github.com/staaldraad/01415b990939494879b4) - XXE_payloads

   And so, I tried to implement DOCTYPE foo ENTITY for / etc / passwd. I could not successfully run xxe through Burp Suite, so I decided to use the developer's console in the browser. But in any case, I suggest that you try to write your own xxe and remember to encode the xml in base64, then add new data, send a request and see what the server will give you. In my case, I used pure xml code and return secret (btoa (xml))

   

I find here user development maybe he will be usefull in future

Here I used xxe to locally connect to the db.php file...

Well done! We find xml data in base64. Only what we need just decrypt and look on it!

5. Decrypt our Data. Here is some very interesting information

I tried to connect server by 22 ssh port using bounty and admin names but it didn't work. Then I remembered about development user and entering password from xml data

~$ ssh [email protected] 

~$ cat user.txt  

We have out user flag, well done!