BountyHunters HacktheBox

Kapil Verma
Jun 26, 2022

A basic nmap scan shows ports 22 and 80; we will still go for a full scan.

command: nmap -sC -sV -p- -oN bounty-hunter.nmap 10.10.11.100

Anyway, the full scan also shows only 2 ports.

Port 80 has a website:

Upon directory listing we get some directories and files, but nothing much there.

db.php was interesting, but it was not giving any output.

Now I tried to intercept the request, and somewhere in it there was data travelling in Base64 + URL-encoded format.

Upon decoding the data we see that it is XML, so the very basic XML attack to try is XXE, or as we call it, XML injection.

So without wasting much more time, I searched for some XXE payloads.

Similarly, there were many more payloads, but first we need a username, and for that we need to read the passwd file.

Now encoding it to Base64 and then URL encoding it.

From the response we understood that the user is development.

Now again trying to see what’s in the db.php file using the XML injection attack payload.

For this we can use the PHP access control bypass payload.

We just need to modify it as per our requirement.

Now let’s send this after encoding it to Base64 and then URL encoding it.

Sending the request from Burp:

We got an encoded response. Let’s decode it.

Now we use the password from the above db.php response and the username development to SSH in as the development user.

Browsing through the /home/development directory, you can get the user flag.
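
Looking back at the XXE step from the defending side, as an added example that is not part of the original write-up or the target application's code: a Python gate that decodes a URL + Base64 parameter like the one described above and refuses any XML carrying a DOCTYPE or entity declaration before it is parsed. The function names, element names and sample payloads are constructed for illustration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote_plus

# A data-only submission never needs a DTD, so any DOCTYPE or ENTITY
# declaration is refused outright (conservative: also trips inside comments).
_FORBIDDEN = re.compile(r"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


class RejectedXML(ValueError):
    """Raised when the submitted value must not reach the XML parser."""


def encode_param(xml_text: str) -> str:
    """Build a constructed sample: Base64, then URL encoding."""
    return quote(base64.b64encode(xml_text.encode("utf-8")).decode("ascii"), safe="")


def parse_untrusted(value: str) -> ET.Element:
    """Decode URL+Base64 input and parse it only if it carries no DTD."""
    try:
        raw = base64.b64decode(unquote_plus(value), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise RejectedXML("not valid Base64") from exc
    try:
        # Forcing UTF-8 stops UTF-16 or other encodings hiding "<!DOCTYPE"
        # from the pattern check below.
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise RejectedXML("payload is not UTF-8") from exc
    if _FORBIDDEN.search(text):
        raise RejectedXML("DOCTYPE/ENTITY declaration present")
    try:
        # Parsing the str (not the bytes) keeps the parser on the same
        # decoding that was just inspected.
        return ET.fromstring(text)
    except ET.ParseError as exc:
        raise RejectedXML("malformed XML") from exc


def is_accepted(value: str) -> bool:
    """True when the value decodes and parses without being rejected."""
    try:
        parse_untrusted(value)
        return True
    except RejectedXML:
        return False


# Constructed samples (element names and the file URL are placeholders).
BENIGN = encode_param("<report><title>demo</title></report>")
WITH_DTD = encode_param('<!DOCTYPE r [<!ENTITY x SYSTEM "file:///constructed/placeholder">]>'
                        "<report><title>&x;</title></report>")
```

A pattern gate like this is a second layer; the parser behind it should still be configured not to load DTDs or expand external entities.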

Now privilege escalation.

Using our easy sudo -l technique.

So there’s one ticketvalidator.py script; we need to see what’s in the script.

So reading the script, we can understand that it looks for a .md file and opens it in read mode.

Let’s create one file for the script.

However, the above file might have had some error, so it couldn’t read root.txt, so I created another file which sends a reverse shell to my attacker machine.

On a different terminal we started a netcat listener on port 1234.

Browsing to /root/root.txt, we can get the root flag.
