Task: Full HackTheBox machine with an XML-to-HTML converter web app and Linux privilege escalation. Solution: Exploited XSLT injection via exsl:document to write a Python reverse shell through a cron job for user access, then used CVE-2024-48990 needrestart PYTHONPATH injection for root.
Conversor — HackTheBox (Full Box)
Challenge Info
| Field | Value |
|---|---|
| Platform | HackTheBox |
| Target | 10.129.1.165 |
| Category | Web / Linux Privilege Escalation |
| Difficulty | Medium |
| User Flag | aeff561c839d56cfced2c19e6ec562eb |
| Root Flag | 4f83b59aad1bc7ababce8678ff0feaed |
Overview
This is a complete HackTheBox machine involving:
- User Flag: XSLT Injection → Cron Job RCE → Credential Theft → SSH Access
- Root Flag: CVE-2024-48990 needrestart PYTHONPATH Injection → Local Privilege Escalation
PART 1: User Flag
Reconnaissance
Port Scanning
```
nmap -sV -sC 10.129.1.165
```
Results:
| Port | Service | Version |
|---|---|---|
| 22 | SSH | OpenSSH 8.9p1 |
| 53 | DNS | - |
| 80 | HTTP | Apache 2.4.52 |
The HTTP service redirects to conversor.htb, so the hostname was added to /etc/hosts:
```
echo "10.129.1.165 conversor.htb" | sudo tee -a /etc/hosts
```
Web Application Analysis
Initial Exploration
The website is an XML to HTML converter using XSLT transformation:
- User registers an account
- User uploads XML file
- User uploads XSLT stylesheet
- Server transforms XML using XSLT
- Returns HTML result
Source Code Discovery
The /about page links to a downloadable archive of the application's source code:
```
/static/source_code.tar.gz
```
```
curl -O http://conversor.htb/static/source_code.tar.gz
tar -xzf source_code.tar.gz
```
Source Code Analysis
Key File: app.py
```python
from lxml import etree

# XML Parser - SECURE configuration (XXE blocked)
parser = etree.XMLParser(
    resolve_entities=False,  # No XXE
    no_network=True,         # No external requests
    dtd_validation=False,
    load_dtd=False
)
xml_tree = etree.parse(xml_path, parser)

# XSLT Parser - INSECURE configuration (no restrictions!)
xslt_tree = etree.parse(xslt_path)  # Default parser = vulnerable!
transform = etree.XSLT(xslt_tree)
```
...
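As an added example (not code from the challenge app or from the writeup), the script below contrasts the two configurations the app.py excerpt shows, covering both the converter flow described under Initial Exploration and the parser analysis above. It reuses the restricted `XMLParser` the app already applies to the XML input for the stylesheet as well, and adds lxml's `XSLTAccessControl`, which the app leaves at libxslt's permissive default. `attempt_file_write()` runs a constructed stylesheet that asks `exsl:document` to write a harmless file into a temporary directory: with no access control the file appears, with `DENY_ALL` libxslt refuses the write and aborts the transform. The names `SAFE_PARSER`, `HARDENED_ACCESS`, `render_html`, `attempt_file_write` and both sample documents are assumptions of this example.

```python
"""Added example: hardening an lxml XML-to-HTML converter against XSLT file writes.
Not the challenge application's code; all names and sample documents are constructed."""
import os
import tempfile

from lxml import etree

# The same restrictions the writeup shows the app applying to the XML input,
# reused here for the uploaded stylesheet too.
SAFE_PARSER = etree.XMLParser(
    resolve_entities=False,  # no XXE
    no_network=True,         # no external fetches while parsing
    dtd_validation=False,
    load_dtd=False,
)

# libxslt security preferences: deny document() reads, exsl:document / xsl:document
# writes, directory creation and all network access during the transform.
HARDENED_ACCESS = etree.XSLTAccessControl.DENY_ALL

# Constructed sample input (not from the challenge).
SAMPLE_XML = b"<root><item>hello</item></root>"

# Constructed stylesheet: renders the item and also asks exsl:document to write a
# harmless file. TARGET_PATH is a placeholder filled in by attempt_file_write().
WRITING_XSLT = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    extension-element-prefixes="exsl">
  <xsl:template match="/">
    <exsl:document href="TARGET_PATH"><note>written</note></exsl:document>
    <html><body><xsl:value-of select="/root/item"/></body></html>
  </xsl:template>
</xsl:stylesheet>
"""


def render_html(xml_bytes, xslt_bytes, access_control=None):
    """Parse both uploads with SAFE_PARSER and apply the stylesheet.

    access_control=None reproduces the app's permissive default; pass
    HARDENED_ACCESS to turn on libxslt's security checks. Returns the result
    serialised as a string.
    """
    xml_tree = etree.fromstring(xml_bytes, SAFE_PARSER)
    xslt_tree = etree.fromstring(xslt_bytes, SAFE_PARSER)
    transform = etree.XSLT(xslt_tree, access_control=access_control)
    return str(transform(xml_tree))


def attempt_file_write(access_control=None):
    """Run WRITING_XSLT against a path inside a fresh temporary directory.

    Returns True if the stylesheet managed to create the file. Under
    HARDENED_ACCESS libxslt refuses the write, lxml reports the failed
    transform as an XSLTError, and no file is created.
    """
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "out.xml")
        stylesheet = WRITING_XSLT.replace(b"TARGET_PATH", target.encode())
        try:
            render_html(SAMPLE_XML, stylesheet, access_control)
        except etree.XSLTError:
            pass  # write denied by access control; fall through to the check
        return os.path.exists(target)


if __name__ == "__main__":
    print("default config wrote a file:", attempt_file_write())
    print("hardened config wrote a file:", attempt_file_write(HARDENED_ACCESS))
```

`DENY_ALL` is the right setting for a converter whose only legitimate input is the uploaded XML: the stylesheet never needs `document()`, file output or network access. It does not bound CPU or memory, so an endpoint that accepts untrusted stylesheets still needs an execution timeout and output size limit alongside the access control.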