Conversor (Full Box)

hackthebox

Task: Full HackTheBox machine with an XML-to-HTML converter web app and Linux privilege escalation. Solution: Exploited XSLT injection via exsl:document to write a Python reverse shell through a cron job for user access, then used CVE-2024-48990 needrestart PYTHONPATH injection for root.

rce md5_cracking privilege_escalation source_code_leak xslt_injection exsl_document cron_exploitation cve-2024-48990 needrestart pythonpath_injection

hash_crackingdatabase_extractionxslt_file_writecron_job_abuseshared_library_injectionconstructor_hijacking

$ ls tags/ techniques/

rce md5_cracking privilege_escalation source_code_leak xslt_injection exsl_document cron_exploitation cve-2024-48990 needrestart pythonpath_injection

hash_crackingdatabase_extractionxslt_file_writecron_job_abuseshared_library_injectionconstructor_hijacking

$ cat /etc/rate-limit

Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.

Conversor — HackTheBox (Full Box)

Challenge Info

Field	Value
Platform	HackTheBox
Target	10.129.1.165
Category	Web / Linux Privilege Escalation
Difficulty	Medium
User Flag	`aeff561c839d56cfced2c19e6ec562eb`
Root Flag	`4f83b59aad1bc7ababce8678ff0feaed`

Overview

This is a complete HackTheBox machine involving:

User Flag: XSLT Injection → Cron Job RCE → Credential Theft → SSH Access
Root Flag: CVE-2024-48990 needrestart PYTHONPATH Injection → Local Privilege Escalation

PART 1: User Flag

Reconnaissance

Port Scanning

nmap -sV -sC 10.129.1.165

Results:

Port	Service	Version
22	SSH	OpenSSH 8.9p1
53	DNS	-
80	HTTP	Apache 2.4.52

The HTTP service redirects to conversor.htb - added to /etc/hosts:

echo "10.129.1.165 conversor.htb" | sudo tee -a /etc/hosts

Web Application Analysis

Initial Exploration

The website is an XML to HTML converter using XSLT transformation:

User registers an account
User uploads XML file
User uploads XSLT stylesheet
Server transforms XML using XSLT
Returns HTML result

Source Code Discovery

On the /about page, found a download link:

/static/source_code.tar.gz

curl -O http://conversor.htb/static/source_code.tar.gz
tar -xzf source_code.tar.gz

Source Code Analysis

Key File: `app.py`

from lxml import etree

# XML Parser - SECURE configuration (XXE blocked)
parser = etree.XMLParser(
    resolve_entities=False,   # No XXE
    no_network=True,          # No external requests
    dtd_validation=False,
    load_dtd=False
)
xml_tree = etree.parse(xml_path, parser)

# XSLT Parser - INSECURE configuration (no restrictions!)
xslt_tree = etree.parse(xslt_path)  # Default parser = vulnerable!
transform = etree.XSLT(xslt_tree)

...