Cypher HackTheBox Medium Box Writeup
Overview
Cypher is a Medium-rated Linux machine on HackTheBox that lives up to its name. The entire foothold revolves around Cypher Injection against a Neo4j graph database, the graph query language equivalent of SQL injection. The box also features a clever custom procedure abuse for RCE and a sudo misconfiguration for privilege escalation.
Enumeration
An Nmap TCP scan reveals the usual two ports: SSH (22) and HTTP (80), running nginx 1.24.0 on Ubuntu. The web app is called GRAPH ASM — already hinting at graph database technology under the hood.
UDP scanning comes up empty, so the attack surface is entirely web-facing.
Gobuster directory enumeration surfaces several interesting endpoints: /login, /demo, /about, /api (which redirects to /api/docs), and — crucially — a /testing directory.
Discovering the Tech Stack
Browsing to /testing reveals a downloadable .jar file. Decompiling it with JADX exposes the application internals, confirming the backend is running Neo4j 5.23, a graph database that uses its own query language called Cypher.
The login page source also contains a revealing TODO comment left by a developer: "don't store user accounts in neo4j" — practically a neon sign pointing at the attack vector.
The backend query structure (leaked via verbose error messages) looks roughly like:
```cypher
MATCH (u:USER) -[:SECRET]-> (h:SHA1) WHERE u.name = '<input>' return h.value as hash
```
User input is being interpolated directly into the Cypher query with no sanitisation. A textbook injection vulnerability...
Cypher Injection — Getting Auth Bypass
Cypher injection works similarly to SQL injection but uses Neo4j's query syntax. The comment character in Cypher is //, and the goal is to break out of the string context and rewrite the query logic.
The error messages returned by the app are extremely verbose, leaking the full stack trace and the constructed Cypher query. These are invaluable for iterating on the injection payload.
After some trial and error navigating Cypher's syntax quirks (single-quote escaping behaves differently than SQL), a working payload via curl causes the query to return a controlled hash value as the hash field, bypassing the credential check entirely and granting access to the application.
Remote Code Execution — Custom Neo4j Procedure
Once inside the application, further investigation of the API docs and the decompiled JAR reveals a custom Neo4j procedure: custom.getUrlStatusCode(). This procedure takes a URL string and makes an HTTP request — but it's being passed directly to a shell command without sanitisation, enabling command injection via semicolon chaining.
Crafting a payload that appends a curl-pipe-bash command to the URL parameter triggers a reverse shell, landing a foothold on the box.
A password found in the graphasm user's home directory allows upgrading to a stable SSH session, and the user flag is collected.
Privilege Escalation — sudo bbot
Running sudo -l as graphasm reveals the user can run bbot (a modular OSINT/recon framework) as root without a password.
Bbot supports custom YARA rules and accepts target files as arguments. By pointing both the --custom-yara-rules and -t flags at /root/root.txt, bbot reads the file as part of its scan process and surfaces the root flag in its output.
The way I retrieved the root flag is a bit of a cheap shot, and I bet there is a way to leverage it in the correct way to get a root shell. However, this is the way I did it. :)
Key Takeaways
- Verbose error messages are a gift to attackers. The application leaking full stack traces and constructed queries accelerated exploitation. Error detail should never reach the client in production.
- Custom database procedures expand the attack surface significantly. Registering custom procedures that shell out to the OS is dangerous by design. If they must exist, their inputs must be thoroughly validated.
- Legitimate admin tools can be weaponised via sudo misconfigurations. bbot is a real, useful recon tool, but granting passwordless sudo access to any tool that reads arbitrary files is a privilege escalation waiting to happen.
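
To make the second takeaway concrete, here is a sketch of how a URL status check like custom.getUrlStatusCode() could be written without a shell. This is an added example, not the box's code or Neo4j's API: the class name, method names, timeouts and sample inputs are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Hypothetical hardened replacement for a status-check procedure (assumed names).
public class UrlStatusCheck {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // Parse strictly, allowlist the scheme, and require a server-based host.
    static URI validate(String raw) {
        try {
            URI uri = new URI(raw).parseServerAuthority();
            String scheme = uri.getScheme();
            if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT)))
                throw new IllegalArgumentException("scheme not allowed");
            if (uri.getHost() == null || uri.getUserInfo() != null)
                throw new IllegalArgumentException("host required, user-info not allowed");
            return uri;
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
    }

    // The request is made in-process by the JDK HTTP client, so the input is
    // never parsed by /bin/sh and ';' has no special meaning anywhere.
    static int statusCode(String raw) throws Exception {
        URI uri = validate(raw);
        HttpClient client = HttpClient.newBuilder()
                .connectTimeout(Duration.ofSeconds(5))
                .followRedirects(HttpClient.Redirect.NEVER).build();
        HttpRequest req = HttpRequest.newBuilder(uri).timeout(Duration.ofSeconds(5))
                .method("HEAD", HttpRequest.BodyPublishers.noBody()).build();
        return client.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; only validation runs here, no network traffic.
        for (String s : List.of("http://example.com/health", "file:///etc/hostname",
                "http://example.com; echo injected", "http://example.com/;echo")) {
            try { System.out.println("accepted: " + validate(s)); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + s + " (" + e.getMessage() + ")"); }
        }
    }
}
```

The last sample is accepted because a semicolon is legal in a URL path; it is harmless only because no shell is involved. Scheme and syntax checks do not address SSRF, so destination restrictions still have to be applied separately.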