We covered a demo of XML External Entity Injection along with privilege escalation through exploiting Python eval function. This was part of HackTheBox BountyHunter CREST CRT Track.

BountyHunter is an easy Linux machine that uses XML external entity injection to read system files. Being able to read a PHP file where credentials are leaked gives the opportunity to get a foothold on system as development user. A message from John mentions a contract with Skytrain Inc and states about a script that validates tickets. Auditing the source code of the python script reveals that it uses the eval function on ticket code, which can be injected, and as the python script can be run as root with sudo by the development user it is possible to get a root shell.

Get OSCP Notes

Video Walkthrough

CREST CRT track, CTF Writeups, HackTheBox, HackTheBox BountyHunter

Show Comments

Motasem

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles

XML External Entity Injection Demonstration | HTB BountyHunter | CREST CRT Track

Leave a Reply Cancel reply

Motasem

About the Author

Other stories

Python Eval Function Exploitation | TryHackMe Devie

Windows Privilege Escalation with PowerUp | HackTheBox Remote | CREST CRT Track

Press ESC to close

XML External Entity Injection Demonstration | HTB BountyHunter | CREST CRT Track

Leave a Reply Cancel reply

Motasem

About the Author

Share Article:

Other stories

Python Eval Function Exploitation | TryHackMe Devie

Windows Privilege Escalation with PowerUp | HackTheBox Remote | CREST CRT Track