Information Gathering


Rustscan finds SSH and HTTP running on the system; this is a typical HackTheBox Linux machine:

rustscan --addresses --range 1-65535

After adding editorial.htb to /etc/hosts, we can access the website:


The /upload path provides a URL preview feature:


This immediately suggests an SSRF vulnerability.

Let's intercept the preview request and send it to Burp Suite Repeater:


The response shows the directory path where the preview images are stored. Interesting.


SSH as Dev

Internal Port Scan

Now that SSRF appears to be confirmed on this system, let's check whether any other ports are open internally.

We will send the request to Intruder and brute-force the port number (1-65535):


Out of all the ports, port 5000 returned a response of a different length:

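The preview endpoint fetches whatever URL the user supplies, which is what makes the internal port scan above possible. The following is an added example of how a defender would gate that fetch; it is not code from the Editorial box or from this writeup. It pins the scheme and port, resolves the hostname, and refuses any destination that lands on a loopback, private, link-local or otherwise non-public address. The function and constant names (validate_preview_url, resolve_host, make_static_resolver, ALLOWED_SCHEMES, ALLOWED_PORTS) are choices made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption for this example: the preview feature only needs public web
# content over plain http/https on the standard ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_host(hostname):
    """Resolve a hostname to every address it points at (IPv4 and IPv6)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def make_static_resolver(*ips):
    """Build a resolver that returns fixed addresses (lets the check run offline)."""
    fixed = {ipaddress.ip_address(ip) for ip in ips}
    return lambda hostname: set(fixed)


def is_internal_address(addr):
    """True for any address the preview fetcher must never connect to."""
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        addr = mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_preview_url(url, resolver=resolve_host):
    """Return (ok, reason) for a user-supplied preview URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # An IP literal is checked directly; anything else (including shorthand such
    # as 127.1, which is not a valid literal) goes through the resolver.
    try:
        addresses = {ipaddress.ip_address(parts.hostname)}
    except ValueError:
        addresses = resolver(parts.hostname)
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if is_internal_address(addr):
            return False, f"{addr} is an internal address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:5000/api/", "http://[::1]/", "file:///etc/passwd"):
        print(candidate, validate_preview_url(candidate))
```

With this in place the preview request to port 5000 used above fails at the port check, and a request to 127.0.0.1 on port 80 fails at the address check. Two caveats a practitioner should keep in mind: the fetch must connect to the address that was validated (or re-validate at connect time), otherwise a DNS answer that changes between check and use bypasses the test, and any HTTP redirect the fetcher follows needs the same validation applied to the new location.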

Let's copy the path of the created preview file:


After downloading the created file, we can take a look at it.

It reveals a number of API endpoint paths:


Among the exposed API endpoints above, one path caught our attention.

Let's take a look at it.

We will send the preview request for it through Burp Suite Repeater as we did earlier:


Downloading and examining the result, we find a credential leak for user dev: dev080217_devAPI!@


Using the found password, we can ssh in:

ssh dev@editorial.htb


Privesc: Dev to Prod


There is also a user prod on the system. It seems we need to escalate our privileges to prod first:


Let's enumerate the local file system.

Inside the apps directory, there is a .git directory:


Inside .git, we see a bunch of juicy files:


Looking at HEAD, it seems we can obtain the log of the git commits made earlier:


Using the git log command, we can see all the previous commits:


Using git show 1e84a036b2f33c59e2390730699a488c65643d28, we can read the contents from before the downgrade to dev, and inside it the password for prod is exposed:


Using the password 080217_Producti0n_2023!@, we now have a shell as prod:
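Swapping the prod credential for the dev one in a later commit, as happened in this repository, does not remove the old value from history: git show on the earlier commit still prints it. The scanner below is an added example, not anything from the box or this writeup, of the check a defender would run in CI or a pre-receive hook. It walks git log -p output and flags credential-looking assignments on both added and removed lines, so a value that was "rotated out" of the working tree but remains in history is still reported. The sample log, the placeholder commit ids and the placeholder passwords are constructed for this example; SECRET_RE, scan_git_log and values_still_in_history are names chosen here.

```python
import re

# Constructed sample of `git log -p` output (newest commit first). The commit
# ids and the PLACEHOLDER_* values are invented for this example.
SAMPLE_LOG = """\
commit 0000000000000000000000000000000000000002
Author: dev <dev@example.invalid>

    change prod credentials to dev (downgrade)

diff --git a/app_api/app.py b/app_api/app.py
--- a/app_api/app.py
+++ b/app_api/app.py
@@ -10,3 +10,3 @@
 def get_internal_creds():
-    return {"user": "prod", "password": "PLACEHOLDER_prod_secret"}
+    return {"user": "dev", "password": "PLACEHOLDER_dev_secret"}

commit 0000000000000000000000000000000000000001
Author: dev <dev@example.invalid>

    initial api

diff --git a/app_api/app.py b/app_api/app.py
--- /dev/null
+++ b/app_api/app.py
@@ -0,0 +1,3 @@
+import os
+def get_internal_creds():
+    return {"user": "prod", "password": "PLACEHOLDER_prod_secret"}
"""

# key = value / "key": "value" style assignments for common credential names
SECRET_RE = re.compile(
    r"""(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\b\s*["']?\s*[:=]\s*["']?([^"'\s,}]+)"""
)


def scan_git_log(text):
    """Walk `git log -p` output and return credential-looking assignments found on
    added (+) or removed (-) lines, tagged with commit id, file path and kind."""
    findings = []
    commit = path = None
    for line in text.splitlines():
        if line.startswith("commit "):
            commit, path = line.split()[1], None
        elif line.startswith("diff --git "):
            path = None
        elif line.startswith("+++ b/"):
            path = line[len("+++ b/"):]
        elif line.startswith("+++ ") or line.startswith("--- "):
            continue  # file headers, not content
        elif line[:1] in ("+", "-") and path:
            match = SECRET_RE.search(line)
            if match:
                findings.append({
                    "commit": commit,
                    "path": path,
                    "kind": "added" if line[0] == "+" else "removed",
                    "key": match.group(1).lower(),
                    "value": match.group(2),
                })
    return findings


def values_still_in_history(findings):
    """Credential values that a later commit deleted from the working tree.
    They are still recoverable with `git show <commit>`, so they must be rotated."""
    return sorted({f["value"] for f in findings if f["kind"] == "removed"})


if __name__ == "__main__":
    for finding in scan_git_log(SAMPLE_LOG):
        print(f"{finding['commit'][:8]} {finding['path']} {finding['kind']:7} {finding['key']}={finding['value']}")
    print("rotate:", values_still_in_history(scan_git_log(SAMPLE_LOG)))
```

The removed-line finding is the important one: rewriting history (for example with git filter-repo) only helps if every clone is rewritten too, so the practical fix for a leaked value found this way is to rotate it and move secrets out of the repository into configuration the application reads at runtime.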


Privesc: Prod to root


Let's check which commands can be run with sudo privileges:

sudo -l


/opt/internal_apps/clone_changes/ can be run with sudo privileges. Let's take a look at it:

The script uses the git library to clone a repository from the URL it is given. Hmm, this is interesting.

Checking the git library version, it is 3.1.29:


Searching for known exploits for this version, it is vulnerable to CVE-2022-24439:


CVE-2022-24439 is an RCE vulnerability caused by improper user input validation:


Here we found a post that helps us read root.txt.

Let's first create an empty root.txt with the command: echo "" > root.txt

We will copy the actual root.txt into our empty root.txt in the /home/prod directory:

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/ "ext::sh -c cat% /root/root.txt% >% /home/prod/root.txt"


Now we have root.txt copied to our home directory:
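The root step works because the clone script hands a user-controlled URL straight to the git library: a URL beginning with ext:: selects git's ext remote helper, which runs a command, and that is what CVE-2022-24439 abuses. GitPython 3.1.30 fixed this by refusing such URLs in clone_from unless the caller passes allow_unsafe_protocols=True. The check below is an added example, not the box's script and not GitPython's own code, of the same guard applied before the URL ever reaches git: it rejects remote-helper syntax, option-like arguments, local paths and any scheme outside an explicit allow-list. ALLOWED_SCHEMES, HELPER_RE, SCP_LIKE_RE, check_clone_url and safe_clone are names chosen for this example, and the allowed scheme set is an assumption about what such a deployment needs.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the deployment only ever clones over these schemes.
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# '<helper>::<address>' makes git hand the URL to a remote helper (ext:: runs a command).
HELPER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+.-]*::")

# scp-like ssh form  user@host:path  (no scheme, host may not start with '-')
SCP_LIKE_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9][A-Za-z0-9.-]*:[^:]+$")


def check_clone_url(url):
    """Return (ok, reason) for a clone URL supplied by an untrusted caller."""
    url = url.strip()
    if not url:
        return False, "empty URL"
    if url.startswith("-"):
        return False, "URL looks like a command-line option"
    if HELPER_RE.match(url):
        return False, "remote-helper syntax is not allowed"
    if SCP_LIKE_RE.match(url):
        return True, "scp-like ssh URL"
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    return True, "ok"


def safe_clone(url, dest):
    """Clone only after the URL passes check_clone_url.

    Assumes GitPython >= 3.1.30, whose clone_from already refuses ext::/fd:: URLs
    by default (allow_unsafe_protocols=False); the explicit check keeps the
    policy in the caller's hands and gives a clear error message."""
    ok, reason = check_clone_url(url)
    if not ok:
        raise ValueError(f"refusing to clone {url!r}: {reason}")
    from git import Repo  # imported lazily so the checks above run without GitPython
    return Repo.clone_from(url, dest)


if __name__ == "__main__":
    for candidate in ("ext::sh -c cat% /root/root.txt% >% /home/prod/root.txt",
                      "https://github.com/example/repo.git",
                      "git@github.com:example/repo.git"):
        print(candidate, "->", check_clone_url(candidate))
```

Run against the argument used in this writeup, check_clone_url returns a refusal at the remote-helper check, while ordinary https, ssh:// and scp-like URLs pass. The other half of the fix is outside the code: a script that accepts arbitrary arguments should not be runnable as root through a passwordless sudo rule, and the library should be updated to a release that is not affected.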


Fun and easy box!
