Conversor
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0174263947bc6ae2cb128b71849cf85a (ECDSA)
|_ 256 3a1690dc74d8e3c45136e208062617ee (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://conversor.htb/
Service Info: Host: conversor.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Foothold
- website uses XML and XSLT to display nmap output in a pretty HTML way.
- website has the source code
- sent source code to Claude. Found out that XSLT is not parsed properly.
- https://ine.com/blog/xslt-injections-for-dummies
- to start with, a stylesheet that prints the XSLT processor's version and vendor:

    <?xml version="1.0" encoding="UTF-8"?>
    <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      <xsl:output method="html" indent="yes" />
      <xsl:template match="/">
        <html>
          <head>
            <title>Nmap Scan Results</title>
          </head>
          <body>
            <h1>Nmap Scan Report</h1>
            <h3>Version: <xsl:value-of select="system-property('xsl:version')"/></h3>
            <h3>Vendor: <xsl:value-of select="system-property('xsl:vendor')"/></h3>
            <h3>Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')"/></h3>
            <!-- for each xsl statement here -->
          </body>
        </html>
      </xsl:template>
    </xsl:stylesheet>

- Tried a lot but getting URI NOT FOUND or XPath errors
- reading the app.wsgi script
- start a nc listener
- upload a python3 socket reverse shell with the name ../scripts/shell.py because the file is being uploaded to /uploads folder from the web root.
- the convert/ page throws an error that shell.py was not readable because it doesn't start with <
- however, we get a reverse shell as www-data on nc
- upload linpeas.sh on the target
- shows /usr/bin/bash has suid bit set
- gtfobins shows bash -p which gives the root shell
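
The upload step in the notes above succeeds because the client-supplied filename is joined onto the upload folder and the file is written before its content is checked. A hardened upload handler, as an added example (not the application's own code; the function names, allowed extensions and directory layout are assumptions):

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ALLOWED_SUFFIXES = {".xml", ".xslt", ".xsl"}  # assumption: what the converter accepts


class RejectedUpload(Exception):
    """Raised when an upload fails a filename or content check."""


def safe_destination(upload_dir: Path, client_name: str) -> Path:
    """Return a path inside upload_dir, or raise if the name tries to leave it."""
    normalised = client_name.replace("\\", "/")
    name = os.path.basename(normalised)
    # Any directory component (e.g. "../scripts/") makes basename differ.
    if name != normalised or name in ("", ".", "..") or name.startswith("."):
        raise RejectedUpload(f"bad filename: {client_name!r}")
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedUpload(f"extension not allowed: {name!r}")
    root = upload_dir.resolve()
    dest = (root / name).resolve()
    # Defence in depth: the resolved path must still sit under the upload root.
    if root not in dest.parents:
        raise RejectedUpload(f"path escapes upload dir: {client_name!r}")
    return dest


def store_upload(upload_dir: Path, client_name: str, data: bytes) -> Path:
    """Check name and content first; touch the disk only if both pass."""
    dest = safe_destination(upload_dir, client_name)
    try:
        # Stdlib parser keeps the example dependency-free; for untrusted
        # input a hardened parser such as defusedxml is preferable.
        ET.fromstring(data)
    except ET.ParseError as exc:
        raise RejectedUpload(f"not well-formed XML: {exc}") from exc
    dest.write_bytes(data)
    return dest


if __name__ == "__main__":
    base = Path(tempfile.mkdtemp())
    (base / "uploads").mkdir()
    samples = [("../scripts/shell.py", b"import socket"),  # constructed inputs
               ("scan.xml", b"import socket"), ("scan.xml", b"<nmaprun/>")]
    for name, body in samples:
        try:
            print("stored:", store_upload(base / "uploads", name, body))
        except RejectedUpload as exc:
            print("rejected:", exc)
```

Running the script directories from a location the web user cannot write to, and removing the SUID bit from /usr/bin/bash, close the remaining two steps of the chain.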
