BountyHunter Write-up by evyatar9

Read my Writeup to BountyHunter machine on:


To solve this machine, we begin by enumerating open services – finding the ports 22 and 80.

User: Using XML External Entity (XXE) attack to read the file db.php which includes the credentials of development user.

Root: By running sudo -l we found /usr/bin/python3.8 /opt/skytrain_inc/ script, Create a payload to get the root flag from python eval command.