Read my Writeup to BountyHunter machine on:
TL;DR;
To solve this machine, we begin by enumerating open services – finding the ports 22
and 80
.
User: Using XML External Entity (XXE) attack to read the file db.php
which includes the credentials of development
user.
Root: By running sudo -l
we found /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
script, Create a payload to get the root
flag from python eval
command.