
Hack The Box - Season 9 HTB Conversor Writeup - Easy - Weekly - October 25th, 2025

HTB Conversor - Linux Easy Box Writeup

Summary

Conversor is an easy Linux box that involves exploiting an XSLT injection vulnerability to achieve code execution, followed by database enumeration for privilege escalation to user, and finally abusing sudo permissions for root access.

Skills Required:

  • Basic web application testing
  • XSLT injection knowledge
  • Database enumeration
  • Hash cracking
  • Sudo privilege escalation

Enumeration

Nmap Scan

nmap -sC -sV -oA conversor [TARGET_IP]

Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 01:74:26:39:47:bc:6a:e2:cb:12:8b:71:84:9c:f8:5a (ECDSA)
|_  256 3a:16:90:dc:74:d8:e3:c4:51:36:e2:08:06:26:17:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.52
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://conversor.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)

Domain Setup

The http-title line shows the server redirecting to http://conversor.htb/, so map that hostname to the target's IP in /etc/hosts (this file is root-owned, so the write needs sudo):

echo "[TARGET_IP] conversor.htb" | sudo tee -a /etc/hosts

Web Application Analysis

Navigating to http://conversor.htb reveals a web application called "Conversor" with user registration functionality.

Login Page

After registering and logging in, we discover the main functionality - an XML and XSLT file converter:

Upload Page

Directory Discovery

Using gobuster to enumerate directories:

gobuster dir -u http://conversor.htb -w /usr/share/wordlists/dirb/common.txt

Key findings:

  • /static/ - Static files directory
  • /scripts/ - Scripts directory (executable)

Exploitation

XSLT Injection Analysis

The application takes a user-supplied XML document and a user-supplied XSLT stylesheet and runs the transformation server-side. Because the stylesheet itself is under our control, this is an XSLT injection primitive: anything the processor's extension functions can do, the uploader can do. If the processor is one that ships EXSLT extensions (libxslt, for example), extension elements such as exsl:document become reachable from the stylesheet. The first step is to fingerprint the processor and confirm which extensions are actually available before building a payload.
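The reconnaissance stylesheet below is an added example, not a payload from the original writeup. It uses only standard XSLT 1.0 facilities (system-property(), element-available() and function-available()) to report the processor's vendor and version and to check whether the EXSLT common extensions are enabled. The exsl namespace URI is the real EXSLT one; the XML document it is paired with can be anything, for example a single `<root/>` element, since the template matches the document root and ignores the input.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added fingerprinting stylesheet (example, not the writeup's own payload).
     Upload this as the XSLT file together with any well-formed XML file. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    extension-element-prefixes="exsl">

  <!-- Plain text output keeps the result easy to read in the converter's response -->
  <xsl:output method="text"/>

  <xsl:template match="/">
    <!-- system-property() is XSLT 1.0 standard: identifies the engine and its version -->
    <xsl:text>xsl:version    = </xsl:text>
    <xsl:value-of select="system-property('xsl:version')"/>
    <xsl:text>&#10;xsl:vendor     = </xsl:text>
    <xsl:value-of select="system-property('xsl:vendor')"/>
    <xsl:text>&#10;xsl:vendor-url = </xsl:text>
    <xsl:value-of select="system-property('xsl:vendor-url')"/>

    <!-- element-available() / function-available() are also XSLT 1.0 standard.
         "true" for exsl:document means the processor can create extra output
         documents from the stylesheet, which is the EXSLT capability worth
         confirming before building a real payload. -->
    <xsl:text>&#10;exsl:document element available = </xsl:text>
    <xsl:value-of select="element-available('exsl:document')"/>
    <xsl:text>&#10;exsl:node-set function available = </xsl:text>
    <xsl:value-of select="function-available('exsl:node-set')"/>
    <xsl:text>&#10;</xsl:text>
  </xsl:template>
</xsl:stylesheet>
```

If the vendor string identifies libxslt and the exsl:document check comes back true, the processor honours EXSLT extension elements and the upload feature is worth pursuing as a file-write primitive; if it comes back false, or the processor is a different engine, the EXSLT route is closed and a different extension mechanism would have to be checked instead.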

Initial Payload Testing