Platform: Hack The Box
Season: 9
Difficulty: Easy
OS: Linux
Date: 2025-10-26
Author: x4cc3
Conversor is an Easy Linux machine running a Flask web application that performs XSLT transformations on user-supplied XML. Registration downloads an .xslt template, hinting at server-side XSLT processing. Source code disclosure via an XSLT unparsed-text() call reveals a hardcoded Flask secret key and a vulnerable XML parser. EXSLT extensions are leveraged to write a reverse shell to the web root, gaining foothold as www-data. Hardcoded MD5 hashes in the source are cracked, leading to SSH as fismathack. For root, a SUID binary with command execution is abused via /usr/bin/bash -p.
```bash
nmap -Pn -sV -sC conversor.htb
```
| Port | Service | Version |
|---|---|---|
| 22/tcp | SSH | OpenSSH |
| 80/tcp | HTTP | nginx (redirects to conversor.htb) |
Added conversor.htb to /etc/hosts so the nginx redirect resolves.

Nmap scan results
Visiting the web application on port 80 revealed a login page with registration. After registering, the application offered a downloadable .xslt template — a strong indicator that the server processes XSLT stylesheets.
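Before going for source disclosure, the cheapest way to confirm the hint is to upload a stylesheet that asks the processor to describe itself. The block below is an added example, not part of the original writeup: it builds a probe stylesheet that reports the XSLT vendor and version via system-property() and checks whether the EXSLT extensions the rest of the box relies on are available. The upload endpoint and parameter names of the Conversor app are not reproduced here (they are assumptions a tester would fill in); the local run_probe_locally() helper uses lxml, which is the libxslt binding a Flask app would typically use, to show what the response looks like.

```python
"""Probe stylesheet for fingerprinting a server-side XSLT processor."""
import xml.etree.ElementTree as ET

try:
    from lxml import etree  # only needed to run the transform locally
except ImportError:  # lxml is optional; building/parsing the probe works without it
    etree = None

# The probe reports processor identity and which extension hooks are live.
# libxslt (what lxml wraps) answers vendor="libxslt", version="1.0",
# vendor-url="http://xmlsoft.org/XSLT/" and "true" for the two EXSLT checks.
PROBE_XSLT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    extension-element-prefixes="exsl">
  <xsl:output method="xml" indent="yes"/>
  <xsl:template match="/">
    <probe>
      <vendor><xsl:value-of select="system-property('xsl:vendor')"/></vendor>
      <version><xsl:value-of select="system-property('xsl:version')"/></version>
      <vendor-url><xsl:value-of select="system-property('xsl:vendor-url')"/></vendor-url>
      <exsl-document><xsl:value-of select="element-available('exsl:document')"/></exsl-document>
      <exsl-node-set><xsl:value-of select="function-available('exsl:node-set')"/></exsl-node-set>
      <document-fn><xsl:value-of select="function-available('document')"/></document-fn>
    </probe>
  </xsl:template>
</xsl:stylesheet>
"""


def build_probe_xslt() -> str:
    """Return the probe stylesheet after confirming it is well-formed XML."""
    ET.fromstring(PROBE_XSLT.encode())  # raises ParseError if we broke the stylesheet
    return PROBE_XSLT


def parse_probe_output(xml_bytes) -> dict:
    """Turn the transform output (<probe>...</probe>) into a {tag: text} dict."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "probe":
        raise ValueError(f"unexpected root element {root.tag!r}; probe was not applied")
    return {child.tag: (child.text or "").strip() for child in root}


def next_steps(info: dict) -> list:
    """Map the fingerprint to the follow-ups a tester would try next."""
    steps = []
    if info.get("vendor") == "libxslt":
        steps.append("libxslt/lxml: XSLT 1.0 only, EXSLT usually compiled in")
    if info.get("exsl-document") == "true":
        steps.append("exsl:document available: server-side file write is worth testing")
    if info.get("document-fn") == "true":
        steps.append("document() available: try reading local files / SSRF")
    return steps


def run_probe_locally(input_xml: bytes = b"<doc/>") -> dict:
    """Apply the probe with lxml to see the same output the server would return."""
    if etree is None:
        raise RuntimeError("lxml not installed; install it to run the probe locally")
    transform = etree.XSLT(etree.fromstring(PROBE_XSLT.encode()))
    result = transform(etree.fromstring(input_xml))
    return parse_probe_output(bytes(result))


if __name__ == "__main__":
    # Constructed example of a libxslt response, for readers without lxml.
    sample = (b"<probe><vendor>libxslt</vendor><version>1.0</version>"
              b"<vendor-url>http://xmlsoft.org/XSLT/</vendor-url>"
              b"<exsl-document>true</exsl-document><exsl-node-set>true</exsl-node-set>"
              b"<document-fn>true</document-fn></probe>")
    info = parse_probe_output(sample)
    print(info)
    for step in next_steps(info):
        print("-", step)
```

Upload the output of build_probe_xslt() as the conversion template and read the response: a "libxslt" vendor with exsl:document reported as available is exactly the combination the rest of this writeup exploits, so it tells you early whether the file-write path is realistic.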

Visiting the web app