
Overview
Browsed is a HackTheBox machine that presents an interesting challenge focusing on web application security and enumeration techniques. This walkthrough covers the initial reconnaissance, vulnerability discovery, and exploitation path for this machine.
Attack Summary
This box involved an end-to-end attack chain that began with basic network and web service enumeration, leading to the discovery of an exposed development-grade web application that incorrectly trusted uploaded browser extension content. By modifying a sample extension’s JavaScript, attacker-controlled code was executed client-side and used to interact with an internal-only backend routine, resulting in command execution and a reverse shell as a low-privileged user.
Post-exploitation access was stabilised by pulling an exposed SSH private key, enabling direct SSH login without reliance on the original exploit. Privilege escalation was achieved by abusing a NOPASSWD sudo-permitted Python tool that relied on world-writable Python bytecode; poisoning the .pyc cache allowed execution flow hijacking while preserving file size and timestamps, ultimately resulting in root-level code execution.
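The bytecode-poisoning step works because Python, by default, trusts a cached `.pyc` whose recorded source size and mtime still match, so a writable cache next to a sudo-permitted tool is a root-equivalent write. The audit below is an added example, not code from the box or from HackTheBox: it walks a directory tree, flags `.pyc` files or `__pycache__` directories that are world-writable, and reads the PEP 552 header flags to report whether each file uses forgeable timestamp validation or hash-based validation. `build_demo()` constructs a throwaway tree with one weak and one hardened cache file so the audit can be run offline; the file names and the `tool.py` source are made up for the demo.

```python
import os
import stat
import struct
import tempfile
import py_compile
import importlib.util
from pathlib import Path


def pyc_invalidation_mode(pyc_path):
    """Classify a .pyc by its PEP 552 header flags.

    Header layout (CPython 3.7+): 4-byte magic, 4-byte little-endian flags,
    then either (mtime, size) or a source hash. Flag bit 0 = hash-based,
    bit 1 = check the hash against the source on import.
    """
    with open(pyc_path, "rb") as fh:
        header = fh.read(16)
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        return "unknown"
    flags = struct.unpack("<I", header[4:8])[0]
    if flags & 0x1:
        return "checked-hash" if flags & 0x2 else "unchecked-hash"
    return "timestamp"


def audit_bytecode(root):
    """Return (path, invalidation_mode, [issues]) for every risky .pyc under root."""
    findings = []
    for pyc in sorted(Path(root).rglob("*.pyc")):
        issues = []
        if pyc.stat().st_mode & stat.S_IWOTH:
            issues.append("pyc world-writable")
        if pyc.parent.stat().st_mode & stat.S_IWOTH:
            issues.append("cache dir world-writable")
        mode = pyc_invalidation_mode(pyc)
        if mode == "timestamp":
            # mtime and size are trivially preserved by an attacker, so this
            # cache offers no integrity guarantee on its own.
            issues.append("timestamp-based invalidation (mtime/size forgeable)")
        if issues:
            findings.append((str(pyc), mode, issues))
    return findings


def build_demo():
    """Constructed demo tree: one weak cache file, one hardened one (not from the box)."""
    root = Path(tempfile.mkdtemp(prefix="pyc_audit_"))
    cache = root / "__pycache__"
    cache.mkdir()
    os.chmod(cache, 0o755)  # directory itself is not the problem in this demo
    src = root / "tool.py"
    src.write_text("def run():\n    return 'ok'\n")

    weak = cache / "tool.demo.weak.pyc"
    py_compile.compile(str(src), cfile=str(weak),
                       invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)
    os.chmod(weak, 0o666)  # world-writable: the condition abused on the box

    hardened = cache / "tool.demo.hardened.pyc"
    py_compile.compile(str(src), cfile=str(hardened),
                       invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH)
    os.chmod(hardened, 0o644)
    return {"root": str(root), "weak": str(weak), "hardened": str(hardened)}


if __name__ == "__main__":
    demo = build_demo()
    for path, mode, issues in audit_bytecode(demo["root"]):
        print(f"{path} [{mode}]: {', '.join(issues)}")
```

Pointing `audit_bytecode()` at the install directory of any script that appears in `sudoers` is the practical use; the remediation is to make the cache root-owned and read-only, and to precompile with `py_compile`'s `CHECKED_HASH` mode (or set `SOURCE_DATE_EPOCH` at build time) so a modified `.pyc` no longer validates against an unchanged source.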
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Discovery | T1046 | Network Service Discovery |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059 | Command and Scripting Interpreter (JavaScript, Unix Shell) |
| Credential Access | T1552.004 | Unsecured Credentials – Private Keys |
| Privilege Escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo |
| Persistence / Defense Evasion | T1574.001 | Hijack Execution Flow: DLL Side-Loading / Code Cache Poisoning |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
Locked Content as per HTB Policy
The detailed walkthrough content for this machine has been restricted in accordance with HackTheBox’s content sharing policy. This ensures that the learning experience remains fair for all users and maintains the integrity of the platform’s challenges.