HTB Conversor

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2026/03/21/htb-conversor.html
• Blog Title: HTB: Conversor
• Suggested Section: Pentesting Web -> File Upload (arbitrary file write) and/or Pentesting Web -> XXE/XSLT injection (add libxslt/EXSLT exslt:document file-write + processor fingerprinting); plus a cross-reference under Linux Privilege Escalation / Scheduled tasks (cron) as an execution sink for arbitrary file write

🎯 Content Summary

Title / context
Walkthrough of HackTheBox “Conversor” (Linux). Target hosts an Apache-served Flask app that converts uploaded nmap XML into HTML using user-supplied XSLT processed by lxml (libxslt). The post chains: (1) authenticated file upload → (2) arbitrary file write (two different primitives) → (3) cron-triggered Python execution as www-data → (4) credential extraction (MD5 in SQLite) → (5) local privilege escalation to root via needr...

🔧 Technical Details

Arbitrary file write via unsafe filename-to-path joins (path traversal + absolute path override): If an app constructs destination paths like os.path.join(base_dir, user_filename) and then writes the upload, an attacker can use ../ to traverse outside base_dir. Additionally, supplying an absolute path (e.g., starting with /) causes os.path.join to ignore earlier components, letting the attacker write anywhere the process can write. If the app writes the file before parsing/validation, the write succeeds even when the request ultimately errors.

Convert arbitrary write to RCE using cron-executed script directories: When a system runs a cron entry like * * * * * www-data for f in /path/*.py; do python3 "$f"; done, placing any attacker-controlled .py file in that globbed directory yields code execution as that cron user. Because it’s a simple for loop, scripts exec...

🤖 Agent Actions

Updated xslt-server-side-injection-extensible-stylesheet-language-transformations.md.

The addition keeps this in a single file and focuses on the actually new technique from the blog: libxslt-specific abuse. I added the document() XML-only caveat, the XML-vs-XSLT parser asymmetry in lxml, the EXSLT exsl:document arbitrary file-write primitive, the XML entity encoding gotcha when generating payload files, and a short note on using cron-polled script directories or similar execution sinks after a successful write. I also updated the References section with the blog and primary docs.

Verification: checked the final diff and git status; only that file was modified.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/03/21/htb-conversor.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> File Upload (arbitrary file write) and/or Pentesting Web -> XXE/XSLT injection (add libxslt/EXSLT exslt:document file-write + processor fingerprinting); plus a cross-reference under Linux Privilege Escalation / Scheduled tasks (cron) as an execution sink for arbitrary file write".

Repository Maintenance:

• MD Files Formatting: 954 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0