HackTheBox - Conversor
Why It Matters
The demo shows that even basic file‑upload features can lead to full system compromise, emphasizing the need for strict path sanitization and timely patching of known vulnerable services.
Key Takeaways
- Web app uses XSLT conversion, vulnerable to XSLT injection.
- File upload allows path traversal, enabling arbitrary file writes.
- Root service runs outdated NeedRestart, exposing known CVE exploit.
- Flask framework identification guides targeted testing for framework-specific bugs.
- Combining XSLT payloads with traversal yields remote code execution.
Summary
The video walks through the Hack The Box "Conversor" machine, an ostensibly easy box that hides two distinct attack vectors. The target is a Flask‑based web application that accepts XML and XSLT files to generate HTML reports, while the underlying host runs an outdated NeedRestart service vulnerable to a publicly disclosed CVE.
The presenter demonstrates how the XSLT conversion can be abused for injection, but more reliably exploits a path‑traversal flaw in the file‑upload routine. Supplying "../" sequences or a leading slash in the submitted path defeats the os.path.join call, which offers no protection on its own: an absolute component makes it discard the upload directory entirely, and "../" components are joined verbatim, so arbitrary files, including a malicious Python script, can be written to the server's filesystem. The need for careful framework identification is highlighted, as Flask's default 404 page helped confirm the stack and guide payload selection.
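To make the os.path.join failure concrete, the following added example (not code from the video or the box itself) contrasts a naive join with a containment check; the upload directory and sample filenames are constructed placeholders.

```python
import os

# Illustrative upload root; the box's real path is not given in the walkthrough.
UPLOAD_DIR = "/srv/app/uploads"


def vulnerable_target(filename: str) -> str:
    """Naive join with no traversal protection.

    os.path.join drops every component before an absolute one, so a leading
    slash replaces UPLOAD_DIR outright, and '../' components are kept as-is,
    escaping the directory once the path is opened for writing.
    """
    return os.path.join(UPLOAD_DIR, filename)


def safe_target(filename: str) -> str:
    """Hardened version: join, normalise, then require the result to remain
    inside UPLOAD_DIR. Raises ValueError on any escape attempt.

    On a live system prefer os.path.realpath over normpath so that symlinks
    inside the upload directory are resolved before the containment test.
    """
    candidate = os.path.normpath(os.path.join(UPLOAD_DIR, filename))
    base = os.path.normpath(UPLOAD_DIR)
    # commonpath is the reliable containment test; a plain startswith()
    # check would wrongly accept "/srv/app/uploads_evil/x".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload directory: {filename!r}")
    return candidate


def is_contained(filename: str) -> bool:
    """True if safe_target() accepts the name, False if it rejects it."""
    try:
        safe_target(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: one benign, the two traversal shapes the
    # walkthrough mentions, and a prefix-collision case.
    for name in ["report.xml", "../../../tmp/evil.py", "/tmp/evil.py", "../uploads_evil/x"]:
        print(f"{name!r:24} naive -> {vulnerable_target(name):40} contained -> {is_contained(name)}")
```

Werkzeug's safe_join helper implements the same containment check and is the idiomatic choice in a Flask application.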
A memorable line from the host is, “It does a good job at showing how common vulnerabilities can just hide in plain sight,” underscoring the box’s educational value. The walkthrough also notes that the XML parser disables external entity resolution, rendering XXE attempts ineffective, and that the NeedRestart daemon provides a second, CVE‑based privilege‑escalation path.
The dual‑vector approach illustrates why pen‑testers must examine both application‑level logic and underlying services. Overlooking simple file‑path sanitization can grant remote code execution, while unpatched system daemons offer quick root access. The lesson extends to real‑world environments: regular updates and rigorous input validation are essential to mitigate such low‑complexity, high‑impact exploits.