Bounty Hunter Hack the Box Write-Up| Bounty Hunter HTB Walkthrough

So in this blog, we are going for bounty hunter hack the box machine and we’ll take over the user flag and root flag of the machine…

so first turn and on your hack the box VPN and load the IP address on your browser which is


First, we going to take the Nmap scan using the below command

STEP 1: nmap -sC -sV

the result is shown below:

so in this result, we are able to see the interesting services is SSH and port is 22

Next, we going to brute force the directory using gobuster for any interesting directory

STEP 2: gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

result for gobuster

so in this gobuster result, we will abe to see the lots of hidden directories…

Next, go to the webpage and click the portal tab in this section you will be able to see the development under construction, and there click here button.

Click the button it will (shown below image)

further, I have tried more SQL injection but nothing done


further, I have scanned the webpage using burpsuit (shown in the below image )

And the request to the burpsuit repeater…

In this request, the data is encoded in the url+base64 encoding.

so going to decode the encoding using the cyber chief website (link is below)

we going to decode using this website (instructions are shown below image)

now it has been decoded

And it looks like an XML file and have found that it has XXE vulnerability using the below website…

so in this website, you will be able to study XXE or XML vulnerability…

Now we going to inject the XXE payload in the XML file and encode the file and send it to the web application…

you can download the payload using the below link

Now can able to download the payload and inject in the XML file (image is shown below)

Next, encode a file using cyber chief the encode should be base64+urlencoding (shown below image)

so copy the encode and paste burpsuit data request (show below image)

Now send the request you get a response… in this response, you are able to see some encode (shown below image)

In this encoding you will be able to see the password… but I have tried this username and password it will not work and I have a password for another user it will work by using another payload…

You can able to download the payload using the below link

Copy the payload and paste it into the XML file and encode the XML file by seeing the below image…

Next copy the encode and paste in the request and you get the response…

So in this response, you will be able to see some encoding (shown below image)

Next, decode this encoding by seeing the below image

In this decoding, you will be able to see the user which is development…

Now we got the username: development

Password : m19RoAU0hP41A1sTsq6K

Now we find the username and password and we going to enter through the SSH using the below command

STEP 3: ssh devlopment@

now it will ask for the password… so enter password m19RoAU0hP41A1sTsq6K

now you will get the shell…..

STEP 4: ls

now you get the user flag which is the user.txt

STEP 5: cat user.txt

Now it’s time for Root Flag, Can get root.txt walkthrough from the video demonstration below :

A clap would be really appreciated.

Keep Coming for more.

Happy Hacking!!!!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



Hey Hackers !! I am Harshit Dodia aka Freaky Dodo , I am a student of Information Technology and Ethical hacking.