Beginner’s Guide to Conquering Interpreter on HackTheBox

Key Highlights

Here’s a quick look at what we’ll cover in this guide to conquering the Interpreter machine. This walkthrough is a great exercise in practical penetration testing skills.

• Start by scanning for open ports to find the web server and SSH services.
• Exploit a blind SQL injection vulnerability on the website’s login page.
• Use the credentials gained to establish an initial shell via SSH.
• Abuse group permissions to escalate privileges on the Linux system.
• Gain full root access by hijacking a process that runs on login.

Introduction

Welcome to your guide for the Interpreter machine on HackTheBox! This box is rated as medium difficulty and offers a fantastic learning experience for those looking to sharpen their penetration testing abilities. You’ll begin by identifying open ports and investigating a web server. The path to root involves exploiting a web vulnerability to gain credentials, logging in via SSH, and then finding a clever way to escalate your privileges. Ready to jump in and start your hacking journey? Let’s get started.

Overview of the Interpreter Machine on HackTheBox

The Interpreter box provides a realistic scenario that begins with basic reconnaissance. Your first step will be to run a port scan against the target IP address to discover what services are available. You will find that the machine has a couple of open ports, including one for a web server.

From there, your focus will shift to enumerating the web application to find potential weaknesses. This initial phase is crucial for gathering the information needed to gain your first foothold on the system. We will explore what makes this machine an engaging challenge and the skills you’ll need to succeed.

What Makes Interpreter an Interesting Challenge

What sets the Interpreter box apart is its multi-stage approach to the hack. It’s not just about finding a single vulnerability; it’s about chaining together different exploits to achieve your goal. The initial phase requires you to identify and leverage a blind SQL injection vulnerability, a common but tricky flaw to exploit. This part of the challenge tests your patience and precision.

After gaining initial access, the challenge shifts to privilege escalation. This is where the box gets really creative. The exploitation path here isn’t immediately obvious and requires you to dig into system configurations and user permissions. You’ll need to understand how Linux groups can be misconfigured to create a path to root.

This combination of web application security and Linux privilege escalation makes Interpreter a well-rounded and rewarding machine. It forces you to think like an attacker, connecting disparate pieces of information to build a complete exploitation chain from start to finish.

Objectives and Expected Skill Level

The main objective of the Interpreter machine is to build your practical skills in a real-world penetration testing scenario. You will start with a web application, find a way in, and then work your way up to full system control. This process is designed to reinforce fundamental concepts while introducing you to more advanced techniques.

Rated as a medium-difficulty box, Interpreter is ideal for those who have a solid grasp of the basics and are ready to tackle more complex challenges. You should be comfortable with tools for scanning and enumeration and have some experience with web application vulnerabilities. It’s a step up from beginner boxes but doesn’t require the deep expertise needed for insane-level machines.

By completing this challenge, you will gain hands-on experience with SQL injection, privilege escalation through group misconfigurations, and the importance of thorough enumeration. These are valuable skills that are directly applicable to professional penetration testing engagements.

ALSO READ: Mastering WingData: Beginner’s Guide from HackTheBox

Initial Foothold

Intelligence Gathering & Network Reconnaissance

Every successful engagement begins with a comprehensive mapping of the attack surface. For “Interpreter,” our initial scan reveals a sophisticated stack of Java-based middleware and standard remote access protocols.

Port Scanning and Service Fingerprinting

Using rustscan and nmap, we identify the following active listeners:

• Port 22 (SSH): OpenSSH 9.2p1 (Debian). Standard entry point for authenticated users.
• Port 80/443 (HTTP/HTTPS): Jetty server hosting the Mirth Connect Administrator interface.
• Port 6661: A specialized port used by Mirth Connect for internal communications.

The presence of Jetty and Mirth Connect immediately shifts our focus. Mirth Connect is a prominent healthcare integration engine used to route HL7 messages. When exposed to the internet, these platforms are high-value targets due to the sensitive nature of the data they process and the complexity of their Java-based architectures.

Web Application Fingerprinting: The Mirth Portal

Browsing to the web interface presents a “Mirth Connect Administrator” portal. While the web UI offers limited direct interaction, the Java Web Start (JNLP) file provided for the desktop client contains vital metadata.

For the JNPL Mirth Admin Script access, Please Buy me a Coffee

By analyzing the launch.jnlp file, we confirm the exact version: NextGen Connect 4.4.0. This specific version is notorious in the security community for its susceptibility to deserialization attacks.

Exploitation: The Mirth Connect Vulnerability (CVE-2023-43208)

The core of the initial compromise lies in CVE-2023-43208. This is a bypass of an earlier, incomplete fix (CVE-2023-37679) for a vulnerability in the way Mirth Connect handles XML data.

Technical Deep Dive: The Deserialization Flaw

Mirth Connect uses the XStream library to convert XML data into Java objects (unmarshalling). The application exposes REST API endpoints that accept application/xml payloads. In version 4.4.0, certain servlets (like UserServlet and SystemServlet) were configured to disable authentication checks during the initial request handling.

The vulnerability occurs in the XmlMessageBodyReader class. It intercepts incoming XML and passes it to ObjectXMLSerializer. Because XStream, by default, can be manipulated to instantiate arbitrary classes, an attacker can craft a “gadget chain”—a sequence of Java objects that, when deserialized, execute a command.

Execution via Metasploit

A reliable Metasploit module exists for this vulnerability. By targeting the HTTPS service on port 443 and configuring the FETCH_COMMAND to wget (a common utility on Debian systems), we can trigger the reverse shell.

The Attack Flow:

1. Request: We send a malicious XML payload to an unauthenticated API endpoint.
2. Processing: The server’s XmlMessageBodyReader attempts to deserialize the XML.
3. Trigger: The XStream gadget chain executes bash -c to download and run our Meterpreter stager.
4. Result: A shell is returned as the service account mirth.

For the XmlMessageBodyReader Script access, Please Buy me a Coffee

Post-Exploitation & Data Mining

With a foothold as the mirth user, we must move laterally. In Java environments, configuration files are the “gold mines” of internal intelligence.

Analyzing mirth.properties

The primary configuration file is located at /usr/local/mirthconnect/conf/mirth.properties. This file reveals:

• Keystore Secrets: Passwords for the JKS files used for TLS (though not immediately useful for root).
• Database Credentials: MariaDB credentials for the mirthdb user: MirthPass123!.

Database Forensics: Dumping the PERSON Table

Connecting to the local MariaDB instance (mc_bdd_prod), we find the PERSON and PERSON_PASSWORD tables. These tables store the application’s administrative users. We identify a user named sedric with a Base64-encoded password hash.

Cryptographic Analysis: Cracking PBKDF2-HMAC-SHA256

Mirth Connect 4.4.0 uses a highly secure hashing scheme: PBKDF2-HMAC-SHA256. Unlike standard MD5 or SHA1, PBKDF2 is “stretched” to prevent brute-force attacks.

Understanding the Hash Structure

The 40-byte hash extracted from the database is a concatenation of:

• Salt (8 bytes): Used to prevent rainbow table attacks.
• Derived Key (32 bytes): The actual hashed output.

The iteration count is a staggering 600,000. This means for every single password guess, the computer must perform 600,000 SHA-256 operations.

For the pbkdf Extract & Crack Script access, Please Buy me a Coffee

The Recovery Process

Using a custom Python script or Hashcat (Mode 10900), we supply the salt and the derived key. Despite the high iteration count, the password “snowflake1” is found within the standard rockyou.txt wordlist. This highlights a critical lesson in security: even the strongest hashing algorithms cannot protect weak, dictionary-based passwords.

We successfully transition from the mirth service account to the user sedric via SSH.

Root Escalation: The Python F-String Injection

The final stage of “Interpreter” requires an advanced understanding of Python’s dynamic execution models. System enumeration reveals a root-owned process running a script: /usr/local/bin/notif.py.

Source Code Review: notif.py

The script is a local Flask server listening on port 54321. It processes XML data representing patient records. The critical vulnerability exists in the template function:

template = f"Patient {first} {last} ({gender}), {{datetime.now().year - year_of_birth}} years old, received from {sender} at {ts}"
try:
    return eval(f"f'''{template}'''")
except Exception as e:
    return f"[EVAL_ERROR] {e}"

For the Complete notif.py Script access, Please Buy me a Coffee

Vulnerability Analysis: Double Evaluation

The code performs a “double evaluation.” It first creates a string using a standard f-string, then it wraps that string into another f-string and passes it to eval().

In Python, anything wrapped in curly braces {} within an f-string is executed as code. If we can inject {code_here} into any of the variables (first, last, sender, etc.), it will be executed as the root user when eval() is called.

Bypassing the Regex Guard

The script employs a regex filter: r"^[a-zA-Z0-9._'\"(){}=+/]+$". What is blocked?

• Spaces (critical for shell commands).
• Commas.
• Brackets [].
• Semicolons.

What is allowed?

• Parentheses ().
• Quotes ".
• Dots ..
• Slashes /.

Crafting the Payload

To execute a command like id or bash, we need spaces. We can bypass the space restriction by using Base64 encoding.

1. The Payload: {__import__("os").popen(__import__("base64").b64decode("BASE64_ENCODED_COMMAND").decode()).read()}
2. The Primitive: We use install -o root -m 4755 /bin/bash /tmp/.sh as our command. This creates a SUID bash shell in /tmp.
3. Delivery: We wrap this payload in the <sender_app> tag of an XML request and send it via wget to the local port 54321.

For the complete exploit script, Please Buy me a Coffee

The server processes the XML, the regex allows our characters, and eval() executes our Python code. We execute /tmp/.sh -p and obtain a root shell.

For a non-public writeup, please buy me a coffee

ALSO READ: Mastering Pterodactyl: Beginner’s Guide from HackTheBox

Key Features and Unique Aspects of Interpreter HackTheBox

Interpreter presents a classic penetration testing flow with a few unique twists. After discovering the web server, you’ll find a login page and a hidden directory that hosts a simple content management system. The path to getting credentials isn’t straightforward and relies on a time-based vulnerability.

The privilege escalation phase is particularly noteworthy. It moves away from common kernel exploits and instead focuses on misconfigured user permissions within the Linux operating system. This unique aspect requires careful enumeration of the server’s environment and a creative approach to gain root access. Let’s look closer at the services and vulnerabilities you’ll encounter.

Notable Services and Attack Surfaces

Your initial port scan will reveal the primary attack surfaces on the Interpreter machine. Unlike some boxes that have many open services like an FTP server, this one is more focused, which helps you narrow down your initial efforts. A thorough scan is the first step to understanding what you’re up against.

The scan shows two main services running, which will be your entry points for the exploitation phase. These services are the foundation of your attack.

• SSH (TCP Port 22): OpenSSH is running, but you won’t be able to access it without credentials. This will become your entry point after you compromise the web application.
• HTTP (TCP Port 80): An Apache web server is active. This is your primary attack surface and where you’ll spend most of your initial enumeration time.

By focusing on the web server first, you can begin to probe for weaknesses. The limited number of services means you can dedicate your attention to fully enumerating the web application and its underlying components to find a way in.

Types of Vulnerabilities Commonly Found

The Interpreter box focuses on specific, real-world vulnerabilities rather than a broad range of them. The primary web vulnerability you’ll exploit is a blind SQL injection. This type of SQLi is challenging because the server doesn’t return data directly in its response, forcing you to infer information based on its behavior, such as response times.

Other common vulnerability types, like remote code execution or a file inclusion vulnerability, are not the main focus here, though the principles of command execution are relevant in the privilege escalation stage. The machine avoids more complex exploits like a buffer overflow.

The exploitation path is clear but requires precision. Here’s a breakdown of the key vulnerability and the subsequent misconfiguration you’ll leverage.

Essential Skills and Preparation for Interpreter HTB Writeup

To successfully conquer the Interpreter machine, you’ll need a combination of technical knowledge and the right set of tools. Familiarity with basic Linux commands and web application penetration testing concepts is a must. A little scripting knowledge, particularly with Python, can also be very helpful for automating parts of the exploitation process.

You should be comfortable using tools like Nmap for scanning, Gobuster for directory brute-forcing, and Burp Suite for intercepting and manipulating web traffic. These tools are staples in any penetration tester’s arsenal and will be crucial for this challenge. Let’s go over the specific knowledge and resources you’ll need.

Fundamental Knowledge and Tools Needed

Before you start, make sure you have a good understanding of the TCP/IP stack and how web applications work. You should know how to interpret the output of a port scan and understand the difference between various HTTP response codes. This foundational knowledge will make the enumeration phase much smoother.

You will also need a few essential tools in your hacking toolkit. While you can often find multiple tools for the same job, the ones listed below are highly effective for this particular box and are commonly used in the industry.

• Nmap: For initial port scanning and service enumeration to identify open ports like HTTP and SSH.
• Gobuster: To discover hidden directories and files on the web server that aren’t linked from the main page.
• Web Browser with Developer Tools: For inspecting page source, analyzing network requests, and interacting with the web application.

With these tools and a solid understanding of the basics, you’ll be well-equipped to begin your assault on the Interpreter machine. The key is to be systematic and thorough in your approach.

Recommended Learning Resources and References

If you get stuck or want to see how others approached the challenge, there are plenty of resources available. Looking at another person’s writeup can provide new insights and teach you different techniques. A quick search on Google for “Interpreter HTB writeup” will yield many helpful articles and videos.

Many security professionals and enthusiasts maintain a blog where they post detailed walkthroughs of HackTheBox machines. These blogs are often the best place to find high-quality information, as they typically explain the “why” behind each step, not just the “how.” Be sure to check out a few different ones to get a well-rounded perspective.

Here are some places to find reliable resources:

• Official HackTheBox Forums: Once a machine is retired, official walkthroughs and user-submitted writeups become available.
• Personal Security Blogs: Many hackers share their solutions. Search for the machine name plus “writeup” or “walkthrough.”
• YouTube: Video walkthroughs can be extremely helpful for visualizing the exploitation process.
• Packet Storm: A great resource for finding proof-of-concept exploit scripts, like the one used for the SQL injection in this challenge. Simply copy the URL of the script to use it.

Common Challenges and Mistakes for Beginners

When tackling the Interpreter machine, beginners often stumble in a few key areas. The enumeration process can be a major hurdle if you’re not thorough enough. It’s easy to miss the subtle clues that point toward the correct vulnerability if you rush through your scans.

Another common challenge is the privilege escalation phase. The method used here is less common than a simple kernel exploit, requiring more creative thinking. Rushing the exploitation can lead to dead ends and frustration. Let’s examine some specific pitfalls to avoid during enumeration and privilege escalation.

Pitfalls in Enumeration and Exploitation

A common mistake during the enumeration phase is not investigating the web server’s software version thoroughly. The CMS Made Simple version used on this box is outdated and has a known public exploit. Overlooking this piece of sensitive information will leave you stuck at the very first stage.

Another pitfall is running automated scanners like Gobuster too aggressively. The homepage explicitly warns about banning any IP address that generates too many requests. This is a deliberate trap to slow you down and encourage a more careful, targeted approach to enumeration. Ignoring this warning can get you temporarily blocked.

Finally, when you successfully run the SQL injection exploit to get credentials, it’s crucial to use the correct wordlist for cracking the password hash. The exploit script will retrieve the username, email, and a password hash.

• Not identifying the CMS version: Failing to find the software version means you won’t know which exploit to use.
• Ignoring server warnings: Running aggressive scans can get your IP blocked, halting your progress.
• Using an ineffective wordlist: A weak wordlist may fail to crack the password, preventing you from getting the credentials needed for SSH access.

Avoiding Privilege Escalation Errors

Once you have an SSH session as the user ‘jkr’, the next step is privilege escalation. A frequent error here is focusing only on finding SUID binaries or running automated scripts like LinEnum without carefully analyzing the output. The key to root access on this machine is hidden in the user’s group memberships.

Many beginners overlook the permissions of the ‘staff’ group. This group has write access to directories that are in the root user’s PATH. Failing to identify this misconfiguration means you’ll miss the intended path to elevate your privileges. It is a subtle but powerful vector.

Another mistake is not observing system processes correctly. After gaining a shell, you need to monitor what the system is doing, especially what root is running. The solution involves hijacking a script that root executes when a user logs in via SSH.

• Ignoring group memberships: Overlooking the ‘staff’ group’s special permissions is a critical error.
• Not monitoring processes: Failing to see that root runs ‘run-parts’ on SSH login will cause you to miss the hijack opportunity for root access.

Step-by-Step Beginner’s Guide to Conquering Interpreter on HackTheBox

Ready to get your hands dirty? This section will walk you through the entire process of conquering the Interpreter machine, from initial reconnaissance to gaining root access. We’ll cover each step in detail, ensuring you understand the techniques used for exploitation and privilege escalation.

Our goal is to get an initial shell on the box and then elevate our privileges to become the root user. We won’t need a complex reverse shell script for this machine, as the path involves gaining direct SSH access. Let’s start by making sure you have everything you need.

What You Need Before You Start (Accounts, Tools, Setup)

Before diving in, let’s get your setup ready. First and foremost, you’ll need an account on HackTheBox to access the machine. Once you’re logged in, you can connect to the lab network using the provided VPN configuration file. This will allow your machine to communicate with the target box.

Your attacking machine should be equipped with a standard set of penetration testing tools. Most Linux distributions designed for security, such as Kali Linux or Parrot OS, come with everything you’ll need pre-installed. You’ll primarily rely on your terminal, a web browser, and a few specific command-line tools.

Here’s a quick checklist of the essential tools and accounts for this challenge:

• HackTheBox Account: To access the Interpreter machine and the HTB network.
• VPN Connection: To connect your machine to the HackTheBox labs.
• A Linux-based OS: With tools like Nmap, Gobuster, and a Python environment.

With this setup in place, you’re ready to begin the first phase of the attack: reconnaissance.

Step 1: Initial Reconnaissance and Scanning Techniques

The first step in any penetration test is reconnaissance. You need to know what you’re up against. Start by performing a port scan on the target IP address assigned to the Interpreter machine. A tool like Nmap is perfect for this task. The goal is to identify all open ports and the services running on them.

A comprehensive scan will reveal that the machine has two open TCP ports. This immediately narrows your focus and gives you a clear starting point. The services running on these ports are common and should be familiar to you.

Your Nmap scan should identify the following open ports:

• Port 22: Running OpenSSH. This is a potential entry point if you can find credentials.
• Port 80: Running an Apache web server. This will be your primary target for initial enumeration.
• No other ports: The limited number of services helps you concentrate on the most likely attack vectors.

With this information, your next move is to investigate the web server on port 80 to see what you can find.

Step 2: Enumerating Services and Identifying Vulnerabilities

Now that you’ve identified the web service, it’s time for deeper enumeration. Open the IP address in your browser to see the website. The homepage doesn’t offer much, but it mentions that it’s “under DoS attack,” a hint to be careful with aggressive scanning. Unlike machines with an FTP service, your focus here is entirely on HTTP.

Check the robots.txt file, as it often contains clues. You’ll find a disallowed entry: /writeup/. Navigating to this directory reveals a blog platform. Inspecting the page source shows it’s built with “CMS Made Simple.” A quick search for this CMS version reveals a critical vulnerability: a blind SQL injection.

Here’s how to pinpoint the vulnerability:

• Visit the website: Examine the home page and look for any interesting links or comments.
• Check robots.txt: Discover the /writeup/ directory.
• Identify the software: Look at the HTML source of the /writeup/ page to find it uses CMS Made Simple and identify its version. This leads you to the specific SQL injection vulnerability.

Step 3: Gaining an Initial Foothold on the Interpreter Box

With the vulnerability identified, the next step is exploitation. You’ll use a public exploit script for the CMS Made Simple SQL injection flaw. This script automates the process of extracting data from the database by sending timed queries to the server. Your goal is to retrieve a username and password hash.

Once you run the exploit script, it will dump the username, ‘jkr’, and a password hash. The script even has a feature to crack the hash for you using a provided wordlist. Using a common wordlist like rockyou.txt will quickly reveal the user’s password.

Now you have the credentials needed to gain an initial shell.

• Run the exploit script: Use the Python script for the blind SQL injection to extract the user’s credentials.
• Crack the password: Use a wordlist to crack the retrieved hash and get the plain-text password.
• Login via SSH: Use the username and password to establish an SSH session, giving you your first foothold on the machine.

Step 4: Privilege Escalation Strategies for Interpreter

After gaining an initial shell as ‘jkr’, the final objective is privilege escalation to root access. Start by enumerating the user’s permissions. Running the id command shows that ‘jkr’ is part of the ‘staff’ group. This group has special write permissions in /usr/local/bin, a directory that comes first in the root user’s PATH.

Next, you need to find a process run by root that you can hijack. By monitoring processes as you log in with a new SSH session, you’ll see that root executes run-parts from a PATH that prioritizes /usr/local/bin. This is your opportunity. You don’t need a reverse shell payload; you can create a malicious script.

The strategy is to create a fake run-parts script, place it in /usr/local/bin, and make it executable.

• Identify group permissions: Discover that the user is in the ‘staff’ group with write access to /usr/local/bin.
• Find a hijackable process: Observe that root runs run-parts on SSH login.
• Create a malicious script: Write a script named run-parts that copies /bin/bash and sets the SUID bit, then place it in /usr/local/bin. Log in again via SSH to trigger it and gain root access.

Tips, Tricks, and Best Practices for Interpreter HackTheBox

To make your experience on the Interpreter machine smoother, there are a few best practices to keep in mind. Efficient enumeration is key; knowing what to look for and where can save you a lot of time. Rushing the process is a common mistake that leads to missed clues.

Another crucial habit is documentation. Keeping detailed notes of your findings, commands, and thought processes will help you stay organized and connect the dots. These practical skills are just as important as technical knowledge. Below are some tips on how to improve your enumeration and organization.

Efficient Enumeration Methods

Instead of running a noisy, full-directory Gobuster scan right away, start with more targeted enumeration. The warning on the homepage is a clear hint to be stealthy. Begin by manually exploring the website and looking for files like robots.txt or sitemap.xml. These can often point you directly to interesting folders.

When you do use a tool like Gobuster, use a smaller, more targeted wordlist first. Look for common directory names like admin, blog, dev, or test. This is less likely to trigger security alerts and can often yield results faster than a massive brute-force scan.

Focus on quality over quantity in your enumeration.

• Manual checks first: Always start by checking for robots.txt and inspecting the page source manually.
• Use targeted wordlists: When using automated tools, start with smaller, more common wordlists to avoid detection and find low-hanging fruit quickly.
• Identify software versions: Once you find a piece of software (like a CMS), immediately search for its version number to find known exploits. This is often the fastest path to a vulnerability.

Staying Organized and Documenting Progress

Keeping organized is a skill that will serve you well in any penetration test. As you progress through the Interpreter box, you’ll gather a lot of information. Without proper documentation, it’s easy to lose track of credentials, vulnerable paths, and potential exploits. Use a note-taking application to document everything.

Create a structured approach to your notes. You could have a separate section or tab for each phase: reconnaissance, initial access, and privilege escalation. In each section, log the commands you run and their output. This creates a clear record of your progress and helps you retrace your steps if you hit a dead end.

Here are a few tips for effective documentation:

• Use a dedicated note-taking app: Tools like CherryTree, Obsidian, or even a simple text file can work.
• Structure your notes: Organize your findings by phase (e.g., Nmap scans, web enumeration, discovered credentials).
• Screenshot important findings: A picture of a key configuration file or error message can be invaluable later on.

Conclusion

In conclusion, conquering the Interpreter machine on HackTheBox is an exciting journey that blends skills, strategy, and persistence. By understanding its unique features and challenges, you can navigate this learning experience effectively. From initial reconnaissance to privilege escalation, each step is crucial in developing your abilities as a penetration tester. Remember to document your progress and avoid common pitfalls, as these practices will enhance your overall performance. As you dive deeper into this challenge, keep honing your skills and stay connected with others in the community. If you’re eager to stay updated and receive more tips, don’t forget to subscribe!

Frequently Asked Questions

How difficult is the Interpreter HackTheBox machine compared to others?

Interpreter is rated as a medium-difficulty machine on HackTheBox. It is more complex than easy boxes, requiring a multi-step vulnerability chain. However, it is a great stepping stone for those looking to build practical skills in penetration testing before moving on to hard or insane-level challenges.

Which vulnerabilities are typically exploited in Interpreter HackTheBox?

The primary vulnerability exploited on the Interpreter machine is a blind SQL injection in an outdated version of CMS Made Simple. This is used to gain initial credentials. Privilege escalation is achieved by abusing misconfigured group permissions, not through exploits like remote code execution or buffer overflow.

Where can I find reliable Interpreter HTB Writeup resources?

You can find reliable writeups by searching on Google for “Interpreter HTB writeup.” Many security professionals post detailed walkthroughs on their personal blog. The official HackTheBox forums and various YouTube channels are also excellent resources for different perspectives and step-by-step guides.

Are custom exploits or scripts needed for Interpreter HackTheBox?

You do not need to write custom exploits from scratch. A publicly available Python script is used for the SQL injection. For privilege escalation, you will write a simple shell script to hijack a process, but it does not require complex coding or a reverse shell payload.