🎯 Executive Summary

The Browsed machine was compromised by abusing a trusted Chrome extension upload workflow. A malicious extension was uploaded and later installed by a developer, resulting in automatic JavaScript execution on all visited websites. This provided a browser-context SSRF primitive, allowing access to internal services bound to localhost.

The SSRF was used to reach an internal Flask application vulnerable to Bash arithmetic expansion injection, leading to remote command execution and a reverse shell as the user larry. Privilege escalation was achieved via a misconfigured sudo rule allowing execution of a Python tool as root. A world-writable __pycache__ directory enabled Python .pyc cache poisoning, resulting in arbitrary code execution during module import and a root shell.
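As an added example (not part of the original writeup), here is a defender-side audit for the misconfiguration behind the privilege escalation described above: a `__pycache__` directory, or a cached `.pyc`, that users other than its owner can write to. The function names, directory names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Write bits for group and other: anyone besides the owner who can modify the cache.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def audit_pycache(root):
    """Find bytecode caches under root that a non-owner could tamper with."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != "__pycache__":
            continue
        dirnames[:] = []  # nothing of interest below a cache directory
        st = os.lstat(dirpath)
        if st.st_mode & WRITABLE_BY_OTHERS:
            mode = stat.S_IMODE(st.st_mode)
            findings.append((dirpath, "cache directory mode %o" % mode))
        # Cached bytecode should belong to whoever owns the package directory.
        parent_uid = os.lstat(os.path.dirname(dirpath)).st_uid
        for name in filenames:
            if not name.endswith(".pyc"):
                continue
            path = os.path.join(dirpath, name)
            fst = os.lstat(path)
            if fst.st_mode & WRITABLE_BY_OTHERS:
                findings.append((path, "writable .pyc"))
            elif fst.st_uid != parent_uid:
                findings.append((path, "owner differs from package directory"))
    return findings

def demo():
    """Build a constructed tree: one tight cache, one world-writable cache."""
    root = tempfile.mkdtemp(prefix="pycache_audit_")
    for pkg, mode in (("good_tool", 0o755), ("bad_tool", 0o777)):
        cache = os.path.join(root, pkg, "__pycache__")
        os.makedirs(cache)
        pyc = os.path.join(cache, "util.cpython-312.pyc")
        open(pyc, "wb").close()
        os.chmod(pyc, 0o644)
        os.chmod(cache, mode)  # chmod is not affected by the umask
    return root, audit_pycache(root)

if __name__ == "__main__":
    for path, reason in demo()[1]:
        print(reason, path)
```

Point `audit_pycache` at the directory of any Python tool that a sudo rule allows to run as root; every finding is a place where bytecode loaded at import time is not under the owner's sole control.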

1. Reconnaissance - Surface Discovery

1.1 Port Scanning

We begin with a full TCP scan to ensure no hidden services are missed.

# Aggressive full-range scan with service detection
rustscan -a 10.10.8.1 --ulimit 5000 -r 1-65535 -- -A -sS -Pn -oA browsed

1.2 Scan Results

22/tcp open  ssh     syn-ack OpenSSH 9.6p1 Ubuntu (protocol 2.0)
80/tcp open  http    syn-ack nginx 1.24.0 (Ubuntu)
|_http-title: Browsed

Observations

  • SSH likely requires credentials
  • Web server is the main attack surface
  • Title hints at browser-related functionality

1.3 Host Configuration

During enumeration, multiple virtual hosts are discovered. These must be added locally.

echo "10.10.8.1 browsed.htb browsedinternals.htb" | sudo tee -a /etc/hosts


This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.
