A walkthrough of the HackTheBox machine 'Browsed', a Linux box running a browser extension repository. Uploaded extensions are tested in a headless Chrome instance, and Chrome debug logs reveal an internal Gitea instance and a Python Flask app on localhost. The attack chain involves crafting a malicious Chrome extension with a background service worker to perform SSRF against the internal Flask app, then exploiting a Bash arithmetic evaluation injection in a shell script for RCE. Privilege escalation to root is achieved by poisoning a Python bytecode (.pyc) file in a world-writable __pycache__ directory that is imported by a sudo-allowed script.
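The final step above depends on a precondition a defender can audit for: a `__pycache__` directory that a low-privileged user can write to, next to a module imported by a script run under `sudo`. The following is an added example (not code from the walkthrough or the box) that flags such directories and, using the PEP 552 `.pyc` header, reports which cached bytecode CPython would load as-is instead of recompiling from source; the `build_fixture` helper is a constructed reproduction of the misconfiguration and assumes Python 3.7+.

```python
import importlib.util
import py_compile
import stat
import struct
import tempfile
from pathlib import Path

# Hypothetical audit helpers (not from the walkthrough): find __pycache__
# directories where an unprivileged user could plant bytecode that a
# sudo-allowed script would import without recompiling from source.

def header_matches_source(pyc_path: Path, src_path: Path) -> bool:
    """True when the 16-byte header (magic, flags, mtime, size) agrees with
    the source file; CPython loads a timestamp-based .pyc only in that case."""
    with pyc_path.open("rb") as fh:
        header = fh.read(16)
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        return False
    flags, mtime, size = struct.unpack("<III", header[4:])
    if flags & 0x1:  # hash-based pyc: checked against a source hash, not mtime/size
        return True
    st = src_path.stat()
    return mtime == (int(st.st_mtime) & 0xFFFFFFFF) and size == (st.st_size & 0xFFFFFFFF)

def audit_pycache(root: Path) -> list:
    """Return findings for every __pycache__ below root."""
    findings = []
    for cache in root.rglob("__pycache__"):
        dir_writable = bool(cache.stat().st_mode & stat.S_IWOTH)
        if dir_writable:
            findings.append(f"world-writable cache dir: {cache}")
        for pyc in cache.glob("*.pyc"):
            src = cache.parent / (pyc.name.split(".")[0] + ".py")
            if pyc.stat().st_mode & stat.S_IWOTH:
                findings.append(f"world-writable bytecode: {pyc}")
            if not src.exists():
                findings.append(f"orphan bytecode with no source: {pyc}")
            elif dir_writable and header_matches_source(pyc, src):
                findings.append(f"loadable bytecode in writable cache: {pyc}")
    return findings

def build_fixture() -> Path:
    """Constructed fixture: a module whose __pycache__ was left world-writable."""
    root = Path(tempfile.mkdtemp())
    src = root / "helper.py"
    src.write_text("VALUE = 1\n")
    py_compile.compile(str(src))  # writes root/__pycache__/helper.cpython-XY.pyc
    (root / "__pycache__").chmod(0o777)
    return root

if __name__ == "__main__":
    for line in audit_pycache(build_fixture()):
        print(line)
```

Running the same audit over `sys.path` entries and the directories referenced by `sudoers` entries, or setting `PYTHONDONTWRITEBYTECODE` / `python -B` for privileged scripts, removes the cache as a dependency of what runs as root.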