Guardian is a Linux box hosting a university portal built with PHP. I’ll exploit an IDOR in the chat feature to find Gitea credentials, then use the source code to identify a vulnerability in PhpSpreadsheet that allows XSS through a malicious XLSX file to steal a lecturer’s session cookie. From the lecturer account, I’ll combine a CSRF vulnerability with a weak CSRF token implementation to create an admin account. As admin, I’ll abuse a local file include with PHP filter chain injection to get RCE. After cracking a database password hash, I’ll pivot through users by modifying a writable Python script. I’ll escalate to root abusing a silly binary wrapper around apache2ctl many ways.

0xdf hacks stuff

A detailed walkthrough of the HackTheBox 'Guardian' Linux machine. The attack chain involves exploiting an IDOR vulnerability in a PHP university portal's chat feature to retrieve Gitea credentials, then leveraging a known XSS vulnerability in PhpSpreadsheet (CVE-2025-22131) via a malicious XLSX file to steal a lecturer's session cookie. From there, a CSRF vulnerability with weak token implementation is used to create an admin account. Admin access enables local file inclusion with PHP filter chain injection for RCE. Privilege escalation proceeds through cracking a database password hash, modifying a writable Python script to pivot between users, and abusing a binary wrapper around apache2ctl to reach root.

HTB: Guardian