symphony2colour/htb-browsed-rce

Browsed HTB – Extension Upload → Routine Injection PoC

Hack The Box – Browsed
Proof-of-Concept demonstrating abuse of a Chrome extension upload feature combined with unsafe server-side routine execution.

Overview

This repository contains a Python proof-of-concept that targets the Browsed HTB machine.
The attack chain abuses:

  1. A Chrome extension upload feature
  2. A Flask endpoint that forwards user-controlled input into a Bash script
  3. Improper validation of routine identifiers, allowing command injection

The PoC automates:

  • Building a malicious Chrome extension
  • Uploading it using an anonymous PHP session
  • Triggering server-side execution via a crafted request

Repository Structure

.
├── browsed_rce.py        # Main PoC script
├── README.md             # Documentation
└── extension_build/      # Generated at runtime
    ├── content.js
    └── manifest.json

Requirements

  • Python 3.9+
  • Linux environment
  • nc (netcat)
  • Python dependencies:
    • requests

Install dependencies:

pip install requests

Usage

python browsed_rce.py <IP> <PORT>

Example

python browsed_rce.py 10.10.15.157 5050

Optional Flags

Flag          Description
--no-listen   Skip starting a local listener

High-Level Attack Flow

1️⃣ Payload Generation

The script generates a command string, base64-encodes it, and treats it strictly as data.


2️⃣ Malicious Chrome Extension

The PoC dynamically generates:

  • content.js
  • manifest.json

These are packaged into a ZIP and uploaded to the target application.


3️⃣ Upload & Session Handling

  • A new anonymous PHP session is created automatically
  • The extension ZIP is uploaded using browser-like headers

4️⃣ Vulnerable Backend Logic

The Flask backend exposes the following route (shown with the imports and the return value the snippet omits; the unsafe call is unchanged):

from flask import Flask
import subprocess

app = Flask(__name__)

@app.route('/routines/<rid>')
def routines(rid):
    # rid comes straight from the URL path and is handed to the Bash script
    # without any validation; the list form avoids a shell at the Python
    # level, but routines.sh itself interprets the value.
    subprocess.run(["./routines.sh", rid])
    return "ok"

  • rid is fully user-controlled
  • Passed directly to a Bash script
  • No validation or sanitization is applied

5️⃣ Bash Script Behavior

The Bash script expects numeric routine IDs but does not strictly enforce them, allowing crafted input to reach the shell.


Root Cause Summary

Issue                    Description
Unsafe subprocess usage  User input forwarded to Bash
No strict validation     Assumes numeric routine IDs
Extension upload trust   User-controlled JS allowed
Local-only assumption    Flask bound to 127.0.0.1

Defensive Recommendations

  • Never pass user input directly to shell scripts
  • Avoid subprocess when not strictly required
  • Replace shell logic with internal Python functions
  • Validate and restrict uploaded extension content
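The following is an added example, not code from this repository or from the Browsed machine. It shows how the vulnerable route above would look once the first three recommendations are applied: routine IDs are checked as strict ASCII digits and dispatched to allow-listed Python functions instead of a Bash script. The routine names, the view function and the status codes are assumptions; the view mirrors a Flask handler's (body, status) return but does not import Flask so it runs stand-alone. It also shows two checks that look strict but are not: a `^\d+$` regex with re.match accepts a trailing newline and non-ASCII digits.

```python
import re
from typing import Callable, Dict, Tuple

# Weak check, kept only to show the pitfall: with re.match, `$` also matches
# just before a trailing newline, and `\d` accepts any Unicode decimal digit,
# so "42\n" and Arabic-Indic "٤٢" both pass.
def weak_is_numeric(rid: str) -> bool:
    return re.match(r"^\d+$", rid) is not None

# Strict check: ASCII digits only, bounded length, whole-string match.
ROUTINE_ID = re.compile(r"[0-9]{1,6}")

def strict_is_numeric(rid: str) -> bool:
    return ROUTINE_ID.fullmatch(rid) is not None

# Hypothetical internal routines replacing ./routines.sh (assumed names).
def _backup() -> str:
    return "backup: done"

def _cleanup() -> str:
    return "cleanup: done"

# Allow-list: only IDs present here can ever be executed.
ROUTINES: Dict[int, Callable[[], str]] = {1: _backup, 2: _cleanup}

def routines_view(rid: str) -> Tuple[str, int]:
    """Hardened replacement for the /routines/<rid> handler.

    Validates rid, then dispatches to a Python function; no subprocess,
    no shell. Returns (body, http_status) like a Flask view would.
    """
    if not strict_is_numeric(rid):
        return "invalid routine id", 400
    fn = ROUTINES.get(int(rid))
    if fn is None:
        return "unknown routine id", 404
    return fn(), 200
```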

Disclaimer

This project is intended solely for educational purposes in controlled lab environments such as Hack The Box.

Do not use this code against systems you do not own or have explicit permission to test.


About

This repo contains an RCE exploit for the Browsed HTB machine.
