Tech Moves: Expedia names first AI chief; Textio founder joins Microsoft; T-Mobile exec departs

1 December 2025 at 13:26
Xavier Amatriain. (Expedia Photo)

— Expedia Group appointed Xavier Amatriain as its first chief artificial intelligence officer and data officer. He joins the Seattle-based travel giant from Google where he served as vice president of product in AI and Compute Enablement. Other past employers include Quora, LinkedIn and Netflix.

“[Amatriain’s] deep expertise in building large-scale AI platforms will help redefine how people experience travel,” Expedia CTO Ramana Thumu said in a statement. “Expedia Group operates at a scale few can match, and we invest deeply in our talent, giving technologists the space to learn, experiment, and push the boundaries of what AI can do.”

Amatriain, based in San Jose, Calif., has mapped a diverse career path — he’s been a university professor in Spain, a healthcare startup co-founder, a researcher, and an engineering leader.

Textio co-founder and former CEO Kieran Snyder. (Photo courtesy of Kieran Snyder)

— Textio co-founder and former CEO Kieran Snyder returned to Microsoft as vice president of AI transformation.

“My goal in this new role is to help Microsoft be the best living case study of effective, human AI transformation in the world,” Snyder said on LinkedIn.

Snyder began her tech career at Microsoft in 2004, working on the Bing search engine and Windows. In 2014, she launched Textio, which claims to be the first-to-market venture using AI for HR functions. The company’s software helps organizations recruit, hire and retain inclusive teams.

Over the past two years, Snyder ran a business called “nerd processor,” which offered research and leadership coaching, and served as chief scientist emeritus at Textio, where she is now on the board of directors.

— Ross Tennenbaum is leaving his role as president of Avalara for a new role with an unnamed public company, according to the Puget Sound Business Journal. Tennenbaum joined the tax software giant in 2019 and was previously CFO. He worked at Goldman Sachs and Credit Suisse before joining Avalara, which relocated its headquarters from Seattle to North Carolina following its acquisition by Vista Equity Partners in 2022. It filed to go public, again, earlier this year.

Janice Kapner. (LinkedIn Photo)

— After more than 12 years at T-Mobile, Janice Kapner is leaving the telecommunications giant. Kapner was chief communications and corporate responsibility officer and executive VP at the Bellevue, Wash., company where she led a team of more than 160 employees.

“From Magenta sneakers and confetti cannons to competitive stunts, big bets, and a front-line team that made the brand burst off the page and into the world — these are moments I’ll never forget,” Kapner said on LinkedIn. “They shaped me as much as I helped shape them.”

Prior to T-Mobile, Kapner was at Microsoft for more than a decade.

Vinita Ananth. (LinkedIn Photo)

— Former Microsoft and Amazon leader Vinita Ananth is now senior director of product for the cloud company Nebius. Ananth, based in the Seattle area, has been working since July on stealth-mode startups HelpViber and FulcrumAX. Ananth called the decision to leave these ventures “difficult and emotional.”

“I’m thrilled that my co-founder will continue driving both HelpViber and FulcrumAX forward, with a strategic focus on customer traction, platform maturity, and meaningful funding milestones over the coming year,” she said on LinkedIn, adding that she’ll continue in advisor and co-founder roles.

Bo English-Wiczling. (LinkedIn Photo)

— PayPal appointed Bo English-Wiczling as VP of global developer relations. English-Wiczling, based in Seattle, joins from Oracle, where she worked for nearly nine years in leadership roles in database product management and developer relations. Previous employers include Amazon and Best Buy.

“After an incredible journey working alongside talented engineers, community leaders, and innovation-minded partners, this new role feels like the perfect next step,” English-Wiczling said on LinkedIn. “I’ll be working at the intersection of PayPal’s global payments platform and developer ecosystems — helping build, grow, and energize the communities and relationships that power our future.”

— Jaimin Gandhi joined Seattle-based AI roleplay startup Yoodli as a product leader. Gandhi’s past roles include leadership positions at Nerdy, Binance, Uber, DocuSign, Microsoft and others.

Over the past year, Gandhi built FourPoint.AI, a tool that helps job seekers improve their communications. While he won’t be adding new features to FourPoint, “I am opening it up for free,” Gandhi said on LinkedIn. “If it helps someone land their next opportunity the way it helped me find mine, that is a meaningful way to pay it forward.”

— Kapil Hetamsaria is now chief business officer of Neo4j, a data analysis, graph intelligence platform. Hetamsaria joins from C3 AI, where he served as a vice president, and was previously co-founder and CEO of Viddl App, a Bellevue-based short-video platform.

— Dave Rosenbaum is leaving his role as senior publications manager at Seattle-based pet sitting company Rover to join Airbnb.

“I have always been a firm believer in the transformative power of travel — discovering new places, trying new foods, and having new experiences,” Rosenbaum wrote on LinkedIn. “Airbnb’s mission is central to this belief that the world offers limitless possibilities.”

Rosenbaum is also a deputy mayor and city council member for Mercer Island, a city east of Seattle, and previously served in legislative roles for members of Congress.

— Ambika Singh, founder and CEO of online clothing rental company Armoire, joined the board of trustees for the Seattle Metro Chamber.

— Pete Fewing, associate athletic director at Seattle University and longtime Sounders FC broadcaster, joined the board of directors for Starfire Sports. The organization provides coding classes, drone summer camps, and other free, after-school sports programming for underprivileged kids in South Seattle.

Hack The Box: Cypher Machine Walkthrough – Medium Difficulty

By: darknite
26 July 2025 at 10:58
Reading Time: 9 minutes

Introduction to Cypher:

In this write-up, we will explore the “Cypher” machine from Hack The Box, categorised as a Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Cypher” machine from Hack The Box by achieving the following objectives:

User Flag: Exploit a vulnerable Neo4j database by injecting a Cypher query to extract a password hash, authenticate via SSH, and retrieve the user flag.

Root Flag: Leverage a misconfigured bbot binary with sudo privileges to execute a command that sets the SUID bit on /bin/bash, granting root access to capture the root flag.

Enumerating the Cypher Machine

Establishing Connectivity

I connected to the Hack The Box environment via OpenVPN using my credentials, running all commands from a Kali Linux virtual machine. The target IP address for the Cypher machine was 10.10.11.57.

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oA initial 10.10.11.57

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/cypher]
└──╼ $nmap -sC -sV -oA initial 10.10.11.57
# Nmap 7.94SVN scan initiated Sun Jul 20 11:35:15 2025 as: nmap -sC -sV -oA initial 10.10.11.57
Nmap scan report for 10.10.11.57
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA)
|_  256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cypher.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 20 11:50:37 2025 -- 1 IP address (1 host up) scanned in 921.53 seconds
┌─[dark@parrot]─[~/Documents/htb/cypher]
└──╼ $

Analysis:

  • 22/tcp (SSH): OpenSSH 8.2p1 running, indicating potential remote access with valid credentials.
  • 80/tcp (HTTP): Apache web server, likely hosting a web application for further enumeration.

Web Enumeration:

I performed directory enumeration on the web server using Gobuster.

gobuster dir -u http://cypher.htb -w /opt/common.txt

Gobuster Output:

Analysis:

  • The web interface revealed a “Try out free demo” button redirecting to /login/.
  • The /api/docs directory was inaccessible or empty.
  • A .jar file was found in /testing/, which seemed unusual and warranted further investigation.

The website interface looks as shown above.

Inspecting the login page at /login/ revealed a form.

In this example, the application builds a database query by directly inserting the username and password the user enters into the query string. Because the system does not properly check or clean these inputs, an attacker can insert special characters or code that changes the query’s intended behaviour. This lack of input validation creates a Cypher injection vulnerability.

Here’s a simplified version of the vulnerable code:

def verify_creds(username, password):
    cypher = f"""
    MATCH (u:USER) -[:SECRET]-> (h:SHA1)
    WHERE u.name = '{username}' AND u.password = '{password}'
    RETURN h.value AS hash
    """
    results = run_cypher(cypher)
    return results

Here, the username and password values are inserted directly into the Cypher query string without any validation or escaping. This allows an attacker to inject malicious Cypher code by crafting special input, leading to a Cypher injection vulnerability.
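The same login check rebuilt side by side with a parameterised version, as an added example that is not the machine's or the author's code. run_cypher() below is a constructed stub that only records what a driver would send (a real app would call the Neo4j driver's Session.run with the query and parameters separately), and looks_like_injection() is a logging-side check for login telemetry, not a substitute for parameterisation.

```python
import re

# Constant query text: $username / $password are Cypher parameters, so whatever
# the user types reaches Neo4j as a value and can never alter the query shape.
LOGIN_QUERY = (
    "MATCH (u:USER)-[:SECRET]->(h:SHA1) "
    "WHERE u.name = $username AND u.password = $password "
    "RETURN h.value AS hash"
)

SENT = []  # constructed stand-in for a driver: records (query, params) pairs


def run_cypher(query, params=None):
    """Stub for the driver's Session.run(query, **params): query and params stay separate."""
    SENT.append((query, dict(params or {})))
    return []


def verify_creds_unsafe(username, password):
    """The page's pattern: input is spliced into the query text (do not use)."""
    cypher = (
        "MATCH (u:USER)-[:SECRET]->(h:SHA1) "
        f"WHERE u.name = '{username}' AND u.password = '{password}' "
        "RETURN h.value AS hash"
    )
    run_cypher(cypher)
    return cypher


def verify_creds_safe(username, password):
    """Hardened form: fixed query text, user input carried as parameters."""
    run_cypher(LOGIN_QUERY, {"username": username, "password": password})
    return LOGIN_QUERY


# Tokens that have no business in a username; worth alerting on in login logs.
SUSPICIOUS = re.compile(r"'|//|/\*|\bOR\b|\bRETURN\b|\bCALL\b|\bLOAD\b", re.IGNORECASE)


def looks_like_injection(value):
    """Detection aid for login telemetry; parameterisation is the actual fix."""
    return bool(SUSPICIOUS.search(value))


if __name__ == "__main__":
    attempt = "test' OR 1=1//"  # the payload shape discussed in this walkthrough
    print(verify_creds_unsafe(attempt, "x"))  # query text now contains OR 1=1//
    print(verify_creds_safe(attempt, "x"))    # query text unchanged
    print(SENT[-1][1])                        # the payload arrives as a plain value
```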

No content found in the /api/docs directory.

A JAR file was located in the /testing/ directory, which appeared suspicious or out of place.

Static Analysis of JAR File Using JADX-GUI on Cypher machine

Examine the JAR file by opening it with jadx-gui.

The Code Walkthrough (Simplified)

The Function Setup

@Procedure(name = "custom.getUrlStatusCode", mode = Mode.READ)
public Stream<StringOutput> getUrlStatusCode(@Name("url") String url)

This creates a special function that anyone can call from the database. It’s like putting up a sign that says “Ring this bell and I’ll check any website for you!” The problem is, no security guard is checking who is ringing the bell or what they’re really asking for.

The Weak Security Check

if (!url.toLowerCase().startsWith("http://") && !url.toLowerCase().startsWith("https://")) {
    url = "https://" + url;
}

The so-called ‘security’ in place is like a bouncer who only checks if you’re wearing shoes before letting you into a club. As long as you have shoes on, you’re allowed in — never mind the fact that you’re holding a crowbar and carrying a bag labeled “STOLEN GOODS.”

The Dangerous Command

String[] command = {"/bin/sh", "-c", "curl -s -o /dev/null --connect-timeout 1 -w %{http_code} " + url};

The real issue arises when the system takes the user-provided URL and passes it straight to the computer as-is, saying, “Execute this exactly as the user entered it.” There’s no validation or filtering, which makes it easy for attackers to sneak in malicious commands.
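A hardened stand-in for getUrlStatusCode(), added here as an example rather than code from the jar: it keeps the scheme-prepending behaviour but validates the URL and hands curl an argument list, so no /bin/sh ever parses the value. Python is used to match the login code above; build_status_command() and run_status_check() are names chosen for this example, and running the check assumes curl is on PATH.

```python
import re
import subprocess
from typing import List
from urllib.parse import urlsplit

HOSTNAME = re.compile(r"[A-Za-z0-9.-]+")  # bare DNS names / IPv4 only (no IPv6 literal)


def build_status_command(url: str) -> List[str]:
    """Return curl argv for `url`, or raise ValueError if it is not a plain http(s) URL."""
    if "://" not in url:            # same convenience as the jar, applied before validation
        url = "https://" + url
    if any(ch.isspace() or ord(ch) < 32 for ch in url):
        raise ValueError("whitespace or control characters in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http and https are allowed")  # no file:, gopher:, ...
    if not parts.hostname or not HOSTNAME.fullmatch(parts.hostname):
        raise ValueError("missing or malformed host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    # argv form: each element is one argument, nothing is parsed by /bin/sh, and
    # "--" stops curl from treating a value that starts with "-" as an option.
    return ["curl", "-s", "-o", "/dev/null", "--connect-timeout", "1",
            "-w", "%{http_code}", "--", url]


def run_status_check(url: str) -> str:
    """Execute the validated command without a shell and return the HTTP status text."""
    done = subprocess.run(build_status_command(url), capture_output=True, text=True)
    return done.stdout.strip()


if __name__ == "__main__":
    print(build_status_command("cypher.htb"))
    for bad in ("cypher.htb; id", "http://cypher.htb/ extra", "file:///etc/hosts"):
        try:
            build_status_command(bad)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```

This removes the shell-injection path only; because the procedure still fetches whatever host it is given, a host allowlist is the natural next restriction.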

Exploitation

Web Application Exploration:

Analyse the login page’s packet by intercepting it, which returns an invalid credentials response.

Review the error that occurred after entering a Cypher injection into the username field.

Cypher Injection on Cypher Machine

Cypher injection happens when an application doesn’t properly check what you type into a login form or search box before sending it to the database. Think of it like filling out a form at a bank: instead of just writing your name, you also add a note telling the bank to open the vault. If the bank employee doesn’t read carefully and just follows the instructions, you could get access to things you shouldn’t.

In the same way, attackers can type special commands into a website’s input fields. If the website passes those commands straight to the database without checking, attackers can trick it into revealing private data or even taking control of the system.

Cypher Injection Verification and Exploitation Steps

This query tries to find a user node labeled USER with the name ‘test’ OR 1=1//‘ and then follows the SECRET relationship to get the related SHA1 node. It returns the value property from that SHA1 node as hash. The extra single quote after ‘test‘ likely causes a syntax error, which may be why the injection triggers an error.

Analyze the next step by modifying the payload to avoid syntax errors and bypass filters.

Analyze the network traffic by executing tcpdump.

Start by testing with the ping command to check for command execution.

We received an immediate response, confirming that the command was successfully executed.

Set up a Python HTTP server to test for outbound connections from the target system.

Attempt to fetch a file that doesn’t exist on the target system to observe the error behaviour.

The attempt was successful, confirming that the system executed the command and reached out as expected.

Start a listener on your machine to catch any incoming reverse connections from the target system.

Call the shell.sh file from your machine, and observe that the request hangs, indicating that the payload was likely executed and the reverse shell is in progress.

The shell.sh file was successfully transferred, confirming that the target system was able to fetch and process the file.

We have successfully gained access as the neo4j user on the target system.

Check the neo4j user’s home directory for any configuration files, databases, or credentials that could aid further exploitation.

The neo4j directory does not contain any files of interest.

A password was found in the .bash_history file.

Connect to the Neo4j database by using the cypher-shell command.

We successfully retrieved the hashes.

Access attempt as graphasm failed.

However, logging in as graphasm over SSH (for example with pwncat-cs) succeeded.

We successfully obtained the user flag.

Escalate to Root Privileges Access

Privilege Escalation:

The sudo -l command reveals the presence of the bbot binary with elevated privileges.

Executing sudo /usr/local/bin/bbot -cy /root/root.txt -d --dry-run returns the root flag.


The bbot_present.yaml file contains important configuration details. It specifies the target as ecorp.htb and sets the output directory to /home/graphasm/bbot_scans. Under the configuration section, the Neo4j module is configured with the username neo4j and the password cU4btyib.20xtCMCXkBmerhK.

The dark.yml file specifies the module_dirs configuration with a directory path set to ["/home/graphasm"]. This indicates where the system will look for custom modules to load.

In the dark.py script, which imports BaseModule from bbot.modules.base, there is a class named dark that runs the command chmod +s /bin/bash through os.system(). This command changes the permissions of /bin/bash to set the setuid bit, allowing anyone to execute the shell with root privileges, posing a serious security risk.

First, check if /bin/bash has the SUID bit set. Look for an s in the user’s execute position (e.g., -rwsr-xr-x); this indicates it’s a SUID binary. If you don’t see it, the setuid bit isn’t set.

Execute the command to run bbot with the specified configuration and module.

This runs the dark module using the settings from /home/graphasm/dark.yml, forcing execution with the --force flag.

Another way to gain root access is by executing the reverse shell with root privileges.

We have successfully received a reverse shell connection back to our machine.

The post Hack The Box: Cypher Machine Walkthrough – Medium Difficulty appeared first on Threatninja.net.
