Linux

Another medium box that starts with just a web form and ends with a root shell through a surprisingly elegant chain. Editorial is all about knowing what to look for — and what to ask the server to fetch for you. Machine Info Field Value Name Editorial Platform HackTheBox OS Linux Difficulty Medium IP 10.129.1.101 TL;DR SSRF on the book cover URL field → internal API on port 5000 → /api/latest/metadata/messages/authors leaks SSH creds for dev → git history in ~/apps reveals prod credentials → prod can run a GitPython clone script as root → ext:: protocol injection sets SUID on /bin/bash → root. ...

Jenkins is one of those tools that organizations often spin up quickly and forget to harden. Builder is a medium-difficulty Linux box that demonstrates exactly what happens when that oversight meets a known CVE and a stored credential that wasn’t meant to be found. Machine Info Field Value Name Builder Platform HackTheBox OS Linux Difficulty Medium IP 10.129.230.220 TL;DR Jenkins 2.441 is vulnerable to a Local File Inclusion (CVE-2024-23897). The LFI lets us read arbitrary files from the server, which is enough to enumerate Jenkins users, steal a password hash, crack it, log in as that user, and execute a Groovy reverse shell from the Script Console. The shell lands inside a Docker container. From there, the Jenkins home directory contains an encrypted SSH private key in credentials.xml. We use pwn_jenkins to decrypt it with master.key and hudson.util.Secret, then SSH in as root. ...

Default credentials and a comment field that should never have held a password - two very human mistakes that open the door all the way to root. Machine info Name Keeper Platform HackTheBox OS Linux Difficulty Easy TL;DR Web server redirects to tickets.keeper.htb running Request Tracker (RT) - default credentials (root:password) work A user profile comment reads “Initial password set to Welcome2023!” - SSH access as lnorgaard Home directory contains RT30000.zip with a KeePass dump and .kdbx file keepass_dump recovers a partial master password; context clues complete it KeePass vault holds a PuTTY SSH key for root - convert and log in Recon Nmap 1 nmap -sV -sC -Pn -A 10.129.229.41 ...

Sometimes the vulnerability is not in your target’s code - it is in their supply chain. Knife is a good example of what happens when a poisoned release slips through. Machine info Name Knife Platform HackTheBox OS Linux Difficulty Easy TL;DR A web server running PHP 8.1.0-dev - a version that shipped with a backdoor - allows arbitrary command execution via a custom HTTP header Initial shell as james, sudo -l reveals the knife CLI can be run as root without a password sudo knife exec -E "exec('/bin/bash')" drops a root shell immediately Recon Nmap 1 nmap -sV -sC -Pn -A 10.129.34.68 ...

A PDF converter hiding a command injection CVE, credentials buried in a Ruby config file, and a YAML deserialization gadget to finish it off - Precious stacks three clean techniques on top of each other. Machine info Name Precious Platform HackTheBox OS Linux Difficulty Easy TL;DR Web app converts URLs to PDFs using pdfkit v0.8.6, which is vulnerable to CVE-2022-25765 (command injection) Initial shell as ruby, Bundler config at ~/.bundle/config leaks credentials for user henry Henry can run a Ruby script as root with sudo; the script uses YAML.load - exploitable via deserialization to get a root shell Recon Nmap 1 nmap -sV -sC -Pn -A 10.129.228.98 ...

HTTP gave nothing. The real entry point was hiding on UDP - a reminder that TCP-only scans miss half the attack surface. Machine info Name Underpass Platform HackTheBox OS Linux Difficulty Easy TL;DR UDP scan reveals SNMP and RADIUS; SNMP walk with the public community string leaks hostname and username daloRADIUS web interface accessible with default credentials (administrator:radius) User svcMosh has an MD5 password hash in the RADIUS database - John cracks it SSH as svcMosh, sudo -l shows mosh-server without a password - run it as root and connect with mosh-client to get a root shell Recon Nmap TCP 1 nmap -sV -sC -Pn -A 10.129.231.213 ...

Directory brute-force gets you nowhere on Devvortex. The win is one layer up - in the subdomains. Machine info Name Devvortex Platform HackTheBox OS Linux Difficulty Easy TL;DR Subdomain enumeration reveals dev.devvortex.htb, running Joomla 4.2.6 joomscan identifies the exact version; CVE-2023-23752 leaks usernames and the admin password via unauthenticated REST API endpoints Log in as lewis, edit the active Cassiopeia template to plant a PHP webshell, get a shell as www-data configuration.php re-exposes the MySQL password; query the sd4fg_users table and crack logan’s bcrypt hash with John su logan, check sudo: (ALL:ALL) /usr/bin/apport-cli - escape through the less pager to root Recon Nmap 1 nmap -sV -sC -Pn -A devvortex.htb ...

Sometimes nmap does half the work for you. .git on port 80 is all the hint you need. Machine info Name Dog Platform HackTheBox OS Linux Difficulty Easy TL;DR Nmap’s http-git script flags an exposed .git directory; a browser extension confirms it gitdumper.py reconstructs the repository and surfaces the Backdrop CMS settings file with database credentials: root:BackDropJ2024DS2024 The git log commit message references the Backdrop URL aliases docs, which reveals the /accounts/[user:name] pattern - wfuzz enumerates valid usernames, and the DB password logs in as tiffany Backdrop 1.27.1 has a known authenticated RCE (EDB 52021); the module installer only accepts tar/tgz/gz/bz2, so the exploit’s zip output needs repackaging before upload - shell as www-data Two users on the box; the same DB credential switches to johncusack sudo -l shows bee (Backdrop’s CLI) without a password; bee php-eval with --root gives root Recon Nmap ...

CVE-2023-46604 dropped while this machine was live - a critical Apache ActiveMQ RCE with a public PoC, CVSS 10.0. The privesc flips the script: instead of running code, nginx becomes a file server for the entire filesystem. Machine info Name Broker Platform HackTheBox OS Linux Difficulty Easy TL;DR Rustscan reveals port 61616 running Apache ActiveMQ 5.15.15 - vulnerable to CVE-2023-46604 Clone and adapt the public PoC: serve a malicious ClassInfo XML and trigger the RCE to land a shell as activemq sudo -l shows activemq can run /usr/sbin/nginx as root without a password Craft an evil nginx config with WebDAV PUT and root /; to expose the entire filesystem on port 1337 Read root.txt directly, or overwrite /etc/passwd to add a new root-level user Recon Port scan ...

Version numbers in page footers exist for a reason. Searchor 2.4.0 handed over the foothold; a kernel exploit closed it out. Machine info Name Busqueda Platform HackTheBox OS Linux Difficulty Easy TL;DR Nmap reveals a web app on port 80 - the page footer discloses “Powered by Flask and Searchor 2.4.0” Searchor 2.4.0 is vulnerable to arbitrary command injection; a public exploit delivers a reverse shell as svc Privilege escalation via DirtyFrag (universal Linux LPE): compile and run the PoC to get root Recon Add host to /etc/hosts ...